« First « Previous Comments 24 - 63 of 85 Next » Last » Search these comments
@Patrick - I agree. Up it to 18 characters. Nobody memorizes their password here anyhow - they just have the browser remember it.
And the passwords here are 6 characters long. I know because the power off is at my place today and I sent my password to my phone so I didn't have to update it on my browser when I got home.
12 is now considered the minimum length.
Hircus says: Imagine a password that ends up in a log somewhere, and a sysadmin happens upon it a few months later. Or a disgruntled employee who leaves the company, and is now willing to sell the password that they never change.
In these two examples log santization and a policy that immediately locks an ex-employee out are better practices, and really essential to running a secure business. Forced password update is not a good fallback for either of these.
So this is an issue with password complexity
Also, 2FA is complete bullshit. ... and has zero security applications what-so-ever.
No, it is not. Yet another scenario you have not considered. If the password is compromised, possibly not yet realized, it doesn't matter if the password is 5 billion characters long.
Passwords are stored with "salt" on any system worth a damn.
Really, I think the salt should change on each login, and that's possible to do - this prevents a replay attack.
Agreed if you're hardcore. Most people want convenience and aren't willing to go that far, so that's why Lastpass works great because people will actually use it and have the backup data built in.
How could you identify passwords in logfiles with certainty, so as to "sanitize" the logfile?
but you ain't logging in to my account without texting me or me inputting the random generated code every 30 seconds to log in.
Also, 2FA is complete bullshit. It's implemented as a way to issue in a global Id and tracking system, and has zero security applications what-so-ever.
Try browsing the security subs on reddit. 2FA is the lazy man's security, and absolutely is being leveraged to create a digital ID to track everything you fucking do. Have we learned nothing from the last two years?
My system isn’t foolproof, but you’d need to first access my password protected phone to get my other passwords.
The key word here is it's "stored" hashed and salted. But the password is still typed or entered as plain text, and often transmitted plain text as well (albeit usually in an encrypted tls/ssl tunnel), allowing the plain text pw to still be compromised.
Not all 2FA is the same!
i kind of miss picking a password
There's NOTHING you can do to stop insiders from looking at your info. Nothing.
Haven't ever had a hack on my CC's with close to 20 cards and a couple hundred thousand in credit lines. I'm a perfect target. Nothing.
This obsession with privacy makes me think you're doing illegal things. There's really no reason to have such a hard on for it. Time is money and you're wasting it on something that is a net negative to your bottom line.... being paranoid.
I use pre-paid cards for almost all online purchases now.
Your wish has been granted. The profile page now has a place to put in a new password.
where do you get these pre-paid cards? What is the cost to use them?
My first reaction to reading that is "you don't know what the fuck you're talking about".
But you're right. I was certain that Apache's dialogue box accepted a hashed password that was generated on the client. It doesn't, the password is sent in the clear - I just checked.
Apache's dialogue box
Hircus says: How could you identify passwords in logfiles with certainty, so as to "sanitize" the logfile?
Dude, this is literally a CISA requirement. Had to test this for a former employer, and had to implement it to keep sensitive creds from showing up in our test logs. That you would even say this tells me you don't have the experience to weigh in here.
First it was strawman arguments.
Now it's ad hominem. You try to discredit me instead of debating my point (because you can't identify passwords in logfiles with certainty).
I live and breathe cybersecurity. It's my job.
Just because you don't understand the argument, doesn't make it invalid or insulting. It just means you're in over your head, so maybe try a little humility. Masking creds is so common, rather than asking me for my personal experience, you can easily find a hundred examples online. But yes, I did mask sensitive creds, and I will again. Logs are programmed to detail specific data events, they're not random dumps of meaningless combinations of words. All you have to do is know the pattern that precedes the string you want to obfuscate.
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/foo.html?param1=val1&Param2=val2&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
But I think I'm wasting my time explaining this, as you don't give a fuck. You're too busy being arrogant.
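One way to do the pattern-based masking described in the comment above (strip credential-bearing query parameters from access-log lines), as an added example that is not from the thread or from patrick.net's own code; the sample log line is constructed from the one quoted above, and the list of sensitive parameter names is an assumption:

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample line modelled on the one quoted in the thread (not a real log).
SAMPLE_LOG = (
    '66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] '
    '"GET /news/foo.html?param1=val1&Param2=val2&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" '
    '404 177 "-" "Mozilla/5.0"'
)

# Hypothetical list of parameter names that carry credentials; matched case-insensitively.
SENSITIVE_PARAMS = {"p", "pass", "password", "passwd", "pwd", "token", "secret"}
MASK = "REDACTED"

# The quoted "METHOD target PROTO" request field of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def mask_query(target: str) -> str:
    """Return the request target with values of sensitive query params replaced by MASK."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, MASK if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    # Re-encoding normalises percent-escapes; the non-sensitive values are otherwise kept.
    return parts._replace(query=urlencode(masked)).geturl()


def sanitize_line(line: str) -> str:
    """Mask credentials inside the request field; everything else in the line is untouched."""
    def _sub(m: re.Match) -> str:
        return f'"{m.group("method")} {mask_query(m.group("target"))} {m.group("proto")}"'
    return REQUEST_RE.sub(_sub, line)


if __name__ == "__main__":
    print(sanitize_line(SAMPLE_LOG))
```

Masking like this is a backstop for logs that already exist; the stronger fix is to never put credentials in a query string, since they also land in browser history and Referer headers.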
And any decent security system should detect that the wrong password has been put in after a short number of tries. 3 to 5 tops!
The assumption you must ALWAYS make is that the attacker has the encrypted password file and the algorithms for it.
That's worst case - you always plan for worst case.
St@pWith1! these kinds of passwords.
IdLikeToBeUnderTheSea! instead. In an Octopus' Garden easy.
We were habituated to Hrd2ReCl but LandmineHasTakenMySight Or HerNameWasLolaSheWasAShowgirl Or ShineOnYouCrazyDiamond is sure easier to remember and faster to type and better.
porkchopexpress says: This isn’t my deep area of expertise, but what implementation language are you using?
I live and breathe cybersecurity. It's my job.
@porkchopexpress
Ah - found you. Besides OpenSSL, what do you suggest for a crypto library? I'm looking for AES256 and ECC public/private keypairs. I'm playing with the NaCl library:
https://libsodium.gitbook.io/doc/?source=patrick.net
But I'm running into an issue: for the public/private keypairs it generates for different things (Diffie–Hellman versus digital signatures, for example), I have to generate a completely new keypair rather than being able to reuse them. Got another library to suggest?
The worst is autogenerated passwords and you don't have easy access to change it.
Agreed. Long passphrases for ones you have to remember such as a vault or network password, but random generated at least 16 (I do 20) characters in a password manager for everything else because you won’t have to remember them. If the target system uses a good hash algo, they’ll never get cracked.
bm9XjoK#3nMG0cV0
This was a real password I had to use at one time. Which I always copied and pasted into the password box. I bet that's easier for a hacker to capture than figuring out the complex password.
My point is the more complex they make passwords, then the lazier the user will be to have that impossible password handy, and the easier it will be for the baddies to retrieve it for the users actions of storing it on a sticky note, or pasting the password from a file on their computer.
This isn’t my deep area of expertise, but what implementation language are you using?
Libgcrypt or crypto++ could be other options
I just did a light scan and nothing too concerning showed up.
@porkchopexpress If you have security advice for patrick.net, please let me know.
Please poke around and tell me if you can break in in any way.
And if anyone's interested I use Keepass, none of that cloud shit.