[Cryptography] Possible reason why password usage rules are such a mess
Kent Borg
kentborg at borg.org
Fri Nov 20 15:19:57 EST 2020
On 11/20/20 11:57 AM, Arnold Reinhold wrote:
> That is why we need some requirement that services that use password
> authentication disclose the measures they use to store password
> validation data, or maybe some seal of approval that guarantees they
> meet some minimum standards, in particular something better than fast
> hashes, which are now almost useless.
Down that road lies a lot of territory…
Whether, say, passwords are even required! Didn't T-Mobile recently have
a problem where once logged in a user could change an account number in
the URL and access a different account? Isn't S3 data routinely
discovered sitting around unprotected?
Regulating around password storage feels like a narrow concern.
There are *so* many ways to build an insecure system, and there is *so*
little regulation about the building of these systems. First, can we
regulate our way out of this insecure mess? If we can, is this really
where to start?
-kb
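The quoted point about "fast hashes" being almost useless for storing password validation data is easy to see in numbers. The following is an added illustration, not code from either poster: it contrasts an unsalted single SHA-256 (the fast hash) with a salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, and measures how many fast-hash guesses an attacker gets for the price of one slow-hash guess. PBKDF2 is used here only because it needs no third-party package; the iteration count is an assumed value to be tuned per deployment, and the stored-record format (`pbkdf2_sha256$iterations$salt$digest`) is a constructed convention.

```python
import hashlib
import hmac
import os
import time

# Assumed iteration count; tune so one verification costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password_fast(password: str) -> str:
    """Unsalted single SHA-256: the 'fast hash' the thread calls almost useless.
    Same password -> same digest for every user, and billions of guesses/sec on a GPU."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Salt and iteration count are stored with
    the digest (constructed record format) so they can be raised later without a reset."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def make_record(password: str) -> str:
    """Create the stored validation record for a new password with a fresh 16-byte salt."""
    return hash_password_slow(password, os.urandom(16))


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def seconds_per_guess(fn, *args, rounds: int = 1) -> float:
    """Wall-clock cost of one call to fn(*args), averaged over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many fast-hash guesses fit in the time of a single PBKDF2 guess (>1 expected).
    This is the factor by which the slow hash shrinks an offline attacker's guess rate."""
    fast = seconds_per_guess(hash_password_fast, "correct horse", rounds=2000)
    slow = seconds_per_guess(hash_password_slow, "correct horse", b"\x00" * 16, rounds=1)
    return slow / fast


if __name__ == "__main__":
    record = make_record("hunter2")  # constructed sample password
    print(record)
    print("verify correct:", verify_password(record, "hunter2"))
    print("verify wrong:  ", verify_password(record, "hunter3"))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} SHA-256 guesses")
```

Two things the numbers make concrete: with the fast hash, two users who chose the same password get identical stored values (no salt), so one cracked digest is reused across a leaked table; with the salted, iterated hash each record must be attacked separately and each guess costs the attacker the same work it costs the legitimate server, which is the property the quoted "minimum standard" is really asking for.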