Gammon Forum : Forum : Test : testing forum security changes

Log on

Gammon Forum

Entire forum

Forum

Test

testing forum security changes

testing forum security changes

It is now over 60 days since the last post. This thread is closed. Refresh page

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Thu 04 Jun 2009 09:51 PM (UTC)

Amended on Thu 04 Jun 2009 09:59 PM (UTC) by Nick Gammon

Message

testing improved security ...

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Conner USA (381 posts)

bio

Date

Reply #1 on Thu 04 Jun 2009 10:30 PM (UTC)

Message

Did it work?

-=Conner=-
--
Come test your mettle in the Land of Legends at telnet://tcdbbs.zapto.org:4000
or, for a little family oriented medieval fun, come join us at The Castle's Dungeon BBS at telnet://tcdbbs.zapto.org
or, if you just want information about either, check our web page at http://tcdbbs.zapto.org

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #2 on Thu 04 Jun 2009 11:42 PM (UTC)

Message

Yes .... muahahahah!

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

David Haley USA (3,881 posts)

bio

Date

Reply #3 on Fri 05 Jun 2009 05:02 PM (UTC)

Message

Can one inquire as to what was improved? Given your evil cackle it sounds kind of ominous... ;)

David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone

http://david.the-haleys.org

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #4 on Sat 06 Jun 2009 12:27 AM (UTC)

Message

Nothing sinister. As it would be a bit of a disaster if someone guessed my password, as I have administrative rights for the whole forum, I have added a check that my login must be from my static IP address.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Worstje Netherlands (899 posts)

bio

Date

Reply #5 on Sat 06 Jun 2009 04:44 AM (UTC)

Message

That is totally going to break you up one day. While traveling for example, or when your ISP has random issues and you get another IP. ;)

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #6 on Sat 06 Jun 2009 05:35 AM (UTC)

Message

Well, I have ways of amending the IP address (which requires knowledge of a randomly-generated password) ;)

What I really want is one of the cryptographic token devices (my bank gave me one for using with the online banking) which generates a new code every 30 seconds.

I haven't seen them made available as a consumer item, it would be a handy thing to have. I suppose I could make one using a PIC chip, an LCD display, and a bit of programming.

I notice Blizzard have released such a thing as an iPhone app, so you can optionally use the code it generates when logging into BattleNet, which protects you somewhat against password phishing.

I had a system a while ago, not sure if it still works, to generate a list of once-only passwords for using when travelling. So, even if a PC in an internet cafe isn't secure (eg. it remembers passwords, or the traffic is logged) then each password is only good for the first time it is used.

Just to get on my soapbox for a moment, the problem with passwords is that are either:

Easy to remember, but not secure; or
Nice and long, with random characters, and (almost) totally secure BUT you have to write it down somewhere because you can't remember it

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Worstje Netherlands (899 posts)

bio

Date

Reply #7 on Sat 06 Jun 2009 07:25 AM (UTC)

Message

You clearly gave it plenty of thought. ;)

You'll now see you'll forget to log out while in your internet cafe, and end up in all the trouble you can imagine and then some.

The problem with thinking of long and useful passwords is thinking of them in the future. I have found a somewhat useful guideline. For banking.. I remember one bank in one game rather fondly, so I ended up using the name of the ingame bank president as my password, plus some obfuscation. It takes me a while to recall at first, but soon it is second nature.

I reckon passwords by association are a good way to handle the theoretical password dilemma - just don't be too predictable nor falling back to the same passwords all the time.

top

Posted by

Conner USA (381 posts)

bio

Date

Reply #8 on Sat 06 Jun 2009 05:52 PM (UTC)

Message

I've found that, in my opinion, the password game comes down to a matter of "how important is the security this password needs to provide?" because in some cases it's much more worthwhile to use a simple password you can recall easily than to worry about creating yourself a really secure password anyway.

Personally, I tend to take things that are really important to me and generate passwords based on phrases about them, for those passwords that I consider high security issues, and for most things I just use one of a half dozen or so passwords that I keep for "everything else". That way, even if someone learns my "standard" passwords, most sites will lock them out before they guess which one I used and even if they get in, it wasn't something critical to me anyway. For the things that are critical, they've got the wrong set entirely. ;)

As for the dire predictions of locking yourself out while traveling or because your ISP had a random glitch and changed your IP on you. The simple solution is while your traveling be on vacation from the forum administration and should your ISP screw up, make them correct their screw up.

I will agree with Worstje about one aspect of his posts though, it does sound like you thought this out pretty thoroughly and have already established contingencies for yourself in a very sensible manner.

As for the cryptographic token devices.. I can't imagine that battlenet player security merits that degree of security.. honestly, I can't think of too much beyond banking (financial stuff in general) and government security type stuff that really does. If you really want one though, you could try a google search for them and check out sites like [url]http://www.scdeveloper.com/Readers/CryptoMate.htm[/url] which features one for sale for $59.95 that offers full encryption support and is small enough to carry everywhere. (just the first link I followed from the search I did: [url]http://www.google.com/search?q=cryptographic+token+devices&btnG=Search&hl=en&safe=off&client=opera&rls=en&hs=Tff&num=100&sa=2[/url] so your results may vary...)

