On 11/06/12 12:38 AM, Alexander Harrowell wrote:
A question: password managers are obviously a great idea, and password
manager + synchronisation takes care of multiple devices.
Go ahead and use one of these password managers and load it with all
your passwords. Then load its smartphone app
The Cambridge University Computer Lab has had a crack at this question
in their Technical Report 817 on Web authentication:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Their conclusion is to use the Mozilla password manager (or close
analogue, but they like it because it's open
From someone who supplies an out-of-country drivers license, I'd request to
see their passport. From someone who supplies an out-of-state drivers
license, I'd probably accept it, but the risks there are somewhat reduced at
least.
OK, someone shows you a Quebec driver's license. You ask for a
On Jun 11, 2012, at 2:35 PM, John Levine wrote:
OK, someone shows you a Quebec driver's license. You ask for a
passport, she says, I don't have one, and points at the blue word Plus
after the words Permis de Conduire at the top of the license. Now
what?
Banks and most retailers actually
- Original Message -
From: John Levine jo...@iecc.com
Although banks have different tradeoffs in risk management than you
might like, they're not dumb. I expect they figured that the increased
volume from not slowing down transactions and demanding more than makes
up for whatever the
Sent from my iPad
On Jun 11, 2012, at 11:35 AM, John Levine jo...@iecc.com wrote:
From someone who supplies an out-of-country drivers license, I'd request to
see their passport. From someone who supplies an out-of-state drivers
license, I'd probably accept it, but the risks there are
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a
passport, she says, I don't have one, and points at the blue word Plus
after the words Permis de Conduire at the top of the license. Now
what?
To the best of my knowledge, ICE stopped
On 12-06-11 03:14 PM, Simon Perreault wrote:
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a
passport, she says, I don't have one, and points at the blue word Plus
after the words Permis de Conduire at the top of the license. Now
what?
On 11-Jun-12 14:05, Owen DeLong wrote:
On Jun 11, 2012, at 11:35 AM, John Levine jo...@iecc.com wrote:
OK, someone shows you a Quebec driver's license. You ask for a passport,
she says, I don't have one, and points at the blue word Plus after the words
Permis de Conduire at the top of the
On Jun 11, 2012, at 3:14 PM, Simon Perreault wrote:
On 2012-06-11 15:05, Owen DeLong wrote:
OK, someone shows you a Quebec driver's license. You ask for a
passport, she says, I don't have one, and points at the blue word Plus
after the words Permis de Conduire at the top of the license. Now
--- g...@teksavvy.ca wrote:
From: Gabriel Blanchard g...@teksavvy.ca
How the heck did this conversation go from Linkedin to a Quebec drivers
license? I'm not sure how relevant this is to NANOG. Both subject matters that
is.
--
New to nanog, eh? ;-)
scott
On 6/8/12 16:05 , Alec Muffett wrote:
Does anybody have a good URL explaining that idea? It's been
kicking around for many years. I've never seen a convincing
writeup.
I've tried to do that in another mail - it's in the realms of
philosophy more than strategy; like if you're a really
On 6/10/12, Joel jaeggli joe...@bogus.com wrote:
How good does a password/phrase have to be in order to protect
against brute-force or dictionary attacks against the password itself?
? Entropy in language.
A typical english sentence has 1.2 bits of entropy per character,
you need
- Original Message -
From: Barry Shein b...@world.std.com
A friend would print in block letters in the sig area of his credit
cards ASK FOR PHOTO ID. He said that almost always cashiers et al
would give a cursory glance like they were checking his signature and
say thank you
On Sun, 10 Jun 2012, Joe Greco wrote:
One of the design goals of the V/MC system is that a cardholder is not
supposed to need anything other than their card and the ability to sign.
This seems to be different across the world. Here in Sweden, they don't
really look at your signature on the
On 6/10/12 00:25 , John Souvestre wrote:
On 6/10/12, Joel jaeggli joe...@bogus.com wrote:
How good does a password/phrase have to be in order to protect
against brute-force or dictionary attacks against the password
itself? ? Entropy in language. A typical english sentence has 1.2
bits of
On Sun, 10 Jun 2012 08:24:41 -0700, Joel jaeggli said:
I don't disagree, except regarding dictionary attacks. If the attack
isn't random then math based on random events doesn't apply. In the
case of a purely dictionary attack if you choose a non-dictionary
word and you are 100.000%
On 6/10/12, Joe Greco jgr...@ns.sol.net wrote:
[snip]
That and a minimum charge are among the two most common merchant
For MasterCard violations, report them!
