|
Avenging_Mikon posted:You don't put your actual password in those, you use something of the same length and characteristics. yes, a password inspector. don't use your actual password (any of them, for anything), just one you might use. cool, no problem, and definitely something a layperson worried about wizardsec would use in the manner in which its intended.
|
#
?
Aug 19, 2017 04:38
|
|
|
|
| # ? May 13, 2024 21:41 |
|
|
Powaqoatse posted:the nazi site has been cleaned up a bit since, but archive.org shows the type of poo poo they sell/sold:  
|
|
#
?
Aug 19, 2017 04:50
|
|
|
infernal machines posted:yes, a password inspector. don't use your actual password (any of them, for anything), just one you might use. I dunno, I found them useful to demonstrate to people the importance of complexity.
|
|
#
?
Aug 19, 2017 05:15
|
|
|
Avenging_Mikon posted:I dunno, I found them useful to demonstrate to people the importance of complexity. what kind of complexity? how does it work?
|
|
#
?
Aug 19, 2017 05:28
|
|
|
basghetti is nice but ugh nazis
|
|
#
?
Aug 19, 2017 10:17
|
|
|
pci dss gives fucks about exactly one thing: protecting cardholder data, and only cardholder data. you can store plaintext passwords on a sql server 2005 db with an asp.net 1.1 app running on windows server 2003 in tyool 20 loving 17 and as long as your cardholder data is 'adequately' protected you can get the big pci dss level one certificate it is a total loving bullshit scam incidentally, we're pci dss level one version three point oh certified
|
|
#
?
Aug 19, 2017 13:07
|
|
|
redleader posted:pci dss gives fucks about exactly one thing: protecting cardholder data, and only cardholder data. you can store plaintext passwords on a sql server 2005 db with an asp.net 1.1 app running on windows server 2003 in tyool 20 loving 17 and as long as your cardholder data is 'adequately' protected you can get the big pci dss level one certificate 
|
|
#
?
Aug 19, 2017 13:33
|
|
|
Powaqoatse posted:speaking of secfucks, someone hacked a nazi merch webstore and handed over their customer db to Swedish antifa Is there a translation of the letter somewhere?
|
|
#
?
Aug 19, 2017 15:28
|
|
|
infernal machines posted:what kind of complexity? how does it work? Short vs. Long, use of special characters, numbers, capitals. People are really dumb, and having something to show them to say "look, this simple change gives you way more protection without making your life more difficult" is useful. The thing just evaluates attack space and compares to brute force speed to get approximate time to crack.
|
|
#
?
Aug 19, 2017 16:02
|
|
|
so a friend is having fun with sprint today https://twitter.com/sprintcare/status/898800482663014400 https://twitter.com/sprintcare/status/898901472594636801 https://twitter.com/sprintcare/status/898912177523892224 https://twitter.com/sprintcare/status/898918538546565120 https://twitter.com/sprintcare/status/898895355609202689
|
|
#
?
Aug 19, 2017 16:13
|
|
|
Avenging_Mikon posted:Short vs. Long, use of special characters, numbers, capitals. People are really dumb, and having something to show them to say "look, this simple change gives you way more protection without making your life more difficult" is useful. The thing just evaluates attack space and compares to brute force speed to get approximate time to crack. okay, so the issue is a "complex" password isn't necessarily a harder to crack password. assuming you're going for a human memorable password, you probably just want a long phrase rather than something that has a bunch of special characters in it. but also, if the thing just scores Name<birthyear> as complex* it's not very good either *microsoft online services, i'm looking at you
|
|
#
?
Aug 19, 2017 16:25
|
|
|
A Pinball Wizard posted:Is there a translation of the letter somewhere? dunno, but here's my liberal translation quote:Hello, My PIN is 4826 fucked around with this message at 16:57 on Aug 19, 2017 |
|
#
?
Aug 19, 2017 16:55
|
|
|
My PIN is 4826 posted:dunno, but here's my liberal translation
|
|
#
?
Aug 19, 2017 18:24
|
|
|
anthonypants posted:owns
|
|
#
?
