LinkedIn password database compromised

Randy Bush randy at psg.com
Wed Jun 20 23:33:47 UTC 2012


> The fact that it is symmetric leads to the problem.
> 
> Even if the attacker had fully compromised the server end they get
> nothing.  There's no replay attack.  No shared secret they can use to log
> into another web site.  Zero value.

with per-site passphrases there is no cross-site threat.  there is
replay, as you point out.  

would be interested to hear smb on this.

> Yep.  Don't get me wrong, there's an RFC or two here, a few pages of
> code in web servers and browsers.  I am not asserting this is a trivial
> change that could be made by one guy in a few minutes.  However, I am
> suggesting this is an easy change that could be implemented in weeks
> not months.

did you say RFC in the same sentence as weeks?  but i definitely agree
that we should be able to do better than we are now.

randy
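
The exchange above contrasts two designs without naming a scheme: a symmetric one, where the server holds (a verifier for) the same secret the user types, and an asymmetric one, where a compromised server yields nothing that logs in anywhere and a captured login cannot be replayed. The following is an added example, not code from the thread or from any of its participants, that runs both designs through the same story (registration, a database dump, the attacker's options afterwards). The asymmetric side uses a Schnorr identification protocol; that choice, the 62-bit toy group, the site names and the tiny wordlist are all assumptions made for illustration.

```python
"""Symmetric password login vs. asymmetric challenge-response (toy models).

Illustrative only: the group is 62 bits (real deployments use standardized
2048-bit groups or elliptic curves) and the password hash is a single salted
SHA-256 (a real site should use a slow KDF).  Neither shortcut changes the
point: whatever a symmetric site stores is a verifier for the user's secret,
while an asymmetric site stores a public key that verifies nothing on its own.
"""
import hashlib
import hmac
import secrets


class PasswordSite:
    """A site authenticating with a shared secret.  The leaked database lets an
    attacker test guesses offline; a recovered password is accepted by this
    site forever (replay) and by any site where the same string was reused."""

    def __init__(self, name):
        self.name = name
        self.db = {}  # user -> (salt, sha256(salt || password))

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def login(self, user, password):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(stored, hashlib.sha256(salt + password.encode()).digest())


def crack_dump(dump, wordlist):
    """Offline guessing against a leaked database: no lockout, just hashing.
    Returns {user: password} for every entry the wordlist recovers."""
    found = {}
    for user, (salt, stored) in dump.items():
        for guess in wordlist:
            if hashlib.sha256(salt + guess.encode()).digest() == stored:
                found[user] = guess
                break
    return found


def _is_prime(n):
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 2**64."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=62):
    """Smallest safe prime p = 2q + 1 with q just above 2**(bits-1), and g = 4,
    a square and therefore a generator of the order-q subgroup (toy size)."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


class Prover:
    """The user's device: holds the private key x, which never leaves it."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self.x = secrets.randbelow(self.q - 1) + 1
        self.public_key = pow(self.g, self.x, self.p)  # y = g^x, the only thing a site stores
        self._r = None

    def commit(self):
        self._r = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._r, self.p)  # t = g^r

    def respond(self, challenge):
        return (self._r + challenge * self.x) % self.q  # s = r + c*x mod q


class PublicKeySite:
    """A site storing public keys only.  A dump of self.db is worthless to an
    attacker, and a recorded transcript fails against any fresh challenge."""

    def __init__(self, name, group):
        self.name = name
        self.p, self.q, self.g = group
        self.db = {}  # user -> y

    def register(self, user, public_key):
        self.db[user] = public_key

    def challenge(self):
        return secrets.randbelow(self.q)  # fresh per login attempt

    def verify(self, user, t, c, s):
        y = self.db.get(user)
        if y is None or not (1 < t < self.p and pow(t, self.q, self.p) == 1 and 0 <= s < self.q):
            return False
        return pow(self.g, s, self.p) == t * pow(y, c, self.p) % self.p  # g^s == t * y^c


def demo(wordlist=("password", "linkedin", "hunter2", "hunter2-for-c")):
    """Both designs after a database leak.  Returns the outcomes as a dict so
    they can be asserted rather than eyeballed.  Sites and words are constructed."""
    out = {}
    # Symmetric, password reused at two sites: the dump of a.example cracks
    # offline, replays at a.example and crosses over to b.example.
    a, b = PasswordSite("a.example"), PasswordSite("b.example")
    a.register("alice", "hunter2")
    b.register("alice", "hunter2")
    cracked = crack_dump(a.db, wordlist)["alice"]
    out["sym_cracked"], out["sym_replay"], out["sym_cross_site"] = cracked, a.login("alice", cracked), b.login("alice", cracked)
    # Per-site passphrase: the a.example password fails at c.example, but a
    # dump of c.example itself still yields a replayable secret for c.example.
    c_site = PasswordSite("c.example")
    c_site.register("alice", "hunter2-for-c")
    out["persite_cross_site"] = c_site.login("alice", cracked)
    out["persite_replay"] = c_site.login("alice", crack_dump(c_site.db, wordlist)["alice"])
    # Asymmetric: honest login, then a replayed transcript, then a forgery
    # attempt using only what the server-side dump contains (y).
    group = make_group()
    alice, d = Prover(group), PublicKeySite("d.example", group)
    d.register("alice", alice.public_key)
    t, c = alice.commit(), d.challenge()
    s = alice.respond(c)
    out["asym_honest"] = d.verify("alice", t, c, s)
    out["asym_replay"] = d.verify("alice", t, (c + 1) % d.q, s)  # any challenge other than c
    thief = Prover(group)  # knows y and the group, not x: guesses x at random
    t2, c2 = thief.commit(), d.challenge()
    out["asym_forge_from_dump"] = d.verify("alice", t2, c2, thief.respond(c2))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The replay check deliberately uses a challenge that differs from the recorded one rather than a fresh random challenge, so the outcome is deterministic; with a random challenge the transcript would pass with probability 1/q. The forgery attempt succeeds only if the random guess equals x, again probability 1/q, which is what "fully compromised the server end" buys the attacker in the asymmetric design.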
