BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Reusing Passwords on Different Sites Should be OK
- Subject: [Discuss] Reusing Passwords on Different Sites Should be OK
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Fri, 18 Sep 2015 11:01:02 +0000
- In-reply-to: <CAAbKA3XJCf+ZJaDivU=LZL+JAATv-nvv1skn4AsK_FaZg=4Dhg@mail.gmail.com>
- References: <BLUPR04MB3699329CB5E010185E50399DC5A0@BLUPR04MB369.namprd04.prod.outlook.com> <55FB23FE.3080909@mattgillen.net> <BLUPR04MB3698EA7D9AD9CF808062D89DC5A0@BLUPR04MB369.namprd04.prod.outlook.com> <CAAbKA3XJCf+ZJaDivU=LZL+JAATv-nvv1skn4AsK_FaZg=4Dhg@mail.gmail.com>
> From: Bill Ricker [mailto:bill.n1vux at gmail.com] > Sent: Thursday, September 17, 2015 10:11 PM > > Reusing passwords requires the users to know that the encryption is of a > safe variety.? Most users are not qualified to tell good crypto from bad > crypto.? Heck, most programmers can't be qualified to use good cypto > correctly. > Password Encryption done client-side must be handled very carefully to > avoid replay attacks yet still actually validate something.? Sounds like a half- > hearted attempt at Challenge-response. > tl;dr No. Everybody knows they shouldn't login to anything over http:// We've all been trained to use https:// and ensure we have green checkmark security shields or whatever. Because thousands of random unknown employees maintaining the routers on the Internet could access the http traffic. When you login via HTTPS, to google, facebook, twitter, and thousands of other sites, there are still thousands of unknown employees maintaining the load balancers and web servers at the other end, who could access the traffic. It is a no-brainer. You should not send your password or encryption keys, even over https. You need to prove you know your secret without exposing it.
- References:
- [Discuss] Reusing Passwords on Different Sites Should be OK
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Reusing Passwords on Different Sites Should be OK
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] Reusing Passwords on Different Sites Should be OK
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Reusing Passwords on Different Sites Should be OK
- From: bill.n1vux at gmail.com (Bill Ricker)
- [Discuss] Reusing Passwords on Different Sites Should be OK
- Prev by Date: [Discuss] java keytool x.509 error
- Next by Date: [Discuss] Reusing Passwords on Different Sites Should be OK
- Previous by thread: [Discuss] Reusing Passwords on Different Sites Should be OK
- Next by thread: [Discuss] Reusing Passwords on Different Sites Should be OK
- Index(es):