On Tue, Mar 4, 2014 at 3:46 AM, Steven D'Aprano
wrote:
> On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:
>
>> But it's an attack vector that MUST be considered, which is why I never
>> tell the truth in any "secret question / secret answer" boxes. Why some
>> sites think "mother's maiden
On Mon, 03 Mar 2014 08:41:10 -0500, Roy Smith wrote:
> In article ,
> Chris Angelico wrote:
>
>> The greatest threats these days are from the network, not from someone
>> physically walking into an office. (That said, though, the low-hanging
>> fruit from walking into an office can be *extremel
On Tue, 04 Mar 2014 00:55:45 +1100, Chris Angelico wrote:
> But it's an attack vector that MUST be considered, which is why I never
> tell the truth in any "secret question / secret answer" boxes. Why some
> sites think "mother's maiden name" is at all safe is beyond my
> comprehension. And that's
On 2014-03-03 13:55, Chris Angelico wrote:
On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith wrote:
I used to work at which had a typical big company IT
department which enforced all sorts of annoying pseudo-security rules.
As far as I could figure out, however, all you needed to get them to
reset an
On Tue, Mar 4, 2014 at 12:41 AM, Roy Smith wrote:
> I used to work at which had a typical big company IT
> department which enforced all sorts of annoying pseudo-security rules.
> As far as I could figure out, however, all you needed to get them to
> reset anybody's password and tell you the new
In article ,
Chris Angelico wrote:
> The greatest threats these days are from the network, not from someone
> physically walking into an office. (That said, though, the low-hanging
> fruit from walking into an office can be *extremely* tempting. Pulling
> off a basic password leech off sticky no
On Sun, Mar 2, 2014 at 10:44 PM, Chris Angelico wrote:
> Of course, the whole concept depends on being able to use long
> memorable passwords. Any system that sets a maximum password length of
> anything less than about 30-40 characters is causing its users
> problems. There's almost never any rea
On Mon, Mar 3, 2014 at 3:38 PM, Steven D'Aprano wrote:
> Oh really? Chances are your wallet is *full* of pieces of paper that
> people would steal, given half the chance.
Alas no... around here, wallets get filled with pieces of plastic [1],
of which my wallet is sadly devoid. And I can't imagi
On Sun, 02 Mar 2014 18:52:40 -0700, Ian Kelly wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a
>> class of threats where you lose your key, or someone steals it, or
>> makes a copy, but the risks are well-unde
On Mon, Mar 3, 2014 at 12:52 PM, Ian Kelly wrote:
> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a class
>> of threats where you lose your key, or someone steals it, or makes a
>> copy, but the risks are well-underst
On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
wrote:
> People have managed physical keys for *centuries*. Yes, there are a class
> of threats where you lose your key, or someone steals it, or makes a
> copy, but the risks are well-understood and can be managed even by your
> grandmother. We have
On Sun, 02 Mar 2014 15:10:06 -0800, Renato wrote:
> I would like to thank every one who posted a reply. I learnt a lot from
> you, guys! I appreciate your attention and your help :)
>
> I took a class on Computer Simulation last year. It was told that
> deterministic (pseudo-)random numbers are e
On Sun, Mar 2, 2014 at 4:10 PM, Renato wrote:
> I would like to thank every one who posted a reply. I learnt a lot from you,
> guys! I appreciate your attention and your help :)
>
> I took a class on Computer Simulation last year. It was told that
> deterministic (pseudo-)random numbers are exce
On Sun, 02 Mar 2014 15:01:09 -0500, Roy Smith wrote:
> Security is as much about cryptography as it is about human factors and
> business drivers. You can make things resistant to brute-force attacks
> by using longer keys, but people are still going to pick bad passwords.
