undefined | Better HN

0 pointsmasklinn13y ago0 comments

> Because it's not that important.

yes, it very much is.

> In most cases what someone could do with my account is to view articles I have paid for

That's not the problem with leaking plaintext accounts. If the user database is compromised, you can safely assume all of the site is and the site's data is leaked as well (or would be if anyone gave a fuck).

The problem of cleatext (or easy to reverse) password databases is twofold:

1. Most users reuse the same password again and again and again. Having their password leaked on site 1 means all of their accounts are now wide open to whoever got the passwords.

2. Even if only the passwords themselves are leaked, this provides a huge dataset of effective, real-world password. This is a treasure trove of human behaviors and enables the improvement of brute-forcing mutators. In fact, one of the most substantial and important events in modern hacking history was the RockYou password leak.

0 comments

5 comments · 2 top-level

danielweber13y ago· 2 in thread

You seem unfamiliar with the specific case. It wasn't the user database that was compromised.

It was plainly obvious to any user of IEEE that they were storing your password in clear text. Because they would, y'know, mail it to you. And the mail would have live hyperlinks to access your account, which generally means GET requests.

masklinnOP13y ago

> You seem unfamiliar with the specific case. It wasn't the user database that was compromised.

Which isn't really relevant. A password leak is a password leak, whatever its source is.

> It was plainly obvious to any user of IEEE that they were storing your password in clear text

And nobody every took issue with that?

> And the mail would have live hyperlinks to access your account, which generally means GET requests.

That doesn't mean anything, the hyperlink could have contained a nonce allowing log-in.

danielweber13y ago

Which isn't really relevant.

Then please don't bring it up, i.e., say things like "if the user database is compromised, you can safely assume all of the site is".

And nobody every took issue with that?

Maybe they did, maybe they didn't. IEEE members are probably slightly more informed than your random AOL user. There are plenty of mail managers out there that mail you your password automatically every month.

1 more reply

larrys13y ago· 1 in thread

"Most users reuse the same password again and again and again. Having their password leaked"

Yes it is generally accepted that many users reuse the same password on different sites. But that is a separate issue and really has nothing to do with what has happened here or why proper security should obviously be followed. Not disagreeing with that.

But I disagree with the fact that since the user does the wrong thing many times, it is the responsibility of the site operator to assume that in the building of their product (in the way this issue is being discussed). If it is, where are all the warnings on any site saying "make sure not to give us a password you use anywhere else". (I've rarely seen any warning like that, have you?)

Of course this is all a matter of degree. There are many cases where you have to prevent users from their folly. True. My question is simply while there are many ways that sites try to enforce correct password behavior, I've yet to see (meaning if it exists I haven't really noticed it whereas I've notice other password thoughts) one that informs people to make sure the password they use is unique to their site AND the other typical restrictions (length, mixed case etc.)

masklinnOP13y ago

> Yes it is generally accepted that many users reuse the same password on different sites. But that is a separate issue

No. That's the one and whole reason why you're supposed to one-way encrypt passwords with a suitable hash: protecting the shared secret.

> But I disagree

So what?

> If it is, where are all the warnings on any site saying "make sure not to give us a password you use anywhere else". (I've rarely seen any warning like that, have you?)

Yes, I have. These warnings don't actually add to anything as they're not followed, and impossible to get followed without making the system so cumbersome it's unusable. Apart from using 2-factor auth. Which is an other "responsibility of the site operator" which I guess you wouldn't want foisted upon him as you seem to believe site operators are and should be irresponsible.

> one that informs people to make sure the password they use is unique to their site

A suggestion which will go instantly ignored by 99% of the users (on average, technical sites will probably be lower). The single % left already don't reuse passwords.

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

danielweber13y ago· 2 in thread

You seem unfamiliar with the specific case. It wasn't the user database that was compromised.

masklinnOP13y ago

> You seem unfamiliar with the specific case. It wasn't the user database that was compromised.

Which isn't really relevant. A password leak is a password leak, whatever its source is.

> It was plainly obvious to any user of IEEE that they were storing your password in clear text

And nobody every took issue with that?

> And the mail would have live hyperlinks to access your account, which generally means GET requests.

That doesn't mean anything, the hyperlink could have contained a nonce allowing log-in.

danielweber13y ago

Which isn't really relevant.

Then please don't bring it up, i.e., say things like "if the user database is compromised, you can safely assume all of the site is".

And nobody every took issue with that?

1 more reply

larrys13y ago· 1 in thread

"Most users reuse the same password again and again and again. Having their password leaked"

masklinnOP13y ago

> Yes it is generally accepted that many users reuse the same password on different sites. But that is a separate issue

No. That's the one and whole reason why you're supposed to one-way encrypt passwords with a suitable hash: protecting the shared secret.

> But I disagree

So what?

> If it is, where are all the warnings on any site saying "make sure not to give us a password you use anywhere else". (I've rarely seen any warning like that, have you?)

> one that informs people to make sure the password they use is unique to their site

A suggestion which will go instantly ignored by 99% of the users (on average, technical sites will probably be lower). The single % left already don't reuse passwords.

j / k navigate · click thread line to collapse