Apparently the cost of not having to deal with a bajillion "my password doesn't work" support requests. Must have been a lot of calls/emails.

May 23, 2012 18:52

geonetix posted: Who needs internet security, right?

It makes sense when you consider the reduced number of technical support questions related to forgotten or mistyped passwords. A 16 character password would effectively take 16 million years to crack according to http://howsecureismypassword.net/

May 23, 2012 18:53

MEAT TREAT posted: It makes sense when you consider the reduced number of technical support questions related to forgotten or mistyped passwords. A 16 character password would effectively take 16 million years to crack according to http://howsecureismypassword.net/

Ugh, taking the caps out makes my Blizzard password go from 10 days to 3 hours. I use an authenticator so I don't feel like I need a stronger password.

May 23, 2012 18:56

poemdexter posted: Ugh, taking the caps out makes my Blizzard password go from 10 days to 3 hours. I use an authenticator so I don't feel like I need a stronger password.

At 10 days you were screwed no matter the caps; it's only really secure once you hit the years. And to hit that mark it's easier just making it longer than adding caps and weird symbols. Seriously, the password fuckthisgayearth takes 5 million years to crack and is very easy to remember.

Janitor Prime fucked around with this message at 22:20 on May 23, 2012

May 23, 2012 19:01

I can't wait for 'how secure is my credit card number'.

May 23, 2012 19:01

tef posted: I can't wait for 'how secure is my credit card number'

We're sorry, but we can only verify the security of your credit card by checking the last 3 digits on the back of your card.

May 23, 2012 19:03

MEAT TREAT posted: At 10 days you were screwed no matter the caps; it's only really secure once you hit the years. And to hit that mark it's easier just making it longer than adding caps and weird symbols. Seriously, the password fuckthisgayearth takes 5 million years to crack and is very easy to remember.

That password is longer than 16 characters, so you can't use it on Battle.net, and is extremely vulnerable to a dictionary attack.

May 23, 2012 19:04

quiggy posted: That password is longer than 16 characters

fuckthisgayearth
1234567890123456

May 23, 2012 19:16

MEAT TREAT posted: It makes sense when you consider the reduced number of technical support questions related to forgotten or mistyped passwords. A 16 character password would effectively take 16 million years to crack according to http://howsecureismypassword.net/

Regardless of that, I think it's a bad habit to truncate passwords, refuse characters (something Blizzard does too; for example '@' and '#' are refused) and make the password case insensitive. The more entropy you allow, the more secure your password can be, if your users feel the need to.

edit: added extra characters to negate e-mail remarks (even though it's a valid remark and people who use their e-mail address as their password deserve to get their accounts stolen)

geonetix fucked around with this message at 19:38 on May 23, 2012

May 23, 2012 19:24

I received this email from my institution's IT dept in response to a query about passwords:

quote: linux/unix silently truncates passwords to 8 characters

It does this not only when you set up your account, but every time you log in as well. Which means I can type in ********cockshitcuntfart as my password and it will work.

May 23, 2012 19:26

geonetix posted: '@' is refused

That makes sense as a way to keep stupid people from using their email address (or their email address simply reversed) as their password.

May 23, 2012 19:26

abiogenesis posted: I received this email from my institution's IT dept in response to a query about passwords:

They're dead wrong, though. This hasn't been the case for years, if not decades. Unless they mean "our linux/unix systems truncate passwords to 8 characters (because we have configured them to do so)", in which case they're right, but idiots.

E: except even then they're wrong, because even if you configure PAM or whatever to truncate, you'll get a warning about that when you set your password, so there's no "silently" about it.

May 23, 2012 19:42

abiogenesis posted: I received this email from my institution's IT dept in response to a query about passwords:

Then your IT is bad. http://stackoverflow.com/questions/2179649/are-passwords-on-modern-unix-linux-systems-still-limited-to-8-characters

May 23, 2012 19:42

quiggy posted: That password is longer than 16 characters, so you can't use it on Battle.net, and is extremely vulnerable to a dictionary attack.

(size of dictionary)^4 tends to be a pretty big number. "Extremely vulnerable" is a gross exaggeration. I'd also point out that unless Blizzard just lets connections make 50 million guesses at a password, the password strength only really matters if an attacker acquires their database. At that point (as long as you don't have a common password), the complexity of the hashing algorithm is as important (if not more) than the strength of your password. It would take significantly longer to bruteforce a case-insensitive bcrypt hash with an appropriate work factor than a case-sensitive SHA1 hash.

May 23, 2012 19:49

LordKaT posted: This isn't code, but it's related, and my face almost imploded when I read this.

The reasoning seems pretty straightforward. Fewer support calls about passwords. The majority of account passwords are compromised via user phishing or a keylogger. And using the hardware authentication makes a compromised password less of an issue. I also think Facebook does similar shenanigans where it will try a few rules to change your password and let you log in, such as inverting alpha characters as if the user typed with caps lock on, or inverting the first character as if it was auto-capitalized.

May 23, 2012 20:08

I think the bigger issue is that it can be a sign that your password is stored in plaintext somewhere. A hash would generally make a differentiation between "FuckThisGayEarth" and "fuckthisgayearth". (The other, more plausible solution is just turning all input to lowercase letters, but given the "security" of several large corporations these past few years, I suspect the worst.)

May 23, 2012 20:28

If you don't have an authenticator attached to your bnet account, pretty much anything even vaguely suspicious results in it getting locked. If you do have an authenticator, your password strength is unimportant. Brute forcing any password better than the account name or "password" would be pretty hard.

Zamujasa posted: I think the bigger issue is that it can be a sign that your password is stored in plaintext somewhere. A hash would generally make a differentiation between "FuckThisGayEarth" and "fuckthisgayearth".

May 23, 2012 20:46

Hibame posted: invert first character as if it was auto capitalized.

How the christ can a control tell if the first letter was autocapitalized...

May 23, 2012 20:51

epswing posted: How the christ can a control tell if the first letter was autocapitalized...

May 23, 2012 20:55

Have you ever called your bank and had to enter your web password over the phone? So if your password was 'fuckthisgayearth' you'd type in 9285244148398124. It worries me how they do that conversion.

May 23, 2012 21:05

ijustam posted: Have you ever called your bank and had to enter your web password over the phone?

I would hope that they produce and store a second "touch tone phone" hash when you are initially selecting the password, but if they didn't plan for that when they first created the system...

edit: And even then, you've massively decreased the amount of entropy in basically every password, which is still pretty bad.

May 23, 2012 21:07

quiggy posted: That password is longer than 16 characters, so you can't use it on Battle.net, and is extremely vulnerable to a dictionary attack.

Goddamn, that is a pretty thorough dictionary if they have "fuckthisgayearth".

May 23, 2012 21:16

Internet Janitor posted: I would hope that they produce and store a second "touch tone phone" hash when you are initially selecting the password, but if they didn't plan for that when they first created the system...

With the 8-character limit that a lot of banks have, it'd be pretty reasonable to simply hash every possible choice of letters from the keypresses.

May 23, 2012 21:21

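An added example (not code from the thread or from any bank) working through the two points above: deriving a separate salted "touch tone" hash at enrollment so the phone path never needs the plaintext, and counting how many passwords collapse onto one keypress sequence, which is the entropy loss Internet Janitor's edit refers to. The keypad layout, PBKDF2 from Python's standard library, and the sample password "sesame42" are assumptions.

```python
import hashlib
import hmac
import math
import os

# Standard touch-tone keypad groups (assumed layout; a real bank's IVR mapping is not known here).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
ROUNDS = 100_000  # PBKDF2 work factor; tune to your hardware


def keypad_digits(password: str) -> str:
    """Collapse a password to the digits a caller would press on the phone."""
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"{ch!r} cannot be typed on a keypad")  # '@', '#', '!' ...
    return "".join(out)


def enroll(password: str, salt: bytes = None) -> dict:
    """At password-set time derive a web hash and a separate phone hash, each salted and
    stretched, so the phone path never needs the plaintext later."""
    salt = salt or os.urandom(16)
    web = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    phone = hashlib.pbkdf2_hmac("sha256", keypad_digits(password).encode(), salt + b"phone", ROUNDS)
    return {"salt": salt, "web": web, "phone": phone}


def verify_phone(record: dict, digits: str) -> bool:
    """Check the digits the caller keyed against the stored phone hash, in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", digits.encode(), record["salt"] + b"phone", ROUNDS)
    return hmac.compare_digest(cand, record["phone"])


def candidates_for(digits: str) -> int:
    """Number of lowercase-alphanumeric passwords that collapse onto this keypress sequence:
    each key can stand for any of its letters or for the digit itself."""
    n = 1
    for d in digits:
        n *= len(KEYPAD.get(d, "")) + 1
    return n


def entropy_loss_bits(password: str) -> float:
    """Bits that someone who learns the digit string no longer has to guess, relative to a
    uniformly random lowercase-alphanumeric password of the same length (36 symbols/position)."""
    full = len(password) * math.log2(36)
    return full - math.log2(candidates_for(keypad_digits(password)))
```

For the constructed sample "sesame42" the digit string is "73726342", only 102400 alphanumeric passwords map onto it, and about 24.7 of the 41.4 bits an 8-character alphanumeric password could carry are gone.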
Zamujasa posted: (The other, more plausible solution is just turning all input to lowercase letters, but given the "security" of several large corporations these past few years, I suspect the worst.)

Pretty sure that's how they do it. It's just a game password, and not brute-forceable (against their servers), so meh, reasonable enough.

May 23, 2012 21:29

Strong Sauce posted: Goddamn, that is a pretty thorough dictionary if they have "fuckthisgayearth".

Just checked, even the RockYou list doesn't have it. In any form. So using "fuckthisgayearth" was a pretty safe password to use.

May 23, 2012 21:31

Guys, please stop giving out my super secure password.

May 23, 2012 21:41

Just change it to fuckthisstraightearth. We won't tell.

pigdog posted: Pretty sure that's how they do it.

Don't they have billing information in their accounts? Plus, if you've spent enough time getting your WoW character to whatever the max level is, I imagine it's got more than monetary value to you.

May 23, 2012 21:50

MEAT TREAT posted: It makes sense when you consider the reduced number of technical support questions related to forgotten or mistyped passwords. A 16 character password would effectively take 16 million years to crack according to http://howsecureismypassword.net/

May 23, 2012 22:53

Munkeymon posted: Just change it to fuckthisstraightearth. We won't tell.

God drat it, and I just got done changing all my passwords.

May 23, 2012 22:53

Aleksei Vasiliev posted: This assumes that only 250 million passwords can be attempted per second, which is a pretty drat low estimate.

I dunno, I think that's a pretty reasonable estimate for a desktop CPU. Obviously you can go a lot faster if you have a big cluster of GPUs, but that's not really the point the site is trying to make.

May 23, 2012 23:02

Zhentar posted: I dunno, I think that's a pretty reasonable estimate for a desktop CPU. Obviously you can go a lot faster if you have a big cluster of GPUs, but that's not really the point the site is trying to make.

May 23, 2012 23:05

Aleksei Vasiliev posted: Even with just the mid-high-end GPU in my desktop that I use for gaming I can get >1bn/s. It's pretty much guaranteed that an attacker who has access to the hashes will be using at least one GPU to attack them.

Against someone with access to the hashes, the complexity of the hashing algorithm is far more important than password strength as soon as you get outside the really dumb things like "your account name backwards" and "password".

May 23, 2012 23:13

Aleksei Vasiliev posted: Even with just the mid-high-end GPU in my desktop that I use for gaming I can get >1bn/s. It's pretty much guaranteed that an attacker who has access to the hashes will be using at least one GPU to attack them.

That's why you salt your hashes, of course. GPUs can't handle all that umami flavor, and they have to throw up every three servings, leaving half your results invalid.

May 23, 2012 23:37

tef posted: I can't wait for 'how secure is my credit card number'

http://ismycreditcardstolen.com/

May 24, 2012 02:31

Good luck when VISA find them. They're less tolerant of parody than the Olympics. (mycreditcarddetails.co.uk got shafted)

May 24, 2012 02:41

Suspicious Dish posted: That's why you salt your hashes, of course. GPUs can't handle all that umami flavor, and they have to throw up every three servings, leaving half your results invalid.

Better yet, don't try to think about hashing/salting/storing passwords yourself. There are plenty of good password stretching schemes with well-written libraries. Bcrypt is good. PBKDF2 is good. Hell, glibc/some BSDs' crypt() is good if you use the right options. Pick one and never worry again. Or everyone keep doing your own crypto, because that will keep a steady supply of stories rolling in to this thread.

May 24, 2012 03:16

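An added illustration of the storage advice in this exchange (not code from the thread or from any library it names): the fast unsalted hash that the GPU numbers above are about, beside a salted PBKDF2 store from Python's standard library, with an optional case-fold that gives a case-insensitive login without keeping plaintext, plus a rough timing helper to compare cost per guess. ROUNDS and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # PBKDF2 iterations; raise until one verify costs ~100 ms on your hardware


def store_unsalted_sha1(password: str) -> bytes:
    """The weak scheme: one fast hash, no salt. Equal passwords collide, and a single
    pass over a wordlist tests every user's hash at once."""
    return hashlib.sha1(password.encode()).digest()


def store_pbkdf2(password: str, fold_case: bool = False) -> dict:
    """Salted, stretched storage. fold_case=True reproduces a case-insensitive login
    (what the thread guesses Blizzard does) while still never storing the plaintext."""
    if fold_case:
        password = password.lower()
    salt = os.urandom(16)  # per-record salt: identical passwords get different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "rounds": ROUNDS, "digest": digest, "fold_case": fold_case}


def verify_pbkdf2(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    if record["fold_case"]:
        attempt = attempt.lower()
    cand = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(cand, record["digest"])


def guesses_per_second(hash_fn, samples: int) -> float:
    """Rough single-core rate for one candidate check with hash_fn. Absolute numbers are
    machine-specific; the ratio between the two schemes is the point."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate{i}")  # constructed guesses, not a real wordlist
    return samples / max(time.perf_counter() - start, 1e-9)
```

The timing helper only measures the stretching cost; a dedicated cracking rig still runs SHA1 orders of magnitude faster than this loop, which is exactly why the work factor, not the hash choice alone, is what buys time.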
Functional programming in zsh.

$ sum(){ foldl λ a b . 'echo $(($a + $b))' }
$ list {1..100} | sum
5050

May 24, 2012 03:19

Gotta admire the guys who knowingly and deliberately set out to make something terrible. Like whoever invented unify and surrender algorithms.

May 24, 2012 03:37

Fren posted: Functional programming in zsh.

Do you really have to use that lambda character?

May 24, 2012 06:21

Strong Sauce posted: Do you really have to use that lambda character?

It's just an alias for another function; you can use "lambda" instead.

May 24, 2012 06:55