|
Blue Footed Booby posted:It's incredibly frustrating when sites won't let you specify a custom security question, and then only provide poo poo like "what is your mother's maiden name" that's trivial to find out for anyone whose extended family is on Facebook. I answer these questions by just randomly generating passwords using a password manager, but I figure if someone was determined to get into my account and they called in and answered "what is your mother's maiden name" with "i can't remember, it's just a bunch of random letters", whoever they were talking to would let them in more often than not.
|
#
?
Oct 21, 2014 03:03
|
|
|
|
| # ? Jun 8, 2024 03:11 |
|
|
Banks also don't want to make it too hard to access your money. "That time my flight out of Sevastopol was cancelled and I got stranded in a goddamn war zone because they locked my card when I tried to buy a train ticket and wouldn't unlock it after calling them" is going to cost a liver transplant or three for the PR department.
|
|
#
?
Oct 21, 2014 03:10
|
|
|
When I first created a Vanguard account, years ago, their passwords had to be exactly 10 characters long with at least one special character Now their passwords can be longer than 10 characters, but they can't have any special characters  I also have a bank account password that won't let you have sequential letters or numbers. So your password can't include "567" or "abc" or whatever. This means your password can't include any words with sequential letters such as "define" or "nope" QuarkJets fucked around with this message at 06:07 on Oct 21, 2014 |
|
#
?
Oct 21, 2014 06:04
|
|
|
Bonfire Lit posted:Also Blizzard probably saves a lot more money on not having their CS agents explain to people what the caps lock key does than they have to spend on restoring accounts that were hacked because the password was case insensitive. I dont play wow anymore. But since i stopped playing my account was hacked - even though i have the 2 factor auth and someone apparently hacked my account and logged in from china.... WTF!!!!! how????
|
|
#
?
Oct 21, 2014 07:08
|
|
|
Centripetal Horse posted:I have a friend who I occasionally work with on programming projects. He is the worst array-abuser I have ever seen in my life. There is no programming challenge that he does not solve by cramming arrays into other arrays. Half the time, I can't even find the logic portion of his programming, and it looks like the arrays are magically making things happen. When we first worked together, I ribbed him about it, because I thought it was a one-off thing, where our thought processes just worked a bit differently. Nope. It's every block of code he writes in any language to solve any problem. I used to write code a bit like this (but less extreme), but I've grown out of it. I don't think I ever used ++ or -- operators within multiply nested arrays though. Actually, I don't think those operators should be combined with other operators in the same statement at all.
|
|
#
?
Oct 21, 2014 15:20
|
|
|
Here's some choice Node.js I ran into at work today:code:I feel bad for the dev because he's a .NET guy forced into working on Node.js, but drat... The commit message is simply "edit smart things." e: It's not really called "things" in the code, that's my own edit for this post. Mogomra fucked around with this message at 16:02 on Oct 21, 2014 |
|
#
?
Oct 21, 2014 15:58
|
|
|
QuarkJets posted:This means your password can't include any words with sequential letters such as "define" or "nope" Well that doesn't seem like a huge restriction seeing as you shouldn't be using words in your password
|
|
#
?
Oct 21, 2014 17:27
|
|
|
Dessert Rose posted:Well that doesn't seem like a huge restriction seeing as you shouldn't be using words in your password Wasn't this kind of debunked a while back? Like just having tons of characters is really your best bet because it makes it hard to brute force. chickentomorrowfastpalpablebarnyard vs 7fhv73
|
|
#
?
Oct 21, 2014 18:05
|
|
|
There's two sides, length reduces vulnerability to brute forcing by character, as in try a, b, c, d, e etc etc. That said brute forcing typically doesn't do that as a first pass. They take dictionaries of common words, common manglings (zeros for o, ones for I, etc) and brute force with the dictionary stuff. Word permutations would be vulnerable against that style of brute forcing, provided correct spelling that means 6 words to guess. The thing about passwords is nothing is ever 'debunked'. Its about social engineering as much as it is about cryptography, knowing the passwords people use is the biggest source of correct guesses, now that rainbow tables are less useful due to per user salting (not that everyone does this yet). Password theft moves with the times, and the security approaches people use. If you use anything but pure randomness you password may be guessable by a brute force algorithm using dictionaries as a source. That is especially true if your method of creating passwords lines up with common wisdom of the time. That said though, vulnerability requires the ability to brute force, which either means a major password database theft or a poorly secured API endpoint (that let's you constantly retry authentication). Provided you don't have a single golden password available on someone's service (as in, its local only, maybe for accessing your password locker) you are unlikely to lose the primary password to all your other passwords, and can just change the passwords that get compromised on demand. Maluco Marinero fucked around with this message at 19:09 on Oct 21, 2014 |
|
#
?
