By expanding the character set, yes, it increases, BUT forcing all passwords to follow rules decreases the number of possible options. Let's say someone was to get a password by brute force. By telling them the user's password has 1 upper case letter, 1 lower case letter, a number, and a symbol, it means the number of tries they need is significantly less. By allowing the user to decide what they want, the hacker has to try harder. Popnoodles Jan 25 '13 at 0:17
@popnoodles That's an excellent point that I totally missed: I gave the suggestion as placing a hard-requirement that would limit the number of possible plaintexts. Thanks for pointing that out! Robert K Jan 25 '13 at 15:52
"This will improve the entropy of the password" - if you force somebody to use at least one number then you've reduced the entropy of the password as there are only 10 digits to choose from PP. Sep 12 '13 at 15:28
@RobertK not sure why you personally attacked me with sarcasm there - "cliff-notes version". I'll ask the moderators to give you a temporary suspension because it was out of order. PP. Sep 13 '13 at 11:29
@PP. I don't understand what you read as sarcasm. The TL;DR section at the top of my answer is the "cliff-notes version" of the long part of my answer. All I asked was that you respond to specific points in the relevant section, rather than the TL;DR summary which doesn't contain any of the debate about the subject. Robert K Sep 13 '13 at 15:19
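The search-space argument in the comments above, worked through as an added example that is not part of the original thread: count the length-n strings over the 94 printable ASCII characters (an assumed split of 26 upper, 26 lower, 10 digits, 32 symbols) that satisfy an "at least one of each required class" policy, via inclusion-exclusion, and compare the result with the unconstrained count in bits.

```python
from itertools import combinations
from math import log2

# Assumed character classes of printable ASCII (26 + 26 + 10 + 32 = 94).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())


def count_unconstrained(length, alphabet=ALPHABET):
    """Strings of `length` characters when the user may pick anything."""
    return alphabet ** length


def count_with_required(length, required, classes=CLASSES, alphabet=ALPHABET):
    """Strings of `length` characters that contain at least one character
    from every class named in `required` (inclusion-exclusion over the
    subsets of required classes that are entirely absent)."""
    names = list(required)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def entropy_loss_bits(length, required):
    """How many bits smaller the candidate space becomes once an attacker
    knows the policy (assuming uniform choice within the allowed set)."""
    free = count_unconstrained(length)
    policed = count_with_required(length, required)
    return log2(free) - log2(policed)


if __name__ == "__main__":
    policy = ["upper", "lower", "digit", "symbol"]
    for n in (8, 10, 12):
        print(f"length {n}: policy removes {entropy_loss_bits(n, policy):.2f} bits")
```

At length 8 the four-class rule roughly halves the space an attacker must cover (about 1.1 bits); the loss shrinks as length grows, which is the trade-off the comments are arguing about.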
Also consider hashing it on client side, this way even if the server got corrupted in any way, the original passwords cannot be retrieved! user2509223 Nov 7 '13 at 11:01
@derylius Unless your login code is delivered in a plugin, you cannot verify that the javascript code is your original code with no compromises. Also, sending a hash to be compared against a hash in the DB is just as dangerous (it takes the place of the password). This isn't a very good, or safe, idea. It's better to rely upon connection security than it is javascript security. Robert K Nov 7 '13 at 13:58
@RobertK I guess you misunderstood me. I didn't say do this instead of setting up a secure connection; what I suggested is to do this in addition, because even if the connection is secure, if the server gets compromised, then every single request sent to that server potentially shows plain passwords to the attackers. So my point is that as a user I don't want to trust any server, but that doesn't mean I want to remember a 64 character long hash string instead of the color of my favorite fruit. (Further explanation here: xkcd.com/936) user2509223 Nov 7 '13 at 14:52
@derylius Yeah, I probably misunderstood. However, sending the hash to the server is just as bad. Though I think SQRL by Steve Gibson shows really good promise. Robert K Nov 7 '13 at 18:11
@RobertK it's really just a small addition that protects the password itself, not the environment. But since the passwords must be hashed anyway to store them, hashing on the client side instead of the server side is not much extra code, adding some to the security without taking any of it away.