Comments 18 - 57 of 85
porkchopexpress says: I live and breathe cybersecurity. It's my job.
Then riddle me this:
Why don't webservers just have a different salt when a password is requested and store everything as a hash of the salt+password?
In this way, no password would ever be stored in the clear, even when it's set up, and having a website compromised wouldn't matter. Why isn't this just standard for web browsers?
SunnyvaleCA says: I really hate websites that force all sorts of complexity in passwords
I've never worked at a single company that really understands password security. They all force these bullshit rules on you, and the worst are the ones that make you periodically change your password, and it cannot match the last n passwords used. Because of stupidity like this my work passwords are always the weakest ones; too many useless rules.
Imagine a password that ends up in a log somewhere, and a sysadmin happens upon it a few months later. Or a disgruntled employee who leaves the company, and is now willing to sell the password that they never change.
Also, users hate to change passwords, and when you force them, they will resist, and will try to switch back and forth between 2 easy-to-remember passwords, if allowed. I.e. p@ssword1 and p@assword2.
porkchopexpress says: Agreed if you're hardcore. Most people want convenience and aren't willing to go that far, so that's why Lastpass works great because people will actually use it and have the backup data built in. Keepass is fine but you'll lose it all if you lose the device it's installed on.
That's why you have redundancy! My vault is backed up to my home server, and uses a USB key rather than a password to unlock. So fuck the rubber hose; if I smash my USBs, no one's getting those passwords.
porkchopexpress says: I suppose you could do that but it sounds like a complicated architecture. If you use a solid hashing algo with long passwords, it won't matter because they can't be cracked. Of course none of this matters if you're phished or you allow "pass the hash" attacks in your environment.
I live and breathe cybersecurity. It's my job.
Then riddle me this:
Why don't webservers just have a different salt when a password is requested and store everything as a hash of the salt+password?
In this way, no password would ever be stored in the clear, even when it's set up, and having a website compromised wouldn't matter. Why isn't this just standard for web browsers?
@Patrick - I agree. Up it to 18 characters. Nobody memorizes their password here anyhow - they just have the browser remember it.
And the passwords here are 6 characters long. I know because the power off is at my place today and I sent my password to my phone so I didn't have to update it on my browser when I got home.
12 is now considered the minimum length.
Hircus says: Imagine a password that ends up in a log somewhere, and a sysadmin happens upon it a few months later. Or a disgruntled employee who leaves the company, and is now willing to sell the password that they never change.
In these two examples log sanitization and a policy that immediately locks an ex-employee out are better practices, and really essential to running a secure business. Forced password update is not a good fallback for either of these.
So this is an issue with password complexity
Also, 2FA is complete bullshit. ... and has zero security applications whatsoever.
No, it is not. Yet another scenario you have not considered. If the password is compromised, possibly not yet realized, it doesn't matter if the password is 5 billion characters long.
Passwords are stored with "salt" on any system worth a damn.
Really, I think the salt should change on each login, and that's possible to do - this prevents a replay attack.
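The salted-storage scheme asked about above (store only hash(salt + password), never the password) is the standard practice the later comment alludes to. The example below is added here and is not code from any commenter; it assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count, a 16-byte random salt drawn per stored password, and a self-describing record format `algo$iters$salt$hash` of my own choosing. Note that the salt is fixed at enrolment: it cannot change on each login, because the server would then need the plaintext to recompute the hash, so replay protection comes from TLS or a challenge nonce rather than from the salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumption: PBKDF2-HMAC-SHA256; argon2id or scrypt
# are preferable where the library is available).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iters$salt$hash'.

    A fresh random salt is drawn for every stored password, so two users with
    the same password get different records and a precomputed table of
    hash(password) is useless against the stored data.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return f"{ALGO}${ITERATIONS}${_b64(salt)}${_b64(derived)}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    The iteration count is read back from the record, so a deployment can
    raise ITERATIONS later and still verify old records.
    """
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        salt = _unb64(salt_b64)
        expected = _unb64(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed login, never raise
    if algo != ALGO:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(derived, expected)


def same_password_different_records(password: str) -> bool:
    """True when two enrolments of one password produce distinct stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))
    print(verify_password(stored, "wrong"))
```

What the stored record shows a reader: a database dump yields only salt and hash, and the cost of each guess is set by the iteration count rather than by a single SHA-256 call, which is the property the "solid hashing algo with long passwords" comment relies on.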
Agreed if you're hardcore. Most people want convenience and aren't willing to go that far, so that's why Lastpass works great because people will actually use it and have the backup data built in.
How could you identify passwords in logfiles with certainty, so as to "sanitize" the logfile?
but you ain't logging in to my account without texting me or me inputting the randomly generated code every 30 seconds to log in.
Also, 2FA is complete bullshit. It's implemented as a way to issue in a global ID and tracking system, and has zero security applications whatsoever.
Try browsing the security subs on reddit. 2FA is the lazy man's security, and absolutely is being leveraged to create a digital ID to track everything you fucking do. Have we learned nothing from the last two years?
My system isn’t foolproof, but you’d need to first access my password protected phone to get my other passwords.
The key word here is it's "stored" hashed and salted. But the password is still typed or entered as plain text, and often transmitted as plain text as well (albeit usually in an encrypted TLS/SSL tunnel), allowing the plain text pw to still be compromised.
Not all 2FA is the same!
i kind of miss picking a password
There's NOTHING you can do to stop insiders from looking at your info. Nothing.
Haven't ever had a hack on my CC's with close to 20 cards and a couple hundred thousand in credit lines. I'm a perfect target. Nothing.
This obsession with privacy makes me think you're doing illegal things. There's really no reason to have such a hard on for it. Time is money and you're wasting it on something that is a net negative to your bottom line.... being paranoid.
I use pre-paid cards for almost all online purchases now.
Your wish has been granted. The profile page now has a place to put in a new password.
where do you get these pre-paid cards? What is the cost to use them?
My first reaction to reading that is "you don't know what the fuck you're talking about".
But you're right. I was certain that Apache's dialogue box accepted a hashed password that was generated on the client. It doesn't, the password is sent in the clear - I just checked.
Hircus says: How could you identify passwords in logfiles with certainty, so as to "sanitize" the logfile?
Dude, this is literally a CISA requirement. Had to test this for a former employer, and had to implement it to keep sensitive creds from showing up in our test logs. That you would even say this tells me you don't have the experience to weigh in here.
First it was strawman arguments.
Now it's ad hominem. You try to discredit me instead of debating my point (because you can't identify passwords in logfiles with certainty).
I live and breathe cybersecurity. It's my job.
Just because you don't understand the argument, doesn't make it invalid or insulting. It just means you're in over your head, so maybe try a little humility. Masking creds is so common, rather than asking me for my personal experience, you can easily find a hundred examples online. But yes, I did mask sensitive creds, and I will again. Logs are programmed to detail specific data events, they're not random dumps of meaningless combinations of words. All you have to do is know the pattern that precedes the string you want to obfuscate.
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/foo.html?param1=val1&Param2=val2&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
But I think I'm wasting my time explaining this, as you don't give a fuck. You're too busy being arrogant.
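The masking approach described above ("know the pattern that precedes the string you want to obfuscate") works because application logs have a fixed shape. The example below is added here and is not any commenter's code; it assumes a list of secret-bearing parameter names that I chose for illustration (a real deployment would take them from the application's own field names) and masks their values in both query-string and JSON-body form. The first sample line is the access-log line quoted in the comment; the other two are constructed.

```python
import re
from typing import Iterable, List

# Parameter names treated as secrets (assumption for this example).
SECRET_PARAMS = ("password", "passwd", "pwd", "pass", "p", "token", "secret")
_NAMES = "|".join(re.escape(n) for n in SECRET_PARAMS)

# Query-string form: '?p=VALUE' or '&p=VALUE'; the value ends at the next
# '&', whitespace, or closing quote of the request line.
_QUERY_RE = re.compile(r"(?P<prefix>[?&](?:%s)=)(?P<value>[^&\s\"]*)" % _NAMES, re.IGNORECASE)

# JSON-body form: "password": "VALUE" (as it appears in a logged request body).
_JSON_RE = re.compile(r"(?P<prefix>\"(?:%s)\"\s*:\s*\")(?P<value>[^\"]*)" % _NAMES, re.IGNORECASE)

MASK = "***"


def mask_secrets(line: str) -> str:
    """Replace the value following any known secret parameter with MASK."""
    line = _QUERY_RE.sub(lambda m: m.group("prefix") + MASK, line)
    line = _JSON_RE.sub(lambda m: m.group("prefix") + MASK, line)
    return line


def mask_log(lines: Iterable[str]) -> List[str]:
    """Sanitize a whole log; call this in the logging handler, before write."""
    return [mask_secrets(line) for line in lines]


# Sample input: line 1 is the access-log line quoted in the thread; lines 2
# and 3 are constructed for this example.
SAMPLE_LOG = [
    '66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/foo.html?param1=val1'
    '&Param2=val2&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" 404 177 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [06/Nov/2014:19:11:02 +0600] "POST /login HTTP/1.1" 200 52 '
    'body={"user": "bob", "password": "hunter2"}',
    '10.0.0.9 - - [06/Nov/2014:19:11:40 +0600] "GET /news?page=2 HTTP/1.1" 200 1024 "-" "curl/7.68"',
]


if __name__ == "__main__":
    for sanitized in mask_log(SAMPLE_LOG):
        print(sanitized)
```

The third sample line shows the edge case a pattern-based masker has to get right: `page=2` begins with `p` but is not the `p=` parameter, so it is left intact. Masking at write time is the safer order of operations; scrubbing after the fact still leaves the plaintext in backups and shipped copies for the window before the scrub runs.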
And any decent security system should detect that the wrong password has been entered after a short number of tries. 3 to 5 tops!
The assumption you must ALWAYS make is that the attacker has the encrypted password file and the algorithms for it.
That's worst case - you always plan for worst case.
St@pWith1! these kinds of passwords.
IdLikeToBeUnderTheSea! instead. In an Octopus' Garden easy.
We were habituated to Hrd2ReCl but LandmineHasTakenMySight or HerNameWasLolaSheWasAShowgirl or ShineOnYouCrazyDiamond is sure easier to remember and faster to type and better.
ShineOnYouCrazyDiamond is sure easier to remember and faster to type and better.
And if anyone's interested I use Keepass, none of that cloud shit.