nanog mailing list archives
Re: gmail security is a joke
From: Barry Shein <bzs () world std com>
Date: Wed, 27 May 2015 15:07:22 -0400
One weakness with sending a new cleartext password rather than a link is that a cleartext password (probably) has to be engineered to be easy to type in and maybe even remembered.

Typically one uses some concatenation of CVC (consonant-vowel-consonant) with common punctuations and/or digits otherwise chosen randomly, so something like pom%mur or kiv_ler for 7 chars anyhow, maybe add a digit or two, pom%mur87.

A link can be much more random, just some long (64 char or more) string of hexified nonsense for example, since the user presumably just clicks it and doesn't have to read it or type it in or, worse, remember it.

SOOOOOO...an attacker could study your cleartext password generation algorithm, which for a shorter, simpler, already structured cleartext password will be more likely to be predictable, all else being equal.

Perhaps the algorithm itself is even available if you use some identifiable software package such as an e-commerce suite; I can't imagine every person selling paisley socks writes their own password generation algorithm. Or by studying the passwords it generates (create an acct, send yourself a few hundred or thousand.)

I'm not just a-whistlin' dixie (I never a-whistle dixie! :-), I'd consider that a serious potential weakness adding more concern to choice of algorithms.

-- 
-Barry Shein

The World | bzs () TheWorld com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
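As an added illustration of the entropy gap the post describes (this is not code from the original message or from any package it mentions), the script below generates passwords from a CVC-style pattern with a CSPRNG and computes the bits of entropy of that pattern against a 64-character hex reset link; the consonant, vowel and punctuation sets are assumed.

```python
import math
import secrets
import string

# Character classes for the structured generator described in the post.
# The exact sets are assumptions; real generators vary, but the shape is the point.
CLASSES = {
    "C": "bcdfghjklmnpqrstvwxyz",  # 21 consonants
    "V": "aeiou",                  # 5 vowels
    "P": "!@#$%^&*_-",             # 10 "common punctuations" (assumed set)
    "D": string.digits,            # 10 digits
}


def generate(pattern: str) -> str:
    """Draw one password from a pattern such as 'CVCPCVCDD' (e.g. pom%mur87)."""
    return "".join(secrets.choice(CLASSES[c]) for c in pattern)


def matches_pattern(password: str, pattern: str) -> bool:
    """Check that a password is consistent with a pattern (defender-side sanity test)."""
    return len(password) == len(pattern) and all(
        ch in CLASSES[c] for ch, c in zip(password, pattern)
    )


def pattern_bits(pattern: str) -> float:
    """Entropy in bits when every position is drawn uniformly from its class.
    Because the structure is fixed, the search space is the product of class sizes."""
    return sum(math.log2(len(CLASSES[c])) for c in pattern)


def hex_token_bits(n_hex_chars: int) -> float:
    """A random hex string carries 4 bits per character (16 symbols)."""
    return 4.0 * n_hex_chars


def compare(pattern: str, n_hex_chars: int = 64) -> dict:
    """Summarise how much weaker the structured password is than a random link."""
    pb, hb = pattern_bits(pattern), hex_token_bits(n_hex_chars)
    return {"pattern": pattern, "pattern_bits": round(pb, 1),
            "link_bits": hb, "bits_short": round(hb - pb, 1)}


if __name__ == "__main__":
    for pat in ("CVCPCVC", "CVCPCVCDD"):   # pom%mur, pom%mur87
        print(generate(pat), compare(pat))
```

The 9-character pattern comes out near 32 bits, against 256 bits for the 64-hex link; a longer or less regular pattern narrows the gap but does not close it.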