[BBLISA] 19,000 person company passwords stolen via HTTPS

Josh Smift irilyth at infersys.com
Tue Oct 6 10:12:31 EDT 2015


ENH> All because your password gets sent to the company over the HTTPS
ENH> connection. There is zero upside to sending the password, when there
ENH> exist standard techniques to prove you know something without
ENH> exposing the thing.

Unless I've misunderstood how this works, though, the "you" who gets to
make this decision is the server, not the client. Like, there's nothing I
as a client can do to choose to send one-time credentials rather than
reusable ones, if the server doesn't support it, right?

(So maybe what you mean here is "there's zero upside to asking your
customers to send reusable credentials", because what you want is to
encourage us IT professionals to change how our servers work. But your
rhetoric here keeps making it sound like I should feel free to do
something ("reuse passwords"), or that I should refuse to do something
("send a password"), that I can't actually choose to do as a client.)

                                      -Josh (irilyth at infersys.com)
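The quoted claim above is that standard techniques exist for proving you know a password without sending it, and the reply's point is that the client cannot use one unless the server implements it. The following is added example code, not from this thread or from anything Josh or ENH wrote. It uses a simplified HMAC challenge-response as a stand-in for real password-authentication protocols (SCRAM, SRP and the like are not implemented here); the mechanism names and the negotiation shape are assumptions made for the illustration. The client always prefers the proof-of-possession exchange, but when the server only advertises plaintext login it has no option but to send the reusable password.

```python
"""Added example: who decides whether a password is sent in the clear?

This is illustration code, not a standard protocol. The challenge-response
here is a simplified HMAC scheme standing in for SCRAM/SRP-style methods.
Note that the stored verifier in this toy scheme is itself password-
equivalent for impersonating the client; real protocols do more. The point
shown is only that the server must implement the exchange for the client to
avoid sending the password.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical mechanism names (an assumption for this example).
PLAIN = "plain"
CHALLENGE = "challenge-response"

PBKDF2_ROUNDS = 100_000


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow hash of the password; both sides compute it, the server stores it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Server:
    mechanisms: tuple                                   # what the server advertises
    users: dict = field(default_factory=dict)           # username -> (salt, verifier)
    pending: dict = field(default_factory=dict)         # username -> outstanding nonce
    received_plaintext: list = field(default_factory=list)  # passwords the server saw

    def enroll(self, username: str, password: str) -> None:
        # Store a derived verifier, never the password itself.
        salt = os.urandom(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def start_challenge(self, username: str):
        """Issue a fresh nonce; returns None if unsupported or user unknown."""
        if CHALLENGE not in self.mechanisms or username not in self.users:
            return None
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        salt, _ = self.users[username]
        return salt, nonce

    def verify_response(self, username: str, response: bytes) -> bool:
        """Check HMAC(verifier, nonce); the nonce is single-use, so replays fail."""
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def verify_plain(self, username: str, password: str) -> bool:
        """Legacy path: the server receives the reusable secret itself."""
        self.received_plaintext.append(password)
        salt, verifier = self.users.get(username, (b"", b""))
        return hmac.compare_digest(derive_verifier(password, salt), verifier)


def client_login(server: Server, username: str, password: str) -> tuple:
    """Prefer the proof-of-possession mechanism, but only if the server offers it.

    Returns (mechanism actually used, success). The choice is driven entirely
    by what the server advertises; the client cannot force the better option.
    """
    if CHALLENGE in server.mechanisms:
        salt, nonce = server.start_challenge(username)
        verifier = derive_verifier(password, salt)
        response = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return CHALLENGE, server.verify_response(username, response)
    # Nothing else on offer: the client has no choice but to send the password.
    return PLAIN, server.verify_plain(username, password)


if __name__ == "__main__":
    modern = Server(mechanisms=(CHALLENGE, PLAIN))
    modern.enroll("alice", "correct horse")
    print(client_login(modern, "alice", "correct horse"), modern.received_plaintext)

    legacy = Server(mechanisms=(PLAIN,))
    legacy.enroll("alice", "correct horse")
    print(client_login(legacy, "alice", "correct horse"), legacy.received_plaintext)
```

Running it against the two constructed servers shows the same client code sending no password to the first and the reusable password to the second; the difference is entirely in what the operator deployed on the server side.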