Good point about MITM doing script injection, which I hadn't fully considered. I'm not sure that going to HTTPS would solve everything (e.g. that alone wouldn't prevent the origin site from reading passwords that someone enters into the tool, and HTTPS is not foolproof) but it would indeed be a big step in the right direction to avoid MITM.
I wonder (looking at the WMF people in the room) how quickly could WMF deploy a password strength checking tool to the Wikimedia sites? That won't solve all of the problems but it would be a step in the right direction.
Pine
On Thu, Nov 17, 2016 at 10:00 AM, Tyler Romeo tylerromeo@gmail.com wrote:
On Thu, Nov 17, 2016 at 12:28 PM, Pine W wiki.pine@gmail.com wrote:
- If you don't trust that strength testing site (which is fine), choose another. I did a couple of quick checks on that site; while it's entirely possible that I missed something, it appeared to me that the site was not sending passwords over the Internet, whether in the clear or encrypted. The use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in the first place.
Or use a password manager that has a local built-in password strength tool, that way you don't risk being MiTMed by an HTTP site.
In general, as mentioned, you should simply not enter your password on any website that is not the site the password belongs to. For my full-time job, employees have a Chrome extension where, if you accidentally type your password on any website (even if it's not in a text box), you're required to reset it.
--
Regards,
Tyler Romeo
0x405d34a7c86b42df
https://parent5446.nyc

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l