| | Re: LUGNET Memberships Todd Lehman
|
| | (...) ouch. How easy is it for a thief to get your customer number? How many digits is your PIN? (...) natch. :) (...) Disable accounts on repeated fails and you make it trivial to DoS someone. Disable IP addresses and you lock out the innocent on (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | Re: LUGNET Memberships Joakim Olsson
|
| | | | Hi there! Excuse me if I am totally lost here... Is it not so that a 6 letter password containing letters from A to Z and 0 to 9, can have 36^6 different combinations and contains 48 bits in a unique order? A binary value containing 0 or 1 in 8 (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | (...) 36^6 is about equal to 2^31. Maybe it was typical 5-character pw's that resulted in 24-26 bits of true information...I don't remember for sure, it was many months ago. OK, yes, <calculator poking> 36^5 is about equal to 2^26. Also, IIRC, I (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: LUGNET Memberships Geoffrey Hyde
|
| | | | | I've been on a few BBSes, quite a while back now, and believe me, some of the passwords that I came up with were quite alphanumeric, and rather random. A hacker's chance of guessing a random, or even semi-random, password is therefore theoretically (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | Re: LUGNET Memberships Kevin Loch
|
| | | | (...) Not if you only disable logging in as that user from that IP. (...) I think a minimum of 6 characters is a good limit. It's the character diversity that is causing problems. Also, you could make failed attempts take a few extra seconds to (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | (...) Is there a way to tell if a given IP address is a shared proxy server or not? If you disable login access as one user from a given IP address, then you effectively disable login access as _all_ users from that IP address, because it would be (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: LUGNET Memberships Kevin Loch
|
| | | | | (...) Um, yes I know that. It's also possible to generate "human random" dictionaries that speed up brute force of "strong" passwords where users are forced within certain limits. BTW, I wonder what the keyspace is of all (8 chars and less as (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | (...) (URL) [...] On the other hand, a server could probably get around that by (...) I'm very tempted to head in that direction. Even not relaxing the strictness of the validator, I think it would be wise. (...) Cooking hacking is the logical place (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Kevin Loch
|
| | | | | (...) The BrickShelf uses the cookie returned *and* the IP address that the cookie was issued to in order to reauthenticate login. Nobody has complained about losing login yet via multiple proxies (i.e. AOL). Also, cookies can be made *much* more difficult (...) (24 years ago, 25-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Larry Pieniazek
|
| | | | | | (...) As is mine. Todd has one opinion of where that is. Some people think it is too strict. Some are happy. I wonder if any think it is too lenient? (...) I know it is affecting me. Todd sent me a new password and I set two more that hopefully I (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | | (...) I didn't plan for that. In the beginning, I honestly didn't think that anyone would ever forget their password (or at least not have it written down somewhere that they could find it). I'll have to come up with something. Since the pw's are (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Larry Pieniazek
|
| | | | | | | | (...) No, that would work. I wrote down the password you sent me and the two new ones I chose, and they are pretty memorable, I hope. Implement something that generates a new password AND wipes out ALL the old ones in one fell swoop. Then send me the (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Frank Filz
|
| | | | | | | | | (...) A solution to this could be to do the following: - when someone asks for a password reset, create a new password for them, put it in the list, also put it in a special "reset account" password file (along with the ID). - when the user receives (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Steve Bliss
|
| | | | | | | (...) Huh? Todd, I hope you meant to write, "I didn't think about dealing with people forgetting their passwords". People forget passwords *all* *the* *time*. That's why so many sites have such ridiculously insecure password requirements -- so (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | | (...) No, I meant exactly that: I didn't think that anyone would ever (a) forget their password or (b) not be able to just go look it up. When you put it in a cookie, you don't even have to remember it beyond that, unless you move to different (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | (...) But doesn't that make somebody have to log in again if they use *any* kind of non-static-IP connection -- i.e., a typical dial-up or DHCP connection -- and not limited only to shared proxy servers? If they're on a typical ISP dial-up PPP (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: Password checks (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | (...) I agree! In a cookie, you can put complete random garbage that only the authentication server knows how to interpret. And if certain bits contain an index, you can even use a one-time pad or other complex mapping to encrypt the data so that (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | Re: LUGNET Memberships Matthew Miller
|
| | | | (...) My old bank (US Trust) used my social security number + PIN for phone access to my account. Eep. (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | Re: LUGNET Memberships Dan Jezek
|
| | | | (...) I'm amazed at how complex and sophisticated the LUGNET password system is. There are the password suggestions, the password strength analyzer which even includes an internal dictionary and gives you the CPU time that it took to analyze the (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | (...) Yup, it's a serious system. Most systems don't take pw issues seriously. (...) We'll see how many people find it funny nine months from now. --Todd (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: LUGNET Memberships Mike Faunce
|
