On Wed, Dec 29, 2010 at 12:00:01AM -0500, David Hutto wrote:

> On Tue, Dec 28, 2010 at 11:51 PM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> > On Tue, Dec 28, 2010 at 11:28:12PM -0500, Joshua Kehn wrote:
> >
> >> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote:
> >>
> >> > On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote:
> >> >
> >> >> Specifically:
> >> >>
> >> >>>> Dotan Cohen wrote:
> >> >>>>> I seem to have an issue with users who copy-paste their usernames and
> >> >>>>> passwords copying and pasting leading and trailing space characters.
> >> >>
> >> >> Users should not be copy-pasting passwords or usernames. Do not
> >> >> compromise a system to cater to bad [stupid, ignorant, you pick] users. If
> >> >> this is an issue then educate the users.
> >> >>
> >> >
> >> > Wrong. I use a program called pwgen to generate passwords for me, which
> >> > I cannot remember. I use another program I built to store them in an
> >> > encrypted file. When I have to supply a password which I've forgotten
> >> > (as usual), I fire up my password "vault", find the password, and paste
> >> > it wherever it's needed. Users would be wise to follow a scheme like
> >> > this, rather than using their dog's name or somesuch as their passwords.
> >> >
> >> > Paul
> >> >
> >> > --
> >> > Paul M. Foster
> >> > http://noferblatz.com
> >> >
> >>
> >> What is "wrong?" That users should not be copy-pasting passwords or
> >> don't compromise the system?
> >>
> >> I agree that users should not use weak passwords, but not everyone
> >> goes everywhere with a vault. I am more than capable of memorizing 20 or
> >> so 16-32 character full set passwords.
> >>
> >
> > And so you assume everyone can do that? I can remember maybe 5 of the
> > passwords I regularly need. (I rarely repeat passwords for different
> > sites.) In addition, some passwords have been *assigned* to me and
> > cannot readily be changed (and are usually difficult to remember). Many
> > of the rest I so seldom use that it would be silly to try to remember
> > them. Particularly when I do have a password-locked file I can use to
> > record them for me.
> >
> > Under the circumstances I described, I have yet to hear in what way
> > copying and pasting passwords compromises security of anything by
> > itself. Please enlighten me.
>
> Correct me if I'm wrong, but if you initially type the username and
> password into a file, and you have, in my paranoid scenario, a
> keylogger you don't know about, it gets logged, but also, I assume it
> would get logged if you typed it in as well, on the site, or that
> someone could lift the password if given the authority on your system,
> correct?

Well, let's see. My system sits behind a firewall. No external services
are advertised to the internet. All internal addresses are non-routable.
I do not use or have any wifi. The system sits in my home office. I use
a Debian Linux system and practice very safe computing. I often
investigate little-known sites before surfing to them, and never accept
temptations to click on ads. In fact, I have my /etc/hosts file set up
to block the vast majority of ad servers (I see a fraction of the ads
most people see). I never download content of questionable origin, nor
accept it from others without investigating it first. I have a root kit
detector installed, which I periodically use. I'm the only person who
uses this computer. No one who enters this space is more knowledgeable
than I am about computers (= not capable of hacking a computer). And
suffice it to say that I'm easily capable of dropping an intruder in his
tracks from a distance should he enter my abode uninvited. Moreover, the
law here allows me to do so with impunity.

Now, theoretically, assuming I'm entering a password over an unencrypted
internet connection (non-HTTPS), someone could theoretically capture
that password. However, I can't think of the last time I've been asked
to do such a thing, if ever. And if invited to do so, I would check
first what kind of content such a hacker would thereby gain access to.
If the content wasn't that important, then it wouldn't much matter to me
if they captured the password. (I've worked at places where a password
on an unencrypted internet-facing server would give someone access to
the bug-tracking system. Big deal.)

So, yes, on planet Epsilon-3-Bingo, perhaps. But here? Unlikely.

Paul

--
Paul M. Foster
http://noferblatz.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
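An added example, not from the thread or from any of its participants, showing one way to handle the leading and trailing whitespace that pasted credentials carry in Dotan Cohen's original question. The policy (refuse surrounding whitespace at registration, so trimming at login can never change a password that was actually set), the in-memory user table and the function names are my assumptions:

```php
<?php
// Added example, not code from the thread. Assumes a user store is a plain
// array of username => password hash; a real application would use a database.
declare(strict_types=1);

function hasSurroundingWhitespace(string $s): bool
{
    // trim() strips " \t\n\r\0\x0B"; text pasted from a terminal, mail client
    // or password vault frequently carries a trailing newline or space.
    return $s !== trim($s);
}

function registerUser(array &$users, string $username, string $password): bool
{
    $username = trim($username);
    if ($username === '' || hasSurroundingWhitespace($password)) {
        // Refuse rather than silently store something other than what the
        // user believes the password is; the caller should tell the user why.
        return false;
    }
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

function login(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    // A real hash to verify against for unknown usernames, so the response
    // time does not reveal which usernames exist.
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $username = trim($username);
    // Trimming here is safe only because registration guarantees no stored
    // password depends on surrounding whitespace; interior spaces are kept.
    $password = trim($password);

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Constructed sample data for demonstration.
$users = [];
var_dump(registerUser($users, 'dotan', 'correct horse battery'));  // bool(true)
var_dump(registerUser($users, 'paul', 'pwgen-output '));           // bool(false): trailing space refused
var_dump(login($users, " dotan\n", "correct horse battery\n"));    // bool(true): pasted newline ignored
var_dump(login($users, 'dotan', 'correct  horse battery'));        // bool(false): interior spaces still matter
var_dump(login($users, 'nobody', 'anything'));                     // bool(false): same cost as a real check
```

The trade-off is deliberate: trimming only ever removes characters that registration would have refused, so it cannot weaken a password that exists, while interior whitespace (which users do put in passphrases on purpose) is compared exactly.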