The Student Room Group


Original post by wizard710
Talk about security

At Sheffield, we're only allowed a password that is no longer than 8 characters long, it can't use special characters and it must start with a lowercase letter

What are 'special characters'? Surely that doesn't include punctuation.
Original post by Chrosson
What are 'special characters'? Surely that doesn't include punctuation.


it means everything that isn't A-Z, a-z or 0-9 :redface:
Original post by wizard710
it means everything that isn't A-Z, a-z or 0-9 :redface:

Someone needs to tell your admins that password restrictions are to try and raise the bar of password strength, not lower it :facepalm2:
Many systems are legacy back ends, often running on Unix, and apparently these can get their knickers in a serious twist if you use Unix shell characters as part of your password - this was the reason I was given by my university sysadmins back in the day. Legacy back ends are another reason why a lot of banks in particular don't like massively long and complex passwords as their Jurassic era database and transactional mainframe systems don't understand this bloody modern rubbish :colonhash:

Still, a-z/A-Z/0-9 is still an alphabet of 62 characters. Use a ten character password and you've got a search space of 62^10 (the Latex wasn't working properly) or 839 299 365 868 340 224 possible combinations which is, as my Maths teacher used to say, 'quite a lot'. You may 'get lucky' and find your password somewhere near the start if you're brute forcing, but somehow, I think it's unlikely your generic PC World netbook will make a serious dent in any kind of feasible timeframe. The only people with the wherewithal and power are the likes of the NSA and they are rumoured to have been building gigantic rainbow tables for quite some time now.

Anyway, strict password requirements aren't always the best solution. The more complex the password, the more likely it is that somebody who isn't computer literate or has a poor memory will write it down. A lot of people favour the 'passphrase' approach, in which a password of ChrossonIsATSROverLordInTrainingAndAPSHelper (43 characters) is easier to remember than the shorter password of ^Dt8}t2&Z?c/tX7Ro,wg (20 characters). The longer plain English passphrase is easier to remember, is not a common phrase and is thus unlikely to appear in any dictionary lists. Its length also means that, despite the somewhat basic character set, you're still looking at a search space of 52^43 when bruteforcing which for 1337-h4><><0r t1mm3h is too much to handle.

If stored in a database, add a randomly generated per-user salt and a statically set 'pepper' (which is based somewhere on the server) to the hash of the plaintext password, doing this in an undisclosed and non-standard fashion. Then hash the whole lot. Now, if 1337-h4><><0r t1mm3h runs Havij and manages to grab your users table, he's very unlikely to get anywhere.

Ultimately, enforcing overly strict password policies ("Your password must be between 5 and 15 characters. It must contain at least one digit, at least one uppercase letter, at least one lowercase letter and at least one of the following symbols: ..." :fuhrer:) just gives a potential attacker something to go on and for a determined individual it may be possible to build or adjust bruteforcing solutions with this in mind.
Original post by ch0llima
Many systems are legacy back ends, often running on Unix, and apparently these can get their knickers in a serious twist if you use Unix shell characters as part of your password - this was the reason I was given by my university sysadmins back in the day. Legacy back ends are another reason why a lot of banks in particular don't like massively long and complex passwords as their Jurassic era database and transactional mainframe systems don't understand this bloody modern rubbish :colonhash:

Interesting, would read again.

Still, a-z/A-Z/0-9 is still an alphabet of 62 characters. Use a ten character password and you've got a search space of 62^10 (the Latex wasn't working properly) or 839 299 365 868 340 224 possible combinations which is, as my Maths teacher used to say, 'quite a lot'. You may 'get lucky' and find your password somewhere near the start if you're brute forcing, but somehow, I think it's unlikely your generic PC World netbook will make a serious dent in any kind of feasible timeframe.
But for the lucky wizard710 we have one lowercase char followed by at max 7 of [A-Za-z0-9], giving a search space of 26 * 62^7 if everyone uses the strongest passwords they can (as obviously the search space increases by including shorter passwords), an order of magnitude less.
I think the issue is encouraging weak passwords though. The work factor can make brute forcing prohibitive, but when you have to start with a lowercase char it almost begs for a dictionary attack...
Ooh, you updated your post.

Original post by ch0llima
The only people with the wherewithal and power are the likes of the NSA and they are rumoured to have been building gigantic rainbow tables for quite some time now.

Which salts stomp on. I wish I was confident everyone uses them...
Anyway, strict password requirements aren't always the best solution. The more complex the password, the more likely it is that somebody who isn't computer literate or has a poor memory will write it down. A lot of people favour the 'passphrase' approach, in which a password of ChrossonIsATSROverLordInTrainingAndAPSHelper (43 characters) is easier to remember than the shorter password of ^Dt8}t2&Z?c/tX7Ro,wg (20 characters). The longer plain English passphrase is easier to remember, is not a common phrase and is thus unlikely to appear in any dictionary lists. Its length also means that, despite the somewhat basic character set, you're still looking at a search space of 52^43 when bruteforcing which for 1337-h4><><0r t1mm3h is too much to handle.

I absolutely agree. I sent an email to github recently with a complaint that their password restrictions (must have a number) are stupidly restrictive. I know my passwords are secure at over 15 characters with punctuation and mixed case, so they can bugger off.

So minimum requirements are not necessarily a good thing, although they are understandable. But this is not the case here. Intentionally restricting the search space and positively encouraging weak passwords (as highlighted in the post above) is inane.
If stored in a database, add a randomly generated per-user salt and a statically set 'pepper' (which is based somewhere on the server) to the hash of the plaintext password, doing this in an undisclosed and non-standard fashion. Then hash the whole lot. Now, if 1337-h4><><0r t1mm3h runs Havij and manages to grab your users table, he's very unlikely to get anywhere.

Not forgetting a work function. In fact, one can get the salt and pepper but there's no way around having to perform the hash function over a million times per password.
Ultimately, enforcing overly strict password policies ("Your password must be between 5 and 15 characters. It must contain at least one digit, at least one uppercase letter, at least one lowercase letter and at least one of the following symbols: ..." :fuhrer:) just gives a potential attacker something to go on and for a determined individual it may be possible to build or adjust bruteforcing solutions with this in mind.

Agreed. Education on strong passwords is better.
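The search-space arithmetic from the two posts above (62^10 for ten alphanumeric characters, 26 * 62^7 for the Sheffield policy in the opening post, 52^43 for the letters-only passphrase), worked through as an added example that is not part of any post in the thread. The 1e9 guesses-per-second rate used for the time estimates is an assumption picked for illustration, not a measured figure.

```python
"""Search-space arithmetic for the password policies discussed in the thread.

Added example, not part of the original posts. The guess rate used for the
time estimates is an assumption picked for illustration, not a measurement.
"""
from math import log2

LOWER = 26     # a-z
ALNUM = 62     # a-z, A-Z, 0-9
LETTERS = 52   # a-z, A-Z

SECONDS_PER_YEAR = 365 * 24 * 3600


def fixed_length_space(alphabet_size, length):
    """Passwords of exactly `length` symbols, each drawn from `alphabet_size` choices."""
    return alphabet_size ** length


def up_to_length_space(alphabet_size, max_len, min_len=1):
    """Passwords of every length from min_len to max_len inclusive: what a brute-forcer
    actually has to cover when the policy only sets a maximum."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def sheffield_space(max_len=8, exact_length=False):
    """The policy in the opening post: first symbol a lowercase letter, the rest from
    [A-Za-z0-9], nothing else, at most max_len symbols. With exact_length=True this is
    the 26 * 62^(max_len-1) figure quoted in the thread; otherwise every shorter
    length is counted as well."""
    if exact_length:
        return LOWER * ALNUM ** (max_len - 1)
    return sum(LOWER * ALNUM ** (n - 1) for n in range(1, max_len + 1))


def bits(space):
    """Entropy of a password chosen uniformly from `space` candidates."""
    return log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker: every candidate tried once."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e9):
    """Side-by-side figures for the cases argued over in the thread."""
    cases = {
        "10 chars, [A-Za-z0-9]":           fixed_length_space(ALNUM, 10),
        "Sheffield policy, exactly 8":     sheffield_space(8, exact_length=True),
        "Sheffield policy, 1..8":          sheffield_space(8),
        "43-char letters-only passphrase": fixed_length_space(LETTERS, 43),
    }
    return {
        name: {"space": space,
               "bits": round(bits(space), 1),
               "years_at_rate": years_to_exhaust(space, guesses_per_second)}
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:34s} 2^{row['bits']:6.1f}  "
              f"{row['years_at_rate']:.3g} years at 1e9 guesses/s")
```

Running it puts 62^10 at roughly 59.5 bits and the Sheffield maximum at roughly 46.4 bits, a ratio of a little over 9,000 between the two; at the assumed 1e9 guesses per second the first takes about 27 years to exhaust and the second about a day. Counting the shorter Sheffield passwords as well barely moves the figure, because the longest length dominates the sum. All of these numbers assume the password was chosen uniformly at random; the thread's own points about surname+number defaults and dictionary words are exactly the cases where that assumption fails and the real search is far smaller.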


tbh.
Was wondering who would post that.
Original post by Chrosson
Someone needs to tell your admins that password restriction are to try and raise the bar of password strength, not lower it :facepalm2:


I think it is a limitation of this stupid Novell system that runs on top of windows and manages all our login things etc.

Edit:

In the end though, I would be very interested to know how many people are still using the default password that was given to them, which is <surname><number>, so it is very easy to log in as people
Original post by wizard710
In the end though, I would be very interested to know how many people are still using their default password that they were given to them which is <surname><number> so it is very easy to log in as people


They should really be forcing a password change on first logon :colonhash:
I'm having hotmail trouble...I can't sign in to my main account, just doesn't load :frown: there's no problem signing in to windows live messenger or with any other hotmail account :s-smilie:
Original post by someperson
I'm having hotmail trouble...I can't sign in to my main account, just doesn't load :frown: there's no problem signing in to windows live messenger or with any other hotmail account :s-smilie:


Microsoft has been having DNS issues with Hotmail, Skydrive and Office Online for some days now. Could still be an issue...
Original post by Mad Vlad
Microsoft has been having DNS issues with Hotmail, Skydrive and Office Online for some days now. Could still be an issue...


I thought it was solved but obviously not :frown: looks like other users have started having problems the past few hours too
Original post by someperson
I thought it was solved but obviously not :frown: looks like other users have started having problems the past few hours too


http://downrightnow.com/hotmail


Thanks, but I've checked :p: I can now log in... but I can't read the emails :facepalm:


EDIT: working finally:biggrin:
I think I underestimated how much of a b*tch it was going to be to digitise my entire DVD collection, wish me luck =P
Why is Excel so inefficient?

At work I've got a large datasheet (making the workbook about 75MB) with about 10 pivot tables - I know that this is the problem, but whenever I refresh the pivot tables, it uses the RAM, but then doesn't 'flush' it so if I refresh these tables 2 or 3 times, Excel sits hogging a good 1.2GB of RAM when in reality it's not doing anything.
Good luck :smile: have you got a GPU?
Original post by wizard710
Good luck :smile: have you got a GPU?


Haha thanks, currently on disk 9 of about 150 =P only a small one 256MB GeForce 320M if I remember correctly.
Original post by Chrosson
Not forgetting a work function. In fact, one can get the salt and pepper but there's no way around having to perform the hash function over a million times per password.


This bit confused me and I'm not sure quite what you mean. Which 'work function' are you talking about? What I think you're getting at is that having the salt and pepper isn't terribly helpful because you have to repeatedly run the appropriate hashing/salting solution potentially millions of times before you bruteforce the correct plaintext? :holmes: Obviously, as the hash has been salted and peppered you're looking at some crazy number of attempts...
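The per-user salt, server-side pepper and work factor discussed earlier in the thread (and the "work function" asked about just above), as an added example using only the Python standard library; it is not code from any post in the thread. The work function here is PBKDF2's iteration count: the stored record carries the salt and the count in the clear, the pepper lives only on the server, and even an attacker who has obtained both salt and pepper still pays the full iteration cost for every guess. The pepper constant and the record layout are assumptions made so the demo runs stand-alone; in a real deployment the pepper comes from a secret store or HSM and is never written to the same database as the password records.

```python
"""Per-user salt + server-side pepper + work factor, standard library only.

Added example, not code from the original posts. DEMO_PEPPER is a constant so the
demo runs (assumption); in production it is loaded from a secret store or HSM and
never stored alongside the password records.
"""
import hashlib
import hmac
import secrets
import time

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor; OWASP's 2023 minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DKLEN = 32

# ASSUMPTION: demo-only pepper. A real one is 32 random bytes kept out of the DB.
DEMO_PEPPER = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")


def peppered(password: str, pepper: bytes) -> bytes:
    """Bind the password to the server-side secret with HMAC before stretching.
    A dumped users table (salt + hash) cannot be attacked without this key."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = DEMO_PEPPER,
                  iterations: int = ITERATIONS) -> str:
    """Fresh random salt per user, so identical passwords get different records
    and precomputed (rainbow) tables are useless."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", peppered(password, pepper),
                                 salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str,
                    pepper: bytes = DEMO_PEPPER) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", peppered(password, pepper),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current policy;
    check after a successful login and re-store with hash_password()."""
    return int(record.split("$")[1]) < iterations


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Offline guess rate on this CPU for an attacker holding the salt AND the
    pepper. The iteration count is what keeps this number small."""
    salt = secrets.token_bytes(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", peppered(f"guess{i}", DEMO_PEPPER),
                            salt, iterations, dklen=DKLEN)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "ChrossonIsATSROverLordInTrainingAndAPSHelper"
    rec = hash_password(pw)
    print(rec)
    print("correct password:            ", verify_password(pw, rec))
    print("wrong password:              ", verify_password("chrosson1", rec))
    print("right password, stolen DB only:",
          verify_password(pw, rec, pepper=b"attacker-has-no-pepper"))
    print(f"~{guesses_per_second():.1f} guesses/s per core at {ITERATIONS} iterations")
```

Two design points worth noting against the earlier post. First, this uses the standard, documented construction (HMAC with the pepper, then PBKDF2) rather than an "undisclosed and non-standard" combination: the secrecy that matters is the pepper's, and the cost that matters is the iteration count, so nothing is lost by the method being public. Second, the record format stores the iteration count alongside the salt, which is what lets needs_rehash() raise the work factor for old accounts as hardware gets faster, without a forced password reset.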
