Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Manu turkeyman at gmail.com
Sat Apr 12 02:53:02 PDT 2014


On 12 April 2014 19:04, Paolo Invernizzi <paolo.invernizzi at no.address> wrote:

> On Saturday, 12 April 2014 at 08:45:23 UTC, Nick Sabalausky wrote:
>
>> On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
>>
>>> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>>>
>>>> On 12 April 2014 11:16, Manu <turkeyman at gmail.com> wrote:
>>>>
>>>> Anyway, this is all beside the point, the issue is _I got an email that
>>>> TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and
>>>> offensive. When will it be fixed?
>>>>
>>>
>>> Barry Warsaw is a kind person, and has spent a lot of effort in offering
>>> the community something like mailman: what's the problem with people
>>> reading the instructions for what they are doing, before doing it? Isn't
>>> that the first rule for being conscious about security?
>>>
>>> /Paolo
>>>
>>
>> I shouldn't have to read a label just to know whether or not my food
>> contains dog shit. Some things are basic and obvious enough to just be
>> *expected*.
>>
>
> You have hit the point: in security you _can't_ expect basic and obvious
> things, as you are starting with a biased mindset; you have to care.


There's a difference between opportunism and malicious intent. I'm sure I
can be hacked if someone really wants to, but that's completely different
from the idea that someone will almost certainly hack me, just because they can;
i.e., they opportunistically stumble across my password while running their
script over the internet, and see how far they can run with it.

We're talking about storing users' passwords _in plain text_ on a niche
forum server. What confidence could I possibly have that dlang's forum
server is properly secured and monitored?
I'm comfortable that hackers (or even the administrators, for that matter)
may get my hashed, salted passwords from time to time... that's an
understanding of the internet that I have become comfortable with. I'm NOT
comfortable that anyone can see my password in plain text. It's practically
an invitation.

You can't say to a community "I'm sorry, we lost all of your passwords, in
plain text! You should have cared more about your personal security." when
someone hacks your database (not that you'd know; users would just start to
be randomly compromised). It is a basic reality that most people aren't
particularly concerned about their security (until they are bitten), and
it's also a reality that not everybody even understands computer security
enough to secure themselves in basic ways. Web services MUST take a
proactive approach regarding users' security, at least to a reasonable
extent, and I'd argue that not storing users' passwords in plain text is
quite a reasonable expectation!
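The "hashed, salted passwords" the message contrasts with plain-text storage, as an added illustration (not code from Mailman or from anyone in the thread): each subscriber record carries its own random salt and the PBKDF2 iteration count, verification recomputes the hash in constant time, and two users who chose the same password end up with different stored records. The subscriber table and its addresses are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is stored inside each
# record, so it can be raised later without invalidating existing entries.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never "accept" it
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed sample subscriber table: two users who picked the same password.
# With per-user salts the stored records differ, so a leaked table neither
# reveals the password nor shows that the two accounts share one.
SUBSCRIBERS = {
    "alice@example.invalid": hash_password("correct horse"),
    "bob@example.invalid": hash_password("correct horse"),
}


def records_differ_for_same_password():
    return SUBSCRIBERS["alice@example.invalid"] != SUBSCRIBERS["bob@example.invalid"]
```

Because the record stores only salt and digest, a password-reminder email like the one complained about above cannot be generated from it; the only recoverable operation is a reset.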