[Discuss] Are passwords even long enough?

Rich Pieri richard.pieri at gmail.com
Thu Jul 7 23:01:07 EDT 2016


On 7/7/2016 8:07 PM, IngeGNUe wrote:
> But that means you're considering whether one of Google's sites is
> compromised, which is something I thought we had written off as
> improbable. It's not like I'm using a Google account to log in to a
> Bookface.net website or whatever.

Comodo issuing fraudulent Google certificates qualifies as "Google's
sites are compromised".


> Or does Google rely on some other site to host, for example, YouTube?
> Are you saying that their whole one-google-account-for-all-google-sites
> is bad security? Because, that's what Google Apps (not talking about
> Android) is.

It's a truism that password reuse is a problem. If you reuse passwords
then compromise of one server/service means compromise of many
servers/services.

Single sign-on subsumes one password for many servers/services.

Therefore yes, what Google Apps does is bad security.


> Alright, but that's the whole using a Google Account to log in to
> Headdesk.com. I mean, if there's a federated login service for Google
> Accounts, this is the first I've heard of it / I've never heard of it.

Google, Facebook, Microsoft and Yahoo all provide federated identity
services for third parties. Others do, too, but those are probably the
biggest names globally.

Now you've heard of it.


> Another thing, related to endpoint security, is the mail client. They
> say it's good enough to have SSL with POP/IMAP but then again, I don't
> have much faith in the way SSL is implemented. Then again, I don't know
> how much faith I *should* have in it.

None.

-- 
Rich P.


