"The core problem with passwords is that they reside on a server."
That's so empty I don't know what it means...
sbiewald: Depends on context.
On Windows this is a huge problem: While the cleartext password of the logged-in user (from console or RDP) is not stored in a persistent database, it is in memory for the length of a session.
This means, if a Windows server administered with RDP is compromised (e.g. with malware), the user account is as well. As sessions are commonly done with network-wide credentials, it may hurt the whole network.
The Emotet malware does this: It waits on a server / workstation for a domain administrator to log on and uses his credentials to compromise the network.
For web applications there is a similar issue in case a hacker can execute arbitrary code, as the web application takes the password unhashed from the user before comparing it to the stored hash.
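As a defender's check for the Windows scenario described above, the following is an added example, not code from the thread or from its participants: it reports whether the Microsoft mitigations that limit what a compromised RDP host holds in LSASS memory are configured. The function name is my own; the registry values (WDigest `UseLogonCredential`, `DisableRestrictedAdmin`) and the `Win32_DeviceGuard` CIM class are the documented Windows settings. It assumes it is run locally on a Windows host with read access to HKLM.

```powershell
# Added example (not from the thread). Reports the state of three settings that decide
# whether a user's credentials can be recovered from a compromised RDP host's memory.
function Get-LsaCredentialExposure {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # WDigest: UseLogonCredential = 1 keeps the cleartext password in LSASS for the session.
    # A missing value means the OS default, which is off on Windows 8.1 / Server 2012 R2 and later.
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $wdigestCleartext = ($useLogonCred -eq 1)

    # Restricted Admin mode: DisableRestrictedAdmin = 0 lets RDP clients connect with
    # /restrictedAdmin, so the user's reusable credentials are never sent to the remote host.
    $disableRA = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $restrictedAdminEnabled = ($null -ne $disableRA -and $disableRA -eq 0)

    # Credential Guard: when running, LSASS secrets are isolated by virtualization-based security.
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        WDigestCleartextEnabled = $wdigestCleartext
        RestrictedAdminEnabled  = $restrictedAdminEnabled
        CredentialGuardRunning  = $credGuardRunning
    }
}

# Usage: a host that administrators reach over RDP should show
# WDigestCleartextEnabled = False and CredentialGuardRunning = True.
Get-LsaCredentialExposure | Format-List
```

A host where `WDigestCleartextEnabled` is true holds the cleartext password for the whole session, exactly the condition the comment describes; Credential Guard and Restricted Admin each reduce what a compromise of that host yields, so the output is a quick way to prioritise which RDP-administered servers to fix first.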
sbiewald: I think the 'expert' still draws the wrong conclusion:
The problem is that the same passwords are used for multiple resources.