[GTALUG] blackmail
D. Hugh Redelmeier
hugh at mimosa.com
Sat Aug 4 10:25:29 EDT 2018
| From: ac via talk <talk at gtalug.org>
| no, not really. by the time you receive the type of email you have, it is way too late.
Probably. But the information that a site was hacked should still be
useful to the site.
| How sure are you that it was Canada Computers? Are you saying that that
| was the only place you used that password?
Yes. (I said that in my original posting.)
| And, is it a current
| password (dollars to donuts says: no...)
It was. No longer.
| and with Google hacked, Yahoo
| hacked, Microsoft hacked, it matters very little anyway... Change your
| passwords every 30 days (or less)
I find that too much bother. Experts have waffled on this policy.
| and never use the same password
| twice (or even anywhere else) - If they sent me my google/yahoo/etc
| password - I would even be able to tell you from which week it came :)
For real security, use something other than passwords. But that
doesn't seem to be in place for most sites.
Single-sign-on makes multi-factor authentication more feasible. I don't
trust the monopoly power of single-sign-on providers. And I don't
trust the resulting "one compromise to rule them all" ecosystem. And
I'm not attached at the hip to a mobile phone (SMS is the usual second
factor for consumers).
I can imagine that client certificates for TLS could help, and I
assume that TLS supports this feature. But I don't know that
any important sites exploit them. And the certificate hierarchy
provides for monopoly abuse.