Re: gmail security is a joke

2015-05-29 Thread Joe Abley
On 28 May 2015, at 22:18, Rich Kulawiec wrote: On Thu, May 28, 2015 at 03:13:37PM -0400, William Herrin wrote: My first dog's name was a random and unpronounceable 30-character string. I think this (Bill's) is a very good practice. That's what I should do. Instead, I pull down the list

Re: gmail security is a joke

2015-05-29 Thread Jimmy Hess
On Wed, May 27, 2015 at 8:42 AM, Joel Maslak jmas...@antelope.net wrote: I also suspect not every telco validates number porting requests against social engineering properly. What national wireless provider _does_ validate porting requests against social engineering? As far as I knew, as

Re: gmail security is a joke

2015-05-29 Thread Sander Steffann
On 29 May 2015, at 08:42, Joe Abley jab...@hopcount.ca wrote the following: [...] and around this point, I start to think - I've had enough of this - this is too hard - I don't even remember what I am signing up for at this point - I am going to look for amusing cats on

Re: gmail security is a joke

2015-05-29 Thread Justin M. Streiner
On Thu, 28 May 2015, Rich Kulawiec wrote: I think this (Bill's) is a very good practice. It's not that difficult to enumerate the name of every pro sports team in the US, the 100 most popular dog names, the 200 most common street names, etc. This attack can be mitigated by limiting

Re: gmail security is a joke

2015-05-29 Thread Richo Healey
On 29/05/15 10:35 -0400, Peter Beckman wrote: I use completely random strings for security questions. The company doesn't care what my answer is, so instead of knowing that my favorite sports team is [REDACTED] they can see that it is WheF7?ydk/cBG8MgZf7w Go WheF7?ydk/cBG8MgZf7w! I store all

Re: gmail security is a joke

2015-05-29 Thread Barry Shein
I can't write my autobiography because it'd contain the answers to too many security questions! -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool

Re: gmail security is a joke

2015-05-29 Thread Owen DeLong
Use a ghost writer. ;-) Owen On May 29, 2015, at 10:42 AM, Barry Shein b...@world.std.com wrote: I can't write my autobiography because it'd contain the answers to too many security questions! -- -Barry Shein The World | b...@theworld.com |

Re: gmail security is a joke

2015-05-29 Thread Jimmy Hess
On Fri, May 29, 2015 at 1:42 AM, Joe Abley jab...@hopcount.ca wrote: That's what I should do. Instead, I pull down the list of candidate questions and think to myself... ... - I don't have a favourite colour My favourite color is Red, but the answer is rejected because it's less than 6

Re: gmail security is a joke

2015-05-29 Thread Rich Kulawiec
On Fri, May 29, 2015 at 12:32:34PM -0400, Justin M. Streiner wrote: There are providers (banks, etc) who will disable an online account that has had X failed login attempts. While that's good for preventing $bad_guy from continuing to try to brute-force-guess the password, it creates a

Re: gmail security is a joke

2015-05-29 Thread Valdis . Kletnieks
On Fri, 29 May 2015 13:42:55 -0400, Barry Shein said: I can't write my autobiography because it'd contain the answers to too many security questions! -- -Barry Shein Congrats. The best .sig fodder I've seen in quite some time.

Re: gmail security is a joke

2015-05-29 Thread Peter Beckman
I use completely random strings for security questions. The company doesn't care what my answer is, so instead of knowing that my favorite sports team is [REDACTED] they can see that it is WheF7?ydk/cBG8MgZf7w Go WheF7?ydk/cBG8MgZf7w! I store all of the security questions in my password manager

Re: gmail security is a joke

2015-05-28 Thread Rich Kulawiec
On Thu, May 28, 2015 at 03:13:37PM -0400, William Herrin wrote: On Wed, May 27, 2015 at 1:16 AM, Octavio Alvarez octalna...@alvarezp.org wrote: I would definitely opt-out from any kind of secret questions that I couldn't type by myself. Many many sites still think this is a good idea.

Re: Password storage (was Re: gmail security is a joke)

2015-05-28 Thread shawn wilson
On May 28, 2015 10:11 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Thu, May 28, 2015 at 5:29 AM, Robert Kisteleki rob...@ripe.net wrote: Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. One thing to remember is

Re: gmail security is a joke

2015-05-28 Thread Blair Trosper
Somewhat in the weeds here, but I still find it odd/curious that Google is still using SHA-1 fingerprinted SSL certificates. Weren't they making a big deal of pushing SHA-2 fingerprinted SSL certs a while back? On Wed, May 27, 2015 at 12:16 AM, Octavio Alvarez octalna...@alvarezp.org wrote: On

Re: gmail security is a joke

2015-05-28 Thread Octavio Alvarez
On 05/26/2015 08:44 AM, Owen DeLong wrote: I think opt-out of password recovery choices on a line-item basis is not a bad concept. For example, I’d want to opt out of recovery with account creation date. If anyone knows the date my gmail account was created, they most certainly aren’t me.

