Reply to post: Re: We need a browser extension...

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Charles 9 Silver badge

Re: We need a browser extension...

If you're forced to allow JavaScript to log onto a site, the malware writers will pwn you with a JavaScript injection attack. Increasing numbers of people want future HTML to be LESS rather than MORE complicated: more passive, with media tasks shunted back to dedicated apps.

"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."

Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020