On Saturday, 12 April 2014 at 16:41:09 UTC, Walter Bright wrote:
And a company whose only business goal is to keep passwords secure is probably harder to hack into than companies which have a different focus and might not invest as much into security.

"probably" doesn't work for me when the consequences of being wrong are so awful.

True, and by being a password business which people use for important passwords it becomes a primary target. So if there are weaknesses they are more likely to be found and exploitation skillfully hidden from detection...

Besides, the weakest link is your keyboard. You could be snooped by a radiation-based scanner when you are outside your Faraday cage. Master passwords for anything more important than Facebook are irresponsible IMHO.

But yeah, storing passwords in the clear is no good, because MOST people reuse passwords for services that are unimportant with the assumption that they are hashed before they are compared. This is a calculated risk. Man-in-the-middle attacks are a bit less likely than site hacking (try a traceroute), and HTTPS can also suffer from those, so I think Manu is right about being upset. Storing passwords in the clear is a lot worse than clear transmission.
