this post was submitted on 14 Jul 2023
1179 points (92.1% liked)

Technology

59581 readers
4728 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

We've all been there.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 40 points 1 year ago (5 children)

Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

[–] [email protected] 22 points 1 year ago* (last edited 1 year ago)

Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.

https://pages.nist.gov/800-63-3/sp800-63b.html

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

[–] [email protected] 10 points 1 year ago (2 children)

I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

[–] [email protected] 7 points 1 year ago

Yeah, the most recent one for me was creating a password at lemmy.world

[–] [email protected] -1 points 1 year ago (2 children)

I wouldn’t say obsolete because that implies it’s not really used anymore.

I'm not sure where you heard someone use the word "obsolete" that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.

[–] [email protected] -1 points 1 year ago (1 children)

Yeah i agree. The best example of this is Linux. To anyone who disagrees, why does a modern operating system require you to use a terminal, or edit config files instead of changing settings in a gui?

Its THE example of ancient software being pushed on to niave techies that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.

Although Windows 11 does have its problems. The chief of which is bogging down the streamlined simplicity with things a normal user wont need like a package manager.

[–] [email protected] 0 points 1 year ago (1 children)

The best example of this is Linux.

Ouch... so, you might want to learn more about technology before commenting in a Technology community...

why does a modern operating system require you to use a terminal

Because a terminal is one of the most powerful modes of interaction ever invented. It can serve as a relatively low-tech UI, but it is also simple enough to be used as a machine interface. It is lightweight, works even when other protocols and interfaces are thwarted by infrastructure issues, because it is simple text, but also meant to be read by a human, it can make for a great interface for logging, you don't have to guess at which obscure standard (if any) to use to talk to it, compliance with relevant standards is baked into nearly every language ever written, etc.

Try building a system like Kubernetes on graphical UIs... I dare you.

Its THE example of ancient software being pushed on to niave techies

What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it's necessary for supporting modern cloud applications.

that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.

Okay, this has to be a troll... right? This is a troll? Please tell me you can't be serious.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

I know it can be hard to have your ideas quedtioned, but at least try to be civil. I never questioned your intentions, yet youre acting like im crazy. A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it. There is a reason why Android is moving further and further away from open sores code.

What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it's necessary for supporting modern cloud applications.

I understand that you like horses. You ride one every day, and you might have evwn named your horse. The fact is that its time to buy a car. Notice i said buy. Quality software costs money, and always will. Its time to move into the future with the rest of us.

the terminal is simple

Yes i agree. Throwing rocks is also simpler than firing a gun, yet modern militaries arent training slingers anymore. Ive developed games using Windows exclusivley (for a lot of money i asure you) and ive never once had to use a terminal ever. I literally just have to email my source code to my boss, and he compiles it. I have no need to know how, because its not my problem. Theres no need to use a terminal when i have Visual Studio and Outlook. If you want to be a cool hackerman you can, but id rather use something thats intuitive and works.

I think anyone who uses Linux is stuck in the past. Communism doesnt work either, bucko.

[–] [email protected] 2 points 1 year ago

I know it can be hard to have your ideas quedtioned, but at least try to be civil. I never questioned your intentions, yet youre acting like im crazy.

I think that's all you. I have never suggested that you are crazy. I suggested that calling Microsoft software "safe" as opposed to Linux which is, "insecure," sounds like trolling. But that's because it sounds like trolling. No crazy stated or implied.

A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it.

You should learn more about the world of software. Seriously. Security experts have been reasonably unanimous in their support of the "Many Eyes Make All Bugs Shallow" approach to software security for decades, even while they have criticized it as a mantra that ignores the flaws in a presumption of open source software security.

But just to put it in a simple logically sealed box: Microsoft's source code has been leaked several times, and of course, bad actors probably have gained access to it throughout the years without such public knowledge. This means that the fundamental difference between Microsoft's proprietary codebase and open source codebases is not, cannot be the availability of source code. Rather, it is the ability for independent groups to review the code on an ongoing basis.

When the only difference is independent review, the only possible result is higher security.

I understand that you like horses. You ride one every day, and you might have evwn named your horse. The fact is that its time to buy a car.

None of this constitutes a logical refutation to the examples I provided, which are critical components of modern software development and deployment.

Source: I'm a professional software release engineer who has worked with many of the world's largest corporations.

Quality software costs money

For starters, this is unfounded cargo culting. There is no evidence for this at all. I can point to dozens of very expensive piles of crufty old software that no one should ever go near, and also to some free software that is literally foundational to the modern software world.

Money has nothing to do with the quality of software, but you're also mistaken if you think open source software is free. You can pay IBM millions of dollars for a suite of enterprise-ready open source software. Most of the cost in such software is rarely the software itself. It's services, support, training and customization.

Throwing rocks is also simpler than firing a gun, yet modern militaries arent training slingers anymore

But they are succeeding wildly by using largely open source software running on open hardware for drones, networking, battlefield analysis, logistics, etc.

[–] [email protected] 5 points 1 year ago (3 children)

For today's 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn't favoured.

[–] [email protected] 1 points 1 year ago (1 children)

I'm still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.

[–] [email protected] 2 points 1 year ago

Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover's algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I've heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren't, so that doesn't seem like it would work very well.

Maybe you're getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?

[–] [email protected] -1 points 1 year ago

Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.

[–] [email protected] -1 points 1 year ago

Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.

[–] [email protected] 2 points 1 year ago

People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into "passkey" stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.

[–] [email protected] 1 points 1 year ago

Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users