In the US, Credit card processing networks were forbidden from
prohibiting merchants from establishing certain minimum charges to
use
I was under the impression (I should dig out my contract) that
merchant contracts also forbid charging more for a charge than for
cash or conversely discount for cash! but I see so many violations
of that particularly at gas stations I wonder if that's negotiable in
the contract.
I remember my
A merchant can offer a cash discount.
--John
On 6/10/2012 11:16 AM, Barry Shein wrote:
I was under the impression (I should dig out my contract) that
merchant contracts also forbid charging more for a charge than for
cash or conversely discount for cash! but I see so many violations
of that
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I believe
that what Barry says was the old reality.
Mike
--John
On 6/10/2012 11:16 AM, Barry Shein wrote:
I was under the impression (I should
- Original Message -
From: Michael Thomas m...@mtcc.com
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I
believe that what Barry says was the old reality.
Perhaps, but Cash/Credit
On 06/10/2012 11:33 AM, Jay Ashworth wrote:
- Original Message -
From: Michael Thomas m...@mtcc.com
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I
believe that what Barry says was the
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:18:06
2012
From: Barry Shein b...@world.std.com
Date: Sun, 10 Jun 2012 14:16:10 -0400
To: Mikael Abrahamsson swm...@swm.pp.se
Subject: Re: Dear Linkedin,
Cc: NANOG nanog@nanog.org, Joe Greco jgr...@ns.sol.net
I
- Original Message -
From: Robert Bonomi bon...@mail.r-bonomi.com
Gas stations that offer a 'discount for cash' do not give that discount
even for 'house brand' cards -- which do not have any fees that are
payable to the issuer.
In fact, that's not true. Several chains, notably
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:26:36
2012
Date: Sun, 10 Jun 2012 11:25:35 -0700
From: Michael Thomas m...@mtcc.com
To: John T. Yocum john.yo...@fluidhosting.com
Subject: Re: Dear Linkedin,
Cc: nanog@nanog.org
On 06/10/2012 11:22 AM, John T. Yocum
On 10-Jun-12 13:33, Jay Ashworth wrote:
From: Michael Thomas m...@mtcc.com
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I
believe that what Barry says was the old reality.
Perhaps, but
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Sun Jun 10 13:34:06
2012
Date: Sun, 10 Jun 2012 14:33:03 -0400 (EDT)
From: Jay Ashworth j...@baylink.com
To: NANOG nanog@nanog.org
Subject: OT: Credit card policies (was Re: Dear Linkedin,)
- Original Message -
From: Michael
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth j...@baylink.com
Even Further Off-Topic, isn't debit supposed to be cash? Why do
I pay the Credit price for it?
It is, and *ISN'T*, 'cash'.
Unlike cash (and like a credit card), it is simply an instruction to a third
party to
The credit card companies should pull their heads out of their asses about this.
It is much better from an anti-fraud perspective for a stolen card not to
contain a specimen signature for the thief to learn to forge.
It is far preferable for the merchant to request ID and verify that the
On 6/10/12 12:23 , Stephen Sprunk wrote:
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth j...@baylink.com
All of the above is completely irrelevant to the merchant.
Given that the thread now spans nine conversation threads and at least
122 messages and is buried in the finer
The agreements often prohibit minimums and cash discounts/card fees.
However, the Dodd-Frank act trumps the agreements as law contract.
Owen
Sent from my iPad
On Jun 10, 2012, at 11:16 AM, Barry Shein b...@world.std.com wrote:
I was under the impression (I should dig out my contract)
It is far preferable for the merchant to request ID and verify that the
signature matches the ID _AND_ the picture in the ID matches the
customer.
In the late 1990s I had a Visa card from (I think) Citibank that had my
picture embossed on the front of the card. I'm surprised this didn't
That and a minimum charge are among the two most common merchant
violations I see.
For MasterCard violations, report them!
http://www.mastercard.us/support/merchant-violations.html
Is that policy worldwide or just for the US?
The credit card companies should pull their heads out of their asses about this.
It is much better from an anti-fraud perspective for a stolen card not to
contain a specimen signature for the thief to learn to forge.
It is far preferable for the merchant to request ID and verify that
On Sun, 10 Jun 2012, Lyndon Nerenberg wrote:
In the late 1990s I had a Visa card from (I think) Citibank that had my
picture embossed on the front of the card. I'm surprised this didn't catch
on with more card issuers. I see that Bank of America offers this free of
charge to their Visa
On June 10, 2012 at 14:33 j...@baylink.com (Jay Ashworth) wrote:
- Original Message -
From: Michael Thomas m...@mtcc.com
On 06/10/2012 11:22 AM, John T. Yocum wrote:
A merchant can offer a cash discount.
