  • Locked thread
Mustache Ride
Sep 11, 2001



hihifellow posted:

Password hashing is more disappointing than I thought it would be

Yes it is, but even with things like distributed rainbow tables and massive hash libraries, most attackers don't even bother with cracking hashes. There are too many hash formats in use, and the processing power required to break a hash is still too costly.

Most still rely on credential harvesting from live machines, and tools which require no breaking of hashes, but instead just people downloading malware onto a privileged machine.

http://youtu.be/BIlqWNpxIGY


Feline Mind Meld
Jun 14, 2007

I'm pretty creeped out

Weatherman posted:

How secure is keepass, and how secure are the PCs people are installing it on?

We have keyfobs that do the whole 2FA thing, why not a non-wireless capable fob that you can run keypass on? Only way to hack that is to have it. I guess that's fine until you lose it and the password to the fob is password.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!

Eldercain posted:

We have keyfobs that do the whole 2FA thing, why not a non-wireless capable fob that you can run keypass on? Only way to hack that is to have it. I guess that's fine until you lose it and the password to the fob is password.

Wait what, do you think token fobs are wireless somehow?

Feline Mind Meld
Jun 14, 2007

I'm pretty creeped out

deimos posted:

Wait what, do you think token fobs are wireless somehow?

No but since we're talking about them being secure let's not add that feature. People already getting their thermostats and poo poo broken into because why not add lovely wireless features!

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
Honestly a RFID which gives an RSA key in return is not that far fetched and would actually be useful. Especially when you're able to buy a universal RFID copier/generator from china for $20. We're not that far off from that, now. The tech currently relies on obscurity for security.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!

Bhodi posted:

Honestly a RFID which gives an RSA key in return is not that far fetched and would actually be useful. Especially when you're able to buy a universal RFID copier/generator from china for $20. We're not that far off from that, now. The tech currently relies on obscurity for security.

This would make for terrible TFA, all I'd have to do is sit near you with a high powered antenna and use poof goes TFA.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

deimos posted:

This would make for terrible TFA, all I'd have to do is sit near you with a high powered antenna and use poof goes TFA.

You could also punch me in the face and steal my token too. I am happy to defeat the vast majority of attackers who aren't going to put in the effort to single people out at Panera.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Eldercain posted:

No but since we're talking about them being secure let's not add that feature. People already getting their thermostats and poo poo broken into because why not add lovely wireless features!

Honestly, for the stats all the hacks required the user to be physically in front of it.

pr0digal
Sep 12, 2008

Alan Rickman Overdrive
Our core switch has telnet enabled :v:. All the password complexity in the world won't save you if poo poo is misconfigured.

Thanks external network engineer with "20 years of experience".

pr0digal fucked around with this message at 18:39 on Feb 10, 2015

Javid
Oct 21, 2004

:jpmf:
When you're using keepass or whatever with some six paragraph password with cuneiform and hieroglyphics in it, how hosed are you if you have to log into something from someone else's computer? This is a sticking point for me. I prefer to keep my passwords in my brain where I can access them anywhere and have yet to see a convincing reason to do otherwise.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I have the teamviewer client on a usb drive on my key ring in case I need to remote to my work PC to do actual admin work.

Inspector_666
Oct 7, 2003

benny with the good hair

Javid posted:

When you're using keepass or whatever with some six paragraph password with cuneiform and hieroglyphics in it, how hosed are you if you have to log into something from someone else's computer? This is a sticking point for me. I prefer to keep my passwords in my brain where I can access them anywhere and have yet to see a convincing reason to do otherwise.

This is why I used LastPass, but also, aside from maybe 3 different accounts, how often do you have to log in to accounts from strangers' computers?

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
I've got keepassdroid and read from the copy on my google drive to keep everything synced. I've never needed to log in somewhere and also been without my phone.

If I really needed, I could just copy over the binary TO my phone and use it as an external drive to launch the program.

Siochain
May 24, 2005

"can they get rid of any humans who are fans of shitheads like Kanye West, 50 Cent, or any other piece of crap "artist" who thinks they're all that?

And also get rid of anyone who has posted retarded shit on the internet."


Inspector_666 posted:

This is why I used LastPass, but also, aside from maybe 3 different accounts, how often do you have to log in to accounts from strangers' computers?

The better question is, how much do you trust their computer not to be a slathering infected pit of hell? I always travel with either my tablet or laptop, and if I can't login to whatever it is from them, I don't need to log in. I just 100% don't trust any system that's not mine.

Alliterate Addict
Jul 10, 2012

dreaming of that face again

it's bright and blue and shimmering

grinning wide and comforting me with it's three warm and wild eyes

Javid posted:

how hosed are you if you have to log into something from someone else's computer?

Honestly if you're asking that question you're probably hosed regardless. If you're in the "I'm too paranoid to use a password manager" category then you should be treating any passwords you're using on a random untrusted computer as far more likely to be compromised.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Internet went down thanks to our internet router thinking it was being ddos'ed by our internet firewall. Good effort, router :v:

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy
LastPass is so awesome and I don't know why everyone doesn't use it.

