[00:52:41] Yay, metal bands
[00:58:32] #KSPOfficial: mode change '+o raptop' by ChanServ!ChanServ@services.esper.net
[04:06:58] Characterization of 2 Near-Earth asteroids (lots of metals, so you get sensationalist headlines) https://iopscience.iop.org/article/10.3847/PSJ/ac235f
[04:53:16] #KSPOfficial: mode change '+o Althego' by ChanServ!ChanServ@services.esper.net
[11:42:22] #KSPOfficial: mode change '+v erio' by ChanServ!ChanServ@services.esper.net
[13:12:47] oh, y'all got news about the twitch hack? Go reset your twitch password, if you haven't done so yet
[13:16:31] was just popping on here to say that
[13:46:31] hrm
[13:46:58] Action: raptop is going to end up with firefox saving tons of passwords because memorizing them all is impractical
[13:52:09] unless you have some logic that compiles the site itself into the password
[13:52:27] and of course update all the passwords at the highest frequency required by the sites
[13:53:21] ... and get annoyed with stupid limitations on passwords (capital, number etc) that are actually decreasing the potential password pool instead of making it more secure
[13:53:22] i'm really annoyed at my current password situation
[13:53:51] all of my regular passwords have been compromised, and i can't be bothered to learn new ones, so now i need to find a tool that i can trust to manage passwords for me
[13:54:14] L0reMiP5umTw1tt3r
[13:54:32] obviously hunter2 -> hunter3
[13:54:39] your password must contain at least 3 non-alnum characters, but cannot be longer than 8 chars
[13:55:00] yeah, so annoying all the specific and varied requirements they put on passwords nowadays
[13:55:18] the only requirement should be a minimum length
[13:55:26] maybe not even that
[13:55:42] anything else is just limiting the pool of potential passwords
[13:56:05] if it MUST contain a number, then there WILL be a number
[13:57:04] Min length makes sense. Max length can be justified, but basically no place with an explicit maximum has a reasonable one
[13:57:22] so, instead of [a-zA-Z0-9][a-zA-Z0-9] it will be [a-zA-Z][0-9] or [0-9][a-zA-Z]
[13:57:28] that is a much smaller pool
[13:59:02] "but you can't trust people to make a good password without being forced into certain choices
[13:59:04] "
[14:00:07] Also, there's the whole "special character silliness"
[14:00:21] yes
[14:00:34] it should be enabled
[14:00:44] no limitation on the actual characters
[14:00:44] hrm, s/ silliness"/" silliness/
[14:00:56] even unicode
[14:01:12] yeah
[14:01:52] actually, professional systems with customers in China or Japan have this req
[14:02:16] I can understand showing a non-blocking warning for non-ascii characters, but outright rejecting is bad
[14:02:38] (the warning being "please make sure you can actually enter this password consistently")
[14:09:20] exactly
[14:09:51] having a minimum length is OK
[14:10:59] it does not limit the pool too much as each length step brings 10++ times more
[14:11:28] kubi: I think character-set enforcement is probably reasonable
[14:11:36] why?
[14:11:46] If someone's using a long and random password, the impact is pretty much nil
[14:12:02] Is your site going to break if someone's password includes a space or a #?
[14:12:15] (because if they're using a wide character set, it's statistically almost certain to contain one of each type anyway)
[14:12:17] character set is a requirement usually in non-latin countries
[14:12:37] ppl tend to think that we have only latin or even worse, the english alphabet
[14:12:42] and it makes the 90% of users who'd otherwise use some short one-or-two-word dictionary password somewhat less brute-forceable
[14:13:14] and most of the population lives on that side of the globe...
[14:13:31] kubi: Sorry, I meant enforcing using digits, punctuation etc.
[14:13:48] other alphabets should definitely be allowed
[14:13:55] I'd be worried about charset reqs being a surprise break so you can't use eg: wide latin characters
[14:14:11] (among other things)
[14:15:22] do not enforce any digits
[14:15:39] any character-level enforcement is limiting the variety of passwords
[14:15:49] make it as wide as possible
[14:16:09] kubi: we could have Zero knowledge proof as a method to sign into web sites. But apparently passwords are soooooo much better
[14:16:16] and nobody at Firefox cares about innovation anymore.
[14:16:17] you can limit on simple patterns, like do not use your login name, or 1234556789
[14:17:37] kubi: for a long random password, the "limiting" is totally negligible
[14:17:59] yes
[14:18:07] and no
[14:18:21] because of what we were talking about at the beginning
[14:19:45] having different sites limiting you in different ways would make you use password managers (from post-it notes to whatever else tools)
[14:19:56] For a 15-character password, the probability of *not* containing at least one digit if you use A-Za-z0-9 and a bit of punctuation is about 2%
[14:20:11] yeah
[14:20:18] but one site says no punctuation
[14:20:38] that's pretty much no reduction in password space, for a dramatic increase in security of the 90% of passwords that people don't construct properly
[14:20:39] other says max 12 characters, 3rd says no kanji
[14:20:45] it is not the space
[14:20:54] not only
[14:21:11] that is the basic thing you need to worry about in relation to one site
[14:21:11] I'm sure password managers can handle this
[14:21:23] as long as you keep them safe
[14:21:34] If anything, it discourages users from reusing the same "random" password for multiple sites
[14:21:47] (which I'm aware of people doing)
[14:21:50] yes
[14:22:02] never underestimate ppl
[14:22:50] the best is when I get from the site that your password can't be the same as any of the 5 last and can't differ by only one character from them
[14:23:17] now, tell me, how do they know if it is only one character without storing the clear text?!
