[Discuss] Are passwords even long enough?
IngeGNUe
ingegnue at riseup.net
Fri Jul 8 13:56:47 EDT 2016
On 07/07/16 23:01, Rich Pieri wrote:
> On 7/7/2016 8:07 PM, IngeGNUe wrote:
>> But that means you're considering whether one of Google's sites are
>> compromised, which is something I thought we had written off as
>> improbable. It's not like I'm using a Google account to log in to a
>> Bookface.net website or whatever.
>
> Comodo issuing fraudulent Google certificates qualifies as "Google's
> sites are compromised".
OK, now we're on the same page. Yes, I agree.
>
>
>> Or does Google rely on some other site to host, for example, YouTube?
>> Are you saying that their whole one-google-account-for-all-google-sites
>> is bad security? Because, that's what Google Apps (not talking about
>> Android) is.
>
> It's a truism that password reuse is a problem. If you reuse passwords
> then compromise of one server/service means compromise of many
> servers/services.
>
> Single sign on subsumes one password for many servers/services.
>
> Therefore yes, what Google Apps does is bad security.
Gotcha.
>
>
>> Alright, but that's the whole using a Google Account to log in to
>> Headdesk.com. I mean, if there's a federated login service for Google
>> Accounts, this is the first I've heard of it / I've never heard of it.
>
> Google, Facebook, Microsoft and Yahoo all provide federated identity
> services for third parties. Others do, too, but those are probably the
> biggest names globally.
>
> Now you've heard of it.
>
>
>> Another thing, related to endpoint security, is the mail client. They
>> say it's good enough to have SSL with POP/IMAP but then again, I don't
>> have much faith in the way SSL is implemented. Then again, I don't know
>> how much faith I *should* have in it.
>
> None.
>
I strongly agree.
People tend to avoid blaming large corporations and err on the side of
but I agree, I don't feel secure using SSL with all the ways to break it
AND the badly architectured chain of trust. Not that it's the same as
plain text data, but it's not nearly as good as it was supposed to be.
More information about the Discuss
mailing list