Forum modifications: brute force protection (Page 2 of 3)

Count me in!

Oops!:) Thanks

so to remember them, I'll just write them on this post-it note on my desk...??? I don't see how my security is enhanced by using passwords that I can't keep in my head.

Using an algorithm makes more sense - my take is in this Password security blog post.

I also really like Zwopper's idea of shifting the password periodically, e.g left or right.

In case anyone takes this seriously - please don't. It's better than "password" or "god" or your gf's or bf's name (if their name is sally or john) but not by much.

Edit: fixed link - thanks gsmanners.

Last edited by Chriswaterguy (2010-04-05 07:26:35)

Your link is 404'd.

Your browser fingerprint appears to be unique among the 781,781 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.58 bits of identifying information.

I'm unique.. sounds bad

I'm actually very bad with passwords, most of the time I use not-many-letters passwords and only a few good ones for e-mail etc..

Came across an article that made me think of this thread:

http://www.boston.com/bostonglobe/ideas … _password/

*heavy sigh*

I think the (enforced) changing of passwords is a good idea in the corporate world. A few years ago we were having such problems that we made the accountants change their passwords every month. It's also good practice in light of the problems these forums have experienced, especially for m* ... oh i'm not allowed to use the m word.

Also very advisable if you've recently logged in over unsecure wifi. Not sure why https login isn't implemented ... there's a shedload of computing power on that server. Is it the cost of a cert? How about a self-signed? What kind of messages do the major browsers put up for self-signed certs these days? Are they prohibitively scary?

That was interesting. It looks like a fairly sophisticated man in the middle attack that most people probably won't run into unless they're unlucky, but it brought up a good point about details (like the lock icon) that set an expected comfort level by visual cue and the effect of what happens when it's missing. And yeah, mixing it by having it both on an unsecure page (design) and secure mode (status) creates confusion, and confusing things in general seem to be ignored or reconciled and accepted. Sorta like what I just now wrote here.

This. Totally. It's funny how many people will protect their workplace keycards, but when it comes to good passwords (which is part of their job to have) people balk. And I don't know how many times I pulled a post-it off note off someone's monitor that had their password on it.

----------------------

In general though safety wise, I still think plain old social engineering is probably still one of the easiest ways for someone up to no good to find out stuff.

Last edited by chillicampari (2010-04-16 18:17:22)

I don't have any suggestions on what to do - but 3 cheers for all the effort!! You're helping to make our #! world, well, better

No-one can possibly disagree!!

Cheers,

81dc9bdb52d04dc20036dbd8313ed055

really impressive… but a little more efficient… or

MTIzNAo=

in fact: simple variations based on 1234…

Because this thread was dormant for a few months, I missed the original post. I just read it and wondered why I would have to login 5 times every day!

"If a user's login attempt fails 5 times in any 24 hour period..." FTFY :^)