Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On 04/16/2011 05:53 PM, Stuart Jansen wrote:
> They're all physical objects that are easy to steal, yet you (hopefully)
> realize immediately that because we keep them physically close they're
> sufficiently secure. Write down a password and it becomes the equivalent
> of a physical security token, just keep it safe.

Would you actually advise the public to write down their passwords, knowing that people leave their wallets or purses unattended quite frequently? Stealing a written password requires only a glance or a camera. There could easily be no evidence whatsoever of the password theft. Written passwords are not at all equivalent to physical security tokens.

Shane

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On Sun, Apr 17, 2011 at 10:48 AM, Andrew McNabb wrote:
> I agree with you, but some (or most?) people who write down passwords
> end up leaving them stuck to their monitor. As you mentioned, it
> becomes like a physical security token, so it's important to be careful
> with it. Too many people aren't.

Arguably, if people can get to your monitor, they could probably also do something like install a keylogger on your keyboard. Of course, that would increase the complexity of the attack, but even so there is a limit to how much one can trust a computer that isn't physically secure.

--
John C. McCabe-Dansted
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On Sat, Apr 16, 2011 at 05:53:50PM -0600, Stuart Jansen wrote:
>
> I'm tired of hearing that writing down passwords is insecure. Do you
> consider your car key insecure? Your house key? Your credit card?
> They're all physical objects that are easy to steal, yet you (hopefully)
> realize immediately that because we keep them physically close they're
> sufficiently secure. Write down a password and it becomes the equivalent
> of a physical security token, just keep it safe.

I agree with you, but some (or most?) people who write down passwords end up leaving them stuck to their monitor. As you mentioned, it becomes like a physical security token, so it's important to be careful with it. Too many people aren't.

--
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868
Re: [OT] Flame/Rant - Qwest!!
snip

> Comcast has been good to me and my family for the past year or so. The
> speed is a consistent 15 Mbps, latency is often under 100 ms, and packet
> loss is very low. I've been using MRTG to chart service downtime and
> Comcast has done a lot better than Qwest did.
>
> I have a friend 5 miles away who has had a much lower success rate with
> Comcast. I suspect either Comcast supports my area better or the
> hardware on my end is better: a Motorola SB6120, a Buffalo
> WZR-HP-G300NH, and a Trendnet TEG-S80G. All three devices can easily
> handle 10X the line speed.
>
> Even though my experience has been great, I hesitate to recommend
> Comcast to anyone because their monthly cost is relatively high, their
> corporate practices are greedy, and my friends have not had the same
> experience.
>
> Shane

I have Comcast in Payson. It has strange problems. SSH connections usually stay up, but the HTTP connections just stop working at least once a day until I reboot my router.

I used to have Qwest DSL and it would disconnect several times a night. I have to do system software upgrades on 200-250 systems every 4 weeks. This made Qwest completely unacceptable and Comcast tolerable (thanks to screen).

Unfortunately UTOPIA isn't installing in Payson, even though it is one of the cities belonging to it.
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
Thus said Shane Hathaway on Sat, 16 Apr 2011 16:31:16 MDT:
> Maybe you're saying we should scare people into using better
> passwords, but I suggest people don't react well to being frightened.

Being informed of risks is not the same thing as frightening someone. I was suggesting that you expose them to the *true* risk of having their account compromised due to insecure passwords. If the risk they incur is merely that someone might obtain access to their private stash of family photos, then they will know how secure to keep their password.

And yes, if the system contains high risk material, then I would argue that an extremely difficult password written down on a piece of paper and stored in a wallet is very secure, compared to a weak password policy which allows people to use dictionary based passwords. It all depends on where the system is located and how it is accessed. I don't think there is a universal password policy that applies everywhere.

> In particular, I think we humans are very good at handling words,
> while we are not as good at handling individual characters. We can't
> easily treat our linguistic memory as digital.

You might be right on this point. In this case, you should require a minimum of 32 characters, that way people will naturally start using passphrases instead of passwords (you can help by saying ``pick a sentence for your passphrase.'').

