Swatting flies with Jackhammers



  • I've been sort of looking around for a password generator program -- just to generate a few passwords for some encrypted zip files I send to our customers.  I didn't really need anything fancy, so I've been happy to use some of the free web-based generators in the past, but today I noticed there was a password generator program on Giveaway Of the Day.

    If you scroll down to the first comment you might get an idea why I'm posting this here. 

    First of all, I should note, the program runs fine.  Some of the commenters noted that it was only a trial version, but that was fixed later and a fully-functioning version was provided.  As far as I could see, it wasn't buggy or very difficult to use, or any of that -- nothing wtf about how well it works (at least for as much as I tried it).

    But holy shit!  This thing is a password generator, for Christ's sake.  It's made to look like Office 2007 with hundreds of toolbar options, a ribbon, Visual-Studio-style properties-adjustment boxes...

    Take a look at the screenshot; you'll see how 'fully featured' this thing is.


  • Considered Harmful

    While this may be overkill for your needs, it looks like it could be very useful and appropriate in the proper domain.  For example, the company I work for hosts several hundreds of websites.  They all need unique and secure database and administrative login information, and periodically they need to be changed.  This application looks like it could meet our needs nicely, if it also generates hashes and salts and updates our databases automatically.  Oh look, there's an API available.

    My point is, not everyone is using this product to swat flies.  If you are, then maybe you should find a more appropriate solution.



  • For crying out loud...

    Options for password generator:

    1) Enter the username

    2) Press "Go" or "Go, exclude special characters" (yes, some stupid places don't allow special chars in passwords!)

    3) Copy-paste as many characters as you want


    How you get a program that requires you to pay for it, requires .NET, requires 5 MB, and so on... beyond me. A random number generator where you control the seed is more than enough, as long as the algorithm never changes for the random number generator... I hope it does not require Windows Vista!



  • I like OS X's Password Assistant.  It's not even a full-blown app, just a dialog.

    [img]http://img228.imageshack.us/img228/7503/passzg3.png[/img] 



  • @joe.edwards@imaginuity.com said:

    While this may be overkill for your needs, it looks like it could be very useful and appropriate in the proper domain.  For example, the company I work for hosts several hundreds of websites.  They all need unique and secure database and administrative login information, and periodically they need to be changed.  This application looks like it could meet our needs nicely, if it also generates hashes and salts and updates our databases automatically.  Oh look, there's an API available.

    My point is, not everyone is using this product to swat flies.  If you are, then maybe you should find a more appropriate solution.


    OK, I could see that, although I'm not sure if you would be getting a whole lot more than you would from built-in PHP functions.

    And of course, you'd probably want to buy the Server or Developer editions, as opposed to the Standard, Professional, Basic, or Premium editions. This actually has more editions than Windows Vista. I get it, it's just a way to try to market to as many people as possible.  But I can't see many people buying the Standard edition, since it wouldn't be useful for much more than simple single-user desktop password generation.


  • I was going to comment on how arias326&iodizing isn't "memorable" in my book, but then I typed this response without having to look, so I guess maybe it is.



  • @vt_mruhlin said:

    I was going to comment on how arias326&iodizing isn't "memorable" in my book, but then I typed this response without having to look, so I guess maybe it is.
    If you look closely, you see that he was able to select the difficulty.  That's pretty memorable for 17 characters at a reasonably high quality setting.



  • Wow, it has unicode support.



  •  @vt_mruhlin said:

    I was going to comment on how arias326&iodizing isn't "memorable" in my book, but then I typed this response without having to look, so I guess maybe it is.

    Memorable is pronounceable. If you can pronounce it you can memorize it as opposed to all my passwords: 4c|2y1ng0u7l0uD



  • For crying out loud; how stupid can you be to post your password in a forum?



  • @sobani said:

    For crying out loud; how stupid can you be to post your password in a forum?


    Mine is CoMpUtEr

    Tweak letter case in words to create secure, yet easy-to-remember passwords and usernames, i.e. "CoMpUtEr" 




  • @shadowman said:

    I've been sort of looking around for a password generator program -- just to generate a few passwords for some encrypted zip files I send to our customers.

    pwgen

    Also be aware that zip encryption is either insecure or incompatible, depending on which variant you use.



  • I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).



  •  @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    We need to round you up some swampies...


  • Considered Harmful

    @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @********.sh said:

    #!/bin/sh

    echo "********";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    you can go hunter2 my hunter2-ing hunter2



  • @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    No Windows version? Not all of us are Unix geeks.



  • @SuperousOxide said:

    @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    No Windows version? Not all of us are Unix geeks.


    Windows doesn't provide a development environment suitable for that program. It would be too much effort to port it.



  • @asuffield said:

    pwgen

    Also be aware that zip encryption is either insecure or incompatible, depending on which variant you use.


    Yeah, I tried pwgen; it seemed more aimed towards storing passwords than generating them, and I was actually happier with one of the web apps I found.  Although for some reason it *feels* less secure using some random website.  (But really, what are they gonna do?  Store all of the generated passwords and try them on everything in the world?  Although I suppose a malicious website could combine that with a keylogger or some other exploits if you had an unpatched browser or whatever, but then why even bother with the pw generator?)

    We're using WinZip, which has 256-bit AES encryption, but has the incompatibility issue.  I guess everyone is just supposed to have WinZip to be able to extract what we send them.  But I don't really get to make any decisions about that stuff.




  • @shadowman said:

    Yeah, I tried pwgen; it seemed more aimed towards storing passwords than generating them

    How can this be, when it doesn't even provide a method of storing them?



  • @SuperousOxide said:

    @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    No Windows version? Not all of us are Unix geeks.


    @hunter2.bat said:

    echo hunter2 


     Wee, I ported a FOSS program



  • @shadowman said:

    Although for some reason it *feels* less secure using some random website.  (But really, what are they gonna do?  Store all of the generated passwords and try them on everything in the world?

    Hash your IP address with the time, and send you the first few characters as a "password". No storage required.


    There's an old story about a corrupt bank card issuer. You may be aware that all ATMs give you three attempts to enter your PIN before they swallow the card. You may also be aware that almost nobody bothers to change their PIN from the default supplied by the bank.

    The corrupt issuer's "random" number generator that created default PINs had only three possible output values. The people responsible ran a large card theft operation, until they got caught.

    I wonder not why nobody else thought of that, but rather how many other people are still doing that.
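The three-output PIN generator in the story above, as an added example that is not part of this thread: a small check that samples a generator, counts how many distinct values it really produces, estimates the entropy of what it saw, and reports how much of the output the three guesses an ATM allows would cover. `weak_default_pin` and `strong_default_pin` are constructed stand-ins, not any real issuer's code.

```python
import math
import secrets
from collections import Counter


def weak_default_pin(card_number: int) -> str:
    """Constructed stand-in for the story's generator: only three possible outputs."""
    return ("1234", "0000", "1111")[card_number % 3]


def strong_default_pin(_card_number: int) -> str:
    """Constructed comparison: a PIN drawn uniformly from all 10,000 values with a CSPRNG."""
    return f"{secrets.randbelow(10_000):04d}"


def output_space_report(gen, samples: int = 5000) -> dict:
    """Sample `gen` over `samples` card numbers and measure its output space.

    Returns the number of distinct PINs seen, the Shannon entropy (bits) of the
    observed distribution, and the share of cards that would be opened by
    guessing the three most common outputs (the ATM's three attempts).
    """
    counts = Counter(gen(i) for i in range(samples))
    entropy = -sum((c / samples) * math.log2(c / samples) for c in counts.values())
    top3_share = sum(c for _, c in counts.most_common(3)) / samples
    return {
        "distinct": len(counts),
        "entropy_bits": entropy,
        "top3_guess_success": top3_share,
    }


if __name__ == "__main__":
    for name, gen in (("weak", weak_default_pin), ("strong", strong_default_pin)):
        r = output_space_report(gen)
        print(f"{name:6s} distinct={r['distinct']:5d} entropy={r['entropy_bits']:.2f} bits "
              f"three-guess success={r['top3_guess_success']:.3f}")
```

With 5000 samples the uniform generator shows fewer than 10,000 distinct PINs simply because the sample is small; the point is the gap between three values and thousands, and between a three-guess success rate of 100% and well under 1%.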



  • @Jonathan Holland said:

    @SuperousOxide said:

    @belgariontheking said:

    I have a password generating program I wrote about 15 seconds ago.  Here's the source:

    @hunter2.sh said:

    #!/bin/sh

    echo "hunter2";

    I plan to distribute this as FOSS.  It's really lightweight and requires no other libraries (except what's needed for sh to run).

    No Windows version? Not all of us are Unix geeks.


    @hunter2.bat said:

    echo hunter2 


     Wee, I ported a FOSS program




    @pwgenpower.url said:
    javascript:confirm('Your new password: Hunter2\nJesus loves you!!1!!1');



    Weee! Ported it again



    Who is going to make an enterprisey version?



  • @aythun said:

    @shadowman said:
    Yeah, I tried pwgen; it seemed more aimed towards storing passwords than generating them
    How can this be, when it doesn't even provide a method of storing them?

    Agreed.  pwgen is simply that.  A password generator.  And the passwords are phonetic too.  Can get some really good ones out of it :)

    I haven't seen a pre-built GnuWin32 version out there, but Cygwin has it.  Also, having a command-line utility can make automating this stuff a lot easier.



  • @skippy said:

    @aythun said:

    @shadowman said:
    Yeah, I tried pwgen; it seemed more aimed towards storing passwords than generating them
    How can this be, when it doesn't even provide a method of storing them?

    Agreed.  pwgen is simply that.  A password generator.  And the passwords are phonetic too.  Can get some really good ones out of it :)

    I haven't seen a pre-built GnuWin32 version out there, but Cygwin has it.  Also, having a command-line utility can make automating this stuff a lot easier.


    Hmmm.  Must have been thinking of something else, then.  I'll give it a shot.



  • Bah. Editing time expired.

    Anyway, I see -- the thing I downloaded, that I thought was pwgen, was a full-GUI app for Windows, from http://www.pwgen.com.  I think that one is actually called 'pwgen.com'.

    I've been tricked.  :-(

    Anyway, I'm guessing the SourceForge pwgen is the real deal?  There is also a pwgen-win.




  • @asuffield said:

    There's an old story about a corrupt bank card issuer. You may be aware that all ATMs give you three attempts to enter your PIN before they swallow the card. You may also be aware that almost nobody bothers to change their PIN from the default supplied by the bank.

    Can you change your bank card's PIN?
    How???



  • @tray said:

    @asuffield said:

    There's an old story about a corrupt bank card issuer. You may be aware that all ATMs give you three attempts to enter your PIN before they swallow the card. You may also be aware that almost nobody bothers to change their PIN from the default supplied by the bank.

    Can you change your bank card's PIN?
    How???


    I was under the impression you could do it at any ATM...



  • No, you can't.


  • Discourse touched me in a no-no place

    @MasterPlanSoftware said:

    @tray said:

    Can you change your bank card's PIN? How???

    I was under the impression you could do it at any ATM...

    In the UK, AFAICT, you can only change it at a bank-sponsored ATM. (And sometimes only at one of the issuing bank's ATMs.)

    I've yet to see one of the money-making (for the owner) 3rd-party ATMs offer a change-of-PIN service.


    Background: We have two types of ATM - those supplied by the banks that don't charge a fee for withdrawal, and those supplied by 3rd parties that charge an arm and a leg for a withdrawal (15%+ of the amount withdrawn is not unusual.)

    The latter are usually found in public bars and motorway services, and are filled up/maintained by the managers of the premises they're on, as opposed to bank staff doing it.



  • @PJH said:

    @MasterPlanSoftware said:

    @tray said:

    Can you change your bank card's PIN? How???

    I was under the impression you could do it at any ATM...

    In the UK, AFAICT, you can only change it at a bank-sponsored ATM. (And sometimes only at one of the issuing bank's ATMs.)

    I've yet to see one of the money-making (for the owner) 3rd-party ATMs offer a change-of-PIN service.


    Background: We have two types of ATM - those supplied by the banks that don't charge a fee for withdrawal, and those supplied by 3rd parties that charge an arm and a leg for a withdrawal (15%+ of the amount withdrawn is not unusual.)

    The latter are usually found in public bars and motorway services, and are filled up/maintained by the managers of the premises they're on, as opposed to bank staff doing it.


    Well sure, I would agree with that. I thought that was common sense. I suppose I should have clarified.


  • Discourse touched me in a no-no place

    @tray said:

    No, you can't.
    Oh yes you can. </panto>