Aug 19, 2017 18:28
|
|
|
Lain Iwakura posted:so a friend is having fun with sprint today fun reverse of this story: Amex wouldn't let me create a username unless it had at least 2 #s. gotta get dem high entropy... usernames? 🤔 tacked on my birth year like everyone else probably does 🎉 at least they let me create a complex password too
|
|
#
?
Aug 19, 2017 18:31
|
|
|
maskenfreiheit posted:fun reverse of this story: Amex wouldn't let me create a username unless it had at least 2 #s. Put a 0 in front of it you might get root
|
|
#
?
Aug 19, 2017 18:44
|
|
|
maskenfreiheit posted:fun reverse of this story: Amex wouldn't let me create a username unless it had at least 2 #s. i think it's a good idea. compensates for idiot assholes who reuse username/password combos
|
|
#
?
Aug 19, 2017 19:13
|
|
|
My PIN is 4826 posted:dunno, but here's my liberal translation nice, thanks!
|
|
#
?
Aug 19, 2017 19:14
|
|
|
maskenfreiheit posted:fun reverse of this story: Amex wouldn't let me create a username unless it had at least 2 #s. we actually got rid of predictable usernames at work because the brute force bots were getting way too good
|
|
#
?
Aug 19, 2017 20:14
|
|
|
Shinku ABOOKEN posted:we actually got rid of predictable usernames at work because the brute force bots were getting way too good you should have added more entropy to the passwords rather than the usernames
|
|
#
?
Aug 19, 2017 20:39
|
|
|
Shinku ABOOKEN posted:we actually got rid of predictable usernames at work because the brute force bots were getting way too good
|
|
#
?
Aug 19, 2017 20:44
|
|
|
Shinku ABOOKEN posted:we actually got rid of predictable usernames at work because the brute force bots were getting way too good good job!
|
|
#
?
Aug 19, 2017 20:52
|
|
|
infernal machines posted:okay, so the issue is a "complex" password isn't necessarily a harder to crack password. assuming you're going for a human memorable password, you probably just want a long phrase rather than something that has a bunch of special characters in it. but also, if the thing just scores Name<birthyear> as complex* it's not very good either Yes, that's why I said short vs. Long. Showing someone a 20 character pass phrase is better than 8 with the gamut of characters. I'm not sure why you're so keen on making GBS threads on an educational tool.
|
|
#
?
Aug 19, 2017 21:45
|
|
|
because a tool that says "check your password here" is a stupid tool*. look at this website: http://www.speedypassword.com (http!!!) do you think "Test your password below to check its strength and find out how secure it is!" suggests you should enter your actual password? a site that offers to generate username and password pairs for you? seriously? *to be clear, i'm talking specifically about this password inspector website (you know, the one the tweet was about), password strength indicators in general can be useful assuming they're part of the service you're creating an account for, and properly weight things. telling someone to put their password into a random website probably isn't doing them any favours though infernal machines fucked around with this message at 22:07 on Aug 19, 2017 |
|
#
?
Aug 19, 2017 21:57
|
|
|
Shinku ABOOKEN posted:we actually got rid of predictable usernames at work because the brute force bots were getting way too good 
|
|
#
?
Aug 19, 2017 22:13
|
|
|
infernal machines posted:*to be clear, i'm talking specifically about this password inspector website (you know, the one the tweet was about), password strength indicators in general can be useful assuming they're part of the service you're creating an account for, and properly weight things. telling someone to put their password into a random website probably isn't doing them any favours though making a "password inspector" website that just displays "thanks for telling me your password, idiot" in giant letters once you press submit would probably be an effective way to teach people not to do that. hell, that might even be enough to cause them to change their now-compromised password
|
|
#
?
Aug 19, 2017 22:19
|
|
|
infernal machines posted:because a tool that says "check your password here" is a stupid tool*.
|
|
#
?
Aug 19, 2017 22:20
|
|
|
I think someone once posted here a sign up form that tried to log into your Twitter account with your given email and password and rejected your password if it was successful.
|
|
#
?
