- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
He doesn't sound familiar?
Admin
Didn't they do a collab with DJ Mystik or something? I'm feeling a bit of whoosh in my hair, if I tip my toes I might just catch it!
Admin
Yep.
Admin
So much this. So many people fail to understand password complexity. Making someone add a "special character" (what's so special about them anyway?) makes the job of rememebering the password harder for the human but the cracking software doesn't care.
The single most important factor is length (:giggity:). Screw you and your "complexity requirements", let the users user long, easy to remember passwords.
This ugly site has the goods. Use this to generate the master password for your password manager and never remember any other password again.
Admin
FTFY, though overall entropy is effectively length × per-symbol entropy. And symbols are not characters…
Admin
Isn't entropy the same thing as password strength? So he's saying the single most important contributor to entropy is password length.
Admin
FTFY
Admin
So there are other factors that are more important than length? What are they?
Admin
All sorts of things.
Admin
From what alternate universe did you derive this statement?
Admin
That would be the universe where every statement is followed by the phrase "...That's what SHE said."
Admin
He crossed out "most important" and replaced it with "easiest" and said "FTFY". I don't see how to interpret that other than as a claim that password length is not, in fact, the most important factor in entropy. I asked for an explanation and got a joke instead, so either he was kidding in the first place or is not interested in defending his claim.
Admin
Except that does not, then, imply that some other factor is more important. Password length and per-symbol entropy are both important, and which is more important varies based on how much of the other you already have. If your password is alphanumeric+special characters but it's only 6 characters long, length is more important. If your password is 65 characters long but it's made up of 6 lower case dictionary words, per-symbol entropy is more important.
Admin
And there are far more symbols (words) in even a simple, learners dictionary than there are characters that it is easy to type in a password. 10006 is 1018 is approximately 261, so the simplest dictionary password with 6 words is almost as good as an 8 byte random bitstring where all the bits are entirely independent of all the others, which nobody ever does in reality…
Admin
Yeah. But it would be much better to then add more entropy by modifying the words with memorable (but unusual) symbols to combat the likelihood that a dictionary attack will be able to brute force your password in any reasonable amount of time. It would be substantially more effective at increasing overall password strength than, say, adding another word.
Admin
Switching from a thousand-word dictionary to something a bit longer would make a bigger difference. With a 50k dictionary, you're talking around 94–95 bits worth of entropy. That's quite a lot (heh; about 500 years at 1018 attempts a second) yet still potentially quite memorable for you because words are much easier to handle that way.
Adding another word is easier for people than mucking around with standard substitutions. Leave that sort of thing to password generators/managers like LastPass…
Admin
True, but most places also have a maximum password size in the area of 15 to 30 characters. (which is stupid, of course, but unlikely to change) So, based on how many words you have, the size of the dictionary you use is limited to shorter words only.
Admin
Only if the attacker knows which words are in your dictionary or has some way of deducing that information.
Admin
Also true
Admin
Entropy is the goal, not the factor in reaching the goal. In your effort to be a pedantic dickweed you went too far and became wrong.
You even wrote it out long-form in your first sentence! Two factors, one of which is length. It's easy to increase, easy to remember and more or less unlimited.
Admin
Did you even read the link I posted? You're dead wrong.
Admin
Uh, no.
Admin
Did you even read the link I posted? You're dead wrong too.
So much wrong, just as predicted. Such a seemingly simple thing, choosing a strong password, yet very few know how to do it. It's not entirely your fault, you've been told the wrong things your entire computing life, but you could have at least applied some mathematical rigour yourself to confirm.
Start by reading the link I posted. Here it is again: http://world.std.com/~reinhold/diceware.html
Admin
No, because you presented it as
and
"This site is ugly and does a thing you don't need." wasn't a compelling "go read this site and be enlightened".
Admin
Uh, yes.
Not only is it likely to change, it is changing. Slowly. UNIX passwords of 7 characters are long gone. NTLM passwords limited to 16 (I think) characters are long gone.
Admin
Our sincerest apologies, but the corporate firewall has blocked
http://world.std.com/~reinhold/diceware.htmlas "Hosting". Error 589: Unable to comply, OKAdmin
So I gave you two pieces of very good advice in one go and you overloaded and went "Nuh uh! You nearly got me to learn something there but I'm on to you!".
Let me try again: Go read this site and be enlightened: http://world.std.com/~reinhold/diceware.html
Have you done that? Your brain might be hurting from all the learning you're doing, but now it's time for a new learning: Get a password manager. Use it.
Admin
Most commercial sites and applications I use restrict password length to somewhere between 15 and 30 characters. This is not likely to change, because bigger passwords take more storage space and bandwidth, which adds up for large companies with millions of customers, and is not something they have any real drive to change, because most people use bare minimum passwords like fucking morons anyway.
Admin
My condolences. I also must suffer behind a braindead corporate filter.
