[HN Gopher] "Posting it to you is secure, as it's illegal to ope...
___________________________________________________________________
"Posting it to you is secure, as it's illegal to open someone
else's mail."
Author : jamespwilliams
Score : 39 points
Date : 2022-03-14 20:07 UTC (2 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| [deleted]
| dataflow wrote:
| I'm seeing some people miss the point here, so just to clarify:
| the part of this that's supposed to be ridiculous isn't the fact
| that they're deeming postal mail to be secure, but the fact that
| they're storing passwords in plaintext in their _database_ (and
| also the fact that they completely miss the nature of this very
| issue in their reply about postal mail).
|
| I think the title should also be edited to make this clear.
| charcircuit wrote:
| Surely there is an engineer there who understands plain text
| passwords are wrong, so why can't he fix it?
| MattGaiser wrote:
| Engineers don't get to randomly allocate their time like that.
| bogantech wrote:
| Iirc (it's been a few decades..) if you have an ADSL service
| your password is stored in plaintext because that's the only
| way RADIUS can check your password with the various
| authentication protocols there are.
|
| Iirc the two mainly used authentication protocols for PPPoE
| connections are CHAP or MSCHAPv2, the former requires that both
| sides know the plaintext but the latter uses an NTLM hash that
| can be cracked. Everything is built around horrible old auth
| protocols.
|
| ISPs usually have you use the same password for email, account
| and PPPoE which all comes from RADIUS. They don't all have the
| same support for hashing algorithms etc.
|
| ISPs should be changing them before sending them out but then
| you'll be without internet for a week or two depending on how
| slow your postal service is.
| jonathantf2 wrote:
| Virgin is a DOCSIS service and I'm fairly sure you have to
| use their CPE so there aren't any connection login
| credentials that the user has - this is most likely just
| awful security on their part.
| bogantech wrote:
| From what I can see they used to have DSL too. But they
| should modernise things a bit if they don't need to deal
| with ancient crap.
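The constraint bogantech describes a few comments up (CHAP needs both sides to hold the cleartext secret, so a RADIUS store that must answer CHAP cannot hold only a salted hash) is easy to see in code. The following is an added example written for this page, not code from the thread or from any ISP; the user name, secret and challenge bytes are constructed sample values, and the dictionary "store" stands in for a RADIUS user database.

```python
"""Why CHAP forces the verifier to keep the cleartext secret.

CHAP (RFC 1994): response = MD5(identifier || secret || challenge).
The server must recompute exactly that value, so it needs `secret`.
A salted, slow password hash (PBKDF2 here) can only be checked when
the candidate password itself is presented; nothing can turn
PBKDF2(secret, salt) into MD5(id || secret || challenge).
"""
import hashlib
import hmac
import os

# Constructed sample credentials; not real ISP data.
USER = "user@isp.example"
SECRET = "correct horse battery staple"


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP: MD5 over the id byte, the cleartext secret
    and the challenge the server sent."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(store: dict, user: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response. This is only possible because
    the store holds the cleartext secret, which is the RADIUS situation
    the comment describes."""
    secret = store[user]["cleartext"]
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pbkdf2_record(secret: str, salt: bytes = None, rounds: int = 100_000) -> dict:
    """What a password database can hold when no CHAP-style protocol
    depends on it: a random salt and a slow hash, never the secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def pbkdf2_verify(record: dict, candidate: str) -> bool:
    """Verification needs the candidate password itself (e.g. sent over
    TLS). A CHAP response cannot be checked against this record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    """Run both flows on the constructed credentials and return the outcomes."""
    challenge = os.urandom(16)          # server-chosen nonce, fresh per login
    chap_store = {USER: {"cleartext": SECRET}}
    good = chap_response(7, SECRET, challenge)
    bad = chap_response(7, "wrong password", challenge)
    hashed = pbkdf2_record(SECRET)
    return {
        "chap_accepts_correct": chap_verify(chap_store, USER, 7, challenge, good),
        "chap_rejects_wrong": not chap_verify(chap_store, USER, 7, challenge, bad),
        "pbkdf2_accepts_correct": pbkdf2_verify(hashed, SECRET),
        "pbkdf2_rejects_wrong": not pbkdf2_verify(hashed, "wrong password"),
        "pbkdf2_record_holds_secret": SECRET.encode() in hashed["digest"],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that the choice of wire protocol decides what the database may contain: as long as CHAP (or any challenge-response scheme that hashes the cleartext together with a nonce) must be served from a given store, that store is a cleartext password store, however it is encrypted at rest. Moving the web, email and account logins to a separate credential store with salted slow hashes, as the comments suggest, is what breaks that coupling.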
| maxbond wrote:
| Authentication is the sort of thing that gets set up very early
| in the life of the application, and usually doesn't run into
| issues or need new features. When I've read production
| authentication/authorization code for apps I've worked on, it's
| usually been out of interest, not necessity.
|
| I feel like many, many people could work on that application,
| understand clear text passwords are wrong, and just not know
| that the application works that way.
| Havoc wrote:
| How do you run a major corporate Twitter and not realise the
| audience is in various countries and thus under various laws?
|
| Esp for a UK group - the threshold for getting into trouble in the
| UK for opening mail is quite high legally.
| jwalton wrote:
| Just like guns are secure, as it's illegal to shoot someone.
| twobitshifter wrote:
| I had a parked domain with a registrar and the registrar had
| grown increasingly expensive and behind the competition over the
| years. Eventually I decided to move my domain. After a five step
| process that initially blocked me and eventually required me to
| speak to an agent they provided me with the auth code to transfer
| my domain. The code provided was the login password for my
| account.
| suprjami wrote:
| If you're being robbed, just say no. It's actually illegal to
| take a person's property without their permission.
| jakelazaroff wrote:
| "Burglars hate him! This one weird trick protects your home!"
___________________________________________________________________
(page generated 2022-03-14 23:01 UTC)