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #9 on Sat 06 Jun 2009 10:17 PM (UTC)

Message

I was thinking of one of these things:

You don't plug it into anything, you just carry it, thus it is a security item that you possess, rather than something you know. When prompted, you press the button and the gadget displays a number, which you type into the web page. I think the whole thing works based on the time of day.

It probably wouldn't be that hard to make - you register a code on the back of the device with your web site (the bank in this case), and what I am guessing happens is that it hashes up that code, with the current time rounded to 30 seconds, to give a number which it shows on the front. The bank also knows the current time, and your registered code, and hashes them together too, and thus if you have the same result, you must possess the device.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

Conner USA (381 posts)

bio

Date

Reply #10 on Sun 07 Jun 2009 06:34 PM (UTC)

Message

I was issued a device like that at one job I had back in 2000, I don't know what it's hashing with an have no idea what algorithm it'd use but I do know generally how they work and you could probably make one the way you described easily enough. In fact, if yours hashed the time rounded to the nearest 30 seconds with the code you assigned it and that's not the way the rest of them work, yours would just be that much more secure. I hadn't delved deeply enough into my search to see if anyone was marketing a device that wasn't usb based, but if the company I'd worked for at the time was able to issue me one, someone's got them available for 'public' purchase. On the other hand, it may be that whoever sells them does so in rather large minimum order quantities which could make them a bit prohibitive for private use like you've got in mind.

top

Posted by

David Haley USA (3,881 posts)

bio

Date

Reply #11 on Mon 08 Jun 2009 03:49 PM (UTC)

Message

I sometimes wish my bank issued RSA gizmos like that. At work we need to log in to the VPN using one.

Unlike yours, we don't have to register a code on the device itself. What we do is have a password, say 12345, and then to log on to the VPN, you add the RSA token to your password. So if your password is 12345, and the RSA token reads 123456, you would enter: 12345123456

My assumption is that it works similarly to what you described under the hood, although it probably has some more hashing going on so that it doesn't have to store passwords in clear on its end.

Quote:
Just to get on my soapbox for a moment, the problem with passwords is that are either:

* Easy to remember, but not secure; or
* Nice and long, with random characters, and (almost) totally secure BUT you have to write it down somewhere because you can't remember it

I have many passwords that are easy for me to remember because I apply well-known (to me... :P) transformation algorithms to words or phrases that are also well-known (again to me). This lets me relatively easily shuffle words between websites, although I guess the transformation is still a common point of failure.

For this reason I am extremely irritated by websites that restrict the kinds of characters I can use (seriously -- no punctuation??), as it messes up my transformation, and I end up having to pick passwords that I can't remember nearly as well.

I "write things down" using a program called PasswordSafe that encrypts things on disk. So I still have one password to unlock that safe, and if you do a lot of passwords are right there, but I figure it's "relatively safe" considering that it's only on my local hard drive. I guess my desktop computer would have to be physically stolen or hacked into in order to get access to the file in the first place, and then you'd have to know the password.

David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone

http://david.the-haleys.org

top

Posted by

Nick Gammon Australia (22,975 posts)

bio Forum Administrator

Date

Reply #12 on Mon 08 Jun 2009 09:18 PM (UTC)

Message

Yes I use PasswordSafe as well, bearing in mind it is a fairly obvious place for attackers to start their attack at. Get one password and you have the lot! Plus, the password for this still has to be memorable, but secure. Oh well.

Your idea of memorable phrases is a good one, and one that is recommended by some security sites. You still need it to be fairly long. I discuss this a bit here:

http://www.gammon.com.au/forum/bbshowpost.php?id=4988

To quote myself for a bit:

Quote:

Use the calculator to work out;

log (combinations) / log (2)

You can use log to the base 10, or natural logs, you will get the same answer.

eg.

log (26) / log (2) = 4.7004

Now multiply by the length of the word you are planning to use. For example, "swordfish" = 9 characters.

entropy = 4.7004 * 9 = 42.30 bits

In your case David, assuming your password uses the characters 0x20 to 0x7F you have 96 combinations (128 - 32). So you have log (96) / log (2) bits of entropy per character which is 6.584 bits. So, say you want to have 128 bits of entropy in your password (ie. the equivalent to a randomly-generated 128 bit key) you need a password which is about 19 characters long (128 / 6.584). And if letters figure much more frequently than punctuation the entropy takes a dive.

Thus I am hoping that your transformation does not end up with only a 10-letter password.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

top

Posted by

David Haley USA (3,881 posts)

bio

Date

Reply #13 on Mon 08 Jun 2009 10:22 PM (UTC)

Message

That's a good point. My passwords (the ones I actually care about, e.g. for my bank, computers, etc.) are typically no shorter than 10 characters, and sometimes go up to 20. The transformation itself is more a way to remember it if I forget the actual sequence; usually I end up memorizing the sequence itself after typing it enough times.

David Haley aka Ksilyan
Head Programmer,
Legends of the Darkstone

http://david.the-haleys.org

top

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).

To show them in your local time you can join the forum, and then set the 'time correction' field in your profile to the number of hours difference between your location and UTC time.

42,656 views.

It is now over 60 days since the last post. This thread is closed. Refresh page

Go to topic: Search the forum

top

Quick links: MUSHclient. MUSHclient help. Forum shortcuts. Posting templates. Lua modules. Lua documentation.

Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.