Hacker Newsnew | comments | show | ask | jobs | submit login

Probably to prevent people accidentally saving a login on a shared/public computer.



The curious thing about this "solution" is that it's pretty fundamentally broken. If you're authenticating to any important site by typing a username/password into a computer you don't "trust", you're doing it wrong.

The subset of computers in between "people I don't trust also use this computer" and "this computer could easily have had a key logger Or root kit installed" must be vanishingly small.

If you don't own it (or trust the person who owns it enough to satisfy your personal security requirements), then any username/password you type into it should be considered "possibly compromised" no matter what measures the website has taken to protect you. Two factor auth helps, but still have the problem that 2/3rds of your auth credentials could be compromised (the attacker could end up knowing your gmail username & password, leaving only the six digit auth-code to brute force, which I _hope_ google have sensible protection in place for). Single use passwords also help, but both tfa and single use passwords don't protect against an attacker who 0wns the machine seeing and recording everything that happens in your current session - including I suspect for a sufficiently skilled attacker (or perhaps even a script kiddie with an off the shelf tool), complete access to the post SSL decrypted data inside a trojaned browser (if I can modify the browser, none of the httponly or secureonly flags for your session cookies are safe, sure, JavaScript can't extract them, but the browser code can… And it could be exporting them in real time to the bad guy, or piggybacking proxied instructions to empty your bank account via Western Union while you check your credit card balance)

-----


I don't disagree, but if you run a site of any size you will quickly realize that users will do all sorts of crazy things against the best practices for security. One of the top (if not the top) search requests Google gets is "facebook login". What do you want to bet that a lot of those requests are coming from a shared computer?

-----




Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact

Search: