Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Are passwords even long enough?

On 7/7/2016 8:50 AM, IngeGNUe wrote:
> Now, now, we're moving the goal post. First it was spyware, then it was
> malware in general, and now vulnerabilities? These are all distinct
> categories.

You made an assertion about trusted sources. I countered with the trust
you place in a source has nothing to do with the quality and security,
and that trust placed in FLOSS because it is FLOSS is misplaced.

> I'm having trouble understanding yet why it would be a risk for
> passwords as long as the federation remains within Google Apps (Drive,
> YouTube, Docs, Mail, the whole potato)

If you use Google's identity service on a site and you don't have a
valid token (cookie) then you need to get a token. The site will
redirect you to a login page. This is how it is intended to work.

If the site's servers are compromised then they can easily be configured
to direct users to a fake login page regardless of valid tokens. These
fake login pages can collect credentials and forward them to Google
using the identity platform APIs. Users get (new) valid tokens and
attackers get users' credentials.

Rich P.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /