My Pet Peeve: Maximum Length Passwords
-
@Lorne-Kates said in My Pet Peeve: Maximum Length Passwords:
:adblock_noscript_requestpolicy_ghostery_InsecureOutdatedBrowser_fire:
-
@ben_lubar said in My Pet Peeve: Maximum Length Passwords:
@sh_code said in My Pet Peeve: Maximum Length Passwords:
Also now as I'm really googling various hashing algos
There are only three algorithms you need to look at:
- bcrypt
- PBKDF2
- scrypt
How about those HMAC-MD5 and HMAC-SHA* variations?
-
@MiffTheFox said in My Pet Peeve: Maximum Length Passwords:
I guess projectors and similar screen sharing are the one case where masking password fields is useful.
Hilarity earlier this year when someone was doing a presentation to the company using an iPad (I think it was) hooked up to a big TV, but the device locked itself at one point and everyone got to see the unlock code being entered - can't remember whether it was a "press buttons in this order" type of code or an actual password1 which we could see being typed on the on-screen keyboard. Either way, you could see exactly what needed to be done to unlock it.
1 Yes, technically an actual password is also a "press buttons in this order" code. But you know what I mean.
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
The biggest issue is that the kids just don't remember what to do each time.
This is why usability is a thing. LastPass seems to be better (having used both) because it tends to jump in your face and suggest "Hey! I know the login for this site! Can you confirm your password?", but it's harder to work with in a multi-user environment because it's a browser extension. Still, I wonder if you can set it up to not ever stay logged in past the browser closing?
-
@Yamikuronue said in My Pet Peeve: Maximum Length Passwords:
Still, I wonder if you can set it up to not ever stay logged in past the browser closing?
course if you do run that way and have a good password and/or 2FA that will annoy the ever living shit out of you..... "i want to know your password! ... uhh... what was your password! password please!"
-
@accalia Yeah but this is for kids at their school, so they probably don't have 2FA
-
@Yamikuronue said in My Pet Peeve: Maximum Length Passwords:
LastPass
Before I give up on KeePass, I'm going to try a few things. I'll re-jig the instructional powerpoint I made for the teachers so that it chunks the steps better, I'll script some canned KeePass databases for staff to play with, and I'll run some one-on-one training sessions.
I'm pretty sure that all I'm looking at here is teething issues for staff who are just fundamentally not confident with IT; the kind of person who has never once opened a View menu for fear of "breaking something", and thinks that the way to move a file from one folder to another is to open it in Word and then use Save As. We have several of those, and the idea of using two programs together to achieve some goal is outside their current comfort zone.
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
I'll re-jig the instructional powerpoint I made for the teachers so that it chunks the steps better
Run it past someone before pushing it out. It's very easy to leave little critical things out because they're obvious to you. Ideal would be having a proper tester, but in the absence of that, anyone not a computer professional (and older than 18) will probably do a reasonable job.
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
the kind of person who has never once opened a View menu for fear of "breaking something",
It's pretty ambitious to try and convert these people to using a password manager en masse. Not that I think people like this are stupid, but they can be very set in their ways.
-
@cheong said in My Pet Peeve: Maximum Length Passwords:
@ben_lubar said in My Pet Peeve: Maximum Length Passwords:
@sh_code said in My Pet Peeve: Maximum Length Passwords:
Also now as I'm really googling various hashing algos
There are only three algorithms you need to look at:
- bcrypt
- PBKDF2
- scrypt
How about those HMAC-MD5 and HMAC-SHA* variations?
For password hashing? No.
-
@Jaloopa said in My Pet Peeve: Maximum Length Passwords:
It's pretty ambitious to try and convert these people to using a password manager en masse.
True. But as I've argued (successfully!) to the principal: we're a primary school. Such IT skills as we teach these kids are going to stick with them for the rest of their lives. Credential exfiltration and off-the-shelf identity theft are both rapidly growing industries; by the time our students are adults, basically everybody who isn't using password management software properly is going to be suffering as a result. Therefore, teaching kids how to use a password manager should be a higher priority than teaching them how to dress up their documents with fancy fonts and Word Art.
I'm also in the rather strong position of having told them that I intend to retire next year, which means that I can, if I want to be a prick about it, simply refuse to cooperate with policy I disagree with.
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
Therefore, teaching kids how to use a password manager should be a higher priority than teaching them how to dress up their documents with fancy fonts and Word Art.
I might not necessarily agree with your choice of password manager (different situational optimisation profile) but I think you're dead right that they ought to get into the habit of protecting themselves. Top notch life skill.
-
@ben_lubar: How about using a hash as a key to generate another hash?
Are there people performing dictionary attacks against the "hash of hash" of weak passwords?
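An added example (not code from anyone in the thread) illustrating both the "HMAC-SHA* for password hashing? No." exchange above and the "hash of hash" question: an unsalted HMAC keyed with the password's own hash is deterministic and costs one round, so every user with the same weak password gets the same digest and one precomputed dictionary covers all of them, whereas PBKDF2-HMAC-SHA256 with a random per-user salt and a tunable iteration count does not. The storage format, iteration count and salt size are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; real deployments tune the iteration
# count to their hardware and raise it over time.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_of_hash(password: str) -> str:
    """The construction asked about above: HMAC keyed with SHA-256(password).
    No salt, one round: the same password always yields the same digest for
    every user, and it costs about as much as a plain SHA-256 to compute."""
    inner = hashlib.sha256(password.encode()).digest()
    return hmac.new(inner, password.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random salt per call.
    Stored form (this example's own layout): algo$iterations$salt_hex$dk_hex"""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant
    time, and treat any malformed record as a failed login rather than crashing."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def same_password_same_record(password: str, hasher) -> bool:
    """True when two accounts sharing a password end up with identical stored
    values, i.e. when one precomputed lookup would unmask both at once."""
    return hasher(password) == hasher(password)
```

Run `same_password_same_record("password1", hash_of_hash)` against `same_password_same_record("password1", hash_password)` to see the difference the salt makes; the iteration count is what makes each guess expensive even when the salt is known.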
-
@dkf said in My Pet Peeve: Maximum Length Passwords:
I might not necessarily agree with your choice of password manager
Main advantages:
- A portable version exists, so kids can have both passwords and software on a USB stick they learn to use at school, then take it home and use it there without requiring parents to install software, or run any particular browser, or have technical expertise.
- I can script (and have scripted) the bulk creation of personalized password database files.
- Open source, 15 years of battle hardening, still actively maintained by original developer.
- Password database format directly usable by compatible software on phones, tablets, other non-Windows boxes.
- Not dependent on the continued business success of any particular cloud provider.
-
@flabdablet I prefer closer integration with the OS myself, and I really don't have the scripted-creation requirement. Different situations, different solutions to the problem get the highest score.
-
@flabdablet Too bad the UI is fucking terrible.
-
@blakeyrat I'm sure you're basing that opinion mainly on your exposure to KeePass 2.x, which does indeed suffer somewhat from second-system effect. The 1.x series has fewer options and is correspondingly cleaner.
Also, because the kids' first exposure is via password database files that have already been built for them, there's a lot less unfamiliar material to learn right out of the gate.
-
@HardwareGeek said in My Pet Peeve: Maximum Length Passwords:
@ben_lubar said in My Pet Peeve: Maximum Length Passwords:
PBKDF2
Problem Between Keyboard and Dwarf Fortress?
yup, happens when your dwarfputer programmer is incompetent.
seriously, it's 2016 already, migrate your webapp to something more performant and user friendly, redstone computer for example.
-
@Jaloopa said in My Pet Peeve: Maximum Length Passwords:
@Lorne-Kates said in My Pet Peeve: Maximum Length Passwords:
:adblock_noscript_requestpolicy_ghostery_InsecureOutdatedBrowser_fire:
The browser is plenty secure, if I'm not running untrusted third-party apps and plugins.
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
KeePass
Fucking thread. Every time I see this in passing, something about it -- maybe the stupid capitalization, maybe the double "ee", maybe the Kee itself -- makes my mind autocomplete the word as StephaKnee.
Fuck.
-
@Lorne-Kates Sure it is. Because you never have security flaws that are remotely exploitable.
Inb4 js is disabled: You don't need js to exploit some of these kinds of vulnerabilities.
-
@Lorne-Kates the car is perfectly safe if I'm not driving it
-
@Jaloopa said in My Pet Peeve: Maximum Length Passwords:
@Lorne-Kates the car is perfectly safe if I'm not driving it
Anton Yelchin would disagree, except...
-
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
teaching kids how to use a password manager
So, how did this go? Any advice for someone considering introducing this elsewhere?
-
@Greybeard said in My Pet Peeve: Maximum Length Passwords:
@flabdablet said in My Pet Peeve: Maximum Length Passwords:
teaching kids how to use a password manager
So, how did this go? Any advice for someone considering introducing this elsewhere?
I've been trying to convince my dad to use a password manager, but he says that his notebook full of (account username) + (guessable name)+(4 digit guessable number)+(optional single ASCII symbol) is better than any computer.
-
@ben_lubar Somehow, I suspect your dad is not a student in primary school.