On 2020-03-24 9:35 a.m., micah anderson via mailop wrote:
> Steve Freegard via mailop <mailop@mailop.org> writes:
>> I included the partial SHA-1 to be compatible with automation and
>> tooling around the HaveIBeenPwned API - see
>> https://haveibeenpwned.com/API/v3#PwnedPasswords
> I understand that desire, but I wish the HaveIBeenPwned things were
> better. As a provider, even with their API, it's basically useless for us
> to actually consume in a way that makes sense.
While 'haveIbeenpwned' is an interesting piece of data for researchers,
having an email address and password combination in there does NOT
necessarily mean the account has been compromised either, or, more to the
point, is still compromised.
There are many other tools available to email operators to detect email
compromises (rate limiters, outbound filtering, authentication source
verification, ACLs, etc.), and of course implementing multi-factor
authentication can also address re-used passwords.
Like others on the list pointed out, if you send 'noise' then people
will simply 'tune out' your reports. While I commend you for looking
at ways to help address the problem, you might want to have a smaller
set of more accurate reports, and then widen it bit by bit, rather than
the other way around.
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
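The quoted exchange refers to the HaveIBeenPwned Pwned Passwords API, which works on partial SHA-1 hashes: a client sends only the first five hex characters of the password's SHA-1 and gets back every suffix in that range with a breach count, so the full hash never leaves the client. The following is an added example, not code from the thread or from HaveIBeenPwned, showing that range lookup end to end. The range endpoint URL is the documented one; the range body used here is constructed inline (the row for "password" uses that password's real SHA-1, but its count and the other rows are made up) so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the range endpoint returns for the prefix
# "5BAA6". Format: one "<35-hex-char suffix>:<count>" row per line. The suffix
# for "password" is its real SHA-1 remainder; every count here is invented,
# and the ":0" row imitates the padding rows the API adds when the client
# sends "Add-Padding: true".
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0000000000000000000000000000000ABCD:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    Only the prefix is sent to the service; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """Build the range request URL; the prefix is all the service ever sees."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_ENDPOINT + prefix


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: count}, dropping padding rows.

    Padding rows carry a count of 0 and must not be reported as matches.
    Malformed lines are skipped rather than trusted.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not count.isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix] = n
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher that serves the constructed sample instead of HTTP."""
    return SAMPLE_RANGES.get(prefix, "")


def http_fetch(prefix: str, timeout: float = 10.0) -> str:
    """Fetch a real range from the API (not used by the offline demo).

    Add-Padding asks the service to pad the response so the row count does
    not leak which range was requested; parse_range() drops the padding.
    """
    req = urllib.request.Request(
        range_url(prefix),
        headers={"Add-Padding": "true", "User-Agent": "range-lookup-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=offline_fetch) -> int:
    """Return how often the password appears in the corpus, 0 if not at all."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times (offline sample)")
```

A count of zero from this lookup means "not in the sampled range", which, as the reply above stresses, is a different statement from "this account is safe"; equally, a non-zero count says the password string is known, not that this particular account has been taken over.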