

Is web security a hopeless pursuit? - algoshift

Two examples that make me think about this from time to time.

First, a number of sites that require registration email you with confirmation of your registration. They include your user id and password in plain text within the email. Few things are as irritating as this (at least to me). One has to think about how and if they store that email and who within the company has access to it in plain text.

Second: Google Chrome still has no security to prevent access to all of your passwords in plain text! OK, they added a "Show" button. Fantastic.

Those in tech are probably very aware of this. However, "civilians" using this browser at home or at the office might not be aware of the fact that they are opening their lives up for anyone with access to their computer.

These are just two of the many examples one might be able to come up with.

I am starting to think that I want to see a day when every device has a fingerprint scanner and passwords are history in some form and at some level. Probably not the best solution. Not sure that one exists.
======
pilom
The best solution is education. It's the first thing they teach security
auditors. Just about all of the really hard problems in security have solved
solutions that really do thwart attackers. The issue is that both
organizations and regular users do not know how to actually use them
correctly.

~~~
algoshift
You might be assuming tech-capable users. My concern focuses around those like
my parents, uncles, aunts, cousins, friends and acquaintances for whom what
happens past the keyboard and mouse is as mysterious as can be. Trying to
educate users, at some level, is an exercise in futility. It just isn't going
to happen.

The situation here is that someone might trust a company like Google (not
picking on them...just a good example of the mechanism), download Chrome and
start using it for everything. This can happen at home or the office. By doing
this they are exposing themselves at the worst possible level to identity
theft and worse, without as much as a warning. It's perplexing, to be honest.

My wife would save emails from services that she subscribed to in order to
"have the user id and password handy if I forget". Probably half a dozen
emails with plain-text passwords on her machine (deleted now after an
explanation). There have to be millions of people with similar issues out
there.

I'd say that blaming the user isn't quite right in all cases. The sites and
companies that expose their most secure information so easily are the real
culprits. Google, are you reading this? Fix Chrome please, this security flaw
is bad, bad, bad.

