passwords Archives - Security Musings

Vavada - это онлайн-казино, предоставляющее широкий выбор азартных игр, включая слоты, рулетку, блэкджек и другие. Vavada привлекает игроков разнообразными бонусами и акциями.

PIVPN with 2-Factor Authentication

Posted onMay 8, 2022 by Peter Hesse

(Edited 5/8/2022 with some changes to make sure it works on Buster / other linux distributions with sec-linux. The new stuff is in purple.) It took me a while but I finally found someone that had solved this. I am linking the solution. However, typing in a password and following it up with the one-time-password (OTP) is *extremely* user unfriendly. Anything that is hard to do to make better security actually makes worse security. Instead my approach protects the private keys with a password, and you then only use the OTP as the user’s password each login. So, here is the process. Assuming you have pivpn already installed and working with an OpenVPN configuration. Install google authenticator on the pi: sudo apt-get install libpam-google-authenticator Edit[…]

Updating VMware vCenter and ESXi Certificates

Posted onJanuary 23, 2013 by Peter Hesse

By default, the installation of VMware’s vCenter and ESXi use self-signed certificates with hardcoded passwords to protect the private keys of their SSL web services. While it gets you services that work out of the box, it is really bad form and a poor security practice. If you install (or update to) version 5.1 of the VMware infrastructure components, you will be left with a bunch of warning windows like the ones on the left. If you’re lucky enough to have access to your own public key infrastructure, you can issue your own certificates to replace those provided by VMware so you don’t see constant warnings. However, if you undertake this effort be forewarned: VMWare’s guidance (Replacing Default vCenter 5.1[…]

Windows 8 Authentication and Compliance

Posted onJanuary 17, 2013 by Peter Hesse

Two weeks ago, I finally got a chance to try out a Windows 8 system. First, I have to give huge kudos to Dell, who makes the XPS 12 system I’m playing with. This system seems to be the ideal platform for a Windows 8 user. A thin and light notebook with plenty of power, with the ability to flip the screen around and make it into a touchscreen tablet. That said, during my initial installation of the system, alarm bells immediately rang in my head. “This system doesn’t comply with many password policies!” I found that as I joined my Windows 8 system to my company’s domain (which enforces a number of things through group policy), some configurations were allowed[…]

Flight of the Black Swan

Posted onJanuary 15, 2013 by Peter Hesse

The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and upon retrospection, they are actually predictable. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example as used in the Wired article of having your identity stolen by hackers. It is rare enough that many of us will probably never experience it. Some cases have an extreme impact such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped. And as this blog and any number of[…]

Plain text offenders

Posted onNovember 16, 2012 by Peter Hesse

Ever forget your password on a website? Yeah, thought so. Ever hit the “forgot password” link on a website and got your password emailed back directly to you? If that’s the case, it means that website saves your password in plain text so that they can email it back to you. This is a terrible security practice for a few reasons: Email is not a secure protocol, so even if you use a secure protocol to log in (HTTPS), when your password is emailed it becomes exposed to the world. If that website is hacked, your password will be quite available and visible to the attacker. Even if the website is not attacked, your password is available to anyone who has[…]

The math behind passwords

Posted onNovember 12, 2012 by Peter Hesse

We are working with a security policy that treats two passwords of equivalent strength: 8 character password with two character sets represented (pick two of upper/lower/number/symbol) 6 character password with three character sets represented (pick three of upper/lower/number/symbol) The question arises, how equivalent (or not) are they? Well, it’s time to do some math. Total Possible Passwords One way to measure password strength is in the total number of passwords that one might be able to generate that meet that criteria. More would be better. There are 26 uppercase, 26 lowercase, 10 digit, and 33 ASCII-printable symbols available on the average keyboard (totaling 95 options). If we simply asked how many possible 6 character passwords are there, you can multiply 95 for[…]