nanog mailing list archives

Re: mail admins?


From: Michael Thomas <mike () mtcc com>
Date: Sun, 26 Apr 2020 17:10:56 -0700


On 4/26/20 5:07 PM, Matt Palmer wrote:
On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
On 4/26/20 7:32 AM, Rich Kulawiec wrote:
On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
$SHINYNEWSITE has only to entice you to enter your reused password which
comes out in the clear on the other side of that TLS connection. basically
password phishing. you can whine all you like about how stupid they are, but
you know what... that is what the average person does. that is reality. js
exploits do not hold a candle to that problem.
Two equally large problems -- neither of which have anything to do with
encryption in transport -- are backend security and password strength.
In the former case, we've seen an ongoing parade of security breaches
and subsequent data loss incidents.  That parade is still going on.
In the latter case, despite years of screaming from the rooftops, despite
myriad enforcement attempts in code, despite another parade of incidents,
despite everything, we still have people using "password" as a password.

As a side note, I've found it nearly impossible to get users to
understand that there is a qualitative and quantitative difference
between "password used for brokerage account" and "password used for
little league baseball mailing list".

The minor problem of passwords-over-the-wire pales into insignificance
compared to these (and others -- but that's a long list).
Um, those are exactly the consequences of passwords over the wire. If you
didn't send "password" over the wire, nobody could guess that's your
password on your banking site.
I guess that's why best practices for authentication encourage the adoption
of HTTP Digest authentication.  No password over the wire == no problems!

Which has exactly zero deployment. And you need to store the plain-text password on the server side. What could possibly go wrong?

Mike
