[147424] in cryptography@c2.net mail archive

Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Markus Wanner)
Tue Oct 1 17:06:25 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 01 Oct 2013 22:43:44 +0200
From: Markus Wanner <markus@bluegap.ch>
To: Kelly John Rose <iam@kjro.se>
In-Reply-To: <524B2FD9.70301@kjro.se>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10/01/2013 10:26 PM, Kelly John Rose wrote:
> I think that's absurd to say that it gives a false sense of security. It
> only gives a sense of security if you didn't read the text when you
> entered the password in the first place.

Well, that applies to at least 90% of people for 90% of the cases. Yes,
often enough including myself.

> It keeps people from doing mass unsubscribes trivially.

As I pointed out, there are other ways to achieve that, without the need
for a password. Or actually rather with one-time passwords, instead.

> If someone was targeting you, yes, they would be able to delete your
> subscription,

Sure. That's the case either way.

> but that would likely be true with little effort to begin
> with if you are of the type that doesn't read that your password is
> stored insecurely and sent in plain text when you enter it.

Let's compare apples to apples: even if you manage to actually read the
instructions, you actually have to do so, have to come up with a
throw-away-password, and remember it. For no additional safety compared
to one-time tokens.

The positive point I see for the web front-end is that people are more
used to it. And have a hard time reading instructions on emails and
hitting reply to send back a confirmation token. But your hypothesis is
that people do read instructions, so...

Regards

Markus Wanner
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
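
An added example, not part of the message above or of any list software's code: one way the one-time confirmation tokens mentioned in the message could gate an unsubscribe request without a stored, mailed-back password. The class name, the TTL and the token length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3 * 24 * 3600  # assumed validity window, in seconds


class ConfirmationStore:
    """Pending list actions, each confirmed by a single-use mailed token."""

    def __init__(self):
        # sha256(token) -> (address, action, expiry). The token itself is
        # never stored, so a leaked table cannot be used to confirm anything.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, address, action, now=None):
        """Register a pending action; return the token to mail to `address`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(20)  # 160 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (
            address.lower(), action, now + TOKEN_TTL)
        return token

    def confirm(self, address, action, token, now=None):
        """Return True at most once, for a matching and unexpired token."""
        now = time.time() if now is None else now
        # pop() makes the token single-use: any presentation of a known
        # token burns it, whether or not the remaining checks pass.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        want_addr, want_action, expiry = entry
        same = hmac.compare_digest(want_addr.encode(),
                                   address.lower().encode())
        return same and want_action == action and now <= expiry
```

Because each token is random, bound to one address and one action, and discarded after use, scripting unsubscribes for many addresses requires reading each victim's mailbox, and the user has nothing to invent or remember.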
