    Ooh, you updated your post.

    (Original post by ch0llima)
    The only people with the wherewithal and power are the likes of the NSA and they are rumoured to have been building gigantic rainbow tables for quite some time now.
    Which salts stomp on. I wish I was confident everyone uses them...
    Anyway, strict password requirements aren't always the best solution. The more complex the password, the more likely it is that somebody who isn't computer literate or has a poor memory will write it down. A lot of people favour the 'passphrase' approach, in which a password of ChrossonIsATSROverLordInTraining AndAPSHelper (43 characters) is easier to remember than the shorter password of ^Dt8}t2&Z?c/tX7Ro,wg (20 characters). The longer plain English passphrase is easier to remember, is not a common phrase and is thus unlikely to appear in any dictionary lists. Its length also means that, despite the somewhat basic character set, you're still looking at a search space of 52^43 when bruteforcing which for 1337-h4><><0r t1mm3h is too much to handle.
    I absolutely agree. I sent an email to GitHub recently with a complaint that their password restrictions (must have a number) are stupidly restrictive. I know my passwords are secure at over 15 characters with punctuation and mixed case, so they can bugger off.

    So minimum requirements are not necessarily a good thing, although they are understandable. But this is not the case here. Intentionally restricting the search space and positively encouraging weak passwords (as highlighted in the post above) is inane.
    If stored in a database, add a randomly generated per-user salt and a statically set 'pepper' (which is based somewhere on the server) to the hash of the plaintext password, doing this in an undisclosed and non-standard fashion. Then hash the whole lot. Now, if 1337-h4><><0r t1mm3h runs Havij and manages to grab your users table, he's very unlikely to get anywhere.
    Not forgetting a work function. In fact, one can get the salt and pepper but there's no way around having to perform the hash function over a million times per password.
    Ultimately, enforcing overly strict password policies ("Your password must be between 5 and 15 characters. It must contain at least one digit, at least one uppercase letter, at least one lowercase letter and at least one of the following symbols: ..." :fuhrer:) just gives a potential attacker something to go on and for a determined individual it may be possible to build or adjust bruteforcing solutions with this in mind.
    Agreed. Education on strong passwords is better.
    tbh.
    Was wondering who would post that.
    (Original post by Chrosson)
    Someone needs to tell your admins that password restrictions are to try and raise the bar of password strength, not lower it :facepalm2:
    I think it is a limitation of this stupid Novell system that runs on top of Windows and manages all our login things etc.

    Edit:

    In the end though, I would be very interested to know how many people are still using the default password that was given to them, which is <surname><number>, so it is very easy to log in as other people.
    (Original post by wizard710)
    In the end though, I would be very interested to know how many people are still using the default password that was given to them, which is <surname><number>, so it is very easy to log in as other people.
    They should really be forcing a password change on first logon.
    I'm having Hotmail trouble... I can't sign in to my main account, it just doesn't load. There's no problem signing in to Windows Live Messenger or with any other Hotmail account.
    (Original post by someperson)
    I'm having Hotmail trouble... I can't sign in to my main account, it just doesn't load. There's no problem signing in to Windows Live Messenger or with any other Hotmail account.
    Microsoft has been having DNS issues with Hotmail, Skydrive and Office Online for some days now. Could still be an issue...
    (Original post by Mad Vlad)
    Microsoft has been having DNS issues with Hotmail, Skydrive and Office Online for some days now. Could still be an issue...
    I thought it was solved, but obviously not; looks like other users have started having problems in the past few hours too.
    (Original post by someperson)
    I thought it was solved, but obviously not; looks like other users have started having problems in the past few hours too.
    http://downrightnow.com/hotmail
    Thanks, but I've checked :p: I can now log in... but I can't read the emails :facepalm:


    EDIT: working finally
    I think I underestimated how much of a b*tch it was going to be to digitise my entire DVD collection, wish me luck =P
    Why is Excel so inefficient?

    At work I've got a large datasheet (making the workbook about 75MB) with about 10 pivot tables. I know that this is the problem, but whenever I refresh the pivot tables it uses the RAM and then doesn't 'flush' it, so if I refresh these tables 2 or 3 times, Excel sits hogging a good 1.2GB of RAM when in reality it's not doing anything.
    (Original post by Gofre)
    I think I underestimated how much of a b*tch it was going to be to digitise my entire DVD collection, wish me luck =P
    Good luck! Have you got a GPU?
    (Original post by wizard710)
    Good luck! Have you got a GPU?
    Haha, thanks. Currently on disk 9 of about 150 =P. Only a small one, a 256MB GeForce 320M if I remember correctly.
    (Original post by Chrosson)
    Not forgetting a work function. In fact, one can get the salt and pepper but there's no way around having to perform the hash function over a million times per password.
    This bit confused me and I'm not sure quite what you mean. Which 'work function' are you talking about? What I think you're getting at is that having the salt and pepper isn't terribly helpful because you have to repeatedly run the appropriate hashing/salting solution potentially millions of times before you bruteforce the correct plaintext? :holmes: Obviously, as the hash has been salted and peppered you're looking at some crazy number of attempts...
    (Original post by ch0llima)
    This bit confused me and I'm not sure quite what you mean. Which 'work function' are you talking about? What I think you're getting at is that having the salt and pepper isn't terribly helpful because you have to repeatedly run the appropriate hashing/salting solution potentially millions of times before you bruteforce the correct plaintext? :holmes: Obviously, as the hash has been salted and peppered you're looking at some crazy number of attempts...
    Yep, pretty much. I only learnt about it when reading around my post, but it makes good sense. See https://wiki.archlinux.org/index.php...pam.d.2Fpasswd

    Additionally, blowfish appears to accept a parameter to perform additional rounds. See http://en.wikipedia.org/wiki/Crypt_(...h-based_scheme and http://net.tutsplus.com/tutorials/ph...asswords-safe/ (ctrl-f "cost parameter")

    I suppose in the end it depends on how competent the sysadmins are.
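To make the salt, pepper and work-factor idea from this exchange concrete, here is an added Python example (mine, not code from anyone in this thread). It uses PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt cost parameter the links describe, applies the pepper as an HMAC key (a standard keyed construction rather than an ad-hoc one), and keeps a random per-user salt so identical passwords hash differently. The `PEPPER` constant, the iteration count and the user records are assumed values for illustration.

```python
# Added example, not code from anyone in this thread.
# Per-user salt + server-side pepper + tunable work factor, using PBKDF2-HMAC-SHA256
# (standing in for the bcrypt cost parameter mentioned in the links above).
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed values for illustration: a real pepper lives outside the database
# (config file, env var, HSM) and the iteration count is tuned per server.
PEPPER = b"example-server-pepper-do-not-reuse"
ITERATIONS = 200_000


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a record {salt, iterations, hash} to store in the users table."""
    # Fresh random salt per user: identical passwords get different hashes,
    # so one precomputed (rainbow) table cannot be reused across the whole table.
    if salt is None:
        salt = secrets.token_bytes(16)
    # Pepper applied as an HMAC key: a dumped users table does not contain it,
    # so the stored digest cannot be recomputed from the database alone.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Work factor: testing one candidate password costs `iterations` HMAC calls.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered,
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guess_cost(candidates: int, record: dict) -> int:
    """Inner HMAC calls needed to test `candidates` guesses against one record:
    the work factor multiplies the cost of every single guess."""
    return candidates * record["iterations"]


def demo() -> dict:
    """Constructed scenario: two users with the same password, and a check
    without the correct pepper (as after a users-table dump)."""
    pw = "correct horse battery staple"
    alice = hash_password(pw)
    bob = hash_password(pw)
    return {
        "alice_ok": verify_password(pw, alice),
        "wrong_rejected": verify_password("Correct horse battery staple", alice),
        "salt_makes_hashes_differ": alice["hash"] != bob["hash"],
        "no_pepper_fails": verify_password(pw, alice, pepper=b"wrong-pepper"),
        "cost_of_million_guesses": guess_cost(1_000_000, alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The iteration count is the "work function" Chrosson refers to: it is stored alongside the hash so it can be raised later as hardware gets faster, and the `guess_cost` figure shows why even an attacker holding the salt still pays the full price per candidate.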
    (Original post by alexsheppard11)
    x
    You still got those recordings of the PC World you went to? They've become surprisingly relevant on a Bit-Tech thread.
    (Original post by Tathrim)
    You still got those recordings of the PC World you went to? They've become surprisingly relevant on a Bit-Tech thread.
    I have this:
    http://www.youtube.com/user/alexshep...7216970026B187
    Ta. Couldn't remember where you rehosted it.
    (Original post by Gofre)
    Haha, thanks. Currently on disk 9 of about 150 =P. Only a small one, a 256MB GeForce 320M if I remember correctly.
    Ah right, so you can't leverage that much to help you encode it, I guess?
 
 
 