April 12, 2014
On Saturday, 12 April 2014 at 08:45:23 UTC, Nick Sabalausky wrote:
> On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
>> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>>> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>>>
>>> Anyway, this is all beside the point, the issue is _I got an email that
>>> TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and
>>> offensive. When will it be fixed?
>>
>> Barry Warsaw is a kind person, and has spent a lot of effort in offering
>> the community something like mailman: what's the problem with people
>> about reading the instructions for what they are doing, before doing it? Isn't
>> that the first rule for being conscious about security?
>>
>> /Paolo
>
> I shouldn't have to read a label just to know whether or not my food contains dog shit. Some things are basic and obvious enough to just be *expected*.

You have hit the point: in security you _can't_ expect basic and obvious things, as you are starting with a biased mindset; you have to care.

/Paolo


April 12, 2014
On 12 April 2014 17:56, Marco Nembrini <marco.nembrini.co@gmail.com> wrote:

> On 12.04.2014 03:16, Manu wrote:
>
>> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net
>>
>> <mailto:eco@gnuk.net>> wrote:
>>
>>     On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>
>>         This. Also, I have more than 1 computer (including a phone)... what's the solution there?
>>
>>
>>     LastPass is cloud synced (including with phones).
>>
>>
>> ... how does that work?
>>
>
>
> Encryption and decryption is only client-side so they only store an encrypted database of your passwords.
>

I mean, how does it run on all of your devices, and integrate with all of your software?


April 12, 2014
On 12 April 2014 18:45, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:

> On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
>
>> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>>
>>> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>>>
>>> Anyway, this is all beside the point, the issue is _I got an email that TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and offensive. When will it be fixed?
>>>
>>
>> Barry Warsaw is a kind person, and has spent a lot of effort in offering the community something like mailman: what's the problem with people about reading the instructions for what they are doing, before doing it? Isn't that the first rule for being conscious about security?
>>
>> /Paolo
>>
>
> I shouldn't have to read a label just to know whether or not my food contains dog shit. Some things are basic and obvious enough to just be *expected*.
>

This.


April 12, 2014
On Saturday, 12 April 2014 at 09:06:48 UTC, Manu wrote:
> On 12 April 2014 17:56, Marco Nembrini <marco.nembrini.co@gmail.com> wrote:
>
>> On 12.04.2014 03:16, Manu wrote:
>>
>>> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net
>>>
>>> <mailto:eco@gnuk.net>> wrote:
>>>
>>>     On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>>
>>>         This. Also, I have more than 1 computer (including a phone)... what's the solution there?
>>>
>>>
>>>     LastPass is cloud synced (including with phones).
>>>
>>>
>>> ... how does that work?
>>>
>>
>>
>> Encryption and decryption is only client-side so they only store an
>> encrypted database of your passwords.
>>
>
> I mean, how does it run on all of your devices, and integrate with all of
> your software?

A variety of apps and plugins.

April 12, 2014
On 12 April 2014 19:31, John Colvin <john.loughran.colvin@gmail.com> wrote:

> On Saturday, 12 April 2014 at 09:06:48 UTC, Manu wrote:
>
>> On 12 April 2014 17:56, Marco Nembrini <marco.nembrini.co@gmail.com> wrote:
>>
>>> On 12.04.2014 03:16, Manu wrote:
>>>
>>>> On 12 April 2014 11:11, Brad Anderson <eco@gnuk.net
>>>>
>>>> <mailto:eco@gnuk.net>> wrote:
>>>>
>>>>     On Saturday, 12 April 2014 at 01:09:45 UTC, Manu wrote:
>>>>
>>>>         This. Also, I have more than 1 computer (including a phone)... what's the solution there?
>>>>
>>>>
>>>>     LastPass is cloud synced (including with phones).
>>>>
>>>>
>>>> ... how does that work?
>>>>
>>>>
>>>
>>> Encryption and decryption is only client-side so they only store an encrypted database of your passwords.
>>>
>>>
>> I mean, how does it run on all of your devices, and integrate with all of your software?
>>
>
> A variety of apps and plugins.
>

And for any software/services that don't support plugins?


April 12, 2014
On 12 April 2014 19:04, Paolo Invernizzi <paolo.invernizzi@no.address> wrote:

> On Saturday, 12 April 2014 at 08:45:23 UTC, Nick Sabalausky wrote:
>
>> On 4/12/2014 3:47 AM, Paolo Invernizzi wrote:
>>
>>> On Saturday, 12 April 2014 at 01:33:10 UTC, Manu wrote:
>>>
>>>> On 12 April 2014 11:16, Manu <turkeyman@gmail.com> wrote:
>>>>
>>>> Anyway, this is all beside the point, the issue is _I got an email that TOLD ME MY PASSWORD_. Which is completely inexcusable, amateur, and offensive. When will it be fixed?
>>>>
>>>
>>> Barry Warsaw is a kind person, and has spent a lot of effort in offering the community something like mailman: what's the problem with people about reading the instructions for what they are doing, before doing it? Isn't that the first rule for being conscious about security?
>>>
>>> /Paolo
>>>
>>
>> I shouldn't have to read a label just to know whether or not my food contains dog shit. Some things are basic and obvious enough to just be *expected*.
>>
>
> You have hit the point: in security you _can't_ expect basic and obvious things, as you are starting with a biased mindset; you have to care.


There's a difference between opportunism and malicious intent. I'm sure I can be hacked if someone really wants to, but that's completely different from the idea that someone will almost certainly hack me, just because they can; i.e., they opportunistically stumbled across my password while running their script over the internet, and see how far they can run with it.

We're talking about storing users' passwords _in plain text_ on a niche forum server. What confidence could I possibly have that dlang's forum server is properly secured and monitored?
I'm comfortable that hackers (or even the administrators for that matter) may get my hashed salted passwords from time to time... that's an understanding of the internet that I have become comfortable with. I'm NOT comfortable that anyone can see my password in plain text. It's practically an invitation.

You can't say to a community "I'm sorry, we lost all of your passwords, in plain text! You should have cared more about your personal security." when someone hacks your database (not that you'd know; users would just start to be randomly compromised). It is a basic reality that most people aren't particularly concerned about their security (until they are bitten) and it's also a reality that not everybody even understands computer security enough to secure themselves in basic ways. Web services MUST take a proactive approach regarding users' security, at least to a reasonable extent, and I'd argue that not storing users' passwords in plain text is quite a reasonable expectation!
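As an added example (not Mailman's or the forum's code), this is what "hashed salted passwords" means in practice: the server keeps a per-account random salt and a slow PBKDF2 digest, so it can verify a login but cannot reproduce the password to email it back, and two accounts with the same password do not produce the same record. It assumes only the Python standard library; the iteration count and sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the example; tune iterations to your hardware.
HASH_NAME = "sha256"
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_<hash>$<iters>$<salt hex>$<digest hex>'.

    A fresh random salt per account means two users with the same password
    get different records, so a leaked table does not reveal shared passwords.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    hash_name = algo[len("pbkdf2_"):]
    digest = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_reveals_password(password: str, record: str) -> bool:
    """True only for a plaintext store, where the stored value contains the secret itself."""
    return password in record


if __name__ == "__main__":
    # Constructed sample accounts; both happen to use the same password.
    table = {user: hash_password("correct horse") for user in ("alice", "bob")}
    for user, rec in table.items():
        print(user, rec)
    print("alice login ok:", verify_password("correct horse", table["alice"]))
    print("alice wrong pw:", verify_password("Correct horse", table["alice"]))
    print("records identical:", table["alice"] == table["bob"])
```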


April 12, 2014
On Saturday, 12 April 2014 at 09:53:13 UTC, Manu wrote:
> On 12 April 2014 19:04, Paolo Invernizzi <paolo.invernizzi@no.address> wrote:
>
> It is a basic reality that most people aren't
> particularly concerned about their security (until they are bitten) and
> it's also a reality that not everybody even understands computer security
> enough to secure themselves in basic ways. Web services MUST take a
> proactive approach regarding users' security, at least to a reasonable
> extent, and I'd argue that not storing users' passwords in plain text is
> quite a reasonable expectation!

We are not talking the same language, Manu: what I mean is that you are a smart guy, a programmer, and for sure you "understand computer security", yet you still shared a password among a few sites, and worse, you missed a _clear warning_ when you registered with mailman.

Assuming that I agree with you regarding the proactive approach of others to security, I still state that nothing can be gained without a proactive approach on my own part regarding security.

/Paolo

April 12, 2014
On 11 April 2014 08:39, Manu <turkeyman@gmail.com> wrote:
> I just received this email, which told me what my password is! My password is stored as text?
>
> Who is the sysadmin? They have *all your passwords*, along with potentially anyone else skillful enough to hack the database!
>

http://privatekeycheck.com/

:o)

April 12, 2014
On Saturday, 12 April 2014 at 09:53:13 UTC, Manu wrote:
> We're talking about storing users passwords _in plain text_ on a niche
> forum server. What confidence could I possibly have that dlang's forum
> server is properly secured and monitored?
> I'm comfortable that hackers (or even the administrators for that matter)
> may get my hashed salted passwords from time to time... that's an
> understanding of the internet that I have become comfortable with. I'm NOT
> comfortable that anyone can see my password in plain text. It's practically
> an invitation.

You do realize that, for example, forum.dlang.org does not use https and thus passwords are sent in plain text over the internet upon every login attempt anyway?

April 12, 2014
On 4/12/2014 1:15 AM, Marco Nembrini wrote:
> True. But that could happen with any of those sites individually too.

Absolutely. But it'd only happen to one, instead of ALL of them. Unless you're one of those people who uses the same pw on multiple accounts, which will burn you sooner or later.


> And a company whose only business goal is to keep passwords secure is probably harder
> to hack into than companies which have a different focus and might not invest as
> much into security.

"probably" doesn't work for me when the consequences of being wrong are so awful.