mpalmer at hezmatt.org
Mon Apr 27 00:07:30 UTC 2020
On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
> On 4/26/20 7:32 AM, Rich Kulawiec wrote:
> > On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
> > > $SHINYNEWSITE has only to entice you to enter your reused password which
> > > comes out in the clear on the other side of that TLS connection.?? basically
> > > password phishing. you can whine all you like about how stupid they are, but
> > > you know what... that is what they average person does. that is reality. js
> > > exploits do not hold a candle to that problem.
> > Two equally large problems -- neither of which have anything to do with
> > encryption in transport -- are backend security and password strength.
> > In the former case, we've seen an ongoing parade of security breaches
> > and subsequent dataloss incidents. That parade is still going on.
> > In the latter case, despite years of screaming from the rooftops, despite
> > myriad enforcement attempts in code, despite another parade of incidents,
> > despite everything, we still have people using "password" as a password.
> > As a side note, I've found it nearly impossible to get users to
> > understand that there is a qualitative and quantitative difference
> > between "password used for brokerage account" and "password used for
> > little league baseball mailing list".
> > The minor problem of passwords-over-the-wire pales into insignificance
> > compared to these (and others -- but that's a long list).
> Um, those are exactly the consequences of passwords over the wire. If you
> didn't send "password" over the wire, nobody could guess that's your
> password on your banking site.
I guess that's why best practices for authentication encourage the adoption
of HTTP Digest authentication. No password over the wire == no problems!
More information about the NANOG