Good point about MITM doing script injection, which I hadn't fully
considered. I'm not sure that going to HTTPS would solve everything (e.g.
that alone wouldn't prevent the origin site from reading passwords that
someone enters into the tool, and HTTPS is not foolproof) but it would
indeed be a big step in the right direction to avoid MITM.
I wonder (looking at the WMF people in the room) how quickly WMF could
deploy a password strength checking tool to the Wikimedia sites? That won't
solve all of the problems, but it would be a step in the right direction.
Pine
On Thu, Nov 17, 2016 at 10:00 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
On Thu, Nov 17, 2016 at 12:28 PM, Pine W <wiki.pine(a)gmail.com> wrote:
1. If you don't trust that strength testing site (which is fine), choose
another. I did a couple of quick checks on that site; while it's entirely
possible that I missed something, it appeared to me that the site was not
sending passwords over the Internet, whether in the clear or encrypted. The
use of HTTP or HTTPS is irrelevant if the data isn't getting sent out in
the first place.
Or use a password manager that has a local built-in password strength tool,
that way you don't risk being MiTMed by an HTTP site.
In general, as mentioned, you should simply not enter your password on any
website that is not the site the password belongs to. For my full-time job,
employees have a Chrome extension where, if you accidentally type your
password on any website (even if it's not in a text box), you're required to
reset it.
--
Regards,
Tyler Romeo
0x405d34a7c86b42df
https://parent5446.nyc
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l