| | | | | | | "Todd Lehman" <lehman@javanet.com> wrote in message news:G1HDIu.J6p@lugnet.com... (...) other (...) I (...) So ... are you going to tell us what is going to happen nine months from now or just leave us hanging? IMHO, the password checker and system (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | | | | (...) A combination of things... first, by then there will be more things in place that will matter more; second, the pw validator will very likely be less stringent; third, I predict that within the next nine months, a major online banking site (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | Re: LUGNET Memberships Kevin Loch
|
| | | | | | | | | (...) Actually I found PayPal's pw filter to be fairly stringent. KL (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | | | | | | (...) What do you think about this?-- (URL) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | | | Re: LUGNET Memberships Geoffrey Hyde
|
| | | | | | | | | | Todd - an interesting but minor question about these thread links - if I wanted the thread unraveled all the way back to its source post, how would I do that? Cheers ... Geoffrey Hyde Todd Lehman <lehman@javanet.com> wrote in message (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | | | Thread views (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | | | | | (...) When you're viewing an article at the website (such as through one of the links as shown above), scroll down to the bottom of the page and click one of the "Entire Thread on One Page" links. You can see the thread in nested thread form or in (...) (24 years ago, 28-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | Re: LUGNET Memberships Dan Jezek
|
| | | | | | | | (...) I was thinking more from the perspective of what you are going to create that will have a span of 9 months and not what might happen on the internet outside of LUGNET in 9 months. This still doesn't explain why you have a sophisticated (...) (24 years ago, 28-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | | | pw checking (was: Re: LUGNET Memberships) Todd Lehman
|
| | | | | | | | (...) Well, enough new things that I think it will be hard for anyone to continue belittling the checking anymore. Plus, as I said before, it's possible (and likely, I hope) that the checking will be less stringent. Right now I'm guesstimating that (...) (24 years ago, 28-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: LUGNET Memberships Matthew Miller
|
| | | | | | | (...) I don't find it funny; I'm just glad it hasn't been a problem. It'd be nice to hack in some sort of GPG-based authentication system.... (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | Re: LUGNET Memberships Kevin Loch
|
| | | | | | (...) Huh? There is only one thing I can think of that has a nine month completion cycle, and it doesn't have a thing to do with passwords. Could you elaborate? KL (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | | | (...) LOL, no not that. :) --Todd (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | Re: LUGNET Memberships Dan Jezek
|
| | | | | | (...) Maybe Todd will finally unveil his gigantic space minifig colony. He's been promising it since '98 .... That would be something to see! I'm not laughing any more :-O - Dan (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | | | Space mining colony Todd Lehman
|
| | | | | | (...) Still on the back burner. (URL) (24 years ago, 27-Sep-00, to lugnet.people)
|
| | | | | | | | Re: Space mining colony Eric Joslin
|
| | | | | | (...) whatever you'd qualify them as that I've seen look ultra-sweet. But I'm hardly one to talk about low model output. I have at least three things I want to build in my head. Wait. I mean, I have at least three models in my head that I want to (...) (24 years ago, 27-Sep-00, to lugnet.people)
|
| | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | (...) That's a problem. It does fail too many good pw's, partially because it tries to be too clever in transmogrifications and 20 different language lookups in its dictionary of 3 million words. (It was just as easy to put in that many as it was to (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Dan Jezek
|
| | | | (...) ^^^...^^^ Ouch! I can only imagine the time it took you to key all that data in. (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Todd Lehman
|
| | | | | (...) FTP standard ASCII text document, one word per line. Convert to ISO-8859-1 if necessary (character-based search & replace, quick). Feed to indexer via pipe. Walk away, sip coffee, come back later, it's all done. No typing. --Todd (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Larry Pieniazek
|
| | | | (...) Imagine it is all you *can* do, as Todd didn't actually do the typing, he said he got lists of words readily available from the 'net that are made available (by whom?) to aid in building stronger password checkers. (and also to aid in building (...) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Matthew Miller
|
| | | | (...) University of Oxford. <ftp://ftp.ox.ac.uk/...rdlists/>. Wordlists have non-password related uses too, apparently. :) (24 years ago, 26-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: LUGNET Memberships Larry Pieniazek
|
| | | | (...) What? You mean there's more to LUGNET than sparring about passwords and spam? As to the link, thanks, new I had scene it B4. I never knead dictionaries, personally, except when siteing to refute... Just ask me, I'll be glad to tell you wot a (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Password Tips Kevin Loch
|
| | | | (...) I just figured out how to easially pass the LUGNET pw test. Use lots of special characters. This one: ^n).F6'%#*><}{#: scores a whopping 900% with no warnings. Just make sure you throw in a number a lower case letter and an upper case letter (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: Password Tips Todd Lehman
|
| | | | | (...) Gee, that was so funny I almost forgot to laugh. There are plenty of 6-character pw's that you can use that have 5 letters and one number or special character, and plenty of 7-character pw's that you can use that are all lowercase letters. I (...) (24 years ago, 27-Sep-00, to lugnet.people, lugnet.admin.general)
|
| | | | | | Re: Password Tips Larry Pieniazek
|
| | | | (...) Easially? (...) Hey, we better enhance the tester to prevent that password, it's kind of sort of easy to remember. <GD&R> Seriously, I like the active anti cracker defense idea a lot better and I think that's the better way to solve the (...) (24 years ago, 28-Sep-00, to lugnet.people, lugnet.admin.general)
|