mail admins?

Michael Thomas mike at mtcc.com
Mon Apr 27 00:10:56 UTC 2020


On 4/26/20 5:07 PM, Matt Palmer wrote:
> On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
>> On 4/26/20 7:32 AM, Rich Kulawiec wrote:
>>> On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
>>>> $SHINYNEWSITE has only to entice you to enter your reused password which
>>>> comes out in the clear on the other side of that TLS connection.?? basically
>>>> password phishing. you can whine all you like about how stupid they are, but
>>>> you know what... that is what they average person does. that is reality. js
>>>> exploits do not hold a candle to that problem.
>>> Two equally large problems -- neither of which have anything to do with
>>> encryption in transport -- are backend security and password strength.
>>> In the former case, we've seen an ongoing parade of security breaches
>>> and subsequent dataloss incidents.  That parade is still going on.
>>> In the latter case, despite years of screaming from the rooftops, despite
>>> myriad enforcement attempts in code, despite another parade of incidents,
>>> despite everything, we still have people using "password" as a password.
>>>
>>> As a side note, I've found it nearly impossible to get users to
>>> understand that there is a qualitative and quantitative difference
>>> between "password used for brokerage account" and "password used for
>>> little league baseball mailing list".
>>>
>>> The minor problem of passwords-over-the-wire pales into insignificance
>>> compared to these (and others -- but that's a long list).
>> Um, those are exactly the consequences of passwords over the wire. If you
>> didn't send "password" over the wire, nobody could guess that's your
>> password on your banking site.
> I guess that's why best practices for authentication encourage the adoption
> of HTTP Digest authentication.  No password over the wire == no problems!

Which exactly zero deployment. And you need to store the plain-text 
password on the server side. What could possibly go wrong?

Mike




More information about the NANOG mailing list