[BBLISA] 19,000 person company passwords stolen via HTTPS

Josh Smift irilyth at infersys.com
Tue Oct 6 11:18:51 EDT 2015


JBS> Unless I've misunderstood how this works, though, the "you" who gets
JBS> to make this decision is the server, not the client. Like, there's
JBS> nothing I as a client can do to choose to send one-time credentials
JBS> rather than reusable ones, if the server doesn't support it, right?

ENH> As a client, you can choose to use services that don't require access
ENH> to your password, encryption keys, or data. If you use services such
ENH> as Dropbox, Google, etc, that require you to provide them access, you
ENH> can inform them this is something you care about (maybe you can't
ENH> actually reach Dropbox or Google, but others you can actually reach)
ENH> and you can choose to switch to competing services that don't have
ENH> that requirement.

Sure, but at the moment, "competing services that don't have that
requirement" is basically zero, right? I can certainly be an activist, and
send feedback to every password-using web site that I use saying "hey it'd
be better if you offered the option to use one-time credentials, this
CBcrypt thing looks like a really good way to do it", it just doesn't seem
likely to get very far.

JBS> (So maybe what you mean here is "there's zero upside 

ENH> What I mean is, there is zero benefit and all downside, to exposing
ENH> your password to any servers.

Enh, I'm quibbling with your rhetoric here, but I think your rhetoric is
confusing and misleading. This sounds to me like you're saying that I
should stop exposing my password to any servers, because there's no
advantage to me to doing that. I think that's obviously not true: One
advantage is that I get to use those servers. If I decided to stop
exposing my password to Google, I'd have to stop using Google's services
entirely. Being able to use Google's services has more than zero benefit
to me.

Yes, *if Google offered me the option*, it'd be all benefit and no
downside to switching to one-time credentials. But they're not actually
offering me that option. (Well, they sort of are, in that they do offer
MFA-based authentication, and in fact I use it there, and everywhere else
that offers it.)

ENH> All servers and services worldwide should adopt the new standard. 
ENH> Most services aren't there yet.

Yep. But I as a client can't do much to cause that to happen.

JBS> to asking your customers to send reusable credentials"

ENH> There wasn't any mention of reusable credentials in this thread

Sending a password to a server, which can be used a second time to log in
to that server, is what I meant by "reusable credentials".

JBS> But that's not a core focus - gaining the ability to reuse passwords
JBS> is just a nice side-effect and isn't the main reason you should care

I don't mean "reusable" in the sense of "I can use a single password to
generate one-time credentials for multiple web sites", I mean it in the
sense of "when I send my password to a site, if someone intercepts it,
they can use it again". As opposed to if I send a one-time credential,
which can only be used once, and is thus worthless even if it's intercepted.

                                      -Josh (irilyth at infersys.com)
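The distinction Josh draws between a reusable password and a one-time credential, shown as an added example that is not from this thread, from CBcrypt or from any service named above. It is a generic challenge-response sketch: the server holds a password-derived key (assumed here to be PBKDF2 output) and challenges the client with a fresh nonce; the client answers with an HMAC over the nonce, so a captured answer is useless on a second attempt. The `Server`, `client_response` and `demo_*` names are illustrative only.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumption for the example; real deployments tune this


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived key shared by client and server (assumed PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    """Hypothetical server supporting both login styles, for contrast."""

    def __init__(self):
        self.users = {}    # user -> (salt, derived key)
        self.pending = {}  # user -> nonce issued and not yet redeemed
        self.used = set()  # nonces already redeemed, never accepted again

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))

    # --- reusable credential: the client sends the password itself ---
    def login_with_password(self, user: str, password: str) -> bool:
        salt, key = self.users[user]
        return hmac.compare_digest(derive_key(password, salt), key)

    # --- one-time credential: nonce challenge, HMAC response ---
    def challenge(self, user: str):
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return salt, nonce

    def login_with_response(self, user: str, nonce: bytes, response: bytes) -> bool:
        expected = self.pending.pop(user, None)  # each nonce redeemable once
        if expected is None or nonce != expected or nonce in self.used:
            return False
        self.used.add(nonce)
        _, key = self.users[user]
        return hmac.compare_digest(hmac.new(key, nonce, "sha256").digest(), response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends instead of the password."""
    return hmac.new(derive_key(password, salt), nonce, "sha256").digest()


PASSWORD = "correct horse battery staple"  # constructed sample credential


def demo_reusable():
    """Attacker who captured the password logs in again: (first, replay)."""
    s = Server()
    s.register("josh", PASSWORD)
    first = s.login_with_password("josh", PASSWORD)
    captured = PASSWORD  # intercepted on the wire
    replay = s.login_with_password("josh", captured)
    return first, replay  # (True, True): the credential is reusable


def demo_one_time():
    """Attacker who captured (nonce, response) replays it: (first, replay)."""
    s = Server()
    s.register("josh", PASSWORD)
    salt, nonce = s.challenge("josh")
    resp = client_response(PASSWORD, salt, nonce)
    first = s.login_with_response("josh", nonce, resp)
    s.challenge("josh")  # server has moved on to a fresh nonce
    replay = s.login_with_response("josh", nonce, resp)
    return first, replay  # (True, False): the captured answer is worthless


if __name__ == "__main__":
    print("reusable password:", demo_reusable())
    print("one-time response:", demo_one_time())
```

Note what this does and does not buy: the response is intercept-proof, but the server still stores a key that is a password-equivalent for that one site, so a breach of the server's database is a separate problem this sketch does not address. Both sides must also agree on the scheme, which is exactly the point made above that the client alone cannot opt in.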