Yes. But:
> You can f
I would like to thank every one who posted a reply. I learnt a lot from you,
guys! I appreciate your attention and your help :)
I took a class on Computer Simulation last year. It was told that deterministic
(pseudo-)random numbers are excellent for simulations, because they allow
debugging and
On Mon, Mar 3, 2014 at 7:01 AM, Roy Smith wrote:
> We recently got a frothing email from a user, which basically said, "You
> farking idiots, you emailed me my password in plain text!" It turns
> out, his user name was the same as his password and what we had sent him
> (in response to an account
In article ,
Christian Heimes wrote:
> On 01.03.2014 21:11, Chris Angelico wrote:
> > The problem isn't SHA-256. The problem is insecure passwords, the way
> > we've been taught to make them by the banks. Hence, XKCD 936.
>
> Your argumentation is just wrong. You are saying "It's OK to use a
>
On 01.03.2014 21:11, Chris Angelico wrote:
> The problem isn't SHA-256. The problem is insecure passwords, the way
> we've been taught to make them by the banks. Hence, XKCD 936.
Your argumentation is just wrong. You are saying "It's OK to use a
totally insecure way to hash passwords because passw
On Sun, Mar 2, 2014 at 9:07 AM, Christian Heimes wrote:
> On 01.03.2014 21:25, Roy Smith wrote:
>> In article ,
>> Christian Heimes wrote:
>>
>>> With software like [1] and a fast GPU
>>> it is possible to do more than 10*10^9 checks/second for SHA-256.
>>
>> Just out of curiosity, how does tha
On 01.03.2014 21:25, Roy Smith wrote:
> In article ,
> Christian Heimes wrote:
>
>> With software like [1] and a fast GPU
>> it is possible to do more than 10*10^9 checks/second for SHA-256.
>
> Just out of curiosity, how does that differ from 10^10 checks/second?
I find 10 * 10^9 easier to
In article ,
Christian Heimes wrote:
> With software like [1] and a fast GPU
> it is possible to do more than 10*10^9 checks/second for SHA-256.
Just out of curiosity, how does that differ from 10^10 checks/second?
--
https://mail.python.org/mailman/listinfo/python-list
On Sun, Mar 2, 2014 at 6:54 AM, Christian Heimes wrote:
> Yes, for most applications brute force is still the best option to crack
> the password. Passwords are usually rather short, have a low entropy and
> modern hardware is insanely fast. With software like [1] and a fast GPU
> it is possible t
On 01.03.2014 19:45, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 5:31 AM, Christian Heimes wrote:
>> encrypted = hashlib.sha256(login+'NaCl protects your
>> passwords'+password).hexdigest()
>> encrypted
>>> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
>>
>> Pl
On Sun, Mar 2, 2014 at 5:31 AM, Christian Heimes wrote:
> encrypted = hashlib.sha256(login+'NaCl protects your
> passwords'+password).hexdigest()
> encrypted
>> 'b329f2674af4d8d873e264d23713ace4505c211410eb46779c27e02d5a50466c'
>
> Please don't do that. It's insecure and not the prope
On Sun, Mar 2, 2014 at 5:38 AM, Tim Chase wrote:
> That said, if the user has access to the source code, there's nothing
> preventing them from changing
>
>     if hash(provided_password) == existing_hash:
>         do_magic()
>
> into just
>
>     if True:
>         do_magic()
>
> and re-running the program.
On 2014-03-02 05:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato wrote:
> > My question is: is there a way of preventing the user from
> > reading the script's content?
Not really. It might be a bit obfuscated, but
>> Is there any strategy I could use to hide the passwords f
On 01.03.2014 19:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato wrote:
>> Hello everybody, I implemented a password validation with a Python 2.7.5
>> script in OpenSUSE 13.1. The user calls it passing 'login' and 'password' as
>> arguments. I made a dictionary in the format h
On Sun, Mar 2, 2014 at 4:49 AM, Renato wrote:
> Hello everybody, I implemented a password validation with a Python 2.7.5
> script in OpenSUSE 13.1. The user calls it passing 'login' and 'password' as
> arguments. I made a dictionary in the format hashtable = {'login':'password'}
> and I use thi