Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

Manu turkeyman at gmail.com
Sun Apr 13 18:20:43 PDT 2014


On 13 April 2014 12:02, Adam D. Ruppe <destructionator at gmail.com> wrote:

> On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
>
>> Never storing or transmitting password in plain text is not only basic,
>> obvious and to be expected, but it is THE most basic, obvious and
>> to-be-expected principle that exists in computer security.
>>
>
> ... and it is also the most common way passwords are sent in internet
> protocols.
>
> * SMTP and HTTP will base64 encode it with their basic auth but that's it
>
> * web sites typically transmit it completely open
>
>
> There's SSL now that gets more traction, but if you expect a password NOT
> to be sent in something trivially converted to plain text, wake up and smell
> the RFC.
>

There's been a migration of responsible services to https, but even without
that, I consider that a different level of negligence.
The difference is, someone has to be actively monitoring me to capture my
password in flight; if I'm a deliberate target, they'll get me somehow
anyway.
This is passive, it's _storing_ a large number of users' passwords all
together in one big plain-text blob. It's basically asking to be collected.
There's no transience, I'm compromised even if I'm not a target, and even
if I don't log on. My involvement is not required.
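As an added illustration of the two points argued above (not code from the thread or from any poster), the Python below shows what a Basic auth header actually carries, and contrasts the "one big plain-text blob" with a store that keeps only a salted, slow hash per user. The header value, user name and password are constructed sample data; PBKDF2 is one standard choice for the hash, not something the thread prescribes.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the header a client sends for user "alice", password "hunter2".
SAMPLE_HEADER = "Basic YWxpY2U6aHVudGVyMg=="


def basic_auth_credentials(header_value):
    """Recover user and password from 'Basic <base64>'.

    Base64 is an encoding, not encryption: anyone who can read the
    header in flight gets the password back with one library call.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not an HTTP Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def store_plaintext(db, user, password):
    """The blob the thread objects to: a copy of db is every password at once."""
    db[user] = password


def store_hashed(db, user, password, iterations=200_000):
    """Keep a per-user random salt and a slow PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    db[user] = (salt, iterations, digest)


def verify_hashed(db, user, password):
    """Check a login attempt against the hashed store (constant-time compare)."""
    record = db.get(user)
    if record is None:
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stored_record_reveals_password(db, user, password):
    """True if a leaked copy of db hands over this user's password directly."""
    record = db.get(user)
    return record == password
```

A leaked hashed store still has to be attacked one guess at a time per user, which is the difference in exposure the reply above is drawing.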