Inconsistency
Posted Friday, March 15, 2013 11:36 PM
Ten Centuries

Group: General Forum Members
Last Login: Thursday, August 28, 2014 8:53 PM
Points: 1,388, Visits: 3,039
I moved from mainframe work into PCs in the late 80s, developing on OS/2. When Microsoft divorced IBM and renamed their version of that OS "NT", I was convinced that the big blue product would be recognized as superior and would be the end of MS dominance. I even bought into the Microsoft bashing (I hate to admit), referring to "win-doze". By the end of the 90s, I'd clipped and hung on our fridge a Nicole Hollander "Sylvia" cartoon that summed up my experience and new attitude (it's dated 8/12/98). I hope I'm not pushing copyright law too far by quoting it.

She introduces her character as 'the woman who worries about everything, doesn't have a computer, cell phone or smart card because she knows what's new today will be obsolete tomorrow.' Then the character, sitting at a desk lit by a hurricane lamp, muses: 'You'll notice that no one's bidding on old computers at Sotheby's. You can't give them away. No, they molder down in the basement... along with that Beta VCR you thought you were so clever buying because it was better than VHS and cheaper.'
Post #1431864
Posted Saturday, March 16, 2013 6:24 AM
SSCrazy

Group: General Forum Members
Last Login: Yesterday @ 2:31 AM
Points: 2,909, Visits: 1,837
I think I've learnt that even the well-informed and smart people only have a vague clue about what the future will hold.

Even the guys who guess right are only shown to be right in retrospect. Things can change in the blink of an eye and everything you thought was your comfort zone becomes a barren and rock-strewn field.

The strange thing is that technology is like fashion. What was thought to be long dead comes back to life and is touted as the shiny, new, next big thing!


LinkedIn Profile
Newbie on www.simple-talk.com
Post #1431885
Posted Saturday, March 16, 2013 6:54 AM
SSCertifiable

Group: General Forum Members
Last Login: Today @ 7:54 AM
Points: 7,814, Visits: 9,562
Jim P. (3/15/2013)
Have you ever seen the XKCD view?

Yes, so I'll never use correct horse battery stable as a password now - everybody and his dog knows it.

Setting the screensaver to 10 minutes (which can be a conversation time with a coworker) by group policy and a lockout policy is about ridiculous.

I agree, doing settings by group policy that need to be under individual control is always ridiculous. Sometimes for privileged logins 10 minutes is much too long, unless you put a "lock now" button in the systray and use it whenever you leave the desk; for other logins it can be too short.


Tom
Post #1431887
Posted Saturday, March 16, 2013 8:43 AM
SSChasing Mays

Group: General Forum Members
Last Login: Tuesday, September 23, 2014 7:42 PM
Points: 635, Visits: 2,215
L' Eomot Inversé (3/16/2013)
Yes, so I'll never use correct horse battery stable as a password now - everybody and his dog knows it.

How about autos world needs gas.

Four simple words is still much harder to crack.

We just had the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF?

----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
Post #1431902
Posted Saturday, March 16, 2013 10:40 AM
SSCertifiable

Group: General Forum Members
Last Login: Today @ 7:54 AM
Points: 7,814, Visits: 9,562
Jim P. (3/16/2013)
How about autos world needs gas.

Four simple words is still much harder to crack.

I think the XKCD cartoon actually underestimates the entropy of four common words. Let's call that 11 bits per word - I suspect that most people intelligent enough to be able to type a password have an active vocabulary quite a lot bigger than 2000 words. Even so, I have a large number of different passwords, and I'm not going to remember them all, so I need a password safe or dictionary, and I want that to be locked by something with a lot more than 44 bits, and even for some of the passwords themselves I want nearly twice that. So I use quite long passphrases - much more than 4 words - and make sure they are something I already know (i.e. quoting something that's already there) and not something I might forget.

That's one of my beliefs that has changed: I used to think it sensible to introduce the odd error into the phrase, but experience soon taught me that this increased the chances of forgetting it by a large factor - years ago I lost my PGP keys that way (and of course couldn't revoke them) - so now I believe it's better to keep the original phrase without perturbation; the perturbation has only a negligible effect on the probability of the phrase being found by guessing.

Within the safe or dictionary the original passwords can of course have much less entropy - I don't think I have any need for more than 80 bits for any of the individual passwords (except for ones that are protecting the private keys of public key encryption pairs), and most things could have much less entropy than that.

We just had the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF?

Not crazy, or at least not exceptionally so, just ordinary people doing what ordinary people do.


Tom
Post #1431913
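The arithmetic behind the figures Tom quotes (11 bits per word from a 2048-word list, 44 bits for four words, 80 bits as a working target, and the small effect of perturbing a phrase), as an added example that is not part of any post in this thread. It assumes words are drawn uniformly at random from a vocabulary of known size, a hypothetical guess rate of 10^9 per second, and, for the perturbation figure, an attacker who knows exactly one printable character was substituted at an unknown position. A phrase an attacker could look up whole (a well-known quotation) gets far less entropy than this model credits it with.

```python
import math

# Added example: passphrase entropy arithmetic behind the figures quoted in
# the thread. Assumes words are drawn uniformly at random (with replacement)
# from a vocabulary of known size; a phrase the attacker can guess as a
# whole (a famous quotation) has far less entropy than this model gives.


def bits_per_word(vocab_size: int) -> float:
    """Entropy contributed by one uniformly chosen word."""
    return math.log2(vocab_size)


def passphrase_entropy_bits(num_words: int, vocab_size: int) -> float:
    """Entropy of num_words words chosen independently from vocab_size."""
    return num_words * bits_per_word(vocab_size)


def words_needed(target_bits: float, vocab_size: int) -> int:
    """Smallest word count that reaches target_bits from this vocabulary."""
    return math.ceil(target_bits / bits_per_word(vocab_size))


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the phrase: on average half the keyspace is searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def perturbation_bits(phrase_length: int, alphabet_size: int = 95) -> float:
    """Extra work from one substituted printable-ASCII character at an unknown
    position, assuming the attacker knows exactly one character was changed
    (a modelling assumption, not a result from the thread)."""
    return math.log2(phrase_length * alphabet_size)


def summary(num_words: int, vocab_size: int, guesses_per_second: float = 1e9) -> dict:
    """Entropy and expected crack time for a word-based passphrase."""
    bits = passphrase_entropy_bits(num_words, vocab_size)
    return {
        "words": num_words,
        "vocab": vocab_size,
        "bits": round(bits, 1),
        "expected_days": expected_crack_seconds(bits, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # Hypothetical guess rate of 1e9/s against an unsalted fast hash.
    for words, vocab in [(4, 2048), (4, 20000), (8, 2048), (12, 2048)]:
        print(summary(words, vocab))
    print("words for 80 bits @2048:", words_needed(80, 2048))
    print("words for 128 bits @2048:", words_needed(128, 2048))
    print("bits from one perturbed char in a 40-char phrase:",
          round(perturbation_bits(40), 1))
```

Four words from the 2048-word list give exactly 44 bits, which a 10^9/s attacker on an unsalted fast hash exhausts in a few hours on average; eight words from the same list reach Tom's 80-bit target and twelve exceed 128 bits. One substituted character in a 40-character phrase adds only about 12 bits under the stated assumption, which is the sense in which the perturbation is negligible next to the phrase itself, while making the phrase much easier to forget.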
Posted Sunday, March 17, 2013 5:30 PM
SSC Rookie

Group: General Forum Members
Last Login: Sunday, March 17, 2013 10:06 PM
Points: 28, Visits: 86
Have you ever seen the XKCD view?

Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

With this idea, your password (how you enter it) is changing slightly every time you access it. The system could get to know that you get tired mid-afternoon and have a slower typing speed, or first thing in the morning have a hard time getting the little finger over to that tricky "Q" key. Other times you like to enter the text "Mary had a little lamb" and highlight the "had" text.

That way it's not the data (user name & password) that really is authorised, it's your persona or you.

Post #1432047
Posted Sunday, March 17, 2013 7:44 PM
SSCertifiable

Group: General Forum Members
Last Login: Today @ 7:54 AM
Points: 7,814, Visits: 9,562
Scott Anderson #2 (3/17/2013)
Have you ever seen the XKCD view?

Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

This is one of the nastiest security myths that exists, and has done quite a lot of damage through having created systems which force people to change passwords frequently, thus ensuring that they can never remember them so they are always sitting there on a post-it note for everyone to see. Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be detected within the period between changes).

The whole "frequent password changes" idea is total nonsense. Changing your password has no effect whatsoever on the chance of it being guessed, or being broken by brute force attack. The only effect it has is on the duration of a compromise - and since the typical time for a broken password to do all the damage it can is rather short, changing your password every rather long time stands very little (approximately zero) chance of reducing the damage - far smaller a chance than the risk that the consequences of changing (maybe communicating passwords, maybe time to learn passwords) will do rather a lot of damage.

If you change your password once a fortnight instead of once a year, you reduce the expected time that a broken password is valid if you don't notice it from six months to a week - so you gain some wonderful extra protection provided it takes you more than a week to notice that someone is misusing your account. What a pitiful benefit that is!


Tom
Post #1432066
Posted Sunday, March 17, 2013 10:06 PM
SSC Rookie

Group: General Forum Members
Last Login: Sunday, March 17, 2013 10:06 PM
Points: 28, Visits: 86
Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

This is one of the nastiest security myths that exists

Re-reading my comment, I didn't fully qualify my brief comment; oops, you are exactly right.

What I should have said was, people generally re-use passwords across systems, thereby opening themselves up to multiple attack vectors. If one of those systems is compromised then it's not hard to find others to try it with. Like with antivirus that only detects 99% of issues, all you need is to be unlucky enough to get that 1%, which makes that 99% not even matter. One can get into a habit of password re-use (or staleness) and suddenly find themselves in trouble. I agree, frequent password changes are never a good thing for the user. Yes, if your password cannot be worked out and the system containing it doesn't get hacked, you can safely use the same password and never need to change it, but does that really happen?

Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be detected within the period between changes).

This one I don't agree with so much. How easy is it to detect a compromise? How do you know when others have your password? How many systems display the number of recent failed attempts (or even since the last successful login) or successful ones, and when they do, do you even take note? Until something destructive or unwanted happens, and especially if you are only a user and cannot access the logs, you wouldn't know what read-only activity has happened. No, a stale password is no benefit here.
Post #1432073
Posted Monday, March 18, 2013 4:58 AM
SSCertifiable

Group: General Forum Members
Last Login: Today @ 9:56 AM
Points: 5,631, Visits: 3,512
Lynn Pettis (3/15/2013)
Okay, drop the religious debate. It will go where we really don't want it to go really fast.


Sorry. My facetious comment was not aimed at any religion but a jocular poke at TravisDBA as he appears to enjoy the banter. My mistake (about the post, not TravisDBA having a sense of humour), sorry.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1432135
Posted Monday, March 18, 2013 10:02 AM
SSC Veteran

Group: General Forum Members
Last Login: Yesterday @ 2:16 PM
Points: 230, Visits: 2,186
In the last 1-2 years, I have given up on religious wars in technology (this should not be taken in any way to have anything to do with real religion). Just part of the list from the last 20 years or so: Mainframe-PC, Windows-UNIX, DB2-IMS/IDMS, Sybase-Oracle-Informix-Ingres, SQL Server-Oracle, PC-Mac, iPhone/iPad-Android. I don't argue about it anymore. Each technology is good for something, and works better for some people. Life is too short, and nobody convinces the other side anyway. I think that my oldest son misses these arguments, at least WRT Apple products.
Post #1432242