Post AYgQdILfUOrGDbdzfc by CultivatorLinFeng@poa.st
Post #AYg76FiCNBgfM7iGsS by graf@poa.st
2023-08-13T05:31:38.046514Z
11 likes, 8 repeats
this isn't because of any specific event, we have just taken up the task of periodically reminding some of you because a lot of you don't take anything seriously and you should. what happened to poast was a 0day vulnerability and there is potential that there are others. we have taken measures to limit specific API endpoints to staff provided VPNs and other security measures but you should always err on the side of caution no matter what website you use and rotate sessions/tokens/passwords/etc wherever you can. the first thursday in may is password reset day, but you should all get in the habit of doing it every couple months or once a month. your account security starts with you

RT: https://poa.st/objects/d4d6be4c-3aa6-47c2-9c5d-562d4827fdba
Post #AYgIOkAsx1yoXh9QBc by billstclair@gleasonator.com
2023-08-13T07:38:14.497520Z
0 likes, 0 repeats
@graf @PoastSupport There are 405 entries in my password app. If I changed them all every 60 days, that would be 6 or 7 every day. I'll keep my policy of only changing a password when I see evidence that it has been compromised, which very rarely happens.

If only I could convince developers to NEVER save a plaintext password, only its hash. And to stop with the insane capital letters, numbers, and special character requirements.

diceware.ninja is my Diceware passphrase generator.
Post #AYgIhW2din0qDCFGwC by graf@poa.st
2023-08-13T07:41:36.115534Z
5 likes, 1 repeat
@billstclair @PoastSupport yeah well the problem is you will never convince anyone including people who use the same password for everything. getting upset at us suggesting it to people is not the way to solve this. we hash everyone's passwords so you will never get the plaintext equivalent but that doesn't stop leaks from other sites affecting poast. having tunnel vision angst toward us for suggesting users be secure is lost and makes you look foolish
Post #AYgJEpQ6h3lrry6fi4 by MaleGoddess@poa.st
2023-08-13T07:47:39.442138Z
3 likes, 1 repeat
@graf @PoastSupport Ha. Jokes on you. I use one time use passwords. I set the password, log in once, and forget it. If I'm ever logged out, then that account is lost.

Because not only do I use one time use passwords, I use one time use email addresses, so all accounts are non-recoverable.
Post #AYgLHsJ2cTUjb6NknY by niggy@poa.st
2023-08-13T08:10:36.565851Z
11 likes, 8 repeats
@graf @billstclair @PoastSupport yes friend and also password hashes can be cracked, even Pleroma's pbkdf2. so it's important to use complex passwords avoiding dictionary words if possible.

getting credentials is the most important priority of a good attacker, and the main way a small breach is leveraged into compromising everything.

so often high-effort high-security environments, even up to government networks, just have one shitty system you eg get an AD NTLM hash from, crack, and get a password to access everything with.

so please secure your password usage friends, and don't just rely on just any password you use anywhere always being private
Post #AYgLNWZSLMaZvMknya by graf@poa.st
2023-08-13T08:11:37.246699Z
1 like, 0 repeats
@niggy @billstclair @PoastSupport 128 character includer of every ascii possible chad tapping in
Post #AYgLiimg87vBst2v0y by professionalbigot69@poa.st
2023-08-13T08:15:27.878496Z
2 likes, 0 repeats
@niggy the best way to test one's password hashing is to type out something that'd get flagged by the FBI in plain text @graf @billstclair @PoastSupport
Post #AYgMObwjwW3sq8j7ke by graf@poa.st
2023-08-13T08:23:00.472825Z
4 likes, 2 repeats
@professionalbigot69 @niggy @PoastSupport @billstclair whatever you do don't tell anyone the database salt is uuuuuooooohhhhhhhhhhhhmisatomommygfooohhhhhhhh
Post #AYgNuqdGyZIXbnYa7U by RealAkoSuminoe@poa.st
2023-08-13T08:39:04.295797Z
1 like, 1 repeat
@niggy @graf @billstclair @PoastSupport This is also why using a password manager with crypto-random generated passwords that are site-unique is important. For security to work, it has to be convenient enough that people don't take shortcuts around it.

Also, sure pbkdf2 is not the worst thing in the world, but OWASP only recommends it when targeting FIPS. Is there a reason that we aren't using argon2id, or at least scrypt or bcrypt?
Post #AYgOljJotn3uH0fqXQ by niggy@poa.st
2023-08-13T08:49:37.442748Z
2 likes, 0 repeats
@RealAkoSuminoe @graf @billstclair @PoastSupport pbkdf2 is just what pleroma uses and can't fault them it's better than most web apps, wordpress still uses keystretched md5.

people put too much emphasis on strength of password hashing anyway relative to everything else, pleroma doesn't even support password strength policies.

the strongest hash algorithm isn't going to help if there's shit passwords, hash strength isn't a fundamental security boundary it just means it takes longer to crack, weak passwords will still always be crackable
Post #AYgQdILfUOrGDbdzfc by CultivatorLinFeng@poa.st
2023-08-13T09:10:26.878541Z
0 likes, 0 repeats
@graf @PoastSupport People have shitty passwords due to password fatigue. Yes, you can set up a password that's 32 characters long and full of extended ascii characters, but being forced to change it frequently means there will be a lot of instances of "ThisIsMyPassword1!".

In either case, what good is a deadbolt lock on a house with floor to ceiling windows?
Post #AYgVLDtToR0sxdf3dw by billstclair@gleasonator.com
2023-08-13T10:03:16.132081Z
1 like, 0 repeats
@RealAkoSuminoe @PoastSupport @graf @niggy 20 years ago, I used the same password for everything. I've still seen no evidence that anyone else knows it. Now I use a password manager. I used Diceware pass phrases for a long time, until sites started requiring larger alphabets, in an effort to trade off password strength for difficulty of memorization. Once I had enough passphrases that I couldn't remember them, I started letting the password manager create random passwords with weird characters. I still much prefer "serve food mocha sniff spur brink" to "u96@!ezPSQ", but the latter is easier to do, so I do.
Post #AYglOEYFQGk58TBguG by PalePimp@poa.st
2023-08-13T13:02:11.988523Z
1 like, 1 repeat
@graf @niggy @billstclair @PoastSupport Best use a proper RNG engine.
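Added example (not code from the thread or from Pleroma): the three ideas the posts above keep circling, a site-unique password drawn from the OS CSPRNG, a Diceware-style passphrase, and a salted PBKDF2-HMAC-SHA256 hash of the kind pbkdf2-based apps store, with an entropy helper to compare the two password styles. The 8-word list is a constructed stand-in for a real 7776-word Diceware list, and the iteration count is an assumption.

```python
import hashlib
import hmac
import math
import secrets
import string

# Constructed mini wordlist; a real Diceware list has 7776 words (five dice).
WORDLIST = ["serve", "food", "mocha", "sniff", "spur", "brink", "apple", "zebra"]
# 94 printable ASCII characters: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Site-unique password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Guessing entropy for `picks` independent uniform picks from `choices`."""
    return picks * math.log2(choices)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, stored as iter$salt$hash.

    The salt defeats precomputed tables; iterations only scale the cracker's
    cost per guess, so a weak password still falls (the point made above).
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(random_password(), entropy_bits(len(ALPHABET), 20))
    print(diceware_passphrase(), entropy_bits(7776, 6))
```

With a real list, six Diceware words give about 77.5 bits, while the ten-character random string quoted in the thread gives about 65.5 bits, which is why the passphrase is the stronger of the two despite using only lowercase words.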
Post #AYhdyH1P6vUkkMSXHU by JustJohnny@poa.st
2023-08-13T23:14:41.216704Z
1 like, 0 repeats
@RealAkoSuminoe @niggy @graf @billstclair @PoastSupport I feel like using an app to generate and store passwords is an inherent security flaw.
Post #AYhoEMbp6UP0Fbnym8 by RealAkoSuminoe@poa.st
2023-08-14T01:03:39.333578Z
0 likes, 0 repeats
@JustJohnny @niggy @graf @billstclair @PoastSupport Not really, unless you use a bad app for it (cough cough LastPass cough).
Post #AYhoODpQbXKXujryJE by RealAkoSuminoe@poa.st
2023-08-14T01:10:11.812469Z
2 likes, 1 repeat
@billstclair @PoastSupport @graf @niggy If you were using the same password everywhere 20 years ago, there's def people who know what it was. 20 years ago, a lot of sites considered security an afterthought, and passwords were stored in plain text. You used to click "forgot password" and have your password emailed to you instead of getting a password reset request link sent.

Maybe no bad actors got it. Maybe it was never used maliciously.