nanog mailing list archives

Re: gmail security is a joke


From: William Herrin <bill () herrin us>
Date: Wed, 27 May 2015 16:05:12 -0400

On Wed, May 27, 2015 at 1:51 PM, Barry Shein <bzs () world std com> wrote:
> On May 27, 2015 at 10:28 bill () herrin us (William Herrin) wrote:
> > On Tue, May 26, 2015 at 4:10 PM, Scott Howard <scott () doc net au> wrote:
> > > It means they are storing it unhashed
> > > which is probably what you mean.
> >
> > It means they're storing it in a form that reduces to plain text
> > without human intervention. Same difference. Encrypted at rest matters
> > not, if all the likely attack vectors go after the data in transit.
>
> It matters a lot. [...]
> The OP was correct, if they can send you your cleartext password then
> their security practices are inadequate, period.
>
> Am I speaking English? I thought I was speaking English.
>
> Unless I misunderstand what you're saying (I sort of hope I do)

Yeah, I think you probably did since I was largely agreeing with you.
What I was trying to say was that there wasn't a heck of a lot of
difference between storing a user's password with reversible
encryption and storing it in plain text. Both are supremely
unsatisfactory. Reasonable security starts by not retaining the user's
password at all. Keep only the non-reversible hash.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
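The distinction Bill draws, reversible encryption that "reduces to plain text without human intervention" versus keeping only a non-reversible hash, as an added illustration that is not part of the thread (the toy SHA-256 stream cipher, the sample user and password, and the PBKDF2 parameters are all constructed for the example):

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credential for the demonstration.
PASSWORD = "correct horse battery staple"

# --- Scheme 1: reversible encryption at rest (what the thread objects to) ---
# Hypothetical toy stream cipher built from SHA-256 so the example has no
# dependencies. The point is only that a key sitting on the same server turns
# the stored value back into the password with no human in the loop.
SERVER_KEY = secrets.token_bytes(32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def store_reversible(password: str, key: bytes = SERVER_KEY) -> dict:
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"nonce": nonce, "ct": ct}

def recover_cleartext(record: dict, key: bytes = SERVER_KEY) -> str:
    """The 'send you your password' path: anyone holding the server key
    (or a compromised server) gets the cleartext back automatically."""
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()

# --- Scheme 2: non-reversible salted hash (what the thread recommends) ---
def store_hashed(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_hashed(record: dict, attempt: str) -> bool:
    """Only a yes/no answer exists; there is no function that returns the
    password, so the site cannot email it even if it wanted to."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

if __name__ == "__main__":
    print("reversible store gives back:", recover_cleartext(store_reversible(PASSWORD)))
    print("hashed store can only verify:", verify_hashed(store_hashed(PASSWORD), PASSWORD))
```

A site that can send you your password in cleartext is necessarily running something like scheme 1; a site running scheme 2 can only offer a reset.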