by chipperyman573 2256 days ago
It's accounts that were found by testing user/passwords that were found in other hacks to see if people had used the same password on Zoom. It's nothing Zoom did wrong. And it's something that happens to basically every company.

Arguably in 2020 it is something Zoom did wrong in allowing people to re-use known passwords.

"Reject Pwned Passwords" is a very cheap security improvement during sign-up processes. Of course the problem for Zoom is that they've focused very hard on reducing "Bounce" where people decide they'd rather not sign up, which has led to a lot of the other complaints about Zoom we're also reading.

If you run a service that has an email + password type sign-in, the top TWO items I'd tell you are must-haves for that service today (as in, if you aren't live yet they need to be requirements for go-live, and if you're already live they should be top of your pile) are:

1. Sign-in-with-X services that out-source authentication entirely to somebody else. It doesn't much matter if it's Facebook, Google, or Apple; almost anything is better than creating yet another service with yet more credentials. These services are relatively low friction. Zoom does offer this, and if you must have Zoom (as many of us must in this period) then this is the least worst option.

2. Blocking known passwords with something like PwnedPasswords. If you must build your own account authentication either out of hubris or with some genuine rationale for why it's necessary, use PwnedPasswords or a similar service to reject these passwords. Don't have stupid "policies" that sounded good to some idiot who still thinks regular expressions are a pretty neat idea, just reject these known bad passwords.

There are lots of more expensive things I think companies should do if they take security seriously, like implementing WebAuthn (i.e. FIDO security keys), but the above two are low-hanging fruit. If you haven't done them, it is something you did wrong.
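The "reject Pwned Passwords at sign-up" check from item 2 above, as an added example that is not part of the comment and not Zoom's or Have I Been Pwned's own code. It uses the real Pwned Passwords range-lookup mechanics (SHA-1 the candidate, send only the first five hex characters of the digest, match the remaining 35 locally against the returned `SUFFIX:COUNT` lines), but the network fetch is replaced by a constructed fixture so it runs offline; the breach count in that fixture is made up, the `fail_closed` policy flag and function names are this example's own, and the `Add-Padding` handling assumes the service's documented behaviour of returning extra count-0 entries.

```python
"""Reject-known-passwords check built on a k-anonymity range lookup.

Added example (not code from the HN post). Only the hashing, the
5/35-character prefix/suffix split and the SUFFIX:COUNT line format
are the real Pwned Passwords protocol; the fixture data is constructed.
"""
from __future__ import annotations

import hashlib
import re
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called offline
_LINE = re.compile(r"^([0-9A-F]{35}):(\d+)$")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF). Malformed lines are skipped
    rather than discarding the whole response."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 if never).
    Padding entries (count 0) naturally fall out as 'not seen'."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (unused by the offline test). A User-Agent is required by
    the service; Add-Padding hides the true response size from observers."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def signup_password_ok(
    password: str,
    fetch_range: Callable[[str], str],
    min_len: int = 8,
    fail_closed: bool = False,
) -> Tuple[bool, str]:
    """Sign-up policy: length floor plus 'not in a known breach'. No regex
    composition rules. fail_closed decides what happens if the lookup is
    down: a sign-up form usually fails open to avoid bounce, a privileged
    account flow should fail closed. (Policy flag is this example's own.)"""
    if len(password) < min_len:
        return False, "too short"
    try:
        n = breach_count(password, fetch_range)
    except Exception:  # network / parse failure
        if fail_closed:
            return False, "lookup unavailable"
        return True, "lookup unavailable, accepted"
    if n > 0:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


# ---- constructed fixture standing in for the network call -----------------
_KNOWN_PREFIX, _KNOWN_SUFFIX = sha1_prefix_suffix("password")


def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for fetch_range_live (not real HIBP data).
    Mimics the CRLF line format and includes count-0 entries of the kind
    Add-Padding produces; the count for 'password' is made up."""
    lines = ["0" * 35 + ":0", "F" * 34 + "1:0"]
    if prefix == _KNOWN_PREFIX:
        lines.insert(1, f"{_KNOWN_SUFFIX}:3861493")
    return "\r\n".join(lines) + "\r\n"


def failing_fetch(prefix: str) -> str:
    """Simulates the lookup service being unreachable."""
    raise OSError("network down")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7Q"):
        print(pw, "->", signup_password_ok(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_live` to run it against the real service; because only the five-character prefix is transmitted, the candidate password itself is never sent.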