this post was submitted on 19 Mar 2025
28 points (100.0% liked)

Cybersecurity

[–] drspod@lemmy.ml 10 points 20 hours ago (1 children)

Why is Cloudflare monitoring/recording our passwords on the sites they are supposed to be protecting?

[–] Saik0Shinigami@lemmy.saik0.com 14 points 17 hours ago (1 children)

Because Cloudflare users enable the feature?

It's literally opt-in.

[–] Radium@sh.itjust.works -2 points 5 hours ago (1 children)
[–] xor@lemmy.blahaj.zone 3 points 4 hours ago (1 children)

Oh no, a toggle switch! Whatever will we do?!

[–] Saik0Shinigami@lemmy.saik0.com 1 points 15 minutes ago

Indeed... And from the eyes of a potential service who's looking at this feature.

"Ew, a toggle that could potentially save me from liability because they'll detect shitty passwords when I don't have the manpower/developer time to implement that check in my server itself! Or pay for access to HIBP/other service for millions of requests a month."...

This is low-hanging fruit... And while I'm not the biggest fan of Cloudflare (I do use it only because it's the "best option" I have for what I need), this isn't it... This isn't what you get mad about. Checking and disabling known compromised passwords is literally best practice... While this isn't the "best" implementation, it is one that gets us closer to best practice with minimal effort, which means it's more likely to actually be implemented. High-barrier security features are simply ones that will never get implemented. Does this have its own risk? Sure... But I'd rather a known risk with a well-known company that can be actively sued should they fail, vs. "anonymous" who can dox, steal, harass, etc... with virtually no repercussion.
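The comment above describes the server-side check it would take to do this yourself: compare a submitted password against a compromised-password corpus such as HIBP. The block below is an added example, not code from any commenter, from Cloudflare or from HIBP. It implements the k-anonymity range lookup the Pwned Passwords API uses (only the first five hex characters of the SHA-1 leave the server), parses a range response defensively, and exposes a policy hook a registration handler could call. The range URL and the `Add-Padding` header are the real, documented ones; the sample response body, its counts and the `offline_fetch_range` stub are constructed here so the example runs without network access.

```python
# Added example (not code from the post, Cloudflare or HIBP): a server-side
# compromised-password check using the k-anonymity range model of the Pwned
# Passwords API. Only the 5-char SHA-1 prefix is sent; the full hash stays local.
import hashlib
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the range API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range body ("<35-hex suffix>:<count>" per line) into a dict.
    Padding entries (count 0, returned when Add-Padding is requested) are kept;
    malformed lines are dropped rather than trusted."""
    suffixes: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not all(c in "0123456789ABCDEF" for c in suffix):
            continue
        if not count.strip().isdigit():
            continue
        suffixes[suffix] = int(count)
    return suffixes


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus behind the range API
    (0 if absent). fetch_range takes a 5-char prefix and returns the body text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str], max_seen: int = 0) -> bool:
    """Policy hook for a registration or password-change handler: reject any
    password seen more than max_seen times in breach corpora."""
    return breach_count(password, fetch_range) <= max_seen


def fetch_range_live(prefix: str) -> str:
    """Real network fetcher (not used by the offline demo). Add-Padding asks the
    API to pad the body so response size does not leak how popular a range is."""
    import urllib.request
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6. The counts,
# the other suffixes and the junk lines are made up; a real body has ~800 lines.
FAKE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8:0\r\n"  # padding entry, lowercase
        "garbage line without a colon\r\n"            # must be skipped
        "ZZZZ:12\r\n"                                 # malformed suffix, skipped
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline fetcher: the constructed body for a known prefix, else empty."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2025"):
        seen = breach_count(pw, offline_fetch_range)
        verdict = "accept" if is_acceptable(pw, offline_fetch_range) else "reject"
        print(f"{pw!r}: seen {seen} times -> {verdict}")
```

To wire this into a real service, pass `fetch_range_live` instead of `offline_fetch_range` and cache range bodies by prefix; the API sets long cache headers, which is what keeps a self-hosted check cheap at the request volumes the comment worries about.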