|
I remember seeing a tweet from some eBay support person saying that disabling the paste prevents brute force attacks, which... I don't even know how you get that confused.
|
# ? Feb 26, 2017 04:27 |
|
flosofl posted:I feel like you missed a joke or something? Yeah that seems sarcastic to me.
|
# ? Feb 26, 2017 04:32 |
|
Not sarcastic at all. There are very obvious reasons why copy/pasting is disallowed when changing your password versus when logging in. If you can't think of them, try turning on your brain.
|
# ? Feb 26, 2017 04:49 |
|
Very obvious, that's why you're the only person in the thread who sees these obvious, definitely good reasons.
|
# ? Feb 26, 2017 05:02 |
|
Not tested Chrome, but Firefox already disallows copying *from* a password field, so preventing people pasting into the 2nd one only fucks with innocent people
|
# ? Feb 26, 2017 05:03 |
|
sarehu posted:Not sarcastic at all. There are very obvious reasons why copy/pasting is disallowed when changing your password versus when logging in. If you can't think of them, try turning on your brain. You're trolling, right? Like, what are you talking about? What are the "very obvious reasons"?
|
# ? Feb 26, 2017 05:09 |
|
sarehu posted:Not sarcastic at all. There are very obvious reasons why copy/pasting is disallowed when changing your password versus when logging in. If you can't think of them, try turning on your brain. LOL
|
# ? Feb 26, 2017 05:14 |
|
Gee, maybe stop and consider why people have to type it twice.
|
# ? Feb 26, 2017 05:46 |
|
sarehu posted:Gee, maybe stop and consider why people have to type it twice. I....you cannot be serious. No one posting in an infosec thread is this dense.
|
# ? Feb 26, 2017 05:51 |
|
CLAM DOWN posted:I....you cannot be serious. No one posting in an infosec thread is this dense. Oh, believe it. Try going to a conference for info-sec and be amazed at how a lot of "security engineers" cargo-cult their practices and policies. Most of them go through the motions without understanding WHY. It's all a ritual for the blessing of the security gods, whose ways are a mystery.
|
# ? Feb 26, 2017 05:56 |
|
CLAM DOWN posted:I....you cannot be serious. No one posting in an infosec thread is this dense. If you are familiar with his previous posts you would not be surprised. He is your typical HN commenter.
|
# ? Feb 26, 2017 05:56 |
|
flosofl posted:Oh, believe it. Try going to a conference for info-sec and be amazed at how a lot of "security engineers" cargo-cult their practices and policies. Most of them go through the motions without understanding WHY. I've been lucky, the last couple SANS conferences I've been to have been incredibly rewarding experiences for me, but I can totally see what you're saying. I see it daily at work.

OSI bean dip posted:If you are familiar with his previous posts you would not be surprised. He is your typical HN commenter. Ugh, I wasn't aware.
|
# ? Feb 26, 2017 05:59 |
|
I still don't get how that makes it easy to gently caress up a copy/pasted password?? I mean obviously it's tripe. But I don't understand the internal logic either.
|
# ? Feb 26, 2017 06:14 |
|
Cup Runneth Over posted:I still don't get how that makes it easy to gently caress up a copy/pasted password?? Sarehu is demonstrating that he has no idea about how passwords should be handled in an application and would rather tell us that we are "missing the obvious" instead of actually elaborating on his (idiotic) point.
|
# ? Feb 26, 2017 06:29 |
|
Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp.
|
# ? Feb 26, 2017 07:38 |
|
sarehu posted:Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp. As opposed to being forced to type in a weak password that will be easily guessed and then cost money getting customer support to un-gently caress their account and complain on Yelp.
|
# ? Feb 26, 2017 07:57 |
|
sarehu posted:Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp. How often do you run across users who are the type to whine on Yelp that also copy and paste passwords?
|
# ? Feb 26, 2017 08:06 |
|
sarehu posted:Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp. As opposed to the customer service cost of making people type their own complex passwords repeatedly? Or do you advocate for simple short passwords as well?
|
# ? Feb 26, 2017 08:27 |
|
sarehu posted:Users will gently caress up the copy/paste and cost money getting customer support and complaining on Yelp. Lol, this is good. You really had me thinking you were actually this stupid.
|
# ? Feb 26, 2017 09:19 |
|
Lmao @ the idea of people reviewing websites on yelp. Is that even possible?
|
# ? Feb 26, 2017 10:15 |
|
gallop w/a boner posted:Within my organisation, we use an application white-listing product (Appsense Application Manager) on all Windows endpoints. We only allow pre-approved applications and block scripting engines like cscript.exe, powershell.exe etc. We do not allow executables to run from anywhere in the user's profile, network drives etcetera. We haven't had a single malware infection (well, as far as we know) since implementing white-listing, and are generally pretty pleased with it. I'm still trying to sort out the truth vs FUD about this, but yeah, apparently fileless malware is a thing now. I think the usual "train your employees" argument is still the best counter to that; but still, as we know, if you get specifically targeted you will be fooled/infected eventually given enough resources. I reckon the usual DLP mitigation technologies still work for fileless malware. I mean, we know anti-virus is pretty much useless now and can actually make your systems less secure because it increases the attack surface, but you still have to handle the malware, and nowadays doing it at the network layer seems to be the way to go. Some people are trying to come up with Machine Learning technologies to detect anomalies on the network, for instance. In any case, I don't see how fileless malware changes the game (except you can't scan for files, but like I said this way of detecting malware is probably out of date now). Just out of curiosity, what's this vendor's solution to that?
|
# ? Feb 26, 2017 11:11 |
|
skull mask mcgee posted:Lmao @ the idea of people reviewing websites on yelp. Is that even possible? https://www.yelp.com/biz/something-awful-pleasant-hill
|
# ? Feb 26, 2017 18:04 |
|
If only Lowtax would disable copy-pasting into the change password field, that rating would be a good two stars higher.
|
# ? Feb 26, 2017 18:57 |
|
Kassad posted:Also: Don't upload a pair of files with identical SHA-1 to a SVN repository, turns out this corrupts them. Oh man, that just made Monday morning so much better.
|
# ? Feb 27, 2017 11:46 |
|
The most baffling disabling copy/paste is Namecheap's SMS "MFA" implementation. They won't let you paste into the textbox for the code. Not that typing in those digits is annoying, but the fact that they thought this was the hill to die on. Were people pasting in from Messages.app really that big a threat?
|
# ? Feb 27, 2017 14:17 |
|
sarehu posted:It's so easy to gently caress up a copy/pasted password so making you type it makes a lot of sense. You're a dipshit
|
# ? Feb 27, 2017 18:22 |
|
CLAM DOWN posted:As opposed to the customer service cost of making people type their own complex passwords repeatedly? Or do you advocate for simple short passwords as well? Yeah, make your passwords short, and different for each website. The length doesn't help -- if somebody's hacked the website, they'll probably get everything else in the database too, and a targeted crack isn't going to matter much.
|
# ? Feb 27, 2017 22:32 |
|
sarehu posted:Yeah, make your passwords short, and different for each website. The length doesn't help -- if somebody's hacked the website, they'll probably get everything else in the database too, and a targeted crack isn't going to matter much.
|
# ? Feb 27, 2017 22:45 |
|
Yeah, has to be a troll.
|
# ? Feb 27, 2017 22:49 |
|
sarehu posted:Yeah, make your passwords short, and different for each website. The length doesn't help -- if somebody's hacked the website, they'll probably get everything else in the database too, and a targeted crack isn't going to matter much. Honestly I think my recommendation here is that you stop using a computer now and forever
|
# ? Feb 27, 2017 22:49 |
|
The only things that matter are reuse, and making sure the search space is large enough that your anti-brute-force system kicks in before they have a decent chance. To prevent reuse, pick 3 random characters at password set time and require them to be in the password. (Or take the password and try it on a bunch of sites in the background.)
|
# ? Feb 27, 2017 22:50 |
|
sarehu posted:The length doesn't help
|
# ? Feb 27, 2017 22:52 |
|
It's very easy to test my hypothesis. Take my 8 characters-and-less passwords on websites I use (they go down to 6), count how many times my accounts have been lost from the password being hacked, and compare the results with your however-long passwords that make you feel secure. I've never lost any account to somebody brute forcing my password over the wire. Or from anybody getting the password database and cracking it offline. That would be doable, but there's minimal harm that could be done on any service for which that could be accomplished.
|
# ? Feb 27, 2017 23:22 |
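As an added worked example, not from any poster in this thread, here is a Go program that puts numbers on the two attack models the last few posts distinguish: online guessing against a live login (bounded by rate limiting or lockout) versus offline cracking of a leaked password database (bounded only by hash speed). The guess rates are constructed order-of-magnitude assumptions, not measurements, and the 62-character alphabet is the usual [A-Za-z0-9] set.

```go
package main

import (
	"fmt"
	"math"
)

// Attack is a guessing strategy characterised only by how fast it can test
// candidates. The rates are constructed order-of-magnitude assumptions.
type Attack struct {
	Name             string
	GuessesPerSecond float64
}

var (
	// Live login endpoint that throttles to roughly 10 attempts/s (assumption).
	Online = Attack{"online guessing, rate-limited login", 10}
	// Leaked database of fast unsalted hashes on one GPU (assumption: 1e10 H/s).
	OfflineFastHash = Attack{"offline cracking, fast hash", 1e10}
	// Leaked database of bcrypt hashes at a moderate cost (assumption: 1e4 H/s).
	OfflineSlowKDF = Attack{"offline cracking, bcrypt", 1e4}
)

// SearchSpace is the number of candidates of the given length over a charset
// of the given size (float64 because 62^16 already overflows int64).
func SearchSpace(charset, length int) float64 {
	return math.Pow(float64(charset), float64(length))
}

// EntropyBits is log2 of the search space, the usual "bits of entropy" figure
// for a uniformly random password.
func EntropyBits(charset, length int) float64 {
	return float64(length) * math.Log2(float64(charset))
}

// ExpectedSeconds is the mean time to hit a uniformly random password by
// exhaustive search: half the space on average.
func ExpectedSeconds(charset, length int, a Attack) float64 {
	return SearchSpace(charset, length) / 2 / a.GuessesPerSecond
}

const secondsPerYear = 365.25 * 86400

// Years converts seconds to years.
func Years(seconds float64) float64 { return seconds / secondsPerYear }

// Humanize renders a duration in the largest sensible unit.
func Humanize(seconds float64) string {
	switch {
	case seconds < 60:
		return fmt.Sprintf("%.0f s", seconds)
	case seconds < 3600:
		return fmt.Sprintf("%.1f min", seconds/60)
	case seconds < 86400:
		return fmt.Sprintf("%.1f hours", seconds/3600)
	case seconds < secondsPerYear:
		return fmt.Sprintf("%.1f days", seconds/86400)
	default:
		return fmt.Sprintf("%.0f years", Years(seconds))
	}
}

func main() {
	const alnum = 62 // [A-Za-z0-9], the shape of the "6 to 8 character" passwords above
	for _, length := range []int{6, 8, 12, 16} {
		fmt.Printf("length %2d (%.0f bits)\n", length, EntropyBits(alnum, length))
		for _, a := range []Attack{Online, OfflineFastHash, OfflineSlowKDF} {
			fmt.Printf("  %-38s %s\n", a.Name, Humanize(ExpectedSeconds(alnum, length, a)))
		}
	}
}
```

Under these assumptions a 6-character alphanumeric password takes about 90 years to guess through a throttled login, which is the part of the "never lost an account over the wire" claim that holds; the same 8-character password falls in about 3 hours once the hash database leaks and the hash is fast, and only a slow KDF or more length pushes that back to centuries. Exhaustive search is also the attacker's worst case: real cracking runs wordlists and mangling rules first, so human-chosen short passwords fall well before these figures, and the reuse point is separate from length entirely.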
|
It's never backfired on me, therefore it is good security practice.
|
# ? Feb 27, 2017 23:42 |
|
Just ignore the troll. There's no way anyone can be this willfully stupid and still be functional enough to use a computer without a helper.
|
# ? Feb 28, 2017 04:05 |
|
My 1Password Watchtower/heartbleed tab has like 30+ websites listed as vulnerable. A lot of them are one-off accounts I made to buy something or whatever that 1Password saved (I mean, really, do I "need" to update my account at "jetpens.com"? Whatever address I saved there isn't even where I live anymore, and I'm sure the credit card is either expired or, if not, then well, I know I'm not gonna be on the hook if someone steals it, so who cares), and the others are websites that make it really difficult for me to change my password/can't login anymore without . My point is that passwords are annoying. You should still use password managers though. They help except when they don't (e.g. maximum arbitrary password lengths).
|
# ? Feb 28, 2017 13:52 |
|
Passwords are terrible but they are the least we can do. I mean, door keys are terrible too but there's not much choice there. Passwords wouldn't be half as bad if most websites set up a proper 2FA. It still wouldn't be perfect but much better. Personally I'm waiting for more news on SQRL. I'd like to see some security research done on this and cryptographic attacks, peer reviews, etc. Using a public key to log on a website, and specific to that website, is pretty cool.
|
# ? Feb 28, 2017 18:30 |
|
Furism posted:Passwords are terrible but they are the least we can do. I mean, door keys are terrible too but there's not much choice there. Passwords wouldn't be half as bad if most websites set up a proper 2FA. It still wouldn't be perfect but much better. SQRL is garbage: http://security.blogoverflow.com/2013/10/debunking-sqrl/ Also Steve Gibson is a loving charlatan, so stop reading up on his dumbassery: http://attrition.org/errata/charlatan/steve_gibson/
|
# ? Feb 28, 2017 19:11 |
|
OSI bean dip posted:SQRL is garbage: Wait, he's still around? I thought he faded into obscurity a decade ago when people finally figured out he was full of poo poo and didn't know what he was talking about. I still remember his "artisanal" programs, hand-crafted in x86 asm.
|
# ? Feb 28, 2017 19:16 |
|
Furism posted:Passwords are terrible but they are the least we can do. I mean, door keys are terrible too but there's not much choice there. Passwords wouldn't be half as bad if most websites set up a proper 2FA. It still wouldn't be perfect but much better. Looking into it (and ignoring that, like OSI said, Gibson is an idiot that should be ignored) it seems like SQRL would be a replacement for the SMS based portion of a good multi-factor authentication system, not for passwords. Pub/priv key based signing is a "thing you have" auth check, passwords are a "thing you know" auth check. Yes, the key is protected by a password as well, but verifying the password isn't done by the system being authenticated against so it shouldn't be considered an auth mechanism.
|
# ? Feb 28, 2017 19:22 |
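The post above describes the mechanism in one sentence: a public key specific to each website, with the password check happening on the client and never at the site. As an added example (this is not SQRL's actual protocol, not Gibson's code, and not anything a poster here wrote), here is a Go program using only standard-library crypto that shows the skeleton of that idea: one master secret, a per-site ed25519 keypair derived from it with HMAC-SHA256 over the site name, the site storing only the public key, and login as a signature over a one-time server nonce. The Client/Server/Demo names, the length-prefixed challenge encoding, and the master secret constant are all mine; a real client would unlock the master secret with the user's local password, which is exactly why that password is not an authenticator the server can check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client holds the user's master secret. In a real scheme the user's local
// password would unlock it; the site never sees that password, only signatures.
type Client struct{ master []byte }

func NewClient(master []byte) Client { return Client{master: master} }

// siteSeed derives a 32-byte ed25519 seed bound to the site name, so each site
// sees a different public key and sites cannot correlate the same user.
func siteSeed(master []byte, site string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(site))
	return m.Sum(nil) // sha256 output length == ed25519.SeedSize
}

// SiteKey is the deterministic per-site private key (never leaves the client).
func (c Client) SiteKey(site string) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(siteSeed(c.master, site))
}

// SitePublicKey is the only thing the site stores for this user.
func (c Client) SitePublicKey(site string) ed25519.PublicKey {
	return c.SiteKey(site).Public().(ed25519.PublicKey)
}

// Answer signs the site's challenge with the per-site key.
func (c Client) Answer(site string, nonce []byte) []byte {
	return ed25519.Sign(c.SiteKey(site), challengeMessage(site, nonce))
}

// challengeMessage binds the nonce to the site name (length-prefixed so the
// encoding is unambiguous); a signature made for one site is useless at another.
func challengeMessage(site string, nonce []byte) []byte {
	msg := append([]byte{byte(len(site))}, site...)
	return append(msg, nonce...)
}

// Server stores registered public keys and outstanding one-time nonces.
type Server struct {
	site   string
	users  map[string]bool
	nonces map[string]bool
}

func NewServer(site string) *Server {
	return &Server{site: site, users: map[string]bool{}, nonces: map[string]bool{}}
}

func (s *Server) Register(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = true }

// Challenge issues a fresh random nonce valid for exactly one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

var (
	ErrStaleNonce   = errors.New("nonce not outstanding: replayed or never issued")
	ErrUnknownKey   = errors.New("public key not registered")
	ErrBadSignature = errors.New("signature does not verify")
)

// Login checks the response. The nonce is consumed on every attempt, success
// or not, so a captured response cannot be replayed.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) error {
	n := hex.EncodeToString(nonce)
	if !s.nonces[n] {
		return ErrStaleNonce
	}
	delete(s.nonces, n)
	if len(pub) != ed25519.PublicKeySize || !s.users[hex.EncodeToString(pub)] {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, challengeMessage(s.site, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs one register-then-login round trip; nil means the login succeeded.
func Demo(master []byte, site string) error {
	c, s := NewClient(master), NewServer(site)
	s.Register(c.SitePublicKey(site))
	nonce, err := s.Challenge()
	if err != nil {
		return err
	}
	return s.Login(c.SitePublicKey(site), nonce, c.Answer(site, nonce))
}

func main() {
	master := []byte("constructed master secret, not a real one") // constructed for the demo
	fmt.Println("login at example.com:", Demo(master, "example.com"))
	c := NewClient(master)
	fmt.Printf("example.com key:   %x\nother.example key: %x\n",
		c.SitePublicKey("example.com"), c.SitePublicKey("other.example"))
}
```

What the site holds is a public key, so a breach of its database gives an attacker nothing to crack and nothing to reuse elsewhere, which is the property the thread contrasts against passwords; what it does not give you is a second factor of a different kind, since everything rests on possession of the master secret, which is the point the post above makes about where the password check actually happens.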