March 16, 2013 at 8:43 am
L' Eomot InversΓ© (3/16/2013)
Yes, so I'll never use correct horse battery stable as a pasword now - the everbody and his dog knows it :laugh:
How about autos world needs gas.
Four simple words is still much harder to crack.:Wow:
We just had a the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF? :crazy:
----------------
Jim P.
A little bit of this and a little byte of that can cause bloatware.
March 16, 2013 at 10:40 am
Jim P. (3/16/2013)
How about autos world needs gas.Four simple words is still much harder to crack.:Wow:
I think the XKCD cartoon actually under estimates the entropy of four common words. Lets call that 11 bits per word - I suspect that most people intelligent enough to be able to type a password have an active vocabulary quite a lot bigger than 2000 words. Even so, I have a large number of different passwords, and I'm not going to remember them all, so I need a password safe or dictionary and I want that to be locked by something with a lot more than 44 bits and even for some of the passwords themselves I want nearly twice that. So I use quite long passphrases - much more than 4 words - and make sure they are something I already know (ie quoting something that's already there) and not something I might forget. That's one of my beliefs that has changed: I used to think it sensible to introduce the odd error into the phrase, but soon experience taught me that this increased the chances of forgetting it by a large factor - years ago I lost my PGP keys that way (and of course couldn't revoke them) - so now I believe it's better to keep the orignal phrase without perturbation - the perturbation has only negligible effect on the probability of the phrase being found by guessing. Within the safe or dictionary the original passwords can or course have much less entropy - I don't think I have any need for more than 80 bits for any of the individual passwords (except for ones that are protecting the private keys of public key encryption pairs), and most things could have much less entropy than that.
We just had a the financial user from a nursing home call in and say that the clinical users had given her their user names and passwords in case she needed to add a diagnosis to make the claims work. WTF? :crazy:
Not crazy, or at least no exceptionally so, just ordinary people doing what ordinary people do.
Tom
March 17, 2013 at 5:30 pm
Yes, which leads to yet another problem, password staleness. You make have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.
With this idea, your password (how you enter it) is changing slightly every time you access it. The system could get to know that you get tired mid-afternoon and have a slower typing speed or the first thing in the morning have a hard time getting the little finger over to that tricky "Q" key. Other times you like to enter the text "Mary had a little lamb" and highlight the "had" text.
That way it's not the data (user name & password) that really is authorised, it's your persona or you.
March 17, 2013 at 7:44 pm
Scott Anderson #2 (3/17/2013)
Yes, which leads to yet another problem, password staleness. You make have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.
This is one of the nastiest security myths that exists, and had done quite a lot of damage through having created systems which force people to change passwords frequently, thus ensuring that they can never remember them so they are always sitting there on a post-it note for everyone to see. Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be dsetected within the period between changes).
The whole "frequent password changes" idea is total nonsense. Changing your password has no effect whatsoever on the chance of it being guessed, or being broken by brute force attack. The only effect it has is on the duration of a compromise - and since a the typical time for a broken password to do all the damage it can is rather short, changing your password every rather long time stands very little (approximately zero) chance of reducing the damage - far smaller a chance than the risk that consequences of changing (maybe communicating passwords, maybe time to learn passwords) will do rather a lot of damage.
If you change your password once a fortnight instead of once a year, you reduce the expected time that a broken password is valid if you don't notice it from six months to a week - so you gain some wonderful extra protection provided it takes you more than a week to notice that someone is misusing your account. What a pitiful benefit that is!
Tom
March 17, 2013 at 10:06 pm
Yes, which leads to yet another problem, password staleness. You make have thought up the easiest to remember, hardest to crack password, but unless you change it often, then you are still in a world of problem attack vectors.
This is one of the nastiest security myths that exists
Re-reading my comment, I didnβt fully qualify my brief comment, oops you are exactly right.
What I should have said was, as people generally re-use passwords across systems, thereby opening themselves up to multiple attacks vectors. If one of those systems is compromised then itβs not hard to find others to try it with. Like with Antivirus that only detects 99% of issues, all you need is to be unlucky to get that 1% which made that 99% not even matter. One can get in a habit of password re-use (or staleness) and suddenly find themselves in trouble. I agree, frequent password changes is never a good thing for the user. Yes, if your password cannot be worked out and the system containing it doesn't get hacked, you can safely use the same password and never need to change it, but does that really happen?
Only someone completely incompetent at serious security believes in changing passwords often (unless they have a situation where compromise is unlikely to be dsetected within the period between changes).
This one I don't agree with so much. How easy is it to detect a compromise? How do you know when others have your password? How many systems display the number of recent failed attempts (or even since the last successful login) or successful ones, plus when they do, do you even take note? Until something destructive or unwanted happens and especially if you are only a user and cannot access the logs, you wouldn't know what read-only activity has happened. No, a stale password is no benefit here.
