• fkn@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    I would trust most government instances more than most of the private instances. Would I trust them not to harvest all of that info? Absolutely not. Would I trust them to not masquerade as me? Way more. Governments have way more to lose by being caught.

    • JustinAngel@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      I’ve spent quite a bit of time as a penetration tester and one of the first things we do once we recover credentials is check for validity against online accounts known to be good for a given user. We do that because it simulates attackers and government operators alike. It’s a guarantee that free credentials will be abused in one manner or another when they’re available to government entities.

      The obvious control for this is to maintain a unique password for each account but that’s not always feasible for users due to myriad conditions.