Comments on: Stolen password checking: a question of trust
http://www.welivesecurity.com/2011/11/04/password-compromise-checking-a-question-of-trust/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley
http://www.welivesecurity.com/2011/11/04/password-compromise-checking-a-question-of-trust/#comment-3684
Sun, 06 Nov 2011 18:08:31 +0000

Thanks, Stephen. It is indeed a pity that we can't simply recommend well-meant and even well-implemented services because of the wider implications of such a recommendation. It's easy to point out the problems: if only it were as easy to come up with ironclad solutions. :(

By: Stephen Cobb
http://www.welivesecurity.com/2011/11/04/password-compromise-checking-a-question-of-trust/#comment-3683
Sun, 06 Nov 2011 18:03:58 +0000

David — Your analysis is spot on. Which is a pity because some of these offerings are undoubtedly well-intentioned. The most problematic factor with these services, and many others that pop up, security-related or otherwise, is the unpredictable conjunction of time and human nature. In other words, over time, the people who create and operate the service are subject to change, or replacement. Personal and organizational goals and priorities change.
The most immediate concern might be an insider on an otherwise good project going bad. As you rightly point out, "a bad actor suddenly has access, potentially, to a whole bunch of self-verified addresses." Longer-term concerns include maintaining the assurances made to people submitting their data, despite possible changes to funding, ownership, and so forth.
Until there is a strong, reliable, easy-to-use and universal alternative to passwords, or the general standard of human behavior takes a great leap forward, it looks like we are all stuck with the chore of managing a bunch of unique and frequently changing hard-to-guess passwords or passphrases.
