• Nick Sabalausky (16/16) Jan 24 2009 Anyone know of a reliable, reasonably-priced web host that...and here's ...
• Chris Nicholson-Sauls (4/29) Jan 25 2009 I gave up trying to find a good one ages ago. There's always the option...
• Andrei Alexandrescu (5/19) Jan 25 2009 Never ever *ever* EVER *EVER* email a password in clear. I'd say, if
• Christopher Wright (5/10) Jan 25 2009 This isn't terribly important if you're only considering one system that...
• Andrei Alexandrescu (7/19) Jan 25 2009 My point exactly. I do have one "insecure" password that I use e.g. with...
• Sergey Gromov (4/23) Jan 26 2009 All my passwords are generated, and different. When I acquire a
• Andrei Alexandrescu (4/27) Jan 26 2009 Now what password do you use for the file you keep all your passwords

"Nick Sabalausky" <a a.a> writes:

Anyone know of a reliable, reasonably-priced web host that...and here's the 
key part...actually understands even the most basic security concepts?

It seems like every place out there has an IT/support department that is 
absolutely convinced of one or more of the following:

1. Unencrypted emails are secure.

2. PGP *signing* an email encrypts the entire message.

3. It is somehow possible to email users their passwords without the 
password ever being stored in either plaintext or in a reversible form (not 
counting, of course, the process that actually sets the password in the 
first place).

4. Secure access to the control panel isn't important.

5. If all of the navigation links and redirects inside of the HTTPS secure 
version of the control panel (including the URL that the login form submits 
to) all point directly to the insecure HTTP version, this somehow doesn't 
defeat the whole point of having secure control panel access.

6. Some other such silliness. 

Chris Nicholson-Sauls <ibisbasenji gmail.com> writes:

Nick Sabalausky wrote:
 Anyone know of a reliable, reasonably-priced web host that...and here's the 
 key part...actually understands even the most basic security concepts?
 
 It seems like every place out there has an IT/support department that is 
 absolutely convinced of one or more of the following:
 
 1. Unencrypted emails are secure.
 
 2. PGP *signing* an email encrypts the entire message.
 
 3. It is somehow possible to email users their passwords without the 
 password ever being stored in either plaintext or in a reversible form (not 
 counting, of course, the process that actually sets the password in the 
 first place).
 
 4. Secure access to the control panel isn't important.
 
 5. If all of the navigation links and redirects inside of the HTTPS secure 
 version of the control panel (including the URL that the login form submits 
 to) all point directly to the insecure HTTP version, this somehow doesn't 
 defeat the whole point of having secure control panel access.
 
 6. Some other such silliness. 
 
 

I gave up trying to find a good one ages ago.  There's always the option 
of starting an account with SliceHost and doing it yourself, though.

-- Chris Nicholson-Sauls

Andrei Alexandrescu <SeeWebsiteForEmail erdani.org> writes:

Nick Sabalausky wrote:
 Anyone know of a reliable, reasonably-priced web host that...and here's the 
 key part...actually understands even the most basic security concepts?
 
 It seems like every place out there has an IT/support department that is 
 absolutely convinced of one or more of the following:
 
 1. Unencrypted emails are secure.
 
 2. PGP *signing* an email encrypts the entire message.
 
 3. It is somehow possible to email users their passwords without the 
 password ever being stored in either plaintext or in a reversible form (not 
 counting, of course, the process that actually sets the password in the 
 first place).

Never ever *ever* EVER *EVER* email a password in clear. I'd say, if 
anyone thinks she wants to do that, she doesn't deserve a server that 
understands basic security concepts, even if one existed.

Andrei

Christopher Wright <dhasenan gmail.com> writes:

Andrei Alexandrescu wrote:
 Never ever *ever* EVER *EVER* email a password in clear. I'd say, if 
 anyone thinks she wants to do that, she doesn't deserve a server that 
 understands basic security concepts, even if one existed.
 
 Andrei

This isn't terribly important if you're only considering one system that 
does not require any significant amount of security.

However, people reuse passwords, and sometimes they'll use the same 
password for sensitive and non-sensitive systems.

Andrei Alexandrescu <SeeWebsiteForEmail erdani.org> writes:

Christopher Wright wrote:
 Andrei Alexandrescu wrote:
 Never ever *ever* EVER *EVER* email a password in clear. I'd say, if 
 anyone thinks she wants to do that, she doesn't deserve a server that 
 understands basic security concepts, even if one existed.

 Andrei

 
 This isn't terribly important if you're only considering one system that 
 does not require any significant amount of security.
 
 However, people reuse passwords, and sometimes they'll use the same 
 password for sensitive and non-sensitive systems.

My point exactly. I do have one "insecure" password that I use e.g. with 
mailing lists, and a "secure" password. The worst that happened was that 
some webmoron has set up a system that asked me to choose a password via 
a https protocol, to then email it to me in clear... When I tried to 
casually explain the mistake of his ways, he got all combative.

Andrei

Sergey Gromov <snake.scaly gmail.com> writes:

Sun, 25 Jan 2009 13:51:28 -0800, Andrei Alexandrescu wrote:

 Christopher Wright wrote:
 Andrei Alexandrescu wrote:
 Never ever *ever* EVER *EVER* email a password in clear. I'd say, if 
 anyone thinks she wants to do that, she doesn't deserve a server that 
 understands basic security concepts, even if one existed.

 Andrei

 
 This isn't terribly important if you're only considering one system that 
 does not require any significant amount of security.
 
 However, people reuse passwords, and sometimes they'll use the same 
 password for sensitive and non-sensitive systems.

 
 My point exactly. I do have one "insecure" password that I use e.g. with 
 mailing lists, and a "secure" password. The worst that happened was that 
 some webmoron has set up a system that asked me to choose a password via 
 a https protocol, to then email it to me in clear... When I tried to 
 casually explain the mistake of his ways, he got all combative.

All my passwords are generated, and different.  When I acquire a
password for a sensitive resource I make sure to change it to generated
as soon as possible.

Andrei Alexandrescu <SeeWebsiteForEmail erdani.org> writes:

Sergey Gromov wrote:
 Sun, 25 Jan 2009 13:51:28 -0800, Andrei Alexandrescu wrote:
 
 Christopher Wright wrote:
 Andrei Alexandrescu wrote:
 Never ever *ever* EVER *EVER* email a password in clear. I'd say, if 
 anyone thinks she wants to do that, she doesn't deserve a server that 
 understands basic security concepts, even if one existed.

 Andrei

 This isn't terribly important if you're only considering one system that 
 does not require any significant amount of security.

 However, people reuse passwords, and sometimes they'll use the same 
 password for sensitive and non-sensitive systems.

 My point exactly. I do have one "insecure" password that I use e.g. with 
 mailing lists, and a "secure" password. The worst that happened was that 
 some webmoron has set up a system that asked me to choose a password via 
 a https protocol, to then email it to me in clear... When I tried to 
 casually explain the mistake of his ways, he got all combative.

 
 All my passwords are generated, and different.  When I acquire a
 password for a sensitive resource I make sure to change it to generated
 as soon as possible.

Now what password do you use for the file you keep all your passwords 
in? :o)

Andrei