[Discuss] Are passwords even long enough?

[ingegnue at riseup.net (IngeGNUe)]

On 07/07/16 09:21, John Hall wrote:
> On Thu, Jul 7, 2016 at 8:50 AM, IngeGNUe <ingegnue at riseup.net> wrote:
> 
>>
>> I'm having trouble understanding yet why it would be a risk for
>> passwords as long as the federation remains within Google Apps (Drive,
>> YouTube, Docs, Mail, the whole potato)
> 
> 
> ?I agree!
> 
> I am however suspicions of IT departments that have "business requirement"
> to maintain a man in the middle attack on everyone in the office for
> "enterprise data security".

IIRC that would be a proxy service. Yes, there are plenty of reasons to
be nervous about the power disparity between IT staff and users, because
it places extraordinary amounts of trust in the IT staff to respect and
protect the information. There are individual IT staff who would NEVER
dream of doing anything shady, but still. IT can be your little 'big
brother'.

You would have a very different relationship to a proxy service that you
set up on your own computer (e.g. Privoxy)

> Do you roam and visit many companies and log into Google there?
> Do you ever use a public terminal that could have a keyboard logger or a
> colleague or friend's computer that might have been infected with spyware?

I don't log on to Google anywhere else but my own computer, and
previously a mail client on a Nexus device. The length of the passwords
and scope/goal of the account discourages misbehaviors such as logging
on to foreign computers. If I can't remember a password, then I can't be
tempted to misuse it.

I'm willing to believe that I may have broken one of my rules at some
point, and just don't remember it, but it does make me curious if
there's some security precaution I failed to include in my process.

> ?
> On Sat, Jul 2, 2016 at 9:13 PM, Rich Pieri <richard.pieri at gmail.com> wrote:
> 
>> So I ask: have you used
>> your Google account to authenticate yourself with any services other
>> than Google? If so then that's probably how it happened.
>>
> 
> 
> I"m not following this assertion that using OAUTH to use other services is
> a conduit for compromising passwords. I call bullshit on this. How do you
> figure that happens?

I don't know much about OAuth specifically but there's a few points at
which data could be compromised:

Scenario: Website1.com sends login data to Website2.com for some
presumably justified reason:

0) Not specific to federated services: the security of the connection
between the user and Website1.com. Also not specific to federated
services is endpoint security (that no malicious code is running) on any
of the machines handling the data, be it client or server.
1) The security of the connection between Website1.com and Website2.com
2) The user assumes that Website1.com is trustworthy, and while this may
be true, the user is, as a side-effect, trusting Website1.com's trust in
Website2.com. If Website2.com is actually malicious, compromised, or
more negligent than Website1.com, then your security is undermined.

I think this is what Rich means by federated, but IDK.

> I believe that using oauth is a great way to access many websites and a
> secure way to use fewer passwords. It solves the problem of password reuse.
> 
> The authentication mechanism *never* passes your password to websites using
> oauth.

Oh, that's neat!

> 
> When you enter your user name and password when you use Google or Facebook
> to log into sites that information is never shared. That form is from
> Google, Facebook, etc. The site is given a LIMITED access OAUTH token that
> for example might allow them to know your email address ,but what they can
> do with this token is very limited and it gives them zero insight on your
> password.
> 
> The 2-factor services that allow access to many websites are one of the
> most important tools you can use to keep your accounts secure.
> 
> Thanks,
> John?
> 

Thanks for the info.