Tyler Smith <tyler.sm...@eku.edu> writes:

> Ben Finney <ben+em...@benfinney.id.au> writes:
>
> > A large part of my reason for reading via Gmane is to avoid yet
> > another set of authentication credentials. Especially one that I
> > never use; that's a security nightmare waiting to happen. So I'm not
> > interested in increasing my security exposure by making a Mailman
> > account on yet another site.
>
> Yikes! What nightmare awaits those of us who've foolishly gone ahead
> and subscribed? What's my exposure, beyond some nefarious cracker
> impersonating me on emacs-orgmode?

The assumption here is that logging into the mailing list account is
something done infrequently to never for any given user. That's
certainly the case for just about any list I've subscribed to.

For an infrequently-to-never used passphrase, one of two things is the
case: either it's unique, or it is identical to the passphrase that
accesses some other set of services for the user.

Since it's an infrequently-to-never accessed service, it's an
unreasonable burden to expect the user to maintain unique passphrases
for every such service. If for this list, why not for every such list?

So what usually ends up happening is they're identical for a given
person across many different services. But the more that's the case, the
greater the exposure: any one of those services could manage their
security poorly, or simply be unlucky enough to attract a bored and/or
motivated cracker; and a compromise on any one of them removes any
expectation of security on any of the rest of the services where the
user has the same passphrase.

The sensible policy, therefore, is to cull the proliferation of such
passphrase-requiring infrequently-to-never-accessed accounts. Which, in
turn, means saying a polite “no thank you” to most requests to set up
new accounts.

-- 
 \        “The greatest tragedy in mankind's entire history may be the |
  `\       hijacking of morality by religion.” —Arthur C. Clarke, 1991 |
_o__)                                                                  |
Ben Finney



_______________________________________________
Emacs-orgmode mailing list
Please use `Reply All' to send replies to the list.
Emacs-orgmode@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-orgmode

Reply via email to