Archive of UserLand's first discussion group, started October 5, 1998.

Re: Biggest barrier to building a community in Manila

Author: Eric Soroos
Posted: 9/9/2000; 1:23:37 PM
Topic: Biggest barrier to building a community in Manila
Msg #: 21080 (In response to 21059)
Prev/Next: 21079 / 21081

Plus, since anyone with access to the server can look up each member's password — in plain text, mind you — this can be a security risk. So not only can the Manila admin potentially read your password, but if you use the same password over and over at each Manila site you visit, as well as at other sites that require membership, then you've blown your identity. Someone can sign in as you!

So?

There are 7000+ manila sites. Has this been a problem yet? What's the potential damage from a stolen password? Not very big. Someone could forge posts.

Wooho.

One can reasonably convincingly forge email. One can reasonably convincingly forge usenet posts. We're a community, we know what people tend to say. I tend to be a bit of a crank. Wes tends to have good knowledge of programming arcana and privacy issues. Dave, well, Dave is Dave.

If I'm a malicious server admin, rest assured that if you ever log into the system, I can get your password somewhere in the chain unless you're using badass end-to-end crypto like Kerberos.

Obfuscated passwords don't count, since I have essentially infinite time to do dictionary attacks. SSL doesn't count, since I get to write the script on the other end of the SSL-ized connection. There's your bank website level of security. But you trust your bank to not need to iterate the 9999 possible PIN numbers that you have.

For reference, Kerberos-style security tends to be used in large LAN situations like universities where packet sniffing is a popular pastime.

Security effort needs to be appropriate to the risk level. It should balance ease of use with security and accurately reflect the level of security. In a lot of cases, you're better with minimal security and the knowledge that it's minimal than half-assed moderate security with gaping hidden holes.

eric




This page was archived on 6/13/2001; 4:56:36 PM.

© Copyright 1998-2001 UserLand Software, Inc.