There are ways to have passwords transmitted completely encrypted, but it involves hitting the backend for a challenge, then using that challenge to encrypt the password client side before sending. It still gets decrypted on the backend tho before hash and store.
And what is the token in the link?
But Google that high? I wouldn’t have expected as high considering Apple (another one who takes a cut of mobile gaming) isn’t.
Consider that a ‘username+password’ is much harder to ‘revoke’ individually. As in, you can have 3-4 API keys in use, and can revoke any one of them without having to change a password.
You can also change password independently of the keys, or have it linked so keys are revoked on a password change. It also allows traceability as to where accesses are coming from (auditability). If everything is using the same client-id+secret (or usn/pwd), you don’t know which ‘client’ is doing what.
It’s the sort of thing that makes me really, really sad for the people working there. That crazy breakneck pace cannot be good for mental health.
Did you only make it past the first paragraph? Cause you missed the years of scummy shit they’ve done, completely unrelated to politics.
Now install tools that are only available as github released binaries. And ensure that hashes match for that. Maybe install a tool that needs to be compiled.