Educause Security Discussion mailing list archives
Re: Password security
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Wed, 1 Feb 2012 16:21:34 -0800
Hi,

While I share everyone's concern about plain text passwords, there *are* many, many, mainstream applications that *do* store passwords unencrypted, and often in ways that are publicly accessible. (Anyone skeptical of this can quickly lose that skepticism via a little Google dorking, e.g., see for example http://www[dot]exploit-db[dot]com/google-dorks/9/ )

From my POV, the *real* issue is this: given that plain text passwords ARE out there all over the place, how do we get that problem sorted? I suspect that a straightforward find-and-notify strategy might be an excellent way to trigger a "shoot the messenger bearing bad news" sort of reaction, unfortunately.

Regards,
Joe