[Cryptography] Possible reason why password usage rules are such a mess

Kent Borg kentborg at borg.org
Fri Nov 20 15:19:57 EST 2020


On 11/20/20 11:57 AM, Arnold Reinhold wrote:
> That is why we need some requirement that services that use password
> authentication disclose the measures they use to store password
> validation data, or maybe some seal of approval that guarantees they
> meet some minimum standards, in particular something better than fast
> hashes, which are now almost useless.

Down that road lies a lot of territory…

Whether, say, passwords are even required! Didn't T-Mobile recently have 
a problem where once logged in a user could change an account number in 
the URL and access a different account? Isn't S3 data routinely 
discovered sitting around unprotected?

Regulating around password storage feels like a narrow concern.

There are *so* many ways to build an insecure system, and there is *so* 
little regulation about the building of these systems. First, can we 
regulate our way out of this insecure mess? If we can, is this really 
where to start?


-kb
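As an added illustration (editor's example, not code from this thread), the following Python contrasts the two password-storage choices the quoted paragraph names: a salted fast hash versus a deliberately slow, memory-hard KDF (scrypt from the standard library), with a constant-time verifier for each and a rough measurement of how many guesses per second a single core gets against either. The sample password and salt are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs for this example (not values from the thread).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-256: the 'fast hash' storage the quoted mail calls almost useless."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """scrypt (n=2**14, r=8, p=1, ~16 MiB): a memory-hard KDF meant for passwords."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def verify(stored: bytes, password: bytes, salt: bytes, kdf) -> bool:
    """Recompute with the same kdf and compare in constant time."""
    return hmac.compare_digest(stored, kdf(password, salt))


def guesses_per_second(kdf, rounds: int) -> float:
    """Rough single-core guess throughput an offline attacker gets against kdf."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        kdf(b"guess-%d" % i, salt)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    stored_fast = fast_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    stored_slow = slow_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("fast verify ok:", verify(stored_fast, SAMPLE_PASSWORD, SAMPLE_SALT, fast_hash))
    print("slow verify ok:", verify(stored_slow, SAMPLE_PASSWORD, SAMPLE_SALT, slow_hash))
    # The ratio below is the defender's cost multiplier on every guess of a leaked database.
    print("sha256 guesses/s: %.0f" % guesses_per_second(fast_hash, 20000))
    print("scrypt guesses/s: %.1f" % guesses_per_second(slow_hash, 10))
```

The measured ratio is the point: a leaked table of fast hashes costs the attacker roughly one hash per guess, while the KDF multiplies that cost by the scrypt work factor on every guess.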


