On 06/05/2011 00:38, Darren New wrote:
> In either case, sending the "private" key over cleartext and then using
> it for authentication is just as broken as sending your password in
> cleartext. More so, because you'd think someone smart enough to use
> encryption for authentication would be smart enough to know that's not
> how you do it.
If you're using passwords for authentication, it's almost infeasible to
not make the system extremely fragile. Public key authentication is a
sophisticated system which solves almost all of these problems... except
that these people managed to do it so completely wrong as to trivially
circumvent any extra security provided.
Actually, the key they sent us was password protected. And they sent us
the password in a separate email. But really, how long is it going to
take a password cracker to figure out the 8-digit random alphanumeric
code they used for a password? That's even assuming the two emails
didn't trickle across the Internet right next to each other in the first
place.
Still, it's not a major company or anything. *cough* Pfizer *cough*