I believe that the law just recently changed on that account. I
A few years ago I had a checkbook stolen. The genius bank branch
decided it was sufficient to just print new checks starting at a much
higher number and put it in the system rather than cancel the
account number. I protested but hey so long as they were responsible
for any fraud*.
Then thousands
On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletni...@vt.edu wrote:
On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
It is far preferable for the merchant to request ID and verify that the
signature matches the ID _AND_ the picture in the ID matches the customer.
Maybe from the
Stephen Sprunk step...@sprunk.org opined:
On 10-Jun-12 14:01, Robert Bonomi wrote:
From: Jay Ashworth j...@baylink.com
Even Further Off-Topic, isn't debit supposed to be cash? Why do
I pay the Credit price for it?
It is, and *ISN'T*, 'cash'.
Unlike cash (and like a credit
On Jun 10, 2012, at 12:25 PM, Joe Greco wrote:
The credit card companies should pull their heads out of their asses about this.
It is much better from an anti-fraud perspective for a stolen card not to
contain a specimen signature for the thief to learn to forge.
It is far
In such a circumstance I use the following:
Close this account. Either send me a check for the remaining balance or
deposit into my newly created account at your institution. Whichever you
prefer.
Owen
On Jun 10, 2012, at 2:45 PM, Barry Shein wrote:
A few years ago I had a checkbook stolen.
On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote:
On Sun, Jun 10, 2012 at 04:34:55PM -0400, valdis.kletni...@vt.edu wrote:
On Sun, 10 Jun 2012 12:29:46 -0700, Owen DeLong said:
It is far preferable for the merchant to request ID and verify that the
signature matches the ID _AND_ the
- Original Message -
From: Brett Frankenberger rbf+na...@panix.com
But the same reasoning still applies. The card issuers don't want you
to have to show ID, because you might decide it's too much trouble, and
just use some other method to pay.
Except for Amex, who have always
On Sun, Jun 10, 2012 at 03:47:20PM -0700, Owen DeLong wrote:
On Jun 10, 2012, at 3:06 PM, Brett Frankenberger wrote:
Eliminating fraud isn't an objective of card issuers. Making money is.
Fraud reduction is only done when the savings from the reduced fraud
exceeds both the cost of the
Don't know if someone already posted this but they're forcing people to reset
their passwords, but it lets you reset it to the same password as before...
How many people are going to use the same pass? I'd say a good portion,
LinkedIn needs some new isec employees
On Jun 10, 2012, at 6:11 PM,
Eliminating fraud isn't an objective of card issuers. Making money is.
Fraud reduction is only done when the savings from the reduced fraud
exceeds both the cost of the fraud preventing measure and any revenue
that is lost because of inconveniencing customers.
Right, but
- Original Message -
From: Barry Shein b...@world.std.com
This applies just as well to fraud-prevention measures, a cost is a
cost is a cost, your perceived morality of the cost makes no
difference, money is fungible! Which means, money doesn't care! You'd
have to make up the cost of
On June 10, 2012 at 19:47 apishd...@gmail.com (Ameen Pishdadi) wrote:
Don't know if someone already posted this but they're forcing people
to reset their passwords, but it lets you reset it to the same
password as before... How many people are going to use the same pass?
I'd say a good portion,
On Fri, Jun 8, 2012 at 9:48 PM, Michael Thomas m...@mtcc.com wrote:
Linkedin has a blog post that ends with this sage advice:
The sagest of which is to ask you to change your password on LinkedIn
itself, *before* actually plugging the hole that led to the passwords
leaking in the first place.
:: https://agilebits.com/onepassword (1Password) is one solution to
:: managing web site passwords.
Only if you have an OS you have to pay for: apple or ms.
The 1password password store has a perfectly usable local-only HTML
app that lives in its data folder.
My biggest problem still is the multiple computer issue. I am on at least 3-5
physical computers and 1-20 virtual machines, and 2 cellphones a day. I
honestly do not want to store a database of passwords encrypted or not on an
open service.
As I have never had a virus or malware on any of
A friend would print in block letters in the sig area of his credit
cards ASK FOR PHOTO ID. He said that almost always cashiers et al
would give a cursory glance like they were checking his signature and
say thank you and hand him back his card.
Maybe someone mentioned this but merchant card
Original Message -
From: Lyndon Nerenberg lyn...@orthanc.ca
The only way to ensure your personal passwords are never compromised
is to kill yourself after destroying all physical copies of those
passwords. While ultimately secure, you won't be able to do your daily
online banking.
