Re: [gentoo-user] Re: korganize-4.7.3 broken
On Tue, 10 Jan 2012 22:53:48 +, Mick wrote:
> I did not yet try deleting akonadi db and nepomuk and trying re-importing everything. I'm not sure if it is even worth it to bother with KDE anymore.
You'd get rid of the whole of KDE just because the mail client sucks? You know, you can run non-KDE software on KDE :P
--
Neil Bothwick
deja vous - the act of forgetting someone's name /again/ despite being introduced to them several times.
Re: [gentoo-user] Re: korganize-4.7.3 broken
On Wed, Jan 11, 2012 at 09:20:06AM +, Neil Bothwick wrote:
> On Tue, 10 Jan 2012 22:53:48 +, Mick wrote:
>> I did not yet try deleting akonadi db and nepomuk and trying re-importing everything. I'm not sure if it is even worth it to bother with KDE anymore.
> You'd get rid of the whole of KDE just because the mail client sucks? You know, you can run non-KDE software on KDE :P
Plus, KDE without akonadi took less than 100 MB of RAM after login in a test installation I did on a netbook. Even KDE3 started at 120 back in the days. Unfortunately, a number of other useful programs depend on akonadi, such as KAlarm and even Akregator.
--
Gruß | Greetings | Qapla'
I forbid any use of my email addresses with Facebook services.
Mankind’s most truthful word is: perhaps.
Re: [gentoo-user] Resetting the root passwd
On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen h.v.bruineh...@fu-berlin.de wrote:
> The simplest solution should be to copy the password-hash of a user whose password is known to you. Afterwards you can log in and change the password again.
Thanks, I like that better and it worked like a charm, this way the root account is never unprotected (even for a minute)... although remote root login is disabled anyway...
> And for the future: http://xkcd.com/936/ ;)
I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
http://passwordmaker.org/
Re: [gentoo-user] Resetting the root passwd
On Jan 11, 2012 5:57 PM, Tanstaafl tansta...@libertytrek.org wrote:
> On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen h.v.bruineh...@fu-berlin.de wrote:
>> The simplest solution should be to copy the password-hash of a user whose password is known to you. Afterwards you can log in and change the password again.
> Thanks, I like that better and it worked like a charm, this way the root account is never unprotected (even for a minute)... although remote root login is disabled anyway...
>> And for the future: http://xkcd.com/936/ ;)
> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
> http://passwordmaker.org/
While booting, pass init=/bin/bash in the kernel command line
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 7:35 AM, Nilesh Govindarajan cont...@nileshgr.com wrote:
> While booting, pass init=/bin/bash in the kernel command line
I did... otherwise, it still requires you to know the password... ;)
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 07:26:07 -0500 Tanstaafl tansta...@libertytrek.org wrote:
> On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen h.v.bruineh...@fu-berlin.de wrote:
>> The simplest solution should be to copy the password-hash of a user whose password is known to you. Afterwards you can log in and change the password again.
> Thanks, I like that better and it worked like a charm, this way the root account is never unprotected (even for a minute)... although remote root login is disabled anyway...
>> And for the future: http://xkcd.com/936/ ;)
> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
> http://passwordmaker.org/
--
Alan McKinnnon alan.mckin...@gmail.com
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 9:16 AM, Alan McKinnon alan.mckin...@gmail.com wrote:
> On Wed, 11 Jan 2012 07:26:07 -0500 Tanstaafl tansta...@libertytrek.org wrote:
>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it, and if you create a custom account, it offers many other options...
I highly recommend it... it does have a small learning curve, but the website will teach you most of what you need to know (I even authored a lot of the wiki)...
http://passwordmaker.org/
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:
>>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
>> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
> Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it,
So it stores the data and method needed to recreate the password, same thing. Or does it not store the username, in which case you have to use the same username everywhere?
--
Neil Bothwick
If Satan ever loses his hair, there'll be hell toupee.
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 11:27 AM, Neil Bothwick n...@digimed.co.uk wrote:
> On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:
>>>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
>>> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
>> Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it,
> So it stores the data and method needed to recreate the password, same thing. Or does it not store the username, in which case you have to use the same username everywhere?
It would be easier for you to understand how it works if you would simply go read about it. The one piece that is not stored anywhere (but inside your head) is the Master Password.
You can also use more than one Master Password, which I do (three to be exact, one for critical stuff (server root passwords, online banking, etc), one for less critical stuff, and one for incidental stuff...
Like I said, there is a small learning curve involved with using it, but once you figure it out, you'll wonder how you ever got along without it.
Re: [gentoo-user] Resetting the root passwd
Neil Bothwick wrote:
> On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:
>>>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
>>> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
>> Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it,
> So it stores the data and method needed to recreate the password, same thing. Or does it not store the username, in which case you have to use the same username everywhere?
Most of my passwords are some hash[1] of a common passcode[2] and some site-specific or service-specific mnemonic. I imagine this would work similarly, using the absolute URL in place of a mnemonic. The downside would be if the server changed its URL rewriting scheme. From their perspective, they didn't break anything as long as things 301 redirect to where they should. But it does break things that make assumptions about absolute URLs. (I've seen that break StumbleUpon thumbs-up counts, for example.)
[1] The hash algorithm is something I can easily do in my head, not some massive, crypto-secure, heavily-mathematical thing.
[2] I change the passcode I use for new passwords every several months, but I can usually guess which one I used for any given site within three tries. It works out, and is a nice in-head way to have a different password for every site.
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 11:35:57 -0500, Tanstaafl wrote:
>> So it stores the data and method needed to recreate the password, same thing. Or does it not store the username, in which case you have to use the same username everywhere?
> It would be easier for you to understand how it works if you would simply go read about it. The one piece that is not stored anywhere (but inside your head) is the Master Password.
Ah, you didn't mention that part. Now it makes some sense.
--
Neil Bothwick
If at first you don't succeed you'll get lots of advice.
Re: [gentoo-user] Resetting the root passwd
Tanstaafl wrote:
> On 2012-01-11 11:27 AM, Neil Bothwick n...@digimed.co.uk wrote:
>> On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:
>>>>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
>>>> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
>>> Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it,
>> So it stores the data and method needed to recreate the password, same thing. Or does it not store the username, in which case you have to use the same username everywhere?
> It would be easier for you to understand how it works if you would simply go read about it. The one piece that is not stored anywhere (but inside your head) is the Master Password.
> You can also use more than one Master Password, which I do (three to be exact, one for critical stuff (server root passwords, online banking, etc), one for less critical stuff, and one for incidental stuff...
> Like I said, there is a small learning curve involved with using it, but once you figure it out, you'll wonder how you ever got along without it.
I use Lastpass for my stuff. It is encrypted locally but available anywhere. It works pretty well. These things sure beat trying to remember a really strong password. My bank and credit card passwords are off the chart.
Dale :-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 11:36 AM, Michael Mol mike...@gmail.com wrote:
> Most of my passwords are some hash[1] of a common passcode[2] and some site-specific or service-specific mnemonic. I imagine this would work similarly, using the absolute URL in place of a mnemonic. The downside would be if the server changed its URL rewriting scheme. From their perspective, they didn't break anything as long as things 301 redirect to where they should. But it does break things that make assumptions about absolute URLs. (I've seen that break StumbleUpon thumbs-up counts, for example.)
This is not a problem with Passwordmaker as long as you use a custom account, because all you have to do if the URL changes is add/edit the URL pattern (used to detect the account/page). The 'text' used for *calculating* the password wouldn't change then.
> [1] The hash algorithm is something I can easily do in my head, not some massive, crypto-secure, heavily-mathematical thing.
I do something similar with Passwordmaker... I have a specific way I 'modify' the password (add a few specific characters at certain places in the password) before logging in, but I only do this with critical sites/passwords.
> [2] I change the passcode I use for new passwords every several months, but I can usually guess which one I used for any given site within three tries. It works out, and is a nice in-head way to have a different password for every site.
I almost never change my passwords, unless there is a good reason to. With a strong password, it simply isn't necessary. But if you need to, it is dead easy in Passwordmaker - just add a '1' to the modifier field for that account, then start incrementing it whenever you change it.
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:
> I use Lastpass for my stuff. It is encrypted locally but available anywhere. It works pretty well.
Heard good things about it, but I prefer something that doesn't store the passwords anywhere, ever...
> These things sure beat trying to remember a really strong password. My bank and credit card passwords are off the chart.
Yeah, but what about those moron banks that only allow you to use lowercase letters - and only a max of 6 - for the password? I'm not sure if it is as big a problem as it was, but I have changed banks over things like that, and told them why in the process.
Re: [gentoo-user] Resetting the root passwd
Tanstaafl wrote:
> On 2012-01-11 11:36 AM, Michael Mol mike...@gmail.com wrote:
>> Most of my passwords are some hash[1] of a common passcode[2] and some site-specific or service-specific mnemonic. I imagine this would work similarly, using the absolute URL in place of a mnemonic. The downside would be if the server changed its URL rewriting scheme. From their perspective, they didn't break anything as long as things 301 redirect to where they should. But it does break things that make assumptions about absolute URLs. (I've seen that break StumbleUpon thumbs-up counts, for example.)
> This is not a problem with Passwordmaker as long as you use a custom account, because all you have to do if the URL changes is add/edit the URL pattern (used to detect the account/page). The 'text' used for *calculating* the password wouldn't change then.
>> [1] The hash algorithm is something I can easily do in my head, not some massive, crypto-secure, heavily-mathematical thing.
> I do something similar with Passwordmaker... I have a specific way I 'modify' the password (add a few specific characters at certain places in the password) before logging in, but I only do this with critical sites/passwords.
>> [2] I change the passcode I use for new passwords every several months, but I can usually guess which one I used for any given site within three tries. It works out, and is a nice in-head way to have a different password for every site.
> I almost never change my passwords, unless there is a good reason to. With a strong password, it simply isn't necessary. But if you need to, it is dead easy in Passwordmaker - just add a '1' to the modifier field for that account, then start incrementing it whenever you change it.
Pretty sure I understand the thing. The biggest driver for me to change my passcode are leaks...whether it's something like Sony's Play Station Network leak, or whether I typed something into the wrong terminal, or whether something stole focus at the wrong moment.
Critical sites get their password changed first, on the off chance someone knows enough about me to guess my username, mnemonic and hash. Less critical sites follow. Actually happened Sunday morning. Typed a password into the wrong window, and now I've got a new passcode.
Re: [gentoo-user] Resetting the root passwd
Tanstaafl wrote:
> On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:
>> I use Lastpass for my stuff. It is encrypted locally but available anywhere. It works pretty well.
> Heard good things about it, but I prefer something that doesn't store the passwords anywhere, ever...
I have too many places to remember all the passwords tho. Having just one or two passwords isn't a good idea either.
>> These things sure beat trying to remember a really strong password. My bank and credit card passwords are off the chart.
> Yeah, but what about those moron banks that only allow you to use lowercase letters - and only a max of 6 - for the password? I'm not sure if it is as big a problem as it was, but I have changed banks over things like that, and told them why in the process.
I agree with that. My bank made some changes that I didn't agree with too. I sent them information about how their process was tested by MIT and some University in California and it failed the test badly. I then figured out a way to work around that and still have my really good password. If they won't let me have a good password, I won't be doing anything online. I'll just pick up the phone and call them to check on balances and such until they fix it. My bank does allow customers to disable online access.
Dale :-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 1:47 PM, Dale rdalek1...@gmail.com wrote:
> Tanstaafl wrote:
>> On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:
>>> I use Lastpass for my stuff. It is encrypted locally but available anywhere. It works pretty well.
>> Heard good things about it, but I prefer something that doesn't store the passwords anywhere, ever...
> I have too many places to remember all the passwords tho. Having just one or two passwords isn't a good idea either.
That is precisely *why* I love passwordmaker... each and every site has a unique 15 or 20 character strong password that I don't *have* to remember, all I have to remember is my Master Password for that category of account...
> If they won't let me have a good password, I won't be doing anything online. I'll just pick up the phone and call them to check on balances and such until they fix it. My bank does allow customers to disable online access.
Which won't help if/when they get hacked. If you don't care enough to change banks, they'll probably never change their policy. If they lose enough accounts because of it, someone is gonna take notice, and some moron admin will get canned for being so stupid.
Re: [gentoo-user] Resetting the root passwd
Tanstaafl writes:
> On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:
>> These things sure beat trying to remember a really strong password. My bank and credit card passwords are off the chart.
> Yeah, but what about those moron banks that only allow you to use lowercase letters - and only a max of 6 - for the password? I'm not sure if it is as big a problem as it was, but I have changed banks over things like that, and told them why in the process.
My banking PIN also has only six characters, but I don't worry too much about this. An attacker only has a few tries before online access is being disabled. And even if he would succeed, all he gains is to see my account balance and my past transactions. In order to actually do something, he would also need the correct TAN. In the past I had a list of those, but nowadays this is no longer possible, instead I get the TAN via SMS when I make a transaction.
Wonko
Re: [gentoo-user] Resetting the root passwd
Tanstaafl wrote:
> On 2012-01-11 1:47 PM, Dale rdalek1...@gmail.com wrote:
>> Tanstaafl wrote:
>>> On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:
>>>> I use Lastpass for my stuff. It is encrypted locally but available anywhere. It works pretty well.
>>> Heard good things about it, but I prefer something that doesn't store the passwords anywhere, ever...
>> I have too many places to remember all the passwords tho. Having just one or two passwords isn't a good idea either.
> That is precisely *why* I love passwordmaker... each and every site has a unique 15 or 20 character strong password that I don't *have* to remember, all I have to remember is my Master Password for that category of account...
Well, Lastpass does the same thing. I do make up my own tho. I at least have a chance at guessing it. ;-)
>> If they won't let me have a good password, I won't be doing anything online. I'll just pick up the phone and call them to check on balances and such until they fix it. My bank does allow customers to disable online access.
> Which won't help if/when they get hacked. If you don't care enough to change banks, they'll probably never change their policy. If they lose enough accounts because of it, someone is gonna take notice, and some moron admin will get canned for being so stupid.
If I call the bank and tell them to disable online access, even I can't access my account online. If a hacker can hack in and get my info, then that has nothing to do with passwords. The hacker has gained access to the server as a whole at that point. The biggest thing I don't like, my bank runs windoze. A really old version at that. I hope they update that thing. o_O
Dale :-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 11:04:01 -0500 Tanstaafl tansta...@libertytrek.org wrote:
> On 2012-01-11 9:16 AM, Alan McKinnon alan.mckin...@gmail.com wrote:
>> On Wed, 11 Jan 2012 07:26:07 -0500 Tanstaafl tansta...@libertytrek.org wrote:
>>> I couldn't live without Passwordmaker (Firefox Addon), with it, I can have as strong and random passwords as I want on every site, it auto fills the username/password for me (if it is a web login page), but doesn't store any password anywhere...
>> Of course it stores the password somewhere. How else could it log you in next time? It isn't magic, it retrieves the password from somewhere.
> Nope, it generates it on the fly every time. It uses the current URL (or if you create a custom account for that URL, whatever you tell it to use), the username (if supplied), and a few other URL unique attributes to compute it, and if you create a custom account, it offers many other options...
> I highly recommend it... it does have a small learning curve, but the website will teach you most of what you need to know (I even authored a lot of the wiki)...
> http://passwordmaker.org/
I haven't read the site yet, but just on the basis of your description, all I'm seeing is a teeny-weeny amount of entropy leading to passwords that are very easy for computers to compute. The algorithm is probably known and there can't be that many unique attributes to a URL, leading to a very small pool of random data.
In fact, I see this as a distinct possibility: http://xkcd.com/936/
Feel free to correct me if I'm wrong.
--
Alan McKinnnon alan.mckin...@gmail.com
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
> On Wed, 11 Jan 2012 11:04:01 -0500 Tanstaafl tansta...@libertytrek.org wrote:
>> http://passwordmaker.org/
> I haven't read the site yet, but just on the basis of your description, all I'm seeing is a teeny-weeny amount of entropy leading to passwords that are very easy for computers to compute. The algorithm is probably known and there can't be that many unique attributes to a URL, leading to a very small pool of random data.
> In fact, I see this as a distinct possibility: http://xkcd.com/936/
> Feel free to correct me if I'm wrong.
You are wrong, but you'll need to read the site to learn why...
Re: [gentoo-user] Re: korganize-4.7.3 broken
On Wednesday 11 Jan 2012 12:14:18 Frank Steinmetzger wrote:
> On Wed, Jan 11, 2012 at 09:20:06AM +, Neil Bothwick wrote:
>> On Tue, 10 Jan 2012 22:53:48 +, Mick wrote:
>>> I did not yet try deleting akonadi db and nepomuk and trying re-importing everything. I'm not sure if it is even worth it to bother with KDE anymore.
>> You'd get rid of the whole of KDE just because the mail client sucks? You know, you can run non-KDE software on KDE :P
> Plus, KDE without akonadi took less than 100 MB of RAM after login in a test installation I did on a netbook. Even KDE3 started at 120 back in the days. Unfortunately, a number of other useful programs depend on akonadi, such as KAlarm and even Akregator.
Well, I'm not using the whole KDE environment on my machine, only certain applications. Kmail and Konqueror are the must haves for me. My wife uses the full KDE and I'll have to break the news to her that Kmail which she prefers to T'bird may no longer be usable.
I do hope things improve with Kmail. Meanwhile, I'll put some more effort into configuring and learning how to use mutt.
--
Regards, Mick
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 16:07:41 -0500 Tanstaafl tansta...@libertytrek.org wrote:
> On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
>> On Wed, 11 Jan 2012 11:04:01 -0500 Tanstaafl tansta...@libertytrek.org wrote:
>>> http://passwordmaker.org/
>> I haven't read the site yet, but just on the basis of your description, all I'm seeing is a teeny-weeny amount of entropy leading to passwords that are very easy for computers to compute. The algorithm is probably known and there can't be that many unique attributes to a URL, leading to a very small pool of random data.
>> In fact, I see this as a distinct possibility: http://xkcd.com/936/
>> Feel free to correct me if I'm wrong.
> You are wrong, but you'll need to read the site to learn why...
The site doesn't say much. It has one page, no internal links (quite a few external ones) and a single link to an image.
But still, one can infer some of the methods of operation. There's a master password and a few bits of easily guessable[1] entropy in the additional data the user can configure. It has one weakness that reduces it back to the same password being re-used. And that is that there is a single master password. An attacker would simply need to acquire that using various nefarious means (shoulder surfing, social engineering, hosepipe decryption) and suddenly you are wide open[2].
I don't see that it increases cryptographic security by very much (it does by a little) but it will increase real-life effective security by a lot. It removes most of the threat from shoulder-surfing and StickyNoteSyndrome (much like ssh agents do too). In a corporate environment[3], that is the major threat we face, the one that keeps me awake at night, the one ignored by all security auditors and the one understood by a mere three people in the company... :-(
[1] Easily guessable by a computer
[2] I have my paranoia hat on currently
[3] for example, mine
--
Alan McKinnnon alan.mckin...@gmail.com
Re: [gentoo-user] Resetting the root passwd
I tell you the right way to do it. Make it easy as possible, not so difficult like the others in the thread!
Download system rescuecd (which is a nice gentoo system with lots of beautiful tools running out of the box): http://www.sysresccd.org/Download
download, burn and boot from the cd. This is a gentoo live cd, with maintenance tools!
After you started from the cd, create a directory, let us say: /mnt/gentooX and mount your partition inside, where the entire tree lives in it.
if /dev/sda5 or whatever has the entire tree:
    mount /dev/sda5 /mnt/gentooX
optionally mount the other partitions from your harddisk, if opt is in your harddisk an own partition, otherwise look in your harddisk, in this case: /mnt/gentooX/etc/fstab which shows you the partition table!
chroot the new environment:
    mount -t proc none /mnt/gentooX/proc
if you need networking, otherwise leave this step away.
    cp -L /etc/resolv.conf /mnt/gentooX/etc/resolv.conf
    chroot /mnt/gentooX /bin/bash
    env-update
    source /etc/profile
after you did this, you are on your harddisk's environment as root, and you easily can issue this command:
    passwd root
Tamer
On 10.01.2012 19:46, Tanstaafl wrote:
> Ok, I did something really dumb... I changed the root passwd for a system I manage last week, but neglected to write it down, and now what I *thought* I had changed it to isn't working...
> I know, I know, really *really* dumb, but that's where I am...
> I know I can boot into Single User mode, remount the root partition read/write, and edit /etc/shadow (removing the encrypted passwd), then reset it using passwd, but...
> Some of the accounts in /etc/shadow have a '*' where the encrypted passwd would be, and some have a '!'... (ie, one is sshd:!:... and another is halt:*:...)
> Does it matter what I change it to? Should I use a *, !, or nothing at all (so that there is *nothing* between the two :: that would normally contain the encrypted passwd)?
> Thanks...
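
An added example (not from any poster in this thread) that answers the `*` / `!` / empty question in the quoted message: it classifies the password field of shadow entries the way shadow(5) and crypt(3) describe it. The sample file, its placeholder hashes and the function names are constructed for illustration.

```python
import re

# Constructed sample in shadow(5) layout (name:password:lastchg:min:max:warn:...).
# The hash strings are placeholders, not real crypt(3) output.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$PLACEHOLDERHASH:15350:0:99999:7:::
halt:*:9797:0:::::
sshd:!:15000:0:99999:7:::
alice:!$6$constructedsalt$PLACEHOLDERHASH:15350:0:99999:7:::
bob::15350:0:99999:7:::
carol:abCONSTRUCTED:15350:0:99999:7:::
"""

# crypt(3) modular-format prefixes: $id$...$hash
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
MODULAR = re.compile(r"^\$([0-9a-z]+)\$.+\$.+$")
DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt


def hash_scheme(field):
    """Return the scheme name if the field looks like crypt(3) output, else None."""
    m = MODULAR.match(field)
    if m:
        return CRYPT_IDS.get(m.group(1), "crypt-id-" + m.group(1))
    if DES.match(field):
        return "descrypt"
    return None


def classify_field(field):
    """Map a shadow password field to EMPTY, DISABLED, LOCKED or HASH:<scheme>.

    EMPTY    - nothing between the colons: no password is required to
               authenticate (some programs refuse such accounts instead).
    DISABLED - '*', '!' or any other string that is not valid crypt output:
               no typed password can ever match it.
    LOCKED   - '!' in front of a real hash, as written by `passwd -l`;
               removing the '!' restores the old password.
    """
    if field == "":
        return "EMPTY"
    if field.startswith("!"):
        return "LOCKED" if hash_scheme(field.lstrip("!")) else "DISABLED"
    scheme = hash_scheme(field)
    return "HASH:" + scheme if scheme else "DISABLED"


def audit(shadow_text):
    """Return [(account, state), ...] for every well-formed line."""
    results = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            results.append((line, "MALFORMED"))
            continue
        results.append((parts[0], classify_field(parts[1])))
    return results


def passwordless(shadow_text):
    """Accounts that would accept a login with no password at all."""
    return [name for name, state in audit(shadow_text) if state == "EMPTY"]


if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW):
        print(f"{name:8} {state}")
    print("passwordless:", passwordless(SAMPLE_SHADOW))
```

Run against a copy of a real shadow file, `passwordless()` lists any account left in the "nothing between the two colons" state that the hash-copy approach earlier in the thread avoids.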
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 4:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
> The site doesn't say much. It has one page, no internal links (quite a few external ones) and a single link to an image.
Weird... the wiki tree is gone... there are a *ton* of pages there, I'll have to poke the maintainers... maybe they were updating mediawiki and broke something...
> But still, one can infer some of the methods of operation. There's a master password and a few bits of easily guessable[1] entropy in the additional data the user can configure. It has one weakness that reduces it back to the same password being re-used. And that is that there is a single master password.
Like I said, you can use more than one. The trick is remembering which one you used with which accounts. I use different Master Passwords for different Account Groups.
> An attacker would simply need to acquire that using various nefarious means (shoulder surfing, social engineering, hosepipe decryption) and suddenly you are wide open[2].
That is true for *any* password scheme... but there are simple ways to mitigate the risks...
1. Use multiple Master Passwords...
2. Change the character set used (I always do this)
3. Add additional character modifications to each password (figure out one way that you can easily remember and do it the same for each password)
4.
> I don't see that it increases cryptographic security by very much (it does by a little)
Actually, it does, and once the site is back up I'll post here and you can go read all about it...
Re: [gentoo-user] Resetting the root passwd
Alan McKinnon wrote: On Wed, 11 Jan 2012 16:07:41 -0500 Tanstaafl tansta...@libertytrek.org wrote: On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote: On Wed, 11 Jan 2012 11:04:01 -0500 Tanstaafl tansta...@libertytrek.org wrote: http://passwordmaker.org/ I haven't read the site yet, but just on the basis of your description, all I'm seeing is a teeny-weeny amount of entropy leading to passwords that are very easy for computers to compute. The algorithm is probably known and there can't be that many unique attributes to a URL, leading to a very small pool of random data. In fact, I see this as a distinct possibility: http://xkcd.com/936/ Feel free to correct me if I'm wrong. You are wrong, but you'll need to read the site to learn why... The site doesn't say much. It has one page, no internal links (quite a few external ones) and a single link to an image. But still, one can infer some of the methods of operation. There's a master password and a few bits of easily guessable[1] entropy in the additional data the user can configure. It has one weakness that reduces it back to the same password being re-used. And that is that there is a single master password. An attacker would simply need to acquire that using various nefarious means (shoulder surfing, social engineering, hosepipe decryption) and suddenly you are wide open[2]. I would expect it to use a strong forward-only hash. I can't do that in my head, but that's what I'd expect this software to do. A MITM between the computer and the remote host should only result in a single password lost. I don't see that it increases cryptographic security by very much (it does by a little) but it will increase real-life effective security by a lot. It removes most of the threat from shoulder-surfing and StickyNoteSyndrome (much like ssh agents do too). 
In a corporate environment[3], that is the major threat we face, the one that keeps me awake at night, the one ignored by all security auditors and the one understood by a mere three people in the company... :-( I was convinced you completely missed the point, but I think you found it here. [1] Easily guessable by a computer [2] I have my paranoia hat on currently [3] for example, mine I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see steamingmonkeypile, nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :)
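The scheme debated in this message (a master password combined with guessable per-site data through a one-way hash, with a configurable character set) can be sketched as follows. This is an added example and not PasswordMaker's actual algorithm: the function name, PBKDF2-HMAC-SHA256, the iteration count and the default character set are all assumptions made for illustration.

```python
import hashlib
import hmac
import string

CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()"  # 72 symbols
ITERATIONS = 200_000  # assumption: PBKDF2 work factor picked for this example


def site_password(master, site, username="", length=16,
                  charset=CHARSET, counter=1):
    """Derive a per-site password from a master password.

    Nothing is stored: the same inputs always reproduce the same output.
    Everything except `master` is low-entropy, guessable data, so the
    master password carries the whole secret.
    """
    if not 2 <= len(charset) <= 256 or len(set(charset)) != len(charset):
        raise ValueError("charset must hold 2..256 distinct symbols")
    if length < 1:
        raise ValueError("length must be positive")

    # The per-site data acts as the salt. It separates sites from each other
    # but adds almost nothing against someone who knows the scheme.
    salt = "\x1f".join((site.lower(), username, str(counter))).encode()

    # One-way step: slow to brute-force, and a leaked site password does not
    # reveal the master or the passwords derived for other sites.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)

    # Expand the key into as many bytes as needed and map them onto the
    # charset. Bytes >= limit are rejected so that every symbol is equally
    # likely (no modulo bias).
    limit = 256 - (256 % len(charset))
    out = []
    block = 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in stream:
            if byte < limit and len(out) < length:
                out.append(charset[byte % len(charset)])
        block += 1
    return "".join(out)


def derive_all(master, sites, username=""):
    """What anyone holding the master password can recompute: every site."""
    return {site: site_password(master, site, username) for site in sites}


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    for site, pw in derive_all("example master phrase",
                               ["example.org", "example.net"], "dale").items():
        print(site, pw)
```

A password captured at one site stays confined to that site, but the master password is a single point of failure, which is the trade-off both sides of the thread describe.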
Re: [gentoo-user] Resetting the root passwd
On 2012-01-11 5:05 PM, Tanstaafl tansta...@libertytrek.org wrote: Actually, it does, and once the site is back up I'll post here and you can go read all about it... Even weirder... The menu tree is actually still there, but it is displayed way down the page, so something definitely is broken. I've already emailed the maintainer... But, you can peruse the site from the menu tree, you'll just have to scroll way down to get to it... www.passwordmaker.org
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 17:08:04 -0500 Michael Mol mike...@gmail.com wrote: I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see steamingmonkeypile, nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :) I agree. Longer pass{words,phrases} only increases the difficulty of the problem, but not significantly so. -- Alan McKinnnon alan.mckin...@gmail.com
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 17:05:28 -0500 Tanstaafl tansta...@libertytrek.org wrote: On 2012-01-11 4:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote: The site doesn't say much. It has one page, no internal links (quite a few external ones) and a single link to an image. Weird... the wiki tree is gone... there are a *ton* of pages there, I'll have to poke the maintainers... maybe they were updating mediawiki and broke something... But still, one can infer some of the methods of operation. There's a master password and a few bits of easily guessable[1] entropy in the additional data the user can configure. It has one weakness that reduces it back to the same password being re-used. And that is that there is a single master password. Like I said, you can use more than one. The trick is remembering which one you used with which accounts. I use different Master Passwords for different Account Groups. An attacker would simply need to acquire that using various nefarious means (shoulder surfing, social engineering, hosepipe decryption) and suddenly you are wide open[2]. That is true for *any* password scheme... but there are simple ways to mitigate the risks... 1. Use multiple Master Passwords... 2. Change the character set used (I always do this) I like this one :-) yes, I know it's really just security by obscurity in disguise but I still like it. It's like anti-spam measures - effective at first till the spammers catch on then you go find another method. But in the interim you did have something workable to use 3. Add additional character modifications to each password (figure out one way that you can easily remember and do it the same for each password) 4. I don't see that it increases cryptographic security by very much (it does by a little) Actually, it does, and once the site is back up I'll post here and you can go read all about it... -- Alan McKinnnon alan.mckin...@gmail.com
RE: [gentoo-user] Resetting the root passwd
From: Alan McKinnon [mailto:alan.mckin...@gmail.com] Sent: Wednesday, January 11, 2012 5:48 PM On Wed, 11 Jan 2012 17:08:04 -0500 Michael Mol mike...@gmail.com wrote: I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see steamingmonkeypile, nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :) I agree. Longer pass{words,phrases} only increases the difficulty of the problem, but not significantly so. After I read the aforementioned xkcd comic, my main question was how he defined the various bits of entropy for each thing done to a password. That seemed to be a crucial determining factor in why the common words password appeared so much harder than the goofy gibberish one. Some seemed more obvious to me than others. I'm also curious, using the latest modern password-cracking techniques, if his assessment really is accurate. As in, which of the following two passwords would take longer to crack: #purpl3.R$!n# dovesymbolcarprince --K
Re: [gentoo-user] Resetting the root passwd
On 12.01.2012 00:09, Mike Edenfield wrote: From: Alan McKinnon [mailto:alan.mckin...@gmail.com] Sent: Wednesday, January 11, 2012 5:48 PM On Wed, 11 Jan 2012 17:08:04 -0500 Michael Mol mike...@gmail.com wrote: I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see steamingmonkeypile, nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :) I agree. Longer pass{words,phrases} only increases the difficulty of the problem, but not significantly so. After I read the aforementioned xkcd comic, my main question was how he defined the various bits of entropy for each thing done to a password. That seemed to be a crucial determining factor in why the common words password appeared so much harder than the goofy gibberish one. Some seemed more obvious to me than others. I'm also curious, using the latest modern password-cracking techniques, if his assessment really is accurate. As in, which of the following two passwords would take longer to crack: #purpl3.R$!n# dovesymbolcarprince --K Since both passwords are of nearly same length, the argument from the comic is not fulfilled: if you would use armageddonholycowencryptionworkshop you would have a relatively easy to remember, long password. Password length is far more important than using special characters... [1]
[1] http://www.infoworld.com/d/security-central/password-size-does-matter-531
Re: [gentoo-user] Resetting the root passwd
Alan McKinnon wrote: On Wed, 11 Jan 2012 17:08:04 -0500 Michael Mol mike...@gmail.com wrote: I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see steamingmonkeypile, nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :) I agree. Longer pass{words,phrases} only increases the difficulty of the problem, but not significantly so. I use those online password strength testers. I don't use the exact characters tho. I replace a character with a similar one. I may replace the letter A with the letter Z. I leave cases the same tho since they make a difference. I at least try to get them to 100% and for sites like my bank, I add a few more weird characters for good measure. The password I use for my banks has both upper and lower case, a few numbers and some of the thingys above the numbers on the top row. You know, !@#$%^*(). Mine is reasonably long but it is not based on anything related to me. It's just sort of a random thing that I can remember pretty well but HATE to type in. That's why I like Lastpass. It fills them in for me so that I can have a really nice strong password but I don't have to type it in each time. On a security related question. Why do so many people have their facebook accounts and other similar sites hacked? Do hackers just guess their passwords or do they break into the websites? I have facebook, myspace, google+ and a couple others and have had them for years. I have never had mine hacked into, at least not yet. I'm just curious. Is it a windoze thing? lol Dale :-) :-) -- I am only responsible for what I said ... 
Not for what you understood or how you interpreted my words! Miss the compile output? Hint: EMERGE_DEFAULT_OPTS=--quiet-build=n
Re: [gentoo-user] Re: korganize-4.7.3 broken
On Wednesday 11 January 2012 21:41:47 Mick wrote: My wife uses the full KDE and I'll have to break the news to her that Kmail which she prefers to T'bird may no longer be usable. I do hope things improve with Kmail. Me too. At least in the meantime you can put a set of atoms into package.mask to keep the working version of kmail. I had to do that because the 4.7 upgrade was horribly broken on this box. -- Rgds Peter Linux Counter 5290, 1994-04-23
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 17:48:50 -0600 Dale rdalek1...@gmail.com wrote: On a security related question. Why do so many people have their facebook accounts and other similar sites hacked? Do hackers just guess their passwords or do they break into the websites? I have facebook, myspace, google+ and a couple others and have had them for years. I have never had mine hacked into, at least not yet. I'm just curious. Is it a windoze thing? lol Nothing like that. Most people think they are very clever about passwords but they are actually rather dumb about it. Easiest way to break into many people's FaceBook page is to scrape their FaceBook page and throw a lexical analyser at it (that being the same class of software that search engines use - it looks for patterns in text. The software does not have the human bias we all have, so it can find relations that our minds are wired to ignore). The more public the person's FaceBook page is and the more activity it has on it, the greater the odds that they will leak enough information about themselves so that software can make a reasonable prediction about what sort of passwords they use. When you approach this problem with an understanding of human psychology you almost always find that the range of possible passwords for people is far far smaller than we think. I'll even tell you who are the WORST offenders: Geeks. Geeks are their own worst enemies, and their accounts are very valuable targets to crackers. Geeks are a niche class of humans and are prone to think the same way (not all the time of course, they just share much more in common with each other than the big group called humanity). Too many geeks think they are being cute with their clever password schemes. Here's a common one: something from Lord of The Rings translated to l337-speak sigh. And the geek who does it is blind to the fact that he's doing it - simple observer bias about self. 
That's not true for all geeks of course - some really do have well-nigh uncrackable passwords. But I find that when a geek is a victim of his own bias and does something dumbish, it's usually a spectacular level of dumbishness. -- Alan McKinnnon alan.mckin...@gmail.com
Re: [gentoo-user] Resetting the root passwd
On Wed, 11 Jan 2012 18:09:40 -0500 Mike Edenfield kut...@kutulu.org wrote: I agree. Longer pass{words,phrases} only increases the difficulty of the problem, but not significantly so. After I read the aforementioned xkcd comic, my main question was how he defined the various bits of entropy for each thing done to a password. That seemed to be a crucial determining factor in why the common words password appeared so much harder than the goofy gibberish one. Some seemed more obvious to me than others. I'm also curious, using the latest modern password-cracking techniques, if his assessment really is accurate. As in, which of the following two passwords would take longer to crack: #purpl3.R$!n# dovesymbolcarprince Interesting questions. Randall doesn't provide answers though. I suppose he knows his audience and assumes we'll understand the gist of what he's getting at and not demand full proof from him - it's his comic, not his PhD thesis :-) I noticed something about your first sample password, and it reveals a lot, I hinted at it in my reply to Dale. Look at the pattern one must type to enter that password (assuming a qwerty keyboard): A symbol, a partial word, then 7 nonsense symbols. The pattern of those symbols is highly significant - composed entirely of keystrokes in the upper left area and lower right area of the keyboard with a few Shifts thrown in for good measure. Almost as if you dropped both hands on the keyboard and wiggled your fingers without moving the entire hand much. How much entropy? A truck load less than you think! And how often do you think people will do that (or something similar) when creating passwords? How easy will it be for a dev with a clue to write cracker software that takes such biases into account? The second example looks better - four words that have no obvious connection with each other and will not usually be found together. Hence not much in the way of predictable pattern that I can see. 
Personally, I advocate using smart password generators like apg. The password truly is a random distribution of junk, but one that can be pronounced (a key factor in remembering it). It's not too hard to expand that to also use whole words, then you'd get a passphrase without your own inherent bias in it. Just be careful that you don't end up with a password containing the *developer's* own inherent bias :-) -- Alan McKinnnon alan.mckin...@gmail.com
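The question running through this sub-thread is how the bits of entropy are defined. They are a property of how a password was generated, not of the string itself, and the same 19 or 13 characters score very differently under different generation models. The Python sketch below is an added example, not from the thread; it computes the figures and generates a passphrase without human bias, as suggested above. The demo word list, the 200-word "favourites" pool and both guess rates are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 16-word demo list (4 bits per word). A usable list needs
# thousands of words: 2048 words give 11 bits each, which is where the
# 44-bit figure for four words in xkcd 936 comes from.
DEMO_WORDS = ["dove", "symbol", "car", "prince", "anvil", "meadow", "quartz",
              "ferry", "lantern", "tundra", "bishop", "walnut", "canyon",
              "pixel", "harbor", "violin"]


def bits_uniform(pool_size, picks):
    """Entropy in bits of `picks` independent, uniform choices from a pool."""
    return picks * math.log2(pool_size)


def seconds_to_search(bits, guesses_per_second):
    """Expected time to hit the secret: on average half the space is tried."""
    return (2 ** bits / 2) / guesses_per_second


def generate_passphrase(wordlist, n_words, sep="-"):
    """Pick words with a CSPRNG so no personal bias enters; return (phrase, bits)."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would lower the real entropy")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(words), bits_uniform(len(wordlist), n_words)


def models():
    """The thread's two password shapes under different generation models."""
    return {
        # shape of '#purpl3.R$!n#' if every character were truly random
        "13 chars, uniform over 94 printable ASCII": bits_uniform(94, 13),
        # shape of 'dovesymbolcarprince' if it were random letters
        "19 chars, uniform over a-z": bits_uniform(26, 19),
        # the same shape as four machine-picked words
        "4 words, uniform from a 2048-word list": bits_uniform(2048, 4),
        # the objection raised in the thread: people draw from a small pool
        "4 words, human pick from ~200 favourites": bits_uniform(200, 4),
    }


if __name__ == "__main__":
    ONLINE, OFFLINE = 1e3, 1e10  # guesses per second; both rates are assumptions
    year = 365.25 * 24 * 3600
    for name, bits in models().items():
        print("%-45s %5.1f bits  online %.3g years  offline %.3g years" % (
            name, bits,
            seconds_to_search(bits, ONLINE) / year,
            seconds_to_search(bits, OFFLINE) / year))
    print(generate_passphrase(DEMO_WORDS, 4))
```

The output shows why both camps have a point: four machine-picked words hold up against throttled online guessing, while the same count of human-favourite words loses more than 13 bits, and any of the word models falls quickly to a fast offline attack on a leaked hash.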
Re: [gentoo-user] ntpd crashing
On Tue, 2012-01-10 at 23:57 +, Peter Humphrey wrote: On Tuesday 10 January 2012 21:45:21 Jeff Cranmer wrote: Initially, the RTC options were not enabled in my kernel, but even after setting these, I'm still getting this error. I'm adding all the device drivers as modules and trying again to see if I can remove this error. I suspect it is the root cause of my ntp issues. It's possible that your kernel is creating /dev/rtc0 instead of /dev/rtc. What does ls -d /dev/rt* show? -- Rgds Peter Linux Counter 5290, 1994-04-23 There's nothing in /dev/rt* :-(
[gentoo-user] Re: Resetting the root passwd
On 01/11/2012 02:05 PM, Tanstaafl wrote: On 2012-01-11 4:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote: The site doesn't say much. It has one page, no internal links (quite a few external ones) and a single link to an image. Weird... the wiki tree is gone... there are a *ton* of pages there, I'll have to poke the maintainers... maybe they were updating mediawiki and broke something... Or maybe the server was hacked :p
[gentoo-user] Re: removal of esound
Hartmut Figge: I may take it upstream to mozilla.org. No need for that. I just heard the notification sound with the new build of SM. :) Hartmut -- Usenet-ABC-Wiki http://www.usenet-abc.de/wiki/ By users, for users :-)
[gentoo-user] Backup of remote virtual server
Hi, I have a remote Gentoo virtual server and want to implement a better backup/restore plan. There is no physical access to the server, so any backup must be done over the Internet. Right now I just create the occasional tarball and download it, and have used tar+ssh to restore, but that's not complicated enough. ;) The whole data uncompressed is about 5GiB but of course I can exclude distfiles and save a lot of bytes. I don't need a dd backup of the whole disk, just backup of its contents (complete system including / and everything in it) I'm curious what you, collective Gentoo-users, may be using to solve this problem. rsync, rdiff-backup, rsnapshot, dirvish, bacula, tar+ssh...? To me, one of the most important things of any backup solution is the ease at which data can be restored. In my case, restoration would probably happen from remotely booting into a recovery liveCD or on a new Gentoo virtual server image. Thanks, Paul
Re: [gentoo-user] Backup of remote virtual server
On Thu, Jan 12, 2012 at 3:09 PM, Paul Hartman paul.hartman+gen...@gmail.com wrote: Hi, I have a remote Gentoo virtual server and want to implement a better backup/restore plan. There is no physical access to the server, so any backup must be done over the Internet. Right now I just create the occasional tarball and download it, and have used tar+ssh to restore, but that's not complicated enough. ;) The whole data uncompressed is about 5GiB but of course I can exclude distfiles and save a lot of bytes. I don't need a dd backup of the whole disk, just backup of its contents (complete system including / and everything in it) I'm curious what you, collective Gentoo-users, may be using to solve this problem. rsync, rdiff-backup, rsnapshot, dirvish, bacula, tar+ssh...? To me, one of the most important things of any backup solution is the ease at which data can be restored. In my case, restoration would probably happen from remotely booting into a recovery liveCD or on a new Gentoo virtual server image. Thanks, Paul

    tar czf - file | ssh server "cat > file.tar.gz"

- Standard output (I know a little English) -- tlze