Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Are passwords even long enough?

On 07/07/16 23:01, Rich Pieri wrote:
> On 7/7/2016 8:07 PM, IngeGNUe wrote:
>> But that means you're considering whether one of Google's sites are
>> compromised, which is something I thought we had written off as
>> improbable. It's not like I'm using a Google account to log in to a
>> Bookface.net website or whatever.
> 
> Comodo issuing fraudulent Google certificates qualifies as "Google's
> sites are compromised".

OK, now we're on the same page. Yes, I agree.

> 
> 
>> Or does Google rely on some other site to host, for example, YouTube?
>> Are you saying that their whole one-google-account-for-all-google-sites
>> is bad security? Because, that's what Google Apps (not talking about
>> Android) is.
> 
> It's a truism that password reuse is a problem. If you reuse passwords
> then compromise of one server/service means compromise of many
> servers/services.
> 
> Single sign on subsumes one password for many servers/services.
> 
> Therefore yes, what Google Apps does is bad security.

Gotcha.

> 
> 
>> Alright, but that's the whole using a Google Account to log in to
>> Headdesk.com. I mean, if there's a federated login service for Google
>> Accounts, this is the first I've heard of it / I've never heard of it.
> 
> Google, Facebook, Microsoft and Yahoo all provide federated identity
> services for third parties. Others do, too, but those are probably the
> biggest names globally.
> 
> Now you've heard of it.
> 
> 
>> Another thing, related to endpoint security, is the mail client. They
>> say it's good enough to have SSL with POP/IMAP but then again, I don't
>> have much faith in the way SSL is implemented. Then again, I don't know
>> how much faith I *should* have in it.
> 
> None.
> 

I strongly agree.

People tend to avoid blaming large corporations and err on the side of
but I agree, I don't feel secure using SSL with all the ways to break it
AND the badly architectured chain of trust. Not that it's the same as
plain text data, but it's not nearly as good as it was supposed to be.
BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix / webmaster@blu.org