be allowed to still interact with the UI to perform deletes on messages while the list of messages is actively being refreshed
so that:
the email list shifts just as I'm clicking, deleting the wrong email, and then the results vanish so quickly that I may not even notice that I deleted the wrong one
@lapo @ryanc Very reasonable for the what3words use case ... but may get tricky as the target keyspace gets larger. Short wordlist for something like passwords turns into 7 or more words to get enough keyspace. And the "humans can keep 5 to 9 things in short-term memory" means that rehearsal of 5 things to try to commit it from short-term to long-term keeps memorization manageable for a greater number of users.
@ryanc I see your point - though personally, I'd rather ask them to learn a couple of new words, than ask them to remember 7 words to approach equivalent keyspace.
(To be clear, we're talking about truly "must be memorized" secrets: the "initial" passwords to your password manager, your AD / VPN login, etc.)
These NIST principles:
"length is more important than complexity"
"forced rotation is bad"
... are a start, but they are all outdated proxies for the only true password principle:
"uniqueness is more important than anything"
This uniqueness is not terribly hard. A five-word random passphrase from a 20K+ dictionary, with no other requirements:
is globally unique for most practical purposes
is longer than every platform's minimum
is infeasible to crack for most threat models¹
can be memorized without a ton of effort
And if you're dealing with a system that enforces other complexity, just apply the same complexity every time. This is safe because the strength of the password comes from the number of combinations. Capitalizing the first word, and appending 1 and an underscore is what I do to meet naive complexity. And I'm totally fine sharing that with the world because that's not what makes my passwords strong.
And if the platform has a length maximum, it's usually not one that requires memorization, and the password can just be set to random 15 ASCII chars and stored in your password manager.
tl;dr Give your users a password manager, and teach them to make random passphrases for their must-be-memorized secrets. Anything else is wasting time, teaching them things that are already outdated.
¹This is 3×10²¹ combinations. Worried about nation states or aliens? Use a bigger wordlist ... or just add one more word. Instantly makes it 20K+ times harder to crack (6×10²⁵).
@baloo Fair point. Sure wish the click-tracking frameworks all had an easy "BYO subdomain" feature so that small shops could easily make in-domain redirects easy.
In a world where adversarial reconstruction of social/influence network propagation is likely, I imagine things like "demure/mindful" are like radioactive dye -- added to trace where it goes.
Or maybe a flex - to prove to others where it can go.
@grumpybozo Part of the less-ethical sales-pressure API is to push social/guilt buttons to incent giving in. You very likely did nothing to trigger it (other than saying no). I wouldn't give it another thought.
@xabean No immediate hits - permuted case and leet for both 'Yealink' and 'YealinkPhone', and appended and prepended all sorts of stuff (all possible 4-char suffixes, etc.) ... nothing so far
@xabean Depending on sensitivity, Hashes.com has a bounty / escrow system (free). Or you could upload it as a 'user list' to HashMob. Or you could let me take a ... crack at it (2x 4090s). :D
Edit: a third option, if you know hashcat and Docker, is to just rent a chunk of GPUs through vast.ai or similar.
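As an added illustration of the candidate space behind "permuted case and leet ... and appended and prepended all sorts of stuff" (not the poster's tooling, and not a record of what was actually run), the generator below enumerates every per-character case toggle and leet substitution of a base word and counts how many candidates a 4-character affix on each side would add. The leet map is my own assumption of a common set; the 95-character alphabet is the printable ASCII set that hashcat's `?a` mask charset covers, and the affix counting mirrors its hybrid modes (`-a 6` wordlist+mask, `-a 7` mask+wordlist) without invoking hashcat.

```python
import itertools
import string

# Assumed leet substitutions; hashcat rule files and other crackers use
# varying tables, this is just a representative one.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Printable ASCII (95 chars), the same set hashcat's ?a charset covers.
PRINTABLE_95 = string.ascii_letters + string.digits + string.punctuation + " "


def char_options(ch: str) -> list[str]:
    """All forms one input character may take: lower, upper, and any leet form."""
    opts = {ch.lower(), ch.upper()} if ch.isalpha() else {ch}
    if ch.lower() in LEET:
        opts.add(LEET[ch.lower()])
    return sorted(opts)


def mutate(base: str):
    """Yield every distinct case/leet permutation of base."""
    for combo in itertools.product(*(char_options(c) for c in base)):
        yield "".join(combo)


def count_mutations(base: str) -> int:
    """Size of mutate(base) without enumerating it (product of per-char options)."""
    n = 1
    for c in base:
        n *= len(char_options(c))
    return n


def affix_keyspace(base: str, affix_len: int, alphabet: str = PRINTABLE_95) -> int:
    """Candidates for: every mutation, with affix_len chars appended OR prepended."""
    per_side = count_mutations(base) * len(alphabet) ** affix_len
    return per_side * 2


if __name__ == "__main__":
    base = "Yealink"
    variants = list(mutate(base))
    print(f"{len(variants)} case/leet variants of {base!r}, e.g. {variants[:3]} ...")
    print(f"with a 4-char printable affix on either side: {affix_keyspace(base, 4):,}")
```

The point the numbers make: the base-word mutations are cheap (hundreds), and it is the affix mask that drives the count into the tens of billions, which is why a wordlist+mask hybrid is still a quick job on a couple of GPUs for a fast hash but not something to enumerate to disk.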
@wdormann I even opened a ticket for too-narrow grabbable window edges on the Linux side. The response I got was "we're not changing that, there's a workaround -- hold down the ALT key and right click when you're dragging near that edge". So now I have to remember which OS I'm on every time I need to do this. It's just so ... unnecessary.
Just doing my undue diligence.
ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek. Husband to a philosopher, father to a llama fanatic. Views his.
Day job: Enterprise Security Architect for an Alaskan ISP.
Obsessed with security keys: techsolvency.com/mfa/security-keys
My 2017 #BSidesLV talk "Password Cracking 201: Beyond the Basics": youtube.com/watch?v=-uiMQGICeQY&t=20260s
Followed you out of the blue = probably stole you from follows of someone I respect.
Blocked inadvertently? Ask!
Am I following a dirtbag? Tell me!
Photo: White 50-ish man w/big forehead, short beard, & glasses, grinning in front of a display of Alaskan license plates.
Boosts not about security ... usually are.
Banner: 5 rows of security keys in a wall case.
#NonAIContent #hashcat #Alaska #YubiKeys #LicensePlates
P.S. I hate advance-fee scammers with the heat of 400B suns
❤️: ⚛👨👩👧🛡🙊🌻🗽💻✏🎥🍦🌶?