Security Basics mailing list archives
RE: News Item: UN warns on password 'explosion'
From: "Lall, Navneet Singh" <nlall () ipolicynetworks com>
Date: Tue, 12 Dec 2006 12:43:44 +0530
Hi,

I think online forums need a username + password for the following reasons:

- Authenticity: This ensures that a human, and not an automated program, is posting in the forums. This is done by asking you to type the letters in the picture at the time of creating the account.
- Protection: Mailing lists usually have spam protection; online forums don't.
- Feeling Good: Online forums enjoy having a big member database.
- Money: If you log in then you definitely have to move around many pages in the site, which increases the chances of you clicking on one of the ad banners and making the owner a bit richer.

The scheme suggested by you has a drawback: the user has to log in to his email to make the post appear. Considering the average volume of email increasing every day, this is not scalable. Also, it can be abused by an attacker if he posts lots of bogus posts with your email id using some automated program.

The only sensible solution to this problem so far is to use good password managers, unless some global secure password management system appears that is acceptable to all websites. It could be like a "reverse" digital certificate: it's provided by you to the website.

Navneet Singh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Saqib Ali
Sent: Monday, December 04, 2006 8:23 PM
To: security-basics
Subject: News Item: UN warns on password 'explosion'

Nothing new: Username + Password reuse will make the net less secure, which in turn makes people wary of spending money online. Still a good read.

My question is why so many online discussion forums require a logon to post messages? Currently I have 20+ discussion forum accounts for the various vendors that I deal with (e.g. citrix, wise, altiris, active batch etc.). Why can't they be like mailing lists where the username+password is optional/not required?

Discussion forums use username+password as a means to 1) control access, 2) tie the post to an email address, and 3) prevent anonymous spam. Alternatively this can also be achieved by simply requiring an email address along with the post, and then sending an authorization email to the poster before making the post visible on the forum. This will achieve the same effect, and the user will not be burdened with remembering a username+password for each forum where they make posts.

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
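The email-confirmation flow Saqib proposes (hold the post, mail a one-time link, publish only after the link is used) and the abuse case Navneet raises (flooding someone else's address with bogus submissions) can both be made concrete. The following is an added example written for this archive page, not code from either poster or from any forum software; the confirmation URL, the one-hour validity window, the per-address cap on unconfirmed posts and the email addresses are all constructed assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

CONFIRM_TTL_SECONDS = 60 * 60   # assumption: a confirmation link is valid for one hour
MAX_PENDING_PER_EMAIL = 3       # assumption: cap on unconfirmed posts per address


@dataclass
class PendingPost:
    email: str
    body: str
    created_at: float


class Forum:
    """Forum that accepts posts with an email address instead of a login.

    A post is held until the poster uses a confirmation token sent to that
    address; only confirmed posts are published.
    """

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # callable(to_address, message); hypothetical mailer hook
        self.now = now               # injectable clock so expiry can be exercised offline
        self.pending = {}            # sha256(token) -> PendingPost
        self.published = []

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored: a leaked pending table cannot be used
        # to confirm posts, and a dict lookup on the hash reveals nothing about the token.
        return hashlib.sha256(token.encode()).hexdigest()

    def _expire(self):
        cutoff = self.now() - CONFIRM_TTL_SECONDS
        for key in [k for k, p in self.pending.items() if p.created_at < cutoff]:
            del self.pending[key]

    def submit(self, email, body):
        """Hold the post and mail a one-time token. Returns False if the address is over its cap."""
        self._expire()
        outstanding = sum(1 for p in self.pending.values() if p.email == email)
        if outstanding >= MAX_PENDING_PER_EMAIL:
            return False   # bounds the inbox-flooding abuse: at most N unconfirmed posts per address
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self.pending[self._digest(token)] = PendingPost(email, body, self.now())
        # constructed URL; a real forum would use its own confirmation endpoint
        self.send_mail(email, f"Confirm your post: https://forum.example/confirm?t={token}")
        return True

    def confirm(self, token):
        """Publish the held post for a valid, unexpired token. Each token works exactly once."""
        self._expire()
        post = self.pending.pop(self._digest(token), None)
        if post is None:
            return False
        self.published.append(post)
        return True


def demo():
    """Drive the flow with a fake mailbox and a fake clock; returns the observed outcomes."""
    mailbox = []
    clock = [1_000_000.0]
    forum = Forum(send_mail=lambda to, msg: mailbox.append((to, msg)), now=lambda: clock[0])

    # 1. A submitted post is held, not published, and one confirmation mail goes out.
    forum.submit("alice@example.org", "Hello forum")           # constructed address
    token = mailbox[-1][1].split("t=")[1]
    held = len(forum.published) == 0

    # 2. A wrong token confirms nothing.
    wrong = forum.confirm("not-the-token")

    # 3. The mailed token publishes the post exactly once.
    first = forum.confirm(token)
    second = forum.confirm(token)

    # 4. A token older than the validity window is rejected.
    forum.submit("bob@example.org", "Late post")               # constructed address
    stale = mailbox[-1][1].split("t=")[1]
    clock[0] += CONFIRM_TTL_SECONDS + 1
    expired = forum.confirm(stale)

    # 5. Repeated submissions naming one address stop once the pending cap is reached.
    accepted = [forum.submit("carol@example.org", f"post {i}")  # constructed address
                for i in range(MAX_PENDING_PER_EMAIL + 1)]

    return {"held": held, "wrong": wrong, "first": first, "second": second,
            "expired": expired, "accepted": accepted,
            "published": [p.body for p in forum.published]}


if __name__ == "__main__":
    print(demo())
```

Two design points carry the security weight: the token is never stored in the clear, so a database leak does not let anyone publish held posts, and the per-address cap on unconfirmed posts is what answers the objection that an attacker could generate a stream of confirmation mails in a third party's name.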