> From: Jeremy Charles [mailto:jchar...@epic.com]
>
> I need the ability to tell my friends and family that [insert major browsers here] will do a much better job of protecting them from password/identity theft, so they should use them.
As you've seen in this discussion thread, a lot of sysadmins *here* didn't realize that passwords were being sent over HTTPS, and imagined that accessing those server-side would require complex memory scanners, not just a simple edit to the PHP file that the POST request targets. Raising awareness is a good thing.

For things you're able to do now, you can suggest people use ProtonMail and Tutanota instead of gmail and yahoo. Synctuary instead of Dropbox. Build servers in your network closet instead of cloud services, when appropriate (cloud services definitely have their place too). Use password managers. If you develop web applications, you have architecture decisions that you make, and you can consider what options are available to offer improved security and privacy to your users.

So what if CBCrypt is only ready for certain types of applications right now. The conversation didn't start out as "use CBCrypt." It started out as "This is why you should care. 19,000 person company passwords stolen over HTTPS." Awareness that passwords go to the server is a good start. Awareness of the risks that this causes is also a good start. Deciding what to do about it is what comes next.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
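The point above is that the script a login form POSTs to receives the password in the clear (TLS only protects it in transit), so a change to that file on the server is enough to expose credentials. One defender-side check for exactly that edit is a file-integrity baseline over the web root. The following is an added example, not code from the thread or from any of the products it names: it hashes the handler files at a trusted point in time, re-hashes them later and reports modified, added and removed files. The directory layout, file names and contents are constructed for the demonstration; nothing here is a real deployment.

```python
"""Baseline-and-compare integrity check for a web application's handler files.

Added example (not part of the original mailing-list thread). The directory
layout, file names and contents below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of server-side file types worth watching; adjust per application.
WATCHED_SUFFIXES = {".php", ".py", ".js", ".conf"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (relative POSIX path) under root to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what changed relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed web root, take a baseline, alter the tree, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.php").write_text("<?php // constructed login handler\n")
        (root / "index.php").write_text("<?php // constructed index page\n")
        (root / "logo.png").write_bytes(b"not really an image")  # not a watched type
        baseline = build_baseline(root)

        # Constructed changes: the handler gains a line, a new script appears,
        # and an unwatched asset changes (which should not be reported).
        with (root / "login.php").open("a") as f:
            f.write("// constructed unexpected change\n")
        (root / "helper.php").write_text("<?php // constructed new file\n")
        (root / "logo.png").write_bytes(b"changed but unwatched")

        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a trusted copy (the deploy artifact, not the live host after the fact), keep it somewhere the web server's own account cannot write, and run the comparison on a schedule; a baseline stored beside the files it describes can be rewritten by the same access that edits the handler.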