|
Ahhh but you see that's not its only purpose.
I suppose if I visited that section in a different mind-set I'd be disappointed and frustrated.
The experience I have is in fact, the opposite.
Perhaps that's because I consider it the go-to place for comedy. (It always delivers)
|
|
|
|
|
Are you implying that Richard is bald and nuts?
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
Nelek wrote: Are you implying that Richard is bald and nuts? Definitely the first, and probably the second.
|
|
|
|
|
No; I'm stating that I am.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
They are probably not hashing the password.
I had a similar experience not long ago where, not only were they not hashing the password but, on signup, they sent me the password in clear text to my email (and every month since) and, they published my email on their website feed celebrating the fact that they had one more costumer.
I complained about all that and they told me that they stored the passwords in clear text so that they could better help costumers having trouble signing in.
When I then asked them to erase my account they told me they couldn't because it would break their system since it was not prepared to remove accounts. So much for the right to forget.
|
|
|
|
|
ElectronProgrammer wrote: they couldn't because it would break their system At which point you should offer your services to redo their website (spit) to conform to legal requirements, at a reasonably inflated price of course.
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
|
|
|
|
|
Unfortunately I do not know web programming (only some basic HTML 2.0 without CSS).
But I would be able to redo implement their database with proper password hashing .
|
|
|
|
|
The only tool you need is a sledge hammer to adjust their servers with. No webby code crap needed.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
|
|
|
|
|
ElectronProgrammer wrote: When I then asked them to erase my account they told me they couldn't because it would break their system since it was not prepared to remove accounts. That's the typical moment where a "you'll soon hear from my lawyer" (even when it might be a lie) is pretty handy.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
They probably don't sanitize their database inputs either, so... obligatory xkcd: Exploits of a Mom
(Doing this probably breaks the law. Kids, don't try this at home!)
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
Far and away my favourite of the series.
|
|
|
|
|
Oh, Intel do this too, so I am sure it is alright. Right?
They also store previous passwords so you can not re-use them. Useful... not!
|
|
|
|
|
Why would one need plain text for that?..
|
|
|
|
|
Mark Tumilty wrote: They also store previous passwords so you can not re-use them.
It's crazy. And just today I got an email from google on one of my "subscription account emails -- used for dumping ground" that said,
Google said:
"Google found some of your passwords online. Anyone who finds them can access your accounts.
Your Google Account is still secure. This leak came from somewhere else on the web, and you can secure your saved passwords now using Password Manager."
How do they know my password? If they know it, why don't they tell me the pwd so I can know which one they are talking about. It's crazy.
|
|
|
|
|
Google can take the password displayed online and test it against your account.
They do not need to know it.
Login to google from your own link and change it.
|
|
|
|
|
englebart wrote: Google can take the password displayed online and test it against your account.
I really had to think about what you meant.
You mean they hash the one they found online and then test it against the hash that they stored for my password. Hmmm...Interesting.
thanks for making me think that through more clearly.
|
|
|
|
|
Quote: nly 32 chars pwd -- Usually use 64 Wow, do you hash the passwords in your brain?
"In testa che avete, Signor di Ceprano?"
-- Rigoletto
|
|
|
|
|
No need to hash : ThisByteThisByteThisByteThisByteThisByteThisByteThisByteThisByte.
|
|
|
|
|
CPallini wrote: Wow, do you hash the passwords in your brain?
All my passwords are sha-256 hashes. For realz.
I wrote this program[^] which allows you to draw your password.
It's all FOSS (fully open source software), runs on all major platforms, and you can get all the source code at my github[^].
And you can even try it in your browser[^] with nothing to install.
|
|
|
|
|
A password generator you activate with a key and a pattern?
You liar!!!!
Nice job.
"In testa che avete, Signor di Ceprano?"
-- Rigoletto
|
|
|
|
|
raddevus wrote: web site login
I am not into web design, but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
|
|
|
|
|
Rage wrote: but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
That is spot on! This is the entire issue. There are so many ways to do authentication and it changes constantly and it's just a huge cluster out there. It's confusing and annoying and you could probably make a trillion $ if you could just summarize it and make it work easily for devs.
If you take the time to even do a basic search about it you'll fall down a rabbit hole and into another dimension, because the Internet is clogged up with all the ideas about authentication from the Epoch til now. It's all just a huge ball of mud.
|
|
|
|
|
Use sources like OWASP. They have great, simple (for security) guides.
If only my teammates would use them.
|
|
|
|
|
Sometimes I really hate Windows. Two triggers for this are updates change the power management settings to default, so the screensaver doesn't work any more, and the Caps Lock key loses its toggled state at every reboot or sleep cycle.
I had the second one solved a few years ago, with a scheduled task at bootup to run a simple custom NumLockChanger program. About 9 months ago or so it stopped working. Played with it a bit, and for some reason could never get it to work, although it had previously responded to the 31/131 task just fine. Cussed a lot, and never got to the bottom of it.
Changed the event being responded to to 'unlocking of workstation' yesterday. Now it works fine, although I don't have the NumLock key activated during password entry. Good enough! Microsoft - don't change this any more!!! And fix the power management bug!
1 out of 2 - success!
|
|
|
|
|
David O'Neil wrote: the screensaver doesn't work any more
If only I was that lucky.
I'm on a domain that has a policy that forces the lock screen to show up after 5 minutes of inactivity. (I'm assuming that "screensaver" in this case is interchangeable--who needs a screensaver in this day and age?)
I would love to have that disabled, especially since the machine is a remote VM that can only be access over VPN. Having its screen locking automatically provides absolutely zero benefit to anyone.
|
|
|
|