> different and strong passwords written down in his desk drawer to each account

:) Well, the folks in IT departments usually have something that sounds like a clean desktop policy (approved by the vice president in charge of passwords...)

> I like the hint they put in the headlines. It says "safe, faster, and easier" and not "safer, faster, and easier." :)
>
> I see several objections to OpenID, the biggest one by far being the fact that, assuming the most common implementation, you entrust authentication to a lot of third parties, which means some of the breach and downtime venues aren't controlled by you. You could technically run your own OpenID auth server and allow only that server, but then no one can use their current OpenID accounts and you miss the point of having it.
>
> Then we have the more obvious objections such as "one set of credentials to rule them all? You must be mad!" But in the end, end-user security is nothing but compromises and tradeoffs. If you were to choose between the user having different but weak passwords in his head to each account, different and strong passwords written down in his desk drawer to each account, or only one strong password in his head to all accounts, what would you choose?
>
> What indeed?
>
> [email protected] wrote:
>
>> :) do you mean these? http://openid.net/
>>
>>> Not at all. There are plenty of free solutions out there, people only need to start using them. And also boycott service providers with lacklustre security practices.
>>>
>>> Yahoo! has been setting the standard for bad practices in general for many years now. Why some people still insist on using them is beyond me.
>>>
>>> dkataike <[email protected]> wrote:
>>>
>>>> Sent from Samsung Mobile
>>>>
>>>> kizito Mudambo <[email protected]> wrote:
>>>>
>>>> we need to find a long term solution for these issues... look at man-in-the-middle attack, we are at the mercy of hackers unless you use a PGP, GPG or military grade encryption...
>>>>
>>>> On Dec 10, 2012 8:22 PM, "[email protected]" <[email protected]> wrote:
>>>>
>>>> Password authentication, when implemented correctly, is safe enough for low-sec purposes. While brute force is effective *eventually*, if five consecutive authentication failures lead to account lockdown and a red flag somewhere, such an attack will not be feasible. Unfortunately, in the last few years some larger soc sites (I'm looking at you, Twitter) have been inexcusably lax in their security, with no limits on authentication failures whatsoever. If you are in charge of a web site implementing password authentication and it does not have measures against repetitive failures, give yourself a good hard slap across the face and rectify this.
>>>>
>>>> That said, I've been a proponent of pre-shared key authentication for several years. All major browsers support this reasonably uniformly, and the reason we're not using it boils down to laziness and some drawbacks which are rapidly getting outmoded. Several years ago people used several different computers as temporary workstations as they only owned a non-portable desktop computer if they owned any computer at all. Nowadays we do our work with laptops, tablets, and smartphones. We seldom use another person's terminal anymore, because we always carry our own terminals in our bags and pockets. Using shared keys has suddenly become more feasible; I hope our providers get with the program soon.
>>>>
>>>> kizito Mudambo <[email protected]> wrote:
>>>>
>>>> doesn't yahoomail support 2 step authentication... the real truth is passwords are no longer safe enough no matter how strong they are.... the only way for now is two step authentication as simple as that
>>>>
>>>> On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:
>>>>
>>>> I don't know how the breach took place but I highly doubt it was guessed coz I think it had the characteristics of a good password.
>>>> 1: it was quite long (over 10+ characters)
>>>> 2: had alternating capitalization
>>>> 3: had at least 1 special character
>>>> 4: was unrelated to my cat, team, etc
>>>>
>>>> Colline
>>>>
>>>> ------------------------------
>>>> On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:
>>>>
>>>>> Most *targeted* breaches are, yes. If you know a specific user and you want that user's account, specifically, then password-guessing is common. But this was quite evidently not a targeted breach, otherwise spam would be the least of his/her problems. Most non-targeted breaches (as in: "I have this lovely piece of spam I want to distribute, so I need one thousand hacked accounts") happen through lousy workstation security, with spyware or MITM attacks swiping the credentials.
>>>>>
>>>>> I'm curious. What was your password, Colline? Since you've changed it, it shouldn't hurt to reveal it, right?
>>>>>
>>>>> On 10 December 2012 11:58, Victor van Reijswoud <[email protected]> wrote:
>>>>>
>>>>>> Most breaches are because of poor passwords (except this one, of course :) ). Interesting overview here:
>>>>>> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
>>>>>>
>>>>>> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <[email protected]> wrote:
>>>>>>
>>>>>> Any idea how the breach happened yet? Password-guessing for spam-related purposes is quite rare nowadays, with sophisticated brute force protection and especially if the password is a good strong one (which I assume, since you're a Linux user and thus have common sense). Did you have your password written down somewhere accessible? Did you save it with a password manager on a public computer? Did you link your account to some other account (Facebook/Twitter/&c.) which is compromised?
>>>>>>
>>>>>> On 10 December 2012 10:28, Colline Waiswa <[email protected]> wrote:
>>>>>>
>>>>>>> Seeing as my sent mail folder is full of that message sent to all my contacts, I am pretty sure the mailbox was gotten into
>>>>>>>
>>>>>>> Colline
>>>>>>>
>>>>>>> ------------------------------
>>>>>>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
>>>>>>>
>>>>>>> >On 9 December 2012 17:37, Benjamin Tayehanpour <[email protected]> wrote:
>>>>>>> >
>>>>>>> > Without SPF protection, I could send e-mails which look like they originate from your account, and the receiver will have no means of verifying the sender address since SPF isn't implemented. That's one of many reasons why Yahoo! is a bad e-mail service provider. I'm not saying we should ban all users of Yahoo!; I'm saying Yahoo! as a service provider should be boycotted due to the numerous flaws in their service.
>>>>>>> >
>>>>>>> > That said, I'm glad you managed to change the password so you didn't lose the account. Such things can be a real pain otherwise! Do you know how the breach happened?
>>>>>>> >
>>>>>>> >The "breach" will most likely happen again... I doubt that the person actually got into his mailbox. Most spam from yahoo addresses tends to be from botnets that take advantage of the fact that one cannot legitimately check whether it's actually Yahoo who sent the email.
>>>>>>> >
>>>>>>> >--
>>>>>>> >Mike
>>>>>>> >
>>>>>>> >Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
>>>>>>> >------------------------------------------------------------

_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to:
[email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
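The lockout rule argued for in the thread (five consecutive failures lock the account and raise a red flag), as an added example that is not part of the original mailing-list discussion. The log format, user names and addresses below are constructed for the example; a success resets the counter, and once an account is locked every later attempt is refused and flagged, including one that presents the correct password.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # consecutive failures before lockout, the figure used in the thread

# Constructed sample log lines (not from any real system); "<ts> <OK|FAIL> user=<u> ip=<a>".
SAMPLE_LOG = """\
2012-12-10T08:00:01 FAIL user=alice ip=198.51.100.7
2012-12-10T08:00:02 FAIL user=alice ip=198.51.100.7
2012-12-10T08:00:03 FAIL user=alice ip=198.51.100.7
2012-12-10T08:00:04 FAIL user=alice ip=198.51.100.7
2012-12-10T08:00:05 FAIL user=alice ip=198.51.100.7
2012-12-10T08:00:06 OK   user=alice ip=198.51.100.7
2012-12-10T08:01:00 FAIL user=bob ip=203.0.113.9
2012-12-10T08:01:30 OK   user=bob ip=203.0.113.9
2012-12-10T08:02:00 FAIL user=bob ip=203.0.113.9
2012-12-10T08:02:01 FAIL user=bob ip=203.0.113.9
2012-12-10T08:02:02 FAIL user=bob ip=203.0.113.9
2012-12-10T08:02:03 FAIL user=bob ip=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$")


def evaluate_login_attempts(log_text, threshold=LOCKOUT_THRESHOLD):
    """Replay auth log lines in order and apply the consecutive-failure lockout rule.

    Returns (locked, flags): the set of locked accounts and the red-flag events
    (timestamp, user, ip, reason). A success resets the streak; after lockout
    every further attempt on that account is refused and flagged, so a guess
    that finally lands still does not grant access.
    """
    streak = defaultdict(int)
    locked = set()
    flags = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole replay
        ts, result, user, ip = m.group("ts", "result", "user", "ip")
        if user in locked:
            flags.append((ts, user, ip, "attempt on locked account"))
            continue
        if result == "OK":
            streak[user] = 0
            continue
        streak[user] += 1
        if streak[user] >= threshold:
            locked.add(user)
            flags.append((ts, user, ip, f"{threshold} consecutive failures, account locked"))
    return locked, flags
```

In the sample, alice is locked on the fifth failure and her following correct login is refused, while bob's four failures after a reset stay under the threshold.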
