[Cryptography] Why is emailing me my password?

Kelly John Rose iam at kjro.se
Tue Oct 1 16:26:01 EDT 2013


I think it's absurd to say that it gives a false sense of security. It
only gives a sense of security if you didn't read the text when you
entered the password in the first place. It keeps people from doing mass
unsubscribes trivially.

If someone was targeting you, yes, they would be able to delete your
subscription, but that would likely be true with little effort to begin
with if you are of the type that doesn't read that your password is
stored insecurely and sent in plain text when you enter it.

On 01/10/2013 2:17 PM, Markus Wanner wrote:
> On 10/01/2013 06:56 PM, Benjamin Kreuter wrote:
>> 2. The password is sent just in case you forgot it and want to
>>    unsubscribe.  Without the password, any troll might unsubscribe you
>>    from the list by simply forging headers.  Were this to be encrypted,
>>    you would wind up with the classic problem of lost private keys,
>>    leaving people who forgot their password unable to unsubscribe (at
>>    least in any automated fashion).
> 
> Agreed, that's a good point against PKI in this case. However, why use a
> password at all? I'd also argue it gives a false sense of security.
> 
> For that very reason I prefer mailing list software that works via email
> (rather than web interface) and authenticates by the ability to receive
> mails under the given email. Forging headers doesn't quite suffice
> there, either.
> 
> Regards
> 
> Markus Wanner
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
> 

-- 
Kelly John Rose
Mississauga, ON
Phone: +1 647 638-4104
Twitter: @kjrose

Document contents are confidential between original recipients and sender.
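
The quoted reply prefers list software that authenticates by the ability to receive mail at the subscribed address. The sketch below is an added example, not part of the thread and not the list software's own code; the secret, the three-day lifetime and all function names are assumptions. It shows why a forged From header alone does not unsubscribe anyone: the request only succeeds with a token that was mailed to that address.

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: per-list server-side secret
TTL = 3 * 24 * 3600               # assumption: tokens valid for three days


def _mac(address: str, action: str, expires: int) -> str:
    # Bind the token to the action, the (case-folded) address and the expiry.
    msg = f"{action}|{address.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(address: str, action: str, now: int) -> str:
    """Token mailed to `address`; only a reader of that mailbox learns it."""
    expires = now + TTL
    return f"{expires}.{_mac(address, action, expires)}"


def verify_token(address: str, action: str, token: str, now: int) -> bool:
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False              # malformed token
    if now > expires:
        return False              # stale confirmation
    expected = _mac(address, action, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(from_header: str, token: Optional[str], now: int) -> str:
    """The From header is untrusted; without a valid token the server
    only sends a confirmation mail to the subscribed address."""
    if token and verify_token(from_header, "unsubscribe", token, now):
        return "unsubscribed"
    return "confirmation-sent"
```

No per-user password is stored or mailed in this scheme; the server keeps only its own secret.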

