Plain text passwords

Byron

I did an extensive search of the forum and couldn't find any posts specifically about how to send my login info to FRC in a non-plaintext fashion.

I seem to recall SSL being mentioned by Scrym on one of the casts (and that it was in the works). https hangs for me presently.

Am I doing it wrong?

EDIT:
I assume I'm doing it wrong because I haven't found references to it in the forum, and this is a forum of peeps who probably don't like sending plaintext passwords across the big bad internet.

Apreche

There's no SSL on these forums. If someone is sniffing the network traffic, they can see your FRC Forum password. Why don't I have SSL? Because it costs money and it's just a forum. Nothing here is private or important. If your account is compromised, e-mail me and I can fix it. Yes, security is important. Gotta keep the family jewels in a safe. But this forum isn't family jewels. Would you take the notepad on your desk and put that in a safe? No, that's just stupid because it's not valuable. There are plenty of forum backups that are very secure, so even if my account is compromized I can just roll everything back. The machine itself is also quite secure even if the forum itself is not.

As long as you aren't dumb enough to use the same password for your bank's website that you use here, you have nothing to worry about.

George Patches

Because it costs money and it's just a forum.

You could just generate a certificate rather than buying one. Anyone who would care to use HTTPS would know to ignore the security error message.

Omnutia

That's a thought. Have a website that directs you to an HTTP HTML page that tells you to ignore the SSL certificate warning then proceed to the HTTPS site.

Byron

I can't afford Verisign or any of those either. I usually self-sign.

Because it costs money and it's just a forum.

You could just generate a certificate rather than buying one. Anyone who would care to use HTTPS would know to ignore the security error message.

If you do want to allow some encryption, I'd recommend creating your own CA cert first and then self signing an SSL cert with your CA cert. This is better than straight up self-signing an SSL cert. Peeps can install the CA cert (which will stop the security error from popping up), and you can self sign any other X500 or X509 thingies with that same cert. One cert to rule them all.

Apreche

Self signing is fine if you are making a private or internal site that only you yourself are visiting. It is not cool when it is a public facing site for the world. If you people really want to encrypt your connections, use an encrypted VPN or tunnel to a TOR proxy or some shit.

If you really want SSL, collect $160 amongst yourselves and send it to me. Personally, I can think of a lot better uses for $160. That's a lot of games on Steam.

Oh, and you'll have to give me that $160 every year. So over $10 a month.

Byron

If you really want SSL, collect $160 amongst yourselves and send it to me.

Do you accept Bitcoins?

_{Disclaimer: I do not actually have any Bitcoins. It is unlikely that I will ever have the official BCN, although I find the idea interesting and might find uses for the Bitcoin protocol among small groups, but not as a legal tender. Void where prohibited.}

Rochelle

Do you accept Bitcoins?

Relevant.

Don't give them money unless they are selling something like shirts or buttsex.

George Patches

Self signing is fine if you are making a private or internal site that only you yourself are visiting. It is not cool when it is a public facing site for the world.

I fail to see how it's really that different.

Byron

Do you accept Bitcoins?

Relevant.

where do you think I got the idea to offer Scott Bitcoins? Suppose I should have linked that thread in my disclaimer tho.

Not nine

to use the same password for your bank's website

I really don't get this shit. Which fucking bank is so fucking retarded as to have users set a static password? If I want to get to my account by the web I have to get out the calculator they gave me, insert my card and follow the few instructions. Same with verifying a money transfer. Verification codes hurray!

Andrew

Fucking BoA doesn't even allow characters other than alphanumeric ones. No !&$@#%^*+

Byron

Which fucking bank is so fucking retarded as to have users set a static password?

As I've heard (which could be false), it is much more common for European banks (specifically Swiss banks) to use secondary authentication of What You Have while US banks almost never do this (it is strictly What You Know: static and unchanging).

Speaking of RSA keyfobs, related.

George Patches

As I've heard (which could be false), it is much more common for European banks (specifically Swiss banks) to use secondary authentication of What You Have while US banks almost never do this (it is strictly What You Know: static and unchanging).

2 factor authentication is quite rare for anything in the US.

I've personally started using an online password safe.

Apreche

I've personally started using an online password safe.

I use a combination of Yubikey, SuperGenPass, and Password Card.

George Patches

I use a combination of Yubikey, SuperGenPass, and Password Card.

I use LastPass, which combines many of those things into one system.

Not nine

[Obligatory rage at retarded US bank policy][/Obligatory rage at retarded US bank policy]

Byron

2 factor authentication is quite rare for anything in the US.

lol both my banks have 2 factor authentication, but it's just Password + challenge questions. To invent a mathematical notation that looks like big O: O(What You Know) + O(What You Know) == O(What You Know) != O(What You Know) + O(What You Have) == O(What You Know) + O(What You Are)

George Patches

lol both my banks have 2 factor authentication, but it's just Password + challenge questions. To invent a mathematical notation that looks like big O: O(What You Know) + O(What You Know) == O(What You Know) != O(What You Know) + O(What You Have) == O(What You Know) + O(What You Are)

I don't really consider that 2 factor as you be social engineer the answer to a lot of those questions. Technically I suppose you're right. But I prefer some sort of key FOB.

