Slashdot Mirror


User: Elric55

Elric55's activity in the archive.

Stories: 0
Comments: 16

Comments · 16

  1. let's see how well the hillary defense holds up on this one.

  2. Online Block Training on Ethereum Could Be Worth More Than Bitcoin Very Soon (inc.com) · Score: 1

    Pay us $29.99 a month for Online Block Training. That's right! Pay us in USD and not even our own currency we want you to use!

  3. By combining a physical token, even a cellphone, you get far more security than depending on something that is most likely written down.

    So, you enable two-factor where you get an SMS, or add your mobile number to facebook / google, then you drop your mobile phone, which doesn't have a pin for the simcard. Someone finds the phone, takes the sim out, figures out the number, does a password reset in facebook / google using only the mobile number, and now basically owns you because they have access to your gmail / facebook accounts, and can password reset pretty much every account you have. Any SMS based 2-factor is also toast.

    Security is always just as good as the weakest link, and two-factor is no magic bullet for password issues...

    As I was just about to post how NIST recommended against 2FA using SMS it appears they updated their drafted guidelines today. Guess wait and see what the outcome is.

  4. Re:Sudden breakout of common sense on NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com) · Score: 1

    Exactly, if the "bad guy" knows what the key length must be he can assume that that will be the most of the users (if not all) key length and start with that number. IE start with minimum 8 characters instead of 1.

  5. My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

    My current position has a 6 month expiry. I use a much stronger password.

    This is common sense to me.

    LK

    You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.

    Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.

    If you're implying that the average user will only do the bare minimum then it's very easy to assume what the user will do with their passphrase.

    For example if you tell the user they must include an uppercase letter the user will have this at the beginning of their password. If you tell the user they need a special character they will more than likely include this and the number at the end of their password or as a different character within the passphrase (ie substitute 3 for e).

    The argument here is that the "bad guy" already knows how users generate their passphrases given guidelines and if a user knows they will need to update it every X amount of time it will not be very complex. Therefore, to create a very complex password once, making it easy to remember, and to prevent the user from writing down their passphrase (issue with physical security)

    Some additional readings:
    https://www.schneier.com/essays/archives/2014/02/choosing_a_secure_pa.html
    http://www.jbonneau.com/doc/BS12-USEC-passphrase_linguistics.pdf
     

  6. Re:Nintendo had to download their own roms to make on Nintendo To Launch SNES Mini This Year, Reports Eurogamer (eurogamer.net) · Score: 1

    If you think Nintendo, Konami, Square, and Capcom didn't have copies of all their officially licensed cartridges' ROMS, I think you're nuts.

    As an individual who has worked in this industry and whose sole job was dedicated to securely distributing game content to QA, and managing all builds for a studio, I can confirm that the archive process (especially during the early days) can be non-existent. I don't want to name specifics but there's a specific story behind a AAA title from the 90s that almost didn't get its anniversary edition because of the difficulty of obtaining the original assets. Keep in mind this still is a big company and not one of your small indie studios and last I checked they were still developing a process for archiving.

  7. I read your entire post AC. I'm still waiting for your solution to this problem. Is it to let it all crash and burn? Seems better than a suggestion by Bruce Schneier.

  8. Nintendo throws in the towel on Nintendo's Engineers Have Embraced Unreal Engine (engadget.com) · Score: 1

    So, based on the newfound information, we can assume that Nintendo became tired of themselves developing every game for their proprietary platform and reducing their risk to other individuals.

    Cool.

  9. If it is available, install Firefox as your mobile browser, then install uBlock Origin. Enable your favorite filters and enjoy much less mobile advertising and tracking.

    tor is available for android.

  10. ^^ this. they've been spamming my inbox as of late trying to get me to come back.

  11. Re:Patch exploits on President Obama Wants To Prevent a Cyber Weapon 'Arms Race' (theverge.com) · Score: 1

    speaking of which ... remember when the photographs of the TSA keys got leaked?

    https://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/

  12. Re:Constitutional Rights on FBI Director Says Prolific Default Encryption Hurting Government Spying Efforts (go.com) · Score: 1

    after all cryptography has only been around since caesar. https://en.wikipedia.org/wiki/Caesar_cipher

  13. Re: As a former journalist, this isn't a big deal on Gawker.com To End Operations Next Week (gawker.com) · Score: 1

    When did Slashdot turn into a place where comments you disagree with are downvoted instead of using comments to have a discussion?

    you must be new here.

  14. Re:Tough call on Gawker Founder Nick Denton Files For Bankruptcy (nydailynews.com) · Score: 1

    I think this is an ignorant statement. Gawker Media owns more than just 'Gawker'. Their other websites have actual content. I'm pretty sure we can all agree losing Gizmodo, Kotaku, and Lifehacker would be a great loss.

    List taken from wiki (https://en.wikipedia.org/wiki/Gawker_Media)
    Deadspin – Sports
    Gawker.com – New York City media and gossip, tabloid
    Gizmodo – Gadget and technology lifestyle
    Jalopnik – Cars and automotive culture
    Jezebel – Celebrity, Sex, Fashion for women
    Kotaku – Video games and East Asian pop culture
    Lifehacker – Productivity tips

  15. Re:How many accidents has it avoided? on Consumer Reports Calls For Tesla To Disable Autopilot (consumerreports.org) · Score: 1

    So you would rather Autopilot average them all off. At best, we will be saving the drunks at the cost of some good drivers. This, even if we ever reach full adoption for drunks which we never will.

    who's to say a drunk isn't a good driver when not drunk? or determine the value of one individual's life over another?

  16. Re:I predict the future of a government API on Obama Administration Explored Ways To Bypass Smartphone Encryption · Score: 1

    time to invest in carrier pigeons or perhaps carrier drones.