Security

Pathetic password policy continued.

Continuing my frustration with changing my password on this one Linux system, I tried to be clever.  So I logged in as root, then used:

passwd accountname

to force-set the password. Much to my surprise, when I tried that, I saw this response:

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or

How is this for good security

My password on a Linux server was recently reset by the authorities that be, and the secure thing to do is naturally to change your password immediately upon logging in, to enhance the privacy and security of the account.  Much to my surprise, I encountered this response from the system:

-bash-2.05b$ passwd
Changing password for user waldo.
Changing password for waldo
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error

Evasive Security

I was busy implementing a system for a client using C++ on Win32 when I had to use the sprintf function. As I knew it was insecure, I looked up the function's details - only to be caught in an infinite web of evasion.

An excerpt from MSDN:

Bad Practice: Sending back read-only HTML form fields

If you have ever written HTML pages that send form data back to a backend server, you must have come across the need to restrict the user from changing a value - so you used a read-only form field. This can cause serious trouble...

Is security really important?

I had the pleasure of being in a meeting room a few weeks ago in a large, respected company with some of their technical experts discussing the security considerations for a project I am consulting on.

Since I am paranoid about security, I obviously tried to push that they upped the security on the system dramatically (they are hosting it and will eventually take over the responsibility for securing it). It was just so startling to witness their responses to many of my recommendations, that I started to realise exactly how ignorant many people are towards IT security.