GauntletWizard

2 factor authentication is quite rare for anything in the US.

lol both my banks have 2 factor authentication, but it's just Password + challenge questions. To invent a mathematical notation that looks like big O: O(What You Know) + O(What You Know) == O(What You Know) != O(What You Know) + O(What You Have) == O(What You Know) + O(What You Are)

Two factor is not a big O operation; It's a set operation. Set(What you know, what you know) == Set(What you know); |Set(What you know)| == 1. Only if you have a set |Set(What you Know, (What you have OR What you are))| is it >= 2 factor security.

Byron

Two factor is not a big O operation; It's a set operation. Set(What you know, what you know) == Set(What you know); |Set(What you know)| == 1. Only if you have a set |Set(What you Know, (What you have OR What you are))| is it >= 2 factor security.

I approve! Set theory fits much better than trying to cram security into complexity analysis.

I think |Set(What You Have) Union Set(What You Are)| = 1, as you have what you are. |Set(What You Have) Union Set(What You Are)| = 2. Good notation.

Victor Frost

I use an algorithm for my passwords so, mentally, I use the same root password, but the actual password is different for each site. Of course, I use a different root password and algorithm for different tiers of importance.

Byron

I use an algorithm for my passwords so, mentally, I use the same root password, but the actual password is different for each site. Of course, I use a different root password and algorithm for different tiers of importance.

I do this too, but viewing one or two passwords would likely be enough to break my encryption scheme. My algorithm is simple so I can do it without thinking.

lackofcheese

Two factor is not a big O operation; It's a set operation. Set(What you know, what you know) == Set(What you know); |Set(What you know)| == 1. Only if you have a set |Set(What you Know, (What you have OR What you are))| is it >= 2 factor security.

I approve! Set theory fits much better than trying to cram security into complexity analysis.

I think |Set(What You Have) Union Set(What You Are)| = 1, as you have what you are. |Set(What You Have) Union Set(What You Are)| = 2. Good notation.

Set theory could be appropriate, but I take issue with some of this. |Set(What you know)| = 1 implies that the set has only 1 element, i.e. you only know 1 thing.

It could be argued that what you know and what you are are both proper subsets of what you have - you have what you know and what you are, but there are things that you have that aren't knowledge, and there are things that you have that aren't you. But that misses the whole point.

The whole point is brain vs body vs property, which are three distinct and relevant factors.

Ikatono

I use an algorithm for my passwords so, mentally, I use the same root password, but the actual password is different for each site. Of course, I use a different root password and algorithm for different tiers of importance.

I do this too, but viewing one or two passwords would likely be enough to break my encryption scheme. My algorithm is simple so I can do it without thinking.

From what I've heard, it still makes you significantly safer because it makes you a mid-level fruit in a sea of low-hanging fruit.

Byron

it makes you a mid-level fruit in a sea of low-hanging fruit.

You callin' me fruity?

Byron

The whole point is brain vs body vs property, which are three distinct and relevant factors.

At the present level of What You Are technology, I would argue it is not different than What You Have but it eventually might be. Let me give you an example:

If you have an RSA keyfob, I need only mug you or have a little bacon and eggs at your place to get it. If you have fingerprint or retinal authentication, I need only cut off your hand or rip out your eyeball with a spoon. These are, to a sociopath at any rate, not different.

Now let's say there was a biometric that analyzed your heartbeat using some DSP and pulls out some characteristics that are fixed throughout your life and whether you are out of shape, in shape, winded, or lazy. Although this sounds a bit far fetched, I bet it is possible if not necessarily plausible. Here's something you Have that I cannot possibly take away from you. That would count as What You Are but not so much as What You Have.

Of course passwords are stored in your brain. To my knowledge, we don't know how to get a melon baller up in there to extract passwords. Truth serums aren't terribly effective for such things, but might work. If you gotta dope someone, I think MDMA would be the best option, as then they feel love and trust for everybody. Get 'em rolling and ask them to get you in. Perhaps add a touch of roofies so they forget the whole thing.

At that point, a blood serum biometric would be handy, because it could simultaneously scan for mood altering toxins. Imagine, you can't unlock your phone because there's too much alcohol in your system. No more drunk dialing!

arr

I forget where, at the moment, but you can get a free SSL certificate that doesn't freak out most browsers (it doesn't show up as fancy as other certs but that's fine).

On my site the certificate says it's signed by StartCom, Ltd. if that's helpful.