To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 6340
    Re: Opinions wanted: article rating harmful? (was: New feature: Article rating) —Larry Pieniazek
   (...) Time is time, all I have to do is look at the number of posts about it to tell that some time was spent on it, by you, by me, by others, regardless of how much time was development time vs playing with it time vs loading up its DB. I won't (...) (25 years ago, 21-Apr-00, to lugnet.admin.general)
   
        PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
   (...) Fair enough. (...) Not really. Wish I hadn't had to. (...) Not really, no. It's not intended as a toy or a means of entertainment. I enjoyed getting feedback on aspects of it to the extent that getting useful feedback is enjoyable. (...) Not (...) (25 years ago, 21-Apr-00, to lugnet.admin.general)
   
        Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Richard Franks
     (...) Even if you have great passwords - can't just anyone in the intervening networks between the user and LUGNET just snoop in and copy down the unencrypted password? Richard (25 years ago, 22-Apr-00, to lugnet.admin.general)
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Matthew Miller
      (...) Not if it uses https, which I assume it will at some point. (25 years ago, 22-Apr-00, to lugnet.admin.general)
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
      (...) As long as it's using http and not https, yes. Once it's in a cookie, it's no longer plaintext, so it's less susceptible to snooping although still susceptible to playback attacks. --Todd (25 years ago, 22-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Jeremy H. Sproat
      (...) Aren't the contents of a cookie simply Base64-encoded? I mean, it's a wel-known and reversable format. Cheers, - jsproat (25 years ago, 22-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Matthew Miller
       (...) I assume it's a one-way hash of some sort. I'd guess (without looking) that it's probably md5.... (25 years ago, 22-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
      (...) No, the last phase of encoding (and thus the first phase of decoding) for the sign-in cookie is a Base16 (ASCII hex [0-9A-F]) pass. This, however, is applied to an already-encrypted id/pw combo, which has been passed through a pad-style (...) (25 years ago, 22-Apr-00, to lugnet.admin.general)
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
     (...) So are you going to enforce that people HAVE to set their passwords to things that the validator feels don't suck, or are you going to give advice but allow it anyway? The former is rather draconian for a site that doesn't handle money. I've (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
      (...) That is its purpose. --Todd (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Richard Franks
       (...) But the validator doesn't find non-sucky passwords, it just finds the least randomised - ie, it will pass something like: 4h(i,>$s& but fail: 4h(i,>$s&-fun What's the point of allowing people to change from their highly randomised default (...) (25 years ago, 23-Apr-00, to lugnet.admin.general) ! 
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Matthew Miller
        (...) It's finding _more_ random passwords in a technical sense of "random". (More random = containing no sequences. Or more accurately, no part of the number follows from any other part.) I agree that the super-cool validator may be overkill for (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Richard Franks
        (...) Yup - you're right - my squiff (I meant *more*) :) (...) I'd be happy with a user-responsible password for membership logins (ie 90% of membership use including posting privilidges), but with authorisation through a LUGNET-validated password (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            (canceled) —Larry Pieniazek
        
             Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —John Matthews
         I can't believe that Larry posted this twice (accident maybe, maybe not). I am with Larry on this one. This is a problem that requires a simple solution. Please do not confuse simple with simplistic. It is a complicated problem; the solution, while (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)
        
             Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
         (...) It was an accident and I would appreciate the first one being cancelled. There is a difference in phrasing of less than 1% between the first and second, but it's crucial. (...) I appreciate the support but I don't actually agree with John. At (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)  
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
         (...) a (...) I wouldn't. Look. I've read through the plan several times. There is nothing there that needs this *insane* level of protection. Nothing. Really. We are *not* talking missile lanuch codes here, people. Two levels of passwords is (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)  
       
