|
shrughes posted:What? Where did they find the "MD5 of your password" field? It was stored in your session cookie. Also this might've been IPB not PHPBB. The details are fuzzy.
|
# ? Aug 4, 2010 01:59 |
|
|
# ? May 14, 2024 05:12 |
|
Ugg boots posted:It was stored in your session cookie. Also this might've been IPB not PHPBB. The details are fuzzy. Probably some varient of apache's AuthTkt, which stores a hashed user identifier in a cookie. Of course, you're supposed to use salt, for christs sake.
|
# ? Aug 4, 2010 03:08 |
|
shrughes posted:And MD5, or SHA-X, would be the wrong things to use. Sadly it's not that big of a step up from plain text. I've been using this neat Java library that applies the hash algorithm x times and uses salts. http://www.jasypt.org/howtoencryptuserpasswords.html
|
# ? Aug 4, 2010 04:11 |
|
For gently caress's sake, why can't people figure out password digests? Just use a decent-sized nonce and SHA-anything and all the computing power in the universe won't be able to break them. Adding iterations won't do anything, especially not such a small number as 1000. If you're really worried about somebody with warehouse full of FPGAs trying to crack the user tables for your pokemon forums, use something nice and space-intensive like scrypt. Space-intensive algorithms are orders of magnitude more expensive to break than time-intensive algos. TOO SCSI FOR MY CAT fucked around with this message at 03:46 on Aug 5, 2010 |
# ? Aug 4, 2010 05:55 |
|
What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account?
|
# ? Aug 4, 2010 06:36 |
|
tractor fanatic posted:What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account? A surprisingly large number of people will use their email password on forums. If any passwords can be reversed from that forum's user table, attackers can test it against 1) the account's email contact and 2) accounts on other sites with the same username. Most sites allow "forgot my password" emails, so once an attacker enters your email it's all over. TOO SCSI FOR MY CAT fucked around with this message at 07:03 on Aug 4, 2010 |
# ? Aug 4, 2010 07:01 |
|
tractor fanatic posted:What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account? I think the sign up process for a web site should be along the lines of: Please enter your e-mail address: Please enter your password: Enter password again: [Please wait...] For your convience, we have used your password to log into your facebook account and automatically signed you up for our Facebook group. Also, we have logged into your webmail account and set ourselves as a contact so our e-mails won't be marked as spam. Thank-you.
|
# ? Aug 4, 2010 07:03 |
|
Janin posted:Space-intensive algorithms are orders of magnitude more expensive to break than time-intensive algos. Well, to be precise, spacetime-intensive algorithms.
|
# ? Aug 4, 2010 07:05 |
|
Janin posted:Yes Is there then generally any protection from eavesdroppers stealing a password digest and gaining access to a user's anime forum account? That is, is there a unique session salt also sent along with the unique user salt?
|
# ? Aug 4, 2010 07:15 |
|
shrughes posted:Well, to be precise, spacetime-intensive algorithms. Time complexity is a measure of how many calculations must be performed to solve an algorithm. Space complexity is a measure of how many intermediate results must be stored at once to solve an algorithm. Calculation engines (CPUs, GPUs, FPGAs) are relatively easy to make more powerful, by inventing smaller transistors, more efficient cooling mechanisms, and specialised circuits. It can be scaled easily by dividing the solution space and testing each subsection in parallel. Consider this: you have a choice between making an algorithm take 1,000,000,000x more CPU time, or 1,000,000,000x more storage. Lets say it starts at 1ms and 100KiB. Increased CPU means it will take 1000000 seconds, or about a week and a half, to break. This is easily parallelized -- with 100 devices, you can expect a crack in just under 3 hours. Stuff a warehouse full, and it's done in seconds. Increased storage means it will take about 93GiB. You can't parallelize storage, so that's 93GiB **per device**. tractor fanatic posted:Is there then generally any protection from eavesdroppers stealing a password digest and gaining access to a user's anime forum account? That is, is there a unique session salt also sent along with the unique user salt? 1. User opens the login screen. The login screen is encrypted, using TLS (aka HTTPS) 2. User enters password. This is sent, encrypted, to the server. 3. Server performs SHA1(server nonce + user nonce + submitted text), compares it to the stored digest, and either creates a session or refuses the login 4. The session ID is sent to the user, and is used for all further authentication when browsing. If further browsing is unencrypted, then it's possible for an attacker to intercept the user's session ID and impersonate them. However, this requires either expensive technology or physical proximity to the victim. Furthermore, the user can end the attack by logging out (which deletes their session). TOO SCSI FOR MY CAT fucked around with this message at 03:46 on Aug 5, 2010 |
# ? Aug 4, 2010 07:30 |
|
Janin posted:Properly designed software never sends the user's password digest. What should happen is: I see, thanks. Also, I think by "space-time" he meant that the time complexity would have a factor at least a linear multiple of the space complexity, so that space complexity would create time complexity as well.
