nick | message | time |
---|---|---|
DocScrutinizer05 | highly recommended: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ wget https://github.com/jamesridgway/pwnedpasswords.sh/blob/master/pwnedpasswords.sh -O /usr/local/bin/pwnedpasswords.sh && chmod +x /usr/local/bin/pwnedpasswords.sh | 04:34 |
DocScrutinizer05 | might even want to add this to passwd(1) | 04:36 |
furrywolf | because wgetting and running a random file is so secure. :) | 04:37 |
DocScrutinizer05 | for sure you won't add the wget part to passwd X-P | 04:38 |
DocScrutinizer05 | you however might ponder adding the script to passwd, after *checking it* | 04:38 |
DocScrutinizer05 | actually wget is somewhat deprecated under root's privileges | 04:39 |
furrywolf | I just wrote a script for someone that not just wgets arbitrary files, and not just then gets different files from the contents of that file, it saves to a fixed name in /tmp, making it utterly stupid to run as root. :) | 04:41 |
furrywolf | (highly insecure tmpfile usage) | 04:43 |
DocScrutinizer05 | wget itself is not secure | 04:50 |
DonkeyHotei | that script will send each actual password of yours to someone else's website. fail. | 04:51 |
DocScrutinizer05 | fail! it sends SHA hash | 04:51 |
DocScrutinizer05 | this been first thing I checked | 04:52 |
DocScrutinizer05 | since otherwise it would be not only "fail", it would be a brainfart | 04:52 |
furrywolf | it seems fairly secure to me, in that it only sends them the first five characters of the hash, which gets a list of all hashes starting with those five characters, and then compares locally. | 04:53 |
DonkeyHotei | SHA1 | 04:53 |
DonkeyHotei | might as well be RC4 | 04:54 |
furrywolf | again, it only sends _the first five characters_. anything other than plaintext is fine when used like that. | 04:54 |
DocScrutinizer05 | ^^^ | 04:54 |
DocScrutinizer05 | refer to https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/ | 04:55 |
DocScrutinizer05 | >>It doesn't matter that SHA1 is a fast algorithm unsuitable for storing your customers' passwords with because that's not what we're doing here, it's simply about ensuring the source passwords are not immediately visible.<< | 04:55 |
furrywolf | and to make sure you don't send the first five characters of every password you try. heh. | 04:56 |
furrywolf | the first five characters of anything that remotely approximates a proper hash is not a security risk | 04:56 |
furrywolf | there are certainly algorithms you could use that do not remotely approximate a proper hash, but sha1 is more than adequate. | 04:57 |
DocScrutinizer05 | my root password had 6 hits :-S | 05:02 |
furrywolf | hrmm, I could write an even simpler is-your-password-compromised script... wget "http://www.google.com/$1" && echo "Your password has been compromised at least one time" :P | 05:02 |
DocScrutinizer05 | lol | 05:02 |
furrywolf | (by sending it in plaintext, it itself compromises it, thus it's always right! :) | 05:03 |
DocScrutinizer05 | reminds me on the battery-eye app that guaranteed to drain your battery within a few hours by constantly polling and logging its state ;-P | 05:09 |
furrywolf | lol | 05:09 |
djph | DocScrutinizer05: this is why I disallow remote-root-anything :) | 10:13 |
DocScrutinizer05 | anyway watch out! https://github.com/technonerdz/passwordsecurity.info/issues/6 don't use the web interface | 10:15 |
sokan | my T420 has arrived! I only need to pick it up now :D | 12:17 |
sokan | and tomorrow 1 more dev1 system out there! stability with no systemd :D | 12:17 |
Ryushin | Is there a mirror that is faster than others? us.deb.devuan.org is very slow. | 16:32 |
KatolaZ | Ryushin: for US you can use devuan.c3sl.ufpr.br | 16:36 |
KatolaZ | https://pkgmaster.devuan.org/mirror_list.txt | 16:37 |
KatolaZ | they have a fast connection to US | 16:37 |
Ryushin | KatolaZ: Thanks much. | 16:37 |
KatolaZ | we are working on that as well | 16:37 |
Ryushin | Always something. LOL | 16:38 |
KatolaZ | always too much to do :) | 16:39 |
Ryushin | It said my apt update was going to take 4 hours. I was thinking I need to find a mirror that has "ludicrous speed" for the connection. | 16:42 |
KatolaZ | Ryushin: that mirror has 20Gb/s to FL | 17:06 |
Ryushin | I was reading that. That is a nice mirror. | 17:15 |
Ryushin | Much better. 37Mb/s | 17:15 |