BLU Discuss list archive
[Discuss] Are passwords even long enough?
- Subject: [Discuss] Are passwords even long enough?
- From: ingegnue at riseup.net (IngeGNUe)
- Date: Thu, 7 Jul 2016 19:27:09 -0400
- In-reply-to: <CAPiok-pq-wj2Cs=EREyGFd+zXU8yvGvBW-9gDmewkqDTSkTwVQ@mail.gmail.com>
- References: <da2a3b17-dacb-fe11-aeb3-9622103ddc5a@riseup.net> <c8758c88-6482-92e5-58e0-d379b6794b14@borg.org> <43abc9bc-4b74-65cd-2d2b-5cdf3dc891d0@riseup.net> <bcde90e5-06b3-5413-5101-39be3ea1d866@gmail.com> <6979f7dc-ebe7-1930-3075-5df4b72631ee@riseup.net> <e96a001a-3503-a9c2-c06f-69fb7d94a6d5@gmail.com> <a64384cd-0d87-3c1b-540a-19a52706d7a5@riseup.net> <CAPiok-pq-wj2Cs=EREyGFd+zXU8yvGvBW-9gDmewkqDTSkTwVQ@mail.gmail.com>
On 07/07/16 09:21, John Hall wrote:
> On Thu, Jul 7, 2016 at 8:50 AM, IngeGNUe <ingegnue at riseup.net> wrote:
>
>> I'm having trouble understanding yet why it would be a risk for
>> passwords as long as the federation remains within Google Apps (Drive,
>> YouTube, Docs, Mail, the whole potato)
>
> I agree!
>
> I am however suspicious of IT departments that have "business requirement"
> to maintain a man in the middle attack on everyone in the office for
> "enterprise data security".

IIRC that would be a proxy service. Yes, there are plenty of reasons to be nervous about the power disparity between IT staff and users, because it places extraordinary amounts of trust in the IT staff to respect and protect the information. There are individual IT staff who would NEVER dream of doing anything shady, but still. IT can be your little 'big brother'.

You would have a very different relationship to a proxy service that you set up on your own computer (e.g. Privoxy).

> Do you roam and visit many companies and log into Google there?
> Do you ever use a public terminal that could have a keyboard logger or a
> colleague or friend's computer that might have been infected with spyware?

I don't log on to Google anywhere else but my own computer, and previously a mail client on a Nexus device. The length of the passwords and the scope/goal of the account discourage misbehaviors such as logging on to foreign computers. If I can't remember a password, then I can't be tempted to misuse it.

I'm willing to believe that I may have broken one of my rules at some point, and just don't remember it, but it does make me curious if there's some security precaution I failed to include in my process.

> On Sat, Jul 2, 2016 at 9:13 PM, Rich Pieri <richard.pieri at gmail.com> wrote:
>
>> So I ask: have you used
>> your Google account to authenticate yourself with any services other
>> than Google? If so then that's probably how it happened.
>
> I'm not following this assertion that using OAUTH to use other services is
> a conduit for compromising passwords. I call bullshit on this. How do you
> figure that happens?

I don't know much about OAuth specifically, but there are a few points at which data could be compromised.

Scenario: Website1.com sends login data to Website2.com for some presumably justified reason:

0) Not specific to federated services: the security of the connection between the user and Website1.com. Also not specific to federated services is endpoint security (that no malicious code is running) on any of the machines handling the data, be it client or server.

1) The security of the connection between Website1.com and Website2.com.

2) The user assumes that Website1.com is trustworthy, and while this may be true, the user is, as a side-effect, trusting Website1.com's trust in Website2.com. If Website2.com is actually malicious, compromised, or more negligent than Website1.com, then your security is undermined.

I think this is what Rich means by federated, but IDK.

> I believe that using oauth is a great way to access many websites and a
> secure way to use fewer passwords. It solves the problem of password reuse.
>
> The authentication mechanism *never* passes your password to websites using
> oauth.

Oh, that's neat!

> When you enter your user name and password when you use Google or Facebook
> to log into sites, that information is never shared. That form is from
> Google, Facebook, etc. The site is given a LIMITED access OAUTH token that
> for example might allow them to know your email address, but what they can
> do with this token is very limited and it gives them zero insight on your
> password.
>
> The 2-factor services that allow access to many websites are one of the
> most important tools you can use to keep your accounts secure.
>
> Thanks,
> John

Thanks for the info.