Oct 21, 2014 19:02
|
|
|
Outside of infrequent spearfishing types of attacks, the shared password problem is IMO the only one that's really economically interesting to use as an attacker. (In spearfishing cases, malware probably works well too.) Losing one password from a low-significance/low-security site is not a big deal. Losing a password from a high-significance/high-security site is unlikely and not worth making lifestyle decisions over as long as your password isn't bottom-5% stupid. Losing a password from a poo poo-tier site and that granting chaining to the email account you use for password resets is the thing that people should worry about. Exception: brute forcing of machine passwords with physical access is a thing, and can be pretty damaging.
|
|
#
?
Oct 21, 2014 19:34
|
|
|
Subjunctive posted:Losing a password from a poo poo-tier site and that granting chaining to the email account you use for password resets is the thing that people should worry about. Yep, ding ding ding. The big thing is to not reuse passwords, but then that basically means use a password manager and let it do the thinking for passwords.
|
|
#
?
Oct 21, 2014 19:59
|
|
|
Trying to label words and characters as good or bad is kind of missing the point. A random word has about as much entropy as two random characters. Mix and match freely until you have enough.
|
|
#
?
Oct 21, 2014 20:09
|
|
|
Maluco Marinero posted:Yep, ding ding ding. The big thing is to not reuse passwords, but then that basically means use a password manager and let it do the thinking for passwords. Or write them in a loving book. Anyone who gets into my house already has my checkbook, financial records, and the entire computer. Once that happens you're hosed anyway, so why memorize anything you don't need when outside your home (edit: aside from the one for your main email account)? Also, use the same password for all the poo poo tier stuff. Oh nooo, they compromised all the mmo trial accounts I don't remember creating! 
Blue Footed Booby fucked around with this message at 21:00 on Oct 21, 2014 |
|
#
?
Oct 21, 2014 20:57
|
|
|
Blue Footed Booby posted:Or write them in a loving book. Anyone who gets into my house already has my checkbook, financial records, and the entire computer. Once that happens you're hosed anyway, so why memorize anything you don't need when outside your home (edit: aside from the one for your main email account)? I'll just copy/paste my password right off this piece of paper. brb
|
|
#
?
Oct 21, 2014 21:26
|
|
|
Dessert Rose posted:Well that doesn't seem like a huge restriction seeing as you shouldn't be using words in your password There's nothing wrong with using a word in your password. Even if you use randomly generated strings of alphanumeric characters there's a decent chance that you'll wind up with at least 3 sequential characters. It's a stupid rule to impose
|
|
#
?
Oct 21, 2014 21:41
|
|
|
Or just hide it in plain sight: export PS1="(\!)[\u@\h:\w]\$ " (Note: This is probably a bad idea)
|
|
#
?
Oct 21, 2014 21:44
|
|
|
I seem to recall someone (in here?) relating a story about a fairly important service having a 4 digit pin code for login, and you were not allowed to have sequential numbers (at all) or repreated numbers (at all), totally choking all but the last vestiges of entropy out of that paltry little sequence, for the sake of increasing it. Like 3658 and 1774 would be forbidden because 65 are sequential and 77 is a repeat. Hey. You. Stop doing security, right now. Step away from the company.
|
|
#
?
Oct 21, 2014 22:14
|
|
|
That system was actually 2-factor authentication, though. It was the card in addition to the pin number in your head. It also wasn't really possible to brute force due to the transaction speed of the pin check taking forever, and the bank would also lock the card after a certain number of attempts. So, in terms of meeting basic security criteria for a system it wasn't all that terrible. Users also generally liked it because remembering 4 numbers was pretty easy. There are a lot of well-meaning restrictions placed on password system by admins that don't fully understand what the hell their auth system is actually doing, though. As you stated, banning sequential and repeated characters removes entropy from the system and makes the problem space for brute forcing smaller. That's probably not a huge difference if you're doing 16-character case-sensitive with punctuation, but it can be a real big difference if it's 8 characters alphanumeric case insensitive.
|
|
#
?
