The real problem is one of philosophy. IPv6 tries to do too many things, to provide too many features. This doesn’t, as a general rule, work out well. The tools which stand the test of time aren’t intelligent, feature-rich toys. They’re simple, streamlined creatures which do one thing Very Well.

The big news of the week, emanating from Toorcon 12, is the release of Firesheep. This tool makes SideJacking – that is, “hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server” – painfully simple for anybody to use. How easy? Well, let’s see… you download and install Firefox… and then you download and install the Firesheep extension to Firefox… and then you restart Firefox and run the tool to start hijacking sessions… that’s it! Simple enough for ya? SideJacking is not a new concept, nor are tools for it. Robert Graham of Errata Security made a bit of a splash with his tool Hamster back[…]

When did password cracking get so hard? Remember LM hash? Obsolete since Windows NT, until Windows Vista it was on by default for backward compatibility. Even back in the day an external hard drive easily had enough room for a full set of rainbow tables and generating them only took a few days at most, depending on your computer speed. That is to say, brute forcing was actually possible. Even your moderately security conscious types who actually paid attention to complexity rules could fall victim to a password attack if their account was on any machine with LM hashes turned on. Now it’s all NTLM hashes in the Windows world, and frankly brute forcing NTLM just isn’t feasible for your[…]

OWASP’s AppSecDC 2010 is less than a month away, running at the Washington Convention Center November 8-11. The first two days provide attendees and locals with an excellent opportunity to attend high-quality training for very little money. In particular, Gemini Security will be delivering KRvW Associates’ “Software Security Best Practices” curriculum. This course is a 2-day program that only costs $1,495! The curriculum is hands-on in nature, portable to most code bases, and builds on the successes of the OWASP Top 10 list, OWASP Live CD, and several years of quality curriculum from KRvW Associates. We hope that you’ll be able to attend the conference and also take advantage of this, or other, training programs. Sign up today!

The “big” news of the week (thus far), if you can call it that, is Google’s announcement of the availability of soft tokens for Google Apps as of today (read about it in their post “Moving security beyond passwords”). From a security perspective I’m greatly underwhelmed. Maybe I’ve just become jaded in my old age, but this really strikes me as a big “so what?” announcement. AOL did this several years ago (unsuccessfully, I might add) using RSA hard tokens. The reasons for their failure are myriad, ranging from a lack of promotion to requiring customers to pay for it, but ultimately it came down to one specific concern: usability. I don’t for a minute accept TechCrunch’s take on this announcement[…]