It wouldn't matter. Strong passwords help prevent dictionary attacks against password hashes. In this case, it appears the passwords were encrypted, not hashed. So instead of cracking the users' passwords, the attacker need only attack the encryption key and they would get all the users' passwords regardless of how strong they were.
My kids both like pokemon. I don't blame them... its collectible, and collecting is fun.
What did we collect when I was a kid? Hockey cards? Baseball cards? Same idea but a hell of a lot less fun. Especially if you didn't really care about the sport...
I'm vaguely surprised that Pokemon hasn't been replaced by something newer, but I'm not surprised that its still around. Nintendo has done well with the marketing.
Not just collectible, playable. I'm in my 40s and through my son got into the video games recently and was surprised to find a really well developed and balanced gaming system that was both simple to understand yet nuanced enough to allow for extremely detailed and varied strategies. Online we found in-depth analysis on team and move strategies and a worldwide community of online players. This isn't just cute monsters, that's the marketing aspect, Pokemon is an excellent game.
We are now doing the card game as well, recently joining a local league - and getting our asses kicked.
This is more than they ever imagined for the 11 other members of my immediate family, who still call me whenever they need to hook or unhook a (VCR|DVD|CD) player.
A company trying (remember the networks are not too fond of this) to offer a service many customers would like and use is not a bad thing. Given the nice high-speed video feed they have into millions of homes, why shouldn't they look to provide a more user flexible service that would attract and keep customers.
This is the essence of competitive innovation
Nobody is saying that you can't keep your DVR and the extra features it affords you, but please don't begrudge those that would love to see DVR like functionality across all cableboxes in the house, the potential for virtually unlimited storage, no set-up, no wires, etc. If there are catches like no ff through commercials, then this is part of the personal tradeoff vs. DVR that the consumer gets to make.
sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.
Yes, OpenID could be used for this, but there already exists an open standard for this that is supported by nearly ever major vendor - SAML. Why invent another wheel.
Actually OpenID is saying more like "you are the same person who claimed this identity before", it is making no claims that you actually are who you say you are.
Authentication (username - password/tokencode/biometric/whatever) is generally the first step to establish a digital identity. This reqires some trusted source to be able to judge if the credentials are sufficient to establish the identity.
From my quick reading, OpenID doesn't try to do this and leaves this up to the "identity provider" which can be a centralized service or even my own home system. OpenID is more concerned with mapping whatever identity the user chooses to use consistently across the sites they visit.
This makes sense for sites that care more about consistenty mapping a user to an ID, but don't really care who the user is (like Slashdot), but makes absolutely no sense for any site that actually needs to know something about its users (banking, commercial, etc.) Until such time that there is a commercially trusted source of identity (yah right), sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.
IMO: This is doomed to blogspace and sites where liability is not an issue. If you're serious about SSO, look to SAML.
Halliluia, someone who understands. Schrage really shows his ignorance making the ATM/password comparison and not discussing the fundamental difference between single and multi-factor auth.
Frankly, he doesn't mention multi-factor auth at all but touts "suspicion engines" as a viable strategy. Egads!
Slashdot Mirror
It wouldn't matter. Strong passwords help prevent dictionary attacks against password hashes. In this case, it appears the passwords were encrypted, not hashed. So instead of cracking the users' passwords, the attacker need only attack the encryption key and they would get all the users' passwords regardless of how strong they were.
My kids both like pokemon. I don't blame them... its collectible, and collecting is fun.
What did we collect when I was a kid? Hockey cards? Baseball cards? Same idea but a hell of a lot less fun. Especially if you didn't really care about the sport...
I'm vaguely surprised that Pokemon hasn't been replaced by something newer, but I'm not surprised that its still around. Nintendo has done well with the marketing.
Not just collectible, playable. I'm in my 40s and through my son got into the video games recently and was surprised to find a really well developed and balanced gaming system that was both simple to understand yet nuanced enough to allow for extremely detailed and varied strategies. Online we found in-depth analysis on team and move strategies and a worldwide community of online players. This isn't just cute monsters, that's the marketing aspect, Pokemon is an excellent game. We are now doing the card game as well, recently joining a local league - and getting our asses kicked.
This is more than they ever imagined for the 11 other members of my immediate family, who still call me whenever they need to hook or unhook a (VCR|DVD|CD) player.
A company trying (remember the networks are not too fond of this) to offer a service many customers would like and use is not a bad thing. Given the nice high-speed video feed they have into millions of homes, why shouldn't they look to provide a more user flexible service that would attract and keep customers.
This is the essence of competitive innovation
Nobody is saying that you can't keep your DVR and the extra features it affords you, but please don't begrudge those that would love to see DVR like functionality across all cableboxes in the house, the potential for virtually unlimited storage, no set-up, no wires, etc. If there are catches like no ff through commercials, then this is part of the personal tradeoff vs. DVR that the consumer gets to make.
sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.
Yes, OpenID could be used for this, but there already exists an open standard for this that is supported by nearly ever major vendor - SAML. Why invent another wheel.
Actually OpenID is saying more like "you are the same person who claimed this identity before", it is making no claims that you actually are who you say you are.
Authentication (username - password/tokencode/biometric/whatever) is generally the first step to establish a digital identity. This reqires some trusted source to be able to judge if the credentials are sufficient to establish the identity.
From my quick reading, OpenID doesn't try to do this and leaves this up to the "identity provider" which can be a centralized service or even my own home system. OpenID is more concerned with mapping whatever identity the user chooses to use consistently across the sites they visit.
This makes sense for sites that care more about consistenty mapping a user to an ID, but don't really care who the user is (like Slashdot), but makes absolutely no sense for any site that actually needs to know something about its users (banking, commercial, etc.) Until such time that there is a commercially trusted source of identity (yah right), sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.
IMO: This is doomed to blogspace and sites where liability is not an issue. If you're serious about SSO, look to SAML.
Halliluia, someone who understands. Schrage really shows his ignorance making the ATM/password comparison and not discussing the fundamental difference between single and multi-factor auth.
Frankly, he doesn't mention multi-factor auth at all but touts "suspicion engines" as a viable strategy. Egads!
Folks, file this article where it belongs.