On 13 April 2014 12:02, Adam D. Ruppe <[email protected]> wrote:
> On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
>
>> Never storing or transmitting password in plain text is not only basic,
>> obvious and to be expected, but it is THE most basic, obvious and
>> to-be-expected principle that exists in computer security.
>
> ... and it is also the most common way passwords are sent in internet
> protocols.
>
> * SMTP and HTTP will base64 encode it with their basic auth but that's it
>
> * web sites typically transmit it completely open
>
> There's SSL now that gets more traction, but if you expect a password NOT
> to be sent in something trivially converted to plain text, wake up and smell
> the RFC.

There's been a migration of responsible services to https, but even without that, I consider that a different level of negligence.

The difference is, someone has to be actively monitoring me to capture my password in flight; if I'm a deliberate target, they'll get me somehow anyway.

This is passive, it's _storing_ a large number of users' passwords all together in one big plain-text blob. It's basically asking to be collected. There's no transience, I'm compromised even if I'm not a target, and even if I don't log on. My involvement is not required.
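The storage-side point above (a plain-text blob is compromised the moment it is copied, whether or not a user ever logs on) is what salted password hashing addresses. The following is an added example, not code from this thread or from any project it mentions; it uses only the Python standard library, the user names and passwords are constructed sample data, and the iteration count is an assumed illustrative value:

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample records: the "big plain-text blob" the reply warns about.
# Two users deliberately share a password to show what the per-user salt buys.
PLAINTEXT_STORE: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}

# Assumed illustrative work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash.

    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'
    so the verifier can recover the parameters without a side table.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


def build_hashed_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """What the on-disk table should look like: no password recoverable by reading it."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def stored_values_match(store: Dict[str, str], a: str, b: str) -> bool:
    """True if two users' stored records are byte-identical.

    In the plain-text blob this is true whenever two users chose the same
    password; with per-user salts it is false even then, so a copy of the table
    does not even reveal which accounts share a password.
    """
    return store[a] == store[b]


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record)
    print("bob/carol identical in plain text:", stored_values_match(PLAINTEXT_STORE, "bob", "carol"))
    print("bob/carol identical once hashed:  ", stored_values_match(hashed, "bob", "carol"))
```

The record format carries its own salt and iteration count so the work factor can be raised later and old records re-hashed on next successful login; the constant-time comparison in `verify_password` is the detail most often dropped in hand-rolled versions.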
