I have a single memorized passphrase and generate a new password for each site by hashing it with the hostname. This bookmarklet asks for the passphrase, grabs the hostname from the current URL, MD5s them, and inserts the first 8 characters of the result into each password field on the current page. It's all done locally in Javascript so nothing secret is passed across the 'net which makes it secure except for shoulder-surfers and keyloggers - good enough for most stuff. And it has the great advantage that there's no locked file of passwords to lose.
Re:Password generation Javascript bookmarklet, on Javascrypt · Score: 1
I agree about the master password being a point of vulnerability if it gets key-captured, or shoulder-surfed, and salts wouldn't help any in that case, but this isn't meant for your most vital passwords to servers or bank accounts, it's meant for all those damned e-commerce and community site registrations for which you end up making up and forgetting crap passwords or using the same one repeatedly...
I've been poking around trying to generate Web-site passwords by hashing the hostname and a master password, and I've come up with this bookmarklet which takes the first 8 chars of the hex representation of the MD5 hash.
This means you only have to remember one master password, and each site you register for gets its own unique password - instead of using the same throwaway password all over so you've given your whole online identity to each site's admins...
I've been meaning to find a crypto guy to ask if I could just use CRC32 to hash the input string, since MD5 is too much Javascript to bookmark in IE. I know it's not a secure way to checksum a file, but given a CRC32 hash and part of the input, can you recover the other part? Anybody?
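The derivation this comment describes, beside a slower key-derivation variant and a check of CRC-32's XOR structure, as an added example that is not part of the original post or the bookmarklet's code. The concatenation order, the PBKDF2 parameters and all function names are assumptions.

```javascript
// Added example for Node.js; not the bookmarklet's own code.
const nodeCrypto = require('crypto');

// The scheme as the post describes it: MD5 over the master passphrase and
// the hostname, keeping the first 8 hex characters. The order of
// concatenation is an assumption. 8 hex characters carry 32 bits.
function md5SitePassword(master, hostname) {
  return nodeCrypto.createHash('md5').update(master + hostname)
    .digest('hex').slice(0, 8);
}

// Hardened variant (assumed parameters): PBKDF2-HMAC-SHA256 with the
// hostname as salt and a high iteration count, so each guess at the
// master passphrase is slow. 12 bytes out, 16 base64 characters.
function kdfSitePassword(master, hostname, iterations = 200000) {
  return nodeCrypto.pbkdf2Sync(master, hostname, iterations, 12, 'sha256')
    .toString('base64');
}

// Bitwise CRC-32 (reflected polynomial 0xEDB88320, as in zip and PNG).
function crc32(buf) {
  let crc = 0xFFFFFFFF;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) {
      crc = (crc >>> 1) ^ (0xEDB88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// CRC-32 is affine over XOR: for equal-length inputs a, b, c,
// crc(a ^ b ^ c) equals crc(a) ^ crc(b) ^ crc(c). A cryptographic hash
// must not have this kind of algebraic structure, so CRC-32 is an
// error-detection code, not a substitute for a hash or a KDF.
function crcIsAffine(a, b, c) {
  const x = Buffer.from(a.map((v, i) => v ^ b[i] ^ c[i]));
  return crc32(x) === ((crc32(a) ^ crc32(b) ^ crc32(c)) >>> 0);
}
```
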
I don't see why a Medeco would be much harder if you can get the blanks, which I'd assume a professional thief could. The pin-ends are slanted, but they must be slanted the same way for all locks on a master, right? So if you have one key you can see which way each pin goes, and with a fine hand file the same slant in your test masters...
Hey, kid, what if you found out that your school has made millions of dollars selling your A paper in stores all over the country, and you got nothing except a contractual obligation to write more papers?
...they avoid giving its dimensions among the specs -- or showing it in a user's hands? If this thing is much bigger than the iPod, then the hell with it. And FireWire is a necessity.
And the Lyra -- hell, the picture in the article makes it look like it's about the size of my head! Kidding, but the article says it weighs twice what the iPod does, so the hell with it too.
That said, when someone ships one of these suckers that can copy songs over FireWire unit-to-unit, I'll hock my iPod and switch!
Content filtering doesn't work reliably. I use this simple .procmailrc to keep an accept-list and let new senders with real return addresses add themselves easily. No-one has ever complained, and I get no spam at all.
Read it, please: they found an admitted bug in SQL Server 6.5. I like this quote, from a Russian engineer: "By the way, I was astonished to learn that MS staff is seriously proposing such stupid advises as change of data formats to avoid MS SQL Server SYSTEM problems."
Re:Eliminating spam from YOUR mailbox is feasible, on RFC for Spammers · Score: 1
Here's my page about doing this easily with procmail, including my simple .procmailrc. Life without spam is good...
Spam? What is this spam you speak of?, on Buried in email? · Score: 2
I use procmail with an accept-list and I get no spam (I define spam as UCE with a forged From header). Here's my .procmailrc.
Postfix sleeps for 5 seconds (by default) before returning an SMTP error, which makes this kind of spam attack unprofitably slow. I assume other SMTP servers have this option...
As a deadbeat Covad customer myself..., on DSL Woes · Score: 2
I know that FlashCom has been stiffing Covad, because I've been stiffing Flashcom. Not out of any desire to be cheap, but because their billing system was broken all last year, and when they finally did start billing me they did so by HTML e-mail with no address to which I could send a check!
Of course when I called them to explain and ask how to pay they put me on eterna-hold and then promised that I'd get a call from someone real soon...
So, I'm $500 in the hole to Flashcom, who obviously hasn't paid Covad for the service they're providing me. Now Flashcom's bankrupt and I'm sitting here using Covad's DSL for free.
If they drop me, I'll just go back to Verizon, whose DSL I dropped when they went to PPPoE but wouldn't mind now that my access routers can log in for me.
What a mess. This isn't Covad suckage, the DSL itself has been great - but the structure of the market makes it impossible for them to win.
I don't get any spam - I use procmail to verify senders on all incoming e-mail. It works, and it only inconveniences each sender the first time they mail you from a given address.
The irony involved in the Times' posting their article on how TV will follow music down the digital gravity well on their registration-required Web site, and our using the back door to read it for free, is tasty.
Those are Kazuo Kawasaki frames - they are great, but mine cost about $600 with prescription lenses.
it's run by a Republican who raised money for Bush and promised in a 2003 fund-raising letter that he was "committed to helping Ohio deliver its electoral votes for the president next year".
wardrive around your apartment until you can get on some random neighbor's open 802.11 network...
Prakash drew inspiration for the company from the sci-fi novel A Fire Upon The Deep, by Stanford computer science professor, Vernon Ving
That's "Vernor Vingh".
I do this with a simple procmail script. In fact, you don't need the password and manual authorization: spammers don't read their return mail.
This is blocking 100 spams a day for me right now. I still get maybe 3 non-spam UCEs a week from real people. And no one has ever complained about it.
Sorry, I meant to link it:
http://angel.net/~nic/spam-x.html
If you can run procmail try my challenge/response script:
http://angel.net/~nic/spam-x.html
It just requires new senders to reply to its autoreply, but it's been foolproof so far.
channel.nytimes.com.
The irony involved in the Times' posting their article on how TV will follow music down the digital gravity well on their registration-required Web site, and our using the back door to read it for free, is tasty.