- Original Message -
From: Barry Shein b...@world.std.com
A friend would print in block letters in the sig area of his credit
cards ASK FOR PHOTO ID. He said that almost always cashiers et al
would give a cursory glance like they were checking his signature and
say thank you and hand
On 06/09/12 15:43, Jay Ashworth wrote:
- Original Message -
From: Barry Shein b...@world.std.com
A friend would print in block letters in the sig area of his credit
cards ASK FOR PHOTO ID. He said that almost always cashiers et al
would give a cursory glance like they were checking his
On Sat, Jun 9, 2012 at 10:52 AM, joseph.sny...@gmail.com wrote:
My biggest problem still is the multiple computer issue. I am on at least
3-5 physical computers and 1-20 virtual machines, and 2 cellphones a day.
I honestly do not want to store a database of passwords encrypted or not
on an
On 6/9/12, Scott Howard sc...@doc.net.au wrote:
[snip]
Security is all about trade-offs. In this case it's the trade-off between
storing an encrypted password database on a 3rd party server, vs. re-using
passwords and having (potentially) weaker passwords as a result of not
[snip]
Yes. Using
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit
on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am
supposed to remember
each one of them
On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant,
neither does
yours. So what you're telling me and the rest of the world is impossible.
https://agilebits.com/onepassword (1Password) is one solution to managing
On 06/08/2012 09:48 AM, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that
you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand
I have accounts at probably 100's of sites. Am I to understand that I am
supposed to remember
each one of them and dutifully update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you don't
need to change them so often, but the passwords you use
Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am
supposed to
--- lyn...@orthanc.ca wrote:
From: Lyndon Nerenberg lyn...@orthanc.ca
On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
I'm sorry, my brain doesn't hold that many passwords. Unless you're
a savant, neither does yours. So what you're telling me and the rest
of the world is impossible.
t
::
On Fri, Jun 8, 2012 at 12:48 PM, Michael Thomas m...@mtcc.com wrote:
So the implication is that I have 100's of passwords all unique and that I
must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.
I'm sorry, my
On Fri, Jun 8, 2012 at 1:02 PM, Scott Weeks sur...@mauigateway.com wrote:
:: https://agilebits.com/onepassword (1Password) is one solution to
:: managing web site passwords.
Only if you have an OS you have to pay for: apple or
On 2012-06-08 15:48, Michael Thomas wrote:
* Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.
* Do not use the same password for multiple sites or accounts.
* Create a strong password for your account, one that includes
On 2012-06-08, at 1:02 PM, Scott Weeks wrote:
Only if you have an OS you have to pay for: apple or ms.
I don't pay for them. $WORK pays for them.
If your complaint is about 1Password not running on your particular operating
systems, then pick a solution that *does* run on your OS. There
--- j...@retina.net wrote:
From: John Adams j...@retina.net
I use 1password, you might use LastPass. They both work on
Android, iPhone, Linux, Mac, Windows.
No, according to their site 1password does not work on
*nix, however lastpass says it does
On 06/08/2012 10:02 AM, Scott Weeks wrote:
--- lyn...@orthanc.ca wrote:
From: Lyndon Nerenberg lyn...@orthanc.ca
On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
I'm sorry, my brain doesn't hold that many passwords. Unless you're
a savant, neither does yours. So what you're telling me and the
I'm surprised no one mentioned a locally stored (and backed up of
course) gpg encrypted file for securing all of your passwords. Very
simple solution for the technically inclined.
Derrick
On Fri, Jun 08, 2012 at 01:08:34PM -0700, Scott Weeks wrote:
--- j...@retina.net wrote:
From: John
- Original Message -
From: Michael Thomas m...@mtcc.com
I'm sorry, my brain doesn't hold that many passwords. Unless you're a
savant, neither does
yours. So what you're telling me and the rest of the world is
impossible.
What's most pathetic about this is that somebody actually
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure password
generators. That way you only have one password to remember stored in a
location you have control over (and is encrypted), and you get to adopt secure
practices with websites.
On 06/08/2012 10:22 AM, Michael Thomas wrote:
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure
password generators. That way you only have one password to remember
stored in a location you have control over (and is encrypted), and
On 06/08/2012 01:24 PM, Paul Graydon wrote:
On 06/08/2012 10:22 AM, Michael Thomas wrote:
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure password
generators. That way you only have one password to remember stored in a
location you
Does your password safe know how to change the password on each
website every several months?
Not far off, actually; my 1Password has an auto-login-page feature which you
can often wire to be the same as the password-change URL.
So, nyah.
-a
On 06/08/2012 01:24 PM, Paul Graydon wrote:
Oh come on.. now you're just being ridiculous, even bordering on childish.
