| Started by | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| First post | 2014-12-20 23:57 +1100 |
| Last post | 2014-12-22 19:05 +0000 |
| Articles | 20 on this page of 122 — 30 participants |
| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2015-01-18 10:46 +1100 |
| Message-ID | <54baf443$0$13002$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #83939 |
Mark Lawrence wrote:

> Bah humbug, this has reminded me of doing secure work whereby each
> individual had two passwords, both of which had to be changed every
> thirty days, and rules were enforced so you couldn't just increment the
> number at the end of a word or similar.

I hate and despise systems that force you to arbitrarily change a good strong password after N days for no good reason.

The utterly bad reason often given by people who don't understand probability is that if hackers try to guess your password by brute-force, changing the password regularly will make it harder for them. That's simply wrong, and is based on a misunderstanding of probability.

The merely poor reason given by the more thoughtful sys admins is, if the password hashes get stolen, the hacker has a maximum of N days (and possibly less) to crack the hashes and recover the passwords before they get changed. That's okay as far as it goes, but it's the wrong solution for the problem. The right solution is to salt the passwords, and to secure the hashes from theft. Users should only be forced to change their password if the hashes are stolen, not at arbitrary intervals.

The problem with regular password changes is that it makes it significantly harder to remember passwords, especially one that you might only use rarely. It encourages users to pick weak, trivial passwords that can be trivially incremented each time the computer insists they change it, "blahblah-JAN" or "blahblahblah1", or to simply write the password down on a Post-it note on their computer.

In isolation, regular password changes seem like a good idea, but in practice they are not. Password management is hard enough without having to throw away perfectly good, strong, memorable passwords every N days "just in case".

--
Steven
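Added example, not part of the original post: a sketch of the approach described above, with a per-user random salt, a slow hash, and a forced change tied to a known hash theft rather than to password age. PBKDF2 from the standard library, the record format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000        # assumed work factor; tune to your hardware
MAX_ITERATIONS = 5_000_000  # refuse absurd counts in a stored record
SALT_BYTES = 16


def unsalted_sha256(password):
    """The weak baseline: equal passwords give equal hashes for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt$digest' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt; malformed records fail closed."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def must_change(password_set_at, breach_at):
    """Force a change only if the password existed when hashes were stolen."""
    return breach_at is not None and password_set_at <= breach_at


if __name__ == "__main__":
    # Constructed sample data: two users who happen to share a password.
    pw = "correct horse battery staple"
    print("unsalted equal:", unsalted_sha256(pw) == unsalted_sha256(pw))
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted equal:  ", alice == bob)
    print("verifies:      ", verify_password(pw, alice))

    breach = datetime(2015, 1, 18, tzinfo=timezone.utc)
    old = datetime(2014, 6, 1, tzinfo=timezone.utc)
    new = datetime(2015, 2, 1, tzinfo=timezone.utc)
    print("old password must change:", must_change(old, breach))
    print("new password must change:", must_change(new, breach))
    print("no breach, must change:  ", must_change(old, None))
```

With the salt stored next to each digest, cracking one record says nothing about another user with the same password, and `must_change` never fires on age alone.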
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-18 11:04 +1100 |
| Message-ID | <mailman.17820.1421539506.18130.python-list@python.org> |
| In reply to | #83958 |
On Sun, Jan 18, 2015 at 10:46 AM, Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote:
> The merely poor reason given by the more thoughtful sys admins is, if the
> password hashes get stolen, the hacker has a maximum of N days (and
> possibly less) to crack the hashes and recover the passwords before they
> get changed. That's okay as far as it goes, but it's the wrong solution for
> the problem.

Related to that is another reason I've heard: if your password is figured out by some means other than hash theft [1], there's a maximum of N days to make use of it. But let's face it, if someone gets hold of one of your accounts, it won't take long to do serious damage. Even if it's not a high-profile target like email or banking, a service with your password known by someone else is a problem *now*, not "after a month of research" or something.

Password maximum age is the wrong solution to a few problems, and is itself a problem. Don't do it.

ChrisA

[1] eg http://xkcd.com/792/
| From | Jason Friedman <jsf80238@gmail.com> |
|---|---|
| Date | 2015-01-17 18:19 -0700 |
| Message-ID | <mailman.17830.1421574638.18130.python-list@python.org> |
| In reply to | #83958 |
> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.

Bruce Schneier (mostly) agrees with you: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html.
| From | Michael Torrie <torriem@gmail.com> |
|---|---|
| Date | 2015-01-17 19:13 -0700 |
| Message-ID | <mailman.17831.1421574655.18130.python-list@python.org> |
| In reply to | #83958 |
On 01/17/2015 05:04 PM, Chris Angelico wrote:
> Related to that is another reason I've heard: if your password is
> figured out by some means other than hash theft [1], there's a maximum
> of N days to make use of it. But let's face it, if someone gets hold
> of one of your accounts, it won't take long to do serious damage. Even
> if it's not a high-profile target like email or banking, a service
> with your password known by someone else is a problem *now*, not
> "after a month of research" or something.
>
> Password maximum age is the wrong solution to a few problems, and is
> itself a problem. Don't do it.

Most password policies are the wrong solution. They don't seem to increase the time to guess the password given the hash, and they certainly don't physically secure anything, as passwords that have to be changed often and to bizarre notions of upper case, lower case, digits, non-alphanumeric characters, are guaranteed to be written down and pasted to the monitor.

Like many of you I use a password manager these days. It's pretty slick. But really it shows the absurdity of the situation. Instead of passwords we should all just use private/public keypairs and store the private keys in a digital wallet. Forget this password garbage with its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with it, if we're going to require the use of password managers.
| From | Marko Rauhamaa <marko@pacujo.net> |
|---|---|
| Date | 2015-01-18 12:03 +0200 |
| Message-ID | <87bnlwl81r.fsf@elektro.pacujo.net> |
| In reply to | #83972 |
Michael Torrie <torriem@gmail.com>:

> Most password policies are the wrong solution.

I believe passwords themselves are the wrong solution. I believe in a physical, government-issue object capable of challenge-response. It can then be beefed up with extra measures depending on the need.

Marko
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 14:34 +0100 |
| Message-ID | <m9gcna$kgf$3@dont-email.me> |
| In reply to | #83974 |
Marko Rauhamaa wrote:
> I believe in a
> physical, government-issue object
^^^^^^^^^^^^^^^^
Did you forget the smiley? Or where were you during the last 1,5 years?
Ciao, Michael.
| From | Marko Rauhamaa <marko@pacujo.net> |
|---|---|
| Date | 2015-01-18 18:03 +0200 |
| Message-ID | <871tmskrds.fsf@elektro.pacujo.net> |
| In reply to | #83980 |
Michael Ströder <michael@stroeder.com>:

> Marko Rauhamaa wrote:
>> I believe in a
>> physical, government-issue object
>            ^^^^^^^^^^^^^^^^
> Did you forget the smiley? Or where were you during the last 1,5 years?

You can juggle the issues all you want. In the end, there's no escaping the governments' underwriting role. The TLS "chain of trust" we have today is a joke and can be spoofed easily not only by governments but really by anybody.

Authentication is still separate from privacy, which could be secured from the governments if there were a will.

Marko
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 19:39 +0100 |
| Message-ID | <m9gujm$5bu$1@dont-email.me> |
| In reply to | #83986 |
Marko Rauhamaa wrote:
> Michael Ströder <michael@stroeder.com>:
>
>> Marko Rauhamaa wrote:
>>> I believe in a
>>> physical, government-issue object
>>            ^^^^^^^^^^^^^^^^
>> Did you forget the smiley? Or where were you during the last 1,5 years?
>
> You can juggle the issues all you want. In the end, there's no escaping
> the governments' underwriting role. The TLS "chain of trust" we have
> today is a joke and can be spoofed easily not only by governments but
> really by anybody.

That's why I'm internally using my own private CA and limit the trust stores of various services to this CA.

> Authentication is still separate from privacy,

Not true because there's no authorization without authentication.

Ciao, Michael.
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-18 21:10 +1100 |
| Message-ID | <mailman.17834.1421597461.18130.python-list@python.org> |
| In reply to | #83974 |
On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa <marko@pacujo.net> wrote:
> Michael Torrie <torriem@gmail.com>:
>
>> Most password policies are the wrong solution.
>
> I believe passwords themselves are the wrong solution. I believe in a
> physical, government-issue object capable of challenge-response. It can
> then be beefed up with extra measures depending on the need.

I can't tell whether you're serious or not. Do you actually trust "government-issue" more than anything else, or is your tongue firmly in your cheek?

Also, which government?

ChrisA
| From | Marko Rauhamaa <marko@pacujo.net> |
|---|---|
| Date | 2015-01-18 22:50 +0200 |
| Message-ID | <87vbk3ke3x.fsf@elektro.pacujo.net> |
| In reply to | #83987 |
Chris Angelico <rosuav@gmail.com>:

> On Sun, Jan 18, 2015 at 9:03 PM, Marko Rauhamaa <marko@pacujo.net> wrote:
>> I believe passwords themselves are the wrong solution. I believe in a
>> physical, government-issue object capable of challenge-response. It
>> can then be beefed up with extra measures depending on the need.
>
> I can't tell whether you're serious or not. Do you actually trust
> "government-issue" more than anything else, or is your tongue firmly
> in your cheek?

I'm serious.

> Also, which government?

For example, the State of Finland (the place where I happen to reside). Then, you would know you would be dealing with someone who is holding a physical ID guaranteed by the Finnish government. After all, that's how passports work; passports are trusted everywhere in the world.

That would be better than anything we have right now.

As far as I know, a system like that is in use in Estonia. In principle, an analogous system is also there in Finland, but it is barely used yet (chicken and egg). The practical online authentication in Finland is provided by private banks. The private solution is effective but it costs businesses money to use making it unavailable for individuals and nonprofits.

Marko
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 14:32 +0100 |
| Message-ID | <m9gclb$kgf$2@dont-email.me> |
| In reply to | #83972 |
Michael Torrie wrote:
> Like many of you I use a password manager these days. It's pretty
> slick. But really it shows the absurdity of the situation. Instead of
> passwords we should all just use private/public keypairs and store the
> private keys in a digital wallet. Forget this password garbage with
> its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with
> it, if we're going to require the use of password managers.

Yes, and that's easy e.g. with SSH. And in theory it's easy with SSL/TLS. But support for client certs in browsers really sucks (try to change the login once you've chosen a client cert without closing the browser).

Ciao, Michael.
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-18 21:00 +1100 |
| Message-ID | <mailman.17832.1421575264.18130.python-list@python.org> |
| In reply to | #83958 |
On Sun, Jan 18, 2015 at 1:13 PM, Michael Torrie <torriem@gmail.com> wrote:
> Like many of you I use a password manager these days. It's pretty
> slick. But really it shows the absurdity of the situation. Instead of
> passwords we should all just use private/public keypairs and store the
> private keys in a digital wallet. Forget this password garbage with
> its 50-70 bits of entropy. Let's go for 2048-bit keys and be done with
> it, if we're going to require the use of password managers.

Easy way to do a lot of that is to layer most things on top of SSH. I can pull/push git repositories using my SSH keypairs, I can access the local network mounts that way, all sorts of things can be done with a system that's already deployed. It's easy to put your own service on top of SSH too.

Want simplicity? Passwords are fine. Want security? Push the encryption and authentication down to a lower layer, and save yourself the trouble.

ChrisA
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 14:35 +0100 |
| Message-ID | <m9gcqh$kgf$4@dont-email.me> |
| In reply to | #83973 |
Chris Angelico wrote:
> Want security?
> Push the encryption and authentication down to a lower layer, and save
> yourself the trouble.

Yes. And now for the next level: How to prevent unauthorized machines from connecting to your network…

Ciao, Michael.
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-19 00:57 +1100 |
| Message-ID | <mailman.17833.1421589430.18130.python-list@python.org> |
| In reply to | #83981 |
On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder <michael@stroeder.com> wrote:
> Chris Angelico wrote:
>> Want security?
>> Push the encryption and authentication down to a lower layer, and save
>> yourself the trouble.
>
> Yes. And now for the next level: How to prevent unauthorized machines to
> connect to your network…

Extremely difficult, and in many cases quite unnecessary. No, you let them on the network, and then make sure that won't hurt you more than you're prepared to accept. For instance, someone could join my wifi network - all they need is the WPA2 PSK, which is well known around the place - and use/abuse our internet connection; but they couldn't access my PostgreSQL databases, because the firewall doesn't permit access to port 5432.

ChrisA
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 16:48 +0100 |
| Message-ID | <m9gkjo$l8h$1@dont-email.me> |
| In reply to | #83982 |
Chris Angelico wrote:
> On Mon, Jan 19, 2015 at 12:35 AM, Michael Ströder <michael@stroeder.com> wrote:
>> Chris Angelico wrote:
>>> Want security?
>>> Push the encryption and authentication down to a lower layer, and save
>>> yourself the trouble.
>>
>> Yes. And now for the next level: How to prevent unauthorized machines to
>> connect to your network…
>
> Extremely difficult, and in many cases quite unnecessary. No, you let
> them on the network, and then make sure that won't hurt you more than
> you're prepared to accept.

Somewhat true…

> For instance, someone could join my wifi
> network - all they need is the WPA2 PSK, which is well known around
> the place - and use/abuse our internet connection; but they couldn't
> access my PostgreSQL databases, because the firewall doesn't permit
> access to port 5432.

…but your firewall relies on authenticity of IP addresses. Fail!

Ciao, Michael.
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-19 04:08 +1100 |
| Message-ID | <mailman.17837.1421600945.18130.python-list@python.org> |
| In reply to | #83985 |
On Mon, Jan 19, 2015 at 2:48 AM, Michael Ströder <michael@stroeder.com> wrote:
>> For instance, someone could join my wifi
>> network - all they need is the WPA2 PSK, which is well known around
>> the place - and use/abuse our internet connection; but they couldn't
>> access my PostgreSQL databases, because the firewall doesn't permit
>> access to port 5432.
>
> …but your firewall relies on authenticity of IP addresses. Fail!

No; I have two completely separate networks. If you're on the one that anyone can easily get onto, it doesn't matter what your IP is, you do not get access to certain ports on computers on the other side of the firewall.

ChrisA
| From | Michael Ströder <michael@stroeder.com> |
|---|---|
| Date | 2015-01-18 14:30 +0100 |
| Message-ID | <m9gchn$kgf$1@dont-email.me> |
| In reply to | #83958 |
Steven D'Aprano wrote:
> Mark Lawrence wrote:
>
>> Bah humbug, this has reminded me of doing secure work whereby each
>> individual had two passwords, both of which had to be changed every
>> thirty days, and rules were enforced so you couldn't just increment the
>> number at the end of a word or similar.
>
> I hate and despise systems that force you to arbitrarily change a good
> strong password after N days for no good reason.
>
> The utterly bad reason often given by people who don't understand
> probability is that if hackers try to guess your password by brute-force,
> changing the password regularly will make it harder for them. That's simply
> wrong, and is based on a misunderstanding of probability.

But there's a probability > 0 that one of the systems where an admin has to use his/her password was hacked and that passwords get stolen there. It's hard to find out in case of skilled hackers.

=> have more than one account for different security areas and have password aging in place.

Ciao, Michael.
| From | Steve Hayes <hayesstw@telkomsa.net> |
|---|---|
| Date | 2015-01-08 19:02 +0200 |
| Message-ID | <mtdtaalemtguc30127u5ifnbblrgndnrd3@4ax.com> |
| In reply to | #83327 |
On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst) wrote:

>I don't trust sudo because it is too complicated.
>(To the point that I removed it from my machine.)
>I do

How do you do that?

I avoided Ubuntu because it had sudo, and then discovered that Fedora had it as well.

--
Steve Hayes from Tshwane, South Africa
Web: http://www.khanya.org.za/stevesig.htm
Blog: http://khanya.wordpress.com
E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-01-09 04:11 +1100 |
| Message-ID | <mailman.17481.1420737102.18130.python-list@python.org> |
| In reply to | #83357 |
On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes <hayesstw@telkomsa.net> wrote:
> On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst)
> wrote:
>
>>I don't trust sudo because it is too complicated.
>>(To the point that I removed it from my machine.)
>>I do
>
> How do you do that?
>
> I avoided Ubuntu because it had sudo, and then discovered that Fedora had it
> as well.

Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based system. With Debian itself, you get the option during installation of setting a root password, in which case it won't install sudo by default.

ChrisA
| From | albert@spenarnc.xs4all.nl (Albert van der Horst) |
|---|---|
| Date | 2015-01-17 15:10 +0000 |
| Message-ID | <54ba7b71$0$15929$e4fe514c@dreader35.news.xs4all.nl> |
| In reply to | #83359 |
In article <mailman.17481.1420737102.18130.python-list@python.org>, Chris Angelico <rosuav@gmail.com> wrote:
>On Fri, Jan 9, 2015 at 4:02 AM, Steve Hayes <hayesstw@telkomsa.net> wrote:
>> On 08 Jan 2015 12:43:33 GMT, albert@spenarnc.xs4all.nl (Albert van der Horst)
>> wrote:
>>
>>>I don't trust sudo because it is too complicated.
>>>(To the point that I removed it from my machine.)
>>>I do
>>
>> How do you do that?
>>
>> I avoided Ubuntu because it had sudo, and then discovered that Fedora had it
>> as well.
>
>Uhh, 'apt-get remove sudo'? That ought to work on any Debian-based

That works. That is exactly what I did.

>system. With Debian itself, you get the option during installation of
>setting a root password, in which case it won't install sudo by
>default.
>
>ChrisA

--
Albert van der Horst, UTRECHT,THE NETHERLANDS
Economic growth -- being exponential -- ultimately falters.
albert@spe&ar&c.xs4all.nl &=n http://home.hccnet.nl/a.w.m.van.der.horst