Andy
Re: [OT] Flame/Rant - Qwest!!
I personally find using the BBB in issues like this has always fixed the problem :)

On Sat, Apr 16, 2011 at 8:32 PM, Brad Midgley wrote:
> Joshua
>
>> So, who does everyone use? I'm in Lehi and Qwest has similar problems. I'm
>> trying Clear, but I'm not impressed with their speeds. You can basically
>> have one person doing something online. Any more than that and it degrades
>> exponentially.
>
> this sounds like the perfect candidate for a VPN. Your ISP should not
> be shaping traffic, so make it a lot harder for them to analyze it. I
> used to do this with a Verizon "unlimited" connection that would
> disconnect if they could tell I was masquerading connections behind
> it.
>
> --
> Brad Midgley

--
Nick Barker
Re: [OT] Flame/Rant - Qwest!!
Joshua

> So, who does everyone use? I'm in Lehi and Qwest has similar problems. I'm
> trying Clear, but I'm not impressed with their speeds. You can basically
> have one person doing something online. Any more than that and it degrades
> exponentially.

this sounds like the perfect candidate for a VPN. Your ISP should not be shaping traffic, so make it a lot harder for them to analyze it. I used to do this with a Verizon "unlimited" connection that would disconnect if they could tell I was masquerading connections behind it.

--
Brad Midgley
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On Sat, 2011-04-16 at 16:31 -0600, Shane Hathaway wrote:
> K`4i-&]r
> <*Xe>o]4
> ,ru7V;RO}x
> CFp<7xY[?
> K,$q42lC
> C3@-*TD\k
>
> These are all insecure passwords because nearly everyone will write them
> down. Maybe you're saying we should scare people into using better
> passwords, but I suggest people don't react well to being frightened.

I'm tired of hearing that writing down passwords is insecure. Do you consider your car key insecure? Your house key? Your credit card? They're all physical objects that are easy to steal, yet you (hopefully) realize immediately that because we keep them physically close they're sufficiently secure. Write down a password and it becomes the equivalent of a physical security token, just keep it safe.
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On 04/16/2011 03:49 PM, Andy Bradford wrote:
> Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:
>
>> I want to include this idea in the password meters I create for web
>> applications. I need a better password scoring algorithm. I don't want
>> to *require* any minimum password complexity (other than a minimum
>> password length), but I do want to help the user choose a good
>> password.
>
> Inform them of the risks of using a bad password and what kinds of
> information will be compromised due to a bad password, let them make
> their own risk assessment. Offer a button that says ``Generate a secure
> password for me,'' and then call apg -a 1 -M SLNC (or whatever options
> you think are good for your applications), serve it up to them over SSL,
> and see if they take it. If this isn't enough to convince them to use a
> stronger password, then they have been warned.

Hmm, "apg -a 1 -M SLNC" produces:

K`4i-&]r
<*Xe>o]4
,ru7V;RO}x
CFp<7xY[?
K,$q42lC
C3@-*TD\k

These are all insecure passwords because nearly everyone will write them down. Maybe you're saying we should scare people into using better passwords, but I suggest people don't react well to being frightened.

Shane
Re: [OT] Flame/Rant - Qwest!!
On 04/16/2011 01:19 PM, Joshua Marsh wrote:
> On Sat, Apr 16, 2011 at 12:48, Nicholas Leippe wrote:
>
>> On Sat, Apr 16, 2011 at 12:04 PM, Ryan Simpkins
>> wrote:
>>>
>>> When dealing with Qwest, caveat emptor!
>>
>> I coulda told ya that. :)
>>
>> Hope you get it worked out.
>>
>
> So, who does everyone use? I'm in Lehi and Qwest has similar problems. I'm
> trying Clear, but I'm not impressed with their speeds. You can basically
> have one person doing something online. Any more than that and it degrades
> exponentially.

Comcast has been good to me and my family for the past year or so. The speed is a consistent 15 Mbps, latency is often under 100 ms, and packet loss is very low. I've been using MRTG to chart service downtime and Comcast has done a lot better than Qwest did.