|
# ? Aug 4, 2010 07:56 |
|
Janin posted:Consider this: you have a choice between making an algorithm take 1,000,000,000x more CPU time, or 1,000,000,000x more storage. Lets say it starts at 1ms and 100KiB. So just expanding storage requirements, it takes 93GiB of storage, and 1ms, to break. That's very affordable. The reason to expand in storage is because attacking a function in hardware can be much more efficient than computing it on a general purpose CPU, but if you require lots of space, the attacker has to use the same kind of general purpose memory that you use. Edit: Specifically, it means the attacker can only use a fraction of his hardware for computation at any given time, instead of streaming everything through a pipeline. shrughes fucked around with this message at 08:38 on Aug 4, 2010 |
# ? Aug 4, 2010 08:33 |
|
tractor fanatic posted:Also, I think by "space-time" he meant that the time complexity would have a factor at least a linear multiple of the space complexity, so that space complexity would create time complexity as well. This thread never fails to deliver.
|
# ? Aug 4, 2010 08:35 |
|
floWenoL posted:This thread never fails to deliver. welp, didn't think I'd be wrong about that, but I'm not a computer scientist. If the space complexity is say, n^2, wouldn't you need at least n^2 time to generate all the data you are storing?
|
# ? Aug 4, 2010 08:38 |
|
tractor fanatic posted:welp, didn't think I'd be wrong about that, but I'm not a computer scientist. If the space complexity is say, n^2, wouldn't you need n^2 time to generate each datum you are storing? Yes, but I just happened not to be referring to that effect, I was just referring to space * time, whatever the source of those values might be. Edit: also, you said "linear multiple" when you meant "constant multiple".. or something. shrughes fucked around with this message at 08:43 on Aug 4, 2010 |
# ? Aug 4, 2010 08:39 |
|
shrughes posted:Yes, but I just happened not to be referring to that effect, I was just referring to space * time, whatever the source of those values might be. Edit: also, you said "linear multiple" when you meant "constant multiple".. or something. Yeah I should have just said, "time complexity is at least as big as space complexity".
|
# ? Aug 4, 2010 08:56 |
|
Well, this directory exists so someone... /sbcimp/run/perl/32-bit/old/do_not_delete/perl3/ Edit: I changed the do_not_delete to do_not_use, let's see who notices! baquerd fucked around with this message at 10:19 on Aug 4, 2010 |
# ? Aug 4, 2010 10:14 |
|
shrughes posted:And MD5, or SHA-X, would be the wrong things to use. Wrong thing to use for what? You telling me my /etc/shadow is not in SHA 512 when it starts with $6$? MD5 maybe weak, but it is still very usable. We can generate collisions for SHA1 but it is not trivial. Depending on risk level, it may still be exceptable? Obviously, you need to salt the password properly so that the same password doesn't end up the same storage for all users. I was leaving out actually sending the password which is where we would have to get into a DH key exchange. HFX fucked around with this message at 19:06 on Aug 4, 2010 |
# ? Aug 4, 2010 17:55 |
|
HFX posted:Wrong thing to use for what? You telling me my /etc/shadow is not in SHA 512 when it starts with $6$? That's right. When it starts with $6$ the output consists of 5000 rounds of some unnecessarily baroque scheme that inputs the results from past rounds of computation into SHA-512.
|
# ? Aug 4, 2010 19:39 |
|
Janin posted:FGPA You've used this acronym twice, but do you really mean FPGA or is it a new acronym?
|
# ? Aug 5, 2010 02:37 |
|
TRex EaterofCars posted:You've used this acronym twice, but do you really mean FPGA or is it a new acronym?
|
# ? Aug 5, 2010 03:45 |
|
loving up more, quote is not edit; I am literally retarded IRL
|
# ? Aug 5, 2010 03:46 |
|
Janin posted:no, that's just me typoing, sorry. I mean FGP---loving drat it, FPGA read it as: Field-programmable gate array, so no worries anyway
|
# ? Aug 5, 2010 22:15 |
|
Ban four letter acronyms now!