Re: gmail security is a joke

2015-05-28 Thread William Herrin
On Wed, May 27, 2015 at 1:16 AM, Octavio Alvarez octalna...@alvarezp.org wrote: I would definitely opt-out from any kind of secret questions that I couldn't type by myself. Many many sites still think this is a good idea. My first dog's name was a random and unpronounceable 30-character

Password storage (was Re: gmail security is a joke)

2015-05-28 Thread Robert Kisteleki
Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. Indeed. A while ago I had a brainfart and presented it in a draft: https://tools.ietf.org/html/draft-kistel-encrypted-password-storage-00 It seemed like a good idea at the time :-)

Re: Password storage (was Re: gmail security is a joke)

2015-05-28 Thread Christopher Morrow
On Thu, May 28, 2015 at 5:29 AM, Robert Kisteleki rob...@ripe.net wrote: Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. Indeed. A while ago I had a brainfart and presented it in a draft:

Re: Password storage (was Re: gmail security is a joke)

2015-05-28 Thread Michael Thomas
On 05/28/2015 02:29 AM, Robert Kisteleki wrote: Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today. Indeed. A while ago I had a brainfart and presented it in a draft:

Re: gmail security is a joke

2015-05-27 Thread Valdis . Kletnieks
On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said: that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password. And you have to

Re: gmail security is a joke

2015-05-27 Thread Larry Sheldon
On 5/27/2015 03:17, valdis.kletni...@vt.edu wrote: On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said: that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was

Re: gmail security is a joke

2015-05-27 Thread Saku Ytti
On (2015-05-27 14:19 +0200), Owen DeLong wrote: Hey, If someone has the ability to hijack your BGP, then you've got bigger problems than having them take over your Gmail account. This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on

Re: gmail security is a joke

2015-05-27 Thread Joe Abley
On 27 May 2015, at 13:19, Owen DeLong wrote: If someone has the ability to hijack your BGP, then you’ve got bigger problems than having them take over your Gmail account. Could we perhaps summarise this entire thread with if you have tighter security requirements for your e-mail than a

Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
Security is an illusion - Confucius probably On Wed, May 27, 2015 at 8:42 AM, Joel Maslak jmas...@antelope.net wrote: I also suspect not every telco validates number porting requests against social engineering properly. A telephone number isn't something you have, it is something your

Re: gmail security is a joke

2015-05-27 Thread Owen DeLong
On May 26, 2015, at 6:11 PM, Saku Ytti s...@ytti.fi wrote: On (2015-05-26 17:44 +0200), Owen DeLong wrote: Hey, I think opt-out of password recovery choices on a line-item basis is not a bad concept. This sounds reasonable. At least then you could decide which balance of

Re: gmail security is a joke

2015-05-27 Thread Rafael Possamai
You can also register a U2F key. On Wed, May 27, 2015 at 3:17 AM, valdis.kletni...@vt.edu wrote: On Wed, 27 May 2015 09:13:47 +0530, Anil Kumar said: that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app

Re: gmail security is a joke

2015-05-27 Thread Joel Maslak
I also suspect not every telco validates number porting requests against social engineering properly. A telephone number isn't something you have, it is something your provider has. On Wednesday, May 27, 2015, Saku Ytti s...@ytti.fi wrote: On (2015-05-27 14:19 +0200), Owen DeLong wrote: Hey,

Re: gmail security is a joke

2015-05-27 Thread John R. Levine
The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Unless I misunderstand what you're saying (I sort of hope I do) this is Security 101. As I've said a couple of times already, but perhaps without the capital letters, from a

Re: gmail security is a joke

2015-05-27 Thread James Downs
On May 27, 2015, at 11:22, John R. Levine jo...@iecc.com wrote: As I've said a couple of times already, but perhaps without the capital letters, from a security point of view, generating a NEW PASSWORD and sending it in cleartext is no worse than sending you a one time reset link. Either

Re: gmail security is a joke

2015-05-27 Thread Barry Shein
On May 27, 2015 at 14:22 jo...@iecc.com (John R. Levine) wrote: The OP was correct, if they can send you your cleartext password then their security practices are inadequate, period. Unless I misunderstand what you're saying (I sort of hope I do) this is Security 101. As I've

