Comments
Okay, I'll happily do it, but I do think we're veering a little off topic right now, so I think we should either end it in the next few posts or move over to the chest pit - I am happy to keep roasting you there if you'd like... but, go on, I'll bite. Which bits? Bear in mind you edited in the last line again while I was typing.
As a sysadmin it's just as worrying; you should know about security and be able to make informed decisions, if people are paying you, about simple distinctions like hashes and encryption methods.
If you meant the chance it could happen, that's still not good enough when better alternatives exist. What you're proposing isn't better but inferior and the new method would be rather trivial to integrate.
THEN DO IT YOURSELF.
If you don't like it, don't use it!
Edit: You seem to have a serious problem taking criticism.
How can I do it? The source isn't public yet.
Showing your true colours as a sysadmin, though: now you think it's a good idea to ship a product to the public, to be used by anyone in countless ways, without them being aware of it because they didn't see this thread, and have a big hole left in their security in the future, be it near or far. You never know in internet security.
I think it's exceedingly worrying you have this attitude so close to the Heartbleed incident. Completely different executions and attacks, but the cause was rolling your own and saying 'I probably know just as well as the guys who devote years to studying this'.
Heartbleed took two years to leak out to the public. How long can your systems hold up?
Yawn. Talk about off-topic. Do you even want me to get started on you?
My systems are secure, thanks. I had the Heartbleed bug patched within two hours on all my systems, then performed the usual checks for possible intrusion. Nothing.
Edit: Then you've got nothing to contribute further to this until the source is released. Once that happens, feel free to come back and rape the thread about how I was so wrong and the software is full of holes etc, etc, etc.
I think we're done here then. You're ignoring my posts and just adding hyperbole. Your comprehension is obviously still off, as you totally missed the point I was making about Heartbleed and your systems.
I guess I'm just happy you're as far away as possible from administering any of my VMs or VM nodes.
I'm happy you're not a customer of mine. I'd imagine you're never satisfied with anything and file chargebacks on the daily. Have fun, kiddo.
You obviously read a lot of the thread, as you think I wrote it. There is no known computer that can crack AES-512 encryption with a sufficiently long passphrase.
Interesting... the link you previously posted doesn't say anything about that at all. The entire security mention is: "kept safe and secure".
And it's talking about customers' data - this isn't customers' data, it's your data.
I don't think anyone is arguing in favour of poor security - in fact the OP did take on board complaints/suggestions and made improvements.
Indeed you could. So what is your proposed solution to prevent my first guess from breaking into your app? The advantage of bcrypt is the longer length of time it takes to crunch the strings, which causes the entire process to take longer. It doesn't stop me "guessing" right first time.
Without actual access to the database all these wonderful mathematical numbers are purely theoretical, because the internet and forms-based logins have the same "slowing" effect as bcrypt.
The OP has added the SHA-3 hash to stop you from having multiple passphrases and so increasing the risk of your data becoming inaccessible. Perhaps an option to not check the hash, as the storing of the hash seems to be the main point of concern?
Personally, if I was attempting to hack this I would target the web server, modify the .js to change its behaviour and store the passwords in a form that appears encrypted to the end user but where the key is known to me also.
So as a user, when storing password and user info in here (or in commercially available products) I would be storing incomplete strings, or strings where, say, the first and 11th characters had been swapped.
And while I cite facts, you cite assumptions. Nice.
**Something being secure today does not mean it's secure tomorrow, and it's irresponsible to not use better alternatives that are tried and tested. There was a time when people recommended MD5 to hash passwords. It does not mean it was secure.**
These would all cover it to a degree: handled according to people's data protection rights, kept safe and secure, not transferred outside the UK without adequate protection.
No, but it keeps the attacker away for longer on most attacks until something better is available again, at which point I will tell anyone using bcrypt to move.
So because one vector of attack would be slower, security best practices don't matter? What if they have a dump of the database?
Or maybe just keep it convenient for the user and use a passphrase while still being in line with best practice.
Good luck on your attack, OP didn't talk about the way they were stopping XSS attacks. Maybe I would be able to help there further if I didn't have to rely on my crystal ball.
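The "what if they have a dump of the database" point above is the crux of the bcrypt argument, so here is an added illustration (example code, not HostLogin's) comparing the per-guess cost of an unsalted SHA-3 verifier with a salted, deliberately slow KDF once the web form's rate limit no longer applies. PBKDF2-HMAC-SHA256 is used only as a standard-library stand-in for bcrypt, and the passphrase and salt are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed sample master passphrase; nothing here is taken from HostLogin.
SAMPLE_PASSPHRASE = "correct horse battery staple"


def sha3_check(passphrase: str) -> bytes:
    """Unsalted SHA-3 digest of the passphrase: one fast hash per guess."""
    return hashlib.sha3_256(passphrase.encode("utf-8")).digest()


def slow_kdf_check(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, deliberately slow verifier. PBKDF2-HMAC-SHA256 stands in for bcrypt
    here only because it ships with the standard library; the cost-per-guess idea is the same."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def verify(stored: bytes, computed: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(stored, computed)


def _seconds_per_call(fn, repeats: int) -> float:
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def offline_cost_ratio(iterations: int = 200_000) -> float:
    """How many times more expensive a single offline guess becomes when the stored
    verifier is a slow salted KDF rather than a bare SHA-3 digest. This is the factor
    that matters once an attacker holds the database and no login form slows them down."""
    salt = os.urandom(16)
    fast = _seconds_per_call(lambda: sha3_check(SAMPLE_PASSPHRASE), repeats=2000)
    slow = _seconds_per_call(lambda: slow_kdf_check(SAMPLE_PASSPHRASE, salt, iterations), repeats=3)
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = slow_kdf_check(SAMPLE_PASSPHRASE, salt)
    print("correct passphrase verifies:", verify(stored, slow_kdf_check(SAMPLE_PASSPHRASE, salt)))
    print("wrong passphrase verifies:  ", verify(stored, slow_kdf_check("wrong passphrase", salt)))
    print(f"each offline guess costs ~{offline_cost_ratio():,.0f}x more with the slow KDF")
```

The ratio is what a dump hands back to the defender: the same guess that costs one SHA-3 call against the unsalted hash costs many orders of magnitude more against the salted KDF, and the salt stops one table of precomputed guesses from covering every user.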
TLDR
Some people, and most of us, believe that the latest encryption technology is bulletproof. IMHO that's totally wrong. But I'm just a noob!
Just an FYI, I don't even use HostLogin. I use:
http://www.guengel.ch/myapps/yapet/
That's a nice piece of software.
Good project, a lot of concern. It'll be great if it's open-sourced so that people can host it themselves. There are some things too important to hand over to a third party without (a lot of) confidence.
Coming soon