On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
>
> On 4/26/20 7:32 AM, Rich Kulawiec wrote:
> > On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
> > > $SHINYNEWSITE has only to entice you to enter your reused password which
> > > comes out in the clear on the other side of that TLS connection. basically
> > > password phishing. you can whine all you like about how stupid they are, but
> > > you know what... that is what the average person does. that is reality. js
> > > exploits do not hold a candle to that problem.
> >
> > Two equally large problems -- neither of which has anything to do with
> > encryption in transport -- are backend security and password strength.
> > In the former case, we've seen an ongoing parade of security breaches
> > and subsequent data loss incidents. That parade is still going on.
> > In the latter case, despite years of screaming from the rooftops, despite
> > myriad enforcement attempts in code, despite another parade of incidents,
> > despite everything, we still have people using "password" as a password.
> >
> > As a side note, I've found it nearly impossible to get users to
> > understand that there is a qualitative and quantitative difference
> > between "password used for brokerage account" and "password used for
> > little league baseball mailing list".
> >
> > The minor problem of passwords-over-the-wire pales into insignificance
> > compared to these (and others -- but that's a long list).
>
> Um, those are exactly the consequences of passwords over the wire. If you
> didn't send "password" over the wire, nobody could guess that's your
> password on your banking site.
I guess that's why best practices for authentication encourage the adoption of HTTP Digest authentication. No password over the wire == no problems!

- Matt
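An added illustration of the mechanism Matt alludes to, not code from anyone in the thread: RFC 2617 HTTP Digest authentication with qop="auth" in Python, using the RFC's own published test vector (section 3.5) as sample input. It shows the password staying on the client while the server verifies from a stored HA1, and that this HA1 is itself a password-equivalent secret, so the backend-breach and weak-password problems Rich describes are untouched by keeping the password off the wire.

```python
import hashlib
import secrets


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). It is the only secret the server
    # needs to check a login, so a stolen HA1 is as good as the password
    # for this realm: backend storage still has to be protected.
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    # Client side (RFC 2617 3.2.2.1): the plaintext password never leaves
    # the client; only this 32-hex-char response travels over the wire.
    # A guessable password still yields a guessable response.
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(
        f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce,
                  response, qop="auth"):
    # Server side: recompute from the stored HA1 only. No plaintext
    # password is required, which is exactly why HA1 must be treated as
    # a credential at rest. Constant-time compare avoids a timing oracle.
    ha2 = _md5_hex(f"{method}:{uri}")
    expected = _md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


# Public test vector from RFC 2617 section 3.5 (not a real credential).
RFC_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
    cnonce="0a4f113b",
)


def rfc_example_roundtrip() -> bool:
    # Client computes the response; server checks it with HA1 alone.
    response = digest_response(**RFC_EXAMPLE)
    stored = ha1(RFC_EXAMPLE["username"], RFC_EXAMPLE["realm"],
                 RFC_EXAMPLE["password"])
    return server_verify(stored, "GET", "/dir/index.html",
                         RFC_EXAMPLE["nonce"], "00000001", "0a4f113b",
                         response)
```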