Re: gmail security is a joke

2015-05-27 Thread Barry Shein
One weakness with sending a new cleartext password rather than a link is that a cleartext password (probably) has to be engineered to be easy to type in and maybe even remembered. Typically one uses some concatenation of CVC (consonant-vowel-consonant) with common punctuations and/or digits

Re: gmail security is a joke

2015-05-27 Thread Barry Shein
On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote: On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote: If they can e-mail you your existing password (*cough*Netgear*cough*),

Re: gmail security is a joke

2015-05-27 Thread William Herrin
On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote: If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.

Re: gmail security is a joke

2015-05-27 Thread Valdis . Kletnieks
On Wed, 27 May 2015 16:11:19 +0300, Saku Ytti said: This is second reply to this notion. I don't understand what is attempted to communicate. I'm sure no one on nanog thinks BGP hijacks are rare, difficult or yield to consequences when called out. What *is* rare is a BGP hijack done solely to

Re: gmail security is a joke

2015-05-27 Thread William Herrin
On Wed, May 27, 2015 at 1:51 PM, Barry Shein b...@world.std.com wrote: On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote: On Tue, May 26, 2015 at 4:10 PM, Scott Howard sc...@doc.net.au wrote: It means they are storing it unhashed which is probably what you mean. It

Re: gmail security is a joke

2015-05-27 Thread Rich Kulawiec
On Wed, May 27, 2015 at 01:51:35PM -0400, Barry Shein wrote: Getting a copy of the database of hashes and login names is basically useless to an attacker. Not any more, if the hash algorithm isn't sufficiently strong: 25-GPU cluster cracks every standard Windows password in 6

Re: gmail security is a joke

2015-05-27 Thread Harald Koch
On 26 May 2015 at 23:43, Anil Kumar aku...@anilkumar.com wrote: According to this page, the 2-factor authentication does kick in when you finally try to reset the password. http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature “… I

Re: gmail security is a joke

2015-05-27 Thread Jim Popovitch
On Wed, May 27, 2015 at 4:52 PM, Harald Koch c...@pobox.com wrote: Y'all are way too trusting ;) Or we are much more comfortable with our knowledge. Six in one, If I recall from a brief experiment yesterday, three of the four options on that page are variations on I'd like to bypass

Re: gmail security is a joke

2015-05-27 Thread Jimmy Hess
On Wed, May 27, 2015 at 6:04 PM, Peter Beckman beck...@angryox.com wrote: [snip] I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly. It is strongly recommended that when used for password storage, the work factor for

Re: gmail security is a joke

2015-05-27 Thread Peter Beckman
LinkedIn used SHA-1, a fast algorithm. At 350-billion guesses per second on the mentioned rig for fast algorithms, yeah, you can get through a lot of passwords quickly. Hopefully LinkedIn has changed their ways. In that same article: ...functions such as Bcrypt, PBKDF2, and SHA512crypt are

RE: gmail security is a joke

2015-05-27 Thread John Souvestre
I was thinking about using the last 2 digits of the year as the cost factor, but that might not scale with hardware linearly. How about: 2 ^ (last 2 digits of year / 2) This would track per Moore's Law. John John Souvestre - New Orleans LA

Re: gmail security is a joke

2015-05-27 Thread Barry Shein
I am truly relieved that this was just a misunderstanding! -b On May 27, 2015 at 16:05 b...@herrin.us (William Herrin) wrote: On Wed, May 27, 2015 at 1:51 PM, Barry Shein b...@world.std.com wrote: On May 27, 2015 at 10:28 b...@herrin.us (William Herrin) wrote: On Tue, May 26, 2015

Re: gmail security is a joke

2015-05-27 Thread Barry Shein
Good name in man and woman, dear my lord, Is the immediate jewel of their souls. Who steals my purse steals trash; 'tis something, nothing; 'Twas mine, 'tis his, and has been slave to thousands; But he that filches from me my good name Robs me of that which not enriches him, And

Re: gmail security is a joke

2015-05-26 Thread Mark Andrews
In message 20150526161151.ga14...@pob.ytti.fi, Saku Ytti writes: On (2015-05-26 17:44 +0200), Owen DeLong wrote: Hey, I think opt-out of password recovery choices on a line-item basis is not a bad concept. This sounds reasonable. At least then you could decide which balance of

