[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mail admins?

On 4/26/20 7:32 AM, Rich Kulawiec wrote:
> On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
>> $SHINYNEWSITE has only to entice you to enter your reused password which
>> comes out in the clear on the other side of that TLS connection.?? basically
>> password phishing. you can whine all you like about how stupid they are, but
>> you know what... that is what they average person does. that is reality. js
>> exploits do not hold a candle to that problem.
> Two equally large problems -- neither of which have anything to do with
> encryption in transport -- are backend security and password strength.
> In the former case, we've seen an ongoing parade of security breaches
> and subsequent dataloss incidents.  That parade is still going on.
> In the latter case, despite years of screaming from the rooftops, despite
> myriad enforcement attempts in code, despite another parade of incidents,
> despite everything, we still have people using "password" as a password.
> As a side note, I've found it nearly impossible to get users to
> understand that there is a qualitative and quantitative difference
> between "password used for brokerage account" and "password used for
> little league baseball mailing list".
> The minor problem of passwords-over-the-wire pales into insignificance
> compared to these (and others -- but that's a long list).

Um, those are exactly the consequences of passwords over the wire. If 
you didn't send "password" over the wire, nobody could guess that's your 
password on your banking site. "password" to unlock your local 
credential store of private keys is far less serious because they have 
to have access to the device that hosts those credentials. "password" to 
your bank, on the other hand, is just a https away.

the other thing this allows is people to have a single extremely good 
password that doesn't change to protect the local credential store, and 
also protects you from the idiotic corpro security theater which 
requires passwords to be changed so often that you have to write them 
down. on my own local machine, i get to dictate the policy not some 
corpro security thespian.