mail admins?

Matt Palmer mpalmer at hezmatt.org
Mon Apr 27 03:39:07 UTC 2020


On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
> 
> On 4/26/20 5:07 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
> > > On 4/26/20 7:32 AM, Rich Kulawiec wrote:
> > > > On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
> > > > > $SHINYNEWSITE has only to entice you to enter your reused password which
> > > > > comes out in the clear on the other side of that TLS connection. basically
> > > > > password phishing. you can whine all you like about how stupid they are, but
> > > > > you know what... that is what the average person does. that is reality. js
> > > > > exploits do not hold a candle to that problem.
> > > > Two equally large problems -- neither of which has anything to do with
> > > > encryption in transport -- are backend security and password strength.
> > > > In the former case, we've seen an ongoing parade of security breaches
> > > > and subsequent dataloss incidents.  That parade is still going on.
> > > > In the latter case, despite years of screaming from the rooftops, despite
> > > > myriad enforcement attempts in code, despite another parade of incidents,
> > > > despite everything, we still have people using "password" as a password.
> > > > 
> > > > As a side note, I've found it nearly impossible to get users to
> > > > understand that there is a qualitative and quantitative difference
> > > > between "password used for brokerage account" and "password used for
> > > > little league baseball mailing list".
> > > > 
> > > > The minor problem of passwords-over-the-wire pales into insignificance
> > > > compared to these (and others -- but that's a long list).
> > > Um, those are exactly the consequences of passwords over the wire. If you
> > > didn't send "password" over the wire, nobody could guess that's your
> > > password on your banking site.
> > I guess that's why best practices for authentication encourage the adoption
> > of HTTP Digest authentication.  No password over the wire == no problems!
> 
> Which has exactly zero deployment. And you need to store the plain-text password
> on the server side. What could possibly go wrong?

But you said that *passwords on the wire* were the biggest problem.  Digest
auth solves that.  Also, you don't have to store the plain-text password.

- Matt
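The two properties Matt's reply attributes to HTTP Digest authentication (no password on the wire, and no plaintext password in the server's store) are easy to see in a worked exchange. The following is an added example, not code from the thread or from any of its participants: a minimal RFC 7616-style server and client using qop=auth with MD5. The realm, username and password are constructed values for the demonstration.

```python
import hashlib
import secrets

# Constructed values for this example only (not from the thread).
REALM = "example.invalid"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This, not the password, is what the server keeps."""
    return md5_hex(f"{username}:{realm}:{password}")


class DigestServer:
    """Minimal RFC 7616-style verifier, qop=auth, algorithm=MD5 (constructed for this example)."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.credentials: dict[str, str] = {}   # username -> HA1 only, never the password
        self.live_nonces: set[str] = set()

    def enroll(self, username: str, password: str) -> None:
        # The plaintext password is hashed once at enrollment and then discarded.
        self.credentials[username] = ha1(username, self.realm, password)

    def challenge(self) -> dict:
        # WWW-Authenticate parameters; a fresh server nonce for every challenge.
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method: str, auth: dict) -> bool:
        # Each nonce is accepted once, so a captured Authorization header cannot be replayed.
        if auth.get("nonce") not in self.live_nonces:
            return False
        self.live_nonces.discard(auth["nonce"])
        stored_ha1 = self.credentials.get(auth.get("username", ""))
        if stored_ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(f"{stored_ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        return secrets.compare_digest(expected, auth.get("response", ""))


def client_authorize(chal: dict, username: str, password: str, method: str, uri: str) -> dict:
    """Build the Authorization parameters the client sends back; the password never leaves here."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    h1 = ha1(username, chal["realm"], password)
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{h1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {
        "username": username, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response,
    }


def run_exchange(password_tried: str = PASSWORD) -> dict:
    """One challenge/response round, plus a replay attempt; returns the facts worth checking."""
    server = DigestServer(REALM)
    server.enroll(USERNAME, PASSWORD)
    chal = server.challenge()
    auth = client_authorize(chal, USERNAME, password_tried, "GET", "/account")
    accepted = server.verify("GET", auth)
    replayed = server.verify("GET", auth)          # same header again: nonce already consumed
    on_wire = " ".join(str(v) for v in list(chal.values()) + list(auth.values()))
    return {
        "accepted": accepted,
        "replay_accepted": replayed,
        "password_on_wire": PASSWORD in on_wire,
        "plaintext_stored": PASSWORD in server.credentials.values(),
    }


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange("wrong password"))
```

Running it shows the correct password accepted, a wrong one rejected, the replayed header rejected, and neither the challenge nor the Authorization parameters containing the password. The caveat a defender should keep in mind is that the stored HA1 is password-equivalent for that realm: anyone who obtains the credential store can compute valid responses, so Digest reduces what crosses the wire but does not relax what the backend must protect, which is the point Rich raises earlier in the thread.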