Aug 19, 2017 22:22
|
|
|
tl;dr: mozilla wants to readd the Totally Not Eddy Nigg/Mossad SSL vendor to the trust rolls https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c16 https://news.ycombinator.com/item?id=15055707 if the circlejerk ever shows it instead of a blank page, lol.
|
|
#
?
Aug 19, 2017 22:37
|
|
|
quote:> e.- StartCom has developed a new CMS system and website, using a new 
|
|
#
?
Aug 19, 2017 22:43
|
|
|
https://twitter.com/zacaj_/status/898999055707234305
|
|
#
?
Aug 19, 2017 22:49
|
|
|
mdl posted:tl;dr: mozilla wants to readd the Totally Not Eddy Nigg/Mossad SSL vendor to the trust rolls is that mozilla that wants to add it or is it some random gently caress
|
|
#
?
Aug 19, 2017 22:58
|
|
|
i'm glad them changing management again erasing all past attempts to hide changes in management
|
|
#
?
Aug 19, 2017 23:18
|
|
|
vOv posted:is that mozilla that wants to add it or is it some random gently caress our buddy iñigo works at startcom, but the original/first post in the thread is a mozilla employee stating that startcom are allowed to reapply. also, you have to click my comments to show them now, because apparently warning the public that mozilla are imbeciles who will undermine the entire browser/CA security model is "advocacy" and therefore should not appear un-collapsed in bugzilla by default
|
|
#
?
Aug 19, 2017 23:25
|
|
|
vOv posted:is that mozilla that wants to add it or is it some random gently caress that's just someone commenting in it now that startcom has applied to be re-admitted. there's nobody from Mozilla commenting on the request.
|
|
#
?
Aug 19, 2017 23:27
|
|
|
people are always allowed to reapply. doing otherwise would require tracking employment and private company ownership to avoid deemed reapplication. "are permitted to reapply" is boilerplate from Kathleen, not an invitation. see her other similar bugs. (disclosure: I wrote a bunch of the CA policies, authorized removals, and was Kathleen's boss)
|
|
#
?
Aug 19, 2017 23:30
|
|
|
Subjunctive posted:that's just someone commenting in it now that startcom has applied to be re-admitted. there's nobody from Mozilla commenting on the request. see the first post: https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c0 some credulous mozillan posted:StartCom may apply for inclusion of new (replacement) root certificates[1] following Mozilla's normal root inclusion/change process[2] (minus waiting in the queue for the discussion), after they have completed all of the following action items, and shown that WoSign has no control (people or code) over StartCom. edit: fix url mdl fucked around with this message at 23:35 on Aug 19, 2017 |
|
#
?
Aug 19, 2017 23:31
|
|
|
Subjunctive posted:people are always allowed to reapply. doing otherwise would require tracking employment and private company ownership to avoid deemed reapplication. "are permitted to reapply" is boilerplate from Kathleen, not an invitation. see her other similar bugs. if only there were databases that had this sort of information, or if any industry had the capacity to do it, such as the "information" "security" industry, which already does it. apparently this is too hard for the multi-national browser vendors Subjunctive posted:(disclosure: I wrote a bunch of the CA policies, authorized removals, and was Kathleen's boss) i'm glad you're saying this in past tense. i hope it means you aren't still employed in this capacity
|
|
#
?
Aug 19, 2017 23:34
|
|
|
mdl posted:if only there were databases that had this sort of information, or if any industry had the capacity to do it, such as the "information" "security" industry, which already does it. apparently this is too hard for the multi-national browser vendors I don't know of any database of private company employees, but I'm happy to be educated.
|
|
#
?
Aug 19, 2017 23:35
|
|
|
|
| # ? May 13, 2024 21:41 |
|
|
Subjunctive posted:I don't know of any database of private company employees, but I'm happy to be educated. have you honestly never received a background check? i'm not even talking about getting a security clearance; i mean the sort that companies often do on prospective employees. surely the browser/ca forum is capable of vetting CAs, which, i would like to point out, account for far fewer heads total than a single CA has customers. mdl fucked around with this message at 23:45 on Aug 19, 2017 |
|
#
?
Aug 19, 2017 23:39
|
|