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
It's pretty great. You need to get your poo poo together if you aren't using that or keepass.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Javid posted:

When you're using keepass or whatever with some six paragraph password with cuneiform and hieroglyphics in it, how hosed are you if you have to log into something from someone else's computer? This is a sticking point for me. I prefer to keep my passwords in my brain where I can access them anywhere and have yet to see a convincing reason to do otherwise.

If you absolutely have to put in a password on an unknown system, there are clients for all major managers (Keepass, 1Password, LastPass) on all major smart devices (iOS, Android, WinPhone). You can sync manually or via most of the cloud storages (Dropbox, iCloud, OneDrive).

If you don't have a smartphone, a cheap iPod touch could be your mobile password vault. Hell, you can even use that for a lot of two-factor authentication apps, too.

nielsm
Jun 1, 2009



How will a password manager help me enter 24 characters of mixed case, digits and punctuation on the Windows logon screen?

Alliterate Addict
Jul 10, 2012

dreaming of that face again

it's bright and blue and shimmering

grinning wide and comforting me with it's three warm and wild eyes

nielsm posted:

How will a password manager help me enter 24 characters of mixed case, digits and punctuation on the Windows logon screen?

Step 1: Don't use 24 characters of mixed case digits and punctuation for a password you have to enter with regularity, unless you're good about memorization and muscle memory and don't have to change it every 30 days.

lampey
Mar 27, 2012

Javid posted:

When you're using keepass or whatever with some six paragraph password with cuneiform and hieroglyphics in it, how hosed are you if you have to log into something from someone else's computer? This is a sticking point for me. I prefer to keep my passwords in my brain where I can access them anywhere and have yet to see a convincing reason to do otherwise.

You can log into lastpass from a web browser.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

skooma512 posted:

Some E-waste came in. Manager was getting rid of old software.

Office 2000, Publisher, drivers....




HOLY poo poo MIDTOWN MADNESS 2 AND HALF OF A MECHWARRIOR GAME. :w00t:



OEMs were really generous with software back in the day. My first computer, a Packard Bell, had shitloads of freebies.

The old shareware licenses were pretty lenient about preloading stuff on machines. My Packard Bell came with a shitton of free stuff, 90% of the games were all shareware style 'if you like, send check or money order to:' registration pages.

This was also before AOL was really a thing, CompuServe still had Internet by the minute accounts, and those awesome telephone couplers for the old 9600 baud modems could be found in the ads section of computer magazines.

ilkhan
Oct 7, 2004

You'll be sorry you made fun of me when Daddy Donald jails all my posting enemies!
"Can you please add me to the address book on the printer?"
We have 3 main sites and a hundred remote users. I've never heard this dude's name before.
:facepalm:

Knormal
Nov 11, 2001

An email came in: "Hi, can you please install <website> on my computer? Also can you install the intra and internet on my computer too?" Then while I was talking to him to figure out what he really needed (which I'm sure everyone here can guess) he asked me how to open a blank Word document. Apparently he was confused by the pop-out recent documents list by the Word icon in the start menu and didn't realize he could just click on Word itself. He'd been opening recent documents, erasing everything in them, and saving them as a new file.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!
What convinced me Lastpass was great: Their response to heartbleed was to give you the list of your passwords on sites that were vulnerable to it, the last time you updated your password and when they stopped being vulnerable to heartbleed (and a convenient "should you change your password yes/no/maybe" column). I thought that was pretty neat.

mattfl
Aug 27, 2004

Knormal posted:

An email came in: "Hi, can you please install <website> on my computer? Also can you install the intra and internet on my computer too?" Then while I was talking to him to figure out what he really needed (which I'm sure everyone here can guess) he asked me how to open a blank Word document. Apparently he was confused by the pop-out recent documents list by the Word icon in the start menu and didn't realize he could just click on Word itself. He'd been opening recent documents, erasing everything in them, and saving them as a new file.

He's your new CTO or IT Director isn't he???

spiny
May 20, 2004

round and round and round

mattfl posted:

He's your new CTO or IT Director isn't he???

I will -never- forget a new IT manager starting at an ISP I used to work at back in the late '90s.
We had set up their desk with a desktop, monitor etc, but for some reason this person wanted to sit at the other end of the desk, so had moved all the equipment, then called us saying 'The PC won't start'
I rocked up expecting the old 'floppy disk in the drive' that foxed a lot of high earners, but no, this person had simply unplugged the monitor, keyboard and mouse, moved them to the other end of the desk and ... then called IT.

They were genuinely clueless that cables had to be connected in order to work.

This was the person in charge of my manager. At an ISP. They lasted a month as far as I can remember, no idea how they ever got hired.

