On Sun, Apr 26, 2020 at 05:10:56PM -0700, Michael Thomas wrote:
>
> On 4/26/20 5:07 PM, Matt Palmer wrote:
> > On Sun, Apr 26, 2020 at 07:59:24AM -0700, Michael Thomas wrote:
> > > On 4/26/20 7:32 AM, Rich Kulawiec wrote:
> > > > On Thu, Apr 23, 2020 at 07:56:30PM -0700, Michael Thomas wrote:
> > > > > $SHINYNEWSITE has only to entice you to enter your reused password
> > > > > which comes out in the clear on the other side of that TLS
> > > > > connection. Basically password phishing. You can whine all you like
> > > > > about how stupid they are, but you know what... that is what the
> > > > > average person does. That is reality. JS exploits do not hold a
> > > > > candle to that problem.
> > > > Two equally large problems -- neither of which have anything to do with
> > > > encryption in transport -- are backend security and password strength.
> > > > In the former case, we've seen an ongoing parade of security breaches
> > > > and subsequent data loss incidents. That parade is still going on.
> > > > In the latter case, despite years of screaming from the rooftops,
> > > > despite myriad enforcement attempts in code, despite another parade of
> > > > incidents, despite everything, we still have people using "password"
> > > > as a password.
> > > >
> > > > As a side note, I've found it nearly impossible to get users to
> > > > understand that there is a qualitative and quantitative difference
> > > > between "password used for brokerage account" and "password used for
> > > > little league baseball mailing list".
> > > >
> > > > The minor problem of passwords-over-the-wire pales into insignificance
> > > > compared to these (and others -- but that's a long list).
> > > Um, those are exactly the consequences of passwords over the wire. If you
> > > didn't send "password" over the wire, nobody could guess that's your
> > > password on your banking site.
> > I guess that's why best practices for authentication encourage the adoption
> > of HTTP Digest authentication. No password over the wire == no problems!
>
> Which has exactly zero deployment. And you need to store the plain-text
> password on the server side. What could possibly go wrong?

But you said that *passwords on the wire* were the biggest problem. Digest
auth solves that. Also, you don't have to store the plain-text password.

- Matt