Eddy Vluggen wrote: It may just be that you are incapable of reading of course
The only opinion I've really offered has been to state that HTTPS protects the password in transport, everything else I've said has been trying to pin you down on your belief that the client should also be involved in security by encrypting or (as you later changed to) hashing with salt, and why you think those things are good ideas. You subsequently abandoned this to hint at some un-named technology should be used instead.
Eddy Vluggen wrote: I will never point to a single item and make it responsible for security.
I didn't say "solely responsible", but you said the client should encrypt\hash before transmitting ergo should be responsible. If you want to focus on the interpretation of words rather than your actual arguments then I guess you can't have a lot of faith in them.
F-ES Sitecore wrote: The only opinion I've really offered has been to state that HTTPS protects the password in transport
As the article explained, this one was leaked outside of transport. I gave you a VERY easy example to explain that.
F-ES Sitecore wrote: on your belief that the client should also be involved in security by encrypting or (as you later changed to) hashing with salt
I do not "believe", and despite your misquoting I did not go from encrypting to hashing. I also did not abandon any view.
F-ES Sitecore wrote: you said the client should encrypt\hash before transmitting ergo should be responsible.
That's a non-sequitur, quod Eddy demonstrandum.
F-ES Sitecore wrote: If you want to focus on the interpretation of words rather than your actual arguments then I guess you can't have a lot of faith in them.
You are focussing on pinning me; I'm focussing on whacking you and having fun. It is never going to be a productive "discussion", hence the suggestion to end it.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Eddy Vluggen wrote: As the article explained, this one was leaked outside of transport
Why does that invalidate what I said?
Eddy Vluggen wrote: I do not "believe", and despite your misquoting I did not go from encrypting to hashing. I also did not abandon any view
V asked "shouldn't passwords be encrypted even before they are sent to the server".
You responded "I'd go for "both""
That suggests to me that you think the client should be involved in security? You then went on to defend the process of hashing with salt via js rather than saying "Oh, no, that's not what I meant" so that confirms that is what you believe. You then abandoned the js angle entirely by saying that it isn't the only technology you can use on the client, implying that perhaps you didn't mean js after all?
Are you aware that everything you have written is available for anyone to go back and look at?
F-ES Sitecore wrote: Are you aware that everything you have written is available for anyone to go back and look at?
Yes, that's why I keep it going.
You not amused?
If I were as clearly wrong as you are and equally determined not to admit it, I'd try to divert away from the actual issues too. When caught out I might even say I was just trolling; I hear that's popular with the kids today too.
"Mirroring is the subconscious replication of another person's nonverbal signals"
Clutching at straws much?
Eddy Vluggen wrote: I have no need to troll
You, a mere few posts ago:
"I'm focussing on whacking you and having fun"
Can I just ask again, you are aware that everyone can go back and verify what you've written?
F-ES Sitecore wrote: Can I just ask again, you are aware that everyone can go back and verify what you've written?
Yes; banking on it.
Eddy Vluggen wrote: Yes; banking on it
Ditto. Everyone can see you're using the excuse of trolling when being called out for giving bad advice and failing to be able to back it up.
You're really having trouble reading.
And you have trouble justifying your technical advice.
So let's sum up, again:
You think JavaScript should be involved in encrypting passwords before sending them to servers, despite the fact that this gives away any keys and algorithms used in the encryption. You then said that they should hash them with salt, despite the fact that this would expose the salt. Failing to explain why neither of these issues is of concern, you then attempted to say that the client technology doesn't have to be JavaScript but something else that you didn't elaborate on. Rather than explain yourself we've had you backpedaling, employing a range of fallacious arguments, implying you're just trolling and so on, all to (and this is how it appears to me) drag the discussion away from your original advice because you can't back it up and you're unwilling to simply admit that you were wrong.
V. wrote: shouldn't passwords be encrypted even before they are sent to the server?
That's not really possible, https is there to protect the data in transit so that it's never exposed in plain text.
...as does Twitter. SSL is for transport, and as you can read in the article, once received it enters the system. It was logged in plaintext.
So, no, having SSL does not mean that it is "never" exposed. If you are saying it is not possible for others to get the password due to SSL, then again, Twitter shared this message (and took a hit in the value of their stocks!) because the password was visible in plain-text to the employers of Twitter.
TL;DR - yer wrong.
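As an added example (not code from anyone in this thread), a small constructed Python login handler shows the point being made above: TLS has already done its job by the time the decoded body reaches the handler, so `log_record_naive` still writes the plaintext password to the server's own log, while the redacted path logs nothing secret and keeps only a salted PBKDF2 hash. Function names, field names and the sample request are assumptions made up for the illustration.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample login request, as a web framework would hand the decoded
# form body to a handler after the TLS layer has already been stripped off.
SAMPLE_REQUEST = {"username": "alice", "password": "correct horse battery staple", "remember": "1"}

SENSITIVE_FIELDS = {"password", "new_password", "token"}  # assumed field names
PBKDF2_ROUNDS = 600_000  # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def log_record_naive(request: Dict[str, str]) -> str:
    """The failure mode from the thread: HTTPS protected the body in transit, but the
    handler dumps the whole decoded body into its log, so the plaintext password is
    written to disk inside the server environment anyway."""
    return json.dumps(request)


def log_record_redacted(request: Dict[str, str]) -> str:
    """Fix: secrets never reach the logger. Redact by field name before formatting."""
    return json.dumps({k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in request.items()})


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side slow hash with a per-user random salt; only this pair is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def handle_login(request: Dict[str, str], users: Dict[str, Tuple[bytes, bytes]], log: List[str]) -> bool:
    """Hypothetical handler: log only the redacted record, then consume the plaintext
    immediately so nothing downstream (audit trail, exception dump) can see it."""
    log.append(log_record_redacted(request))
    password = request.pop("password", "")  # removes the secret from the request dict
    stored = users.get(request.get("username", ""))
    if stored is None:
        return False
    return verify_password(password, *stored)
```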
I said HTTPS means it isn't exposed in transit. The fact that you implied I meant HTTPS means the data can never ever be exposed no matter what you do with that data after you receive it is just a straw-man argument.
TL;DR - yer a troll
In this case enough strawman argument to warrant a password-change.
Your argument was a straw-man one because you misrepresented what *I* said; Twitter is irrelevant. If you have no counter to my rebuttal against your misrepresentation of what I said then I'll take that as an admission.
My apologies for the insinuation. Given the article and your post, I merely wanted to point out that SSL is not enough to say that you've a 'secure environment'.
Good.
At least they are open about the problem.
I'd rather be phishing!
Eddy Vluggen wrote: If you have reused the password on other sites, change those too
I have used your password to login to Twitter.
I've changed my password to your new password, but you might want to change your own password too
Sander Rossel wrote: I have used your password to login to Twitter.
My Twitter-password will never be stolen, as I never had an account there.
So, please change my password back?
Eddy Vluggen wrote: My Twitter-password will never be stolen, as I never had an account there.
Exactly.
Well, since this "mistake" has most likely been there since day one, it is possible that either Biz Stone or Noah Glass was to blame. I am sure there was no "thorough" security code review done prior to first launch, or this "mistake" would have been caught.
-- my opinions, so I could be completely off mark here.
That sounds more like a careless mistake to me.
Bryian Tan
Toolkit aims to make building "confidential computing" containerized apps easier. TEE off your applications
Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine reported on Thursday.
That's great, because they almost fixed the old ones already.