I have a friend 5 miles away who has had a much lower success rate with Comcast. I suspect either Comcast supports my area better or the hardware on my end is better: a Motorola SB6120, a Buffalo WZR-HP-G300NH, and a Trendnet TEG-S80G. All three devices can easily handle 10X the line speed.

Even though my experience has been great, I hesitate to recommend Comcast to anyone because their monthly cost is relatively high, their corporate practices are greedy, and my friends have not had the same experience.

Shane
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:
> I want to include this idea in the password meters I create for web
> applications. I need a better password scoring algorithm. I don't want
> to *require* any minimum password complexity (other than a minimum
> password length), but I do want to help the user choose a good
> password.

Inform them of the risks of using a bad password and what kinds of information will be compromised due to a bad password, let them make their own risk assessment. Offer a button that says ``Generate a secure password for me,'' and then call apg -a 1 -M SLNC (or whatever options you think are good for your applications), serve it up to them over SSL, and see if they take it. If this isn't enough to convince them to use a stronger password, then they have been warned.

Andy
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On 04/16/2011 02:21 PM, AJ ONeal wrote:
> More importantly, why isn't SSO being used instead?

Let's say you're developing a public web site and you want people to access it more securely than they would access a blog. What kind of authentication would you use? I doubt it would make sense to use Facebook, Twitter, Google, and so on as an SSO service since people frequently use poor passwords with those services. OpenID has major usability problems. Are there any other SSO options that public web sites can use? (Shibboleth, Kerberos, client SSL certs, and others require client-side configuration, making them useless for public web sites.)

> And in the rare case that authorization depends on discrete
> authentication, what is the password being used for?
> If it's a *bank password*, then J4fS<2 is terribly insecure.
>
> He has it written in his wallet.

Agreed, that's why all password fields should allow passphrases and password meters should rank "this is fun" at least as high as "J4fS<2".

> (My bank requires a short (6 min, 8 max) password with randomness.

Your bank is foolish to disallow more than 8 characters.

> If it's *e-mail*, the strength of the password is incredibly important,

Correct. In today's environment, e-mail passwords are effectively SSO passwords.

> With the e-mail password you can get the plain-text password sent to you
> from any blog or like account.

I assume you're also talking about clueful web site operators who store only a salted password hash, never the plaintext password; clueful web sites still allow you to reset your password by sending a secret URL to your email address.

> The strongest password is one that you don't write down or give out.
> Mathematically fits the bill in my book.

I think "mathematically" should be allowed as a password, but not scored very high, since I believe it is much more guessable than a phrase even as simple as "this is fun".

Shane
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
More importantly, why isn't SSO being used instead?

And in the rare case that authorization depends on discrete authentication, what is the password being used for?

If it's a *bank password*, then J4fS<2 is terribly insecure.

He has it written in his wallet.

(My bank requires a short (6 min, 8 max) password with randomness. My muscle memory knows how to type it on a 100% full-sized qwerty keyboard but I don't actually remember what it is, just how my fingers move. For the times when I'm mobile or using an 80% size keyboard I have to reach in to find it)

Actually, all bank passwords are meaningless because every bank I've ever used asks the same 4 questions. A quick Google search reveals that on Facebook he's listed his mother's maiden name. His Google profile shows that he's from Newport. He just tweeted a pic of Spot, his dog.

If it's a *corporate password*, J4fS<2 is terribly insecure.

She has it written on a sticky on her monitor. It's also in the meeting room whiteboard. (Just go to a user-group meeting hosted at a medium-sized business some time)

Generally speaking, you can just call the secretary, say that you lost your sticky with the IT guy's number. Wait until the end of the month and then call the IT guy and tell him that you got locked out trying to put in Thursday's password after you were forced to reset it Friday and forgot it over the weekend.

If it's *e-mail*, the strength of the password is incredibly important, but J4fS<2 might work because it is typed every few days... just difficult to type on a mobile device.

With the e-mail password you can get the plain-text password sent to you from any blog or like account. Then you can log into the bank account as well - even if you are too lazy for a quick Google search. Furthermore, you can lock the user out so that she can't reset her bank password.

