On Sat, 10 Oct 2015, Edward Ned Harvey (lopser) wrote:
The whole point of the thread (and of cbcrypt) is to never expose passwords or encryption keys to servers, because hackers or bad employees sometimes get it and do bad stuff with it.
The think you seem to be missing is that in most cases, bad actor insiders can do so much damage to you that getting your password is probably the least dangerous thing that can happen to you.
On almost every significant system, your password is only used to log you in, afte that some other token is used to identify you and authorize your actions. Bad insiders can create such a token without your password and/or just tell the system that they are you and start taking action.
Especially if you are postulating that they are doing so by modifying server-side code undetected, they can create a backdoor that lets them authorize as yourid-2 and the system then does everything as yourid.
About the only attack scenario that this prevents is an internal bad actor at one company gathering your password and then figuring out that you have accounts somewhere else that they care about and using your password at those other sites. Fixing that is very possible without requireing any server-side changes or even defining a single required standard for the solution (increasing it's effectiveness) All that you need is client-side software that takes the password the user enters and the site you are connecting to in order to create a site-specific password to send to the site. Browser plugins hve been available to do this for a long time.
David Lang _______________________________________________ Tech mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