[14:24:14] then using the same "random" for multiple sites would just make sure that the operator of site A can reach all of the others
[14:24:21] In principle, they could store hashes of all one-character variations
[14:24:46] but random people are not prepared for this
[14:24:52] would be an awful lot of hashing though
[14:25:19] actually, an unhashed character sequence should not even leave my computer
[14:25:32] Indeed
[14:25:50] if I'm more paranoid, then not even my keyboard :)
[14:25:58] They *could* hash all one-character variations in JS in the browser
[14:26:02] but it would take a while
[14:26:09] yeah
[14:26:20] and the number of hashes sent would leak the password length unless there was padding
[14:27:09] I can't think of a reasonable way to do it
[14:27:14] but maybe there is one
[14:27:15] so, anyway
[14:27:41] whoever had the same pass for FB and anything else nowadays, go and refresh
[14:37:24] kubi: if you're sending out hashed passwords, the server needs to store plaintext passwords
[14:38:29] I was not precise
[14:38:46] or use a challenge-response login thing with nonces
[14:39:02] but nobody seems to like those
[14:40:21] (for a website, that would probably require JS to login. I can live with that)
[14:41:28] yes
[14:42:36] public-private keypairs etc. are far better than these password things
[14:42:57] if you have a secure channel and you trust the server then a password is OK
[14:43:00] the plain password would still leave your keyboard
[14:43:07] no other circumstances
[14:43:20] unless you have a proper keyboard :)
[14:43:28] but then it leaves your fingers...
[14:44:56] ID card authentication + fresh blood sampler
[14:45:47] what you have and what you know is normally needed, but makes the system complex
[14:46:06] I like the bankID in Sweden
[14:46:47] I used to use a Yubikey. it was a pain to recover accounts when it broke ;)
[14:47:27] recovery must be difficult or else anyone can recover
[14:47:40] you should not optimize for the easiness of it
[14:49:02] I still have my Yubi neo. don't use it much these days
[14:51:38] Anyway, I'm getting through some mandatory security training that is talking about the importance of defending against phishing
[14:51:54] kubi: for one account, I had to receive and return a form by (snail) mail. for another, I had to e-mail photographs of me holding my ID card and a note
[14:52:03] yes
[14:52:09] or even in-person auth
[14:52:54] I wouldn't think that to be useful
[14:53:18] bank ID SW certificate recovery requires you to go to the bank (that is the proxy of the authority, i.e., the state) or use a bank card reader to make it easy
[14:53:27] it's not much different from a photograph of me, ID and note saying "$date, $service, please reset my 2FA"
[14:54:01] I had to redo one of them because they need to see my arm holding the things
[14:54:08] yes
[14:54:09] so you couldn't shop it
[14:54:11] that is good
[14:54:30] so, making the recovery painful is not an issue
[14:54:50] if it is painful you do not make a mistake again
[14:55:29] or else it gets the hose again
[14:56:41] actually, all the smart card auth things are good
[14:56:53] like most ID cards nowadays
[14:57:18] the stupid thing is that there is no world-wide infrastructure and standard to make it ubiquitous
[14:58:03] and no good software, either
[14:58:28] trying to get the internal smartcard reader on a laptop to work was no fun
[14:58:39] (stupid me, using Linux, I know)
[14:59:49] that is why there need to be proper standards
[15:00:01] and a standard, by definition, is accessible to everyone
[15:00:07] not patented and stuff
[15:01:32] well, there's often a fee
[15:05:27] kubi: interestingly, this means that ISO doesn't publish standards
[15:07:49] Consider eg: ISO 8601. It's in 2 parts that cost 158 CHF and 178 CHF respectively
[15:08:05] https://www.iso.org/standard/70907.html https://www.iso.org/standard/70908.html
[15:10:08] an argument can be made that offering those for free would require sponsorship by states or corps
[15:58:33] (leaked) "Every other property that Twitch owns including IGDB and CurseForge" - hm. that might be relevant to KSP modders
[16:01:17] I usually quote sources but I guess the piratebay-Link/bittorrent-hash to the leaked archive is not interesting to anyone here? :>
[16:13:11] hrm
[17:18:43] some $ is not an issue
[17:19:34] for an individual it can be a lot
[17:19:52] but even a small company can afford these easily
[17:20:09] the problem comes with lock-ins and so on
[17:20:34] also, of course the biggest cost is if you want to connect your service to any of these platforms
[17:20:39] like payments
[17:20:48] security platforms are the same
[17:28:13] Connor Kerman was stranded on Minmus. A drone whizzed by him sending a message that he should get home alone. He jetpacked to orbit, then to Kerbin, aerobraked, refuelled his jetpack in the space station and did a jetpack deorbit. Because his parachute didn't work, he splashed down near the KSC. Hmm, I could have tried updating his status in the space station.
[17:44:17] there can be only one
[21:19:19] SpaceX is lifting the catch arm mount right now
[21:19:26] finally something big is happening!
[21:37:54] #KSPOfficial: mode change '+o raptop' by ChanServ!ChanServ@services.esper.net