> From: Tracy Reed [mailto:tr...@ultraviolet.org]
>
> I'm not sure I understand you here. But my initial reaction is to caution you
> against confusing the public by pushing this. They are much better off using
> separate passwords and a password manager.
Everybody knows they shouldn't log in to anything over HTTP. Even the most non-technical people I know have been trained to use HTTPS. You don't know your Verizon tech guy any better than you know the employees working at Dropbox, Google, Yahoo, or whatever.

> We should also assume (because it is true) that it is much easier for bad guys
> to access the passwords in the database than in memory post-decryption or in
> the decryption software itself etc.

Whatever site you're operating, there is a form that users HTTPS POST their password to. That form has the actual plaintext password available, and calls bcrypt or whatever. In WordPress, I just did this:

    grep -lir bcrypt wordpress

And found this:

    wordpress/wp-includes/class-phpass.php

Which is a PHP file, that I could trivially edit, which has access to passwords submitted to my site over HTTPS.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
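The point made above is that the code which receives the plaintext password (here wp-includes/class-phpass.php) is an ordinary editable file on the host, so a defender's control is to know when that file changes. The following is an added example, not code from the thread or from WordPress: it records a SHA-256 baseline for the watched file and reports any file that later goes missing or is modified. The directory layout is constructed inside a temporary directory and the PHP content is a stand-in; only the class-phpass.php path comes from the message.

```python
"""Added example: integrity baseline for the file that handles plaintext
passwords on a WordPress install. Not WordPress code; the install tree
and file contents used in demo() are constructed for illustration."""
import hashlib
import os
import tempfile

# The file named in the thread as having access to submitted passwords.
WATCHED = ["wp-includes/class-phpass.php"]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, rel_paths):
    """Record the digest of every watched file, keyed by path relative to root."""
    return {p: sha256_of(os.path.join(root, p)) for p in rel_paths}


def verify(root, expected):
    """Compare the current tree against a baseline.

    Returns {rel_path: "missing" | "modified"} for each file that no longer
    matches; an empty dict means everything watched is unchanged.
    """
    findings = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings[rel] = "missing"
        elif sha256_of(full) != digest:
            findings[rel] = "modified"
    return findings


def demo():
    """Constructed scenario: baseline a fake install, then append to the hasher."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        target = os.path.join(root, "wp-includes", "class-phpass.php")
        with open(target, "w") as f:
            f.write("<?php class PasswordHash { /* constructed stand-in */ }\n")

        expected = baseline(root, WATCHED)
        clean = verify(root, expected)          # {} on an untouched tree

        with open(target, "a") as f:            # simulate an edit to the hasher
            f.write("// constructed tamper marker\n")
        tampered = verify(root, expected)       # flags class-phpass.php

        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before)
    print("after edit: ", after)
```

The baseline has to live somewhere the web server's user cannot write (a read-only copy off the host, or a package manager's own manifest), otherwise whoever can edit the PHP file can also edit the digest it is compared against.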