Why not? All the mathematical models claimed that the US Financial credit market and the Housing Bubble wouldn't burst at the same time- they calculated that was a once in 75 million years event. Given the luck of the United States lately, a 1/600,000 year event going off right now would just be the icing on the cake.
A sword isn't included? He'd be better off becoming a 4th Degree Knight of St. Columba (the Scottish version of the Knights of Columbus)- at least they get swords!
And as I've maintained, modifying the password is actually MANDATORY for a secure system. Are you telling me that you actually store passwords in plain text?!?!?!?!? And if you don't, then you are actually including non-printable characters in your encryption routine?
You miss the point. You don't change the password from what the user entered
I'll stop you right there with a *big* disagreement. You *ALWAYS* change the password from what the user entered before storage. Storage in plain text is a big no-no.
You may reject the password if it doesn't meet some sort of criteria, but you don't change it from what the user remembers, especially if they have to enter the password twice.
Incorrect- you ALWAYS change the password from what the user remembers, using the same algorithm every time. The standard method is to push whatever the user enters through a one way encryption scheme, and store the one-way encryption in the database. Then when the user types in the password again, you once again push it through the one-way encryption scheme, and compare it to what is stored in the database. By definition, a one-way encryption scheme is a "lossy" encryption, that is, bits are removed. So why not just start your encryption scheme with a Trim? In fact, most password encryption schemes do exactly that.
Anything less is an insecure system, because all one would have to do is look up the password in the database to probably crack several different systems the user has used that password on.
That's what I brought up when I heard about this while I was still working for ODOT. Unfortunately, at the time I was already in deep water for disagreeing with the internet usage policy (as reported in my journal).
That is one of the $64 Trillion unanswered questions...supposedly from somebody who has a car to sell that gets less than 12MPG and that wants to advertise the tax savings.
It's either/or: If the gas pump detects your GPS computer, it charges you $.012/mile. Otherwise it charges you $.25/gallon. Or thereabouts, I haven't heard what the new gas tax portion is going to be.
Oh, and also it's only on NEW cars- old cars are grandfathered into the gas tax.
No need to- you just trim on every input of a string regardless. In fact, as a given, every password encryption routine I've ever heard of STARTS with a trim. Could it be the original programmer wasn't encrypting his passwords before storage?
Your password should NEVER be stored on the disk in the way it was typed- this is a major security risk.
No it wouldn't, because Trim("Password")=Trim(" Password "). An application that includes trim as the first step of the password encryption would work regardless of whether the person remembered the leading and/or trailing space or not.
Trimming the spaces would not be the right solution. In that case there would be support calls saying that their new password does not work.
Why would it not work, if you were trimming all user input strings, in every instance, like any good user interface design SHOULD? First time it's entered with the space, gets TRIMmed, encrypted, and stored in the database. Next time it is entered on the login screen, it gets Trimmed, encrypted, and compared to the password stored in the database. They're equal, so the user gets in.
What happens when the user then tries to enter their password and it has a space?
Assuming you're following the basic rule that "all user input of strings should be TRIMmed", then your user enters their password with the space as normal, it gets trimmed, encrypted, and compared to the stored encryption.
It is easier to tell the user not to use a space at the beginning or end of a password when creating it than it is to remember to use a trim everywhere you read a password from.
Well, you COULD make it part of the encryption routine- you are encrypting your user passwords, right?
Now, I would use the trim anyhow, but if the user thinks that their password has a space at the beginning of it they're going to use it all of the time and eventually run into some problem.
Not your problem if you're following the standard for user input of strings.
My answer has nothing to do with where the line is drawn, but rather how we decide punishment for the act. Right now, the Zero Tolerance Method with Lifelong Labeling is a bit draconian. I suggest instead that the punishment of the offender should be no longer than the time it takes the offendee to reach the "age of majority"- whatever that is.
How incredibly stupid must the programmer have been not to use the Trim function that is built into every language I've ever seen that handles strings?
Depends on the policies installed on the Exchange Server- at least in Outlook. I'm amazed at how many Exchange Admins set the policy that you can't send inline images (usually due to spam being a problem).
Simple question then (based on this and other post above), are you sure you want to allow procreation of your 10 year old daughter?
Don't have one, but don't see any reason to prevent it either. Teenage pregnancy is NOT the bugaboo modern society makes it out to be- and was the norm for MOST of human history.
What if she "consents" and is physically mature enough, and runs away to be with her "boyfriend"?
Then her "boyfriend" better be ready to get married, or I'll be coming after him with a shotgun.
If she is old enough to "consent" then she is old enough to decide to leave home, right?
Yep.
Having raised three girls to maturity and beyond, I can assure you that there is very little likelihood that most girls, while physically mature enough to bear children, are NOT socially mature enough.
And who actually is "socially mature enough"? I've always said teenage pregnancy is more a lack of living wage jobs for teenagers than it has anything to do with "maturity", which is a concept I find to be totally abstract and untestable.
And let's not forget the Gypsies along the eastern edge of the US that often do marry off little girls, often 8 - 10 years old.
Yes, they do. In fact, EVERY ethnic group has young marriage someplace in the past.
Again, I'm not sure an 8-10 year old can give consent. I'm not sure that most 16 year olds understand the decisions they are making. I'm not even sure that some adults can understand... but that is another point altogether LOL.
Your choices are half chance- but so are everybody else's. I'm going to be hammering duty and honor into my son long before he's 10. Because the key isn't understanding the decision before you make it- it's having the courage to live with and take care of the consequences afterwards.
PS: You missed a question, so here it is again (and this REALLY goes to the heart of what I'm arguing for): Where I have a tendency to agree, I've got to repeat my question above: In a world where Zulu tribes believe that every menstruation is an abortion, where children as young as 12 get married, and where due to pollution and better nutrition precocious puberty can exist in a girl as young as 8, how the hell do you tell when childhood ends and adulthood begins?
In other words, your 2 year old example, while a part of the slippery slope, isn't valid because despite precocious puberty, there has never been a mother younger than 6. Given my belief in the line being the ability to have children (sex for procreation rather than recreation), there's a good argument against fucking 2 year olds, but there isn't a good argument against fucking a girl who has had her first menarche and already has breasts. Yet the law in many places in the United States would define that as child sex abuse (oh, and for the record, my wife was 28 when we got married).
Three in 2008 alone.
Well, either that or I'm the type of gambler who believes that bad luck draws more bad luck.
They are saying that they NEVER change the original string. That would, to me, indicate that they're storing the original string.
There's a huge difference between hashing/encrypting and modifying the actual input.
Really? In what way? And if so, how is a Trim different from any other hash function?
Yep. Pretty much. I don't think the environmentalists have done the math yet.
Heck, my wife's SUV gets better mileage than that- at least on Highway.
Now that's the first post I've seen where somebody was actually THINKING.
However, in normal password routines, you apply the 6 character minimum rule before the encryption starting with a Trim. So no problem.
Doesn't matter if the first thing in your encryption routine is a Trim, because Trim(" Password")=Trim("Password").
Later, when the user forgets about the space, they will get frustrated that they can't log in.
Why wouldn't they be able to log in when they forget the space? Trim("Password")=Trim(" Password "), so they should still be able to log in.
NEVER blame the users for bad UI design.
As long as you modify it in the same way as a part of the encryption routine, it won't matter.
ALL user-entered data should be trimmed, as a minimum.