
GitHub will now tell you if your password has been pwned - PascLeRasc
https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/
======
yRetsyM
I'm continually impressed at the positive impact Troy has had, it's a real
dent in the universe.

~~~
ocdtrekkie
I was a big fan of Troy until relatively recently. He's turned to bullying and
ridiculing people publicly who don't agree with his positions on security. I
blocked him on Twitter after I realized that I wasn't the only person who
noticed, and that I had made at least a couple tweets that could make me a
target.

That being said, what I really want to see someone do is make an Active
Directory plugin for Pwned Passwords. Corporate networks are both most at risk
and most often where you find bad passwords.

~~~
jsmeaton
Troy doesn't really have that many positions on security matters other than
"as an operator of a website, you must offer HTTPS". Is this the topic you're
referring to?

~~~
ocdtrekkie
One for sure, but he's also pretty adamant against password reuse of any kind
on any site no matter how trivial and in favor of cloud-based password
managers, which, while very much the current mainstream opinions today, I
disagree with fairly heavily. I'm willing to bet many of these approaches will
be seen in a different light in a few years, just like we no longer favor
regular password rotation in recommendations today.

There are significant problems with all of those views, and while arguing about
each one would be a larger discussion, Troy's behavior towards people who
don't agree with him is concerning.

~~~
jsmeaton
Well yes, his views on password reuse are obvious, and that password managers
are the best option _for most people_ are clear, but I haven't seen any
tweets shaming people for these things. So I assume the bullying behaviour
you're referring to is regarding HTTPS.

If that's the case, then you should probably be more clear. "He ridicules
people for not using HTTPS" is a much weaker claim than "he ridicules
people for not agreeing with his security principles".

~~~
theoctopus
And he doesn't ridicule people who don't use HTTPS, he ridicules people who
spread BS about how it's not necessary.

------
snowwolf
I don’t understand. If you’ve rightfully decided not to offer SMS as a 2-factor
option because of its poor opsec (number porting, SIM cloning, etc.), why then
offer it as a recovery option? Your 2-factor is only as secure as the weakest
recovery option.

~~~
detaro
But they do offer SMS as 2FA, they just recommend against it? (Same for
recovery presumably?)

~~~
snowwolf
Ah yes I missed that. Hopefully they do explain the risks of using SMS. At
least they don’t force you to use it unlike some sites.

------
jokoon
Good thing.

I guess that most websites should do the same and progressively warn users that
their password is weak and is listed in a popular password list.

Of course it's bothering users, but frankly it should be done.

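The check described above can be done without ever sending the password off the box, using the k-anonymity range lookup that Pwned Passwords exposes: hash the password with SHA-1, send only the first five hex characters, and look for the remaining 35 characters in the list that comes back. The code below is an added example and is not GitHub's or Troy Hunt's code. The range response is constructed for the example: the first suffix is the real SHA-1 remainder of the string "password", but every count and the other suffixes are made up, and `fake_fetch_range` stands in for the HTTP call to the real endpoint.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for prefix "5BAA6", in the
# "SUFFIX:COUNT" line format the Pwned Passwords range API uses. Only the
# second suffix is real (SHA-1("password") minus its first five hex chars);
# the other suffixes and all counts are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2D30BA2E0F7A5F9C4E1B0A8D7C6F5E4D3C2:1
FFB2D9AB5C3E1F0A9B8C7D6E5F4A3B2C1D0:12
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that leaves the machine and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a "SUFFIX:COUNT" response body into a lookup table.
    Blank lines are ignored and suffixes are normalised to uppercase."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus, or 0.
    fetch_range(prefix) must return the range body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Hypothetical: serves the constructed sample for one prefix, empty otherwise."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_RESPONSE
    return ""


def password_verdict(password: str, fetch_range: Callable[[str], str]) -> str:
    """Policy the thread suggests: refuse a breached password at signup /
    password change, otherwise accept it."""
    count = pwned_count(password, fetch_range)
    if count > 0:
        return "reject: seen %d times in breaches" % count
    return "accept"


if __name__ == "__main__":
    print(password_verdict("password", fake_fetch_range))
    print(password_verdict("correct horse battery staple", fake_fetch_range))
```

The server only ever learns the five-character prefix, which matches on the order of hundreds of hashes, so the lookup does not reveal which password was checked. The same parser works against the live endpoint if `fetch_range` is replaced by a real HTTP GET.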
------
hartator
Some unrelated thoughts I’ve always been wondering about: why not use a bcrypt
function on the client side, so the clear password never hits the servers?

It seems so weird to me that the passwords are not hashed leaving the client,
and it’s considered good practice.

~~~
itake
I think you want to be able to verify that the password is secure (greater
than a certain length, uses capitals and symbols, etc.)

If you just pass the hash back to the server, you can't verify that the
password was secure.

~~~
the8472
That can also be verified on the client side.

~~~
itake
How do you trust the client verified it correctly?

~~~
the8472
The client attempting to bypass password complexity checks on registration is
not part of most threat models. I.e. they're not an attacker, it's more of a
user aid.

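The question of client-side hashing raised in this subthread comes down to what the server stores. The following is an added example, not code from the original post or from GitHub: PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library, and the class and function names are invented for illustration. It contrasts a server that stores the client-computed hash verbatim with one that hashes the received value again with its own salt, and then shows what an attacker holding only a leaked database row can do against each.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Iteration counts kept modest so the example runs quickly; production
# values would be higher. Both constants are this example's own choice.
CLIENT_ITERATIONS = 50_000
SERVER_ITERATIONS = 50_000


def client_prehash(password: str, username: str) -> bytes:
    """What a browser would send instead of the clear password.
    It must be deterministic (the client keeps no per-user salt), so the
    username is used as salt so equal passwords differ between accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               username.encode("utf-8"), CLIENT_ITERATIONS)


class NaiveServer:
    """Stores the client-supplied hash as received. Whatever is in the
    database is exactly what a client has to present to log in."""

    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}

    def register(self, username: str, credential: bytes) -> None:
        self.db[username] = credential

    def login(self, username: str, credential: bytes) -> bool:
        stored = self.db.get(username)
        return stored is not None and hmac.compare_digest(stored, credential)


class RehashingServer:
    """Treats the client-supplied hash as an opaque password and hashes it
    again with a fresh random salt before storing it."""

    def __init__(self) -> None:
        self.db: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(credential: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, salt, SERVER_ITERATIONS)

    def register(self, username: str, credential: bytes) -> None:
        salt = os.urandom(16)
        self.db[username] = (salt, self._derive(credential, salt))

    def login(self, username: str, credential: bytes) -> bool:
        row = self.db.get(username)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._derive(credential, salt))


def replay_from_leaked_db(server, username: str) -> bool:
    """Attacker model: the database row leaked, the password did not.
    The attacker submits the stored value itself as the credential."""
    row = server.db[username]
    leaked = row if isinstance(row, bytes) else row[1]
    return server.login(username, leaked)


def demo() -> Dict[str, bool]:
    """Register the same pre-hashed credential with both servers and compare
    a legitimate login against a replay of the leaked row."""
    naive, rehash = NaiveServer(), RehashingServer()
    cred = client_prehash("hunter2", "alice")  # constructed test account
    naive.register("alice", cred)
    rehash.register("alice", cred)
    return {
        "naive_legit": naive.login("alice", cred),
        "naive_replay": replay_from_leaked_db(naive, "alice"),
        "rehash_legit": rehash.login("alice", cred),
        "rehash_replay": replay_from_leaked_db(rehash, "alice"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, ok))
```

With the naive design the leaked row logs the attacker straight in, so pre-hashing on the client buys nothing against a database compromise; only the rehashing design makes the stored value useless on its own. The client-side step still has a benefit of its own, which is that the server and its logs never see the clear password, but it is an addition to server-side hashing rather than a replacement for it.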
------
jwilk
Please use the original title.

