nanog mailing list archives

Re: mail admins?


From: Matt Palmer <mpalmer () hezmatt org>
Date: Fri, 24 Apr 2020 12:35:45 +1000

On Thu, Apr 23, 2020 at 06:31:04PM -0700, Michael Thomas wrote:
> Passwords over the wire are the *key* problem of computer security. Nothing
> else even comes close.

Hmm, a bold claim, but I'm confident the author will have strong support for
their position.

> One only needs to look at the LinkedIn salting problem

That was a stored password problem, not a passwords-over-the-wire problem,
but OK.  I'm sure we'll be back on track shortly.

> to know how trivial it is to exploit password reuse.

Not sure how exploiting password reuse causes problems with passwords over
the wire.  Halfway through the paragraph now, still haven't seen anything
talking about passwords over the wire.  No doubt the next sentence will
address the claim in detail, though.

> They are a big company and they still absolutely failed.

Starting to think that maybe there isn't going to be the solid justification
for the topic sentence that I'd originally assumed.

> There are a trillion smaller sites who are just as vulnerable, and all it
> takes is one.

A trillion smaller sites that are just as vulnerable... to passwords over the
wire?

Wait, this is the end of the paragraph.  How odd, not a single statement in
support of the assertion.  Perhaps it's not, in fact, true, then, that
passwords over the wire are the *key* problem of computer security.

While I do think webauthn is a neat idea, and solves at least one very real
problem (credential theft via phishing), you do an absolutely terrible job
of making that case.

- Matt

