Hello World

Started by: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
First post: 2014-12-20 23:57 +1100
Last post: 2014-12-22 19:05 +0000
Articles: 20 on this page of 122 — 30 participants


#83958

From: Steven D'Aprano <steve+comp.lang.python@pearwood.info>
Date: 2015-01-18 10:46 +1100
Message-ID: <54baf443$0$13002$c3e8da3$5496439d@news.astraweb.com>
In reply to: #83939
Mark Lawrence wrote:

> Bah humbug, this has reminded me of doing secure work whereby each
> individual had two passwords, both of which had to be changed every
> thirty days, and rules were enforced so you couldn't just increment the
> number at the end of a word or similar.

I hate and despise systems that force you to arbitrarily change a good
strong password after N days for no good reason.

The utterly bad reason often given by people who don't understand
probability is that if hackers try to guess your password by brute-force,
changing the password regularly will make it harder for them. That's simply
wrong, and is based on a misunderstanding of probability.

The merely poor reason given by the more thoughtful sys admins is, if the
password hashes get stolen, the hacker has a maximum of N days (and
possibly less) to crack the hashes and recover the passwords before they
get changed. That's okay as far as it goes, but it's the wrong solution for
the problem. The right solution is to salt the passwords, and to secure the
hashes from theft. Users should only be forced to change their password if
the hashes are stolen, not at arbitrary intervals.

The problem with regular password changes is that it makes it significantly
harder to remember passwords, especially one that you might only use rarely.
It encourages users to pick weak, trivial passwords that can be trivially
incremented each time the computer insists they change it, "blahblah-JAN"
or "blahblahblah1", or to simply write the password down on a Post-it note
on their computer. In isolation, regular password changes seem like a good
idea, but in practice they are not.

Password management is hard enough without having to throw away perfectly
good, strong, memorable passwords every N days "just in case".



-- 
Steven
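
The approach argued for in the post above (salt the stored hashes, and force a password change only when the hashes are stolen rather than on a timer), sketched as an added example that is not part of the original thread. `CredentialStore`, `flag_breach` and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed cost setting for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class Credential:
    salt: bytes                 # unique per user, stored next to the digest
    digest: bytes               # PBKDF2-HMAC-SHA256(password, salt)
    must_change: bool = False   # set only by a breach response, never by age


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class CredentialStore:
    """Hypothetical in-memory store; all names here are illustrative."""

    def __init__(self) -> None:
        self.users = {}  # user name -> Credential
        # Dummy record so a login for an unknown user costs one derivation too.
        self._dummy_salt = secrets.token_bytes(SALT_BYTES)
        self._dummy_digest = derive(secrets.token_hex(16), self._dummy_salt)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt on every change
        self.users[user] = Credential(salt, derive(password, salt))

    def login(self, user: str, password: str) -> str:
        cred = self.users.get(user)
        salt = cred.salt if cred else self._dummy_salt
        expected = cred.digest if cred else self._dummy_digest
        # Constant-time comparison of the derived and stored digests.
        matches = hmac.compare_digest(derive(password, salt), expected)
        if cred is None or not matches:
            return "denied"
        # No maximum-age check: a change is demanded only after a breach.
        return "change_required" if cred.must_change else "ok"

    def flag_breach(self) -> int:
        """Call when the hash table is known or suspected to be stolen."""
        for cred in self.users.values():
            cred.must_change = True
        return len(self.users)


def demo() -> dict:
    store = CredentialStore()
    # Constructed sample accounts: two users who picked the same password.
    shared = "correct horse battery staple"
    store.set_password("alice", shared)
    store.set_password("bob", shared)
    results = {
        # Per-user salts mean equal passwords do not yield equal digests.
        "same_password_same_digest":
            store.users["alice"].digest == store.users["bob"].digest,
        "before_breach": store.login("alice", shared),
        "wrong_password": store.login("alice", "Tr0ub4dor&3"),
        "unknown_user": store.login("mallory", "anything"),
    }
    store.flag_breach()  # incident response, not a calendar, triggers resets
    results["after_breach"] = store.login("alice", shared)
    store.set_password("alice", "a brand new passphrase")
    results["after_reset"] = store.login("alice", "a brand new passphrase")
    results["old_password_after_reset"] = store.login("alice", shared)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```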



#83959

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-18 11:04 +1100
Message-ID: <mailman.17820.1421539506.18130.python-list@python.org>
In reply to: #83958
On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> The merely poor reason given by the more thoughtful sys admins is, if the
> password hashes get stolen, the hacker has a maximum of N days (and
> possibly less) to crack the hashes and recover the passwords before they
> get changed. That's okay as far as it goes, but it's the wrong solution for
> the problem.

Related to that is another reason I've heard: if your password is
figured out by some means other than hash theft [1], there's a maximum
of N days to make use of it. But let's face it, if someone gets hold
of one of your accounts, it won't take long to do serious damage. Even
if it's not a high-profile target like email or banking, a service
with your password known by someone else is a problem *now*, not
"after a month of research" or something.

Password maximum age is the wrong solution to a few problems, and is
itself a problem. Don't do it.

ChrisA

[1] eg http://xkcd.com/792/



#83971

From: Jason Friedman <jsf80238@gmail.com>
Date: 2015-01-17 18:19 -0700
Message-ID: <mailman.17830.1421574638.18130.python-list@python.org>
In reply to: #83958

> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.

Bruce Schneier (mostly) agrees with you:
https://www.schneier.com/blog/archives/2010/11/changing_passwo.html.



#83972

From: Michael Torrie <torriem@gmail.com>
Date: 2015-01-17 19:13 -0700
Message-ID: <mailman.17831.1421574655.18130.python-list@python.org>
In reply to: #83958
On 01/17/2015 05:04 PM, Chris Angelico wrote:
> Related to that is another reason I've heard: if your password is
> figured out by some means other than hash theft [1], there's a maximum
> of N days to make use of it. But let's face it, if someone gets hold
> of one of your accounts, it won't take long to do serious damage. Even
> if it's not a high-profile target like email or banking, a service
> with your password known by someone else is a problem *now*, not
> "after a month of research" or something.
> 
> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.

Most password policies are the wrong solution.  They don't seem to
increase the time to guess the password given the hash, and they
certainly don't physically secure anything, as passwords that have to be
changed often and to bizarre notions of upper case, lower case, digits,
non-alphanumeric characters, are guaranteed to be written down and
pasted to the monitor.

Like many of you I use a password manager these days.  It's pretty
slick.  But really it shows the absurdity of the situation.  Instead of
passwords we should all just use private/public keypairs and store the
private keys in a digital wallet.  Forget this password garbage with
its 50-70 bits of entropy.  Let's go for 2048-bit keys and be done with
it, if we're going to require the use of password managers.



#83974

From: Marko Rauhamaa <marko@pacujo.net>
Date: 2015-01-18 12:03 +0200
Message-ID: <87bnlwl81r.fsf@elektro.pacujo.net>
In reply to: #83972
Michael Torrie <torriem@gmail.com>:

> Most password policies are the wrong solution.

I believe passwords themselves are the wrong solution. I believe in a
physical, government-issue object capable of challenge-response. It can
then be beefed up with extra measures depending on the need.


Marko



#83980

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 14:34 +0100
Message-ID: <m9gcna$kgf$3@dont-email.me>
In reply to: #83974
Marko Rauhamaa wrote:
> I believe in a
> physical, government-issue object
            ^^^^^^^^^^^^^^^^
Did you forget the smiley? Or where were you during the last 1,5 years?

Ciao, Michael.



#83986

From: Marko Rauhamaa <marko@pacujo.net>
Date: 2015-01-18 18:03 +0200
Message-ID: <871tmskrds.fsf@elektro.pacujo.net>
In reply to: #83980
Michael Ströder <michael@stroeder.com>:

> Marko Rauhamaa wrote:
>> I believe in a
>> physical, government-issue object
>             ^^^^^^^^^^^^^^^^
> Did you forget the smiley? Or where were you during the last 1,5 years?

You can juggle the issues all you want. In the end, there's no escaping
the governments' underwriting role. The TLS "chain of trust" we have
today is a joke and can be spoofed easily not only by governments but
really by anybody.

Authentication is still separate from privacy, which could be secured
from the governments if there were a will.


Marko



#83996

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 19:39 +0100
Message-ID: <m9gujm$5bu$1@dont-email.me>
In reply to: #83986
Marko Rauhamaa wrote:
> Michael Ströder <michael@stroeder.com>:
> 
>> Marko Rauhamaa wrote:
>>> I believe in a
>>> physical, government-issue object
>>             ^^^^^^^^^^^^^^^^
>> Did you forget the smiley? Or where were you during the last 1,5 years?
> 
> You can juggle the issues all you want. In the end, there's no escaping
> the governments' underwriting role. The TLS "chain of trust" we have
> today is a joke and can be spoofed easily not only by governments but
> really by anybody.

That's why I'm internally using my own private CA and limit the trust stores
of various services to this CA.

> Authentication is still separate from privacy,

Not true because there's no authorization without authentication.

Ciao, Michael.



#83987

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-18 21:10 +1100
Message-ID: <mailman.17834.1421597461.18130.python-list@python.org>
In reply to: #83974
On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa <marko@pacujo.net> wrote:
> Michael Torrie <torriem@gmail.com>:
>
>> Most password policies are the wrong solution.
>
> I believe passwords themselves are the wrong solution. I believe in a
> physical, government-issue object capable of challenge-response. It can
> then be beefed up with extra measures depending on the need.

I can't tell whether you're serious or not. Do you actually trust
"government-issue" more than anything else, or is your tongue firmly
in your cheek?

Also, which government?

ChrisA



#83997

From: Marko Rauhamaa <marko@pacujo.net>
Date: 2015-01-18 22:50 +0200
Message-ID: <87vbk3ke3x.fsf@elektro.pacujo.net>
In reply to: #83987
Chris Angelico <rosuav@gmail.com>:
> On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa <marko@pacujo.net> wrote:
>> I believe passwords themselves are the wrong solution. I believe in a
>> physical, government-issue object capable of challenge-response. It
>> can then be beefed up with extra measures depending on the need.
>
> I can't tell whether you're serious or not. Do you actually trust
> "government-issue" more than anything else, or is your tongue firmly
> in your cheek?

I'm serious.

> Also, which government?

For example, the State of Finland (the place where I happen to reside).
Then, you would know you would be dealing with someone who is holding a
physical ID guaranteed by the Finnish government. After all, that's how
passports work; passports are trusted everywhere in the world.

That would be better than anything we have right now. As far as I know,
a system like that is in use in Estonia. In principle, an analogous
system is also there in Finland, but it is barely used yet (chicken and
egg). The practical online authentication in Finland is provided by
private banks. The private solution is effective but it costs businesses
money to use making it unavailable for individuals and nonprofits.


Marko



#83979

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 14:32 +0100
Message-ID: <m9gclb$kgf$2@dont-email.me>
In reply to: #83972
Michael Torrie wrote:
> Like many of you I use a password manager these days.  It's pretty
> slick.  But really it shows the absurdity of the situation.  Instead of
> passwords we should all just use private/public keypairs and store the
> private keys in a digital wallet.  Forget this password garbage with
> its 50-70 bits of entropy.  Let's go for 2048-bit keys and be done with
> it, if we're going to require the use of password managers.

Yes, and that's easy e.g. with SSH. And in theory it's easy with SSL/TLS. But
support for client certs in browsers really sucks (try to change the login once
you've chosen a client cert without closing the browser).

Ciao, Michael.



#83973

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-18 21:00 +1100
Message-ID: <mailman.17832.1421575264.18130.python-list@python.org>
In reply to: #83958
On Sun, Jan 18, 2015 at 1:13 PM, Michael Torrie <torriem@gmail.com> wrote:
> Like many of you I use a password manager these days.  It's pretty
> slick.  But really it shows the absurdity of the situation.  Instead of
> passwords we should all just use private/public keypairs and store the
> private keys in a digital wallet.  Forget this password garbage with
> its 50-70 bits of entropy.  Let's go for 2048-bit keys and be done with
> it, if we're going to require the use of password managers.

Easy way to do a lot of that is to layer most things on top of SSH. I
can pull/push git repositories using my SSH keypairs, I can access the
local network mounts that way, all sorts of things can be done with a
system that's already deployed. It's easy to put your own service on
top of SSH too. Want simplicity? Passwords are fine. Want security?
Push the encryption and authentication down to a lower layer, and save
yourself the trouble.

ChrisA



#83981

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 14:35 +0100
Message-ID: <m9gcqh$kgf$4@dont-email.me>
In reply to: #83973
Chris Angelico wrote:
> Want security?
> Push the encryption and authentication down to a lower layer, and save
> yourself the trouble.

Yes. And now for the next level: How to prevent unauthorized machines to
connect to your network…

Ciao, Michael.



#83982

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-19 00:57 +1100
Message-ID: <mailman.17833.1421589430.18130.python-list@python.org>
In reply to: #83981
On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder <michael@stroeder.com> wrote:
> Chris Angelico wrote:
>> Want security?
>> Push the encryption and authentication down to a lower layer, and save
>> yourself the trouble.
>
> Yes. And now for the next level: How to prevent unauthorized machines to
> connect to your network…

Extremely difficult, and in many cases quite unnecessary. No, you let
them on the network, and then make sure that won't hurt you more than
you're prepared to accept. For instance, someone could join my wifi
network - all they need is the WPA2 PSK, which is well known around
the place - and use/abuse our internet connection; but they couldn't
access my PostgreSQL databases, because the firewall doesn't permit
access to port 5432.

ChrisA



#83985

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 16:48 +0100
Message-ID: <m9gkjo$l8h$1@dont-email.me>
In reply to: #83982
Chris Angelico wrote:
> On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder <michael@stroeder.com> wrote:
>> Chris Angelico wrote:
>>> Want security?
>>> Push the encryption and authentication down to a lower layer, and save
>>> yourself the trouble.
>>
>> Yes. And now for the next level: How to prevent unauthorized machines to
>> connect to your network…
> 
> Extremely difficult, and in many cases quite unnecessary. No, you let
> them on the network, and then make sure that won't hurt you more than
> you're prepared to accept.

Somewhat true…

> For instance, someone could join my wifi
> network - all they need is the WPA2 PSK, which is well known around
> the place - and use/abuse our internet connection; but they couldn't
> access my PostgreSQL databases, because the firewall doesn't permit
> access to port 5432.

…but your firewall relies on authenticity of IP addresses. Fail!

Ciao, Michael.



#83991

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-19 04:08 +1100
Message-ID: <mailman.17837.1421600945.18130.python-list@python.org>
In reply to: #83985
On Mon, Jan 19, 2015 at 2:48 AM, Michael Ströder <michael@stroeder.com> wrote:
>> For instance, someone could join my wifi
>> network - all they need is the WPA2 PSK, which is well known around
>> the place - and use/abuse our internet connection; but they couldn't
>> access my PostgreSQL databases, because the firewall doesn't permit
>> access to port 5432.
>
> …but your firewall relies on authenticity of IP addresses. Fail!

No; I have two completely separate networks. If you're on the one that
anyone can easily get onto, it doesn't matter what your IP is, you do
not get access to certain ports on computers on the other side of the
firewall.

ChrisA



#83978

From: Michael Ströder <michael@stroeder.com>
Date: 2015-01-18 14:30 +0100
Message-ID: <m9gchn$kgf$1@dont-email.me>
In reply to: #83958
Steven D'Aprano wrote:
> Mark Lawrence wrote:
> 
>> Bah humbug, this has reminded me of doing secure work whereby each
>> individual had two passwords, both of which had to be changed every
>> thirty days, and rules were enforced so you couldn't just increment the
>> number at the end of a word or similar.
> 
> I hate and despise systems that force you to arbitrarily change a good
> strong password after N days for no good reason.
> 
> The utterly bad reason often given by people who don't understand
> probability is that if hackers try to guess your password by brute-force,
> changing the password regularly will make it harder for them. That's simply
> wrong, and is based on a misunderstanding of probability.

But there's a probability > 0 that one of the systems where an admin has to
use his/her password was hacked and that passwords get stolen there. It's
hard to find out in case of skilled hackers.

=> have more than one account for different security areas and have password
aging in place.

Ciao, Michael.



#83357

From: Steve Hayes <hayesstw@telkomsa.net>
Date: 2015-01-08 19:02 +0200
Message-ID: <mtdtaalemtguc30127u5ifnbblrgndnrd3@4ax.com>
In reply to: #83327
On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst)
wrote:

>I don't trust sudo because it is too complicated.
>(To the point that I removed it from my machine.)
>I do

How do you do that?

I avoided Ubuntu because it had sudo, and then discovered that Fedora had it
as well. 


-- 
Steve Hayes from Tshwane, South Africa
Web:  http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk



#83359

From: Chris Angelico <rosuav@gmail.com>
Date: 2015-01-09 04:11 +1100
Message-ID: <mailman.17481.1420737102.18130.python-list@python.org>
In reply to: #83357
On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst)
> wrote:
>
>>I don't trust sudo because it is too complicated.
>>(To the point that I removed it from my machine.)
>>I do
>
> How do you do that?
>
> I avoided Ubuntu because it had sudo, and then discovered that Fedora had it
> as well.

Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based
system. With Debian itself, you get the option during installation of
setting a root password, in which case it won't install sudo by
default.

ChrisA



#83927

From: albert@spenarnc.xs4all.nl (Albert van der Horst)
Date: 2015-01-17 15:10 +0000
Message-ID: <54ba7b71$0$15929$e4fe514c@dreader35.news.xs4all.nl>
In reply to: #83359
In article <mailman.17481.1420737102.18130.python-list@python.org>,
Chris Angelico  <rosuav@gmail.com> wrote:
>On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes <hayesstw@telkomsa.net> wrote:
>> On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst)
>> wrote:
>>
>>>I don't trust sudo because it is too complicated.
>>>(To the point that I removed it from my machine.)
>>>I do
>>
>> How do you do that?
>>
>> I avoided Ubuntu because it had sudo, and then discovered that Fedora had it
>> as well.
>
>Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based

That works. That is exactly what I did.

>system. With Debian itself, you get the option during installation of
>setting a root password, in which case it won't install sudo by
>default.
>
>ChrisA
-- 
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spe&ar&c.xs4all.nl &=n http://home.hccnet.nl/a.w.m.van.der.horst
