Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Polls on the front page of Slashdot? Is the world coming to an end?! Nope; read more about it. ×

Comment: Re:Related to the Boston Marathon how? (Score 3, Insightful) 246

by hatemonger (#49415079) Attached to: Watching a "Swatting" Slowly Unfold
So you think police don't need to take threats seriously in places where they haven't already had terrorist attacks?

He most certainly is dropping the "Boston Marathon" name to get more clicks. If it was actually relevant enough to base the article title on, then the implications, history, and potentially different police response would all get talked about in the article. As it stands, it's only mentioned once in an otherwise unnecessary last paragraph. Because it's clickbait.

Comment: Re:Why? (Score 4, Insightful) 279

Profanity is a crutch.

Empty platitudes repeated by people who dislike profanity for the sake of feeling good about themselves. Profanity is one of many tools that people can use to express themselves, and it is completely unrelated the strength of the points being argued. The sun is fucking hot, the sky is damn blue, and shit like "profanity is the sign of a weak argument" is ignorant and fallacious.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 1) 267

by hatemonger (#49374991) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
For someone who does want an online identity, password management software is by far the best option for anyone with a moderately valuable one. Of course there isn't a perfect solution, but it would be wronger than wrong to suggest that since there are ways to subvert password management software, then it's no better than memorization. A good camera angle or keylogger will steal your memorized passwords as you type them just as easily as it will from a password manager. Easier, in many cases. And your "single point of failure" argument is weakened by the fact that even a moderate password locking a database of one of the popular password managers would be resistant to years of offline attack. I mean, sure, the lack of convenience is an argument against using a password manager, but it's also an argument against wearing a seatbelt. It's needlessly risky to type a memorized password into a site where you have no visibility on what they're doing with it, what security they have in place to detect breaches, or even if they'd notify you when your credentials were stolen. Monitoring your credit report is a valuable part of a defense in depth but not as an alternative to good password practices.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 1) 267

by hatemonger (#49371327) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
Not really. If "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" isn't safe, your choice of mixed song lyrics probably isn't, either, asuming a malicious actor is trying to figure out the input when they know the MD5 output. And if they've compromised a site that was storing your password in plaintext, your password strength is completely irrelevant. Like I said, the real issue is password reuse, and it's impossible for a human to memorize good, unique passwords for every site they visit. Password managers are the only solution for people who value their online identity.

Comment: Re:How about... (Score 2) 267

by hatemonger (#49350023) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
Yes, "don't outrun the bear; outrun your companion" is a fair strategy in computer security. But if you're made of particularly juicy and delicious man-meats (which would be analogous to having your name be Brian Krebs or Jennifer Lawrence or being a Google employee or having a three letter twitter handle), some bears might decide that it's worth a little extra effort to run you down instead. It's a personal decision as to how much effort you're willing to put into protecting your online identity.

Comment: Re:Yes, but.... (Score 1) 267

by hatemonger (#49349971) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
I'm not so sure about "probably". I'd say it's probable that if they're restricting length then at some point they were being stupid like storing passwords in a VARCHAR(8), but lots of times those restrictions get kept for backwards compatibility even after they've upgraded how they're storing passwords. The best canary in the coalmine is whether they'll email or display your old password as part of the password reset process.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 1) 267

by hatemonger (#49349917) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
That's a tough battle to fight. Users, when faced with making a decision between fulfilling their immediate digital urge and being safe, will choose to fulfill their digital urge 99% of the time. If "being safe" was an option presented via dialogue box, 99% of the 1% that initially chose to be safe will repeat the action so they can make the digital urge fulfillment choice instead.

Comment: Re:How about... (Score 1) 267

by hatemonger (#49349835) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
So the bad guy just got the password database from hacking slashdot and sees your password is sahcorrecthorsebatterystaple. The bad guy pulls up another password leak from hellokittyislandadventure.com, and sees an account with the same email address uses the password hlocorrecthorsebatterystaple as a password. It's entirely possible they'll figure it out given enough data points. You're right that it's an edge case, since nowadays the bad guys aren't doing much of that since there are so many users using "letmein" and "Password1", so you have to make a decision. Given the number of places you're reusing your password strategy, your knowledge (or lack thereof) of trends in identity theft via password leaks, and the value you place in your online identity, is it worth using password management software instead of memorizing a password algorithm?

In favor of password managers, when banks do stupid stuff like that you can use the software to make truly random passwords that follow those requirements. No need to modify your algorithm to fit within stupid restrictions.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 1) 267

by hatemonger (#49349735) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
Well, no. That's an entirely different type of attack, requiring entirely different skills and resources. Script kiddies are perfectly able to download a bunch of leaked databases, look for username or email address matches between them, read the passwords in plaintext, guess that you're using the site name or url to modify your passwords, and then try your username and password on amazon or banking or webmail sites. They're not going to be able to say "Man, look at that guy's password! I should hack a trojan onto his computer by backtracing his IP address using a Visual Basic GUI!"

Also of note, KeePass has defenses against keyloggers.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 1) 267

by hatemonger (#49349623) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
Every everything is vulnerable. You have to make choices to minimize your vulnerability given the current risk environment. You're millions of times more likely to have your password leaked because it was stored in an insecure manner on a vulnerable server than to be subjected to a crowbar hack, so you should prioritize your defense accordingly.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 2) 267

by hatemonger (#49349557) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
Treating numerous accounts as "low security" and reusing your passwords across them is still dangerous, in my opinion, but it's up to you whether the effort of storing those extra passwords in your password management program is worth the added security. Information gleaned from multiple "low security" accounts could potentially be combined to get access to your high security accounts. And once you get password management software set up, I've found it's much easier than remembering and typing, even for the accounts I don't care about. Autofill is glorious, and I really love never having to play the game of "have I already registered for this site?"

Repel them. Repel them. Induce them to relinquish the spheroid. - Indiana University fans' chant for their perennially bad football team

Working...