Oct 22, 2014 00:36
|
|
|
We have a C++ binary and an HTML 5/Javascript app that are about to cover overlapping niches in the category of real-time display of live data. Cue clueless product owner suggesting we avoid duplication of effort by either having the C++ binary interpret the Javascript or the Javascript to call the C++ binary. Fortunately, I'm pretty sure I headed that one off at the pass. Yeah, it does suck that we have duplication of effort, but overall the apps fulfill different use cases and have different customers.
|
|
#
?
Oct 22, 2014 03:51
|
|
|
baquerd posted:We have a C++ binary and an HTML 5/Javascript app that are about to cover overlapping niches in the category of real-time display of live data. Cue clueless product owner suggesting we avoid duplication of effort by either having the C++ binary interpret the Javascript or the Javascript to call the C++ binary. Fortunately, I'm pretty sure I headed that one off at the pass. Emscripten?
|
|
#
?
Oct 22, 2014 03:57
|
|
|
baquerd posted:Cue clueless product owner suggesting we avoid duplication of effort by either having the C++ binary interpret the Javascript or the Javascript to call the C++ binary. Seems like the safest path is to start both workstreams.
|
|
#
?
Oct 22, 2014 03:59
|
|
|
Subjunctive posted:Emscripten? If you tell him about that, I'll find you, no matter what it takes. The Javascript app would take a week at most on its own to modify, if you add that crap, probably more like 6 months once all the dependency issues are worked out.
|
|
#
?
Oct 22, 2014 04:13
|
|
|
baquerd posted:If you tell him about that, I'll find you, no matter what it takes. The Javascript app would take a week at most on its own to modify, if you add that crap, probably more like 6 months once all the dependency issues are worked out. Nah, it's pretty easy. I think we use libjpeg as JS for client-side image resizing now. The ergonomics are pretty decent.
|
|
#
?
Oct 22, 2014 04:21
|
|
|
Subjunctive posted:Nah, it's pretty easy. I think we use libjpeg as JS for client-side image resizing now. The ergonomics are pretty decent. OK, saying I give you the benefit of the doubt, these aren't straightforward library functions I'm talking about, they're entirely different view models. The duplicated functionality is displaying a new type of event that is now shared between the two systems. Cross server requests would also come into play. Just take my word for it that even if Emscripten was the most seamless translator imaginable, there would be more side effects than would be worthwhile.
|
|
#
?
Oct 22, 2014 04:32
|
|
|
baquerd posted:OK, saying I give you the benefit of the doubt, these aren't straightforward library functions I'm talking about, they're entirely different view models. The duplicated functionality is displaying a new type of event that is now shared between the two systems. Cross server requests would also come into play. Just take my word for it that even if Emscripten was the most seamless translator imaginable, there would be more side effects than would be worthwhile. I don't know why you insist on contradicting the analysis that I, unburdened by facts, have generously provided.
|
|
#
?
Oct 22, 2014 04:38
|
|
|
Subjunctive posted:I don't know why you insist on contradicting the analysis that I, unburdened by facts, have generously provided. I didn't think those loving ergonomics were going to come into play, but now I see how things are. Do you even have a standing desk?
|
|
#
?
Oct 22, 2014 04:43
|
|
|
baquerd posted:I didn't think those loving ergonomics were going to come into play, but now I see how things are. Do you even have a standing desk? Motorized, baby.
|
|
#
?
Oct 22, 2014 04:50
|
|
|
Of course you should always use a password of ';drop table users;
|
|
#
?
Oct 22, 2014 08:11
|
|
|
Subjunctive posted:I think we use libjpeg as JS for client-side image resizing now.
|
|
#
?
Oct 22, 2014 09:08
|
|
|
Subjunctive posted:Nah, it's pretty easy. I think we use libjpeg as JS for client-side image resizing now. The ergonomics are pretty decent. gently caress you  , so that's why uploading pictures now pegs the CPU at 100% and makes my browser unusable 
|
|
#
?
