BLU Discuss list archive
[Discuss] Are passwords even long enough?
- Subject: [Discuss] Are passwords even long enough?
- From: ingegnue at riseup.net (IngeGNUe)
- Date: Thu, 7 Jul 2016 20:07:15 -0400
- In-reply-to: <5291960d-7318-d847-c02e-d3c8f11c0781@gmail.com>
- References: <da2a3b17-dacb-fe11-aeb3-9622103ddc5a@riseup.net> <c8758c88-6482-92e5-58e0-d379b6794b14@borg.org> <43abc9bc-4b74-65cd-2d2b-5cdf3dc891d0@riseup.net> <bcde90e5-06b3-5413-5101-39be3ea1d866@gmail.com> <6979f7dc-ebe7-1930-3075-5df4b72631ee@riseup.net> <e96a001a-3503-a9c2-c06f-69fb7d94a6d5@gmail.com> <a64384cd-0d87-3c1b-540a-19a52706d7a5@riseup.net> <5291960d-7318-d847-c02e-d3c8f11c0781@gmail.com>
On 07/07/16 11:36, Rich Pieri wrote:
> On 7/7/2016 8:50 AM, IngeGNUe wrote:
>> Now, now, we're moving the goal post. First it was spyware, then it was
>> malware in general, and now vulnerabilities? These are all distinct
>> categories.
>
> You made an assertion about trusted sources. I countered with the trust
> you place in a source has nothing to do with the quality and security,
> and that trust placed in FLOSS because it is FLOSS is misplaced.
>
>> I'm having trouble understanding yet why it would be a risk for
>> passwords as long as the federation remains within Google Apps (Drive,
>> YouTube, Docs, Mail, the whole potato)
>
> If you use Google's identity service on a site and you don't have a
> valid token (cookie) then you need to get a token. The site will
> redirect you to a login page. This is how it is intended to work.

But that means you're considering whether one of Google's sites is compromised, which is something I thought we had written off as improbable. It's not like I'm using a Google account to log in to a Bookface.net website or whatever.

>
> If the site's servers are compromised

Google's sites? :\ Or does Google rely on some other site to host, for example, YouTube? Are you saying that their whole one-google-account-for-all-google-sites is bad security? Because, that's what Google Apps (not talking about Android) is.

Anyway, to clarify, I'm not blaming Google, just following the argument. Google has been breached in the past, but we rule it out because this would have to be happening to many people.

> then they can easily be configured
> to direct users to a fake login page regardless of valid tokens. These
> fake login pages can collect credentials and forward them to Google
> using the identity platform APIs. Users get (new) valid tokens and
> attackers get users' credentials.
>

Alright, but that's the whole using a Google Account to log in to Headdesk.com.

I mean, if there's a federated login service for Google Accounts, this is the first I've heard of it / I've never heard of it. If my imaginary site examples already exist btw (and they probably do), I have no idea what is on them :)

Another thing, related to endpoint security, is the mail client. They say it's good enough to have SSL with POP/IMAP but then again, I don't have much faith in the way SSL is implemented. Then again, I don't know how much faith I *should* have in it. Then there's also the trustworthiness of the network you're using -- your VPN provider, or the wired/wireless network you're using.