
Comment Re:Scripts that interact with passwords fields aws (Score 1) 365

n00bs, eh? I've been in the software business for almost 40 years, you young whippersnapper.

I suggest you study texts on encryption, and maybe read the technical details of how a good cloud-based password manager like LastPass actually works. https://lastpass.com/whylastpa... https://lastpass.com/support.p...

Your super-whiz-bang method still requires a password, it seems. Without a password manager, users will still need to remember their password and many will either reuse passwords from other sites or choose simple ones. The image/caption thing you talk about is often used as an anti-phishing technique, but that's not authentication. If you're requiring the user to choose from among multiple pictures or captions, then that's effectively another one or two passwords. Yes, it will make it harder to attack YOUR site through the web interface, but doesn't itself strengthen protection of the users' passwords.

The goal for password managers is not to protect individual sites, it's to protect the users against their own misuse of passwords and reducing the risk when some site (not yours, hopefully) gets hacked and has their password database stolen. (How do you hash the passwords for your sites? Still using MD5?)

Comment Re:Scripts that interact with passwords fields aws (Score 2, Insightful) 365

Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)

Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)

Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.

Comment Re:Scripts that interact with passwords fields aws (Score 5, Interesting) 365

LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.

I agree with the article - blocking password managers lowers security.

Comment Re:For an alternative (Score 1) 581

And your entire argument is essentially framing the discourse into something no one has demanded.

However, there is a bit of misrepresentation, as reddit originally posited that they were a bastion of free speech. And while it is fashionable to view it as reddit, out of the goodness of their hearts, provided a free platform for miscreants to corrupt the youth, the other side to that is users operated in good faith that reddit would keep their end of the agreement in creating free content.

Not like they can take their ball and go home now is it?

And regardless, criticizing reddit does fall under free speech, does it not? The government aspect is just a red herring.

Comment Re:For an alternative (Score 1) 581

Brilliant!

Similarly, being in prison doesn't prevent you from voicing your opinions. Nor does being fined millions of dollars (just earn more money, citizen, so you too can enjoy the same freedoms of billionaires!) Nor does it prevent you from setting up a website to discuss controversial opinions.

Except when it does (funny how credit card companies refused to process donations to Wikileaks right after the release of the Afghan War Diary. But that was just private companies exercising their rights not to make a profit, and had nothing to do with government collusion. Nosiree!).

You might be a little slow on the uptake, but the definition of censorship doesn't specify government and non-government, and as there have been numerous other websites that were harangued by both governments and private companies being leaned on by governments.

You probably think a private company contracted by the government to doesn't abridge 4th amendment protections because, get this, it isn't the government doing it.

Except for the legislative framework that made it legal in the first place.

Idiot.

Comment Re:Here we go again. (Score 1) 122

The basically stupid idea is the ability to download and run Turing-complete code from unknown sources in supposed "safety". This has nothing to do with actual applications written in Java which is a reasonably secure language, certainly more secure than C or C++ (no buffer overflows, etc.).

The broken sandbox is completely orthogonal to whether or not Java is a POS. It's a feature, a broken feature, but not one that you're required to use and a well-written application, in any language, does not attempt to run Turing-complete code from unknown sources.

Comment Re:Greeks surrender: no restructuring (Score 3, Insightful) 485

They don't expect the austerity measures to grow the economy. They expect the austerity measures to provide a hard landing rather than an outright crash. The idea is to loan them money until they are roughly self-sustaining and no one expected that to be anything other than painful but still less painful than having the budget cut overnight when they can't get any more loans.
