hacked - looking for doc/suggestions on hardening/securing systems from the start

Patrick O'Callaghan pocallaghan at gmail.com
Fri Dec 20 11:05:40 UTC 2013


On Fri, Dec 20, 2013 at 10:40 AM, Roger <arelem at bigpond.com> wrote:

>  On 12/20/2013 09:24 PM, Patrick O'Callaghan wrote:
>
>
> On Fri, Dec 20, 2013 at 8:05 AM, Tim <ignored_mailbox at yahoo.com.au> wrote:
>
>> e.g. A fool uses some webservice that asks you to log in with your
>> hotmail username and password, so they do, despite the face that this
>> webservice is not hotmail.
>>
>
>
>  Not quite what you're saying but tangentially related: many web sites
> are confusing to the naive user. They ask you to register using your email
> address and a password, without making it clear that they don't mean the
> password for the email account. I'm sure more than a few people have been
> caught by that. It doesn't mean the website is malicious, but now the
> attack front on the password has been expanded.
>
>  poc
>
>  I've noticed that they prefer/require email address as user name to
> reduce the instance of simplistic user names while remaining memorable.
> There's nothing to stop one using a fictitious email address as a user
> name provided one remembers it when needed. qwertuyt at qwe.bv once worked
> for me along with similary stupid trials.
>


Except when they actually want the real address to confirm the
registration, which is quite common. In any case, the point I was making is
that the password should be different, something which may not be clear to
every user.

poc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20131220/8e891983/attachment.html>


More information about the users mailing list