Password Security (and my new blog)

[unicityd]

Recently, I've had several discussions (online and offline) about password security, password hashing algorithms, and what it is that we're trying to accomplish.  I ended up starting a blog so I had a place to publish everything.  The articles up so far are about password security, but I plan to publish more on other (mostly application) security issues.  I hope that what I've written will be of interests to the folks here.

So far, I've posted about why rainbow tables aren't as powerful as people think, how long passwords actually need to be to withstand an online or offline attack, and an analysis of what we're actually trying to accomplish with salting, stretching, delay timers, expiration etc.

The blog is here: http://bugcharmer.blogspot.com

Feedback is welcome.

[fred]

ok buddy congrats but i have a question when u can have a website for free with all features that other sites has, why u still write weblog?

[3xban]

functionality and security would be a prime reason I would.  I have a site and host that I pay yearly for.  The cost is minimal based on all the unlimited features I have.  I also can install a number of applications on the site ranging from Wordpress to Jabber chat.  Problem is that I could either let them install and have little to manage but also little to customize or manually install and have to worry about keeping the code clean and updating it regularly.  If you go with a blogspot or tumblr account, all you really have to worry about is the content.  Plus both of these services are free.

I've been considering taking most of my site down until I can make some time to update everything but I have a game forum that a handful of people use.  When I had more time, I enjoyed messing around with the website but now I just need something to work.

[unicityd]

ok buddy congrats but i have a question when u can have a website for free with all features that other sites has, why u still write weblog?

I don't have to do any maintenance or setup.  I can just write, check my stats once in a while, etc.

[fred]

with www.zymic.com u can have a free web host with amazing features and u can register a .tk domain fo it (free) so creating a free and good website is not so hard man

[3xban]

missing the point Cyber.Spirit.  Eventually we just want a site to work and do what we need it to do without having to worry.  Hosting a full site when you just want to write a regular blog is overkill by today's standards.  Even with free sites, you still need to worry about maintenance, whether you do it or the host does it.  Most of my site is maintained by the host but there are pieces that fall to me to manage and can be exploited if I don't keep up on it.  If I just want to post to a regular blog, it is much easier to sign up for the free Blogspot account.  That way I can tweet my thoughts and concerns and reference the blog for more content that can't fit in the standard twitter post. 

Also one thing I find great about maintaining a blog is the writing practice.  As you go further in your Security career, you will find this becomes a must have skill.  It can eventually lead to possibly doing talks at the local Bsides event, SchmooCon or DerbyCon.

[chrisj]

3xban,

running my own full sites is what lead me to speaking at Bsides Detroit, GrrCON and DerbyCon this year.

I'm also teaching a workshop to a local Security User group (MiSEC) in Aug.

You'd be surprised what doing something for personal learning, and brushing up on skills can lead to.

[impelse]

3xban,

running my own full sites is what lead me to speaking at Bsides Detroit, GrrCON and DerbyCon this year.

I'm also teaching a workshop to a local Security User group (MiSEC) in Aug.

You'd be surprised what doing something for personal learning, and brushing up on skills can lead to.

This is the second time I heard about that. Maybe something to consider

[unicityd]

3xban,

running my own full sites is what lead me to speaking at Bsides Detroit, GrrCON and DerbyCon this year.

I'm also teaching a workshop to a local Security User group (MiSEC) in Aug.

You'd be surprised what doing something for personal learning, and brushing up on skills can lead to.

I'm working full-time and going back to school.  Even a small amount of extra time to maintain a full site would be a deal breaker for me.  Once I'm out of school, I might do that; especially if I need to release code, exploits, etc.

[chrisj]

I'm working full-time and going back to school.  Even a small amount of extra time to maintain a full site would be a deal breaker for me.  Once I'm out of school, I might do that; especially if I need to release code, exploits, etc.

I work full time, I go to college (university) part time, I run a local lock sport group and involved in a few others. I have 2 sites (one server), a podcast, and an active member in 2 security groups. the time is there, you just have to learn to manage it.

[3xban]

Show off   Understandable though and I agree.  But again if time is limited then you pick your filler for the little spare time you have.  Mine is reverse engineering malware.  Once I have a bit more I may circle back to building out my site.

[unicityd]

But again if time is limited then you pick your filler for the little spare time you have.  Mine is reverse engineering malware. 

Mine is crypto.  I heart teh maths.

[fred]

missing the point Cyber.Spirit.  Eventually we just want a site to work and do what we need it to do without having to worry.  Hosting a full site when you just want to write a regular blog is overkill by today's standards.  Even with free sites, you still need to worry about maintenance, whether you do it or the host does it.  Most of my site is maintained by the host but there are pieces that fall to me to manage and can be exploited if I don't keep up on it.  If I just want to post to a regular blog, it is much easier to sign up for the free Blogspot account.  That way I can tweet my thoughts and concerns and reference the blog for more content that can't fit in the standard twitter post. 

Also one thing I find great about maintaining a blog is the writing practice.  As you go further in your Security career, you will find this becomes a must have skill.  It can eventually lead to possibly doing talks at the local Bsides event, SchmooCon or DerbyCon.

3xban im working on my new website with free host and domain man its not overkill blogs services has many disadvantages you just get a subdomain (example.blogspot.com) you cant design your blog freely you cant upload your files and create direct download links. users cant log in to your website and so on...

But with a free host and domain you can have all of above features and some another features too. if your problem is security you can run a pentest on your web application (you cant run pentest on the web server because its not legal.)

Then when you can have your own domain your own host your own web design and many of amazing features i think blog services are sucks..... im sure they have vulnerabilities also

CyberSpirit......

[fred]

and i missed something blog services must be so thankful of us because people made blogspot famous (example) without those people blog services are useless im wondering even if they understand it they wont give people some good features   

[3xban]

But again if time is limited then you pick your filler for the little spare time you have.  Mine is reverse engineering malware. 

Mine is crypto.  I heart teh maths.

Nerd   I don't mind math.  I was hanging at a Ruby meetup a few weeks back and they started doing situational calculus in the "Math Room" of my friend's office.  I am watching these guys go to town with an explanation of the math and then I realize, holy crap, I sort of understand this.  Then it dawned on me, oh that wonderful Intro to Logic class I took way back in college.  I felt briefly smart.  I think they were just doing it for kicks.