Re: gmail security is a joke

2015-05-26 Thread Harald Koch
On 26 May 2015 at 11:32, Alex Brooks askoorb+na...@gmail.com wrote: Can you not set account recovery options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives some guidance? Alex Unfortunately, setting these options does not

Re: gmail security is a joke

2015-05-26 Thread Anil Kumar
On May 27, 2015, at 8:09 AM, Harald Koch c...@pobox.com wrote: On 26 May 2015 at 11:32, Alex Brooks askoorb+na...@gmail.com wrote: Can you not set account recovery options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives

Re: gmail security is a joke

2015-05-26 Thread Christopher Morrow
On Tue, May 26, 2015 at 2:15 PM, valdis.kletni...@vt.edu wrote: On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said: OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that. It's

Re: gmail security is a joke

2015-05-26 Thread Valdis . Kletnieks
On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said: OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that. It's probably machine sent in seconds or minute after request, so doing

Re: gmail security is a joke

2015-05-26 Thread Alex Brooks
Hi, On Tue, May 26, 2015 at 3:26 PM, Markus unive...@truemetal.org wrote: Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke. Can you not set account

Re: gmail security is a joke

2015-05-26 Thread chris
Haha I cringe when I do a password recovery at a site and they either email the current pw to me in plain text or just as bad reset it then email it in plain text. It's really sad that stuff this bad is still so common. On Tue, May 26, 2015 at 11:44 AM, Owen DeLong o...@delong.com wrote: On

Re: gmail security is a joke

2015-05-26 Thread Saku Ytti
On (2015-05-26 17:44 +0200), Owen DeLong wrote: Hey, I think opt-out of password recovery choices on a line-item basis is not a bad concept. This sounds reasonable. At least then you could decide which balance of risk/convenience fits their use-case for given service. OTOH, recovery by

Re: gmail security is a joke

2015-05-26 Thread John R. Levine
I get what you are saying but my point was more about lack of crypto or reversible crypto than stealing the account. I am all in favor of using crypto when it improves security. But I am also in favor of not obsessing about it in places where it makes no difference. I like what Owen is

Re: gmail security is a joke

2015-05-26 Thread Owen DeLong
On May 26, 2015, at 5:22 PM, Saku Ytti s...@ytti.fi wrote: On (2015-05-26 16:26 +0200), Markus wrote: Hey, Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the Without any comment on

Re: gmail security is a joke

2015-05-26 Thread John Levine
In article caknnfz_apy8khbxj0umgoq6ufcd640jtxe9a+2tqu-d761-...@mail.gmail.com you write: Haha I cringe when I do a password recovery at a site and they either email the current pw to me in plain text or just as bad reset it then email it in plain text. It's really sad that stuff this bad is still

Re: gmail security is a joke

2015-05-26 Thread Scott Howard
On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote: If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted. No, it doesn't mean that at all. It means they are storing it

Re: gmail security is a joke

2015-05-26 Thread Aaron C. de Bruyn
On Tue, May 26, 2015 at 9:06 AM, John Levine jo...@iecc.com wrote: If they do a reset, what difference does it make whether they send the password in plain text or as a one-time link? Either way, if a bad guy can read the mail, he can steal the account. If they can e-mail you your existing

Re: gmail security is a joke

2015-05-26 Thread John R. Levine
If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted. What I had in mind was creating a new password and mailing you that. R's, John

Re: gmail security is a joke

2015-05-26 Thread Aaron C. de Bruyn
*facepalm* Right. Sorry. Forgot which group I was addressing. ;) I swear half of the United States forgot their passwords over the three-day weekend. -A On Tue, May 26, 2015 at 12:39 PM, John R. Levine jo...@iecc.com wrote: If they can e-mail you your existing password

Re: gmail security is a joke

2015-05-26 Thread Saku Ytti
On (2015-05-26 16:26 +0200), Markus wrote: Hey, Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the Without any comment on what gmail is or is not doing, the topic interests me. How should

gmail security is a joke

2015-05-26 Thread Markus
Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke. Try it by yourself, it's fun. Even worse, once the attacker had control of your account once, and

RE: gmail security is a joke

2015-05-26 Thread Thijs Stuurman
: Tuesday, May 26, 2015 5:32 PM To: Markus; nanog Subject: Re: gmail security is a joke Hi, On Tue, May 26, 2015 at 3:26 PM, Markus unive...@truemetal.org wrote: Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year

Re: gmail security is a joke

2015-05-26 Thread Jim Popovitch
On Tue, May 26, 2015 at 10:26 AM, Markus unive...@truemetal.org wrote: Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke. We don't even know if this