From: raymond at dyn.org (Raymond Morsman)
Subject: Microsoft removes 'user:passwd@...e' support

Quoting Richard Hatch <r.hatch@...s.qinetiq.com>:

> Was Microsoft 'wrong' to simply remove this support?  Maybe.
> Were people wrong to register domain names with reserved characters? Maybe.

You're not getting it, are you? 

You can't reserve a domain with reserved characters. You can expect RFCs to be
used by any participant on the Internet.

Microsoft just chose not to, which is plain wrong. If you don't like the rules,
don't play.

> I am not a Microsoft fan, but given the huge number of email scams relying
> on this type of URL, something clearly had to be done to help protect users.
> Microsoft could have simply said "It's not our fault, we can't fix this
> without breaking other things".

They could have. For example with a popup with the username and password already
filled in and with an explanatory realm. It's not that hard to think up a usable
solution.

> I find it curious that this type of response has not been prompted by the
> "Hide known file extensions" feature of Windows.

Not relevant. What's going on within a Windows box is not your or my thing to
discuss. But when Microsoft isn't compliant with Internet RFCs, we're all involved.


Raymond.

