[180188] in North American Network Operators' Group
Re: gmail security is a joke
daemon@ATHENA.MIT.EDU (William Herrin)
Wed May 27 16:07:41 2015
X-Original-To: nanog@nanog.org
X-Really-To: <nanog@nanog.org>
In-Reply-To: <21862.1063.465196.824619@world.std.com>
From: William Herrin <bill@herrin.us>
Date: Wed, 27 May 2015 16:05:12 -0400
To: Barry Shein <bzs@world.std.com>
Cc: John Levine <johnl@iecc.com>, "Aaron C. de Bruyn" <aaron@heyaaron.com>,
 NANOG mailing list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, May 27, 2015 at 1:51 PM, Barry Shein <bzs@world.std.com> wrote:
> On May 27, 2015 at 10:28 bill@herrin.us (William Herrin) wrote:
>  > On Tue, May 26, 2015 at 4:10 PM, Scott Howard <scott@doc.net.au> wrote:
>  > > It means they are storing it unhashed
>  > > which is probably what you mean.
>  >
>  > It means they're storing it in a form that reduces to plain text
>  > without human intervention. Same difference. Encrypted at rest matters
>  > not, if all the likely attack vectors go after the data in transit.
>
> It matters a lot. [...]
> The OP was correct, if they can send you your cleartext password then
> their security practices are inadequate, period.
Am I speaking English? I thought I was speaking English.
> Unless I misunderstand what you're saying (I sort of hope I do)
Yeah, I think you probably did since I was largely agreeing with you.
What I was trying to say was that there wasn't a heck of a lot of
difference between storing a user's password with reversible
encryption and storing it in plain text. Both are supremely
unsatisfactory. Reasonable security starts by not retaining the user's
password at all. Keep only the non-reversible hash.
Regards,
Bill Herrin
-- 
William Herrin ................ herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
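As an added illustration of the point Bill makes above (keep only a non-reversible hash, never the password or a reversibly encrypted copy), the following Python is example code written for this archive page, not anything from the original post or from NANOG. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the password-hashing function; the iteration count, salt length and record layout are illustrative choices, not a recommendation taken from the thread.

```python
"""Hash-only password storage versus anything that reduces to cleartext.

Added example. Assumptions (not from the original post): PBKDF2-HMAC-SHA256
from the standard library stands in for whatever slow KDF a real system
uses; ITERATIONS, SALT_BYTES and the record fields are illustrative.
"""
import hashlib
import hmac
import os

ITERATIONS = 300_000   # work factor; illustrative, tune per deployment
SALT_BYTES = 16        # per-user random salt


def store_password(password: str) -> dict:
    """Return the only thing worth persisting: salt + derived hash.

    The cleartext is consumed by the KDF and then dropped. The iteration
    count is stored with the record so it can be raised later without
    knowing the user's password (rehash on next successful login).
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt,
        "hash": digest,
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time.

    This is the only operation the stored record supports: it can confirm
    a guess but cannot hand the password back, so a "we will e-mail you
    your password" feature is impossible to build on top of it.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def record_contains_cleartext(record: dict, password: str) -> bool:
    """Defensive check: does any stored field carry the password bytes?

    For a plaintext store this is trivially True; for a reversible
    encryption store the answer is 'not literally, but one key away';
    for hash-only storage it is False.
    """
    needle = password.encode("utf-8")
    for value in record.values():
        if isinstance(value, bytes) and needle in value:
            return True
        if isinstance(value, str) and password in value:
            return True
    return False


def main() -> None:
    # Constructed sample credential, not a real one.
    pw = "correct horse battery staple"
    rec_a = store_password(pw)
    rec_b = store_password(pw)          # same password, second user
    print("verify correct :", verify_password(rec_a, pw))
    print("verify wrong   :", verify_password(rec_a, pw.upper()))
    print("cleartext kept :", record_contains_cleartext(rec_a, pw))
    # Per-user salt: identical passwords do not yield identical records,
    # so a leaked table does not reveal which users share a password.
    print("same hash for same pw:", rec_a["hash"] == rec_b["hash"])


if __name__ == "__main__":
    main()
```

The contrast with the thread is in `verify_password`: a hash-only record supports exactly one operation, checking a candidate, and nothing in the record can be turned back into the password by the server or by whoever copies its database. A provider that can mail the cleartext must, by construction, be holding either the plaintext or a reversibly encrypted form plus the key to undo it.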