Re: [Cryptography] Possible reason why password usage rules are such a mess
On 11/20/20 11:57 AM, Arnold Reinhold wrote:
> That is why we need some requirement that services that use password
> authentication disclose the measures they use to store password
> validation data, or maybe some seal of approval that guarantees they
> meet some minimum standards, in particular something better than fast
> hashes, which are now almost useless.
Down that road lies a lot of territory…
Whether, say, passwords are even required! Didn't T-Mobile recently have
a problem where once logged in a user could change an account number in
the URL and access a different account? Isn't S3 data routinely
discovered sitting around unprotected?
Regulating around password storage feels like a narrow concern.
There are *so* many ways to build an insecure system, and there is *so*
little regulation about the building of these systems. First, can we
regulate our way out of this insecure mess? If we can, is this really
where to start?
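As an added illustration of the point in the quoted message (this is example code written for this page, not anything posted by Arnold Reinhold or the list), the block below stores password validation data two ways: a plain fast hash, and a salted PBKDF2 record that embeds its own cost parameters, so the "measures used to store password validation data" are readable from the record itself. The record format, the 200,000 iteration count and the sample password are my assumptions for the example, not a standard anyone mandates.

```python
"""Fast hash vs. salted, iterated KDF for password validation data.

Added example; assumptions: a '$'-separated self-describing record format,
PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte random salt.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # illustrative work factor (assumption, not a mandate)
SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def fast_hash_record(password: str) -> str:
    """The pattern the quoted message calls 'almost useless': one unsalted SHA-256."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 with the iteration count embedded so an auditor can read it."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), _b64(salt), _b64(key)])


def verify(record: str, password: str) -> bool:
    """Check a candidate password against either record type with a constant-time compare."""
    scheme, *fields = record.split("$")
    if scheme == "sha256":
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(fields[0], digest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_b64, key_b64 = fields
        expected = base64.b64decode(key_b64)
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  base64.b64decode(salt_b64), int(iterations),
                                  dklen=len(expected))
        return hmac.compare_digest(expected, key)
    raise ValueError(f"unknown scheme: {scheme}")


def cost_parameters(record: str) -> dict:
    """What a disclosure of the storage measure would have to say about a record."""
    scheme, *fields = record.split("$")
    if scheme == "sha256":
        return {"scheme": "sha256", "salted": False, "work_factor": 1}
    if scheme == "pbkdf2_sha256":
        return {"scheme": "pbkdf2_sha256", "salted": True, "work_factor": int(fields[0])}
    raise ValueError(f"unknown scheme: {scheme}")


def guesses_per_second(record: str, guesses: int) -> float:
    """Single-threaded verify() throughput: a rough proxy for offline guessing cost."""
    start = time.perf_counter()
    for i in range(guesses):
        verify(record, f"wrong-guess-{i}")   # constructed wrong candidates
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    fast, slow = fast_hash_record(pw), slow_hash_record(pw)
    print(cost_parameters(fast), f"{guesses_per_second(fast, 2000):,.0f} guesses/s")
    print(cost_parameters(slow), f"{guesses_per_second(slow, 5):,.0f} guesses/s")
```

The throughput numbers are only a single-core, pure-CPython proxy; a dedicated cracking rig is faster at both, but the ratio between the two records is what the "fast hashes are almost useless" remark is about. The self-describing record also shows why the disclosure idea is practical: the scheme and work factor are data a service can publish or an assessor can verify without seeing any password.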
The cryptography mailing list
cryptography AT metzdowd.com