On 10/01/2013 10:26 PM, Kelly John Rose wrote:
> I think that's absurd to say that it gives a false sense of security. It
> only gives a sense of security if you didn't read the text when you
> entered the password in the first place.

Well, that applies to at least 90% of people for 90% of the cases. Yes, often enough including myself.

> It keeps people from doing mass unsubscribes trivially.

As I pointed out, there are other ways to achieve that, without the need for a password. Or actually rather with one-time passwords, instead.

> If someone was targeting you, yes, they would be able to delete your
> subscription,

Sure. That's the case either way.

> but that would likely be true with little effort to begin
> with if you are of the type that doesn't read that your password is
> stored insecurely and sent in plain text when you enter it.

Let's compare apples to apples: even if you manage to actually read the instructions, you actually have to do so, have to come up with a throw-away-password, and remember it. For no additional safety compared to one-time tokens.

The positive point I see for the web front-end is that people are more used to it. And have a hard time reading instructions on emails and hitting reply to send back a confirmation token. But your hypothesis is that people do read instructions, so...

Regards

Markus Wanner

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography