Repository with sources and generator of https://larlet.fr/david/ https://larlet.fr/david/

index.md 1.3KB

title: Granted access
lang: en
> You can — and should — be taking some precautions to ensure that, say, an auto-created subdomain for a user account doesn’t conflict with a pre-existing subdomain you’re actually using or that has a special meaning, or that auto-created email addresses can’t clash with important/pre-existing ones.
>
> But to really be careful, you should probably also just disallow certain usernames from being registered.
>
> <cite>*[Let's talk about usernames](https://www.b-list.org/weblog/2018/feb/11/usernames/)* ([cache](/david/cache/f11fd87b74b7e887269b0e4f300de405/))</cite>

Let me tell you a story about that. I have the username *david* on Bitbucket. You might think it’s quite harmless, and I do agree.

Not a single week has gone by in the last ten years without somebody giving me write access to a private repository. This is not intentional; it is a user experience security flaw that is really hard to spot. And still, I get access to so much critical stuff!

Even with good will, I cannot find an elegant solution to that confusion. The first year I sent a humorous email about it to each owner, and then I gave up. Now imagine if I were nasty…

My point is: even with a strong password — two-factor authentication or whatever — when the user interface is confusing, social hacking is made incredibly simple.
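The quoted advice above (refuse usernames that would collide with a subdomain in use or with a role mailbox) can be enforced at registration time. This is an added example, not code from the post or from any of the sites it mentions; the reserved-name lists and the `existing_*` inputs are constructed assumptions for illustration.

```python
import re

# Constructed lists for this example (assumptions, not from the post). A name that
# would shadow a subdomain the site itself serves, or one of the role mailboxes
# defined by RFC 2142 (postmaster, abuse, hostmaster, ...), must never be handed
# to a self-registered account.
RESERVED_SUBDOMAINS = frozenset({
    "www", "mail", "smtp", "imap", "api", "admin", "static", "cdn", "status", "login",
})
RESERVED_MAILBOXES = frozenset({
    "postmaster", "hostmaster", "webmaster", "abuse", "security", "noc", "support",
    "root", "noreply", "no-reply",
})
# One lowercase DNS label: 1 to 39 characters, no leading or trailing hyphen.
USERNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?")


def normalize(username: str) -> str:
    """Fold case and trim so 'WWW ' and 'www' are treated as the same identifier."""
    return username.strip().lower()


def username_problems(username: str,
                      existing_subdomains: frozenset = frozenset(),
                      existing_mailboxes: frozenset = frozenset()) -> list:
    """Return the reasons a username must be refused; an empty list means it is safe.

    existing_* carry names already live on the site (hypothetical inputs here) so
    that a new account can never collide with something that is already in use.
    """
    name = normalize(username)
    if not USERNAME_RE.fullmatch(name):
        return ["not a valid DNS label (a-z, 0-9, '-', 1-39 chars, no edge hyphens)"]
    problems = []
    if name in RESERVED_SUBDOMAINS or name in existing_subdomains:
        problems.append(f"'{name}' would shadow a subdomain in use")
    if name in RESERVED_MAILBOXES or name in existing_mailboxes:
        problems.append(f"'{name}' would shadow a role mailbox")
    return problems


if __name__ == "__main__":
    for candidate in ("david", "WWW", "Postmaster ", "-bad-"):
        print(candidate, "->", username_problems(candidate) or "ok")
```

The Bitbucket story is a different failure mode: *david* passes every check here, and the problem is an ambiguous user picker, which a denylist cannot fix.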