[Dovecot] Heartbleed openssl vulnerability?

Reindl Harald h.reindl at thelounge.net
Wed Apr 9 20:38:05 UTC 2014



On 09.04.2014 22:06, Robert Schetterer wrote:
> On 09.04.2014 19:54, Reindl Harald wrote:
>> i have faced users in real life who were punished by
>> changing their passwords each month and the result was
>> that not a single one of them was secure or not stored
>> somewhere while the same person would have chosen
>> something like below otherwise
> 
> yes it's common and old security practice to force password changes at
> some terms in many software products, looks like many coders agreed that
> this is a good idea, but for sure they had not your universal jedi power

that's polemic

it is not a matter of "jedi power", it's a matter of how likely
it is that your password may get stolen and how many really
secure passwords a human can keep in his mind compared with
changing them again and again, forcing him to store the password in
a place where it is more likely to get compromised

if the password i am using for critical infrastructure leaves
my hands it would be a nightmare - a braindump is unlikely, getting
whatever store contains it compromised is more likely

the same for the class of not that critical passwords, generated
with random algorithms and because of that stored in password safes
which *may* be compromised but better than "shitpwd-year-moth-123"

so stop this polemic, there is no absolute right solution in case
of credentials and before a user chooses "fuckingadmin123" i prefer
passwords like "!Y*c*k*m*b*S!*"