            Re: PW validation —Todd Lehman
        (...) Ya, sorta... But not so much two different states of logins as two tiers of passwords which would both be required (only if you wanted it that way) before you'd be considered actually logged in. In other words, you could give two passwords (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
       (...) It's perfectly content to "pass" most 6- to 8- character pw's constructed by the first letter of successive words, especially if the pw includes a digit, a capital letter, or a special character. Those types of things tend to be "random" from (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)  
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Richard Franks
       (...) Maybe I'm just miffed because it failed *all* of the passwords I use? :) If I did anything that even remotely required great security that would be a problem I guess! (...) *mumble*mumble* Look over there - a MISB Galaxy Explorer! (...) It's (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Eric Joslin
        (...) Me too. I mean, I'm not miffed (I have *much* better things to get miffed about) but it did fail, without exception, every password I have ever used. (...) I do. And the things I apply them to have checks for weak passwds. I suspect that they (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Eric Joslin
        (...) In a row. Very important phrase I left out. (...) eric (25 years ago, 23-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
       (...) Are there any that it gave between 0% and 100% to? (i.e., not < 0% ?) (...) Eeek -- no! -- locking people out on a failed login attempt would certainly negate the danger of a brute-force of attack, but it would make an entirely new type of (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
       (...) Draconian and rather big-parentish. Why can't I take the risk of a sucky password if I so choose? Not that I personally would, mind you. Now, unlike government jackbootedness, we do as consumers have a choice not to use Lugnet... but what (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)  
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
       (...) You put more at risk than your own data or matters when you choose a sucky password. (Think about it.) (...) Increased probability of successful brute-force compromises. (...) Have I somehow given you the impression that that the only purpose (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Dan Boger
        (...) true, but can't you limit the number of attempts to, say, 5 in 30 minutes... that will make brute force attacks impractical... :) Dan (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
        (...) How without opening an equally dangerous door? --Todd (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Dan Boger
        (...) Well, for a brute force attack to be successful, they have to try 100,000s of passwords... if you limit them to 5 tried every 30 minutes, it's pretty certain that they won't stumble upon the correct password before the password owner dies... (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
        (...) Denial of service. I could write a bot that wakes up every 4 minutes and tries 6 random passwords for your account (and theoretically every one else's too) thus denying you (or theoretically anyone) the ability to get on as a member, because (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
       (...) Who said that? Not me... ++Lar (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Kevin Wilson
       (...) In that case, you may as well not bother allowing us to change passwords since we can only change to one just as random and hard to remember, which will also go up on a yellow sticky on the monitor like the current one is... (if I worked in an (...) (25 years ago, 23-Apr-00, to lugnet.admin.general) ! 
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Anders Isaksson
      Todd Lehman skrev i meddelandet ... (...) I think that's unwise (to _force_ people to use an acknowledged pw). Two reasons: - one cannot choose a password that is easy to remember --> it will be written down in some easy accessible place. - by (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
      (...) Can't or won't? (...) I don't believe that's the case. (URL) - the refutation of a password makes the customer irritated, especially if (...) I may have to make a short FAQ page. (...) SW:Ep1 M:Tron6989 70'sLEGO 2*4Brick Pi3.14159 12:34Sunday (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
       (...) Oops, almost forgot to list the classic counterexample! E=mc^2 That uses a mix of... * At least one uppercase letter from A-Z * At least one lowercase letter from a-z * At least one numeric digit from 0-9 * At least one "special" character (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Anders Isaksson
       Todd Lehman skrev i meddelandet ... (...) I'm not sure what you're asking here... What I tried to say was: If I have to construct a (for me) strange password, 'just to please the system' (that's how most users see it, at least), the probability of (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
       (...) oh, sorry. I was asking if you meant that people (a) actually wouldn't be _able_ to choose a password that was easy for them to remember or (b) actually could but wouldn't bother trying to come up with one that was easy for them to remember. (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
       (...) but not all. I don't. (...) I doubt most people that write down passwords apply any of these cyphers to them but I am just speculating on this particular point. (...) Fascinating... can you provide a reference for this assertion, or is it just (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —John Matthews
        From the last two posts, I think I have arrived at my own conclusion on this matter. Todd wants to protect his hard earned work by issuing complicated passwords that theoretically cannot be hacked. I can't blame Todd for this notion, it seems to (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)
       
