Page 2 of 3 (results 26 to 50 of 67)
  1. #26 felgall (Programming Since 1978). Sydney, NSW, Australia. Joined Sep 2005. 16,788 posts.
    Quote originally posted by Stormrider:
    Yeh, it effectively allows a denial of service attack to happen!
    But only at the account level so the person gets their account moved to a different username and they are back in business while the attacker wastes time continuing to attack a permanently locked account.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  2. #27 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Perhaps, but anything that inconveniences the user that much has something wrong with it. Why should I have to change my username on a system just because someone is trying to hack it? Even something as simple as only allowing login attempts once every 5 seconds can work well - the user is unlikely to ever notice but it stops loads of login attempts on the same account, making brute forcing ineffective / impractical.

    Following the link earlier in this thread, my password's space would take 14.1 billion trillion years at a thousand guesses a second - already impractical, but imagine only being able to try this at 1/5000th the speed as well?
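The throttle the post suggests, one attempt per account every few seconds rather than a permanent lock, as an added example that is not code from the thread. The class, the rates and the event sequence are constructed here; a rejected attempt deliberately does not restart the timer, which is what keeps the account owner from being locked out by someone hammering the account.

```python
"""Added example: a per-account login throttle of the kind the post suggests
(one attempt per N seconds), as opposed to a permanent lockout. Not code from
the thread; the class, the rates and the event sequence are constructed here."""
import time
from typing import Dict, List, Optional, Tuple


class LoginThrottle:
    """Allow at most one login attempt per account every `min_interval` seconds.

    A rejected attempt does NOT restart the timer. If it did, an attacker
    hammering an account could keep the real owner out indefinitely, which is
    the denial-of-service problem raised earlier in the thread. Nothing is
    ever locked permanently; the owner gets through once the interval since
    the last *accepted* attempt has elapsed.
    """

    def __init__(self, min_interval: float = 5.0) -> None:
        self.min_interval = min_interval
        self._last_accepted: Dict[str, float] = {}

    def check(self, username: str, now: Optional[float] = None) -> float:
        """Return 0.0 if the attempt may proceed (and record it); otherwise
        the number of seconds the caller must wait before trying again."""
        now = time.monotonic() if now is None else now
        last = self._last_accepted.get(username)
        if last is not None and now - last < self.min_interval:
            return self.min_interval - (now - last)
        self._last_accepted[username] = now
        return 0.0


def slowdown_factor(guesses_per_second: float, min_interval: float) -> float:
    """Factor by which an online guesser is slowed. At 1000 guesses/s and a
    5 s interval this is 5000, the '1/5000th the speed' figure in the post."""
    return guesses_per_second * min_interval


def simulate(events: List[Tuple[float, str, str]],
             min_interval: float = 5.0) -> List[Tuple[str, bool]]:
    """Replay (time, actor, account) events through one throttle and report
    which attempts were accepted. The events stand in for a login log."""
    throttle = LoginThrottle(min_interval)
    return [(actor, throttle.check(account, now=t) == 0.0)
            for t, actor, account in events]


# Constructed scenario: an attacker hammers 'alice' every second; the real
# user tries once more than 5 s have passed since the last accepted attempt.
SCENARIO = [
    (0.0, "attacker", "alice"),  # accepted: first attempt on the account
    (1.0, "attacker", "alice"),  # rejected
    (2.0, "attacker", "alice"),  # rejected
    (3.0, "attacker", "alice"),  # rejected
    (4.0, "attacker", "alice"),  # rejected
    (5.5, "user", "alice"),      # accepted: 5.5 s since the last accepted one
    (6.0, "attacker", "alice"),  # rejected: timer now runs from 5.5
    (6.0, "attacker", "bob"),    # accepted: throttling is per account
]

if __name__ == "__main__":
    for actor, ok in simulate(SCENARIO):
        print(f"{actor:8s} {'accepted' if ok else 'rejected'}")
    print("slowdown factor at 1000 guesses/s:", slowdown_factor(1000, 5))
```

A per-account interval only slows guessing against one account; it does nothing against one common password sprayed across many accounts, so it is normally paired with a per-source limit and with monitoring of the overall failure rate. In a deployment with several web servers the `_last_accepted` map would live in a shared store rather than in process memory.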

  3. #28 TechnoBear (Life is not a malfunction). Argyll, Scotland. Joined Jun 2011. 6,088 posts.
    I had three sites hacked, one via FTP, two I don't know. All had so-called strong passwords, known only to me. I only access them from one, malware-free Linux machine, to which nobody else has access, so I'm pretty confident the problem was not at this end. Anyway, I cleaned up the sites, changed the passwords, etc. Unfortunately, I forgot to update the stored password for one site, so next time I logged in, it used the old password and (obviously) failed. I realised my mistake at once, entered the correct password and was met by a message that my account had been temporarily locked because of multiple unsuccessful log-in attempts and I should try again "in a short while". I couldn't decide whether to laugh or cry.

    On a related point, we've all been told not to use the same password for every site, so am I alone in being dubious about Windows Live ID, which uses the same log-in for everything from Hotmail to Bing Webmaster Tools? Seems like a security nightmare to me.

  4. #29 logic_earth (. shoooo...). CA. Joined Oct 2005. 9,013 posts.
    Quote originally posted by TechnoBear:
    On a related point, we've all been told not to use the same password for every site, so am I alone in being dubious about Windows Live ID, which uses the same log-in for everything from Hotmail to Bing Webmaster Tools? Seems like a security nightmare to me.
    Except Bing and Hotmail do not see your password. Only login.live.com gets your password. These services, like Windows Live ID, Google ID, OpenID, etc., are in fact more secure than having a username and password for every single site. First, the sites in question never get your password, only a token. And the sites that do take your password are secured at every level.

    In other words, you should not be dubious about it.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  5. #30 Aleksejs (secure webapps for all). Riga, Latvia. Joined Apr 2008. 755 posts.
    Troy Hunt has written a nice blog article on the subject:
    I’m sorry, but were you actually trying to remember your comical passwords?

  6. #31 SitePoint Member. Joined Aug 2011. 1 post.
    I think password length should be a minimum of 10 characters or digits (text).

  7. #32 ParkinT (Avid Logophile). Central Florida. Joined May 2006. 2,329 posts.
    Quote originally posted by Stormrider:
    Why is carrying a piece of paper around with your password on considered so bad? I'm sure there was some security expert recently who was encouraging it, because it's a lot better than the alternative (a weak password so you can remember it), and your wallet is a pretty secure place!
    When I am faced with a situation where I choose to 'write down' a password (and I try to avoid doing so) I always purposely mangle the password.

    For example: if my password is "G69*8DDf" I will write down "G69*8DfD".
    Only I know the transposition and that is much easier to remember than the entire password!
    Don't be yourself. Be someone a little nicer. -Mignon McLaughlin, journalist and author (1913-1983)



  8. #33 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Indeed. Even without that though, I'd say it's still more secure to use a strong password and keep it in your wallet than use a weak password and memorise it.

    A password manager is still the best solution of all, I reckon.

  9. #34 Non-Member. N43 44.4824', W079 13.9408. Joined Jan 2008. 2,220 posts.
    I just make sure my password would take a million years to hack; although I know it's not guaranteed, it's better than 'pooboo'. Although there is a downfall to my passwords: I can't remember them!

  10. #35 SitePoint Guru. Poland. Joined Dec 2003. 930 posts.
    I use a password manager (KeePass) and I keep it in my Dropbox account, which makes me feel pretty safe about not losing my passwords due to a hard disk failure, etc. I have a copy on at least 2 computers plus one on the remote Dropbox servers. I like it better than pieces of paper which can be stolen, lost, torn, burned, soaked, etc.

    My master password is 18 characters long; it's an easy-to-remember sentence about my personal preferences plus a memorable number. However, I don't set up random passwords - I prefer passwords which are somewhat difficult but which I can at least remember for a short period of time so that I don't have to launch KeePass every time I want to log in somewhere.

    The idea shown in the cartoon is pretty good! I think I have used too short and too difficult passwords most of the time.

  11. #36 Non-Member. N43 44.4824', W079 13.9408. Joined Jan 2008. 2,220 posts.
    Interesting, I should do the same thing: create a Dropbox account.

  12. #37 logic_earth (. shoooo...). CA. Joined Oct 2005. 9,013 posts.
    Skip Dropbox and use LastPass, it automatically saves to a "cloud" service.


  13. #38 SitePoint Member. Canberra. Joined Aug 2011. 7 posts.
    Password strength is so important these days. My PayPal account got hacked because it consisted of simple words. All of my passwords now are so complicated, even I can't remember them, lol. I write them down in a little book.

  14. #39 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Quote originally posted by logic_earth:
    Skip Dropbox and use LastPass, it automatically saves to a "cloud" service.
    I wouldn't trust ANY third party service to keep my passwords safe! If they got hacked, or had malicious intent, you are screwed. Dropbox has had its fair share of security problems as well... I have mine on an FTP, which KeePass supports natively. Also, I have it start up with Windows, so it's easy to use random passwords and KeePass is always there (I have to unlock it when I log in, but that's it). Ctrl-Alt-A autocompletes details!

    Also, as a link earlier in this thread pointed out, the XKCD advice isn't so good! Best way is using characters from all spaces (symbols, lowercase, uppercase, numbers), long and random.

  15. #40 SitePoint Guru. Poland. Joined Dec 2003. 930 posts.
    Quote originally posted by Stormrider:
    I wouldn't trust ANY third party service to keep my passwords safe! If they got hacked, or had malicious intent, you are screwed. Dropbox has had its fair share of security problems as well... I have mine on an FTP, which KeePass supports natively.
    I don't think trusting a third party service is that important here as long as you trust the software you use to encrypt your data properly. Both KeePass and LastPass store all data encrypted on your hard drive, and that is the form in which it gets sent to the servers. So even if someone gets access to your data on LastPass or Dropbox servers they won't access your passwords as long as you use a strong enough password for encryption.

    The question is whether you trust open source KeePass more or proprietary LastPass to properly encrypt your passwords. Personally, I would lean more towards open source, plus I like all my data to be in simple files and folders that are fully portable.

    But if I have a good master password why would I need to care if someone breaks into my Dropbox data? If they want to spend a few hundred centuries trying to break my password then I'm perfectly fine with this!

  16. #41 logic_earth (. shoooo...). CA. Joined Oct 2005. 9,013 posts.
    Quote originally posted by Stormrider:
    I wouldn't trust ANY third party service to keep my passwords safe! If they got hacked, or had malicious intent...
    Not an issue with LastPass. The only data they receive is a series of encrypted files. They don't even have your master password on file. Thus if you forget your password, your data is unrecoverable.


  17. #42 rguy84 (SitePoint Wizard). Durham, NC. Joined Sep 2005. 1,659 posts.
    Quote originally posted by poes:
    I've also been a fan of the idea that the input type="password" should only show stars if the user chooses that. Especially when people are filling in new passwords. It is in fact extremely possible to mistype a new password twice: I've done it several times actually. I've had to resort to opening a text file, typing what I want (so, in plain view of anyone looking over my shoulder anyway) and then pasting twice. Since that defeats the purpose, it should be something users can turn off.
    I am shocked you didn't share Jakob's article
    Ryan B | My Blog | Twitter

  18. #43 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Quote originally posted by logic_earth:
    Not an issue with LastPass. The only data they receive is a series of encrypted files. They don't even have your master password on file. Thus if you forget your password, your data is unrecoverable.
    Oh OK, I thought LastPass was a web based service. Does it have a client that does the encoding before it gets passed on?

  19. #44 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Quote originally posted by Lemon Juice:
    But if I have a good master password why would I need to care if someone breaks into my Dropbox data? If they want to spend a few hundred centuries trying to break my password then I'm perfectly fine with this!
    Ah, but you said your password only contains a sentence and numbers, so it isn't as strong as it could be :P I wouldn't use anything but a completely randomly generated string now. You learn to type them pretty easily after a few goes, even a long (20 character or so) one, and it's only 1 that you need to remember anyway.

  20. #45 logic_earth (. shoooo...). CA. Joined Oct 2005. 9,013 posts.
    Quote originally posted by Stormrider:
    Oh OK, I thought LastPass was a web based service. Does it have a client that does the encoding before it gets passed on?
    Yes, it's all client-side. Even on their website, JavaScript does the encryption and decryption locally. They have clients for almost all systems and browsers, as well as for mobile devices.

    If you are really concerned about the security of your passwords, LastPass supports dual-factor authentication, a YubiKey-like device for example.

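The client-side vault model described in posts #40, #41 and #45 (everything encrypted locally under the master password, the server holding only ciphertext, a forgotten master password being unrecoverable), worked through as an added example. This is not code from the thread and does not reproduce how KeePass or LastPass are built: scrypt stretches the master password into two independent keys, one that encrypts the vault on the client and one that only proves identity to a toy sync server, which stores a hash of it. The HMAC-based stream cipher is a stand-in for the AEAD (AES-GCM or similar) a real manager would use; all names, parameters and the server class are assumptions.

```python
"""Added example (not code from the thread, KeePass or LastPass): the
client-side vault model the posts describe. The master password never leaves
the client. scrypt stretches it into two independent keys: one encrypts the
vault locally, the other only proves identity to the sync server. The server
keeps ciphertext plus a hash of the auth key, so a breach of it yields nothing
usable without cracking the master password through scrypt first, and a
forgotten master password is genuinely unrecoverable. The HMAC-based stream
cipher is a stand-in for the AEAD (AES-GCM or similar) a real manager uses;
all names, parameters and the toy server are assumptions."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed work factor; tune upward in practice


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into (enc_key, auth_key). Both stay on the
    client; only a hash of auth_key is ever shown to the server."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, dklen=64, **SCRYPT_PARAMS)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    mac_key = hashlib.sha256(b"mac|" + enc_key).digest()
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hashlib.sha256(b"mac|" + enc_key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or corrupted vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncServer:
    """Toy cloud side. Per user it holds only: salt, sha256(auth_key), ciphertext."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        self.users[user] = {"salt": salt,
                            "auth_hash": hashlib.sha256(auth_key).digest(),
                            "blob": blob}

    def salt_for(self, user: str) -> bytes:
        return self.users[user]["salt"]

    def fetch(self, user: str, auth_key: bytes) -> bytes:
        rec = self.users[user]
        if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), rec["auth_hash"]):
            raise PermissionError("authentication failed")
        return rec["blob"]


def client_store(server: SyncServer, user: str, master: str, secrets: dict) -> None:
    """Client side of first sync: encrypt locally, upload ciphertext + auth key."""
    salt = os.urandom(16)
    enc_key, auth_key = derive_keys(master, salt)
    server.register(user, salt, auth_key, encrypt_vault(enc_key, json.dumps(secrets).encode()))


def client_open(server: SyncServer, user: str, master: str) -> dict:
    """Client side of a later login on another device: re-derive, fetch, decrypt."""
    enc_key, auth_key = derive_keys(master, server.salt_for(user))
    return json.loads(decrypt_vault(enc_key, server.fetch(user, auth_key)))


if __name__ == "__main__":
    srv = SyncServer()
    # Constructed sample vault content; nothing here is a real credential.
    client_store(srv, "alice", "correct horse battery staple", {"bank": "hunter2"})
    print(client_open(srv, "alice", "correct horse battery staple"))
    print("plaintext visible on server:", b"hunter2" in srv.users["alice"]["blob"])
```

The auth-key hash only stops a stranger from downloading the blob through the front door. Someone who obtains the ciphertext some other way (the Dropbox-breach scenario in the thread) still has to run scrypt once per master-password guess, so the whole defence reduces to the master password's strength multiplied by the KDF cost, which is exactly why the "few hundred centuries" argument depends on both.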

  21. #46 Mittineague (Programming Team). West Springfield, Massachusetts. Joined Jul 2005. 17,036 posts.
    My passwords have evolved over the years. From "pet's name" to "pet's name with a number" to "pet's name with substitutions".

    Now I usually do "one off". Something that makes sense to me and is easy to remember but instead of the actual key I use one next to it.

    And I have a notebook full of them since I try to always use a different one for the many sites I'm registered at. If I ever lose that I sure hope the sites have the "did you forget" feature !

  22. #47 SitePoint Guru. Poland. Joined Dec 2003. 930 posts.
    Quote originally posted by Stormrider:
    Ah, but you said your password only contains a sentence and numbers, so it isn't as strong as it could be :P I wouldn't use anything but a completely randomly generated string now. You learn to type them pretty easily after a few goes, even a long (20 character or so) one, and it's only 1 that you need to remember anyway.
    Well, the sentence also contains some special characters so it's not that bad. Anyway, I believe for a person like me a completely random password is too extreme; who would want to spend a huge amount of computational power to crack a password of some unknown John Smith? If the attacker is not able to use a fast dictionary attack he'll move on to someone else. He would need to have a very compelling reason to try to break a long password of a person. So I prefer to have a password that is long but easy to remember.

    What about this article: GRC's Password Haystacks: How Well Hidden is Your Needle?

    The author argues that a password like D0g..................... is more secure than PrXyc.N(n4k77#L!eVdAfp9 because it has more characters while dictionary attacks are equally ineffective. I don't know if I'm convinced but he may have a good point.

  23. #48 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Quote originally posted by logic_earth:
    Yes, it's all client-side. Even on their website, JavaScript does the encryption and decryption locally. They have clients for almost all systems and browsers, as well as for mobile devices.

    If you are really concerned about the security of your passwords, LastPass supports dual-factor authentication, a YubiKey-like device for example.
    But KeePass does all this as well, and is free. The only difference is you have to sort out the online sharing bit yourself - nothing an FTP account can't solve (or indeed Dropbox).

  24. #49 Stormrider (SitePoint Wizard). Nottingham, UK. Joined Sep 2006. 3,133 posts.
    Quote originally posted by Lemon Juice:
    Well, the sentence also contains some special characters so it's not that bad. Anyway, I believe for a person like me a completely random password is too extreme; who would want to spend a huge amount of computational power to crack a password of some unknown John Smith?
    That's not the point - there are ALWAYS people willing to crack anyone's password just as a challenge. And you never know how valuable your passwords can be - banking? Your whole online identity? Email?

    Quote originally posted by Lemon Juice:
    The author argues that a password like D0g..................... is more secure than PrXyc.N(n4k77#L!eVdAfp9 because it has more characters while dictionary attacks are equally ineffective. I don't know if I'm convinced but he may have a good point.
    Indeed, length is the most important factor, but after that it says using all different types of characters is (in fact, both passwords use symbols, lowercase, uppercase and numbers). Imagine if everyone started using that though - suddenly they become easy to crack because you try dictionary words plus a bit of padding.

    Anything with a 'system' can be cracked. It might be impractical now but tools develop, things like that get better. You never know. Enigma may have stayed unbroken if it wasn't for the way people used it - many used girlfriends' initials etc. to encode messages, and then when they repeated the first 3 characters of a message twice at the beginning of each message, it led to each message being cracked a lot easier.

    I'm of the opinion that the only decent password is a totally randomly generated one. Anything with a system, or a meaning, is vulnerable to attack, and whatever the inconvenience of spending 5 or 10 minutes learning 20 or so characters in a row is, my online identity, banking info etc is worth a lot more than that inconvenience. Why make assumptions and take chances to save a few minutes of your life? It makes no sense to me at all!

    I used to use incredibly weak passwords - digits only, 5 characters long. I thought no one would guess it because the numbers didn't mean anything and it was totally random. I now realise how idiotic this mindframe was, then moved on to an 8 character random password, yet still used the same password for everything. Now, I have gone on to 20 character, random, and even I don't know what my passwords are - and being introduced to KeePass did all that! I won't go back now.
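The two positions in posts #47 and #49, the "haystack" view that a longer padded password has the larger exhaustive search space, and the reply that a known padding system collapses that space to dictionary words plus padding, put side by side in numbers as an added example. This is not code from the thread or from GRC; the character-class sizes, the dictionary size and the substitution count are assumptions chosen for illustration, and the attacker model in `pattern_bits` is a generic one rather than any particular tool's.

```python
"""Added example for the 'haystack' argument and the reply to it: the
exhaustive search space of a padded password versus a random one, and the
much smaller space an attacker searches once the padding pattern is known.
Not code from the thread or from GRC; the class sizes, the dictionary size
and the substitution count are assumptions chosen for illustration."""
import math
import string

# Assumed alphabet classes: 95 printable ASCII = 26 + 26 + 10 + 33 (symbols incl. space)
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

PADDED = "D0g" + "." * 21            # the GRC-style example quoted in the thread
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"   # the random example quoted in the thread


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover, taken as the union
    of every character class the password uses."""
    return sum(size for chars, size in CLASS_SIZES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space alphabet**length: the 'haystack' view."""
    return len(password) * math.log2(alphabet_size(password))


def pattern_bits(dictionary_words: int, substitution_variants: int,
                 pad_alphabet: int, max_pad_length: int) -> float:
    """log2 of the space an attacker tries if they know the construction is
    'dictionary word, a few leet substitutions, one character repeated as
    padding'. This is the 'dictionary words plus a bit of padding' search
    the reply describes; the haystack size no longer matters to it."""
    return math.log2(dictionary_words * substitution_variants
                     * pad_alphabet * max_pad_length)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, pw in (("padded", PADDED), ("random", RANDOM)):
        b = brute_force_bits(pw)
        print(f"{label}: {len(pw)} chars over {alphabet_size(pw)} symbols = {b:.1f} bits,"
              f" {years_to_exhaust(b, 1e9):.3g} years at 1e9 guesses/s")
    # Assumed attacker model: 100k-word list, 64 substitution variants per word,
    # 33 possible pad characters, pad length up to 40.
    pb = pattern_bits(100_000, 64, 33, 40)
    print(f"padded, pattern known: {pb:.1f} bits, {years_to_exhaust(pb, 1e9):.3g} years")
```

Under the exhaustive model the padded 24-character string does come out slightly ahead of the 23-character random one, which is the haystack point. The same padded string under the pattern-aware model drops to roughly 33 bits, a space a single machine finishes quickly even with an expensive hash, which is the reply's point: the random string's strength does not depend on the attacker being ignorant of how it was made.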

  25. #50 ryanhellyer (SitePoint Wizard). New Zealand. Joined Oct 2006. 2,323 posts.
    I assume this comic was inspired by the password haystacks episode of Security Now (The TWiT Netcast Network with Leo Laporte) which aired only a few weeks before the comic was made. They also mention the comic in one of their latest episodes.

