Screensaver takes too much time to fade-out...

Robert Moskowitz rgm at htt-consult.com
Thu Dec 15 18:30:42 UTC 2011


On 12/15/2011 11:30 AM, Jake Shipton wrote:
> On 15/12/11 15:32, Michael Cronenworth wrote:
>> Jake Shipton wrote:
>>> [snip]
>> Some of your advice is good, but some of it is not. Even though your
>> reply was to a known troll of this list, I'd like to respond to some of
>> your comments.
> Okay :-). I'll respond back to yours.
>
>>> Ensure when setting up your system you do not use the same password
>>> twice, or the same password you use anywhere else. Each password should
>>> be unique and should consist of Upper and Lower case letters, Numbers
>>> and Symbols (For example: MyPa55W0rd&2012&2011).
>> The password "this-is-fun" is just as secure as your example.
>> http://vivekgirotra.com/why-the-password-this-is-fun-is-10-times-more
>>
> Maybe so, but I am simply trying to advise from what I have learned over
> the years. I am in no way a professional or otherwise.

Unfortunately, in the area of passwords too many real security 
professionals have given bad advice.  So not being a security 
professional is not necessarily a bad thing here!

>
> I have simply done passwords like how I have shown in my example above
> for years, so it is how I advise them :-).

But the attack vectors have changed.  Cloud computing has put real 
cracking ability in the hands of everyday hackers.  I authored the 
original paper on attacking WiFi WPA-PSK passwords.  I did that because 
vendors were not putting ANY constraints on passwords, and you could 
enter a 4 digit pin with the first release of WPA products.  My paper 
caused a bit of consternation and DID get password minimums set to 8 
characters.  Good enough back in '03.  Now the attack is very easy with 
cloud computing.  I recommend that everyone look at SAE for WiFi 
security.  It is part of 802.11s, but can be used for general AP-STA 
security.  It is already implemented in the OpenAP code.  SAE (by my 
colleague Dan Harkins of Aruba) has NO offline attack and an active 
attack only gets one guess per try.  SAE is of the class of 'zero-based 
knowledge' password methods.  Anyway enough of a digression, just my 
point that attacks change over time and what was considered 'good 
enough' 5 years ago is no longer good at all.

Passphrases have ALWAYS been recognized as stronger than passwords, and 
easier to remember.  The problem in using them is that many systems 
would just truncate long passphrases or put strong limits on size of 
entry.  For some time UNIX login was so limited, for example.

I use a couple different styles of passphrases myself.

>
>>> [snip]
>>> Now you should set up your firewall
>>> [snip]
>>> Switch to ICMP Filter, and tick the following:
>>>
>>> - Echo Reply
>> Disabling ping on a workstation that is guaranteed to be behind a router
>> is pointless. Even if the workstation was directly connected to the
>> internet disabling ping is pointless. It will only make future
>> troubleshooting of network issues more difficult. Your internet presence
>> is not hidden by disabling ping.
> I am aware of that, for example a stealth scan with no ping will still
> pick up open ports. However, the person who I replied to claims to be
> under attack constantly. So why not? If you need to troubleshoot your
> network, it isn't difficult to re-enable the ping.

The age old argument about this wonderful network hack.  To allow pings 
or not to allow them.  I generally like them, but can agree that for the 
OP, disabling them for the 'warm fuzzy' is worth it.
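The password comparison argued over above, as an added example that is not from the thread or any of its participants: a character-class brute-force estimate next to a rule-based cracker estimate (wordlist lookup, leet-speak undone, 4-digit groups tried as years, separators charged as symbols) for the two strings quoted in the thread. The wordlist, its assumed size, the year range and the per-rule costs are constructed assumptions, so only the gap between the two estimates is meaningful, not the absolute bit counts.

```python
import math
import re

# Assumed attacker model (constructed for illustration; a real wordlist and rule
# set are far larger, so compare the two estimates rather than trust either number).
WORDLIST = {"my", "password", "this", "is", "fun"}
WORDLIST_SIZE = 100_000      # assumed number of base words the cracker iterates
YEAR_RANGE = 200             # assumed: 4-digit groups are tried as years 1900-2099
LEET = {"4": "a", "3": "e", "0": "o", "1": "l", "5": "s", "7": "t"}
CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: not c.isalnum(), 33))


def brute_force_bits(pw: str) -> float:
    """Naive estimate: every character drawn uniformly from the classes used."""
    alphabet = sum(n for test, n in CLASSES if any(test(c) for c in pw))
    return len(pw) * math.log2(alphabet)


def _segment_bits(run: str) -> float:
    """Cheapest split of a run into wordlist words (log2(WORDLIST_SIZE) each) or
    leftover characters enumerated one by one (log2(36) each, alphanumerics)."""
    best = [0.0] + [math.inf] * len(run)
    for end in range(1, len(run) + 1):
        for start in range(end):
            chunk = run[start:end]
            cost = math.log2(WORDLIST_SIZE) if chunk in WORDLIST else len(chunk) * math.log2(36)
            best[end] = min(best[end], best[start] + cost)
    return best[-1]


def pattern_bits(pw: str) -> float:
    """Rule-based cracker estimate: undo leet-speak inside word runs, treat 4-digit
    groups as years, charge one bit per leet swap and per capital letter."""
    bits = float(sum(c.isupper() for c in pw))            # capitalisation choices
    for token in re.findall(r"[a-z0-9]+|[^a-z0-9]+", pw.lower()):
        if token.isdigit():                                 # pure digit group
            bits += math.log2(YEAR_RANGE) if len(token) == 4 else len(token) * math.log2(10)
        elif token.isalnum():                               # word run, maybe leet-spelled
            plain = "".join(LEET.get(c, c) for c in token)
            bits += sum(a != b for a, b in zip(token, plain)) + _segment_bits(plain)
        else:                                               # separators and symbols
            bits += len(token) * math.log2(33)
    return bits


def compare(pw: str) -> dict:
    return {"brute_force_bits": round(brute_force_bits(pw), 1),
            "pattern_bits": round(pattern_bits(pw), 1)}
```

Under this model compare("MyPa55W0rd&2012&2011") gives about 131 bits by character class but only about 58 against the rule-based cracker, while compare("this-is-fun") gives about 65 and 52, so the two strings land within a few bits of each other once predictable structure is priced in. Words of three letters or fewer cost less to enumerate character by character than to look up, so the passphrase's strength in this model comes from adding more or longer words, not from the hyphen pattern itself.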
