[ale] help - how do I log into learnstreet without ...

Michael B. Trausch mbt at naunetcorp.com
Thu Mar 28 11:06:50 EDT 2013


On 03/27/2013 04:39 PM, Jim Kinney wrote:
> Ron, your level of paranoia is becoming disturbing. I'm not trying to be
> mean or attacking, but seriously, this is sounding a bit nutty to me.

+1.

Best security practice isn't to have a different username and password
everywhere, exactly.

Best security practice is to ensure that the level of security present
on each account is merited based on the value of what can be obtained
through that account.  And best security practice is to use
single-sign-on type technologies whenever possible, because humans can
more easily deal with that in production environments.

A lot of web applications are going with sign-in over the Web through
various providers.  Now, I would love to see sites support Google,
Twitter, Facebook, etc., but also support plain-Jane generic OpenID as
well, alongside those.  OpenID is a safe and usable SSO method on the
Internet.

I use stronger passwords than probably most people on this list do for
most things, but I don't much need a bookkeeping method for my passwords
because I leverage SSO technologies where I can.  They make my life way
easier, at a minimal cost, and I never actually have to share my
authentication data with third party sites that I sign into that way.
It's win/win.

Best security practice is also to know not only the _what_ to do to have
practical security: the _how_ and the _why_ are very important as well.
That is why there are people whose full-time job is security in a real,
large, production setting.  And even then, some of those don't get it
right; they'll apply whatever they know to apply, but not necessarily
know why.

It is important to fully, truly realize the impact of this statement:

What constitutes a "security breach" in one environment might be
expected, even normal behavior in another environment altogether.

We can all agree that, for example, plaintext communication is unsafe
across the Internet for many things.  But on an intranetwork,
particularly a very small and isolated intranetwork, there is little
need to increase complexity just to have communications be encrypted on
that network.  Internetwork links transited over the public Internet,
though, that's another story altogether.

Plaintext passwords are simply bad security practice all the way around,
for no other reason than it means that the database can be had by
whoever happens to be the first to crack it.  However, if you have a
network application that is on an intranetwork and cannot be reached by
way of the Internet itself, it may very well be necessary.  In fact, I
wrote a Web application not long ago where I *did* have to store a
cached copy of the user's plaintext password in order to give the
application any functionality whatsoever.  Sometimes, it truly is
necessary.  (Of course, that's why we have and can deploy things like
Kerberos, where delegation of credentials without giving up the shared
secret is possible.)

	--- Mike

-- 
Michael B. Trausch, President
Naunet Corporation

Telephone: (678) 287-0693 x130
Toll-free: (888) 494-5810 x130
FAX: (678) 287-0693
