Agreed, but we have to trust the instances we keep accounts on. Trust is subjective, but I certainly wouldn't trust a government ran instance for anything other than an outlet for information originating from the owning government.
If I run a private instance or know the maintainer of another, then I can have greater confidence in the security/privacy implementations.
I would trust most government instances more than most of the private instances. Would I trust them not to harvest all of that info? Absolutely not. Would I trust them to not masquerade as me? Way more. Governments have way more to lose by being caught.
I've spent quite a bit of time as a penetration tester and one of the first things we do once we recover credentials is check for validity against online accounts known to be good for a given user. We do that because it simulates attackers and government operators alike. It's a guarantee that free credentials will be abused in one manner or another when they're available to government entities.
The obvious control for this is to maintain a unique password for each account but that's not always feasible for users due to myriad conditions.
I didn't say they wouldn't be abused. I said they wouldn't be impersonated.
Agreed, but we have to trust the instances we keep accounts on. Trust is subjective, but I certainly wouldn't trust a government ran instance for anything other than an outlet for information originating from the owning government.
If I run a private instance or know the maintainer of another, then I can have greater confidence in the security/privacy implementations.
I would trust most government instances more than most of the private instances. Would I trust them not to harvest all of that info? Absolutely not. Would I trust them to not masquerade as me? Way more. Governments have way more to lose by being caught.
I've spent quite a bit of time as a penetration tester and one of the first things we do once we recover credentials is check for validity against online accounts known to be good for a given user. We do that because it simulates attackers and government operators alike. It's a guarantee that free credentials will be abused in one manner or another when they're available to government entities.
The obvious control for this is to maintain a unique password for each account but that's not always feasible for users due to myriad conditions.
I didn't say they wouldn't be abused. I said they wouldn't be impersonated.
Masquerading is literally the term used for this.
Exactly? I'm confused. Did you not understand my position?