Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Even if you have great passwords - can't just anyone in the intervening networks between the user and LUGNET just snoop in and copy down the unencrypted password? Richard (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Not if it uses https, which I assume it will at some point. (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) As long as it's using http and not https, yes. Once it's in a cookie, it's no longer plaintext, so it's less susceptible to snooping although still susceptible to playback attacks. --Todd (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Aren't the contents of a cookie simply Base64-encoded? I mean, it's a well-known and reversible format. Cheers, - jsproat (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) I assume it's a one-way hash of some sort. I'd guess (without looking) that it's probably md5.... (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) No, the last phase of encoding (and thus the first phase of decoding) for the sign-in cookie is a Base16 (ASCII hex [0-9A-F]) pass. This, however, is applied to an already-encrypted id/pw combo, which has been passed through a pad-style (...) (25 years ago, 22-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) So are you going to enforce that people HAVE to set their passwords to things that the validator feels don't suck, or are you going to give advice but allow it anyway? The former is rather draconian for a site that doesn't handle money. I've (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) That is its purpose. --Todd (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) But the validator doesn't find non-sucky passwords, it just finds the least randomised - i.e., it will pass something like: 4h(i,>$s& but fail: 4h(i,>$s&-fun What's the point of allowing people to change from their highly randomised default (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Draconian and rather big-parentish. Why can't I take the risk of a sucky password if I so choose? Not that I personally would, mind you. Now, unlike government jackbootedness, we do as consumers have a choice not to use Lugnet... but what (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) In that case, you may as well not bother allowing us to change passwords since we can only change to one just as random and hard to remember, which will also go up on a yellow sticky on the monitor like the current one is... (if I worked in an (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Todd Lehman wrote in the message ... (...) I think that's unwise (to _force_ people to use an acknowledged pw). Two reasons: - one cannot choose a password that is easy to remember --> it will be written down in some easily accessible place. - by (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) It's finding _more_ random passwords in a technical sense of "random". (More random = containing no sequences. Or more accurately, no part of the number follows from any other part.) I agree that the super-cool validator may be overkill for (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) It's perfectly content to "pass" most 6- to 8-character pw's constructed by the first letter of successive words, especially if the pw includes a digit, a capital letter, or a special character. Those types of things tend to be "random" from (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Yup - you're right - my squiff (I meant *more*) :) (...) I'd be happy with a user-responsible password for membership logins (i.e. 90% of membership use including posting privileges), but with authorisation through a LUGNET-validated password (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) You put more at risk than your own data or matters when you choose a sucky password. (Think about it.) (...) Increased probability of successful brute-force compromises. (...) Have I somehow given you the impression that the only purpose (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) true, but can't you limit the number of attempts to, say, 5 in 30 minutes... that will make brute force attacks impractical... :) Dan (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) How without opening an equally dangerous door? --Todd (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Well, for a brute force attack to be successful, they have to try 100,000s of passwords... if you limit them to 5 tries every 30 minutes, it's pretty certain that they won't stumble upon the correct password before the password owner dies... (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Maybe I'm just miffed because it failed *all* of the passwords I use? :) If I did anything that even remotely required great security that would be a problem I guess! (...) *mumble*mumble* Look over there - a MISB Galaxy Explorer! (...) It's (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Me too. I mean, I'm not miffed (I have *much* better things to get miffed about) but it did fail, without exception, every password I have ever used. (...) I do. And the things I apply them to have checks for weak passwds. I suspect that they (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) In a row. Very important phrase I left out. (...) eric (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Can't or won't? (...) I don't believe that's the case. (URL) - the refutation of a password makes the customer irritated, especially if (...) I may have to make a short FAQ page. (...) SW:Ep1 M:Tron6989 70'sLEGO 2*4Brick Pi3.14159 12:34Sunday (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Are there any that it gave between 0% and 100% to? (i.e., not < 0% ?) (...) Eeek -- no! -- locking people out on a failed login attempt would certainly negate the danger of a brute-force attack, but it would make an entirely new type of (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Oops, almost forgot to list the classic counterexample! E=mc^2 That uses a mix of... * At least one uppercase letter from A-Z * At least one lowercase letter from a-z * At least one numeric digit from 0-9 * At least one "special" character (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
Todd Lehman wrote in the message ... (...) I'm not sure what you're asking here... What I tried to say was: If I have to construct a (for me) strange password, 'just to please the system' (that's how most users see it, at least), the probability of (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

(canceled)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) a (...) I wouldn't. Look. I've read through the plan several times. There is nothing there that needs this *insane* level of protection. Nothing. Really. We are *not* talking missile launch codes here, people. Two levels of passwords is (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Who said that? Not me... ++Lar (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Denial of service. I could write a bot that wakes up every 4 minutes and tries 6 random passwords for your account (and theoretically everyone else's too) thus denying you (or theoretically anyone) the ability to get on as a member, because (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) NONE of those are bad passwords for the level of security that LUGNET, now, or ever, (2) will require. To think differently implies that either there is something far far deeper and earth shatteringly important about to happen at some point (...) (25 years ago, 23-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) oh, sorry. I was asking if you meant that people (a) actually wouldn't be _able_ to choose a password that was easy for them to remember or (b) actually could but wouldn't bother trying to come up with one that was easy for them to remember. (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) but not all. I don't. (...) I doubt most people that write down passwords apply any of these cyphers to them but I am just speculating on this particular point. (...) Fascinating... can you provide a reference for this assertion, or is it just (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation
(...) Ya, sorta... But not so much two different states of logins as two tiers of passwords which would both be required (only if you wanted it that way) before you'd be considered actually logged in. In other words, you could give two passwords (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
I can't believe that Larry posted this twice (accident maybe, maybe not). I am with Larry on this one. This is a problem that requires a simple solution. Please do not confuse simple with simplistic. It is a complicated problem; the solution, while (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) It was an accident and I would appreciate the first one being cancelled. There is a difference in phrasing of less than 1% between the first and second, but it's crucial. (...) I appreciate the support but I don't actually agree with John. At (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
From the last two posts, I think I have arrived at my own conclusion on this matter. Todd wants to protect his hard earned work by issuing complicated passwords that theoretically cannot be hacked. I can't blame Todd for this notion, it seems to (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

(canceled)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) asked Not to mention that Lugnet != NSA. KL (25 years ago, 24-Apr-00, to lugnet.admin.general)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
(...) Thanks for your insightful and thoughtful comments, John! It's really not as complicated as it may seem. There is a simple pw tester, it does a reasonable job of identifying weaknesses in pw's, and it outputs a number in a range. It fails (...) (25 years ago, 24-Apr-00, to lugnet.admin.general)

(canceled)

Re: PW validation (was: Re: Opinions wanted: article rating harmful?)
This is an interesting subject. However, I only know one person who keeps a written note of his password/ATM number etc. The only reason he does this is because he is dyslexic. Despite that, I'm sure that as more and more web services now ask for (...) (25 years ago, 25-Apr-00, to lugnet.admin.general)