Tank2333 has quit [Remote host closed the connection]
Ezriilc has quit [Ping timeout: 189 seconds]
sasamj has quit [Quit: Connection closed for inactivity]
flayer has joined #KSPOfficial
immibis has joined #KSPOfficial
prefixcactus has joined #KSPOfficial
darsie has joined #KSPOfficial
sandbox has joined #KSPOfficial
sasamj has joined #KSPOfficial
_whitelogger has joined #KSPOfficial
Dazzyp has quit [Ping timeout: 192 seconds]
Tank2333 has joined #KSPOfficial
Pytagoras has joined #KSPOfficial
erio has joined #KSPOfficial
Pyta has quit [Ping timeout: 189 seconds]
estorado has quit [Ping timeout: 189 seconds]
estorado has joined #KSPOfficial
Rhys has quit [Quit: R.I.P]
dnsmcbr has quit [Ping timeout: 189 seconds]
Kevin has quit [Ping timeout: 189 seconds]
Rhys has joined #KSPOfficial
Kevin has joined #KSPOfficial
eriophora has quit [Ping timeout: 189 seconds]
dnsmcbr has joined #KSPOfficial
Tank2333 has quit [Remote host closed the connection]
<Mat2ch>
oh, y'all got news about the twitch hack? Go reset your twitch password, if you haven't done so yet
<umaxtu>
was just popping on here to say that
Althego has quit [Quit: Leaving]
prefixcactus has quit [Ping timeout: 189 seconds]
MrTikku has quit [Quit: Lähdössä]
LunchBot has quit [Remote host closed the connection]
LunchBot has joined #KSPOfficial
<raptop>
hrm
* raptop
is going to end up with firefox saving tons of passwords because memorizing them all is impractical
<kubi>
unless you have some logic that compiles in the site itself to the password
<kubi>
and of course update all the passwords at the highest frequency required by the sites
<kubi>
... and get annoyed with stupid limitations on passwords (capital, number etc) that are actually decreasing the potential password pool instead of making it more secure
<flayer>
i'm really annoyed at my current password situation
<flayer>
all of my regular passwords have been compromised, and i can't be bothered to learn new ones, so now i need to find a tool that i can trust to manage passwords for me
<kubi>
L0reMiP5umTw1tt3r
<raptop>
obviously hunter2 -> hunter3
<kubi>
your password must contain at least 3 non alnum characters, but cannot be longer than 8 chars
<flayer>
yeah, so annoying all the specific and varied requirements they put on passwords nowadays
<kubi>
only requirement should be a minimum length
<kubi>
maybe not even that
<kubi>
anything else is just limiting the pool of potential passwords
<kubi>
if it MUST contain a number, then there WILL be a number
<raptop>
Min length makes sense. Max length can be justified, but basically no place with an explicit maximum has a reasonable one
<kubi>
so, instead of [a-zA-Z0-9][a-zA-Z0-9] it will be [a-zA-Z][0-9] or [0-9][a-zA-Z]
<kubi>
that is a much smaller pool
<flayer>
"but you can't trust people to make a good password without being forced into certain choices
<flayer>
"
<raptop>
Also, there's the whole "special character silliness"
<kubi>
yes
<kubi>
it should be enabled
<kubi>
no limitation on the actual characters
<raptop>
hrm, s/ silliness"/" silliness/
<kubi>
even unicode
<raptop>
yeah
<kubi>
actually, professional systems with customers in China or Japan have this req
<raptop>
I can understand showing a non-blocking warning for non-ascii characters, but outright rejecting is bad
<raptop>
(the warning being "please make sure you can actually enter this password consistently")
<kubi>
it does not limit the pool too much as each length step brings 10++ times more
<FLHerne>
kubi: I think character-set enforcement is probably reasonable
<kubi>
why?
<FLHerne>
If someone's using a long and random password, the impact is pretty much nil
<raptop>
Is your site going to break if someone's password includes a space or a #?
<FLHerne>
(because if they're using a wide character set, it's statistically almost certain to contain one of each type anyway)
<kubi>
character set is a requirement usually in non-latin countries
<kubi>
ppl tend to think that we have only latin or even worse, the english alphabet
<FLHerne>
and it makes the 90% of users who'd otherwise use some short one-or-two-word dictionary password somewhat less brute-forceable
<kubi>
and most of the population lives on that side of the globe...
<FLHerne>
kubi: Sorry, I meant enforcing using digits, punctuation etc.
<FLHerne>
other alphabets should definitely be allowed
<raptop>
I'd be worried about charset reqs being a surprise break so you can't use eg: wide latin characters
<raptop>
(among other things)
<kubi>
do not enforce any digits
<kubi>
any character level enforcement is limiting the variety of passwords
<kubi>
make it as wide as possible
<Mat2ch>
kubi: we could have Zero knowledge proof as method to sign into web sites. But apparently passwords are soooooo much better
<Mat2ch>
and nobody at Firefox cares about innovation anymore.
<kubi>
you can limit on simple patterns, like do not use your login name, or 1234556789
<FLHerne>
kubi: for a long random password, the "limiting" is totally negligible
<kubi>
yes
<kubi>
and no
<kubi>
because of what we were talking about at the beginning
<kubi>
having different sites limiting you in different ways would make you use password managers (from postit notes to whatever else tools)
Baumfaust has joined #KSPOfficial
Baumfaust has quit [Remote host closed the connection]
<FLHerne>
For a 15-character password, the probability of *not* containing at least one digit if you use A-Za-z0-9 and a bit of punctuation is about 2%
<kubi>
yeah
<kubi>
but one site says no punctuation
<FLHerne>
that's pretty much no reduction in password space, for a dramatic increase in security of the 90% of passwords that people don't construct properly
<kubi>
other says max 12 characters, 3rd says no kanji
<kubi>
it is not the space
<kubi>
not only
<kubi>
that is the basic thing you need to worry about in relation to one site
<FLHerne>
I'm sure password managers can handle this
<kubi>
until you keep them safe
<FLHerne>
If anything, it discourages users from reusing the same "random" password for multiple sites
<FLHerne>
(which I'm aware of people doing)
<kubi>
yes
<kubi>
never underestimate ppl
<kubi>
the best is when I get from the site that your password can't be the same as any of the 5 last and can't differ by only one character from them
<kubi>
now, tell me, how th they know if it is only one character without storing the clear text?!