Oct 22, 2014 09:30
|
|
|
Blue Footed Booby posted:Or write them in a loving book. Anyone who gets into my house already has my checkbook, financial records, and the entire computer. Once that happens you're hosed anyway, so why memorize anything you don't need when outside your home (edit: aside from the one for your main email account)? You're not hosed if someone steals your entire computer if you're using full disk encryption and the computer (assuming a laptop or other battery powered computer of some kind) is hibernating or powered off while unattended.
|
|
#
?
Oct 22, 2014 10:03
|
|
|
TheresaJayne posted:Of course you should always use a password of ';drop table users; I never understand why people don't just use ';drop database;--.
|
|
#
?
Oct 22, 2014 10:13
|
|
|
qntm posted:I never understand why people don't just use ';drop database;--. Well, you need* to know the name of the database, and it would be ';drop database databaseName;-- Whereas it's a reasonable bet that there might be a table called users or Users or user or some other variation. * Maybe this depends on the RDBMS, but based on a quick Google this is true at least for MySQL, PostgreSQL, and SQL Server.
|
|
#
?
Oct 22, 2014 13:25
|
|
|
Deus Rex posted:You're not hosed if someone steals your entire computer if you're using full disk encryption and the computer (assuming a laptop or other battery powered computer of some kind) is hibernating or powered off while unattended. You're also not hosed if the computer is embedded in a six ton block of iron. But I'm not doing that either.
|
|
#
?
Oct 22, 2014 14:51
|
|
|
Blue Footed Booby posted:You're also not hosed if the computer is embedded in a six ton block of iron. This is a valid point because doing this and full disk encryption are equally reasonable.
|
|
#
?
Oct 22, 2014 15:39
|
|
|
http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1017/DOC-330012A1.pdfFCC posted:Just before midnight on Wednesday, April 9, 2014, Pacific Daylight Time (PDT) a 911 call-routing facility in Englewood, Colorado, stopped directing emergency calls to eighty-one 911 call centers (Public Safety Answering Points or PSAPs) in seven states – California, Florida, Minnesota, North Carolina, Pennsylvania, South Carolina, and Washington. The outage was caused by a software coding error in the Colorado facility, and resulted in a loss of 911 service for more than 11 million people for up to six hours. Over 6,600 calls to 911 never reached a PSAP.
|
|
#
?
Oct 22, 2014 16:55
|
|
|
Steve French posted:This is a valid point because doing this and full disk encryption are equally reasonable. It's reasonable to use disk encryption but nobody does it
|
|
#
?
Oct 22, 2014 18:05
|
|
|
baquerd posted:We have a C++ binary and an HTML 5/Javascript app that are about to cover overlapping niches in the category of real-time display of live data. Cue clueless product owner suggesting we avoid duplication of effort by either having the C++ binary interpret the Javascript or the Javascript to call the C++ binary. Fortunately, I'm pretty sure I headed that one off at the pass. I hear some people have it worse: http://www.theguardian.com/technology/2014/jun/05/world-of-darkness-the-inside-story-mmo-ccp-white-wolf quote:Most of the sources spoken to for this piece identified the same problematic CCP manager, who had little vision for what the finished game would look like. (link stolen from SunAndSpring in Imp Zone)
|
|
#
?
Oct 22, 2014 18:21
|
|
|
Aleksei Vasiliev posted:http://transition.fcc.gov/Daily_Releases/Daily_Business/2014/db1017/DOC-330012A1.pdf Reality is more nuanced than that explanation, though. This error happened at the same time as another completely unrelated problem that also took down service elsewhere. Because the system throwing the error was not being monitored, the people doing the troubleshooting were operating under the assumption that both outages were due to the same root cause. When the cause of the other outage was fixed, and the 40M outage wasn't also fixed, that's the first time they were able to begin actually troubleshooting it. The lesson isn't just "don't put stupid limits on your identifiers," it's "monitor things that could have a limit" and "watch the drat logs, you idiots."
|
|
#
?
Oct 22, 2014 18:31
|
|
|
|
| # ? Jun 8, 2024 03:11 |
|
|
QuarkJets posted:It's reasonable to use disk encryption but nobody does it I do, and have for years.
|
|
#
?
Oct 22, 2014 19:11
|
|