Admin
"This site is ugly" isn't good advice. Neither is "it does a thing you don't need".
If you tried to make the "you should be using a password manager" advice point, you sure beat around the bush.
Maybe later.
Admin
I said it has the goods. Maybe that's too colloquial? What the phrase means is: Go read the site and be enlightened.
Also, in "generate the master password for your password manager" is an implied "use a fucking password manager you goddamn cretin".
Admin
From what you said it sounded like "has the goods" implied that it could "generate the master password for your password manager", since that's what you said it would do.
Anyway, the first two things I saw were a broken image and a link to a Java applet. The next thing I saw was an over-complicated hardware solution to an easily-solved software problem: dice rolling, combined with an extra-healthy dose of paranoia (burn your notes, pulverize the ashes, flush them down the toilet). Followed shortly by "we recommend you keep a copy written down". :facepalm:
And finally, we have a testimonial from a dude who's trying to teach his sister how to use PGP for her email, presumably so that her husband won't find out she was boning her brother. (That's not really in the story, but I can read between the lines.)
Admin
It describes a method that can be used for that. It also tells you what you've been taught wrong about password security, and tells you how to do better.
The link followed a paragraph about letting users use long, easy to remember passwords, which is what Diceware is all about.
Like I said, ugly site. I don't know why you saw the Java applet link first though.
Still don't get it? You need to do more reading.
Adjust the paranoia to your desired level. The burn, pulverise, flush comment I took as part joke, part reminder that your notes can be used to make cracking your password easier.
You skipped "in a safe place", presumably an actual safe or similar.
It's an anecdote, meant to illustrate how poorly people pick passwords, and a claim that Diceware could have helped her pick a good one first try.
:giggity:?
So when you read about a brother and sister that want to exchange personal correspondence securely, you go straight to incest?
Admin
It was bolded, set out with extra space, and right in the middle of a bunch of
<hr>'s. It's almost like he wanted to draw attention to it or something.Admin
No! 31 is unsafe! You should use 128!
Admin
When I read about an adult male and female that want to exchange personal correspondence securely, I go straight to sex. The incest thing just happened to be a bonus in this case.
Admin
That was a joke, right?
Admin
No. Have cryptographers invented a miraculous lossless compression algorithm that maintains size as input increases indefinitely or something? Is this some kind of new voodoo from quantum computing?
Admin
No, why would you need or want lossless compression of a password? Use a one-way hash algorithm, which outputs the same length string regardless of the length of the input.
For example, here's the SHA-512 output for "hi" (base64 encoded): FQoU7VvqbMcxz4bEFWasQnqNtI7xuf1iZmSzv7uZBx+kySLzPd44cZuMg1Tit6udd+Dmf8EoQ5IKcS5z1Vjhlw==
And here it is for "the quick brown fox jumped over the lazy dog":
V93QSStBuOzqZ2ZwoAj8m/1XBiL7n9jhBZlc7pYIVtBcSuFGQ/zeOWg8FJg7siHjOtCB8adZD1Hjd1F6ng3/qg==
Besides storage requirements being a constant, this has the advantage that passwords cannot be retrieved even if an attacker has full access to the database, and the hashing algorithm is known.
Admin
Actually, you use bcrypt. Same advantages, but without the weaknesses of straight hashing.
Admin
actually you use oauth2 and let some other poor soul take care of handling the password correctly. the hacker can't hack your accounts if you never even see the password
Admin
Assuming that the other party can deliver the sort of identity information that you need for the application. Also, oauth2 is pretty miserable when you want to support API-style access as well. Yes, you can do things with API keys and whatnot, but then you're getting back into implementing your own.
The only downside of bcrypt is if you're making a lot of requests in no-session-mode. BTDT. :facepalm:
Admin
not really actually, there's offline oauth that works.
grive (google drive synching for linux) did a fantastic job of it where it instructed you to visit a particular google url to authenticate and receive yoru oauth token, and to then tell it what that token was. then grive remembered that token and only prompted you to reauth when the token was invalidated.
another nice thing you can do with oauth(and openid) is you can do restricted permissions to remote resources. so your API can request tokens that allow read access but not write access for example.
Admin
But the vast proportion of that is custom code, and the applications have to deal with all that complexity. It doesn't help that if you build an authenticator for Google (so that you can provide your own service) then you've not got an authenticator for Facebook or Twitter or … Yes, that doesn't matter if you need to access a specific remote resource (like Google Drive) with the token, but that's not the only use case, not even close.
Delegated credentials are a complicated mess. Have been for at least 15 years.
Admin
While you guys are on the subject... Say a company had a large existing user base, where the login is by email. Say they wanted to allow users to log in with external identity providers (google, fb, etc). Would it be appropriate to examine the email address associated with the token and grant access to the account matching that email address with no further verification?
Admin
Depends on what else the token contains, I'd think.