On 04/27/2011 09:19 PM, Aaron Toponce wrote:
> On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
>> In one of my prior lives, in a city far, far away, I worked for a
>> company that was required to do a "Sneakers" style penetration test.
>> This was a basic penetration test, not quite
On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
> In one of my prior lives, in a city far, far away, I worked for a
> company that was required to do a "Sneakers" style penetration test.
> This was a basic penetration test, not quite so grand as having Dan
> Aykroyd sitting in a se
Good story
On Wed, Apr 27, 2011 at 6:09 PM, Daniel Fussell wrote:
> On 04/27/2011 02:49 PM, Andrew McNabb wrote:
> > On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
> >> In the worst case,
>> the business may not open its doors tomorrow. Don't believe me? I
> >> watched an
On 04/27/2011 02:49 PM, Andrew McNabb wrote:
> On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
>> In the worst case,
>> the business may not open its doors tomorrow. Don't believe me? I
>> watched an $800 million company disappear literally overnight due to one
>> board member'
On Wed, Apr 27, 2011 at 2:30 PM, Daniel Fussell wrote:
>
> fall. But when all is said and done, social engineering is frequently
> the easiest and most successful attack.
>
>
I absolutely agree. While at BYU, I had a student, who loved security,
perform an audit on our systems and group. I told
On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
> In the worst case,
> the business may not open its doors tomorrow. Don't believe me? I
> watched an $800 million company disappear literally overnight due to one
> board member's lack of respect for security and common sense.
On 04/25/2011 07:18 PM, Matthew Gardner wrote:
> This whole conversation really comes down to this: what's your prior
> on the kinds of attacks that you expect? Because people have
> different beliefs about which attacks are likely, they come to
> different conclusions about security. If you
This whole conversation really comes down to this: what's your prior on the
kinds of attacks that you expect? Because people have different beliefs
about which attacks are likely, they come to different conclusions about
security. If you believe that someone who gains physical access to your
mach
Bottom Line: If your password system requirements make other links in the
chain weaker, then the chain as a whole is weaker.
> Everything Aaron said was right. Everything you used as counter examples
> was unrelated.
>
>
That's exactly my point!
How many passwords Jack the Ripper can reverse per m
On Mon, 2011-04-25 at 13:52 -0600, AJ ONeal wrote:
> How can you use jack the ripper to get into any of these?
Uhm... that's not what jack the ripper is for. Jack the ripper is
orthogonal to proper policy like locking accounts after a certain number
of failed login attempts.
After successfully co
On Mon, Apr 25, 2011 at 01:52:40PM -0600, AJ ONeal wrote:
>If you have physical access to my machine, you don't need jack the ripper.
>Just pop in a boot CD.
>All logins are done online these days.
>On an unprotected system where you're the only user and the site is using
>an ev
Aaron,
You can't make 4 million attempts a second.
How can you use jack the ripper to get into any of these?
- computer
- VPS (through ssh)
- blogspot account
- email
- bank account
- windows 7 activation code
If you have physical access to my machine, you don't need jack the
On Mon, Apr 25, 2011 at 01:16:01PM -0600, Robert LeBlanc wrote:
>I really think you mean the opposite of this. Salt enhances the flavor of
>food, the article was so off base that it would need a lot of salt to make
>it palatable.
Touché.
On Mon, Apr 25, 2011 at 12:50 PM, Aaron Toponce wrote:
>
> I guess I would take that article with a very, very small grain of salt.
>
I really think you mean the opposite of this. Salt enhances the flavor of
food, the article was so off base that it would need a lot of salt to make
it palatable.
On 4/16/2011 8:40 AM, AJ ONeal wrote:
> This is near and dear to my heart so I had to evangelize:
> http://www.baekdal.com/tips/password-security-usability
I have some problems with his writeup.
First, there's no reference to entropy, the key to search spaces. Anyone
who's anyone that knows anyth
On Tue, Apr 19, 2011 at 8:47 AM, Stuart Jansen wrote:
> On Tue, 2011-04-19 at 08:36 -0600, Brandon Pedersen wrote:
>> I have to point out that no one has yet shown that "this is fun" is
>> exactly 10 times more secure. ;-)
>
> http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.
On Tue, Apr 19, 2011 at 8:37 AM, Daniel Dilts wrote:
>> I have to point out that no one has yet shown that "this is fun" is
>> exactly 10 times more secure. ;-)
>
> Yes. Because it is exactly 10.0354762893 times more secure.
Ah, dang floating point arithmetic...always gets me
---
On Tue, 2011-04-19 at 08:36 -0600, Brandon Pedersen wrote:
> I have to point out that no one has yet shown that "this is fun" is
> exactly 10 times more secure. ;-)
http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html
BYU Unix Users Group
http://uug.b
>
> I have to point out that no one has yet shown that "this is fun" is
> exactly 10 times more secure. ;-)
Yes. Because it is exactly 10.0354762893 times more secure.
I have to point out that no one has yet shown that "this is fun" is
exactly 10 times more secure. ;-)
On Mon, Apr 18, 2011 at 4:13 PM, John Shaver wrote:
> On Mon, Apr 18, 2011 at 4:10 PM, Daniel Fussell wrote:
> >
> > Just use 12345. Experience shows that's the best password. Just ask any
> > Bank Manager, they all use it.
> >
> > ;-Daniel
> >
>
> "That's the stupidest [password] I've ever he
>
> Just use 12345. Experience shows that's the best password. Just ask any
> Bank Manager, they all use it.
>
> ;-Daniel
>
>
byucougars1 is preferred by BYU professors
AJ ONeal
On Mon, Apr 18, 2011 at 4:10 PM, Daniel Fussell wrote:
>
> Just use 12345. Experience shows that's the best password. Just ask any
> Bank Manager, they all use it.
>
> ;-Daniel
>
"That's the stupidest [password] I've ever heard of in my life! That's
the kinda thing an idiot would have on his lu
On 04/16/2011 02:21 PM, AJ ONeal wrote:
More importantly, why isn't SSO being used instead?
And in the rare case that authorization depends on discrete
authentication, what is the password being used for?
If it's a *bank password*, then J4fS<2 is terribly insecure.
Just use 12345. Experi
On Sunday, April 17, 2011 10:47:02 PM Joshua Lutes wrote:
> I have thought it ridiculous that banks force such weak passwords on me
> but now I wonder, given the discussion and the reading, if it might not
> be by design. You can only enter in the wrong password four or five
> times before you get
On Sun, Apr 17, 2011 at 6:47 PM, Robert LeBlanc wrote:
> I hate passwords/passphrases. Actually, I hate programmers who are idiots
> that program password/phrase requirements. I really hate when I can't use my
> strong password on banking website (where you should have a strong password)
> because
On Sun, Apr 17, 2011 at 7:47 PM, Robert LeBlanc wrote:
> I hate passwords/passphrases. Actually, I hate programmers who are idiots
> that program password/phrase requirements. I really hate when I can't use my
> strong password on banking website (where you should have a strong password)
> because
On Sun, Apr 17, 2011 at 6:41 PM, Alberto Trevino wrote:
> > It mentions both dictionaries and common words actually.
>
> You are right. The author did mention using combination of common words.
> However, I am very, very suspect of his numbers.
>
> In his example of the word "orange", he says it
> It mentions both dictionaries and common words actually.
You are right. The author did mention using combination of common words.
However, I am very, very suspect of his numbers.
In his example of the word "orange", he says it takes 3 minutes using common
words to crack. Yet, in his example o
On Sat, Apr 16, 2011 at 11:53 PM, Stephen M. McQuay wrote:
> On Sat, Apr 16, 2011 at 04:46:38PM -0600, Brent Thomson wrote:
>> I've always thought it was unfortunate that the term "password" caught
>> on instead of "pass phrase", "pass code", or "secret" since "password"
>> seems to imply that you
On Sat, Apr 16, 2011 at 04:46:38PM -0600, Brent Thomson wrote:
> I've always thought it was unfortunate that the term "password" caught
> on instead of "pass phrase", "pass code", or "secret" since "password"
> seems to imply that you should select an actual word and just one word.
I had no idea
I've always thought it was unfortunate that the term "password" caught
on instead of "pass phrase", "pass code", or "secret" since "password"
seems to imply that you should select an actual word and just one word.
-Brent
More importantly, why isn't SSO being used instead?
And in the rare case that authorization depends on discrete authentication,
what is the password being used for?
If it's a *bank password*, then J4fS<2 is terribly insecure.
He has it written in his wallet.
(My bank requires a short (6 min, 8
It mentions both dictionaries and common words actually.
On Apr 16, 2011 12:01 PM, "Alberto Treviño" wrote:
> On Saturday, April 16, 2011 8:40:27 AM AJ ONeal wrote:
>> This is near and dear to my heart so I had to evangelize:
>> http://www.baekdal.com/tips/password-security-u
On Saturday, April 16, 2011 8:40:27 AM AJ ONeal wrote:
> This is near and dear to my heart so I had to evangelize:
> http://www.baekdal.com/tips/password-security-usability
>
> I disagree only slightly in that
>
> * lookup tables for any password less than 12 characters are readily
> available
My strategy for passwords has been to write a couplet and then use the first
letter of each word along with the syllable timing as a password. Maybe I
should just skip the encoding and use the actual words. I have been told
that my ten to fifteen character abbreviations are too long by some sites
This is near and dear to my heart so I had to evangelize:
http://www.baekdal.com/tips/password-security-usability
I disagree only slightly in that
- lookup tables for any password less than 12 characters are readily
available
- devices can be tried several hundred times a second
The c
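The thread keeps trading figures (4 million guesses a second offline, a few hundred a second against a device, a bank locking the account after four or five failures, "this is fun" being "10 times" stronger than J4fS<2) without putting them on one scale. The following is an added example, not code from the thread or from the linked article, that does so: it computes the search space a guesser must cover under a brute-force model and under a dictionary-words model, then the worst-case time to exhaust it at an offline rate and at the sustained rate an online lockout policy allows. The guess rates, the 10,000-word dictionary, and the "5 tries, then a 15-minute lockout" policy are assumptions chosen to match the numbers quoted above, not measurements of any real system.

```python
"""Password search-space and time-to-exhaust model.

Added example for the thread above; the alphabet sizes, guess rates,
dictionary size and lockout parameters are assumptions, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 86400

# Alphabet sizes (assumptions): printable ASCII, and lowercase letters plus space.
PRINTABLE_ASCII = 95
LOWER_AND_SPACE = 27


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover if it knows only the
    alphabet and the length."""
    return alphabet_size ** length


def dictionary_space(words_in_dict: int, word_count: int) -> int:
    """Candidates if the attacker instead assumes the secret is word_count
    words drawn from a list of words_in_dict entries (the "orange" model)."""
    return words_in_dict ** word_count


def entropy_bits(space: int) -> float:
    """Search space expressed in bits."""
    return math.log2(space)


def lockout_rate(attempts_before_lock: int, lockout_seconds: int) -> float:
    """Sustained guesses per second an online attacker gets against one
    account when the service locks it for lockout_seconds after
    attempts_before_lock failures. Independent of the hash or the password."""
    return attempts_before_lock / lockout_seconds


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried. Expected time is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(candidates, offline_rate: float, online_rate: float):
    """For each (label, space) pair, return bits and worst-case years at an
    offline (stolen hash) rate and at an online (rate-limited) rate."""
    return [
        {
            "label": label,
            "bits": round(entropy_bits(space), 1),
            "offline_years": years_to_exhaust(space, offline_rate),
            "online_years": years_to_exhaust(space, online_rate),
        }
        for label, space in candidates
    ]


if __name__ == "__main__":
    OFFLINE = 4_000_000                 # guesses/s quoted in the thread (assumed)
    ONLINE = lockout_rate(5, 15 * 60)   # assumed policy: 5 tries, then 15 min lockout
    candidates = [
        ("J4fS<2, 6 printable chars, brute force",
         brute_force_space(PRINTABLE_ASCII, 6)),
        ("this is fun, 11 lower+space, brute force",
         brute_force_space(LOWER_AND_SPACE, 11)),
        ("this is fun, 3 words from a 10k-word list",
         dictionary_space(10_000, 3)),
    ]
    for row in compare(candidates, OFFLINE, ONLINE):
        print(f"{row['label']:44} {row['bits']:5.1f} bits  "
              f"offline {row['offline_years']:10.2e} y  "
              f"online {row['online_years']:10.2e} y")
```

Two things fall out of running it. Under the offline model, the phrase's advantage over J4fS<2 depends entirely on what the guesser assumes: as raw lowercase-plus-space it is about 52 bits and takes decades at 4 million guesses a second, but as three words from a 10,000-word list it is about 40 bits, the same ballpark as the six printable characters, and falls in days; that is the gap between the article's numbers and the "orange" objection above. Under the online model, the lockout parameters alone fix the attacker's rate, and even the six-character password takes millions of years to exhaust, which is the sense in which a cracker and a lockout policy are orthogonal controls: the former matters once the hash database has leaked, the latter until then.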