undefined | Better HN

0 pointstialaramex4y ago0 comments

If the passwords are being used by some automated service this is probably fine, at least modulo the quality of the service implementation.

If they're for actual humans, even in the best case you're vulnerable to phishing, also you are a perpetual risk because you know these passwords (or a password equivalent) so an adversary might steal your passwords (e.g. from a backup, logs, test systems, ...) and now they can impersonate all users.

It's almost certainly safer than letting users pick their own passwords, but it's less protected than, say, a Google user who set up 2-step, and much less than if they went with Advanced Protection and thus can't get phished or impersonated.

0 comments

1 comments · 1 top-level

malinens4y ago

I agree but "advanced" users should have the ability to switch advanced protections off (for example, sending emails via SMTP or for easier migration to another provider)

j / k navigate · click thread line to collapse