LinkedIn are offering solid advice, rooted in safe practices. If you don't
want to do it that's your problem. Stop bitching just because security is hard.
PS: when security
On 2012-06-08, at 1:22 PM, Michael Thomas wrote:
Does your password safe know how to change the password on each
website every several months?
Yes.
PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of
being cheap and free from infrastructure -
On 06/08/2012 01:35 PM, Lyndon Nerenberg wrote:
On 2012-06-08, at 1:22 PM, Michael Thomas wrote:
Does your password safe know how to change the password on each
website every several months?
Yes.
I run a website. If it can change it on mine, I'd like to understand
how it manages to do that.
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
PS: when security is hard, people simply don't do it.
I think this is exactly right.
The idea that we are going to train everyone on earth to keep eleventy
billion distinct passwords in their heads -- or in a password safe
that
On 06/08/2012 01:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of
KeePass, KeyPassDroid and Dropbox.
I'm sure it will just get simpler as time goes on.
My mom uses a key database just fine.
On Jun 8, 2012 4:49 PM, Andrew Sullivan asulli...@dyn.com wrote:
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
PS: when security is hard, people
On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote:
KeePass, KeyPassDroid and Dropbox.
Yes, of course, I'll just upload all my passwords to a place totally
under the control of someone (well, actually, _two_ other ones) else,
and then pray that there never turns out to be a nasty attack
On 2012-06-08, at 2:07 PM, Andrew Sullivan wrote:
I'm not trying to be dismissive. Those are excellent stopgap
measures. They're not a solution.
There is no solution. Security is about risk management, nothing more.
The only way to ensure your personal passwords are never compromised is
On 8 Jun 2012, at 21:55, Michael Thomas wrote:
With apps and browsers that
can remember passwords why are we still insisting that users generate
and remember their own bad passwords? That's one reason that I
find the finger wagging tone of that Linkedin post extremely problematic --
they
Yes; of course if most of those accounts are moribund and unused then you
don't need
to change them so often, but the passwords you use frequently should be
changed at
regular intervals.
It's pretty commonsensical once the threat is understood.
Given that most compromised passwords these days
On Fri, Jun 8, 2012 at 2:00 PM, Tyler Haske tyler.ha...@gmail.com wrote:
KeePass, KeyPassDroid and Dropbox.
I'm sure it will just get simpler as time goes on.
I second this! I deploy KeePass via MS GPO. No formal training on the
application for the end-users but we do one-on-one with end users
On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.
Passwords suck, but they are the best that we have at the moment in
On Fri, Jun 08, 2012 at 12:48:38PM -0700, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.
Um, no.
If the site in question has security
I have accounts at probably 100's of sites. Am I to understand
that I am supposed to remember each one of them and dutifully
update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you
don't need to change them so often, but the passwords you
On 8 Jun 2012, at 22:59, John Levine wrote:
Given that most compromised passwords these days are stolen by malware
or phishing, I'm not understanding the threat, unless you're planning
to change passwords more frequently than the interval between malware
stealing your password and the bad
Does anybody have a good URL explaining that idea? It's been kicking around
for many years. I've never seen a convincing writeup.
I've tried to do that in another mail - it's in the realms of philosophy more
than strategy; like if you're a really security-aware person and take great
care
On 09/06/12 05:48, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that
On Fri, 08 Jun 2012 16:07:56 -0400, Simon Perreault said:
And how about Do not store your passwords using unsalted sha1?
Heck. I'd let them use pepper or mustard or teriyaki sauce if they wanted.
Figuring out which one was used adds to the entropy. ;)
On 06/08/2012 05:59 PM, Ted Cooper wrote:
They have some things correct in this and some are complete hogwash.
Changing your password does not provide any additional security. It is
meant to give protection against your credentials having being
discovered, but if they have been compromised in
On Fri, 08 Jun 2012 15:33:29 -0700, Hal Murray said:
Yes; of course if most of those accounts are moribund and unused then you
don't need to change them so often, but the passwords you use frequently
should be changed at regular intervals.
It's pretty commonsensical once the threat is
Yes, well, I'm being cynical ...
Yes, but are you being cynical enough?
--
Is 14 months an excusable length of time for someone not to have
changed their password after a break?
That cuts both ways. Who is changing the password, the good guys or the bad
guys?
--
These are my
On Fri, Jun 08, 2012 at 03:17:25PM -0700, Owen DeLong wrote:
On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.
Does your bank request/require that you change the PIN
on your ATM card every few months?
ATM cards are not passwords, they are a coarse form of two-factor
authentication - You have the card, you have the PIN.
You have to possess both in order to transact - at least in theory.