Inconsistency


john.arnott
I moved from mainframe work into PCs in the late 80s, developing on OS/2. When Microsoft divorced IBM and renamed their version of that OS "NT", I was convinced that the big blue product would be recognized as superior and would be the end of MS dominance. I even bought into the Microsoft bashing (I hate to admit), referring to "win-doze". By the end of the 90s, I'd clipped and hung on our fridge a Nicole Hollander "Sylvia" cartoon that summed up my experience and new attitude (it's dated 8/12/98). I hope I'm not pushing copyright law too far by quoting it.

She introduces her character as 'the woman who worries about everything, doesn't have a computer, cell phone or smart card because she knows what's new today will be obsolete tomorrow.' Then the character, sitting at a desk lit by a hurricane lamp, muses 'You'll notice that no one's bidding on old computers at Sotheby's. You can't give them away. No, they molder down in the basement... along with that Beta VCR you thought you were so clever buying because it was better than VHS and cheaper.'
David.Poole
I think I've learnt that even the well informed and smart people only have a vague clue about what the future will hold.

Even the guys who guess right are only shown to be right in retrospect. Things can change in the blink of an eye and everything you thought was your comfort zone becomes a barren and rock strewn field.

The strange thing is that technology is like fashion. What was thought to be long dead comes back to life and is touted as the shiny, new and the next big thing!

Newbie on www.simple-talk.com
TomThomson
Jim P. (3/15/2013)
Have you ever seen the XKCD view?

Yes, so I'll never use correct horse battery stable as a password now - everybody and his dog knows it.


Setting the screensaver to 10 minutes (which can be a conversation time with a coworker) by group policy and a lockout policy is about ridiculous.

I agree, doing settings by group policy that need to be under individual control is always ridiculous. Sometimes for privileged logins 10 minutes is much too long, unless you put a "lock now" button in the systray and use it whenever you leave the desk; for other logins it can be too short.

Tom

Jim P.
L' Eomot Inversé (3/16/2013)
Yes, so I'll never use correct horse battery stable as a password now - everybody and his dog knows it.

How about autos world needs gas.

Four simple words are still much harder to crack.

We just had the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF?



----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
TomThomson
Jim P. (3/16/2013)

How about autos world needs gas.

Four simple words are still much harder to crack.

I think the XKCD cartoon actually underestimates the entropy of four common words. Let's call that 11 bits per word - I suspect that most people intelligent enough to be able to type a password have an active vocabulary quite a lot bigger than 2000 words. Even so, I have a large number of different passwords, and I'm not going to remember them all, so I need a password safe or dictionary and I want that to be locked by something with a lot more than 44 bits, and even for some of the passwords themselves I want nearly twice that. So I use quite long passphrases - much more than 4 words - and make sure they are something I already know (i.e. quoting something that's already there) and not something I might forget.

That's one of my beliefs that has changed: I used to think it sensible to introduce the odd error into the phrase, but experience soon taught me that this increased the chances of forgetting it by a large factor - years ago I lost my PGP keys that way (and of course couldn't revoke them) - so now I believe it's better to keep the original phrase without perturbation; the perturbation has only a negligible effect on the probability of the phrase being found by guessing.

Within the safe or dictionary the original passwords can of course have much less entropy - I don't think I have any need for more than 80 bits for any of the individual passwords (except for ones that are protecting the private keys of public key encryption pairs), and most things could have much less entropy than that.

We just had the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF?

Not crazy, or at least not exceptionally so, just ordinary people doing what ordinary people do.

Tom
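The passphrase arithmetic in the post above, worked through in code as an added example (this is not Tom's code or anything from the thread): bits per word and total bits for words drawn uniformly from a list, the number of words needed to reach a target such as the 44, 80 and 128 bits discussed, and the time to exhaust the space at a fixed guess rate. The list sizes (2048 as implied by the XKCD strip, 20,000 standing in for a larger active vocabulary) and the guess rates (the strip's 1000/s for an online attack, an assumed 1e10/s for an offline attack on a fast hash) are illustrative assumptions, not figures from the thread. The one caveat the code states in its own docstring is that the formula only holds for a uniformly random draw; a phrase quoted from memory is not one.

```python
"""Passphrase entropy arithmetic (added example, not code from the thread).

Assumptions, labelled here and in the lead-in: words are chosen uniformly at
random from a fixed list (with replacement); the list sizes and guess rates
used in main() are illustrative values, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_per_word(vocabulary_size: int) -> float:
    """Entropy of one word drawn uniformly from a list of vocabulary_size words.

    Uniform random choice is what makes this valid; a phrase the user
    composes or quotes from memory is not a uniform draw, and this formula
    overstates its strength.
    """
    if vocabulary_size < 2:
        raise ValueError("vocabulary must contain at least two words")
    return math.log2(vocabulary_size)


def passphrase_bits(vocabulary_size: int, word_count: int) -> float:
    """Total entropy of word_count independent uniform draws."""
    if word_count < 1:
        raise ValueError("a passphrase needs at least one word")
    return word_count * bits_per_word(vocabulary_size)


def words_needed(target_bits: float, vocabulary_size: int) -> int:
    """Smallest word count whose entropy is at least target_bits."""
    return math.ceil(target_bits / bits_per_word(vocabulary_size))


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to try every phrase in a space of 2**bits at a fixed rate.

    An attacker succeeds after half the space on average, so the expected
    time is half of this.
    """
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second


def summarize(vocabulary_size: int, word_count: int,
              guesses_per_second: float) -> dict:
    """Collect the figures a reviewer would ask for into one record."""
    bits = passphrase_bits(vocabulary_size, word_count)
    return {
        "vocabulary": vocabulary_size,
        "words": word_count,
        "bits": bits,
        "years_to_exhaust": worst_case_seconds(bits, guesses_per_second)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Illustrative inputs (assumptions): a 2048-word list as implied by the
    # XKCD strip, a 20,000-word list standing in for a larger active
    # vocabulary, the strip's 1000 guesses/s for an online attack, and an
    # assumed 1e10 guesses/s for an offline attack on a fast hash.
    for vocab in (2048, 20000):
        for rate in (1e3, 1e10):
            row = summarize(vocab, 4, rate)
            print(f"{row['vocabulary']:>6}-word list, 4 drawn: {row['bits']:.1f} bits, "
                  f"{row['years_to_exhaust']:.3g} years at {rate:.0e} guesses/s")
    for target in (44, 80, 128):
        print(f"{target} bits needs {words_needed(target, 2048)} words from 2048 "
              f"or {words_needed(target, 20000)} from 20000")
```

Run it and the two halves of the post's argument show up as numbers: four words from a 2048-word list give 44 bits and about 557 years to exhaust at 1000 guesses/s, but under two hours at the assumed offline rate, which is why a safe's master passphrase wants far more words than four; 80 bits needs 8 words from a 2048-word list or 6 from a 20,000-word one.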

Scott Anderson #2
Have you ever seen the XKCD view?

Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

With this idea, your password (how you enter it) is changing slightly every time you access it. The system could get to know that you get tired mid-afternoon and have a slower typing speed or the first thing in the morning have a hard time getting the little finger over to that tricky "Q" key. Other times you like to enter the text "Mary had a little lamb" and highlight the "had" text.

That way it's not the data (user name & password) that really is authorised, it's your persona or you.
TomThomson
Scott Anderson #2 (3/17/2013)
Have you ever seen the XKCD view?

Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

This is one of the nastiest security myths that exists, and it has done quite a lot of damage through having created systems which force people to change passwords frequently, thus ensuring that they can never remember them, so they are always sitting there on a post-it note for everyone to see. Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be detected within the period between changes).

The whole "frequent password changes" idea is total nonsense. Changing your password has no effect whatsoever on the chance of it being guessed, or being broken by brute force attack. The only effect it has is on the duration of a compromise - and since the typical time for a broken password to do all the damage it can is rather short, changing your password every rather long time stands very little (approximately zero) chance of reducing the damage - a far smaller chance than the risk that the consequences of changing (maybe communicating passwords, maybe time to learn passwords) will do rather a lot of damage.

If you change your password once a fortnight instead of once a year, you reduce the expected time that a broken password is valid if you don't notice it from six months to a week - so you gain some wonderful extra protection provided it takes you more than a week to notice that someone is misusing your account. What a pitiful benefit that is!

Tom
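The expected-exposure argument in the post above, written out as an added worked model (not Tom's code or anything posted in the thread). The model's assumptions, which are mine for illustration: the attacker obtains the password at a moment uniformly distributed over the rotation period, so the remaining validity is uniform on [0, P]; the owner notices misuse and revokes after a fixed detection delay D; the exposure window is whichever ends first. It does not model offline cracking or reuse across systems, and it assigns no cost to the rotation itself. The closed form is checked against a plain numeric average so the algebra does not have to be taken on trust. The year and fortnight are the post's figures; the detection delays are assumed values.

```python
"""Expected exposure of a compromised password under forced rotation
(added example, not code from the thread).

Model assumptions, stated here and in the lead-in:
  * the attacker obtains the password at a moment uniformly distributed over
    the rotation period P (days), so the remaining validity is uniform on [0, P];
  * the owner notices misuse and revokes after a fixed delay D (days);
  * exposure is min(remaining validity, D); whatever damage the attacker
    manages inside that window is outside the model.
"""


def expected_exposure_days(rotation_days: float, detection_days: float) -> float:
    """E[min(U, D)] for U uniform on [0, P], in closed form.

    For D >= P the rotation always ends exposure first, giving P / 2.
    For D <  P, integrate min(x, D) over [0, P] and divide by P:
    (D^2 / 2 + D * (P - D)) / P = D - D^2 / (2P).
    """
    P, D = rotation_days, detection_days
    if P <= 0:
        raise ValueError("rotation period must be positive")
    if D < 0:
        raise ValueError("detection delay cannot be negative")
    if D >= P:
        return P / 2
    return D - D * D / (2 * P)


def expected_exposure_numeric(rotation_days: float, detection_days: float,
                              steps: int = 200_000) -> float:
    """Midpoint-rule average of min(remaining, D) over the rotation period,
    used to check the closed form without trusting the algebra."""
    P = rotation_days
    total = 0.0
    for i in range(steps):
        remaining = P * (i + 0.5) / steps
        total += min(remaining, detection_days)
    return total / steps


def days_saved_by_rotation(old_rotation_days: float, new_rotation_days: float,
                           detection_days: float) -> float:
    """Reduction in expected exposure from shortening the rotation period."""
    return (expected_exposure_days(old_rotation_days, detection_days)
            - expected_exposure_days(new_rotation_days, detection_days))


if __name__ == "__main__":
    year, fortnight = 365.0, 14.0
    # Detection delays are assumed values: an hour, a day, a week, and
    # "never" (a delay longer than any rotation period).
    for label, delay in (("1 hour", 1 / 24), ("1 day", 1.0),
                         ("1 week", 7.0), ("never", 1e9)):
        saved = days_saved_by_rotation(year, fortnight, delay)
        print(f"detect after {label:>6}: yearly {expected_exposure_days(year, delay):8.3f} d, "
              f"fortnightly {expected_exposure_days(fortnight, delay):6.3f} d, "
              f"rotation saves {saved:7.3f} d")
```

With detection switched off the model reproduces the post's "six months to a week" (182.5 days versus 7). Once a detection delay is in play the saving shrinks fast: with a one-week delay, moving from yearly to fortnightly rotation saves under two days of expected exposure, and with a one-day delay under an hour. The parameter that moves the result is D, the time to notice and revoke, which is the point the post is making.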

Scott Anderson #2
Yes, which leads to yet another problem, password staleness. You may have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.

This is one of the nastiest security myths that exists

Re-reading my comment, I didn't fully qualify my brief comment; oops, you are exactly right.

What I should have said was that, as people generally re-use passwords across systems, they thereby open themselves up to multiple attack vectors. If one of those systems is compromised then it's not hard to find others to try it with. Like with antivirus that only detects 99% of issues, all you need is to be unlucky enough to get that 1%, which makes that 99% not even matter. One can get into a habit of password re-use (or staleness) and suddenly find themselves in trouble. I agree, frequent password changes are never a good thing for the user. Yes, if your password cannot be worked out and the system containing it doesn't get hacked, you can safely use the same password and never need to change it, but does that really happen?

Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be detected within the period between changes).

This one I don't agree with so much. How easy is it to detect a compromise? How do you know when others have your password? How many systems display the number of recent failed attempts (or even since the last successful login) or successful ones, and when they do, do you even take note? Until something destructive or unwanted happens, and especially if you are only a user and cannot access the logs, you wouldn't know what read-only activity has happened. No, a stale password is no benefit here.
Gary Varga
Lynn Pettis (3/15/2013)
Okay, drop the religious debate. It will go where we really don't want it to go really fast.


Sorry. My facetious comment was not aimed at any religion but a jocular poke at TravisDBA as he appears to enjoy the banter. My mistake (about the post, not TravisDBA having a sense of humour), sorry.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
lptech
In the last 1-2 years, I have given up on religious wars in technology (this should not be taken in any way to have anything to do with real religion). Just part of the list from the last 20 years or so: Mainframe-PC, Windows-UNIX, DB2-IMS/IDMS, Sybase-Oracle-Informix-Ingres, SQL Server-Oracle, PC-Mac, iPhone/iPad-Android. I don't argue about it anymore. Each technology is good for something, and works better for some people. Life is too short, and nobody convinces the other side anyway. I think that my oldest son misses these arguments, at least WRT Apple products :-)