The strongest password is one that you don't write down or give out. Mathematically fits the bill in my book.

AJ ONeal

On Sat, Apr 16, 2011 at 12:41 PM, Shane Hathaway wrote:
> On 04/16/2011 08:40 AM, AJ ONeal wrote:
>
>> This is near and dear to my heart so I had to evangelize:
>> http://www.baekdal.com/tips/password-security-usability
>>
>
> I want to include this idea in the password meters I create for web
> applications. I need a better password scoring algorithm. I don't want to
> *require* any minimum password complexity (other than a minimum password
> length), but I do want to help the user choose a good password.
>
> Would it be reasonable to score based on the number of unique characters in
> the password?
>
> - "abc" gets 3
> - "aaa" gets 1
> - "this is fun" gets 8
> - "J4fS<2" gets 6
> - "abcdefgh" gets 8
>
> This was OK until I got to "abcdefgh", which should have a very low score.
> Maybe I could fix that by not increasing the score for obvious character
> sequences (either alphabetical or QWERTY-style). Then "a1b2c3d4" would
> still get too high a score, which I might fix by detecting interleaved
> sequences as well.
>
> What about long words? The word "mathematically" has 14 characters and
> would score 9 using the unique character count algorithm, but any dictionary
> word is quite insecure. I can't just look for words in a dictionary, since
> names and foreign words are equally insecure, so it would be unreasonable to
> compile a list of all common words worldwide.
>
> Maybe the algorithm should look for word separators like spaces and dashes,
> then score each word separately and multiply the scores of all the words.
> Combining that with sequence detection:
>
> - "abc" gets 1
> - "aaa" gets 1
> - "this is fun" gets 4 * 2 * 3 = 24
> - "J4fS<2" gets 6
> - "abcdefgh" gets 1
> - "a1b2c3d4" gets 2
> - "mathematically" gets 9
> - "i loved what i had for breakfast" gets 1*5*4*1*3*3*8 = 1440
>
> This is looking better, but I still want "J4fS<2" to get a higher score
> than "mathematically". Maybe the algorithm should multiply the word score
> by the number of character classes it contains. "J4fS<2" contains 4
> character classes (upper case, lower case, digit, and symbol), so it gets a
> score of 6 * 4 = 24. OTOH, "Mathematically" would then get 18, so if a word
> contains only letters, I don't want to boost that word's score.
>
> Does anyone have better suggestions? Or better... a complete password
> scoring algorithm? :-)
>
> Shane
Re: [OT] Flame/Rant - Qwest!!
On Sat, Apr 16, 2011 at 12:48, Nicholas Leippe wrote:
> On Sat, Apr 16, 2011 at 12:04 PM, Ryan Simpkins
> wrote:
> >
> > When dealing with Qwest, caveat emptor!
>
> I coulda told ya that. :)
>
> Hope you get it worked out.
>

So, who does everyone use? I'm in Lehi and Qwest has similar problems. I'm trying Clear, but I'm not impressed with their speeds. You can basically have one person doing something online. Any more than that and it degrades exponentially.
Re: [OT] Flame/Rant - Qwest!!
On Sat, Apr 16, 2011 at 12:04 PM, Ryan Simpkins wrote:
>
> When dealing with Qwest, caveat emptor!

I coulda told ya that. :)

Hope you get it worked out.
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
On 04/16/2011 08:40 AM, AJ ONeal wrote:
> This is near and dear to my heart so I had to evangelize:
> http://www.baekdal.com/tips/password-security-usability

I want to include this idea in the password meters I create for web applications. I need a better password scoring algorithm. I don't want to *require* any minimum password complexity (other than a minimum password length), but I do want to help the user choose a good password.

Would it be reasonable to score based on the number of unique characters in the password?

- "abc" gets 3
- "aaa" gets 1
- "this is fun" gets 8
- "J4fS<2" gets 6
- "abcdefgh" gets 8

This was OK until I got to "abcdefgh", which should have a very low score. Maybe I could fix that by not increasing the score for obvious character sequences (either alphabetical or QWERTY-style). Then "a1b2c3d4" would still get too high a score, which I might fix by detecting interleaved sequences as well.

