On 25/08/17 11:51, Brian wrote:
> However, users use passwords to log into accounts *online* and those
> passwords are devised to withstand an *online* attack (of 100 tests per
> second maximum(?)). This is the only aspect a user can completely
> control and many make a good job of it. Passwords which are long and
> have some complexity but are not a burden on the user or impossible to
> memorise would withstand such an attack. (This leaves aside the defences
> the site itself has in place).
>
> A user has no control over what happens at the other end. Knowledge
> about how data are stored and safeguarded will be sparse, so the user
> will have to make a risk assessment about that; only time will tell
> whether it is correct. What doesn't seem quite right (morally and
> technically) is for it to be implied that the user should take some
> responsibility for the site's (unknown) shortcomings.
Unless you have a good reason to think otherwise (e.g. *you* manage the web site and you know you are doing a good job), you should assume that the database with hashed passwords will leak without the system administrators noticing, and then an attack can be carried out offline.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
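As an added illustration (not from either poster), this Python sketch puts numbers on the two threat models in the thread: the 100 guesses per second online rate Brian cites, versus an offline attack on a leaked database of hashed passwords. The 10^9 guesses per second offline figure and the 10-year horizon are assumptions for the sake of the comparison, not values from the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates per second. The online figure is the 100 tests/second from the
# thread; the offline figure is an ASSUMED round number for a leaked database
# of fast, unsalted hashes and does not come from the thread.
ONLINE_RATE = 100.0
OFFLINE_RATE_ASSUMED = 1e9


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def seconds_to_half_keyspace(bits: float, rate: float) -> float:
    """Expected time to hit a uniformly chosen password (half the keyspace)."""
    return (2.0 ** bits) / 2.0 / rate


def min_bits_for_horizon(rate: float, horizon_years: float) -> float:
    """Entropy needed so the expected crack time at `rate` exceeds the horizon."""
    guesses = rate * horizon_years * SECONDS_PER_YEAR
    return math.log2(2.0 * guesses)


def compare(length: int, alphabet_size: int, horizon_years: float = 10.0) -> dict:
    """Summarise how one password shape fares under the online and offline models."""
    bits = entropy_bits(length, alphabet_size)
    return {
        "bits": bits,
        "online_years": seconds_to_half_keyspace(bits, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_years": seconds_to_half_keyspace(bits, OFFLINE_RATE_ASSUMED) / SECONDS_PER_YEAR,
        "needed_bits_online": min_bits_for_horizon(ONLINE_RATE, horizon_years),
        "needed_bits_offline": min_bits_for_horizon(OFFLINE_RATE_ASSUMED, horizon_years),
    }


if __name__ == "__main__":
    # Constructed sample: a 10-character password drawn from 26 lowercase letters.
    # It survives the online model for millennia but the assumed offline model
    # within a day, which is the gap the reply above is pointing at.
    for key, value in compare(10, 26).items():
        print(f"{key:>20}: {value:,.4f}")
```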