On 12 April 2014 19:04, Paolo Invernizzi <[email protected]> wrote:
> On Saturday, 12 April 2014 at 08:45:23 UTC, Nick Sabalausky wrote:
>> On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
>>> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>>>> On 12 April 2014 11:16, Manu <[email protected]> wrote:
>>>>
>>>> Anyway, this is all beside the point, the issue is _I got an email that
>>>> TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and
>>>> offensive. When will it be fixed?
>>>
>>> Barry Warsaw is a kind person, and has spent a lot of effort in offering
>>> the community something like mailman: what's the problem with people
>>> about reading the instructions of what they are doing, before doing it? Isn't
>>> that the first rule for being conscious about security?
>>>
>>> /Paolo
>>
>> I shouldn't have to read a label just to know whether or not my food
>> contains dog shit. Some things are basic and obvious enough to just be
>> *expected*.
>
> You have hit the point: in security you _can't_ expect basic and obvious
> things, as you are starting with a biased mindset, you have to care.

There's a difference between opportunism and malicious intent. I'm sure I can be hacked if someone really wants to, but that's completely different from the idea that someone will almost certainly hack me, just because they can; ie, they opportunistically stumbled across my password while running their script over the internet, and see how far they can run with it.

We're talking about storing users' passwords _in plain text_ on a niche forum server. What confidence could I possibly have that dlang's forum server is properly secured and monitored? I'm comfortable that hackers (or even the administrators for that matter) may get my hashed, salted passwords from time to time... that's an understanding of the internet that I have become comfortable with. I'm NOT comfortable that anyone can see my password in plain text. It's practically an invitation.
You can't say to a community "I'm sorry, we lost all of your passwords, in plain text! You should have cared more about your personal security." when someone hacks your database (not that you'd know; users would just start to be randomly compromised). It is a basic reality that most people aren't particularly concerned about their security (until they are bitten), and it's also a reality that not everybody even understands computer security enough to secure themselves in basic ways. Web services MUST take a proactive approach regarding users' security, at least to a reasonable extent, and I'd argue that not storing users' passwords in plain text is quite a reasonable expectation!
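The distinction the message draws, a stored record that is the password versus a stored record that is a salted hash of it, is illustrated below in an added Python example that is not part of this thread and has nothing to do with Mailman's or the dlang forum's actual code. The user names and passwords are constructed sample values; the record format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are assumptions chosen for the demonstration. The point it makes concrete is that a leaked hashed row does not contain the password, while a leaked plaintext row is the password.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration only (not real accounts).
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """The practice the thread complains about: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash: a fresh random per-user salt plus PBKDF2-HMAC-SHA256.

    Returns a self-describing record so the verifier can recover the parameters.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """What a leaked row gives away: True if the password is readable from it."""
    return password in record


def build_tables():
    """Build both kinds of credential table side by side for comparison."""
    plain = {u: store_plaintext(p) for u, p in SAMPLE_USERS.items()}
    hashed = {u: store_hashed(p) for u, p in SAMPLE_USERS.items()}
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = build_tables()
    for user in SAMPLE_USERS:
        print(user, "plaintext row leaks password:", record_reveals_password(plain[user], SAMPLE_USERS[user]))
        print(user, "hashed row leaks password:   ", record_reveals_password(hashed[user], SAMPLE_USERS[user]))
        print(user, "login with correct password: ", verify_hashed(SAMPLE_USERS[user], hashed[user]))
```

Because each call to `store_hashed` draws a new random salt, two users with the same password (or the same user re-registering) get different records, so a leaked table cannot be cracked once and reused across rows; `hmac.compare_digest` avoids leaking which prefix of the digest matched through timing.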
