Exactly. This action is so obviously horrendous it's hard to believe it still happens. Once a password hits your inbox, you can almost count on it living forever. And basically with one 5 second search of my inbox for "password" a thief could easily discover my password that I use for almost every web site.
It's totally irresponsible for a service provider to essentially reveal a secret like that (without asking or really, ever).
Does none of that responsibility lie with you for using the same password across all sites? What if, on the other side of the spectrum, their site was compromised, and your password was retrieved that way? You'd be vulnerable in the same way.
I don't mean to exclusively blame the victim, but you can only go so far to protect a user if they won't protect themselves. I haven't read through the suggestions on the site, but it seems like this should be the primary -- as a user, you need to take care of your own safety and not rely on good development practices to protect you.
My comment implied that I was. I said it's not exclusively their fault, implying that it is partially their fault. In the case of reusing the same password between sites, the blame for reusing that password does lie with the victim. That's not to say that sites should be sending the password to them -- that's still a horrible idea. A site cannot prevent a user from reusing the same password, though.
I guess what I mean to say is that you need to play both sides of it. As a developer, you should be doing all you can to prevent anything from leaking user info. As a user, you should do anything you can to prevent leaks from one site affecting other parts of your internet identity. Isn't that the entire goal of the FAQ this guy is putting together?
I think people are learning about password wallets. My mom, wife, and kids (12 and 9) all use and understand the value of password wallets.
If Google really does get in-browser crypto working, they might even understand PGP. They won't understand Diffie-Hellman, but they understand if words --> block of gibberish --> words, then there must be some math in between.