[Discuss] 19,000 person company passwords stolen via HTTPS
Rich Pieri
richard.pieri at gmail.com
Tue Oct 6 19:19:20 EDT 2015
On 10/6/2015 5:12 PM, Edward Ned Harvey (blu) wrote:
> I have no idea what RP was talking about, or if there was a point at
> all, but Anthony, you're right. I know in CBCrypt, there is no basket
> with all the eggs.
Yes, there is. The authenticating server has a piece of information for
each user which can be used to uniquely identify that user. Encrypting
these unique pieces of information, these eggs, does not prevent me from
cracking them open. It slows me down but it won't keep me out.
The point is that this paradigm is broken, backwards. It's /etc/passwd
in fancy dress. Users and clients should not be authenticating
themselves to servers and services. Servers and services should be
authenticating themselves to the users and clients which use them.
--
Rich P.