Repository with sources and generator of https://larlet.fr/david/ https://larlet.fr/david/
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

index.md 1.3KB

12345678910111213141516
  1. title: Granted access
  2. lang: en
  3. > You can — and should — be taking some precautions to ensure that, say, an auto-created subdomain for a user account doesn’t conflict with a pre-existing subdomain you’re actually using or that has a special meaning, or that auto-created email addresses can’t clash with important/pre-existing ones.
  4. >
  5. > But to really be careful, you should probably also just disallow certain usernames from being registered.
  6. >
  7. > <cite>*[Let's talk about usernames](https://www.b-list.org/weblog/2018/feb/11/usernames/)* ([cache](/david/cache/f11fd87b74b7e887269b0e4f300de405/))</cite>
  8. Let me tell you a story about that. I have the username *david* on Bitbucket. You might think it’s quite harmless and I do agree.
  9. There is no such week for the last ten years without somebody giving me write access to a private repository. This is not intentional, it is a user experience security flaw that is really hard to spot. And still, I get access to so many critical stuff!
  10. Even with good will, I cannot find an elegant solution to that confusion. The first year I sent an humorous email about that to each owner and then I gave up. Now imagine if I was nasty…
  11. My point is: even with a strong password — two-factors authentication or whatever — when the user interface is confusing social hacking is made incredibly simple.