gmail security is a joke

William Herrin bill at
Wed May 27 20:05:12 UTC 2015

On Wed, May 27, 2015 at 1:51 PM, Barry Shein <bzs at> wrote:
> On May 27, 2015 at 10:28 bill at (William Herrin) wrote:
>  > On Tue, May 26, 2015 at 4:10 PM, Scott Howard <scott at> wrote:
>  > > It means they are storing it unhashed
>  > > which is probably what you mean.
>  >
>  > It means they're storing it in a form that reduces to plain text
>  > without human intervention. Same difference. Encrypted at rest matters
>  > not, if all the likely attack vectors go after the data in transit.
> It matters a lot. [...]
> The OP was correct, if they can send you your cleartext password then
> their security practices are inadequate, period.

Am I speaking English? I thought I was speaking English.

> Unless I misunderstand what you're saying (I sort of hope I do)

Yeah, I think you probably did since I was largely agreeing with you.
What I was trying to say was that there wasn't a heck of a lot of
difference between storing a user's password with reversible
encryption and storing it in plain text. Both are supremely
unsatisfactory. Reasonable security starts by not retaining the user's
password at all. Keep only the non-reversible hash.

Bill Herrin

William Herrin ................ herrin at  bill at
Owner, Dirtside Systems ......... Web: <>

More information about the NANOG mailing list