I really suggest that you read some book on security (e.g. Writing Secure Code, MS Press).
There is more to security programming than a CheckPassword() function. And since you mentioned a server, things like DoS and similar attacks come into mind.
Think about
Andreas
Vote against software patents in Europe
Andreas Saurwein wrote:
There is more to security programming than a CheckPassword() function
I was just using that as an example.
I do have to worry about DoS etc. but my server doesn't really do anything that could be exploited yet. I was merely saying that my project is in its infancy and is even close to exposing critical information.
Andreas Saurwein wrote:
Writing Secure Code, MS Press
Thanks for the book suggestion I will have to check that out.
- Matt Newman / Windows XP Activist
-Sonork ID: 100.11179
Could you Would you with a goat? - Dr Seuss
When you work in a bank... security is always an issue... I'm really paranoid with security... just as my bosses
Mauricio Ritter - Brazil
Sonorking now: 100.13560 Trank
Alcohol is one of the greatest enemies of man, but a man who flees from his enemies is a coward.
I do GSM MO & BioMetric Solutions and security is really a big issue. Especially if you ship products worldwide!!
Empowerment through development. If the development only WANTS TO WORK!!
I think we've gone a little paranoid on security. I can't believe the number of places that expect me to supply a password these days. I've gotten to the point now that, if someone expects me to set up an account and supply a password in order to upload shareware to their site, I simply say "no".
And I have a small set of passwords that I use for everything, along with a simple set of rules for deriving new ones. Maybe the security "experts" (parasites?) think this is a bad idea, but I have to live in the real world.
Jim, I keep a simple text file on my PC that has been encrypted by one password using a simple app.
The text file contains all my accounts, usernames/IDs and passwords that I use.
Darn boring but it works.
All I have to remember is one master password and I have access to the rest.
"Maybe I should make a proper app that does this", because I find it so darn useful.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
There are actually a ton of password managers available for free that do this (even though I'm about to write one in C# just for the hell of it.) Search for "password managers" on Google and pick the one you like.
Kevin
I should have guessed they were already available.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Kevin Stewart wrote:
There are actually a ton of password managers available for free that do this (even though I'm about to write one in C# just for the hell of it.) Search for "password managers" on Google and pick the one you like.
Maybe they have a backdoor
That would be a good reason to write one yourself
Many web sites don't seem to require an account for security, but for acquiring your e-mail address...
It's hard to scratch your ass when you sit on it. [sighist]
"None - we just don't care"
Most real security is real security, not code.
Like leaving passwords lying around, easy passwords,
file size checks, logs etc.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
I'm always amazed by how easily people will tell you their passwords. It's just not something that's taken seriously in a good many cases.
--------
A common man's understanding of science. Not a normal common man's of course. A very smart common man's. -- Nish, on Science Writing
ring ring ..
"Hello I'm John CrazyHorse from the special security detail can I check your details for an investigation we are doing for your employer."
Actually, hacking a network from the outside is quite difficult in comparison.
I know a lot of IT departments spend small fortunes on techo stuff, when they should be training employees on the basics.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Colin Davies wrote:
when they should be training employees on the basics
You mean the infamous don't be dumb course?
Cheers,
Simon
"Every good work of software starts by scratching a developer's personal itch.", Eric S. Raymond
SimonS wrote:
You mean the infamous don't be dumb course?
Very similar.
I think that's the idea. I'm often amazed by, say, a secretary who has used MS Word for several years but can't send an email.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Or just take their post-it note pad away from them..
Alice thought that running very fast for a long time would get you to somewhere else. "A very slow kind of country!" said the queen. "Now, here, you see, it takes all the running you can do, to keep in the same place."
So, errr... what is your password, I forgot?
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
I have a problem with the use of high-security password setups - trying to remember "45lkjfr8o7fw8o734iHoUUufriufds87r4" as my password is a little more than difficult.
Stopping people using password01, password02, password03, password04 etc. is reasonable.
Alice thought that running very fast for a long time would get you to somewhere else. "A very slow kind of country!" said the queen. "Now, here, you see, it takes all the running you can do, to keep in the same place."
Yup, the user is the weakest link.
But why shouldn't they be? They are asked to use passwords they can't possibly remember, to use different passwords everywhere, to have them handy any time they might need them, but not to have them jotted down under their keyboard?
Sounds silly.
It's hard to scratch your ass when you sit on it. [sighist]
Those are very good points. I would also add poor network management and limitations of certain popular operating systems. Consider the likelihood that, within a group of workers, each will occasionally need access to the others' machines:
Ideally, they would log on under their own names, using their own passwords, and be restricted from accessing files the machine's owner considers private. A machine on the network should be no more and no less safe than a machine not on the network.
In reality, the users would probably end up either needing an account on each machine, or learning each other's passwords. Consider which one is quicker to accomplish.
peterchen wrote:
[sighist]
Nice!
--------
A common man's understanding of science. Not a normal common man's of course. A very smart common man's. -- Nish, on Science Writing
Shog9 wrote:
In reality, the users would probably end up either needing an account on each machine, or learning each other's passwords. Consider which one is quicker to accomplish.
So someone needs to invent a keyboard which will detect your fingerprints while you type and if you are not the right person it will send many volts of electricity through your fingertips.
-Jack
To an optimist the glass is half full.
To a pessimist the glass is half empty.
To a programmer the glass is twice as big as it needs to be.
Ahhh Star Trek...
with the famous 20000V exploding keyboards!
I love those - gotta get me one.
Dave Huff
Igor would you give me a hand with the bags?
Certainly - you take the blonde and I'll take the one in the turban!
When you put it like that, it sounds hard for users.
Maybe something should be changed.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Smart cards are a good idea... but then again, they can be stolen, lost, left behind, etc. But c'mon guys, security, privacy, who needs them anyway?