March 18, 2013 at 4:58 am
Lynn Pettis (3/15/2013)
Okay, drop the religious debate. It will go where we really don't want it to go really fast.
Sorry. My facetious comment was not aimed at any religion but a jocular poke at TravisDBA as he appears to enjoy the banter. My mistake (about the post, not TravisDBA having a sense of humour), sorry.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 18, 2013 at 10:02 am
In the last 1-2 years, I have given up on religious wars in technology (this should not be taken in any way to have anything to do with real religion). Just part of the list from the last 20 years or so: Mainframe-PC, Windows-UNIX, DB2-IMS/IDMS, Sybase-Oracle-Informix-Ingress, SQL Server-Oracle, PC-MAC, iPhone/Pad-Android, I don't argue about it anymore. Each technology is good for something, and works better for some people. Life is too short, and nobody convinces the other side anyway. I think that my oldest son misses these arguments, at least WRT Apple products π
March 18, 2013 at 2:19 pm
+1
March 19, 2013 at 3:46 am
lptech (3/18/2013)
In the last 1-2 years, I have given up on religious wars in technology (this should not be taken in any way to have anything to do with real religion). Just part of the list from the last 20 years or so: Mainframe-PC, Windows-UNIX, DB2-IMS/IDMS, Sybase-Oracle-Informix-Ingress, SQL Server-Oracle, PC-MAC, iPhone/Pad-Android, I don't argue about it anymore. Each technology is good for something, and works better for some people. Life is too short, and nobody convinces the other side anyway. I think that my oldest son misses these arguments, at least WRT Apple products π
Utterly agree. The more experience I gain (for that, read "the older I get" π ) the more I see the technologies I work with purely as tools, and it's not the tool that is important but what you end up producing. A cabinet maker is judged professionally by the furniture he or she produces, not by the make of planes and chisels he or she uses, so why should it be different in the IT world?
Semper in excretia, suus solum profundum variat
March 19, 2013 at 4:24 am
majorbloodnock (3/19/2013)Utterly agree. The more experience I gain (for that, read "the older I get" π ) the more I see the technologies I work with purely as tools, and it's not the tool that is important but what you end up producing. A cabinet maker is judged professionally by the furniture he or she produces, not by the make of planes and chisels he or she uses, so why should it be different in the IT world?
At the risk of firing up another "discussion"... we risk losing our unique place to make THE difference, instead of A difference; or worse, backing a winning horse that eventually loses. You've always struck me as reasonably logical when it comes to evaluating the human condition, Bloodnock, so was this a rhetorical question?
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions[/url] | Forum Netiquette
For index/tuning help, follow these directions.[/url] |Tally Tables[/url]
Twitter: @AnyWayDBA
March 19, 2013 at 4:35 am
lptech (3/18/2013)
In the last 1-2 years, I have given up on religious wars in technology (this should not be taken in any way to have anything to do with real religion). Just part of the list from the last 20 years or so: Mainframe-PC, Windows-UNIX, DB2-IMS/IDMS, Sybase-Oracle-Informix-Ingress, SQL Server-Oracle, PC-MAC, iPhone/Pad-Android, I don't argue about it anymore. Each technology is good for something, and works better for some people. Life is too short, and nobody convinces the other side anyway. I think that my oldest son misses these arguments, at least WRT Apple products π
I never went in for those kinds of arguments (they are rarely discussions or debates). I tend to find that most technology has its value but all could be better. Perhaps a little unfair but I've yet to see perfection and time always highlights that anything could be better.
Phone wars are the funniest: my Mrs hates my brilliant Windows Phone and I can't get on with her adored iPhone. Solution: she has an iPhone and I have a Windows Phone. Simple π
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
March 19, 2013 at 5:00 am
Gary Varga (3/19/2013)
Phone wars are the funniest: my Mrs hates my brilliant Windows Phone and I can't get on with her adored iPhone. Solution: she has an iPhone and I have a Windows Phone. Simple π
Couldn't agree more. To quote an antique: "Different Strokes for Different Folks."
I like Droid, personally, but more for what I don't have to deal with than what it does.
There was a question in the editorial as to what has changed for me. I figure it's only fair to answer. Everything.
In 3 years.
I used to think I was excellent at my job. I learned I was, but that I had sooo much more to learn. Ignorance assumes perfection, I guess. Then I came here.
Allow me to explain just how wrong I was.
I showed up here for the last 5/6 years or so prior to my first post. I opened an account simply to read an article sometime in the past century (me, exagerate? never. I also can't spell at 4:30 in the morning). Off and on I'd slip in and pick up some tidbit.
Then I realized I needed help when I decided the deep end of the pool wasn't so deep and realized I couldn't swim there... after going in headfirst.
