On 03/05/2020 at 05:27, Grant Taylor wrote:
> On 5/2/20 1:47 PM, Loren Wilton wrote:
>> The compromised password is already in plain text in the subject of
>> the message; there isn't much point in hiding it other than
>> embarrassment.
> What if the email server with the list of plain text passwords is
> compromised and said list of plain text passwords is released to a
> wide audience? The list of previous compromised passwords could have
> been very private (known corporate hack or something like that) and
> not released to a wide audience.
> Now, your list of plain text passwords on the email server is the
> source of a larger and more public release.
> Why have that list of plain text passwords /anywhere/ if you don't
> have to?
In the context of a list of passwords known to be compromised, it is
hopefully fair to assume that they are no longer in current use, and
thus no longer of any importance. If it isn't fair to assume that, then
the organisation has bigger issues in any case!
--
John
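As an added example (not from this thread or from any of the posters), one way to act on Grant's concern: keep only keyed hashes of the compromised passwords, so a filter can still flag a subject line that carries one of them while the server never stores the plaintext list. The secret key, the token regex and the sample passwords are all constructed for this illustration.

```python
import hashlib
import hmac
import re

# Constructed secret for this example. In practice it lives in a file the
# mail filter can read but the ruleset itself does not contain.
SECRET_KEY = b"example-key-kept-outside-the-ruleset"

# Word-ish tokens: split on whitespace and common subject-line punctuation.
TOKEN_RE = re.compile(r"[^\s:,;\"'<>()]+")


def fingerprint(candidate: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a string; this is what gets stored."""
    return hmac.new(key, candidate.encode("utf-8"), hashlib.sha256).hexdigest()


def build_fingerprint_set(plain_passwords, key: bytes = SECRET_KEY) -> frozenset:
    """One-time conversion; the plaintext list is discarded afterwards."""
    return frozenset(fingerprint(p, key) for p in plain_passwords)


def subject_matches(subject: str, fingerprints: frozenset,
                    key: bytes = SECRET_KEY) -> list:
    """Tokens of a subject line whose fingerprint is on the compromised list.

    The plaintext exists only in the incoming message, never in storage.
    """
    return [t for t in TOKEN_RE.findall(subject)
            if fingerprint(t, key) in fingerprints]


# Constructed sample list; these are not real leaked credentials.
FINGERPRINTS = build_fingerprint_set(["hunter2", "Tr0ub4dor&3", "correcthorse"])

if __name__ == "__main__":
    for subj in ("hunter2 - I know your password", "Invoice for April"):
        print(repr(subj), "->", subject_matches(subj, FINGERPRINTS))
```

A keyed hash only raises the bar: whoever obtains both the list and the key can still test guesses offline, so the key file's permissions matter as much as the list's.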