Allegedly, on or about 26 December 2018, home user via users sent:
> I used to think Wikipedia is great. Lately, my opinion of it is
> declining. It's not always authoritative, it's not very stable
> (article contents change too much, too often), and other faults. I'm
> almost certain I'm not the only member of this list with this view.

While that's true, I still find it a good starting point for looking things up. There are mostly understandable explanations of technical stuff, and references to sources of information. And because the site gets reviewed, things get improved.

> No mention was made of OAuth2.

My first port of call is usually Google, though. And you can try doing a search using just the keywords of OAuth2 and yahoo, then try OAuth2 and gmail, etc.

Plain text passwords are just bad news anywhere. Inside your own LAN, where nobody else connects, not so much of an issue. But if you do anything that allows an outsider to connect to it, then they're bad.

A lot of mail servers don't allow plain text passwords any more. If you try to connect using one, the logon process refuses before it even starts and your system never even gets as far as sending your password, and probably even before you even send a username.

Encryption is only as good as the encryption is. But it's the best choice, and any security failure is limited to that particular bad service.

Various third party authenticators, where you authenticate with one service, and it authenticates you with other services that listen to it, have their own set of problems. Kerberos, GSSAPI, OAuth2 are examples of that kind of scheme, and things that allow Facebook or the old Microsoft passport to authenticate you. While they have the convenience of login once, and not having to do it again for other things, most things let you save your password, so you only ever had to enter it once when configuring the program, anyway.

The problems they have are being a central point of exploitation: Someone cracks that and you're instantly vulnerable in multiple places. And they know everything that you're up to, so you're trackable and databasable, privacy goes right out the window with any authenticator who doesn't give a damn about you. And they're a central point of failure, it goes down and you lose everything. And you may face the same situation if you decide you don't want to use them any more.

I'd say to use encrypted connections or logons, hope that as a vulnerability in a particular encryption scheme is discovered it gets removed from your applications and services. Use good, different, and unrelated, passwords for every service. It's probably going to be the easiest thing to do, too.

Other authentication schemes are obscure. With little use or useful help.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 4.16.11-100.fc26.x86_64 #1 SMP Tue May 22 20:02:12 UTC 2018 x86_64

Boilerplate: All mail to my mailbox is automatically deleted. There is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Hooray! I finally finished typing this email.
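
Added example, not part of the original message: the message above says many mail servers refuse plain text passwords before the logon even starts; this sketch reads what a server advertises before TLS (IMAP `CAPABILITY`, SMTP `EHLO`) and reports whether a reusable password could cross the wire in the clear and whether OAuth2 token mechanisms are offered. The function names are hypothetical and every server response is a constructed sample.

```python
# Added example: what a mail server advertises before any credential is sent.
# Every server response below is a constructed sample, not a capture.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}          # send the reusable password itself
TOKEN_MECHS = {"XOAUTH2", "OAUTHBEARER"}     # OAuth2 bearer-token mechanisms

def parse_imap_capabilities(line):
    """Capability tokens from an IMAP '* CAPABILITY ...' response."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an IMAP CAPABILITY response")
    return {t.upper() for t in tokens[2:]}

def parse_smtp_ehlo(text):
    """{keyword: [params]} from a multi-line SMTP EHLO reply."""
    ext = {}
    for raw in text.strip().splitlines()[1:]:    # first line is the greeting
        words = raw[4:].split() if raw.startswith("250") else []
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext

def verdict(cleartext, starttls, mechs):
    return {"cleartext_password_possible": cleartext,
            "starttls_offered": starttls,
            "token_mechs": sorted(mechs & TOKEN_MECHS)}

def assess_imap(line):
    caps = parse_imap_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    # RFC 3501: the LOGIN command is allowed unless LOGINDISABLED is advertised.
    cleartext = "LOGINDISABLED" not in caps or bool(mechs & PASSWORD_MECHS)
    return verdict(cleartext, "STARTTLS" in caps, mechs)

def assess_smtp(text):
    ext = parse_smtp_ehlo(text)
    mechs = set(ext.get("AUTH", []))
    return verdict(bool(mechs & PASSWORD_MECHS), "STARTTLS" in ext, mechs)

# Constructed pre-TLS responses (mail.example.org is a placeholder host).
IMAP_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
IMAP_LAX = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"
SMTP_STRICT = "250-mail.example.org\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
SMTP_LAX = "250-mail.example.org\n250-AUTH PLAIN LOGIN XOAUTH2\n250 8BITMIME"

if __name__ == "__main__":
    for name, fn, sample in [("imap strict", assess_imap, IMAP_STRICT),
                             ("imap lax", assess_imap, IMAP_LAX),
                             ("smtp strict", assess_smtp, SMTP_STRICT),
                             ("smtp lax", assess_smtp, SMTP_LAX)]:
        print(name, fn(sample))
```

A server in the "strict" shape offers nothing to authenticate with until STARTTLS has completed, which is the refusal the message describes.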