Jeff Moden whapped me one upside the head and explained to me that this resource wasn't simply for me to show up and beat on when I chose, I'd better behave by what the forum expected if I wanted some help. Well crap. It took one post (slight pride on my part) and I fixed that error. I got some of the most amazing help to what was a simple problem to this forum and moved on. Then I decided the forum was a place I should probably get more involved in, there was a lot of knowledge here.
Ever felt like a mosquito at the lion's feast?
I've learned that although I'm pretty damned good at my job, I am not a guru... even in any particular aspect. I've learned that although I know a lot of tricks, I simply can't know all of them. I've learned (once again recently) that someone with 10 posts can point me at a solution that people with thousands couldn't. I've learned that respect from intelligent people, that I want to earn it from, isn't earned through humor nor ability; but by presentation backed with knowledge. I've been reminded of something that the internet made me forget; an argument is not a debate and a debate is sure as hell not an argument if you want to actually have a debate and learn something.
I've learned that the most obnoxious presence I know on the internet (and I usually eat the trolls, they're tasty) can actually teach me something if you read through the trash. Those of you who know who I'm talking about please leave out the name, I did on purpose.
I've been forcibly reminded recently that late data is useless data. A rough idea, known for being worth that value, is better than perfection delivered 3 days later.
I've learned tons. I don't think anyone in this industry can HELP but learn... or die through attrition to those who can, though they may have weaker skills presently.
I'll keep learning. I'm not dead yet. Now present your ankles.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions[/url] | Forum Netiquette
For index/tuning help, follow these directions.[/url] |Tally Tables[/url]
Twitter: @AnyWayDBA
March 19, 2013 at 5:02 am
First of all, Craig, thanks very much for the compliment; I do my best.
Regarding your question, I'm embarrassed to say I'm not entirely clear what you're asking, so I'll try to clarify what I originally meant.
In my opinion, the people who pay for a company's IT don't care what technologies we use. Any users of IT will judge our work in their terms, not ours, so they won't care if we use SQL Server or Oracle, but will care if they can't access their data. As a result, I believe we should concentrate on achieving what our users need achieved and only worry about technical elegance after that. A technically elegant solution may well be important in terms of ongoing maintenance and so on, but is irrelevant if the solution doesn't meet the business's needs.
The uniqueness for IT is its ability to touch all areas of the business, so our capacity to make the difference relies on our ability to understand the business and the processes it both uses and needs. If we can do that, we should be able to switch between which db platform we use, which server OS, which client OS, which CRM package, which financial package end so on according to what we can afford, what is currently available and how well it meets our current needs. Eventually, the business will judge us on how much value IT provides to the business, not on the tools we use.
Semper in excretia, suus solum profundum variat
March 19, 2013 at 5:07 am
Just to add that Craig wrote his latest post whilst I was writing mine, so I didn't get a chance to agree wholeheartedly with all he has said in it. Words of wisdom, Craig.
Semper in excretia, suus solum profundum variat
March 19, 2013 at 5:22 am
majorbloodnock (3/19/2013)
First of all, Craig, thanks very much for the compliment; I do my best.
My pleasure, I assure you.
Regarding your question, I'm embarrassed to say I'm not entirely clear what you're asking, so I'll try to clarify what I originally meant.
My apologies and you've answered it thoroughly. I blame a distraction from about 3 hours ago that was quite cute and looked amazing through a beer bottle. Thus, my fault. You asked a question I felt you already had the answer to, and was hoping for the clarification you've already made.
My personal opinion, and that's all it is before I get swamped in PMs, an opinion, is that a majority of the tech wars revolve around two concepts. What is the most usable for a particular user, and what a techie is most involved with for their continued career. There are outliers to be sure of people stuck in one tech who desperately wish they could use another to provide solutions, but I find those people to be rare and not zealots that are usually found in the tech/religious wars.
I will support SQL Server until it dies. Why? I've based my continued career around it. I will advocate it's TCO, its adaptability, and the ease of finding lower level (and thus cheaper) support for it than the majority of other platforms. I'll also tell a client to hire an Access developer on occassion and leave my number should they grow at some point. Our newbies need work too. π
The end result is that our clients must use our products. They decide what they want. Windows 8, as much as it annoys me in simply its display, is based on countless hours of marketing research. Someone must want this thing. I'll wait for the next server deploy, personally. The tool we make them with means nothing until the user is happy. The rest is who got hired to build it, Bob the <sometechhere> guru... or me.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions[/url] | Forum Netiquette
For index/tuning help, follow these directions.[/url] |Tally Tables[/url]
Twitter: @AnyWayDBA
Viewing 15 posts - 61 through 74 (of 74 total)
You must be logged in to reply to this topic. Login to reply