Update: the new admin/moderation team and changes discussions will begin soon
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
@boomzilla said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
Due to being so terrible I couldn’t even log in
Hah. That reminds me of the time @accalia set her password to the text of War and Peace and crashed the forum.
Passwords aren’t hashed before being sent over the net?
I'm no expert, but that seems like bad practice. You should have encrypted communication but the hashing should be done by the server because you should never trust the client to do anything, otherwise why bother hashing passwords at all if you'll accept the hash as clear text?
-
@boomzilla I’m also no expert and have no idea what’s standard practice, but personally I’d hash on both sides. Client side for canonicalizing the input (and never letting the server see the actual password) and server for obvious security reasons. That way you don’t need idiotic restrictions on input length etc. (the server can simply reject stuff that’s 5MB in size).
-
@topspin Double hashing, then? Sometimes people do that. Comparing the client-supplied hash(password) against server-stored hash(password) is a bad idea, though, because it makes the hash equivalent to clear-text password.
-
@cabrito said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
Passwords aren’t hashed before being sent over the net?
Ok, I know you must be but....
Not at all. I don’t see how more hashing makes anything less secure, and I never said only on the client side.
User enters password -> send H1 = hash(password) over encrypted connection -> server computes H2 = hash(H1) and stores H2 in the DB or compares it to the DB value, respectively. (Add in salting as necessary) That way the server never sees the real password even temporarily (even though for this site and all with the same scheme H1 is effectively the password) and doesn’t need to deal with arbitrary input. Anything that’s longer than expected gets rejected immediately.
-
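The two-stage scheme discussed in the posts above (client sends H1 = hash(password), server stores and compares H2 = salted hash(H1), and rejects anything that is not a hash-sized input), as an added example that is not part of any post in this thread. It assumes SHA-256 for the client stage and PBKDF2-HMAC-SHA256 for the server stage, both my choices since the thread only says "hash"; the `UserStore` class and the `naive_*` functions are constructed for illustration. The naive variant shows the point about comparing the client hash directly against a stored copy of the same hash: a leaked database value is then usable as the credential, whereas in the two-stage store a leaked H2 does not verify.

```python
import hashlib
import hmac
import os

# --- Client stage (assumption: SHA-256; the thread only says "hash") ---
# Hashing on the client canonicalises the input: the server receives a
# 64-character hex string no matter how long the user's actual password is.
CLIENT_HASH_HEX_LEN = 64


def client_hash(password: str) -> str:
    """H1 = hash(password), computed before the request leaves the client."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Server stage (assumption: PBKDF2 with a per-user random salt) ---
PBKDF2_ITERATIONS = 100_000


def server_hash(h1: str, salt: bytes) -> bytes:
    """H2 = salted slow hash of H1. H1 is the effective credential, so it
    gets the same treatment a raw password would."""
    return hashlib.pbkdf2_hmac("sha256", h1.encode("ascii"), salt, PBKDF2_ITERATIONS)


def looks_like_client_hash(h1: str) -> bool:
    """Cheap input gate: anything that is not hash-sized hex cannot be H1,
    so it is rejected before any expensive work is done."""
    return len(h1) == CLIENT_HASH_HEX_LEN and all(c in "0123456789abcdef" for c in h1)


class UserStore:
    """Constructed in-memory stand-in for the DB; maps username -> (salt, H2)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, h1: str) -> bool:
        if not looks_like_client_hash(h1):
            return False
        salt = os.urandom(16)
        self._records[username] = (salt, server_hash(h1, salt))
        return True

    def verify(self, username: str, h1: str) -> bool:
        if not looks_like_client_hash(h1):
            return False
        record = self._records.get(username)
        if record is None:
            return False
        salt, h2 = record
        # Constant-time comparison of the recomputed H2 against the stored one.
        return hmac.compare_digest(server_hash(h1, salt), h2)

    def leaked_h2_hex(self, username: str) -> str:
        """Simulates an attacker reading the stored H2 out of a leaked DB dump."""
        return self._records[username][1].hex()


# --- The variant the thread warns against: store H1 and compare it directly ---
def naive_store(password: str) -> str:
    return client_hash(password)


def naive_verify(stored_h1: str, supplied_h1: str) -> bool:
    # Here the stored value IS the login credential: anyone holding the DB row logs in.
    return hmac.compare_digest(stored_h1, supplied_h1)


if __name__ == "__main__":
    store = UserStore()
    long_pw = "War and Peace " * 10_000  # constructed oversized password
    store.register("accalia", client_hash(long_pw))
    print("login ok:", store.verify("accalia", client_hash(long_pw)))
    print("leaked H2 logs in:", store.verify("accalia", store.leaked_h2_hex("accalia")))
    print("naive leaked value logs in:", naive_verify(naive_store("pw"), naive_store("pw")))
```

The server never handles the raw password, so the length of what the user typed only ever matters to the client, and the input gate turns the "5MB password" case into an immediate reject. Salting on the server means two users with the same password get different H2 values; the salt does not have to be secret, it just has to be per-user.
-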
@error said in Update: the new admin/moderation team and changes discussions will begin soon:
I feel like, with the frequency of my posting about work stuff, and the size of my employer, someone could correlate several of my posts and identify me from that.
Everyone knows you're in the military, General Error. Dunno why you were so obsessed about reading my floppy disks in the 90s
-
@sockpuppet7 said in Update: the new admin/moderation team and changes discussions will begin soon:
my floppy disks
It was a typo.
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
someone who'd know me could easily figure it out,
LOL, anyone who knows me would recognize me immediately from my avatar! (Tho since she passed away in 2015, that number is decreasing)
-
@boomzilla said in Update: the new admin/moderation team and changes discussions will begin soon:
Hah. That reminds me of the time @accalia set her password to the text of War and Peace and crashed the forum.
And now we know why some websites implement (as part of) their password rules as:
- Longer than 8 characters
- Shorter than 7 characters
-
@sockpuppet7 said in Update: the new admin/moderation team and changes discussions will begin soon:
@error said in Update: the new admin/moderation team and changes discussions will begin soon:
I feel like, with the frequency of my posting about work stuff, and the size of my employer, someone could correlate several of my posts and identify me from that.
Everyone knows you're in the military, General Error. Dunno why you were so obsessed about reading my floppy disks in the 90s
Isn't Colonel Panic in his chain of command?
-
@Mason_Wheeler Along with Major Fault.
-
@cvi And of course let's not forget about Private Method...
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
@cabrito said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
Passwords aren’t hashed before being sent over the net?
Ok, I know you must be but....
Not at all. I don’t see how more hashing makes anything less secure, and I never said only on the client side.
User enters password -> send H1 = hash(password) over encrypted connection -> server computes H2 = hash(H1) and stores H2 in the DB or compares it to the DB value, respectively. (Add in salting as necessary) That way the server never sees the real password even temporarily (even though for this site and all with the same scheme H1 is effectively the password) and doesn’t need to deal with arbitrary input. Anything that’s longer than expected gets rejected immediately.
How is this better than sending the unhashed password over an encrypted connection?
Not only does H1 become the effective password (so now anyone intercepting it just needs H1 which they can use instead of password later) but the client knows the hashing mechanism which makes it easier to attack.
-
@dfdub said in Update: the new admin/moderation team and changes discussions will begin soon:
I always thought these megathreads were created to break Discourse and piss off @end
-
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
@cabrito said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
Passwords aren’t hashed before being sent over the net?
Ok, I know you must be but....
Not at all. I don’t see how more hashing makes anything less secure, and I never said only on the client side.
User enters password -> send H1 = hash(password) over encrypted connection -> server computes H2 = hash(H1) and stores H2 in the DB or compares it to the DB value, respectively. (Add in salting as necessary) That way the server never sees the real password even temporarily (even though for this site and all with the same scheme H1 is effectively the password) and doesn’t need to deal with arbitrary input. Anything that’s longer than expected gets rejected immediately.
How is this better than sending the unhashed password over an encrypted connection?
Not only does H1 become the effective password (so now anyone intercepting it just needs H1 which they can use instead of password later) but the client knows the hashing mechanism which makes it easier to attack.
Because the point of not letting someone get your password for a site isn't really not letting them get your password for that site. It's not letting them also get your password for all the other sites you use the same password on. And assuming that two different sites don't use the exact same client-side hashing method, this could help there.
-
@Mason_Wheeler said in Update: the new admin/moderation team and changes discussions will begin soon:
the other sites you use the same password on.
Don't do that though.
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
@Tsaukpaetra said in Update: the new admin/moderation team and changes discussions will begin soon:
@HardwareGeek said in Update: the new admin/moderation team and changes discussions will begin soon:
@Tsaukpaetra said in Update: the new admin/moderation team and changes discussions will begin soon:
Blakeyrat continually moans about that.
He moans that you've been paid
That I "apparently don't do jack" and get paid, yes.
And no, that's not a direct quote.
What? I was of the impression that you do 3-4 jobs for the price of one?
The problem with having to do multiple jobs at once is, you end up decreasing output exponentially instead of linearly.
Human brains aren't all that good with real-time multitasking at the high level.
-
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
How is this better than sending the unhashed password over an encrypted connection?
It makes arbitrary length and special-character restrictions go away, because the server sees a fixed-length hash, regardless of the plain-text password.
-
@PleegWat said in Update: the new admin/moderation team and changes discussions will begin soon:
@jinpa said in Update: the new admin/moderation team and changes discussions will begin soon:
@dfdub said in Update: the new admin/moderation team and changes discussions will begin soon:
@Luhmann said in Update: the new admin/moderation team and changes discussions will begin soon:
@dfdub said in Update: the new admin/moderation team and changes discussions will begin soon:
megathreads
Isn't this a lot to do with and interfacing ...
I always thought these megathreads were created to break Discourse and piss off @end, who liked to have unrelated discussions in separate threads.
What was he banned for? Looking at his most recent posts (2015), they don't seem that bad.
It's coding horror. He self-renamed and self-banned.
Oh, is that who it was? I somehow missed out on a lot of that drama, and the name @end has always made me think of someone I knew on another forum waaaaaaaay back in the day who went by "end" and was best known for being really laid back but having a habit of using weird, archaic words all the time.
-
@HardwareGeek said in Update: the new admin/moderation team and changes discussions will begin soon:
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
How is this better than sending the unhashed password over an encrypted connection?
It makes arbitrary length and special-character restrictions go away, because the server sees a fixed-length hash, regardless of the plain-text password.
You can make arbitrary length and special character restrictions go away either way.
-
@Mason_Wheeler we'll gather them with Public Function.
Filed under: these pony names are getting out of hand
-
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
@HardwareGeek said in Update: the new admin/moderation team and changes discussions will begin soon:
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
How is this better than sending the unhashed password over an encrypted connection?
It makes arbitrary length and special-character restrictions go away, because the server sees a fixed-length hash, regardless of the plain-text password.
You can make arbitrary length and special character restrictions go away either way.
Well, yes, but it makes them go away even if the back-end is .
-
@loopback0 said in Update: the new admin/moderation team and changes discussions will begin soon:
How is this better than sending the unhashed password over an encrypted connection?
It's more about protecting the user than the site. If the site never sees the unhashed password, they can't leak it.
Not only does H1 become the effective password (so now anyone intercepting it just needs H1 which they can use instead of password later) but the client knows the hashing mechanism which makes it easier to attack.
How is it any easier to attack? Knowing the structure of the hash output is no different from knowing the password rules for a site.
If anything it will increase the time for an attack. They will either spend time computing the hashes for each possible combination of inputs that matches the site rules; or they will spend time submitting hashes that could not have stemmed from a valid input.
-
@Unperverted-Vixen said in Update: the new admin/moderation team and changes discussions will begin soon:
How is it any easier to attack? Knowing the structure of the hash output is no different from knowing the password rules for a site.
Because you don't just know the output, but how that output is generated. If you don't know how it's calculated, you've either got to work it out before you start generating them or you've got to start generating them for multiple possibilities and hope one of those is correct.
-
@loopback0 Whether the browser is sending a hashed or unhashed password to the server, an attacker will know how the output is generated. (Printable ASCII or a defined subset thereof, with minimum and possibly maximum lengths.)
While a hash will have stricter limits than a traditional password/passphrase (always the same length, likely a more restricted character set), the length is long enough* that making a dictionary attack isn't made any quicker.
*Assuming a reasonable hash is chosen, e.g. SHA-256 or longer.
-
@loopback0 because you don’t need to worry about dealing with “War and Peace” as a password.
Also knowing the hashing mechanism doesn’t make it easier. If you don’t hash before (the alternative) you also know that the mechanism is “identity”.
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
@loopback0 because you don’t need to worry about dealing with “War and Peace” as a password.
Also knowing the hashing mechanism doesn’t make it easier. If you don’t hash before (the alternative) you also know that the mechanism is “identity”.
I guess there's an advantage to crashing the user's browser instead of the server.
-
@loopback0 I mean, yes there is.
-
@Mason_Wheeler
Not to be confused with Private Parts ... He's the one who has trouble keeping his pants up
-
@dcon said in Update: the new admin/moderation team and changes discussions will begin soon:
@boomzilla said in Update: the new admin/moderation team and changes discussions will begin soon:
Hah. That reminds me of the time @accalia set her password to the text of War and Peace and crashed the forum.
And now we know why some websites implement (as part of) their password rules as:
- Longer than 8 characters
- Shorter than 7 characters
Does War and Peace have more than 7 characters, though? I never read it, but my intuition says it doesn't.
-
@cvi said in Update: the new admin/moderation team and changes discussions will begin soon:
@Mason_Wheeler Along with Major Fault.
@Mason_Wheeler said in Update: the new admin/moderation team and changes discussions will begin soon:
@cvi And of course let's not forget about Private Method...
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
Not at all. I don’t see how more hashing makes anything less secure, and I never said only on the client side.
User enters password -> send H1 = hash(password) over encrypted connection -> server computes H2 = hash(H1) and stores H2 in the DB or compares it to the DB value, respectively. (Add in salting as necessary)
Yes, that makes sense. My brain at its first coffee must have conflated it with an HTTP scenario, sorry for the noise.
-
@loopback0 Are you smoking hash or something?
-
@Luhmann it's also wise to blackhole private void, who sucked everything.
-
@Tsaukpaetra said in Update: the new admin/moderation team and changes discussions will begin soon:
Human brains aren't all that good with real-time multitasking at the high level.
I've been preaching that, but for whatever dumb reason "good at multitasking" is something the higher-ups seem to value. If I need to juggle 5 projects at once, I might make all deadlines but you can bet that internally we won't be satisfied with the result of any of those projects.
EDIT: And good lord, are we off-topic again...
-
I want the new rules to be enough to get @blakeyrat posting his rants again.
-
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
banned everyone of us on meta.d.
Hey, I was only banned on meta.d for like a year, and I believe @end even took me off his Twitter block list.
Hey, I'm right, I can see his Twitter feed now.
I never interacted with him on Twitter...
-
@JazzyJosh said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
banned everyone of us on meta.d.
Hey, I was only banned on meta.d for like a year, and I believe @end even took me off his Twitter block list.
Hey, I'm right, I can see his Twitter feed now.
I never interacted with him on Twitter...
I was banned and had my account anonymized. Not sure why I was singled out like that. But it did reveal that I could create a new account with the same username, and that things like badges are linked by username instead of some arbitrary ID.
-
@abarker said in Update: the new admin/moderation team and changes discussions will begin soon:
But it did reveal that I could create a new account with the same username, and that things like badges are linked by username instead of some arbitrary ID.
HAH
-
@Gąska said in Update: the new admin/moderation team and changes discussions will begin soon:
Does War and Peace have more than 7 characters, though?
-
-
@sockpuppet7 said in Update: the new admin/moderation team and changes discussions will begin soon:
I want the new rules to be enough to get @blakeyrat posting his rants again.
You really don't.
You think that you do, but the collateral damage on making that happen would be immeasurable.
-
@JazzyJosh said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
banned everyone of us on meta.d.
Hey, I was only banned on meta.d for like a year, and I believe @end even took me off his Twitter block list.
Hey, I'm right, I can see his Twitter feed now.
I never interacted with him on Twitter...
I am not convinced that @end on twitter is the same as our @end .
-
@Polygeekery said in Update: the new admin/moderation team and changes discussions will begin soon:
@sockpuppet7 said in Update: the new admin/moderation team and changes discussions will begin soon:
I want the new rules to be enough to get @blakeyrat posting his rants again.
You really don't.
You think that you do, but the collateral damage on making that happen would be immeasurable.
The possibility had occurred to me in the past that the general tone of the forums was fallout from his presence. It has been a couple of years since he has posted, and the tone has not changed substantially, so I no longer think that likely.
-
@jinpa said in Update: the new admin/moderation team and changes discussions will begin soon:
@JazzyJosh said in Update: the new admin/moderation team and changes discussions will begin soon:
@topspin said in Update: the new admin/moderation team and changes discussions will begin soon:
banned everyone of us on meta.d.
Hey, I was only banned on meta.d for like a year, and I believe @end even took me off his Twitter block list.
Hey, I'm right, I can see his Twitter feed now.
I never interacted with him on Twitter...
I am not convinced that @end on twitter is the same as our @end .
I think this was mentioned upthread, or maybe elsewhere, but our @end was @codinghorror originally. I don't believe the current @codinghorror is connected in any way. When he couldn't handle this forum anymore, he renamed his account and banned himself.
-
@jinpa said in Update: the new admin/moderation team and changes discussions will begin soon:
@Polygeekery said in Update: the new admin/moderation team and changes discussions will begin soon:
@sockpuppet7 said in Update: the new admin/moderation team and changes discussions will begin soon:
I want the new rules to be enough to get @blakeyrat posting his rants again.
You really don't.
You think that you do, but the collateral damage on making that happen would be immeasurable.
The possibility had occurred to me in the past that the general tone of the forums was fallout from his presence. It has been a couple of years since he has posted, and the tone has not changed substantially, so I no longer think that likely.
That's not what I meant.
Blakey is one of the primary "Everyone I disagree with is a Nazi" people. He has actually accused some on the forums of being actual Nazis.
To get blakey back on the forums one would need to get rid of every person who is stronger or more outspoken than he is. I think he at least partially left these forums because there are now people who will push back at him.
-
@Polygeekery said in Update: the new admin/moderation team and changes discussions will begin soon:
To get blakey back on the forums one would need to get rid of every person who is stronger or more outspoken than he is. I think he at least partially left these forums because there are now people who will push back at him.
He also did not like being told to back off by staff who had not been around as long as or longer than he had. I recall one time from when I was a mod and I had to ask him to back off and he straight up told me that he didn't care what I said because I had only been on the forum since right before the switch to
-
@Polygeekery said in Update: the new admin/moderation team and changes discussions will begin soon:
I think he at least partially left these forums because there are now people who will push back at him.
And partially because now there's Discord server so, unlike his previous 5 attempts, he can leave the forum for good without leaving the forum at all.
-
@abarker I think the people who are nostalgic for the golden age of Blakey also need to realize that he was a large part of the reason for many people leaving. He was and is a bully. He is, to the best of my knowledge, why several people left the forums. At least one of those subsequently returned under a different pseudonym and posted much less.
Now I'm sure that someone is thinking something something blah blah, but you did something.
If anyone except Weng has left these forums because of me then I apologize and please point out where I caused it. There's a good chance it may have been a misunderstanding as I don't come across well in text.
-
@Polygeekery Was Blakey a bully? That wasn't the impression I had before I'd gotten distracted and wandered off for a couple of years. Hair trigger, yes. Bully, not so much.
It seems to me that broke Blakey. As I recall, he was in the anti camp and got overall more abrasive and less fun than in the CS days. I mean, he was still Blakey, but more so; and it just went downhill from there.
-
@GOG said in Update: the new admin/moderation team and changes discussions will begin soon:
Hair trigger, yes. Bully, not so much.
That could reasonably be considered a subjective opinion. But there was one member that routinely drew his ire. He would even go in to their threads and be abusive towards them.