- From: Paul Leach <paulle@microsoft.com>
- Date: Wed, 7 Jan 1998 17:59:01 -0800
- To: "'jg@pa.dec.com'" <jg@pa.dec.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, Scott Lawrence <lawrence@agranat.com>

> ----------
> From: jg@pa.dec.com[SMTP:jg@pa.dec.com]
> Sent: Wednesday, January 07, 1998 9:52 AM
> To: Paul Leach
> Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com; Scott Lawrence
> Subject: RE: Digest mess
>
>
> While I agree with both Paul and Scott on message integrity, I'd
> like to remind people that the BIG disaster on the Internet
> is password grabbing.
>

Of course. But that's because no one needs to do anything complicated when something trivial suffices.

> Naive people use the same
> password for many things...
>

(Interesting side note: the SCRAM auth protocol uses a per-server or per-authentication domain salt to allow safe use of the same password for many sites. There's an I-D by Chris Newman -- I forget the exact title.)

> At this point, anything that can help that problem is worth a lot, even
> if it has other issues...
>

All that will happen is that the attackers will switch to exploiting the other weaknesses.

Paul

Received on Wednesday, 7 January 1998 18:03:40 UTC