On Tue, Jan 17, 2012 at 12:22:35AM +, Ed W wrote:
> Note I personally believe there are valid reasons to store
> plaintext passwords - this seems to cause huge criticism due to
> the ensuing disaster which can happen if the database is pinched,
> but it does allow for enhanced security in the p
On 05/01/2012 01:19, Pascal Volk wrote:
On 01/03/2012 09:40 PM Charles Marcus wrote:
Hi everyone,
Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt wit
On 01/05/2012 12:31 PM Charles Marcus wrote:
> …
> You said above that 'yes, I can use it with dovecot' - but what about
> postfix and mysql... where/how do they fit into this mix? My thought was
> that there are two issues here:
>
> 1. Storing them in bcrypted form, and
For MySQL the bcrypted
On 01/05/2012 11:36 AM, Charles Marcus wrote:
On 2012-01-05 11:21 AM, Willie Gillespie wrote:
If the phone knows the password and I have the phone, then I have the
password. Similarly, if I compromise the workstation that knows the
password, then I also have the password.
Interesting... I tho
On 01/05/2012 01:37 PM, Charles Marcus wrote:
> On 2012-01-05 11:31 AM, Michael Orlitzky wrote:
>> Ugh, sorry. I went to the link that someone else quoted:
>>
>>https://www.grc.com/haystack.htm
>
Gibson *is* a renowned crackpot.
>
> Don't know about that, but I do know from long experience
On 2012-01-05 11:31 AM, Michael Orlitzky wrote:
Ugh, sorry. I went to the link that someone else quoted:
https://www.grc.com/haystack.htm
Gibson *is* a renowned crackpot.
Don't know about that, but I do know from long experience Spinrite rocks!
Maybe
--
Best regards,
Charles
On 2012-01-05 11:21 AM, Willie Gillespie wrote:
If the phone knows the password and I have the phone, then I have the
password. Similarly, if I compromise the workstation that knows the
password, then I also have the password.
Interesting... I thought they were stored encrypted. I definitely u
On 01/05/12 11:14, Charles Marcus wrote:
>
> Ummm... yes, he does... from tfa:
>
> "Salts Will Not Help You
>
> It’s important to note that salts are useless for preventing dictionary
> attacks or brute force attacks. You can use huge salts or many salts or
> hand-harvested, shade-grown, organic
On 1/5/2012 9:14 AM, Charles Marcus wrote:
On 2012-01-05 10:28 AM, Michael Orlitzky wrote:
On 01/05/12 06:26, Charles Marcus wrote:
You realize they're just walking around with a $400 post-it note with
the password written on it, right?
Nope, you are wrong - as I have patiently explained be
On 2012-01-05 10:28 AM, Michael Orlitzky wrote:
On 01/05/12 06:26, Charles Marcus wrote:
To prevent rainbow table attacks, salt your passwords. You can make them
a little bit more difficult in plenty of ways, but salt is the
/solution/.
Go read that link (you obviously didn't yet, because he
On 01/05/12 10:28, Michael Orlitzky wrote:
>>
>> Nope, you are wrong - as I have patiently explained before. They do not
>> *need* to write their password down.
>>
>
> They have them written down on their phones. If someone gets a hold of
> the phone, he can just read the password off of it.
I sh
On 01/04/12 21:06, Patrick Domack wrote:
>
> But still, the results are all the same, if they get the hash, it can be
> broken, given time. Using more cpu expensive methods make it take longer
> (like adding salt, more complex hash). But the end result is they will
> have it if they want it.
>
U
On 01/05/12 06:26, Charles Marcus wrote:
>
>> To prevent rainbow table attacks, salt your passwords. You can make them
>> a little bit more difficult in plenty of ways, but salt is the
>> /solution/.
>
> Go read that link (you obviously didn't yet, because he claims that
> salting passwords is ne
Quoting Noel Butler :
On Thu, 2012-01-05 at 04:05 +0100, Pascal Volk wrote:
On 01/05/2012 03:36 AM Noel Butler wrote:
>
> Because with multiple servers, we store them all in (replicated)
> mysql :) (the same with postfix/dovecot).
> and as I'm sure you are aware, Apache does not understand s
On 2012-01-04 8:19 PM, Pascal Volk
wrote:
On 01/03/2012 09:40 PM Charles Marcus wrote:
Hi everyone,
Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt
On 2012-01-03 8:58 PM, Michael Orlitzky wrote:
On 01/03/2012 08:25 PM, Charles Marcus wrote:
What I'm worried about is the worst case scenario of someone getting
ahold of the entire user database of *stored* passwords, where they can
then take their time and brute force them at their leisure, o
On 2012-01-03 8:37 PM, David Ford wrote:
part of my point along that of brute force resistance, is that
when security becomes onerous to the typical user such as requiring
non-repeat passwords of "10 characters including punctuation and mixed
case", even stalwart policy followers start tending t
On Wed, 2012-01-04 at 22:16 -0500, David Ford wrote:
>
> with multiple servers, we use pam & nss, with a replicated ldap backed.
public accessible mode :P oh don't start me on that, but luckily I'm
not subjected to its dangers...and telling Pascal bout Bourbon made me
realise its time to hea
On Thu, 2012-01-05 at 04:05 +0100, Pascal Volk wrote:
> On 01/05/2012 03:36 AM Noel Butler wrote:
>
> >
> > Because with multiple servers, we store them all in (replicated)
> > mysql :) (the same with postfix/dovecot).
> > and as I'm sure you are aware, Apache does not understand standard
> >
> Because with multiple servers, we store them all in (replicated) mysql
> :) (the same with postfix/dovecot). and as I'm sure you are aware,
> Apache does not understand standard crypted MD5, hence why there is
> the second option of apache_md5_crypt()
with multiple servers, we use pam & nss, wit
On 01/05/2012 03:36 AM Noel Butler wrote:
>
> Because with multiple servers, we store them all in (replicated)
> mysql :) (the same with postfix/dovecot).
> and as I'm sure you are aware, Apache does not understand standard
> crypted MD5, hence why there is the second option of apache_md5_crypt(
On Thu, 2012-01-05 at 03:26 +0100, Pascal Volk wrote:
> On 01/05/2012 02:59 AM Noel Butler wrote:
> > We use Crypt::PasswdMD5 -
> > unix_md5_crypt() for all general password storage including mail/ftp
> > etc, except for web, where we need to use apache_md5_crypt().
>
> Huh, why do you need to
On Wed, 2012-01-04 at 21:06 -0500, Patrick Domack wrote:
> Quoting Noel Butler :
>
> > On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
> >
> >
> >> To prevent rainbow table attacks, salt your passwords. You can make them
> >> a little bit more difficult in plenty of ways, but salt is t
On 01/05/2012 02:59 AM Noel Butler wrote:
> We use Crypt::PasswdMD5 -
> unix_md5_crypt() for all general password storage including mail/ftp
> etc, except for web, where we need to use apache_md5_crypt().
Huh, why do you need to store passwords in Apaches md5 crypt() format?
,--[ Apache config
Quoting Noel Butler :
On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
To prevent rainbow table attacks, salt your passwords. You can make them
a little bit more difficult in plenty of ways, but salt is the /solution/.
Agreed...
We use Crypt::PasswdMD5 -
unix_md5_crypt() for a
On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
> To prevent rainbow table attacks, salt your passwords. You can make them
> a little bit more difficult in plenty of ways, but salt is the /solution/.
Agreed...
We use Crypt::PasswdMD5 -
unix_md5_crypt() for all general password st
On 01/03/2012 09:40 PM Charles Marcus wrote:
> Hi everyone,
>
> Was just perusing this article about how trivial it is to decrypt
> passwords that are stored using most (standard) encryption methods (like
> MD5), and was wondering - is it possible to use bcrypt with
> dovecot+postfix+mysql (or
On 1/3/2012 5:25 PM, Charles Marcus wrote:
I think y'all are missing the point... not sure, because I'm still not
completely sure that this is saying what I think it is saying (that's
why I asked)...
I'm sure I'm not missing the point. My comment was that password length
and complexity are p
On 01/03/2012 08:25 PM, Charles Marcus wrote:
What I'm worried about is the worst case scenario of someone getting
ahold of the entire user database of *stored* passwords, where they can
then take their time and brute force them at their leisure, on *their*
*own* systems, without having to hamme
On 01/03/2012 08:25 PM, Charles Marcus wrote:
>
> I think y'all are missing the point... not sure, because I'm still not
> completely sure that this is saying what I think it is saying (that's
> why I asked)...
>
> I'm not worried about *active* brute force attacks against my server
> using the sta
On 2012-01-03 6:12 PM, WJCarpenter wrote:
On 1/3/2012 2:38 PM, Simon Brereton wrote:
http://xkcd.com/936/
As the saying goes, entropy ain't what it used to be.
https://www.grc.com/haystack.htm
However, both links actually illustrate the same point: once you get
past dictionary attacks, the
On 1/3/2012 2:38 PM, Simon Brereton wrote:
http://xkcd.com/936/
As the saying goes, entropy ain't what it used to be.
https://www.grc.com/haystack.htm
However, both links actually illustrate the same point: once you get
past dictionary attacks, the length of the password is the dominant factor
On 3 January 2012 17:30, Charles Marcus wrote:
> On 2012-01-03 5:10 PM, WJCarpenter wrote:
>>
>> In his description, he uses the example of passwords which are
>> "lowercase, alphanumeric, and 6 characters long" (and in another place
>> the example is "lowercase, alphabetic passwords which are ≤7
On 01/03/2012 05:30 PM, Charles Marcus wrote:
> On 2012-01-03 5:10 PM, WJCarpenter wrote:
>> In his description, he uses the example of passwords which are
>> "lowercase, alphanumeric, and 6 characters long" (and in another place
>> the example is "lowercase, alphabetic passwords which are ≤7
>>
On 2012-01-03 5:10 PM, WJCarpenter wrote:
In his description, he uses the example of passwords which are
"lowercase, alphanumeric, and 6 characters long" (and in another place
the example is "lowercase, alphabetic passwords which are ≤7
characters", I guess to illustrate that things have gotten
On 2012-01-03 4:03 PM, David Ford wrote:
md5 is deprecated, *nix has used sha1 for a while now
That link lumps sha1 in with MD5 and others:
"Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?"
--
Best regards,
Charles
Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt with
dovecot+postfix+mysql (or postgres)?
Ooop... forgot the link:
http://codahale.com/how-to-safely
md5 is deprecated, *nix has used sha1 for a while now
On 2012-01-03 3:40 PM, Charles Marcus wrote:
Hi everyone,
Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt with
dovecot+postfix+mysql (or postgres)?
Hi everyone,
Was just perusing this article about how trivial it is to decrypt
passwords that are stored using most (standard) encryption methods (like
MD5), and was wondering - is it possible to use bcrypt with
dovecot+postfix+mysql (or postgres)?
--
Best regards,
Charles
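The three positions argued across this thread (unsalted MD5 is a table lookup away from the password; a salt defeats the precomputed table but not brute force; only a work factor, as in bcrypt, makes the offline brute force expensive) can be shown side by side in a few dozen lines. The following is an added example, not code from the thread or from Dovecot, Postfix or Apache. It uses PBKDF2 from the Python standard library as a stand-in for bcrypt so that it runs without third-party packages; the storage formats ("slow$rounds$salt$hash" and so on), the five-word wordlist and the "precomputed table" are all constructed for the demonstration. On Dovecot itself, `doveadm pw -l` lists the password schemes your build supports; BLF-CRYPT is the bcrypt scheme.

```python
"""Unsalted MD5 vs. salted hash vs. salted slow hash, as an attacker sees them.

Constructed example: the wordlist and the precomputed table are tiny stand-ins
for a real cracking dictionary and a real rainbow table.
"""
import hashlib
import hmac
import secrets

# Constructed sample wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dovecot"]


# --- 1. Unsalted MD5 ("standard" storage, as the thread calls it) ----------

def md5_store(password):
    """What a legacy system writes to the database: md5(password), no salt."""
    return hashlib.md5(password.encode()).hexdigest()


# The attacker computes md5(word) for every word ONCE and reuses the table
# against every leaked database forever. This is the rainbow-table idea
# reduced to a dict.
PRECOMPUTED_MD5 = {md5_store(w): w for w in WORDLIST}


def crack_md5_by_lookup(stored_hex):
    """Recover the password with a single lookup and no hashing at crack time."""
    return PRECOMPUTED_MD5.get(stored_hex)


# --- 2. Per-user salt: the precomputed table is useless, brute force is not ---

def salted_store(password, salt=None):
    """Constructed format 'salted$<salt hex>$<sha256 hex>'; salt is stored in the clear."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "salted$" + salt.hex() + "$" + digest


def crack_salted_by_lookup(stored):
    """The table was built for md5(word); with a random salt every stored
    value is unique, so a precomputed table never matches."""
    _, _, digest = stored.split("$")
    return PRECOMPUTED_MD5.get(digest)


def crack_salted_by_brute_force(stored, wordlist=WORDLIST):
    """Salt does not stop brute force: the attacker reads the salt from the
    record and hashes each guess with it. Returns (password or None,
    number of hash evaluations spent)."""
    _, salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for n, guess in enumerate(wordlist, 1):
        candidate = hashlib.sha256(salt + guess.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            return guess, n
    return None, len(wordlist)


# --- 3. Salt plus work factor (the bcrypt idea, done here with PBKDF2) -------

def slow_store(password, rounds, salt=None):
    """Constructed format 'slow$<rounds>$<salt hex>$<pbkdf2 hex>'.
    `rounds` plays the role of bcrypt's cost parameter."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "slow$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def slow_verify(password, stored):
    """Server-side check: recompute with the stored salt and rounds."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_slow_by_brute_force(stored, wordlist=WORDLIST):
    """Each guess now costs `rounds` PBKDF2 iterations instead of one hash,
    so the attacker's bill grows linearly with the work factor while the
    legitimate login pays that price exactly once. Returns
    (password or None, total iterations spent)."""
    rounds = int(stored.split("$")[1])
    for n, guess in enumerate(wordlist, 1):
        if slow_verify(guess, stored):
            return guess, n * rounds
    return None, len(wordlist) * rounds


if __name__ == "__main__":
    print("md5 lookup      :", crack_md5_by_lookup(md5_store("letmein")))
    salted = salted_store("letmein")
    print("salted lookup   :", crack_salted_by_lookup(salted))
    print("salted brute    :", crack_salted_by_brute_force(salted))
    slow = slow_store("letmein", 1000)
    print("slow brute      :", crack_slow_by_brute_force(slow))
```

The numbers returned by the two brute-force functions are the point: with a salt the attacker still finds "letmein" on the third guess at a cost of three hashes, while with a work factor of 1000 the same three guesses cost 3000 iterations, and raising the factor raises the attacker's cost by the same multiple. Salt is what stops the shared precomputed table; the cost parameter is what slows the leisurely offline attack the original post worries about.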
40 matches