[Discuss] Are passwords even long enough?

Thu Jul 7 20:07:15 EDT 2016

On 07/07/16 11:36, Rich Pieri wrote:
> On 7/7/2016 8:50 AM, IngeGNUe wrote:
>> Now, now, we're moving the goal post. First it was spyware, then it was
>> malware in general, and now vulnerabilities? These are all distinct
>> categories.
> 
> You made an assertion about trusted sources. I countered with the trust
> you place in a source has nothing to do with the quality and security,
> and that trust placed in FLOSS because it is FLOSS is misplaced.
> 
>> I'm having trouble understanding yet why it would be a risk for
>> passwords as long as the federation remains within Google Apps (Drive,
>> YouTube, Docs, Mail, the whole potato)
> 
> If you use Google's identity service on a site and you don't have a
> valid token (cookie) then you need to get a token. The site will
> redirect you to a login page. This is how it is intended to work.

But that means you're considering whether one of Google's sites are
compromised, which is something I thought we had written off as
improbable. It's not like I'm using a Google account to log in to a
Bookface.net website or whatever.

> 
> If the site's servers are compromised 

Google's sites? :\

Or does Google rely on some other site to host, for example, YouTube?
Are you saying that their whole one-google-account-for-all-google-sites
is bad security? Because, that's what Google Apps (not talking about
Android) is.

Anyway, to clarify, I'm not blaming Google, just following the argument.
Google has been breached in the past, but we rule it out because this
would have to be happening to many people.

> then they can easily be configured
> to direct users to a fake login page regardless of valid tokens. These
> fake login pages can collect credentials and forward them to Google
> using the identity platform APIs. Users get (new) valid tokens and
> attackers get users' credentials.
> 

Alright, but that's the whole using a Google Account to log in to
Headdesk.com. I mean, if there's a federated login service for Google
Accounts, this is the first I've heard of it / I've never heard of it.

If my imaginary site examples already exist btw (and they probably do),
I have no idea what is on them :)

Another thing, related to endpoint security, is the mail client. They
say it's good enough to have SSL with POP/IMAP but then again, I don't
have much faith in the way SSL is implemented. Then again, I don't know
how much faith I *should* have in it.

Then there's also the trustworthiness of the network you're using --
your VPN provider, or the wired/wireless network you're using.