nanog mailing list archives
Re: LinkedIn password database compromised
From: Randy Bush <randy () psg com>
Date: Thu, 21 Jun 2012 08:33:47 +0900
> The fact that it is symmetric leads to the problem. Even if the attacker had fully compromised the server end they get nothing. There's no replay attack. No shared secret they can use to log into another web site. Zero value.

with per-site passphrases there is no cross-site threat. there is replay, as you point out. would be interested to hear smb on this.

> Yep. Don't get me wrong, there's an RFC or two here, a few pages of code in web servers and browsers. I am not asserting this is a trivial change that could be made by one guy in a few minutes. However, I am suggesting this is an easy change that could be implemented in weeks not months.

did you say RFC in the same sentence as weeks? but i definitely agree that we should be able to do better than we are now.

randy
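An added illustration of the two points traded above (example code written for this archive page, not from anyone in the thread): a per-site passphrase sent as-is can be replayed from one captured transcript, while a signature over a fresh server challenge cannot, and a dump of the signature-based server holds only public keys. The Ed25519 challenge-response shape, the `pkServer` type and the constructed passphrase are assumptions, not a protocol the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Symmetric login: the server keeps a hash of the per-site passphrase and the
// client sends the passphrase itself, so one captured transcript replays forever.
func pwLogin(stored [32]byte, sent string) bool {
	h := sha256.Sum256([]byte(sent))
	return subtle.ConstantTimeCompare(h[:], stored[:]) == 1
}

// Asymmetric login (assumed scheme): the server keeps only the public key and
// issues a fresh random challenge per attempt; the client signs that challenge.
type pkServer struct {
	pub       ed25519.PublicKey // all a dump of this server's store would yield
	challenge []byte            // outstanding challenge, consumed by one attempt
}

func (s *pkServer) newChallenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge)
	return s.challenge
}

func (s *pkServer) login(sig []byte) bool {
	ok := ed25519.Verify(s.pub, s.challenge, sig)
	s.challenge = nil // consumed: the same signature is never accepted twice
	return ok
}

// replayOutcomes logs in once under each scheme, then replays the captured
// message; it reports whether the replay succeeded for (passphrase, signature).
func replayOutcomes() (bool, bool) {
	pass := "constructed per-site passphrase" // also what a sniffer saw on the wire
	stored := sha256.Sum256([]byte(pass))
	pwLogin(stored, pass)
	pwReplay := pwLogin(stored, pass) // second presentation is accepted again
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pk := &pkServer{pub: pub}
	capturedSig := ed25519.Sign(priv, pk.newChallenge())
	pk.login(capturedSig)
	pk.newChallenge() // next attempt gets a fresh challenge
	return pwReplay, pk.login(capturedSig)
}
```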