Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Are passwords even long enough?



On 7/7/2016 8:50 AM, IngeGNUe wrote:
> Now, now, we're moving the goal post. First it was spyware, then it was
> malware in general, and now vulnerabilities? These are all distinct
> categories.

You made an assertion about trusted sources. I countered that the trust
you place in a source has nothing to do with its quality and security,
and that trust placed in FLOSS because it is FLOSS is misplaced.

> I'm having trouble understanding yet why it would be a risk for
> passwords as long as the federation remains within Google Apps (Drive,
> YouTube, Docs, Mail, the whole potato)

If you use Google's identity service on a site and you don't have a
valid token (cookie) then you need to get a token. The site will
redirect you to a login page. This is how it is intended to work.

If the site's servers are compromised then they can easily be configured
to direct users to a fake login page regardless of valid tokens. These
fake login pages can collect credentials and forward them to Google
using the identity platform APIs. Users get (new) valid tokens and
attackers get users' credentials.

-- 
Rich P.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org