My Pet Peeve: Maximum Length Passwords



  • @SamC said:

    what is the password to your encrypted password store?

    Mine's 20 randomly selected lowercase letters and digits. I spent two minutes a day for a week typing it into never-saved editor windows and now my fingers know it by themselves and I never have to think about it. There's also a written copy in a physically secure location just in case I lose my marbles.

    That password has about 103 bits of entropy. To exceed 100 bits of entropy with a password that could contain uppercase letters as well needs at least 17 characters. For me, avoiding Shift was worth the extra characters.

    correct horse battery staple takes more typing than my master password and has roughly 60 bits less entropy; that is, it's roughly one million million million times less secure. Given that correct entry of a master password is a behaviour reinforced literally every day, I can see no justification at all for using one anywhere near that weak.
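The entropy figures in the post above, worked through as an added Python example (not from the thread): the alphabet size is counted from a character-class spec like the ones quoted elsewhere in this discussion, and the comparison with a four-word passphrase assumes the 2048-word list used in the xkcd strip.

```python
import math
import re


def alphabet_size(spec):
    """Count the distinct characters in a class spec such as '[a-z][A-Z][0-9]'."""
    chars = set()
    for body in re.findall(r"\[([^\]]*)\]", spec):
        i = 0
        while i < len(body):
            if i + 2 < len(body) and body[i + 1] == "-":
                # a-z style range: expand it
                chars.update(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
                i += 3
            else:
                chars.add(body[i])
                i += 1
    return len(chars)


def random_string_bits(length, spec):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size(spec))


def min_length_for_bits(target_bits, spec):
    """Shortest random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size(spec)))


def passphrase_bits(word_count, wordlist_size=2048):
    """Entropy of word_count words drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def strength_ratio(bits_a, bits_b):
    """How many times more guesses (on average) bits_a costs than bits_b."""
    return 2 ** (bits_a - bits_b)


if __name__ == "__main__":
    master = random_string_bits(20, "[a-z][0-9]")
    xkcd = passphrase_bits(4)
    print(f"20 x [a-z0-9]: {master:.1f} bits")
    print(f"[a-zA-Z0-9] chars needed for 100 bits: {min_length_for_bits(100, '[a-z][A-Z][0-9]')}")
    print(f"4-word passphrase: {xkcd:.1f} bits, ratio {strength_ratio(master, xkcd):.2e}")
```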



  • @morbiuswilters said:

    @drurowin said:
    It could be argued that because I've specifically requested not to have a password on my online banking account that I've authorized anyone to view my account information.

    Trying to argue that you implicitly gave out your account information when you declined a password is exactly the kind of shit a sane business doesn't want to get dragged into. Especially if it's just to satisfy some nutjob customer who can't be arsed to keep a fucking list of passwords. I'm shocked there's a bank incompetent enough to even let you get away with this.

    It's not that I don't want to keep a list of passwords, I don't want to use the fucking things AT ALL. It makes me feel like I have something to hide.  For sites that do require me to use a password, and won't back down on that, I use 1pass1word1.  It's the same on my Vodafone account, my Twitter, my Facebook, my Gmail, etc.



  • @drurowin said:

    It makes me feel like I have something to hide.

    I wish furries felt like they had more to hide.



  • @morbiuswilters said:

    @drurowin said:
    It makes me feel like I have something to hide.

    I wish furries felt like they had more to hide.

    What do you have against furries anyhow?



  • @drurowin said:

    What do you have against furries anyhow?

    As much throbbing gristle as he can manage as frequently as possible, judging from the vehemence.



  • @flabdablet said:

    @drurowin said:
    What do you have against furries anyhow?

    As much throbbing gristle as he can manage as frequently as possible, judging from the vehemence.

    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.


  • Considered Harmful

    @flabdablet said:

    Filed under: the lady doth protest too much

    Thank you for leading me to Google this phrase and discover that (like much of Shakespeare) it actually means something completely different than it sounds like and how it is used popularly.



  • @drurowin said:

    @morbiuswilters said:

    @drurowin said:
    It makes me feel like I have something to hide.

    I wish furries felt like they had more to hide.

    What do you have against furries anyhow?

    What could a sane person possibly have against freaks who get off on dressing up in a stained fox costume? And then who insist on flooding every corner of the Internet they visit with artifacts of their perversion?



  • @flabdablet said:

    @drurowin said:
    What do you have against furries anyhow?

    As much throbbing gristle as he can manage as frequently as possible, judging from the vehemence.

    Goddamn, am I the only non-furry here?



  • @drurowin said:

    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.

    I'm not homophobic, "secretly closet gay", or a redneck. But sooo close.



  • @joe.edwards said:

    @flabdablet said:
    Filed under: the lady doth protest too much

    Thank you for leading me to Google this phrase and discover that (like much of Shakespeare) it actually means something completely different than it sounds like and how it is used popularly.

    Yeah, chalk one up to illiteracy, I s'pose. But by this point the popular meaning has overtaken the actual meaning.

    Here's another people get wrong: "The exception that proves the rule."


  • Considered Harmful

    @morbiuswilters said:

    Here's another people get wrong: "The exception that proves the rule."

    Oh, I know. It means when a unit test tries an invalid input and verifies an exception was thrown, proving the rule is enforced.



  • @joe.edwards said:

    Filed under: And wherefore means why not where.

    "Why art thou Romeo?" That doesn't make any sense!



  • @morbiuswilters said:

    Here's another people get wrong: "The exception that proves the rule."

    Which begs the question: what do they teach them in these schools?



  • @drurowin said:

    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.

    I bet he runs an adblocker too.



  • @drurowin said:

    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.

    Also, can I say how much I hate this stupid and oh-so-modern "argument"? "Oh, he doesn't like something. He must then be that thing!"

    Yeah, that's fucking rational. Just like the Nazis were secretly Jews and the KKK was mostly made up of closeted blacks! It all makes so much sense!

    Or maybe people just hate shit because it's not what they are. Wouldn't that be the more reasonable conclusion?


    (BTW: I don't hate furries. I do think furries are sorta creepy and kind of annoying with their insistence on making such a public scene of their weird sex problem, but I don't hate them. And if your pathetic victim mentality won't let you recognize it, I'm just giving you shit; I'm not organizing a lynch mob. Seriously, stop being a crybaby.)



  • @flabdablet said:

    @drurowin said:
    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.

    I bet he runs an adblocker too.

    But only on Deviant Art, when I'm looking for kitsune drawings to yiff to.


  • Considered Harmful

    @morbiuswilters said:

    Filed under: Does Deviant Art even have ads?

    If I recall correctly, it was one of the few sites that lets you disable ads with a paid subscription... and so I sprang for that.



  • @morbiuswilters said:

    maybe people just hate shit because it's not what they are. Wouldn't that be the more reasonable conclusion?

    Superficial plausibility is no substitute for proper scientific evidence.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    @locallunatic said:

    @blakeyrat said:

    @Sutherlands said:
    If you validate it anyway other than checking for [@.*]
    You failed. The period isn't required.

    If you are validating using something like that then having the period is part of the point.  It's to catch people doing: myname@myispcom instead of myname@myisp.com, not to actually see if the address is technically valid.

    You either follow the standard or you don't.

    Full of shit as usual. I'll repeat my question here, since you seem to have rather conveniently ignored it thus far: provide one example of an MX record for a public host that doesn't have a period in. If you can't then there's no point implementing the highly obscure parts of the standard to which you allude. Although my guess is that you'll require anyone doing this also has to support bang-paths as well....


  • @MiffTheFox said:

    Look down when entering a password, specifically where your hands are. The keyboard, whether physical or virtual, is as big a security risk, and there's no way to mask that.


    True, but tracking the input requires much more effort (especially if you don't type in the vulture-nosedive-style). When you type fast and all fingers are moving, it is difficult to tell which buttons were actually pressed, or whether shift was pressed too. The password on the screen can be seen and remembered by accident (even more so if you use xkcd-style passwords).

    @Lorne Kates said:

    Here's a hard and fast rule when it comes to passwords: if you think that any character is special, you've failed. Resign your position and leave the industry.


    Although it might be sensible to limit the password to ASCII.




  • @morbiuswilters said:

    Goddamn, am I the only non-furry here?

    *dramatically opens double-door closet*

    Yes.



  • @morbiuswilters said:

    BTW: I don't hate furries. I do think furries are sorta creepy and kind of annoying with their insistence on making such a public scene of their weird sex problem, but I don't hate them. And if your pathetic victim mentality won't let you recognize it, I'm just giving you shit; I'm not organizing a lynch mob. Seriously, stop being a crybaby.

    I see only one person crying here.



  • @flabdablet said:

    @morbiuswilters said:
    maybe people just hate shit because it's not what they are. Wouldn't that be the more reasonable conclusion?

    Superficial plausibility is no substitute for proper scientific evidence.

    What about Occam's razor?

    @morbiuswilters said:
    Goddamn, am I the only non-furry here?

    Nope. Despite my avatar, I'm not really into reptiles or any other animals for that matter. At least not sexually.

    Having said that, kittens in slow motion are pretty cool.




  • you are right about random character passwords morbs, but security has to work for users, not the other way around. a passphrase is not as good as a 20 character randomly generated password it is true, however, it's a damn sight better than single dictionary words with random letters replaced with numbers (which IS the most common type of password people use)



    the most common passwords for 2012: http://www.splashdata.com/press/PR121023.htm



    this is what actual users actually do with their actual passwords. We can sit on our forums and say whatever the hell we like about it, but users will still pick shitty passwords. Users will still use the same password on multiple websites. Users will not have a password store with a master password, at least until it is standardised and built into browsers as standard. Users will not do what is best for them, unless it is easy for them to do.



    Telling users to use a password like "my dog is named fido" instead of "f1d01234" is something that we might ACTUALLY be able to persuade people to do, because a phrase like that is workably memorable. I'm sorry that memorable passwords are bad passwords, but a long memorable pass phrase is a damn sight better than a short memorable password. pass phrases are much more attractive to actual users. users won't use random, ever, stop trying to argue based on the strongest secure password. You have to consider the strongest security you can convince actual normal people to actually use.


  • ♿ (Parody)

    @Lorne Kates said:

    @drurowin said:

    You know, I don't have problems with that.  I believe in the goodness of my fellow human being, as well.

    And what happens when someone hacks your passwordless forum account, and posts dumb retarded shit like "passwords r dumb retarded shit" that makes you look like a dumb retarded shit?

    Because that's where I'm assuming this dumb retarded shit is coming from.

    I think that's when he tackles you or something while you're distracted.



  • @flabdablet said:

    I see that fairly often on shitty wifi routers. If you have a router that makes an XML file when you ask it to back up its settings, there's a good chance you won't be able to connect if you pick a WPA2 pre-shared key containing spaces.
    I bricked shitty routers when I tried to set ` or $ in the WPA key.



  • @SamC said:

    Yes, but what is the password to your encrypted password store?

    In my case it's a string of nonsense words created by a Markov chain.

    At work we're not allowed to install password managers, so for those I use the XKCD method.



  • @morbiuswilters said:

    Filed under: Does Deviant Art even have ads?

    They use Google ads. There was a minor boycott of the site around the turn of the decade because people thought it was distributing malware, turns out that someone bought an ad that ended up in the chain of ad syndication that had a drive-by download.



  • @PJH said:

    Full of shit as usual. I'll repeat my question here, since you seem to have rather conveniently ignored it thus far: provide one example of an MX record for a public host that doesn't have a period in.

    I ignored it because your point is irrelevant. If the standard allows it, then it allows it. Whether or not any sites are currently using that part of the standard is not relevant at all.

    For all you know, tomorrow a new company will open its doors and you'll be able to buy an email address from email@com and it'll be a huge success and you'll be alienating millions of users because your dumb ass was like, "derp we don't need to follow standards derp derp!"

    Your thinking is bad and wrong. "We don't follow the standard because the app works today" is a great way for you to be panicking to fix it in 6 months when the world changes.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    I ignored it because your point is irrelevant.
    No - it really isn't. I presume by the lack of an answer from you that there aren't any, and you are indeed talking bollocks.



  • @PJH said:

    @blakeyrat said:
    I ignored it because your point is irrelevant.
    No - it really isn't. I presume by the lack of an answer from you that there aren't any, and you are indeed talking bollocks.

    I guess we'll have to agree to disagree.

    But in the meantime, I'm the one with a correct app and you're the one with a broken piece of shit app.



  • @PJH said:

    I'll repeat my question here, since you seem to have rather conveniently ignored it thus far: provide one example of an MX record for a public host that doesn't have a period in.

    ; <<>> DiG 9.7.3 <<>> MX va
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48981
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;va.                            IN      MX

    ;; ANSWER SECTION:
    va.                     3600    IN      MX      10 raphaelmx1.posta.va.
    va.                     3600    IN      MX      10 raphaelmx2.posta.va.
    va.                     3600    IN      MX      100 raphaelmx3.posta.va.

    ;; AUTHORITY SECTION:
    .                       564013  IN      NS      m.root-servers.net.
    .                       564013  IN      NS      d.root-servers.net.
    .                       564013  IN      NS      h.root-servers.net.
    .                       564013  IN      NS      i.root-servers.net.
    .                       564013  IN      NS      e.root-servers.net.
    .                       564013  IN      NS      g.root-servers.net.
    .                       564013  IN      NS      f.root-servers.net.
    .                       564013  IN      NS      j.root-servers.net.
    .                       564013  IN      NS      k.root-servers.net.
    .                       564013  IN      NS      a.root-servers.net.
    .                       564013  IN      NS      c.root-servers.net.
    .                       564013  IN      NS      b.root-servers.net.
    .                       564013  IN      NS      l.root-servers.net.

    ;; Query time: 64 msec
    ;; SERVER: 10.0.0.1#53(10.0.0.1)
    ;; WHEN: Wed Jun  5 16:50:27 2013
    ;; MSG SIZE  rcvd: 318


  • Considered Harmful

    Users with email addresses like name@tld are like users who browse with script disabled in that they've probably already come to expect that nothing is going to work, through past experience.

    Let's make the user experience of 99.999% of our users worse so that we can accommodate a demographic so small that no one seems sure that it actually exists.


  • Discourse touched me in a no-no place

    @HPX said:

    MX va
    Oh, yeuck! They have done it, haven't they? Or at least made it possible - a quick search would seem to suggest that all va email addresses do actually have two parts after the @, and there aren't any user@va email addresses.



  • @blakeyrat said:

    @PJH said:
    Full of shit as usual. I'll repeat my question here, since you seem to have rather conveniently ignored it thus far: provide one example of an MX record for a public host that doesn't have a period in.
    I ignored it because your point is irrelevant. If the standard allows it, then it allows it.

    It's more of a trade-off; yeah, you don't support all valid addresses, but at the same time the vast majority of addresses with no period after the @ are typos. It's disallowing some things that are technically valid in order to help standard users (of course a better solution would probably be to say "hey, this is probably a typo, double check" the first time and then let it through instead of just disallowing them).


  • Discourse touched me in a no-no place

    @joe.edwards said:

    Users with email addresses like name@tld are like users who browse with script disabled in that they've probably already come to expect that nothing is going to work, through past experience.

    Let's make the user experience of 99.999% of our users worse so that we can accommodate a demographic so small that no one seems sure that it actually exists.

    Well to be fair, if I did relax the requirement on my site for at least one period after the @, va would still work and most other (see below) tld's wouldn't, since I check to see if there actually is an MX record for it.

    Not that va are the only ones to do this (easy to find more when you know what you're looking for). From that list and a quick bash script I came up with the following list that for some reason have defined an MX server for their TLD:

    AI
    AX
    CD
    CF
    DM
    GP
    GT
    HR
    IN
    IO
    KH
    KM
    LK
    MD
    MG
    MH
    MQ
    MR
    MX
    PA
    TT
    UA
    VA
    WS
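The trade-off argued in the last few posts (a loose syntax check, an MX lookup, and the "probably a typo, double check" flow), as an added Python example that is not from the thread; dns_has_mx assumes dnspython is installed, and everything else runs offline against a constructed stand-in for DNS.

```python
import re

# Loose structural check in the spirit of the thread's "[@.*]" rule: one '@',
# a non-empty local part, a non-empty domain, no whitespace. Deliberately not
# a full RFC 5322 grammar.
ADDR_RE = re.compile(r"^[^\s@]+@[^\s@]+$")


def classify_email(address, has_mx):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'reject'.

    has_mx(domain) -> bool is an injected lookup so the check can run offline;
    dns_has_mx below is the real-DNS version.
    """
    if not ADDR_RE.match(address):
        return "reject", "expected exactly one '@' with text on both sides"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if not has_mx(domain):
        return "reject", f"no MX record for '{domain}'"
    if "." not in domain:
        # Bare TLD that really publishes MX (the .va case in the dig output):
        # legal, but far more often a typo, so ask instead of silently
        # accepting or rejecting.
        return "warn", f"'{domain}' has no dot; confirm this is not a typo"
    return "ok", ""


def accept_email(address, has_mx, user_confirmed=False):
    """Policy from the thread: reject, or warn once and accept on confirmation."""
    verdict, _ = classify_email(address, has_mx)
    if verdict == "ok":
        return True
    if verdict == "warn":
        return user_confirmed
    return False


def dns_has_mx(domain):
    """Real lookup via dnspython (assumption: installed). NXDOMAIN, an empty
    answer or any resolver failure all count as 'no MX'."""
    import dns.exception
    import dns.resolver
    try:
        return len(list(dns.resolver.resolve(domain, "MX"))) > 0
    except dns.exception.DNSException:
        return False


# Constructed offline stand-in for DNS, mirroring the thread: 'va' really
# has MX records for the bare TLD; 'myispcom' is the classic typo of myisp.com.
FAKE_MX_DOMAINS = {"va", "myisp.com", "example.org"}


def fake_has_mx(domain):
    return domain in FAKE_MX_DOMAINS


if __name__ == "__main__":
    for addr in ["someone@va", "myname@myispcom", "myname@myisp.com", "no-at-sign"]:
        print(addr, classify_email(addr, fake_has_mx))
```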

  • Considered Harmful



  • @PJH said:

    MX 

    So there's an MX record for .MX.  I giggled like morbsa retard at this.

     Edit: Wait a second.  How did this thread turn into that other one?  Fuck this, I need a drink.



  • @morbiuswilters said:

    @flabdablet said:
    @drurowin said:
    He does kinda strike me like the "homophobic in public but secretly closet gay redneck" type.

    I bet he runs an adblocker too.

    But only on Deviant Art, when I'm looking for kitsune drawings to yiff to.

    You should go to FurAffinity, where you can see WTF code AND furry art.



  • Considered Harmful

    @drurowin said:

    You should go to FurAffinity, where you can see WTF code AND furry art.

    Man, I can't believe I bought that "just a guy who likes to draw cats" line.



  • @joe.edwards said:

    @drurowin said:
    You should go to FurAffinity, where you can see WTF code AND furry art.
    Man, I can't believe I bought that "just a guy who likes to draw cats" line.
    I got laughed off of DA, and Weazyl charges money.  WHERE ELSE CAN I POST MY CRUDE LION DRAWINGS.

    Also, the site is hilariously broken, almost more so than CS.



  • @Faxmachinen said:

    At work we're not allowed to install password managers

    How do they stop you running Portable KeePass off a USB drive?



  • @flabdablet said:

    @Faxmachinen said:
    At work we're not allowed to install password managers

    How do they stop you running Portable KeePass off a USB drive?

    With domain policies against loading usb drives and other forms of portable storage, I'd assume.
    It doesn't happen where I work, but I've seen that done as a ward against viruses and company secrets going walkabout. Especially close to launch/release/sale.



    My irritation is when a website RESTRICTS the characters in a password. "Oh, only [a-z][A-Z][0-9]." Why not post "Dictionary Attacks Welcome Here!" on your front page? What? I can make a password 6 characters long? Why not use the same one as on my luggage?


    Users are dumb because they're uninformed (and/or lazy). They're uninformed because they don't seek out the information. They don't seek out the information because their job is to put widgets in a box, not think about security.



    Our IT group gives out the same password over and over if you've forgotten yours and you call in. With sequential usernames. Yay security!



    and, skotl : double-tap the shift key, it should turn blue, giving you a capslock. I have saved you 62 shift-taps.


  • Considered Harmful

    @tweek said:

    @flabdablet said:
    @Faxmachinen said:
    At work we're not allowed to install password managers

    How do they stop you running Portable KeePass off a USB drive?

    With domain policies against loading usb drives and other forms of portable storage, I'd assume.
    It doesn't happen where I work, but I've seen that done as a ward against viruses and company secrets going walkabout. Especially close to launch/release/sale.

    I'd just load it up on my Pandora. Or, hell, my cell phone.



  • I have KeePassDroid on my cell phone and it's great for when I have to log into something from away from my PCs.



  • @Algorythmics said:

    this is what actual users actually do with their actual passwords. We can sit on our forums and say whatever the hell we like about it, but users will still pick shitty passwords. Users will still use the same password on multiple websites. Users will not have a password store with a master password, at least until it is standardised and built into browsers as standard. Users will not do what is best for them, unless it is easy for them to do.

    Yeah, but this wasn't a debate over what we can make end-users do. We were talking about the passwords that technical people should be using (guess what--end-users aren't reading xkcd comics on entropy). It's kind of hard for us to argue that normal people should use better passwords when tech people can't even figure this shit out.

    @Algorythmics said:

    Telling users to use a password like "my dog is named fido" instead of "f1d01234"...

    "my dog is named fido" seems a lot worse than "f1d01234". You might brute-force the latter, but the former is just easier to guess, especially if you know the person is using a passphrase. See, one of the problems with passphrases is their security drops dramatically if you use an actual phrase, rather than a combination of random words.


  • Considered Harmful

    @morbiuswilters said:

    @Algorythmics said:
    Telling users to use a password like "my dog is named fido" instead of "f1d01234"...

    "my dog is named fido" seems a lot worse than "f1d01234". You might brute-force the latter, but the former is just easier to guess, especially if you know the person is using a passphrase. See, one of the problems with passphrases is their security drops dramatically if you use an actual phrase, rather than a combination of random words.

    I'm not sure this holds up in practice. Even knowing someone on a deeply personal level, there are hundreds of pieces of information he might choose, but then each of those has hundreds of possible ways to phrase it. I know this keyspace is dramatically smaller than random words or random characters, but we're not talking about a dictionary or brute force attack anymore. Guessing - especially educated guessing - requires a lot more effort and isn't easily automated. With an automated attack, my dog is named fido is no more meaningful or likely than dragon penis fart ships.



  • @joe.edwards said:

    Even knowing someone on a deeply personal level, there are hundreds of pieces of information he might choose, but then each of those has hundreds of possible ways to phrase it. I know this keyspace is dramatically smaller than random words or random characters, but we're not talking about a dictionary or brute force attack anymore.

    Well, if you want to create a dictionary, it's not that hard. If somebody's using personal info, there are very few words and combinations they will use to describe something.



  • @morbiuswilters said:

    @joe.edwards said:
    Even knowing someone on a deeply personal level, there are hundreds of pieces of information he might choose, but then each of those has hundreds of possible ways to phrase it. I know this keyspace is dramatically smaller than random words or random characters, but we're not talking about a dictionary or brute force attack anymore.

    Well, if you want to create a dictionary, it's not that hard. If somebody's using personal info, there are very few words and combinations they will use to describe something.

    gsU9kc0OO2Lo7PwYqbqnArskBvV8VPeexqGuu438DVHEJnA0OdLo0aTkgBD2Iz3