What about long words? The word "mathematically" has 14 characters and would score 9 using the unique character count algorithm, but any dictionary word is quite insecure. I can't just look for words in a dictionary, since names and foreign words are equally insecure, so it would be unreasonable to compile a list of all common words worldwide.

Maybe the algorithm should look for word separators like spaces and dashes, then score each word separately and multiply the scores of all the words. Combining that with sequence detection:

- "abc" gets 1
- "aaa" gets 1
- "this is fun" gets 4 * 2 * 3 = 24
- "J4fS<2" gets 6
- "abcdefgh" gets 1
- "a1b2c3d4" gets 2
- "mathematically" gets 9
- "i loved what i had for breakfast" gets 1*5*4*1*3*3*8 = 1440

This is looking better, but I still want "J4fS<2" to get a higher score than "mathematically". Maybe the algorithm should multiply the word score by the number of character classes it contains. "J4fS<2" contains 4 character classes (upper case, lower case, digit, and symbol), so it gets a score of 6 * 4 = 24. OTOH, "Mathematically" would then get 18, so if a word contains only letters, I don't want to boost that word's score.

Does anyone have better suggestions? Or better... a complete password scoring algorithm? :-)

Shane
[OT] Flame/Rant - Qwest!!
I recently decided to try Qwest's new FTTN service. For those of you that know me, you know I'm very fair and try to be honest. Here is what happened:

- I called Qwest and worked out all the details regarding their 20Mbps FTTN service. They assured me that there was a 30 day money back guarantee. All sounded great, and they were very helpful.
- The morning of installation the service appeared to operate normally. 60ms to plug.org, full 20Mbps. w00t. Install happened in the morning.
- That night, round-trips started peaking in the 300ms range. Total throughput to the Salt Lake Qwest bandwidth testing tool fell to less than 4Mbps.
- For the week that followed (exactly 7 days) round-trip times would become very high in the evenings around 5pm. Bandwidth was terrible. It wouldn't improve until after midnight.
- I called Qwest to resolve the situation. The tech, after having me reset the modem and do all the normal troubleshooting, said something along the lines of "Well, Ryan, I have to admit something. It turns out there is a known problem with congestion in your area, and there has been for about a month. It will be fixed in [two months]." The actual date was really two months away. There was no offer made to correct the bill or handle the situation. This is something they knew was a problem, yet still decided to sell me a service they couldn't properly deliver.
- I canceled the service the next morning with Qwest billing. The billing rep made no attempt to adjust the bill. When I explained the reason I was canceling was due to network congestion, she kind of gave that "ohhh" sound like she had heard it before.
- I got a bill a week later for $80. I called Qwest and explained I expected to pay nothing due to the fact I had the service less than 30 days, and that there was a refund promised. Billing said to wait, it would work itself out and I would get the adjustment notice in a few weeks.
- Three weeks later, I got a bill from a collection agency (ERS). Qwest wanted $64 from me. This just got a lot more aggravating.

When dealing with Qwest, caveat emptor!

-Ryan
Re: [OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
My strategy for passwords has been to write a couplet and then use the first letter of each word along with the syllable timing as a password. Maybe I should just skip the encoding and use the actual words. I have been told that my ten to fifteen character abbreviations are too long by some sites, though, so that might throw a kink into using passphrases.

Joshua.
[OT] Why the password "this is fun" is 10x more secure than "J4fS<2"
This is near and dear to my heart so I had to evangelize:
http://www.baekdal.com/tips/password-security-usability

I disagree only slightly in that
- lookup tables for any password less than 12 characters are readily available
- devices can be tried several hundred times a second

The counter argument:
- If the attacker has physical access to the device or database in the first place, all bets are off

And, of course, the best password is the one that you can stick on the sticky note and no one will be any the wiser:

"Call John at 6:30"
"Meeting on Tuesday"
"mail dropoff before 5"

AJ ONeal