Here is the text of the NIST SP 800-63B Digital Identity Guidelines.

[-] Feelfold@lemm.ee 18 points 8 hours ago

All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.

[-] werefreeatlast@lemmy.world 1 points 17 minutes ago

I have one in my house! 🏡 Just reverse into it and Viola! The door opens! Works for the ref too! Hands free baby!

[-] sunbytes@lemmy.world 3 points 37 minutes ago

It took me a moment to notice those weren't specifically security terms...

[-] DaPorkchop_@lemmy.ml 7 points 7 hours ago

"Please insert your webcam."

[-] jj4211@lemmy.world 29 points 17 hours ago

Meanwhile, my company has systems insisting on expiring ssh keys after 90 days...

[-] AnUnusualRelic@lemmy.world 4 points 1 hour ago

Fools! You have to expire the whole system!

Reinstall everything every 90 days. It's the only way.

[-] dan@upvote.au 5 points 15 hours ago

I'm surprised they'd expire the SSH keys rather than just requiring the password for the key to be rotated. I guess it's not too bad if the key itself is automatically rotated.

It would be more secure to have SSH keys that are stored on Yubikeys, though. Get the Yubikeys that check fingerprints (Yubikey Bio) if you're extra paranoid.

[-] jj4211@lemmy.world 1 points 3 hours ago

Problem they had was that ssh doesn't really have any way to enforce details of how the client key manifests and behaves. They could ship out the authentication devices after the security team trusted the public key, but that was more than they would have been willing to deal with.

Rotating the passphrase in the key wouldn't do any good anyway. If an attacker got a hold of your encrypted key to start guessing the passphrase, that instance of the key will never know that another copy has a passphrase change.

[-] VantaBrandon@lemmy.world 80 points 23 hours ago

How about making it illegal to block copying and pasting on website forms. I'm literally more likely to make a mistake by typing a routing number than by copying and pasting it. The penalty should be death by firing into the sun for anyone caught implementing any such stupidity.

[-] johannesvanderwhales@lemmy.world 65 points 22 hours ago

Frankly I'm mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

There are plugins that will disallow this. I think the one I use is "don't fuck with paste".

[-] D_Air1@lemmy.ml 11 points 16 hours ago

Browsers shouldn't allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also with searching on the page with Ctrl + F. Like, I don't care that websites want to create their own experience. Don't mess with browser behavior.

[-] dual_sport_dork@lemmy.world 14 points 19 hours ago

Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.

Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.

[-] priapus@sh.itjust.works 9 points 20 hours ago

Never thought to look for an extension for that. Thanks for mentioning it.

[-] a2part2@lemmy.zip 7 points 17 hours ago

Think of the environment!

Less Delta-V to eject them from the solar system.

[-] DelightfullyDivisive@lemmy.world 15 points 21 hours ago

It takes way less Delta V to push them into solar escape velocity.

[-] atocci@lemmy.world 12 points 21 hours ago

Anger is no excuse to be inefficient with propellant, after all.

[-] dsilverz@thelemmy.club 16 points 23 hours ago

I circumvent that by right-clicking, then choosing "Inspect element", then switching to the tab "Console", then typing $0.value = "TheValueIWantToPaste". If right-clicking is also disabled, I use either F12 or Tools menu > DevTools.

[-] xthexder@l.sw0.com 26 points 20 hours ago

Interesting that unicode support is suggested. Emoji passwords could be fun.

[-] noughtnaut@lemmy.world 3 points 5 hours ago

Emoji passwords made me think of the Lotus Notes password prompt with their little images that changed as I typed (which never really made sense to me).

Yes, I'm old...

[-] datelmd5sum@lemmy.world 9 points 11 hours ago

my password is just 20 gigabytes of poop emojis.

[-] dual_sport_dork@lemmy.world 25 points 19 hours ago

Characters are characters. The system I just wrote will accept anything, because the first thing I do with it is hash it. If you want to make your password:

░▒▓█ ʥ۞ݔݯݲݸݴݺ '; drop table users; 🤣💩ʩ █▓▒░

Then go for it. More power to you for typing that out or, more likely, letting your password manager remember it. Make your password as entropic as you can manage, I don't care how you arrive there.

[-] sugar_in_your_tea@sh.itjust.works 15 points 17 hours ago

Yup. All I care is that your password isn't the entire works of Shakespeare or something like that. A couple hundred characters/bytes? You do you.

What really bothers me is when a website says something like: must have a special character, except these ones (proceeds to list everything except @ and !). And then the next one has the same rule, but different exceptions.

Passwords should be treated as a black box, just read it as bytes and throw it into the hash algorithm. You want to somehow enter a nyan cat? Be my guest, no guarantee the input box will accept it though.

[-] Smokeless7048@lemmy.world 11 points 17 hours ago

also: "password is too long, max password length is 12 digits"

Why... like, sure, cap it at 256 or something reasonable. But I've run into as low as 9 digits.

[-] dan@upvote.au 8 points 15 hours ago* (last edited 15 hours ago)

One of the four major banks in Australia used to (or maybe still does?) limit passwords to 6 characters. No more, no less. Exactly 6. They're case insensitive, too.

One of the other banks used to silently truncate passwords (to 12 characters if I remember correctly). They removed the truncation one day, and there were so many issues because people who had passwords longer than 12 characters couldn't log in unless they knew to only enter the first 12 characters of it. It was a mess. Their phone support had a recorded message saying to only enter the first 12 characters if you have trouble logging in.

[-] Sneezydinosaur@lemmy.world 6 points 17 hours ago

I had a simulator for school truncate after like 13 characters. And nowhere on their page did it specify a character limit. Would still accept an input of like 64 characters though. Got locked out of that account many times.

[-] Hazor@lemmy.world 6 points 16 hours ago

I've run into similar: on the account creation page there was no character limit on the input box nor stated in the password requirements, but on the login page the password input box was limited to 14 characters. So you could successfully create an account with a long password, you just couldn't log in because it wouldn't let you enter the whole password.

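What several commenters above describe (hash whatever bytes arrive, count length in characters with a generous cap, never silently truncate, no "special character except these" rules), written out as a small verifier in the spirit of SP 800-63B. This is an added example, not code from the thread or from NIST; the blocklist entries, the length constants and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed placeholder blocklist; a real verifier loads a breached-password corpus.
BLOCKLIST = {"password", "12345678", "qwertyui", "correcthorsebatterystaple"}

MIN_LEN = 8          # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 256        # must allow at least 64; over the cap we reject, never truncate
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def normalize(secret: str) -> bytes:
    """NFKC so the same visible text hashes identically across keyboards, then UTF-8 bytes."""
    return unicodedata.normalize("NFKC", secret).encode("utf-8")


def check_policy(secret: str) -> Optional[str]:
    """Return a rejection reason, or None if the secret is acceptable.

    Length is counted in Unicode code points after normalization, so emoji and
    box-drawing characters count as one each. There are no character-class rules.
    """
    normalized = unicodedata.normalize("NFKC", secret)
    n = len(normalized)
    if n < MIN_LEN:
        return f"too short: {n} characters, minimum {MIN_LEN}"
    if n > MAX_LEN:
        return f"too long: {n} characters, maximum {MAX_LEN}"
    if normalized.lower() in BLOCKLIST:
        return "commonly used or compromised"
    return None


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the raw normalized bytes; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; every byte of the input matters, so a truncated entry fails."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)
```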
[-] Semi_Hemi_Demigod@lemmy.world 38 points 23 hours ago

One thing they should change is the word "password." This implies that it's a short string. Changing it to "passphrase" will help people feel comfortable choosing credentials like "correct horse battery staple."

[-] Madblood@lemmy.world 41 points 23 hours ago

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I'm good to go. If there's no internet available, the smart card will still get me into my computer. If I'm on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

[-] Classy@sh.itjust.works 20 points 22 hours ago

The app my work uses to show 401k, pay, leave requests, etc. uses a ridiculous webapp that's very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it's my new password. Apparently this is more secure??

[-] toddestan@lemm.ee 4 points 15 hours ago

My favorite are some of the work systems that I need to access, but only infrequently, yet still have ridiculous password expiration rules. Nearly every time I log in, before I can access the system I have to change my password because of course it's expired again. So I change the password and write it down, because I'll never remember it months from now when I need to use that password exactly once to log in and change my password yet again.

[-] chiliedogg@lemmy.world 5 points 16 hours ago

I just add 1 to the number at the end of my password every time they force a change.

I'm on 18 right now.

this post was submitted on 26 Sep 2024
518 points (99.2% liked)