            (canceled) —Todd Lehman
       
            Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
        (...) Thanks for your insightful and thoughtful comments, John! It's really not as complicated as it may seem. There is a simple pw tester, it does a reasonable job of identifying weaknesses in pw's, and it outputs a number in a range. It fails (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)  
      
           (canceled) —Scott Arthur
      
           Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Scott Arthur
       This is an interesting subject. However, I only know one person who keeps a written note of his password/ATM number etc. The only reason he does this is because he is dyslexic. Despite that, I'm sure that as more and more web services now ask for (...) (25 years ago, 25-Apr-00, to lugnet.admin.general)
     
          Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Larry Pieniazek
      (...) NONE of those are bad passwords for the level of security that LUGNET, now, or ever, (2) will require. To think differently implies that either there is something far far deeper and earth shatteringly important about to happen at some point (...) (25 years ago, 23-Apr-00, to lugnet.admin.general) ! 
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Kevin Loch
     (...) asked Not to mention that Lugnet != NSA. KL (25 years ago, 24-Apr-00, to lugnet.admin.general)
   
        Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Mike Stanley
   (...) I haven't posted with respect to this in a while, but I would like to say that if you use this current validator to validate what people can choose for passwords you might as well just not use it and keep sticking people with the ones you are (...) (25 years ago, 26-Apr-00, to lugnet.admin.general)  
   
        Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Todd Lehman
     (...) Thanks for the above data points. How badly did it fail them by? Did you catch this post from Monday?-- (URL) threshold number was below the all the number returned for the ones you tried that it failed? Would a threshold of, say, 50 (instead (...) (25 years ago, 26-Apr-00, to lugnet.admin.general)
    
         Re: PW validation (was: Re: Opinions wanted: article rating harmful?) —Mike Stanley
     (...) Pretty badly - I know they were all worthless. I didn't really pay attention to the numbers. I think they were as low negatively, though, as the "first leter from each word in a sentence" was positively, though. (...) I think they were all < (...) (25 years ago, 26-Apr-00, to lugnet.admin.general)
   
        Re: PW validation terms/labels —Larry Pieniazek
   I find the labels a bit pejorative, as they impose your thinking on what level of security is appropriate on what should just be strength metrics. For example at setting 1 "lax" it fails passwords that I consider perfectly adequate for the risk (...) (24 years ago, 5-May-00, to lugnet.admin.general)
   
        Re: PW validation terms/labels —Todd Lehman
   (...) OK, fair enough. Labels gone. Just pure numbers in the drop-down list now. (...) The label covers (covered) what the setting allows in the worst-case. If you poke around enough (or, as I've done, run scripts internally that hammer on it to (...) (24 years ago, 5-May-00, to lugnet.admin.general)  
   
        Re: PW validation terms/labels —Frank Filz
   (...) Perhaps part of the problem is the relative weights attached to various elements of strength of passwords. I would generally agree that a 4 character password should not be accepted (of course I suspect most of us have a significant amount of (...) (24 years ago, 5-May-00, to lugnet.admin.general, lugnet.off-topic.debate)
   
        Re: PW validation terms/labels —Todd Lehman
   (...) For the average person or script kiddle to crack a 4-digit PIN via brute force, they'd have to: (1) first actually get someone's card; and then (2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed to eat cards after a (...) (24 years ago, 5-May-00, to lugnet.off-topic.debate)
   
        Re: PW validation terms/labels —Frank Filz
   (...) (1) is certainly true, (2) is mostly true (there are many ATMs, including ones in stores which can not eat cards, and probably don't alert the cashier to take the card [possibly dangerous if the person using the card is a real criminal]). (...) (24 years ago, 5-May-00, to lugnet.off-topic.debate)
   
        Re: PW validation terms/labels —Todd Lehman
   (...) oh! OK. I totally totally totally agree with that! --Todd (24 years ago, 5-May-00, to lugnet.off-topic.debate)
 

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR