Re: [PSB] Digest for portable-sound-blaster@googlegroups.com - 25 Messages in 3 Topics


Dean A. Stewart

unread,
Jan 9, 2013, 7:32:57 PM1/9/13
to portable-so...@googlegroups.com
Kyle Smith <air...@me.com> Jan 09 09:15AM -0500 

That qualifies as a deal breaker in my book! Maybe if enough people spoke out against the practice, digiKey would implement secure password reset procedures
Kyle<<< It seems a tad harsh reaction to a process of accessing your account via your email so you can change your profile settings and password online in https://
 
What’s the big deal about sending your password by email? Seems like your password is common to other purposes, which is the issue here, not Digi-key.

I never use the same password and they are easy to remember and not found in the dictionary.

Kyle Smith

unread,
Jan 9, 2013, 10:23:25 PM1/9/13
to portable-so...@googlegroups.com
Dean, 

If you think it adequate security to have your password sent to you, in the clear, via unencrypted email, which will likely be stored and forwarded on who knows how many email servers prior to its arrival in your inbox, then you are apparently in the majority. The fact remains that this is a case study in how to gain unauthorized access to a server, and make no mistake about who the blame lies with. It lies squarely on the shoulders of every person that continues to do business as usual with a company that continues to use such a frankly insecure method of dealing with customers who have no recollection of their account's password. If you personally feel secure providing financial data to a company that has so little concern for the most fundamental security policy governing the management of user passwords, then you may take some comfort in knowing that you will be among the vast majority of citizens who will be affected when their servers are compromised, which is nearly a dead certainty, from what we know of their security posture. You may respond that it won't affect you, since you apparently use one-time passwords. However, once an adversary has gained control over servers within a company's infrastructure, you will not be the least aware of any problem on their website. Yet, they can and will turn those servers into a method of capturing anything about you which you choose to share with the compromised server. And with a server completely under their control, they can and will turn your own personal system into one of their countless bots to further spread their control over more clueless users.

However, after saying the above, you will not be persecuted for your own lack of concern. Indeed, you will take your place happily among the majority of people who choose to do nothing to motivate companies who have faulty security policy. So, you need not heed a thing I've said, and no one will condemn you for your own personal security posture. I am but an old retired fart who you may simply dismiss as having odd opinions on security. My purpose is to voice my viewpoint, not to denigrate those who do not share my perspective. So be of good cheer; mine is strictly a minority opinion, and you are welcome to state your own views. That is, after all, the very value of having groups. If I have offended you in any way, let me offer a sincere apology, as that was not at all my intent. I find myself drawn to this group because of the respect I have for the programming capabilities of Steve Gibson; he is a highly gifted individual, and just by sharing his love for assembly with so many, who might otherwise have never dabbled with machine code, were it not for his selfless act of sharing his seasoned knowledge on the subject. Nothing has changed my view in that regard, so I will continue to make my very occasional observation in the hope of helping where I can, and more so learning from the collective intelligence to be found within this group's threads.

Best wishes,

--
Kyle Smith AG2F
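The disagreement in the two messages above comes down to one design decision: a site that can mail you your password on request must be storing it in a recoverable form, whereas a site that stores only a salted hash cannot produce the plaintext and has to offer a different reset path. The following Python is an added illustration, not code from either poster nor a model of any real vendor's system; the in-memory stores, the iteration count, the token lifetime and the "mail" strings are all constructed for the example.

```python
"""
Added example: a recoverable-password store (the practice criticized in the
thread) beside a salted-hash store with a short-lived, single-use reset token.
All names, stores and mail text are constructed for illustration only.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # constructed tunable, not from any real site
TOKEN_TTL_SECONDS = 15 * 60   # constructed reset-token lifetime


class RecoverablePasswordStore:
    """Anti-pattern: keeps the plaintext so a 'forgot password' request can
    mail it back. Anyone who reads the database, any relay in the mail path,
    or the user's mailbox learns the password itself."""

    def __init__(self):
        self.accounts = {}  # email -> plaintext password

    def register(self, email, password):
        self.accounts[email] = password

    def forgot_password(self, email):
        # The 'reset' mail carries the secret in the clear.
        return f"Your password is: {self.accounts[email]}"


class HashedPasswordStore:
    """Stores only salt + PBKDF2-HMAC-SHA256 digest. The plaintext cannot be
    recovered, so the only possible reset is letting the user choose a new one."""

    def __init__(self):
        self.accounts = {}      # email -> (salt, digest)
        self.reset_tokens = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)  # per-account random salt
        self.accounts[email] = (salt, self._digest(password, salt))

    def verify(self, email, password):
        salt, stored = self.accounts[email]
        # Constant-time compare so timing does not reveal matching prefixes.
        return hmac.compare_digest(stored, self._digest(password, salt))

    def forgot_password(self, email, now=None):
        """Issue a random single-use token. Only its hash is kept server-side,
        so a copy of the database does not yield usable tokens."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[token_hash] = (email, now + TOKEN_TTL_SECONDS)
        # The mail carries an expiring capability, not the password.
        return f"Reset link: https://example.invalid/reset?token={token}"

    def reset_with_token(self, token, new_password, now=None):
        """Consume the token (one use only), reject it if expired, then
        replace the stored hash. Returns True on success."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.register(email, new_password)
        return True


def extract_token(mail_text):
    """Helper for the demonstration: pull the token out of the constructed mail."""
    return mail_text.split("token=", 1)[1]


if __name__ == "__main__":
    weak = RecoverablePasswordStore()
    weak.register("alice@example.invalid", "hunter2")
    print(weak.forgot_password("alice@example.invalid"))  # plaintext leaves the server

    strong = HashedPasswordStore()
    strong.register("alice@example.invalid", "hunter2")
    mail = strong.forgot_password("alice@example.invalid")
    print(mail)  # a link that expires, nothing about the current password
    print(strong.reset_with_token(extract_token(mail), "correct horse"))
```

The point the example makes concrete: with `HashedPasswordStore` there is no code path that can put the password into an email at all, and a reset mail intercepted on one of the relays Kyle describes is worth only a quarter of an hour and a single use. Whether a site mails you your old password is therefore a reliable external tell about how it stores credentials.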