Squatch Ambassador
Nov 12, 2008

What? Never seen a shaved Squatch before?
The passwords for a section of students got reset because someone accidentally ran a script they were testing on production. The passwords got set to their birth dates, which you'd think would be easy to explain to people and have them set a new password.

Except the affected section was trades students, as in welding, woodworking, etc., and after today I suspect some of them are functionally illiterate.

Some couldn't figure out how to enter their own birthdate in this country's standard date format, even after it was painstakingly explained to them.

Most had the usual trouble making a password that met the requirements, but that's not surprising. Several of them took around 30 minutes to make a new password that works, 1 took a full hour, and 1 I gave up on and manually set a simple password for.

The password requirements? At least 8 characters, one upper and lower case, one number, not your name, not one of your last 25 passwords.

Good news is my contract was extended and I'm moving from helpdesk to desktop support next week. :confuoot:

Japanese Dating Sim posted:

LastPass is so awesome and I don't know why everyone doesn't use it.

I love lastpass but my credit union actively blocks password managers on their web and mobile apps. This means my banking password is effectively one of my least secure, so that I can remember and type it on mobile in a reasonable amount of time.

Javid
Oct 21, 2004

:jpmf:

Hungry Computer posted:

I love lastpass but my credit union actively blocks password managers on their web and mobile apps. This means my banking password is effectively one of my least secure, so that I can remember and type it on mobile in a reasonable amount of time.

As much as everyone loves to blame users, this poo poo is part of the problem, too.

Entropic
Feb 21, 2007

patriarchy sucks
There's an apocalypse coming in a few decades when the tech-savvy youth of today start getting old and forget all their passwords.

spog
Aug 7, 2004

It's your own bloody fault.

Javid posted:

As much as everyone loves to blame users, this poo poo is part of the problem, too.

gently caress websites that disable pasting into a password field.

Super Slash
Feb 20, 2006

You rang ?

Knormal posted:

An email came in: "Hi, can you please install <website> on my computer? Also can you install the intra and internet on my computer too?" Then while I was talking to him to figure out what he really needed (which I'm sure everyone here can guess) he asked me how to open a blank Word document. Apparently he was confused by the pop-out recent documents list by the Word icon in the start menu and didn't realize he could just click on Word itself. He'd been opening recent documents, erasing everything in them, and saving them as a new file.

I'm not one to poo poo users who lack basic computer knowledge, but I had a guy who wanted me to look at his machine because an E-mail wouldn't display properly on Outlook since there were "Funny white boxes and everything is all jumbled". I was either tired or busy and didn't want to get out of my chair, but it dawned on me that he might be talking about images; so over the phone I said "Just above the body of the email, is there a grey bar that says click to display pictures?"

"Huh, what do you mean? Oh I see it now let's see... if I click it then- Oh, Ohhhhhhhhh"

It's right loving there dude! Just read the buttons!

spiny posted:

I will -never- forget a new IT manager starting at an ISP I used to work at back in the late '90s.
We had set up their desk with a desktop, monitor etc, but for some reason this person wanted to sit at the other end of the desk, so had moved all the equipment, then called us saying 'The PC won't start'
I rocked up expecting the old 'floppy disk in the drive' that foxed a lot of high earners, but no, this person had simply unplugged the monitor, keyboard and mouse, moved them to the other end of the desk and ... then called IT.

New starter; set up machine and cabling under the desk, fit the desk arm and mount monitor, perfect.
"Oh um, could I possibly have my screen on the other side?" :v:
Unmount monitor, unbolt desk arm, shuffle machine about, re-do the lot
"Hmm... I'm not sure if it was better the old way" :v:

Ok guy, I realise you're joking but I'm going to feed you to a loving woodchipper. :mad:

Prosthetic_Mind
Mar 1, 2007
Pillbug

spog posted:

gently caress websites that disable pasting into a password field.

Keepass has an auto type function that bypasses this, and at least on android has its own keyboard that lets you get around the copying and pasting issues.

Nerdrock
Jan 31, 2006

At my last job, the head engineer had his mind blown when he was shown he could pick up his mouse and place it on the other side of the keyboard. Literally no idea it was possible. I can't make this poo poo up.

To be fair, dude was sharp as a tack as far as the knowledge of the product we produced... but yeah.

ExcessBLarg!
Sep 1, 2001

spog posted:

gently caress websites that disable pasting into any field.

There's no good reason for it, at all.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ExcessBLarg! posted:

There's no good reason for it, at all.

Preventing bots from brute force guessing passwords.

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
No it doesn't; bots like that form the page and send the http POST commands direct.

Demonachizer
Aug 7, 2004

anthonypants posted:

Preventing bots from brute force guessing passwords.

Wouldn't you just use a post or I guess if you really wanted to use the browser for some reason disable the offending script that tracks/prevents pasting?


Che Delilas
Nov 23, 2009
FREE TIBET WEED

anthonypants posted:

Preventing bots from brute force guessing passwords.

The solution to this is a temporary lockout after a number of failed attempts, not client-side javascript.