|
# ? Aug 5, 2010 22:24 |
|
ymgve posted:Ban four letter acronyms now! Acronyms in variable/function/class names piss me off too. I would rather have verbose names that are very descriptive than have to remember particular shortening of it. Although there is something to be said about long names that are still loving confusing and too long.
|
# ? Aug 5, 2010 22:27 |
|
Crazy RRRussian posted:Acronyms in variable/function/class names piss me off too. I would rather have verbose names that are very descriptive than have to remember particular shortening of it. Although there is something to be said about long names that are still loving confusing and too long. It really depends on the acronym, TBH. Certainly, I would hate to see a HyperTextMarkupLanguageParser class.
|
# ? Aug 6, 2010 01:47 |
|
Crazy RRRussian posted:Although there is something to be said about long names that are still loving confusing and too long.
|
# ? Aug 6, 2010 02:26 |
|
I've never seen anything top the quicktime SDK for obfuscating verboseness:code:
|
# ? Aug 6, 2010 03:03 |
|
Those aren't even good or descriptive. And one of the variables has the word Audio in it, twice. Sorry, three times.
|
# ? Aug 6, 2010 03:55 |
|
tripwire posted:Those aren't even good or descriptive.
|
# ? Aug 6, 2010 13:51 |
|
tripwire posted:Java Babey!!!! To be fair, most of the naming convention for the standard java library are intuitive and strike good balance between too long and not descriptive at all. Crazy RRRussian fucked around with this message at 05:04 on Aug 7, 2010 |
# ? Aug 7, 2010 04:54 |
|
So it turns out that Cake Poker, a fairly major poker site, was using XOR encryption on everything and was found to have a couple of possible unaccounted for superusers on its site. When pressured about this issue, they advised players to make sure to only use wireless networks with WEP.
|
# ? Aug 12, 2010 02:14 |
|
Found this one today.code:
|
# ? Aug 12, 2010 15:43 |
|
I dont see how that's particularly bad i mean sure that shouldn't go live.
|
# ? Aug 12, 2010 18:27 |
|
Sprawl posted:I dont see how that's particularly bad i mean sure that shouldn't go live. Sure it's not "bad", but it's still retarded. Vector.addElement shouldn't ever throw an exception. That method really should just be: code:
code:
|
# ? Aug 12, 2010 18:38 |
|
BigRedDot posted:You gotta be sure. Speaking of which, I had to integrate some stuff to a library where the methods names could change while the general boilerplate patterns were identical, and I did some analysis and found it's basically a query language in its idioms and dataflow model. Turns out it was taking a SQL database schema and generating methods according to the schema as it walked the tree and presented that to me as a client-side library. I had created a declarative language for query data to perform the integration, so basically here's what it did in the end: 1. I parse user inputs, which I defined as a declarative query language with hierarchical elements that looked a lot like CSS 2. I generate intermediate code to walk library and object graph of the API as compile-time validation (well, pre-processed because by definition it couldn't be compiled in our system - we had no choice but to do dynamic, but I could have easily converted to a compiled language) 3. Client-side library turns it into SOAP under the covers 4. Receiving server turns SOAP into its own intermediate language to move between a procedural library it exposed to a query language 5. Turned it into different SQL variants depending upon db backing The language I wrote up is apparently the only one that can handle all cases of customizations to the database schema because it's dynamic, and almost everyone that uses the server-side software has custom Java code written by consultants at $250+ / hr because nobody hires full-time developers to do this poo poo in reality. I've gotta get out of enterprise software somehow
|
# ? Aug 12, 2010 18:40 |
|
dancavallaro posted:Sure it's not "bad", but it's still retarded. Vector.addElement shouldn't ever throw an exception. That method really should just be: Well the Vector could have a size limit a la. code:
|
# ? Aug 12, 2010 18:45 |
|
Sprawl posted:Well the Vector could have a size limit a la. A Vector is a growable array. If you use the Vector(int) constructor, you're just specifying the initial capacity, but it will still grow if you add elements to it beyond that. Vector.addElement should never throw an exception.
|
# ? Aug 12, 2010 18:47 |
|
Technically it can if you run out of memory.
|
# ? Aug 12, 2010 18:52 |
|
|
# ? May 14, 2024 05:12 |
|
rjmccall posted:Technically it can if you run out of memory. Don't tell that to whoever wrote that code, because he'll wrap every single line in his program with code:
|
# ? Aug 12, 2010 18:57 |