LinkedIn password database compromised

Tei oscar.vives at gmail.com
Thu Jun 21 10:59:38 UTC 2012


Anonymity on the Internet is a feature, because a lot of the world's
netcitizens come from countries where saying this or that is a crime,
and can get you in trouble.
Any asymmetric cryptography solution that removes anonymity is a bad
thing. Making censorship easier on the internet is making it worse.

What could do some good is to discredit some bad practices, and
propose alternate better practices.
This is hard, and part of it is because some people's good practices are
other people's good practices.   We can't start this yet, because we
don't agree on these good practices.

There's something weird with password length: on most websites you
are allowed to type an 80 or 120 character long name.  But if you try
that with your password, you find a problem.  Somehow VARCHAR(120) is
unfeasible for passwords, but ok for first_name, second_name.
It is even more weird when people are storing hashes.  The length of an
md5 doesn't change if I choose very long passwords, so why are people
limiting password length?

Another weird limitation that "must go" is the idea that you can't use
"special characters". The expression "special characters" is a red flag
itself.  Most passwords should allow UTF-8, and allow anything that
UTF-8 allows.

Forcing people to mix uppercase and lowercase.. I understand where
this comes from. It enhances the password strength. At what price? Making
passwords a random mix of letters and numbers makes them hard to
remember and makes life miserable for everyone. Practices to make
passwords stronger may be pushing people to write passwords down, or
reuse passwords.

--
ℱin del ℳensaje.
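
[Added example, not part of the original message.] The points above about
password length and UTF-8, shown as a storage routine whose record is the
same size for any password. Assumptions not in the post: PBKDF2-HMAC-SHA256
with a random salt instead of bare MD5, NFKC normalization, the work factor,
the record layout and the generous MAX_BYTES cap.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16          # bytes of random salt per password
MAX_BYTES = 4096       # assumed generous cap, only to bound request size


def _encode(password: str) -> bytes:
    # Normalize so the same visible password typed on different platforms
    # yields the same bytes, then encode as UTF-8 (any character allowed).
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if not data or len(data) > MAX_BYTES:
        raise ValueError("password empty or larger than MAX_BYTES")
    return data


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    # The stored record depends on the KDF output size, not the input size.
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", _encode(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    try:
        data = _encode(password)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex),
                             int(iterations))
    # Constant-time comparison of the derived key with the stored one.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample passwords: short, long, and non-ASCII.
    samples = ["hunter2", "correct horse battery staple " * 4,
               "contraseña-密码-🔑"]
    for pw in samples:
        rec = hash_password(pw)
        print(len(pw), len(rec), verify_password(pw, rec))
```

With the default work factor every record is 118 characters, whatever the
password length or alphabet.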



