Admin
Yeah, and if it's too hard to remember, it's probably going to end up sticky-noted on the side of the monitor.
CAPTCHA: odio - they forgot the 'us' on the end
Admin
so maybe u don't need to be beaten with large blunt objects but I wouldn't exactly call you a security expert either. Just consider the most effective attack ever: social engineering. Security CANNOT be removed from an understanding of how people behave!
This type of policy has proved time and again to produce passwords written down at PCs, which is no security at all. No one will ever remember such a password. A better solution is to focus on user education so that genuinely secure passwords can be used regardless of these arbitrary constraints.
Admin
What I hate is when you get used to dialing the phone through the computer, then go to a real phone and try to dial the same number subconsciously.
Admin
My favourite technique for long passwords is to pick a couple of easy-to-remember bits of information, e.g. a phone number and a name (8 digits). Then put them together alternating, e.g.:
97851234 (phone number not a real number, I hope) lillian# (name with a special character added to make the length)
Then combine them alternating, so: 9 7 8 5 1 2 3 4 l i l l i a n #
So the password becomes: 9l7i8l5l1i2a3n4#
But it's still easy to remember because the two parts are easy to recall.
Admin
Ha. Pretty close to one place I worked at a few years back. They did min length of 8 and "only" remembered the last 15-20 passwords... But other than that, spot on. Thankfully I only worked there for a little over a month while the normal guy was on leave (wasn't his policy either, it was a head office one).
Admin
How come dictionary attacks are possible over the internet?
I would think the most basic security measure is to block the IP for some time after several authentication failures.
Admin
The only real useful password strength is length, as with all keys.
Since many years back I have always picked my passwords to be a complete sentence, for example:
"I will bring this shit to the end!"
Admin
Well, that opens the door for a DoS attack on the service and isn't very effective since IP-spoofing isn't that hard.
Admin
It might not be that hard to spoof but I'm guessing you'll get most of the script kiddies that way. And why check by IP? Just record the username, and let them wait 1 second longer every time they try that username...
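The per-username delay suggested above, as an added example that is not from the thread: each failed attempt adds one second of wait for that username, throttled attempts are rejected before the password is even checked, and the delay is capped so that a flood of bad attempts cannot lock a real user out indefinitely (the DoS concern raised earlier). The user store, the clock hook and all names are assumptions for the illustration.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample credential store: username -> password. Plain text only
# to keep the example short; a real store holds salted password hashes.
USERS = {"alice": "I was blind579, thenwent ON!", "bob": "hunter2"}


@dataclass
class Throttle:
    """Per-username progressive delay: every failed login adds `base` seconds
    before the next attempt for that username is accepted, capped at
    `max_delay`. A successful login clears the counter."""
    base: float = 1.0
    max_delay: float = 60.0
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def retry_after(self, user: str) -> float:
        """Seconds the caller must still wait before `user` may try again."""
        count, last = self.failures.get(user, (0, 0.0))
        wait = min(self.base * count, self.max_delay)
        return max(0.0, last + wait - self.clock())

    def login(self, user: str, password: str) -> Tuple[bool, float]:
        """Returns (ok, retry_after). A throttled attempt is refused without
        touching the password, so it reveals nothing about the account."""
        remaining = self.retry_after(user)
        if remaining > 0:
            return False, remaining
        # Unknown users are throttled exactly like real ones, and the
        # comparison runs in constant time, so the delay pattern does not
        # tell a caller which usernames exist.
        known = user in USERS
        match = hmac.compare_digest(USERS.get(user, "").encode(), password.encode())
        if known and match:
            self.failures.pop(user, None)
            return True, 0.0
        count, _ = self.failures.get(user, (0, 0.0))
        self.failures[user] = (count + 1, self.clock())
        return False, self.retry_after(user)
```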
Admin
Trying to understand the technology used here.
Alright. First one to answer the following question gets a cookie: How did the cracker manage to obtain the usernames?
Admin
Weyland is right. It just makes no sense to enforce some monstrosity like "ufAg4*v+ZkLm#98<8" on your users. Not even I'd like to remember and correctly type in such a freakword.
Passphrases are the way to go. For example, take an easy sentence "I was blind, then went on." and make it "I was blind579, thenwent ON!". There. Easy to remember, even with the obfuscation in place and not an ounce less secure than the crap above. Whole sentences can also be immune to dictionary attacks because they don't have to make sense, can contain made up words and also special chars, plus they are long enough to make brute force tiring.
"Want back: my 50 Mobogos!" - hard to forget but hard to crack.
Benjamin
Admin
The same way he got the password(s), obviously.
Admin
The Real WTF is that "Pallindrome" isn't one.
Admin
That is pretty much my company's password policy, except it is 12 characters. I had to change my password last week, a task which took me about an hour.
Admin
You know, if I were to write a brute-force dictionary password cracker, I'd build into it the ability to randomly substitute letters with numbers (say, an "A" with a "4", and an "I" or "L" with a "1"), and even make it tack on a few random digits at the end, something simple like "00" or "01".
Having come up with that idea, and knowing I'm not a motivated malicious Kr4xx0r with aw4s0m m4d sKillz, I'm convinced that someone has already done this.
-dZ.
Admin
Actually, no. It should be buttured.
Admin
I would consider changing my method now, if I were you.
Admin
So he writes good scripts, right? Set John the Ripper to run against each account for a preset time (go easy on 'em, maybe a minute or two) each time a password is changed, and if any of them get cracked, change it to something secure and mail the new password to their supervisor along with a nastygram about choosing good passwords.
Solved!
Admin
This made me laugh out loud. Thanks.
$|-|0v3 m% n0$3 1n $H17!
Catcha: jumentum. Sure did! j00?
Admin
Whoops! I mean... B|_|r13d 1n m% $h17
er.. whatever.
Admin
Hmmm... The email passwords apparently also allow shell access, as far as I can make out (James "remoted in" and attempted to send email from the command line). So:
How's that?
(PS: Is it bad that I automatically hit /-e-Tab to try to complete the "/etc/passwd" above?)
Admin
Is it just me or did the whole "Emails Per Hour Has Been Exceeded" seem like a cPanel failure? Then again, the response that 'James' gave sounded like a level I tech at the host I work for.
Admin
Soo, James obviously screwed up. Everyone knows you can't trust users to choose secure passwords. That is soo obvious it is seldom even taught in basic security classes. It seems that this bozo is so elevated from reality that he still refuses to accept that his sub-par script completely disrupted this company's business. So he writes to the Daily WTF, and immediately gets assurance from plenty of other f*ck ups that he is not a screw up...
Admin
Best password/-phrase invention method so far: pick sequences out of a phrase. "To be or not to be, that is the question. " becomes "Tbontb, titq. " Easy to remember for most, very resilient, especially with some l&&+ mixed in.
Admin
I remember an engineer who used 20+ digit passwords. They were the solution to a mathematical equation. Each time he forgot the password, out came the pencil and paper and he would re-solve the equations...
To the best of my knowledge he still does this today, and has never been hacked.
tation ?!?!?