On Thu, Apr 23, 2020 at 06:31:04PM -0700, Michael Thomas wrote:
> Passwords over the wire are the *key* problem of computer security. Nothing else even comes close.

Hmm, a bold claim, but I'm confident the author will have strong support for their position.

> One only needs to look at the LinkedIn salting problem

That was a stored password problem, not a passwords-over-the-wire problem, but OK. I'm sure we'll be back on track shortly.

> to know how trivial it is to exploit password reuse.

Not sure how exploiting password reuse causes problems with passwords over the wire. Halfway through the paragraph now, still haven't seen anything talking about passwords over the wire. No doubt the next sentence will address the claim in detail, though.

> They are a big company and they still absolutely failed.

Starting to think that maybe there isn't going to be the solid justification for the topic sentence that I'd originally assumed.

> There are a trillion smaller sites who are just as vulnerable, and all it takes is one.

A trillion smaller sites that are just as vulnerable... to passwords over the wire? Wait, this is the end of the paragraph. How odd, not a single statement in support of the assertion. Perhaps it's not, in fact, true, then, that passwords over the wire are the *key* problem of computer security.

While I do think webauthn is a neat idea, and solves at least one very real problem (credential theft via phishing), you do an absolutely terrible job of making that case.

- Matt