« First « Previous Comments 44 - 83 of 85 Next » Last » Search these comments
Your wish has been granted. The profile page now has a place to put in a new password.
where do you get these pre-paid cards? What is the cost to use them?
My first reaction to reading that is "you don't know what the fuck you're talking about".
But you're right. I was certain that Apache's dialogue box accepted a hashed password that was generated on the client. It doesn't, the password is sent in the clear - I just checked.
Apache's dialogue box
Hircus says: How could you identify passwords in logfiles with certainty, so as to "sanitize" the logfile?
Dude, this is literally a CISA requirement. Had to test this for a former employer, and had to implement it to keep sensitive creds from showing up in our test logs. That you would even say this tells me you don't have the experience to weigh in here.
First it was strawman arguments.
Now it's ad hominem. You try to discredit me instead of debating my point (because you can't identify passwords in logfiles with certainty).
I live and breathe cybersecurity. It's my job.
Just because you don't understand the argument, doesn't make it invalid or insulting. It just means you're in over your head, so maybe try a little humility. Masking creds is so common, rather than asking me for my personal experience, you can easily find a hundred examples online. But yes, I did mask sensitive creds, and I will again. Logs are programmed to detail specific data events, they're not random dumps of meaningless combinations of words. All you have to do is know the pattern that precedes the string you want to obfuscate.
66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] "GET /news/foo.html?param1=val1&Param2=val2&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" 404 177 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
But I think I'm wasting my time explaining this, as you don't give a fuck. You're too busy being arrogant.
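A worked version of the "know the pattern that precedes the string" approach from the comment above, as an added example (not code from anyone in the thread): a small access-log sanitizer that masks the value of credential-bearing query parameters and of user:password pairs embedded in URLs. The parameter names in SENSITIVE_PARAMS and the sample log lines are constructed for the example.

```python
import re

# Constructed sample lines in the same shape as the access-log line quoted in the thread.
SAMPLE_LOG = (
    '66.249.65.159 - - [06/Nov/2014:19:10:38 +0600] '
    '"GET /news/foo.html?param1=val1&p=I_AM_A_PASSWORD&Param4=val4 HTTP/1.1" 404 177 "-" "Mozilla/5.0"'
)
SAMPLE_USERINFO_LOG = (
    '10.0.0.7 - - [06/Nov/2014:19:11:02 +0600] '
    '"GET http://alice:s3cret-Pw@example.test/api?mail=a@b.test HTTP/1.1" 200 51 "-" "curl/8.0"'
)

# Parameter names this example treats as credentials (an assumption; tune per application).
SENSITIVE_PARAMS = {"p", "password", "passwd", "pwd", "token", "api_key", "secret"}

# key=value pairs in a query string: the pair starts after '?' or '&' and the value ends
# at the next '&', a double quote, or whitespace (the end of the request-line URL).
_PARAM_RE = re.compile(r'([?&])([^=&\s"]+)=([^&\s"]*)')

# scheme://user:password@host - the password part excludes '/', so a host:port followed by
# a path (http://host:8080/x?mail=a@b) is not mistaken for credentials.
_USERINFO_RE = re.compile(r'(https?://[^/\s:@"]+:)[^@\s"/]+@')

def redact_query_params(line, sensitive=SENSITIVE_PARAMS, mask="[REDACTED]"):
    """Mask the value of every query parameter whose name is in `sensitive` (case-insensitive)."""
    def repl(match):
        sep, key, value = match.groups()
        if key.lower() in sensitive:
            return f"{sep}{key}={mask}"
        return match.group(0)
    return _PARAM_RE.sub(repl, line)

def redact_userinfo(line, mask="[REDACTED]"):
    """Mask the password in user:password@host URL authority components."""
    return _USERINFO_RE.sub(rf"\1{mask}@", line)

def sanitize_log_line(line):
    """Apply all redactions; the rest of the line (IP, timestamp, status, UA) is kept intact."""
    return redact_userinfo(redact_query_params(line))

if __name__ == "__main__":
    for raw in (SAMPLE_LOG, SAMPLE_USERINFO_LOG):
        print(sanitize_log_line(raw))
```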
And any decent security system should detect that the wrong password has been entered after a short number of tries. 3 to 5 tops!
The assumption you must ALWAYS make is that the attacker has the encrypted password file and the algorithms for it.
That's worst case - you always plan for worst case.
St@pWith1! these kinds of passwords.
IdLikeToBeUnderTheSea! instead. In an Octopus' Garden easy.
We were habituated to Hrd2ReCl but LandmineHasTakenMySight Or HerNameWasLolaSheWasAShowgirl Or ShineOnYouCrazyDiamond is sure easier to remember and faster to type and better.
ShineOnYouCrazyDiamond is sure easier to remember and faster to type and better.
porkchopexpress says: This isn’t my deep area of expertise, but what implementation language are you using?
I live and breathe cybersecurity. It's my job.
@porkchopexpress
Ah - found you. Besides OpenSSL, what do you suggest for a crypto library? I'm looking for AES256 and ECC public/private keypairs. I'm playing with the NaCL library:
https://libsodium.gitbook.io/doc/?source=patrick.net
But I'm running into an issue: for the keypairs it generates for different things (Diffie–Hellman versus digital signatures, for example) I have to generate a completely new keypair rather than being able to reuse them. Got another library to suggest?
The worse is autogenerated passwords and you don't have easy access to change it.
Agreed. Long passphrases for ones you have to remember such as a vault or network password, but random generated at least 16 (I do 20) characters in a password manager for everything else because you won’t have to remember them. If the target system uses a good hash algo, they’ll never get cracked.
bm9XjoK#3nMG0cV0
This was a real password I had to use at one time. Which I always copied and pasted into the password box. I bet that's easier for a hacker to capture than figuring out the complex password.
My point is the more complex they make passwords, then the lazier the user will be to have that impossible password handy, and the easier it will be for the baddies to retrieve it from the user's actions of storing it on a sticky note, or pasting the password from a file on their computer.
This isn’t my deep area of expertise, but what implementation language are you using?
Libgcrypt or crypto++ could be other options
I just did a light scan and nothing too concerning showed up.
@porkchopexpress If you have security advice for patrick.net, please let me know.
Please poke around and tell me if you can break in in any way.
That chart is useless and not true in most cases. Passwords are not hacked instantly or in a time, it's tries!
Tenpoundbass says: That chart is useless and not true in most cases. Passwords are not hacked instantly or in a time, it's tries!
Seems you've never heard of the re-authentication attack for wifi. I force all your devices off, then grab your WPA key when you log back in.
My point is the more complex they make passwords, then the lazier the user will be to have that impossible password handy, and the easier it will be for the baddies to retrieve it from the user's actions of storing it on a sticky note, or pasting the password from a file on their computer.
That's why companies need to have password manager subscriptions. Make it stupid simple for the users to create and save complex passwords without having to ever write them down or memorize them.
What they will do is get a list of users, set up a bot farm, and run a dictionary against every user in the list.
How does that work when after three tries the account is locked out?
FWIW I am using the exact same password I created for my very first Windows 95 machine and used to sign up for AOL in 1996.
It has never been compromised.
I'm just pointing out that security is 99.999% not getting a phishing attack.
So true. Over 90% of successful cyber attacks involve some sort of social engineering (e.g., phishing) because it works.
HeadSet says: How does that work when after three tries the account is locked out?
Maybe not the best example, but the point is, the attack will be much broader than a single user, and weak password requirements mean less guesses before getting a match.
I don't even use a recognizable username on my machine, much less a common password, and "root" is disabled by default.
My point is the more complex they make passwords, then the lazier the user will be to have that impossible password handy, and the easier it will be for the baddies to retrieve it from the user's actions of storing it on a sticky note, or pasting the password from a file on their computer.
<script>code</script> or
<a onclick="...code..."></a> you can easily and robustly thwart most xss vectors and sinks. CSP can potentially be very powerful against xss if you don't mind writing your code in certain ways, such as putting all js in .js files. CSP can support allowing you to use inline script tags safely if you tag each with a random-per-page-load nonce or with a checksum of the code contents.
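The nonce and checksum mechanisms the comment above describes, as an added example (not patrick.net's code): a helper that mints a per-page-load nonce, computes the CSP `sha256-...` token for an inline script body, builds a `script-src` policy from them, and reports which inline scripts in a constructed HTML fragment that policy would block. The HTML fragment and function names are this example's own.

```python
import base64
import hashlib
import re
import secrets

def csp_nonce():
    """Fresh, unguessable nonce; generate one per page load and never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def csp_hash(script_source):
    """CSP hash-source for one inline script: base64(SHA-256) of the exact script body."""
    digest = hashlib.sha256(script_source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode()

def build_script_src(nonce=None, hashes=()):
    """Build a script-src directive: external scripts from 'self', inline only via nonce/hash."""
    sources = ["'self'"]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(f"'{h}'" for h in hashes)
    return "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'none'"

_SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
_HANDLER_RE = re.compile(r"\son\w+\s*=", re.I)

def blocked_inline_scripts(html, nonce, allowed_hashes=()):
    """Inline <script> bodies that carry neither the page nonce nor an allow-listed hash."""
    blocked = []
    for attrs, body in _SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue  # external script; governed by the 'self' host-source instead
        if f'nonce="{nonce}"' in attrs or csp_hash(body) in allowed_hashes:
            continue
        blocked.append(body)
    return blocked

def count_inline_handlers(html):
    """onclick= and friends are blocked by a nonce/hash script-src regardless of their content."""
    return len(_HANDLER_RE.findall(html))

# Constructed page: one nonce-tagged script, one hash-allow-listed script, one injected script.
NONCE = csp_nonce()
TRUSTED_INLINE = "init();"
PAGE = (
    f'<script nonce="{NONCE}">app.start();</script>'
    f"<script>{TRUSTED_INLINE}</script>"
    '<script src="/static/app.js"></script>'
    "<script>stealCookies();</script>"
    '<a onclick="stealCookies()">x</a>'
)
POLICY = build_script_src(NONCE, [csp_hash(TRUSTED_INLINE)])
```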
It's true, you can make a very strong password with just lowercase. But that's not the point - the policy is used because SOME users will create weak passwords if the system lets them type it in
And if anyone's interested I use Keepass, none of that cloud shit.