<kubi>
then using the same "random" for multiple sites would just make sure that the operator of site A can reach all of the others
<FLHerne>
In principle, they could store hashes of all one-character variations
<kubi>
but random people are not prepared for this
<FLHerne>
would be an awful lot of hashing though
<kubi>
actually, an unhashed character sequence should not even leave my computer
<FLHerne>
Indeed
<kubi>
if I'm more paranoid, then not even my keyboard:)
<FLHerne>
They *could* hash all one-character variations in JS in the browser
<FLHerne>
but it would take a while
<kubi>
yeah
<FLHerne>
and the number of hashes sent would leak the password length unless there was padding
<FLHerne>
I can't think of a reasonable way to do it
<FLHerne>
but maybe there is one
<kubi>
so, anyway
<kubi>
whoever had the same pass for FB and anything else nowadays, go and refresh
<packbart>
kubi: if you're sending out hashed passwords, the server needs to store plaintext passwords
<kubi>
I was not precise
<packbart>
or use a challenge-response login thing with nonces
<packbart>
but nobody seems to like those
<packbart>
(for a website, that would probably require JS to login. I can live with that)
<kubi>
yes
<kubi>
public-private keypairs etc. is far better than these password things
<kubi>
if you have a secure channel and you trust the server then a password is OK
<packbart>
the plain password would still leave your keyboard
<kubi>
no other circumstances
<kubi>
unless you have a proper keyboard :)
<kubi>
but then it leaves your fingers...
betelgeuse has joined #KSPOfficial
<packbart>
ID card authentication + fresh blood sampler
<kubi>
what you have and what you know is normally needed, but makes the system complex
<kubi>
I like the bankID in Sweden
MrTikku has joined #KSPOfficial
<packbart>
I used to use a Yubikey. it was a pain to recover accounts when it broke ;)
<kubi>
recovery must be difficult or else anyone can recover
<kubi>
you should not optimize for the easiness of it
<umaxtu>
I still have my Yubi neo. don't use it much these days
Lyneira has joined #KSPOfficial
<raptop>
Anyway, I'm getting through some mandatory security training that is talking about the importance of defending against phishing
<packbart>
kubi: for one account, I had to receive and return a form by (snail) mail. for another, I had to e-mail photographs of me holding my ID card and a note
<kubi>
yes
<kubi>
or even in person auth
<packbart>
I wouldn't think that to be useful
<kubi>
bank ID SW certificate recovery requires you to go to the bank (that is the proxy of the authority, i.e., the state) or use a bank card reader to make it easy
<packbart>
it's not much different from a photograph of me, ID and note saying "$date, $service, please reset my 2FA"
<packbart>
I had to redo one of them because they need to see my arm holding the things
<kubi>
yes
<packbart>
so you couldn't shop it
<kubi>
that is good
<kubi>
so, making the recovery painful is not an issue
<kubi>
if it is painful you do not make a mistake again
<packbart>
or else it gets the hose again
<kubi>
actually, all the smart card auth things are good
<kubi>
like most ID card nowadays
<kubi>
the stupid thing is that there is no world wide infrastructure and standard to make it ubiquitous
<packbart>
and no good software, either
<packbart>
trying to get the internal smartcard reader on a laptop to work was no fun
<packbart>
(stupid me, using Linux, I know)
<kubi>
that is why there need to be proper standards
<kubi>
and a standard, by definition, is accessible to everyone
<kubi>
not patented and stuff
<packbart>
well, there's often a fee
<raptop>
kubi: interestingly, this means that ISO doesn't publish standards
<raptop>
Consider eg: ISO 8601. It's in 2 parts that cost 158 CHF and 178 CHF respectively
<packbart>
an argument can be made that offering those for free would require sponsorships by states or corps
Ezriilc has joined #KSPOfficial
Eddi|zuHause has quit []
jazzkutya has joined #KSPOfficial
Eddi|zuHause has joined #KSPOfficial
<packbart>
(leaked) "Every other property that Twitch owns including IGDB and CurseForge" - hm. that might be relevant to KSP modders
<packbart>
I usually quote sources but I guess the piratebay-Link/bittorrent-hash to the leaked archive is not interesting to anyone here? :>
<raptop>
hrm
m4v has quit [Ping timeout: 198 seconds]
flayer has quit [Quit: Leaving]
flayer has joined #KSPOfficial
m4v has joined #KSPOfficial
<kubi>
some $ is not an issue
<kubi>
for an individual it can be a lot
<kubi>
but if even a small company can afford these easily
<kubi>
the problem comes with lock-ins and so
<kubi>
also, of course the biggest cost is if you want to connect your service to any of these platforms
<kubi>
like payments
<kubi>
security platforms are the same
<darsie>
Connor Kerman was stranded on Minmus. A drone whizzed by him sending a message that he should get home alone. He jetpacked to orbit, then to Kerbin, aerobraked, refuelled his jetpack in the space station and did a jetpack deorbit. Because his parachute didn't work, he splashed down near the KSC. Hmm, I could have tried updating his status in the space station.