[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] Possible reason why password usage rules are such a mess



On 11/20/20 11:57 AM, Arnold Reinhold wrote:
That is why we need some requirement that services that use password authentication disclose the measures they use to store password validation data, or maybe some seal of approval that guarantees the meet some minimum standards, in particular something better than fast hashes, which are no almost useless.

Down that road lies a lot of territory…

Whether, say, passwords are even required! Didn't T-Mobile recently have a problem where once logged in a user could change an account number in the URL and access a different account? Isn't S3 data routinely discovered sitting around unprotected?

Regulating around password storage feels like a narrow concern.

There are *so* many ways to build an insecure system, and there is *so* little regulation about the building of these systems. First, can we regulate our way out of this insecure mess? If we can, is this really where to start?


-kb

_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography