On Tue, Oct 6, 2015 at 6:43 AM Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote:
> In this case, it was hackers planting a malicious DLL to capture
> plaintext passwords received during HTTPS login sessions, but there's
> nothing preventing bad employees from doing this exact type of thing - by
> editing a PHP file or whatever.
>

Employees of "the company" already have access to all your information. They manage the application that stores the data and, we should assume, can do anything they want with it. By storing our data with an application provider we are already trusting everybody at the company to do the right thing with our data and our password, even if they implemented this proposal. If a malicious actor can plant a DLL that captures passwords, they could plant a DLL that captures session data and any data that you send to/from the service.

And there will always be bad actors in a company, sometimes that might be the C*O, who won't improve their security for a variety of self-serving reasons. As consumers we need to be careful about what information we give away and how much we trust that company to do the right thing with our data.

I am all for increased security but I'm having a hard time finding the value in this. It could mitigate password re-use, a password compromised in one place used to exploit an account in another place, but using service-specific passwords already does that.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/