  • @Velocio One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication. It gets users used to trusting and typing in their passwords into popup windows, which they shouldn't. I'm curious to know why you think that that is not only a positive, but a necessity.

    The other issue is that it uses JavaScript, cookies or local storage, none of which are that secure and all of which can be spoofed. I'm no expert on server and security matters, but I understand that it is not as secure as a form posting directly to a back-end API that performs its own authentication with the server. What is your take on that?

    Also, does the fact that Mozilla have abandoned Persona development concern you?

  • One of the main criticisms of Persona...

    Every site you log in to has a list of potential vulnerabilities as long as your arm. The only sensible thing to do, whether this site uses the irritating Persona method or the lovely old 'form on every page', is to have a separate user name and password for every site. That way, if your LFGSS login is hacked, you only have to suffer the mild embarrassment of being impersonated here.

  • And yet, the vast majority (meaning unbelievably high percentage) of people use the same password everywhere. Only a very small % use a password manager or have a non-trivial password for each site.

    That is probably higher on LFGSS, because I've been banging that drum for years.

    But still... when vBulletin and phpBB have been hacked in the past, and things have been leaked, I did compare password hashes with ours to see in general the strength of passwords on LFGSS. A very large number of people used the password 'password', and all of the most popular passwords were well-represented.

    So even on this site, where the cause has been argued for ages... the vast majority still used common passwords and dictionary words.

    Passwords have long been broken, but no-one has a better solution that people seem willing to use. 2FA is damn good, and is the right thing, but again... virtually no-one really uses it widely.
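The kind of password-strength audit the last comment describes, written out as an added example that is not code from the thread or from the LFGSS/Microcosm codebase. It assumes the site stores salted PBKDF2-HMAC-SHA256 hashes (the real scheme may differ), and both the user table and the "common passwords" list are constructed here so it runs offline. The audit re-hashes each candidate with every user's salt, which is the only way to count weak passwords when hashes are salted; the second function shows the shortcut that only works for unsalted hashes, where two sites' digest sets can simply be intersected.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the top entries of a leaked-password list
# (assumption: a real audit would load the top N from a breach corpus).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "password1"]

# Kept low so the example runs in well under a second; production PBKDF2
# settings should be far higher.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumption: stands in for the site's real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_constructed_user_table():
    """Constructed sample user table of (username, salt, stored_hash).
    The plaintexts exist only to build the fixture; the audit never sees them."""
    constructed_plaintexts = [
        ("alice", "password"),
        ("bob", "qwerty"),
        ("carol", "correct horse battery staple"),  # not in the common list
        ("dave", "password"),
        ("erin", "Tr0ub4dor&3"),                    # not in the common list
    ]
    table = []
    for username, plaintext in constructed_plaintexts:
        salt = os.urandom(16)
        table.append((username, salt, hash_password(plaintext, salt)))
    return table


def audit_common_passwords(user_table, candidates=COMMON_PASSWORDS, iterations=ITERATIONS):
    """Dictionary audit over salted hashes.

    Each candidate has to be re-hashed under every user's own salt, so the cost
    is users x candidates x iterations. Returns {candidate: [usernames using it]}.
    """
    hits = {}
    for username, salt, stored in user_table:
        for candidate in candidates:
            if hmac.compare_digest(hash_password(candidate, salt, iterations), stored):
                hits.setdefault(candidate, []).append(username)
                break  # a user has one password; stop at the first match
    return hits


def unsalted_digest(password: str) -> str:
    """Unsalted SHA-256 stands in for a legacy unsalted scheme (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unsalted_overlap(site_hashes, leaked_hashes):
    """Cross-site comparison that needs no guessing at all: with unsalted hashes,
    identical plaintexts give identical digests everywhere, so the two digest
    sets intersect directly. Per-user salts make this impossible, which is the
    point of salting."""
    return set(site_hashes) & set(leaked_hashes)


if __name__ == "__main__":
    table = make_constructed_user_table()
    hits = audit_common_passwords(table)
    weak = sum(len(users) for users in hits.values())
    print(f"{weak} of {len(table)} users chose a password from the common list: {hits}")

    # Constructed digest sets for two sites that both store unsalted hashes.
    leaked = {unsalted_digest(p) for p in ["password", "letmein", "hunter2"]}
    ours = {unsalted_digest(p) for p in ["password", "correct horse battery staple"]}
    print("cross-site overlap of unsalted digests:", len(unsalted_overlap(ours, leaked)))
```

On realistic tables the salted audit is slow by design (that is what the work factor is for), so run it offline against a dump rather than the live database, and keep the candidate list short; the first few hundred entries of any breach list catch most of the users the comment is talking about.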
