Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I blogged about week ago: Some funny stuff for a change: I told my colleagues that we receive at least 5000 "hack attempts" aka failed logins daily to any of our public Internet facing servers. One of my colleagues just said to me: "Well, you're having such a password policy, that maybe those are actually failed login attempts and not hack attempts at all." - It really got me laughing. Yes, passwords, especially long complex and random ones are painful for users. Here's password of the day (opening and closing quotes aren't included in the password):"^j'lb#K-€3,<_úgWJdXå(n_6=41Bµ%cj!" Btw. Good luck guessing the password or finding it out using SHA-1 hashs or so. I know it's possible, it just might take a while. ;) p.s. This password still got less than 256 bits of entropy. I never really intented anyone to actually remember the passwords. I personally consider passwords as "shared secret", which is just a blob of random bits.


Passwords have been compromised before by being captured in server logs that ended up being accessible.

If you are logging failed password attempts anywhere, then you've got a security hole.

Here's the details on the breach I'm talking about http://ieeelog.com/


The fact that you can see the passwords is a bit worrying.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: