Topic: Useless Conversation (Read 4182511 times)
voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
Interesting, never seen that before. Also unique because Thais don't usually cook it (although there are a lot of Viets and Thai-raised Chinese... that's probably where it's coming from). Anyways yeah, definitely add it to your arsenal my friend ;)
It was one of those shi-shi $10 lychee martini "Thai" restaurants that I'd never eat at if I weren't away on business with an expense account and clients to impress. But those duck buns were amazing.
WayAbvPar
Wild Ginger does a good duck bun thing but it is with plum sauce instead of cilantro. Pretty tasty.
When speaking of the MMOG industry, the glass may be half full, but it's full of urine. - HaemishM
Always wear clean underwear because you never know when a Tory Government is going to fuck you. - Ironwood
Libertarians make fun of everyone because they can't see beyond the event horizons of their own assholes. - Surlyboi

voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
Wild Ginger does a good duck bun thing but it is with plum sauce instead of cilantro. Pretty tasty.
I think that's the place. I thought it came with some little herbs to add to your bun? Maybe I'm thinking of another dish I had somewhere else.
lamaros
Terracotta Army
Posts: 8021
MrHat
Terracotta Army
Posts: 7432
Out of the frying pan, into the fire.
Ding 28
Cyrrex
Terracotta Army
Posts: 10603
Grats. Two more levels and you can raid with us.
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk

Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
Fifteen-character passwords can fuck right off. On the other hand, I found KeePass.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

Cyrrex
Terracotta Army
Posts: 10603
Anyone who insists on a fifteen character password for anything is beyond stupid. It does not improve your security...on the contrary, it means people are going to do shit like use post-it notes and stick it right on the monitor. Or whatever. A simple 6 to 8 digit, requiring at least one numeric character and one capital letter, is all you need. The possible combinations are staggering with just that requirement. You have a better chance of winning the lottery than guessing a random person's password.
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk

Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
The best part is that my userid has no special privileges. Well, maybe the best part is that I can use real security holes and passwd tools to circumvent most of this. Or maybe that I now have my passwd written down on my desk.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
Six digit passwords are too short. Using a single Intel Core 2 Duo 2.0GHz processor (nothing fancy in today's terms) it would take 4 hours to brute force the entire range of possibilities of a six digit password that uses upper and lower case letters, numeric digits, common punctuation and symbols. That's one of my spare machines upstairs. I have enough unused processor power in my house to break six character passwords in minutes if I want to.
Add one more digit and you go from hours up to a couple of weeks. Add two more and it becomes unreasonable to brute force attack the passwords using personal hardware. Of course, most people don't use difficult passwords, so the degree of obfuscation typically consists of concatenations of English words with common letter substitutions. It doesn't take long to crack 'Y0uW@nk3r' using a dictionary/substitution attack, since you can do the whole English language in upper and lower cases in a single second.
If you have something good to hide, you're in even bigger trouble. I cracked passwords for a very large company using an array of processors. We were able to brute force a significant number of complex 8 character passwords in a few hours. It typically only takes one password on a sensitive system to gain full control. Privilege escalation from the local command prompt is much easier than trying to gain root remotely from a network service - people pay a lot of security attention to overflows in network code, much less to the hundreds of root/administrator level commands available locally on the server.
The camera adds a thousand barrels. - Steven Colbert
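Righ's scaling argument above, worked through in code. This is an added example, not the poster's code or tooling: the guess rate is back-calculated from the figure given in the post (every six-character password over upper and lower case letters, digits and punctuation in 4 hours on one Core 2 Duo) and then applied to longer passwords; the 94-symbol alphabet (printable ASCII without the space) is an assumption. It also shows, as a sum of small keyspaces, why a scheme that hashes a password in independent 7-character pieces (the legacy LM hash behaviour behind the 15-character rule that comes up later in the thread; LM also folds case, which is ignored here) is cheap to search, which is the defender's reason for a length rule.

```python
"""Exhaustive-search cost of short passwords, worked from the figures in the thread.

Added example, not the poster's code. The guess rate is back-calculated from
the claim that all six-character passwords over upper/lower/digits/punctuation
fall in 4 hours on one Core 2 Duo, then applied to 7 and 8 characters. The
94-symbol alphabet (printable ASCII without space) is an assumption.
"""
import math
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)          # 94 symbols (assumed charset)
SIX_CHAR_HOURS = 4                     # the post's figure for one Core 2 Duo


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def implied_guess_rate(alphabet_size: int, length: int, hours: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `hours`."""
    return keyspace(alphabet_size, length) / (hours * 3600)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def halved_keyspace(alphabet_size: int, length: int, half: int = 7) -> int:
    """Work to recover a password whose hash is computed over independent
    `half`-symbol chunks (the structural weakness of the legacy LM scheme).
    Each chunk is searched on its own, so the cost is a sum of small
    keyspaces rather than one large one."""
    full, rem = divmod(length, half)
    total = full * keyspace(alphabet_size, half)
    if rem:
        total += keyspace(alphabet_size, rem)
    return total


def cost_table(rate: float, lengths=(6, 7, 8, 9, 12), alphabet_size=ALPHABET_SIZE):
    """Map password length -> seconds to exhaust at `rate` guesses/s."""
    return {n: seconds_to_exhaust(alphabet_size, n, rate) for n in lengths}


def describe(seconds: float) -> str:
    """Render a duration in the unit a policy discussion would use."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 365 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365 * 86400):.1f} years"


if __name__ == "__main__":
    rate = implied_guess_rate(ALPHABET_SIZE, 6, SIX_CHAR_HOURS)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for n, secs in cost_table(rate).items():
        print(f"{n:2d} chars: {keyspace(ALPHABET_SIZE, n):.3e} candidates, {describe(secs)}")
    whole = seconds_to_exhaust(ALPHABET_SIZE, 14, rate)
    halves = halved_keyspace(ALPHABET_SIZE, 14) / rate
    print(f"14 chars hashed whole: {describe(whole)}")
    print(f"14 chars hashed as two 7-char halves: {describe(halves)}")
```

Run it and the 7- and 8-character rows land on "a couple of weeks" and about four years, matching the post. The instructive row is the 14-character password hashed in halves: it costs about the same as searching a single 7-character password twice. The rate is specific to whatever hash function the target system uses, so treat the table as a policy argument, not a benchmark.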
voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
Ding 28
I already wished you a happy birthday on Facebook.
MrHat
Terracotta Army
Posts: 7432
Out of the frying pan, into the fire.
Ding 28
I already wished you a happy birthday on Facebook.
I already said thank you for wishing me a happy birthday on Facebook.
voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
Anyone who insists on a fifteen character password for anything is beyond stupid. It does not improve your security...on the contrary, it means people are going to do shit like use post-it notes and stick it right on the monitor. Or whatever. A simple 6 to 8 digit, requiring at least one numeric character and one capital letter, is all you need. The possible combinations are staggering with just that requirement. You have a better chance of winning the lottery than guessing a random person's password.
Yep. It's not like banks make people change their PIN numbers every month. I had a perfectly good, secure password that I could remember, and now instead I have to arbitrarily add a +1 to my password every month.
K9
Terracotta Army
Posts: 7441
Interesting post Righ, I don't really know much about IT security. I would have assumed that most places would have some sort of flood reaction that would suspend accounts, and that this is the best defense against brute forcing?
The alternative, which a lot of banks seem to use, is the 'pick characters X, Y and Z out of your password and enter them in order Y-Z-X' which seems like it would be hard to both brute force and to keylog, even for short number sequences.
I love the smell of facepalm in the morning

Cyrrex
Terracotta Army
Posts: 10603
Six digit passwords are too short. Using a single Intel Core 2 Duo 2.0GHz processor (nothing fancy in today's terms) it would take 4 hours to brute force the entire range of possibilities of a six digit password that uses upper and lower case letters, numeric digits, common punctuation and symbols. That's one of my spare machines upstairs. I have enough unused processor power in my house to break six character passwords in minutes if I want to.
Add one more digit and you go from hours up to a couple of weeks. Add two more and it becomes unreasonable to brute force attack the passwords using personal hardware. Of course, most people don't use difficult passwords, so the degree of obfuscation typically consists of concatenations of English words with common letter substitutions. It doesn't take long to crack 'Y0uW@nk3r' using a dictionary/substitution attack, since you can do the whole English language in upper and lower cases in a single second.
If you have something good to hide, you're in even bigger trouble. I cracked passwords for a very large company using an array of processors. We were able to brute force a significant number of complex 8 character passwords in a few hours. It typically only takes one password on a sensitive system to gain full control. Privilege escalation from the local command prompt is much easier than trying to gain root remotely from a network service - people pay a lot of security attention to overflows in network code, much less to the hundreds of root/administrator level commands available locally on the server.
Okay, I'll give you 8 characters...but I don't think the average company's password policy has anything to do with preventing brute force attacks. I'm rather certain of it, in fact, having been in various positions of enforcing said policies for many years. They are more worried about your colleague guessing your password and committing fraud than they are from super sekrit password breaking agencies transferring billions of dollars into Swiss bank accounts. As such, shorter passwords that don't change too frequently end up being more effective.
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk

bhodi
Moderator
Posts: 6817
No lie.
Brute force approaches to logins can be slowed or circumvented by limited login attempts / lockouts / timeout delays, yes.
It's almost always more effective to go after user desktops when trying to gain access to a hardened system, which essentially means keyloggers, which won't be stopped by any of that.
70%+ of security breaches originate by employees of said company. They have a right to be more worried.
Your average company's policy is derived from 'best practices' security documents - this is the REAL reason that everyone changes passwords every 90 days. It's not really more secure but the 90 day opinion is very pervasive. You're totally wrong on 'shorter' passwords if, as Righ says, shorter = less than 8 characters.
WayAbvPar
Wild Ginger does a good duck bun thing but it is with plum sauce instead of cilantro. Pretty tasty.
I think that's the place. I thought it came with some little herbs to add to your bun? Maybe I'm thinking of another dish I had somewhere else.
They might serve herbs and stuff with it...been several years since I have been there. And you probably have a keener eye for that sort of thing than do I.
When speaking of the MMOG industry, the glass may be half full, but it's full of urine. - HaemishM
Always wear clean underwear because you never know when a Tory Government is going to fuck you. - Ironwood
Libertarians make fun of everyone because they can't see beyond the event horizons of their own assholes. - Surlyboi

Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
Interesting post Righ, I don't really no much about IT security. I would have assumed that most places would have some sort of flood reaction that would suspend accounts, and that this is the best defense against brute forcing?
Absolutely - there should be no way of doing this using a network brute force attack. That said, there often is - you'd be a fool to try and brute force the front door using an SSH or FTP server since those are usually not only set up to slow multiple attempts but are also alarmed. It's amazing how many other common passworded services such as POP & IMAP are not. Further, there are lots of 'leaky' network protocols that share an encrypted form of the password, and if you give somebody even restricted guest access to a server (even through a non-interactive network service) that usually grants them read access to those encrypted passwords. So phase one of an attack is usually stealing the encrypted passwords so that they can be attacked in the comfort of one's own 'lab'. In fact, it's just come to me what the 15 character length was popularized by. Older implementations of NTLM and all modern NTLM systems that have to talk to those older (Windows 2000 etc) systems. There's a vulnerability in the hashing, so it is trivial to capture the encrypted password using smbrelay and then engineer the password. With passwords of 15 characters and greater, the hashing is done differently so it's not possible to use this trick. The best thing is to keep all that sort of network traffic that includes encrypted passwords safely behind your firewalls on the corporate network. Where big companies still insist on 15 character passwords tends to be when folks like me ask them whether they think they can trust every one of the thousands of consultants (like me) that they have inside their firewalls. :)
The alternative, which a lot of banks seem to use, is the 'pick characters X, Y and Z out of your password and enter them in order Y-Z-X' which seems like it would be hard to both brute force and to keylog, even for short number sequences.
There are many ways to skin this particular cat. I actually like long passwords. I usually find it easier to type something akin to a sentence than a crazy mess of letters in some 8 character acronym. If I ran my own business, I'd use two-factor authentication using one time passwords. It's cheaper than cleaning up the messes that putting lots of lazy people into deciding personal passwords creates.
The camera adds a thousand barrels. - Steven Colbert

Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
They are more worried about your colleague guessing your password and committing fraud than they are from super sekrit password breaking agencies transferring billions of dollars into Swiss bank accounts.
This is fascinating and would explain a great deal. The new standard for Regular People is eight characters. I am not Regular People although my userid has no special rights, so I get a fifteen-character rule. Naturally this will prevent my root-knowing peers from committing fraud with my userid. I suppose if someone were to log in to my laptop, they could use my ssh key to get to a UNIX box and go nuts from there.
Where big companies still insist on 15 character passwords tends to be when folks like me ask them whether they think they can trust every one of the thousands of consultants (like me) that they have inside their firewalls. :)
I'm pretty sure this is it, especially with the drive to outsource the whole IT division. As for secure passwords, I'm partial to keyboard patterns.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

Salamok
Terracotta Army
Posts: 2803
Keep in mind the differences between a password and an encryption key, 6 digits is fine for an authentication system that has lockout after x attempts. Once you are authenticated any encryption will be done using a cert that is much longer than 6 digits. "Password" protecting a document or file is not an authentication type of thing and the password isn't really a password it is an encryption key, in those cases 6 characters is laughable.
On a side note do ATM machines have lockout after x attempts type of code? With 4 digit pins it seems like they should.
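The lockout point bhodi made earlier and the online-versus-offline distinction Salamok draws here, as an added example (not code from the thread): a small authenticator that counts failures per account and locks it after a threshold, plus a budget calculation showing how few guesses such a policy leaves an online attacker, set against the unbounded rate available offline once a hash or an encrypted file is in hand. The policy values (three failures, then a fifteen-minute lockout) and the credential store are constructed for the demo, and the store holds plaintext only to keep the example short; a real system keeps password hashes. A `lockout_seconds` of infinity models a card that stays locked until the bank issues a new PIN.

```python
"""Account lockout throttle and the online-guess budget it imposes.

Added example, not code from the thread. Models per-account attempt limits
and contrasts them with offline guessing, where no lockout applies. Policy
values and the credential store are constructed for the demonstration.
"""
import hmac
import math
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 3                 # constructed value
    lockout_seconds: float = 15 * 60      # constructed; float("inf") = locked until reset


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Username/secret check with per-account failure counting and lockout."""

    def __init__(self, credentials: Dict[str, str], policy: LockoutPolicy):
        self._creds = credentials        # demo only: real stores hold password hashes
        self._policy = policy
        self._state: Dict[str, AccountState] = {}

    def login(self, user: str, secret: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is epoch seconds, injected for testing."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"              # do not evaluate the secret while locked
        # Constant-time compare; an unknown user still pays for a comparison so
        # response timing does not reveal which usernames exist.
        expected = self._creds.get(user, "")
        ok = hmac.compare_digest(expected.encode(), secret.encode()) and user in self._creds
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self._policy.max_failures:
            st.failures = 0
            st.locked_until = now + self._policy.lockout_seconds
            return "locked"
        return "denied"


def online_guess_budget(policy: LockoutPolicy, window_seconds: float) -> int:
    """Most guesses one attacker can make against one account within a window.

    The attacker burns max_failures guesses, waits out the lockout, and repeats;
    with an infinite lockout only the first batch is ever possible."""
    if window_seconds <= 0:
        return 0
    cycles = max(1, math.ceil(window_seconds / policy.lockout_seconds))
    return cycles * policy.max_failures


def days_to_exhaust_online(keyspace: int, policy: LockoutPolicy) -> float:
    """Days to try every candidate through the login interface."""
    return keyspace / online_guess_budget(policy, 86400)


def seconds_to_exhaust_offline(keyspace: int, guesses_per_second: float) -> float:
    """No lockout applies to a captured hash or an encrypted file."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    auth = Authenticator({"alice": "correct horse"}, LockoutPolicy())
    for t, guess in [(0, "a"), (1, "b"), (2, "c"), (10, "correct horse"), (902, "correct horse")]:
        print(f"t={t:4d} {guess!r:16} -> {auth.login('alice', guess, now=t)}")
    six_digit = 10 ** 6
    print(f"6-digit PIN, 3 tries per 15 min: {days_to_exhaust_online(six_digit, LockoutPolicy()):.0f} days")
    print(f"same keyspace offline at 1e7 guesses/s: {seconds_to_exhaust_offline(six_digit, 1e7):.2f} s")
```

A hard per-account lockout also lets anyone who knows a username lock that account out, which is why many services pair it with per-source rate limiting or a progressive delay instead; the budget function applies to either, since what matters is guesses permitted per unit of time. The offline figure is the case Righ describes: once the encrypted form of the password leaves the authenticating service, only its length and the hash's cost stand between it and the attacker.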
K9
Terracotta Army
Posts: 7441
I think most ATMs have a 3 attempt lockout, then you have to get a new PIN sent from your bank. A useful precaution against both thieves and drunken withdrawals. Righ, thanks for expanding on that; I find this stuff really interesting.
I love the smell of facepalm in the morning

Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.
Keep in mind the differences between a password and an encryption key, 6 digits is fine for an authentication system that has lockout after x attempts.
There isn't in the case where the encrypted password is exposed to the network, which is common inside most corporate networks. If there's a need to distinguish between the network traffic of Disgruntled Worker and Chief Financial Officer, you want longer passwords.
The camera adds a thousand barrels. - Steven Colbert

voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
I am using the BabyPlus prenatal education system on Ooschie. He won't stop thumping in my belly anyways, so he may as well get some learnin' in there. No rest for the fetus!
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
Will it hurt your feelings if I call bullshit on that... bullshit? I'm not saying it will harm your tiny person, I'm just saying what mother isn't going to say all those nice things about her little angel?
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

bhodi
Moderator
Posts: 6817
No lie.
Of course the most common penetration isn't via user passwords at all. It's through a system account that was created across your entire architecture by some consultant - installed on all your critical machines often with little oversight because it was a rushed job - backups, system monitoring, intrusion detection/security (oh the irony!), or an incorrectly configured system account (weblogic, apache, postfix, sendmail, jboss, oracle, mysql, postgres, ntp, radius) that sort of thing, accounts that are generally exempt from the password expiration rule and that are often made with 'temporary' or default passwords that people never get around to changing when they are put into production. SA, no password. Rock on.
Voodoolily: You've been had. Come on, you're smarter than this.
« Last Edit: July 28, 2009, 11:53:21 AM by bhodi »
gryeyes
Terracotta Army
Posts: 2215
Apparently you guys did not read the "Science" link on their website.
bhodi
Moderator
Posts: 6817
No lie.
I just clicked that and then my head exploded.
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
IT Sec put a monitor on the AIX boxes which has a userid with UID 0. Consulting blackhats crashed our HACMP clusters with port scans. Auditors are handed terminals on the network with lots of time and tools, and we are instructed to ignore their activity. Once again I find I want to switch concentrations.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

K9
Terracotta Army
Posts: 7441
Sorry VDL, seems like a lot of woo and no substance. I doubt it will harm your kid, but there doesn't seem to be any evidence that it will benefit them.
I love the smell of facepalm in the morning

Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
I am using the BabyPlus prenatal education system on Ooschie. He won't stop thumping in my belly anyways, so he may as well get some learnin' in there. No rest for the fetus!
This reminds me of the baby memory generator goggles in Donnie Darko. You end up buying so much useless junk of negligible use early enough. Don't start too early.
-Rasix

Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
The thing that played music for the fetus was silly. We already had music players.
I have come to the decision that childhood is for being a child, not some maladjusted Doogie Howser. I switched from classical music to fart jokes pretty early.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

voodoolily
Contributor
Posts: 5348
Finnuh, munnuh, muhfuh, I enjoy creating new written vernacular, s'all.
Out of the 98 user reviews on Amazon, I couldn't find any that said "I used this and my baby still screams, won't sleep through the night and isn't exceeding his milestones." I like to pretend Oosch is in there with his little glasses on, wearing an inquisitive look on his face. It doesn't hurt, and besides, it's the only "stupid" purchase I've made! And you just wait and see how smart my fetus will be!
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
And you just wait and see how smart my fetus will be!
Not to continue unduly, but I'm suspicious that the moms who might buy this would end up with above-average kids anyways. Also see previous post(s) about parental bias. It's really difficult to understand that the parents of that ugly, spoiled brat think she is completely adorable, but they do.
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone

Cyrrex
Terracotta Army
Posts: 10603
And you just wait and see how smart my fetus will be!
Not to continue unduly, but I'm suspicious that the moms who might buy this would end up with above-average kids anyways. Also see previous post(s) about parental bias. It's really difficult to understand that the parents of that ugly, spoiled brat think she is completely adorable, but they do.
Ding! A winner is you! First kids are always funny, because you go nuts on all this kind of stuff. Then the second one comes along, gets completely neglected in comparison, and somehow turns out better off anyway.
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk

gryeyes
Terracotta Army
Posts: 2215
You don't even need to delve that deep to know it's complete bullshit. Just look into the "sources" that substantiate the product's effectiveness. I mean besides Plato, Aristotle and the Talmud which he lists. It's composed entirely of intentionally misleading conflated bullshit. Personal anecdotes of effectiveness aside, the man is selling snake oil.