[Users] Thanks for the per-session password!

Kevin Chadwick ma1l1ists at yahoo.co.uk
Tue Apr 22 18:11:52 CEST 2014


previously on this list Steve Litt contributed:

> Post-Heartbleed, I'm much more risk-averse,

Always good to be pedantic about security. Not starting your browser,
which may grab keystrokes, until after it is entered may be a good idea
too; otherwise you could argue that doing this is actually worse.
Restarting or closing your browser or even PC (depends how hardened, as
filesystem changes may become resident) before banking or entering card
details is a good idea too.

> so I'm not putting my
> locally hosted IMAP's password into my mail client's configuration. I
> was worried that I'd need to re-enter it every few minutes, but that
> checkbox took care of it. Now I enter it once a day, and that's the
> way I like it.

You know the advice of changing your passwords was wrong. What they
should have said was the passwords you have used recently, as changing
all your passwords on a potentially insecure ssl channel at a time when
servers may not have updated yet could be the worst thing to do,
especially if you normally enter just a few characters.

There was also a lot of rubbish about clients like Android being
vulnerable. They contain the vulnerability but unless they are serving
data (hosting a website) which I've never heard of then they are not
vulnerable to any attack.

The good thing is that the OpenBSD devs who wrote OpenSSH but not
OpenSSL are auditing the parts of OpenSSL that they wish to keep in
base, and so all should get at least some or maybe most of the benefit
from that. What they have found is "very surprising", so SSL is not out
of the woods yet.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________

I have no idea why RTFM is used so aggressively on LINUX mailing lists,
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems, its 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

_______________________________________________________________________
