On 13 April 2014 12:02, Adam D. Ruppe <destructionator@gmail.com> wrote:
On Saturday, 12 April 2014 at 21:18:26 UTC, Nick Sabalausky wrote:
Never storing or transmitting passwords in plain text is not only basic, obvious and to be expected, but it is THE most basic, obvious and to-be-expected principle that exists in computer security.

... and it is also the most common way passwords are sent in internet protocols.

* SMTP and HTTP will base64 encode it with their basic auth but that's it

* web sites typically transmit it completely open


There's SSL now that gets more traction, but if you expect a password NOT to be sent in something trivially converted to plain text, wake up and smell the RFC.

There's been a migration of responsible services to https, but even without that, I consider that a different level of negligence.
The difference is, someone has to be actively monitoring me to capture my password in flight; if I'm a deliberate target, they'll get me somehow anyway.
This is passive, it's _storing_ a large number of users' passwords all together in one big plain-text blob. It's basically asking to be collected.
There's no transience, I'm compromised even if I'm not a target, and even if I don't log on. My involvement is not required.
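The storage side of this argument, as an added example that is not from the thread: a user table that keeps salted, iterated PBKDF2 records instead of passwords, so that the "big plain-text blob" a dump would collect contains no passwords at all. The record format (`algorithm$iterations$salt$digest`) and the sample accounts are constructed for the example.

```python
"""Salted, iterated password hashing so a leaked user table does not
expose plaintext passwords (added example; not from the mailing list)."""
import hashlib
import hmac
import secrets

# Constructed record format: algorithm$iterations$salt_hex$digest_hex
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record that is safe to store at rest.

    A fresh random salt per user means identical passwords produce
    different records, so a dumped table cannot be attacked in bulk
    with one precomputed table; the iteration count slows each guess.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed record: reject rather than guess
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_user_table(credentials: dict) -> dict:
    """What the service keeps: usernames mapped to hash records, never passwords."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts; two users chose the same password.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse"})
    for user, record in table.items():
        print(user, record)  # neither line contains "correct horse"
    assert verify_password("correct horse", table["alice"])
    assert not verify_password("wrong", table["bob"])
    assert table["alice"] != table["bob"]  # per-user salt
```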