#1 posted February 11, 2015 at 7:09am (EST)  
I lost my link! You know, the one that automatically logs me in? something like,,,,,
bill Bronze Star Survey Creator
#2 posted February 11, 2015 at 8:22am (EST)  
A few years ago I upgraded the site's security in a few ways. One of the main things I did was stop storing passwords "in the clear". Another way of saying that is that SC no longer knows your password. Instead it stores an encrypted version of it that can only be generated by using the right password.

Initially, I hadn't given security on SC much thought because it's just a fun site and there's little at risk here. But, then I heard about some cases where hackers exploited people's tendency to use the same password on multiple sites. So, for example, your password on SC may not matter. But, maybe it's the same password you use everywhere, including your bank. That makes SC the weak link if I store passwords in the clear. And, having that P=mypassword thing in the link is quite bad too (e.g. if your computer was broken into, a hacker would get it easily).

So, that sign-in link was phased out. For one, the site no longer knows your password. But, it's also just bad security to put that sort of thing out there.

I realize that link had its uses. Most people shouldn't need it if they use a private computer. They can just stay signed on; cookies will remember them.

Also, just to mention, another thing I did was change the password field to allow for much longer strings. It's really more of a passphrase now. And, it accepts any character. Thus, you can have a password that is a sentence. The nice thing about that is you can have it be something that's much easier to remember, but is secure because of its length. For example, you might use "I love beer so much it hurts sometimes." or "*beer* *beer* *beer*" or "My mom raised me to drink beer." etc. This, as opposed to something like Wjx7@#j7d! which is secure because of all the different characters but hard to remember.

That said, the truth is the U=user&P=password link is still technically possible to create. So, if you insist on using it, send me a private reply and I can try to walk you through it. Roughly speaking, I think you can just fill in your password (which I don't know, but you do) into a link like you posted and it still works. It's just bad. Alternately, there's a way to do it with the encrypted passphrase string that usually works too. It's a long/ugly link, but it's a bit better because it won't actually have your password in it (e.g. if you get hacked or something).
#3 posted February 12, 2015 at 7:20am (EST)  
I completely understand. I am usually here from my work computer, so I have Firefox clear everything upon exit. It's no big deal to type my password. However, I think I will go change my password to something longer and more fun! Beer
they Survey Central Subscriber Bronze Star Survey Creator
#4 posted February 13, 2015 at 7:08am (EST)  
I completely understand too! This was interesting. Bill, I wish you wrote my HTML CSS & Java textbook. Maybe it would be less dry. (I'm still having tons of fun with it anyway). Which category does all this password stuff fit into? I think it would be funny to surprise my professor with a password requirement when he goes to check my homework raspberry.
bill Bronze Star Survey Creator
#5 posted February 13, 2015 at 9:01am (EST)  
Hm. I'm not sure what the category might be. Security or cryptography, I guess. It was a couple years ago when I made the changes. It's not that fresh in my head at the moment. At the time, I think I just searched for online articles about it. I found a couple that made the most sense to me and took their advice. Though, it wasn't the most common advice. I'm not sure I could track them down at this point. But, I'll look.

I don't actually think there's a great deal of agreement on the matter. Some sites still believe in security questions, for example. I think all the bank websites I use do that. But, I read some stuff that said it was crap and I personally think it's dumb/annoying too.

The actual encryption algorithm matters, though I get to the end of my understanding here. I ended up using "bcrypt". I recall one of the features it has is that it's a bit slow to calculate an encrypted message. So, that makes the brute-force attempt to crack passwords (where you just keep guessing) take too long. Encryption is a huge sub-topic and can get very math intensive. It's like prime numbers, truly random numbers, "salt" and other stuff. I don't know much about it really, but I think I more or less grasp some high-level concepts. There's probably a good concise web page that explains it somewhere...

I think Bruce Schneier is one of the best minds out there on the topic of security and encryption. Though, he's often challenging what others are doing. Here's an example: It might be a little technical, but hopefully understandable.

Just learning about the basics of how encryption works is kind of cool. When I was a kid, a friend and I used to make up codes where we just wrote out an alphabet then what the letter should be changed into for the code. What computers do today is not so different from that. But, there are some smart things that have been built on top of it.

Even the Germans did some of it in WW2 using a machine called Enigma. And, the British famously cracked their code. There have been a couple recent movies about Alan Turing that likely tell the story. Part of how the Germans made it harder to crack is that the Enigma machine kept changing the letter-for-letter equivalence. So, when you decode the first letter in a message, it may be that 'a' is really 'g', but when you do the next letter 'a' is now really 't'. So, the trick then becomes figuring out how the code changes. And, that has gotten very sophisticated these days. It's to the point where we basically have ciphers that can encode a message (or a password) in a way that's very hard to crack. So, we can generally take for granted that if you have some encrypted message, it can't be decoded without the right key (or password). So, that's all great. But, now some of the focus has shifted more to what we actually do with that. Because people can still do dumb stuff that undermines the actual security.

Saving passwords in the clear is one dumb thing to do. Using an overly simple password like a word that's in the dictionary is also dumb because a hacker can just try every word in the dictionary. Part of what's going on is that people can use the incredible power of computers to just try lots of things (brute force) to crack something. Some encryption methods that used to be fine are no longer considered good because computers have gotten so much faster that they can be cracked in a day or so (where it used to be 100 years or something).

Maybe Khan Academy might be a good place to learn about cryptography:
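
Added example, not part of the thread or the site's own code: a sketch of what bill describes in posts #2 and #5, storing only a salted, deliberately slow hash and checking a sign-in against it. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the record layout, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor: more iterations = more time per guess for an attacker.
ITERATIONS = 200_000


def hash_password(passphrase: str, iterations: int = ITERATIONS) -> str:
    """Return the record a site would store instead of the passphrase."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    # Hypothetical record layout: scheme$iterations$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(passphrase: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, int(iters))
    except ValueError:  # malformed or truncated record
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than today's."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    phrase = "My mom raised me to drink beer."  # passphrase quoted in the thread
    record = hash_password(phrase)
    print(record)                            # no passphrase text in the record
    print(verify_password(phrase, record))   # correct passphrase is accepted
    print(verify_password("beer", record))   # wrong guess is rejected
    print(hash_password(phrase) == record)   # same passphrase, new salt, new record
```

Because each record carries its own salt and iteration count, the work factor can be raised later and old records flagged by `needs_rehash` for upgrade at the next successful sign-in.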

#6 posted February 13, 2015 at 12:27pm (EST)  
Here is a place you can go to to check your password strength. Personally I would not use a real password that you are using, but one approximating it.

And this site will give you an approximation of the time it would take to crack it.

bill Bronze Star Survey Creator
#7 posted February 13, 2015 at 12:47pm (EST)  
"My mom raised me to drink beer." scores well on both of those. yes
#8 posted February 16, 2015 at 7:41am (EST)
edited February 16, 2015 at 7:42am (EST)  
My SC password seems secure.

It would take a desktop PC about 178 quadrillion years to crack your password
bill Bronze Star Survey Creator
#9 posted February 16, 2015 at 11:11am (EST)  
Well, we better get started cracking it in that case.
#10 posted February 17, 2015 at 5:33am (EST)
edited February 17, 2015 at 5:33am (EST)  
You can start cracking the password bill.
I'll be with FG cracking a few Beers waiting for you smile
Heck I'll even fry up some bacon for when you get there.
#11 posted February 17, 2015 at 7:07am (EST)  
So 178 quadrillion years of Beer and bacon? Sounds good. We let Bill have some too, right?
bill Bronze Star Survey Creator
#12 posted February 17, 2015 at 7:17am (EST)  
I think I saw a Twilight Zone episode once where the main character thought she went to heaven because it was all Beer and bacon there. But, after the first quadrillion years, she got sick of Beer and bacon (shocking, I know... but a quadrillion years is a long time). Then she realized she still had 177 quadrillion years of it. She was in hell!
#13 posted February 17, 2015 at 10:32am (EST)  
oh... so the beer was probably warm... yeah, that would suck.
#14 posted February 18, 2015 at 4:38am (EST)  
And the bacon was probably turkey and not good ole pig bacon
#15 posted February 18, 2015 at 7:28am (EST)  
Oh come on now... why ruin a guy's day? smile
#16 posted February 18, 2015 at 12:41pm (EST)  
Hey you know me. I am the pessimist here (I think there was a survey with an attached test that proved that laughing out loud)
#17 posted February 19, 2015 at 7:21am (EST)  
laughing out loud Oh ok. But turkey bacon? Really?
bill Bronze Star Survey Creator
#18 posted February 19, 2015 at 7:55am (EST)  
Full disclosure: the bacon icon bacon is not made from a pig.
#19 posted February 19, 2015 at 10:54am (EST)  
Interesting stuff, I read some on this too - Mitzie is paranoid about this stuff and at one time I had an encryption and shredding software up to Blowfish, DoD and 256AES and all kinds of crap, then I thought is someone really gonna try and breakthrough my encryption for my online porn downloads?

My friend told me (a computer guy) that 99% of the time it's not some super hacker etc, it's usually someone careless with their password, a bitter ex-employee etc etc

Regards David

#20 posted February 19, 2015 at 12:03pm (EST)  
bill wrote:
> Full disclosure: the bacon icon bacon is not made from a pig.

NOOOOOOO! We want real food that means delicious bacon from a pig. laughing out loud
bill Bronze Star Survey Creator
#21 posted February 19, 2015 at 1:44pm (EST)  
David - Blowfish porn? That's weird, dude.