
passwords for other sites

Wait, seriously? People are using websites where the password reset emails are being sent from somebody's Droid phone? I think you've gotten a little carried away.




I said nothing about password reset emails. I come from an IT background. I can't even count the number of times I've sent temporary passwords over email to co-workers, customers, etc., including from my phone. If something can be sent via email, it will be, and when the numbers are in the millions...there's a lot of data that people consider private.


Makes me wish asymmetric crypto were used more often :) "Hey, send me your public key and I'll encrypt and e-mail you the password."


Maybe a phone call to communicate a password would be better. Not as convenient of course, but security and convenience don't often go together. That assumes your voice provider isn't recording the call.


Frustrated voice fades in, "Right, capital L. No, slash, not backslash. The one that's leaning to the right. Bottom-left to top-right. By the shift key. On your phone? I'm not sure where it is on your phone's keyboard. Ohh, you got it? Ok, the rest is lowercase..."

Sometimes an email or text is better for everyone. But I always split up the info between two bands: most info in an email and an SMS for the password. Or just have them change it after they log in.


Sure, sometimes that's what you need to do. But, other times, if you know you're sending to a trusted server, such as your own company server that you manage yourself (or people who are trusted manage), it's deemed acceptable to send passwords via email. The problem here is that facebook has introduced a new vector.

It's low grade evil; but low grade evil multiplied by millions starts looking like more serious evil. Just like low grade incompetence begins to cause serious harm when it is inflicted on millions.


Ever seen sites with the ability to connect via Facebook? It often grants said site(s) with the user's Facebook primary-email. Now all personal emails, including password recoveries, are going through Facebook for said site(s).


I'm having a hard time imagining a scenario where a site would send some information via email but that same information would not be available to anyone logging in via the web interface. But whatever.


You seem to lack imagination when it comes to nefarious deeds, which is fine; unfortunately, facebook does not lack imagination in this area (and in fact, one could argue this is a core belief at facebook, since it was founded upon a hacking incident wherein Zuckerberg borrowed student data).

They desperately want your email...they don't want it because it's cool to be an email provider. They want it because they intend to use it. The point isn't what specific piece of data they'll get from it (though passwords will be among that data--as a mail server administrator of 15+ years I can assure you of that); the point is that it's simply evil for them to interject their servers into the path via deceptive means.


I remember many phpbb forums are configured like that and administrative mails aren't duplicated in the forum internal messaging system.


If the site is using Facebook for authentication, you don't have a password on said site; therefore you don't have a password recovery leakage vector.



