|
PT6A posted:I've only seen that sort of thing on systems where the password occasionally has to be entered on a phone. The length limitation baffles me, though; I can't think of a reason for that at all. There are some hella ancient things that cap at 8 characters and/or ignore everything past that, but not sure what. Way before my time
|
# ? Mar 5, 2017 21:48 |
|
|
Biowarfare posted:There are some hella ancient things that cap at 8 characters and/or ignore everything past that, but not sure what. Way before my time AS/400 usually. 8 Char limit IIRC.
|
# ? Mar 5, 2017 21:55 |
|
Biowarfare posted:There are some hella ancient things that cap at 8 characters and/or ignore everything past that, but not sure what. Way before my time Traditional Unix passwords ignore anything past 8 characters, and Linux naturally copied it, although it's not been the default for a long time and idk if it's even still supported on modern distros (what does my heart tell me)
|
# ? Mar 5, 2017 21:57 |
|
Soricidus posted:Traditional Unix passwords ignore anything past 8 characters, and Linux naturally copied it, although it's not been the default for a long time and idk if it's even still supported on modern distros (what does my heart tell me) That's the bog standard original DES-based implementation of crypt(3), which has widespread cross-platform support everywhere because it's stupid and simple. The reason it has an eight character cap is because it manipulates the characters into 7 bits each in order to create the 56 bit key that DES requires. Every shipping crypt(3) implementation contains support for alternate hashing schemes which aren't completely hosed. In this case though we're probably just dealing with no hashing and storing the password in a CHAR(10) or equivalent because people are loving stupid.
|
# ? Mar 6, 2017 00:07 |
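The eight-character ceiling described in the post above comes entirely from the key-setup step of classic DES crypt(3): the first eight characters are each reduced to 7 bits and shifted left by one (DES ignores the low parity bit of each key byte), which is exactly 56 bits, and anything past the eighth character never reaches the cipher. The model below is an added illustration, not code from the thread or from any crypt(3) implementation; it reproduces only that key-setup step (the DES rounds and the salted 25-iteration hashing are left out because the truncation is a property of key setup alone). The latin-1 handling of non-ASCII input is an assumption about how traditional 8-bit implementations behave.

```python
"""Model of how traditional DES-based crypt(3) turns a password into its DES key.

Added illustration only (not from the thread). Shows why two passwords that
agree on their first eight characters are indistinguishable to DES crypt.
"""


def des_crypt_key(password: str) -> bytes:
    """Derive the 8-byte DES key the way classic crypt(3) does.

    - keep at most the first 8 characters (everything after is discarded)
    - keep only the low 7 bits of each character
    - shift left by one so DES's ignored parity bit lands in bit 0
    - zero-pad shorter passwords
    Assumption: input is treated as 8-bit latin-1, as older C code would.
    """
    raw = password.encode("latin-1", errors="replace")[:8]  # truncation happens here
    raw = raw.ljust(8, b"\0")
    return bytes(((c & 0x7F) << 1) for c in raw)


def effective_key_bits(password: str) -> int:
    """8 characters x 7 bits = 56 bits is the hard ceiling; shorter is weaker."""
    return min(len(password), 8) * 7


def same_des_key(a: str, b: str) -> bool:
    """True when crypt(3) would hash a and b with the identical DES key."""
    return des_crypt_key(a) == des_crypt_key(b)


if __name__ == "__main__":
    # 'correcthorse' and 'correcthorsebattery' share the first 8 characters,
    # so DES crypt cannot tell them apart.
    print(same_des_key("correcthorse", "correcthorsebattery"))  # True
    # Only the low 7 bits survive, so a high-bit character collapses onto ASCII.
    print(same_des_key("\u00e9", "i"))  # True
    print(effective_key_bits("correcthorsebatterystaple"))  # 56
```

The practical check on a system you inherit is to look at the hash prefix: a 13-character hash with no `$id$` prefix is DES crypt and has this property, while `$5$`, `$6$`, `$2b$` and similar are the alternate schemes that do not truncate at eight characters.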
|
TooMuchAbstraction posted:"I don't understand security, but I'm just going to roll my own. How hard can it be?" I had a co-worker once that thought he was god's gift to everything. He managed our ERP that ran on an old-as-dirt multi-value database with a text-based front end about 10 years ago. He also had one small VB program he wrote and maintained for the company and that program kept its data encrypted by an encryption algorithm he wrote himself... in VB... When I found out about that I asked why he didn't just use one of the many encryption algorithms that were already available via .Net's standard libraries. Apparently it was an insult of the highest order to suggest he was not capable of writing a good encryption algorithm from scratch. I tried being as diplomatic as possible but I was in shock at the ignorance on display and had a hard time hiding my disbelief and keeping the WTF? look off my face. Took a third person coming in to defuse the jackass before he exploded or before I started laughing my rear end off. Yes, people can write good encryption algorithms, even individuals. But you're not gonna whip one out for a one-off project and even if it is AMAZING, it's not safely usable until it's been studied, reviewed and tested by a large number of people for quite a while. I wish I would've grabbed a copy of his code to see how close it was to a ROT13 variant.
|
# ? Mar 6, 2017 00:19 |
|
RandomBlue posted:Yes, people can write good encryption algorithms, even individuals. People can, I suppose, but people don't. I wouldn't even trust myself or any other single person to write a properly secure implementation of a well-known and secure algorithm, frankly.
|
# ? Mar 6, 2017 01:05 |
|
They should make a language that throws a compile-time error if you implement broken crypto.
|
# ? Mar 6, 2017 02:00 |
|
PT6A posted:People can, I suppose, but people don't. It depends on whether you care about side channels. If not, it's easy to implement some algorithms. If they matter then agreed.
|
# ? Mar 6, 2017 05:53 |
|
The 8 to 10 char password was in the registration process for the Virgin Mobile UK site.
|
# ? Mar 6, 2017 12:11 |
|
I'm at my second client that thinks it can use TFS like Git w.r.t. branching. I'm going to refer to this as the Slam Your Dick In A Car Door Strategy from now on, but that's just the background for what I saw this morning. I was updating the QA branch this morning because a dev branch had just been merged in, and of course some jackass had committed his development copy of the config of the main project, so I had to hold TFS's hand to merge the changes in. Mostly just a bunch of service URLs that you have to point to different environments based on where your poo poo is running. Not a huge deal - it's even all set up so you can do a quick, global search and replace! The WTF was that, while the jackass' file was full of references to local environment 1 (http://L1.etc.blah.blah.whocares, basically) and my local copy to group environment 2 (E2), but TFS thought they should all be environment 5. So, it looked at L1 and E2 and decided that E5 was the way to merge those. It's worth noting that there is an E5, so it's in the file's history... somewhere, but trying to branch and merge in TFS like the cool git kids are doing clearly just breaks its fuckin brain. Munkeymon fucked around with this message at 16:58 on Mar 6, 2017 |
# ? Mar 6, 2017 16:41 |
|
Is TFS super-crappy compared to git?
|
# ? Mar 6, 2017 17:48 |
|
return0 posted:Is TFS super-crappy compared to git? Blog post I've been using TFS at work for the past five or so years, and I've only used git for relatively smaller open source projects, but at least from my work experience, making branches and doing merges doesn't seem to be the strong point of TFS version control, and it seems like git is a lot less of a pain in the rear end if you need to branch and merge a lot. Bruegels Fuckbooks fucked around with this message at 18:28 on Mar 6, 2017 |
# ? Mar 6, 2017 18:25 |
|
return0 posted:Is TFS super-crappy compared to git? Centralized vs decentralized... mostly. I have a laundry list of things I loving hate about it, but many of them could be classified as UI problems, I guess. Problem is that the UI comes baked right into it, so it's hard to differentiate. Oh and AFAIK Microsoft still doesn't dogfood it which is always a good sign.
|
# ? Mar 6, 2017 18:25 |
|
Yeah the TFS underpinnings might be amazing but you'd never know from the UI.
|
# ? Mar 6, 2017 19:57 |
|
Dylan16807 posted:It depends on whether you care about side channels. If not, it's easy to implement some algorithms. If they matter then agreed. No no you don't understand crypto is magic and will spontaneously fail to provide any security at all unless written by a wizard. Unlike e.g. input validation code, which you can safely leave to your intern and not bother fuzzing or anything because it's only crypto that is special and uniquely difficult.
|
# ? Mar 6, 2017 20:01 |
|
Soricidus posted:No no you don't understand crypto is magic and will spontaneously fail to provide any security at all unless written by a wizard. Unlike e.g. input validation code, which you can safely leave to your intern and not bother fuzzing or anything because it's only crypto that is special and uniquely difficult. There's qualitatively different levels of hard at play here. Input validation doesn't require you to understand a lot of high-level mathematics to do properly. And to be clear, we're talking about why it's foolish to implement crypto algorithms yourself here, not making use of crypto libraries. I mean, it's still easy to use a crypto library in a way that doesn't provide any security, but at least there it's because you didn't follow the (reasonably straightforward) instructions, not because you didn't understand how information theory can be applied to your encrypted data to extract the unencrypted message.
|
# ? Mar 6, 2017 20:04 |
|
return0 posted:Is TFS super-crappy compared to git? Pretty much a moot question for new development, since git is now the default VCS for tfs. TFSVC is on life support.
|
# ? Mar 6, 2017 20:22 |
|
pokeyman posted:Yeah the TFS underpinnings might be amazing but you'd never know from the UI. It's almost certainly not! quote:TF401190: The local workspace temp_WS;User has 248536 items in it, Branching doesn't help, either, because a branch is just a special folder in the same workspace you can merge with neighboring folders. As a consequence, one commit can span branches and, for the icing on the cake, the UI makes it trivially easy to do that accidentally. Also note the workspace name is the computer/user login. If the computer name changes, the local copy stops working. That's not even getting into 'version' conflicts and what happens to shelvesets when you delete their backing branch. It's real bad. boo_radley posted:Pretty much a moot question for new development, since git is now the default VCS for tfs. TFSVC is on life support. Which is cool until you get saddled with a dinosaur client that requires locking version control because that's what the 40 year old contract template says.
|
# ? Mar 6, 2017 20:50 |
|
return0 posted:The 8 to 10 char password was in the registration process for the Virgin Mobile UK site. I haven't logged into Barclaycard's website for a while but one of the two passwords had a restriction of being precisely 6 digits long. Not characters. Digits.
|
# ? Mar 6, 2017 21:13 |
|
Munkeymon posted:It's almost certainly not! This is a real version control system?
|
# ? Mar 6, 2017 21:42 |
|
Soricidus posted:No no you don't understand crypto is magic and will spontaneously fail to provide any security at all unless written by a wizard. Maybe I misunderstood, but I'm pretty sure this is a fairly accurate representation of how crypto works.
|
# ? Mar 6, 2017 22:09 |
|
Dr. Arbitrary posted:Maybe I misunderstood, but I'm pretty sure this is a fairly accurate representation of how crypto works. It is, and anyone who spends 5 minutes reading cryptofails can confirm that there are tons of people out there who think they can do crypto but really can't QuarkJets fucked around with this message at 22:23 on Mar 6, 2017 |
# ? Mar 6, 2017 22:16 |
|
Today I had the privilege of looking at some CSRF prevention code that actually generated a CSRF token for the attacker if they didn't provide one. There were two servlet filters. The first filter on the chain would create the token and store it in a cache and also set it as parameter on the request, and the second filter would then validate that the token stored in the cache would match the one that was literally just set on the request.
|
# ? Mar 7, 2017 00:54 |
|
Arachnamus posted:I haven't logged into Barclaycard's website for a while but one of the two passwords had a restriction of being precisely 6 digits long. Not characters. Digits. Same for BMO in Canada. Does it really matter, though, given that you get only 3 attempts before you're locked out? An attacker still has only a 3/1,000,000 chance of successfully getting in, and there's usually a secondary "security question" asked if the login occurs from an unknown IP address (or maybe it's cookie-based, I'm not sure). Arguably, it's more secure than requiring a long alphanumeric password with upper- and lower-case characters and special characters without a lockout (or even with a lockout, because those complex passwords are more likely to get written down and left somewhere unsafe).
|
# ? Mar 7, 2017 01:07 |
|
PT6A posted:Same for BMO in Canada. Does it really matter, though, given that you get only 3 attempts before you're locked out? An attacker still has only a 3/1,000,000 chance of successfully getting in, and there's usually a secondary "security question" asked if the login occurs from an unknown IP address (or maybe it's cookie-based, I'm not sure). Arguably, it's more secure than requiring a long alphanumeric password with upper- and lower-case characters and special characters without a lockout (or even with a lockout, because those complex passwords are more likely to get written down and left somewhere unsafe). If you lock out after three attempts, an attacker can launch a denial of service attack by rapidly locking out every account. Also, the passwords aren't going to be random; there's a much larger than 1/1,000,000 chance of guessing what are likely MMDDYY passwords. And if you get to the security question screen, you know you got the password right.
|
# ? Mar 7, 2017 01:28 |
|
In addition to the post above, your application-level rate limiting makes no difference if they have a copy of the database or just an alternative connection to it like an unprotected MongoDB.
|
# ? Mar 7, 2017 01:34 |
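Both points in the last two posts (date-shaped PINs are far easier than 1 in 1,000,000, and a lockout is irrelevant once the attacker has a copy of the hashes) can be shown with a few lines. This is an added example, not from the thread: the salted SHA-256 stands in for whatever the site actually stores (an assumption; a deliberately slow hash would raise the cost per guess but the 10^6 space is still small), and the target hashes are constructed here.

```python
"""Offline attack on a 6-digit PIN: date-shaped guesses first, then the whole space.

Added example (not from the thread). With the hash in hand there is no lockout,
and the full 1,000,000-PIN space is enumerated in about a second in pure Python.
"""
import datetime
import hashlib
import itertools


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Assumed storage format: sha256(salt || pin). Stand-in for the real scheme."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def date_pins(first_year: int = 1918, last_year: int = 2017) -> list:
    """Every real calendar date in the range as an MMDDYY string, in order.
    A hundred years of dates is only ~36.5k of the 1,000,000 possible PINs."""
    seen, out = set(), []
    day = datetime.date(first_year, 1, 1)
    step = datetime.timedelta(days=1)
    while day.year <= last_year:
        pin = day.strftime("%m%d%y")
        if pin not in seen:
            seen.add(pin)
            out.append(pin)
        day += step
    return out


def all_pins():
    """The complete 6-digit space, zero-padded."""
    return ("%06d" % i for i in range(1_000_000))


def crack_pin(target: bytes, salt: bytes):
    """Try date-shaped PINs first, then everything else.
    Returns (pin, number_of_guesses) or (None, number_of_guesses)."""
    tried = set()
    attempts = 0
    for guess in itertools.chain(date_pins(), all_pins()):
        if guess in tried:
            continue
        tried.add(guess)
        attempts += 1
        if hash_pin(guess, salt) == target:
            return guess, attempts
    return None, attempts


def date_fraction_of_space() -> float:
    """Share of the 6-digit space that is a plausible MMDDYY birthday."""
    return len(date_pins()) / 1_000_000


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed for the example
    # A birthday-style PIN falls inside the small date-shaped subset.
    print(crack_pin(hash_pin("071585", salt), salt))  # ('071585', <under 36,525 guesses>)
    # A non-date PIN still falls to the full enumeration, lockout or not.
    print(crack_pin(hash_pin("999999", salt), salt))
    print("date-shaped fraction of the space:", date_fraction_of_space())  # ~0.0365
```

The online version of the same observation is the first three entries of a well-ordered guess list, not three random PINs, which is why "3 in a million" overstates the protection even before anyone copies the database.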
|
Munkeymon posted:Branching doesn't help, either, because a branch is just a special folder in the same workspace you can merge with neighboring folders. As a consequence, one commit can span branches and, for the icing on the cake, the UI makes it trivially easy to do that accidentally. In those ways, is it much like Subversion? Yes, I realize from the article that was linked that it's different from Subversion in other ways.
|
# ? Mar 7, 2017 06:02 |
|
Munkeymon posted:Branching doesn't help, either, because a branch is just a special folder in the same workspace you can merge with neighboring folders. Workspaces and branches are loosely related. In most cases, you should have one branch per workspace. It's not technologically impossible to check out all server branches into a single local workspace, but it's weird and unusual. The only time I've done that is to reconcile some deep hurting between server branches and something a junior dev did. quote:As a consequence, one commit can span branches and, for the icing on the cake, the UI makes it trivially easy to do that accidentally. Again, this is technically by design. It's odd to do, and stumbling into a situation where it happens by default makes me wonder how you got there.
|
# ? Mar 7, 2017 06:28 |
|
boo_radley posted:Workspaces and branches are loosely related. In most cases, you should have one branch per workspace. It's not technologically impossible to check out all server branches into a single local workspace, but it's weird and unusual. One workspace holding all code has been my normal experience for how TFS is set up so far. I guess this is why my TFS zealot colleague is so critical of all the TFS setups he sees? quote:Again, this is technically by design. It's odd to do, and stumbling into a situation where it happens by default makes me wonder how you got there. Just the way the UI will slurp up every change in a workspace whether they're controlled by the active Solution or not into Included Changes when you go to check in is what's doing it. If you've got changes in two or more branches, you have to janitor that, which is a weird, unexpected default(?) behavior when I've got a solution open. Understandable if I don't, but I generally do. I'm also having trouble thinking of a reason why I'd want to do such a thing. Buttcoin purse posted:In those ways, is it much like Subversion? Yes, I realize from the article that was linked that it's different from Subversion in other ways. Now that you've got me thinking about it, I think so, but it's been a while. It might let you merge any two trees where TFS won't. Mentioned it because habitual Git users might be used to thinking of a branch as lightweight pointers to a root object plus maybe some tiny modifications - a very thin copy, but TFS seems to make fat copies that count towards that 10k soft limit.
|
# ? Mar 7, 2017 16:02 |
|
Munkeymon posted:One workspace holding all code has been my normal experience for how TFS is set up so far. I guess this is why my TFS zealot colleague is so critical of all the TFS setups he sees? quote:Just the way the UI will slurp up every change in a workspace whether they're controlled by the active Solution or not into Included Changes when you go to check in is what's doing it. If you've got changes in two or more branches, you have to janitor that, which is a weird, unexpected default(?) behavior when I've got a solution open. Understandable if I don't, but I generally do. quote:
|
# ? Mar 7, 2017 18:18 |
|
boo_radley posted:snip How about we move the derail to the right thread: https://forums.somethingawful.com/showthread.php?threadid=3113983&pagenumber=81#post470093367
|
# ? Mar 7, 2017 18:36 |
|
Munkeymon posted:Oh and AFAIK Microsoft still doesn't dogfood it which is always a good sign.
|
# ? Mar 7, 2017 22:34 |
|
Gazpacho posted:This is wrong on both counts. Azure is all Git, other orgs use TFS.
|
# ? Mar 8, 2017 08:35 |
|
Gazpacho posted:This is wrong on both counts. Good, but what the second count?
|
# ? Mar 8, 2017 20:34 |
|
Munkeymon posted:Good, but what the second count? That it is a good sign. Typo?
|
# ? Mar 8, 2017 21:50 |
|
Captain Capacitor posted:Azure is all Git, other orgs use TFS. most if not all are migrating to git
|
# ? Mar 8, 2017 23:15 |
|
Munkeymon posted:Good, but what the second count? I interpreted that to mean (1) it is incorrect that Microsoft still doesn't dogfood it, (2) it is not true that it is a good sign when Microsoft doesn't dogfood something.
|
# ? Mar 8, 2017 23:17 |
|
Malcolm XML posted:most if not all are migrating to git Which explains why visual studio has tighter git integration with each version.
|
# ? Mar 8, 2017 23:24 |
|
Absurd Alhazred posted:Demand that the word "password" is part of the password so our admins don't get confused. I saw a website the other day that insisted on >8 characters, must have upper and lower case + numerals; special characters not allowed, including space.
|
# ? Mar 9, 2017 15:12 |
|
|
Headhunter posted:Knowledge of Git or other Sounds Control systems
|
# ? Mar 9, 2017 17:46 |