It was bound to happen to Habari eventually, right? And in the dark recesses of my mind, I'm happy for two reasons. First because at last we merit inspection by "security consultants". Second because we are staffed well enough to have addressed the issue within a reasonable amount of time. But some questions have arisen about how to handle security announcements, and there are distinct sides on the issues.
Spinning out of Control
Chris recently complained about the phenomenon of services requiring you to enter all sorts of weird characters in new passwords before accepting them. We both remarked that, amusingly, this is potentially less secure than letting the user select whatever password they want. Why is that so?
If we assume that people select "good" passwords (an assumption that is utterly incorrect, which is exactly why the services make you put crazy things in your passwords), then a password of a given length drawn from a given character set has a specific number of possible combinations. Restricting one of the characters in your password to a specific character actually reduces that number of combinations. Let's try a synthetic example.
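As an added worked example (not from the original post), the counting behind this claim in Python, assuming a 95-character printable alphabet, a rule that one character must be a digit, and 8-character passwords:

```python
# Added example (not from the original post): how a composition rule shrinks
# the space of possible passwords, under the text's assumption that users
# pick each character uniformly at random from the allowed set.
from math import log2

ALPHABET = 95   # assumed allowed set: printable ASCII characters
DIGITS = 10     # constructed required class: one character must be a digit


def unconstrained(alphabet: int, length: int) -> int:
    """Number of passwords of the given length with no composition rule."""
    return alphabet ** length


def fixed_position(alphabet: int, class_size: int, length: int) -> int:
    """One specific position must hold a character from the required class
    (the case the text describes: one character restricted to a specific set)."""
    return class_size * alphabet ** (length - 1)


def at_least_one(alphabet: int, class_size: int, length: int) -> int:
    """At least one position, anywhere, must hold a character from the class:
    all passwords minus those that avoid the class entirely."""
    return alphabet ** length - (alphabet - class_size) ** length


def bits(count: int) -> float:
    """Search-space size expressed as bits of entropy (log2 of the count)."""
    return log2(count)


def compare(length: int = 8) -> dict:
    """Tabulate the three cases; every rule yields fewer candidates than none."""
    rows = {
        "no rule": unconstrained(ALPHABET, length),
        "digit at fixed position": fixed_position(ALPHABET, DIGITS, length),
        "at least one digit": at_least_one(ALPHABET, DIGITS, length),
    }
    for name, n in rows.items():
        print(f"{name:24s} {n:>20d}  {bits(n):6.2f} bits")
    return rows


if __name__ == "__main__":
    compare()
```

The "at least one" rule costs only a fraction of a bit, while pinning a character class to a fixed position costs over three bits; both are smaller search spaces than the unconstrained one.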