Code Misgivings: observations along the path of life as a software developer and security professional. Larry Johnson<br />
<br />
<b>The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1d!</b> (2017-10-10)<br />
Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error<br />
<br />
The man who wrote the book on password management has a confession to make: He blew it.<br />
<br />
Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.<br />
<br />
The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.<br />
<br />
The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.<br />
<br />
Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.<br />
<br />
“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.<br />
<br />
In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments. Paul Grassi, an NIST standards-and-technology adviser who led the two-year-long do-over, said the group thought at the outset the document would only require a light edit.<br />
<br />
“We ended up starting from scratch,” Mr. Grassi said.<br />
<br />
The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.<br />
<br />
Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.<br />
<br />
Amy LaMere had long suspected she was wasting her time with the hour a month it takes to keep track of the hundreds of passwords she has to juggle for her job as a client-resources manager with a trade-show-display company in Minneapolis. “The rules make it harder for you to remember what your password is,” she said. “Then you have to reset it and it just makes it take longer.”<br />
<br />
When informed that password advice is changing, however, she wasn’t outraged. Instead, she said it just made her feel better. “I’m right,” she said of the previous rules. “It just doesn’t make sense.”<br />
<br />
Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.<br />
<br />
In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3, a typical example of a password using Mr. Burr’s old rules, could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.<br />
<br />
Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.<br />
<br />
He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.<br />
<br />
“They were appalled I even asked,” Mr. Burr said.<br />
<br />
With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.<br />
<br />
The published guidelines were the best he could do.<br />
<br />
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Mr. Burr.<br />
<br />
Nevertheless, NIST’s password advice became widely influential, not just within the federal government but on corporate networks, websites and mobile devices.<br />
<br />
Collectively, humans spend the equivalent of more than 1,300 years each day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp. His company once followed the Burr code for passwords, but no more.<br />
<br />
The biggest argument against Mr. Burr’s prescriptions: they haven’t worked well. “It just drives people bananas and they don’t pick good passwords no matter what you do,” Mr. Burr said.<br />
<br />
The past decade has seen a data-breach boom. Hackers have stolen and posted online hundreds of millions of passwords from companies such as MySpace, LinkedIn and Gawker Media.<br />
<br />
Those postings have given researchers the data they need to take a hard look at how people’s passwords fare against the tools hackers used to break them. Their conclusion? While we may think our passwords are clever, they aren’t. We tend to gravitate toward the same old combinations over and over.<br />
<br />
Back in 2003, Mr. Burr didn’t have the data to understand this phenomenon. Today, it is obvious to people like Lorrie Faith Cranor. After years of studying terrible concoctions, she put 500 of the most commonly used passwords on a blue and purple shift dress she made and wore to a 2015 White House cybersecurity summit at Stanford University.<br />
<br />
Adorned with the world’s most common passwords—princess, monkey, iloveyou and others that are unprintable here—the dress has prompted careful study, and embarrassment.<br />
<br />
“I’ve had people look at it and they’re like, ‘Oh, I’d better go change my passwords,’” said Ms. Cranor, a professor at Carnegie Mellon University.<br />
<br />
The NIST rules were supposed to give us randomness. Instead they spawned a generation of widely used and goofy-looking passwords such as Pa$$w0rd or Monkey1! “It’s not really random if you and 10,000 other people are doing it,” said Mr. Herley, the Microsoft researcher.<br />
<br />
Mr. Grassi, who rewrote NIST’s new password guidelines, thinks his former colleague Mr. Burr is being a little bit hard on himself over his 2003 advice.<br />
<br />
“He wrote a security document that held up for 10 to 15 years,” Mr. Grassi said. “I only hope to be able to have a document hold up that long.”<br />
<br />
<b>Password Strength Meters</b> (2016-09-07)<br />
Here is an interesting take on password strength meters for websites (which are usually <b><i>bad</i></b>, but they do remind the user that good passwords are important).<br />
<br />
<a href="https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/" target="_blank">https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/ </a><br />
<br />
<b>TL;DR</b> – (1) Complex character sets are not as good as long passwords. (2) Use of keyboard patterns and common words, even leetspeak, makes (shorter) passwords weaker.<br />
<br />
Code here:<br />
<br />
<a href="https://github.com/dropbox/zxcvbn" target="_blank">https://github.com/dropbox/zxcvbn</a><br />
<br />
And here is a nice implementation using their code:<br />
<a href="https://www.my1login.com/resources/password-strength-test/" target="_blank">https://www.my1login.com/resources/password-strength-test/ </a><br />
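Added example (written for this page; not code from the article, the comic or the zxcvbn project) that puts numbers on both the Munroe comparison quoted in the previous post and the TL;DR above: a toy guess-count estimator beside the character-class estimate the old rules implied. The guess rate, per-choice bit costs and the tiny stand-in word lists are assumptions modelled on the comic's accounting, not figures from the article.

```python
import math
# Guess rate and bit costs follow Munroe's comic (assumptions here, not figures from the article).
GUESSES_PER_SECOND = 1000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
COMMON_WORD_BITS, UNCOMMON_WORD_BITS = 11, 16    # 2048-word list vs 65536-word list
SYMBOL_BITS, DIGIT_BITS, ORDER_BITS = 4, 3, 1    # tail symbol, tail digit, tail at end or start
LEET = {"0": "o", "4": "a", "3": "e", "1": "i", "5": "s", "$": "s"}
TAIL_CHARS = "0123456789!@#$%^&*()-_=+?.,"
# Constructed stand-in dictionaries; a real estimator such as zxcvbn ships ranked word lists.
COMMON_WORDS = {"correct", "horse", "battery", "staple", "password", "monkey", "princess", "love"}
UNCOMMON_WORDS = {"troubador"}

def charclass_bits(pw: str) -> float:
    """Strength as the 2003-style rules measure it: length * log2(size of the classes used)."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII punctuation
    return len(pw) * math.log2(size)

def segment(text: str):
    """Greedy longest-match split into dictionary words; None if some span is not a word."""
    words, i = [], 0
    while i < len(text):
        for j in range(len(text), i, -1):
            if text[i:j] in COMMON_WORDS or text[i:j] in UNCOMMON_WORDS:
                words.append(text[i:j]); i = j; break
        else:
            return None
    return words

def attacker_bits(pw: str) -> float:
    """Strength as a guess-counting attacker sees it: pay only for the choices the user made."""
    head = pw.rstrip(TAIL_CHARS)
    tail = pw[len(head):]
    decoded = "".join(LEET.get(c, c) for c in head).lower()
    words = segment(decoded)
    if words is None:
        return charclass_bits(pw)   # no pattern recognised: fall back to the random model
    bits = sum(UNCOMMON_WORD_BITS if w in UNCOMMON_WORDS else COMMON_WORD_BITS for w in words)
    bits += sum(1 for c in head if c.isupper())                 # which letters are capitals
    if any(c in LEET for c in head):                            # leet used at all? then each
        bits += sum(1 for c in decoded if c in LEET.values())   # candidate letter: swapped or not
    bits += sum(DIGIT_BITS if c.isdigit() else SYMBOL_BITS for c in tail)
    return bits + (ORDER_BITS if tail else 0)

def crack_time_years(bits: float) -> float:
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR
```

Under this model Tr0ub4dor&3 scores about 72 bits by character class but only 28 by guess count (roughly three days at 1,000 guesses per second), while the four-word passphrase scores 44 bits by guess count, over 550 years at the same rate.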
<br />
<br />
<b>ASP.NET ASPX Pre-compile Errors</b> (2012-10-01)<div class="MsoNormal">
MS Visual Studio, by default, does not compile a project’s ASPX/ASCX pages until runtime (via the IIS just-in-time compiler). Unfortunately,
the IIS JIT compiler is very forgiving: it ignores some syntax errors,
missing custom tag libraries, unhandled events, etc. These errors can therefore exist in ASPX pages even though the web page “works”.</div>
<div class="MsoNormal">
This Visual Studio Post-Build Event will show these hidden ASPX errors in the Error Window when a normal REBUILD ALL is performed.</div>
<div class="MsoNormal">
VS2010 -> Project -> Properties -> Build Events -> Post-build event command line (use the aspnet_compiler matching the project's target framework and bitness):</div>
<div class="MsoNormal">
Framework 2.0, 3.0, 3.5:</div>
<div class="MsoNormal">
"%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler" -errorstack -c -v "$(TargetName)" -p "$(ProjectDir)\"</div>
<div class="MsoNormal">
Framework 4.0, 4.5:</div>
<div class="MsoNormal">
"%systemroot%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler" -errorstack -c -v "$(TargetName)" -p "$(ProjectDir)\"</div>
<div class="MsoNormal">
64-bit Framework 2.0, 3.0, 3.5:</div>
<div class="MsoNormal">
"%systemroot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler" -errorstack -c -v "$(TargetName)" -p "$(ProjectDir)\"</div>
<div class="MsoNormal">
64-bit Framework 4.0, 4.5:</div>
<div class="MsoNormal">
"%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler" -errorstack -c -v "$(TargetName)" -p "$(ProjectDir)\"</div>
<br />
<b>Project Management</b> (2011-07-20)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfHLWpRSE2IT_KjLs-aqETmta3fFjrRvQEd0jE5DCY2E-7GSvWvhSzfpQ7uyBlBFBzCB-mfrk2CpfJ2mp_51QkcmqGcnaY_iWI9kJUxlojxb7jlA1RswJRGbHEwEbzbOGqvYY5/s1600/sdlc.jpg" imageanchor="1" style=""><img border="0" height="300" width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfHLWpRSE2IT_KjLs-aqETmta3fFjrRvQEd0jE5DCY2E-7GSvWvhSzfpQ7uyBlBFBzCB-mfrk2CpfJ2mp_51QkcmqGcnaY_iWI9kJUxlojxb7jlA1RswJRGbHEwEbzbOGqvYY5/s400/sdlc.jpg" /></a></div>
<br />
<b>MS SQL Server Error Codes</b> (2008-07-01)<br />
SELECT * FROM [master].[dbo].[sysmessages]<br /><br />Severity Levels:<br />
<table style="text-align: justify;" border="0"> <tbody>
<tr> <th width="80">Severity</th> <th>Meaning</th> </tr>
<tr> <td>0 to 10</td> <td>Informational messages, not actual errors.</td> </tr>
<tr> <td>11 to 16</td> <td>Generated as a result of user problems and can be fixed by the user. For example, the error returned by an invalid update query has a severity level of 16.</td> </tr>
<tr> <td>17</td> <td>SQL Server has run out of a configurable resource, such as locks. Can be corrected by the DBA and, in some cases, by the database owner.</td> </tr>
<tr> <td>18</td> <td>Nonfatal internal software problem.</td> </tr>
<tr> <td>19</td> <td>A nonconfigurable resource limit has been exceeded.</td> </tr>
<tr> <td>20</td> <td>A problem with a statement issued by the current process.</td> </tr>
<tr> <td>21</td> <td>SQL Server has encountered a problem that affects all the processes in a database.</td> </tr>
<tr> <td>22</td> <td>A table or index has been damaged. To try to determine the extent of the problem, stop and restart SQL Server. If the problem is in the cache and not on disk, the restart corrects it. Otherwise, use DBCC to determine the extent of the damage and the required action.</td> </tr>
<tr> <td>23</td> <td>Suspect database. To determine the extent of the damage and the proper action to take, use the DBCC commands.</td> </tr>
<tr> <td>24</td> <td>Hardware problem.</td> </tr>
<tr> <td>25</td> <td>Some type of system error.</td> </tr>
</tbody> </table>
<br />
<b>Secure File Transfer (SFTP) and Remote Access using (SSH)</b> (2008-02-02)<br />
I've used 3 different ones in the past, with different success. All three are full SSH servers, meaning you get SFTP, SCP, secure remote console (like Telnet) and secure TCP/IP for port tunnelling. I use it to securely connect to my machines and run VNC for remote control. It's the fastest and most secure way I've found to do remote control of my machines.<br /><br />My favorite is <a href="http://www.bitvise.com/winsshd" target="_blank">WinSSHD</a> from BitVise. A personal license will run you $39.95, but it's well worth it. It's the easiest to set up and maintain. Rock solid.<br /><strong>*UPDATE* WinSSHd v5.x is now free for personal use!</strong><br /><br />Next is <a href="http://www.freesshd.com/" target="_blank">FreeSSHd</a>. As the name implies, it's free! I've used it on computers that I only need to connect to occasionally. It's harder to understand and configure. I've also had problems where it would stop working and only a reboot would fix it.<br /><br />Last is <a href="http://www.cygwin.com/" target="_blank">CygWin</a>. It's a DLL and set of programs that basically turn your Windows system into Linux. If you're a *nix person, this may be the way to go. I found it difficult to set up and configure the SSH server in CygWin, but once I got it running everything worked fine. Oh, it's free!<br />
<br />
<b>Forward Outlook VB Script</b> (2007-11-01)<br />
<span style="font-family: monospace; font-size: x-small;">
Option Explicit<br />
<br />
' Address every matching message is forwarded to.<br />
Private Const FORWARD_TO_EMAIL As String = "me@email.com"<br />
<br />
' Entry point for an Outlook "run a script" rule, which passes in the incoming message.<br />
Sub AutoForwardEmail(outlookMailItem As Outlook.MailItem)<br />
On Error GoTo ErrorSub<br />
<br />
Dim orgMail As Outlook.MailItem<br />
Dim newMail As Outlook.MailItem<br />
<br />
' Re-fetch the item by EntryID so a fully loaded copy is used, then build the forward.<br />
Set orgMail = Application.Session.GetItemFromID(outlookMailItem.EntryID)<br />
Set newMail = orgMail.Forward<br />
<br />
newMail.Recipients.Add FORWARD_TO_EMAIL<br />
newMail.DeleteAfterSubmit = True   ' do not keep a copy in Sent Items<br />
newMail.Body = orgMail.Body        ' send the original text only, without the forward header<br />
newMail.BodyFormat = olFormatPlain<br />
newMail.Send<br />
<br />
EndSub:<br />
Set newMail = Nothing<br />
Set orgMail = Nothing<br />
Exit Sub<br />
ErrorSub:<br />
MsgBox "Unexpected Error: " & Err.Description<br />
Resume EndSub<br />
End Sub
</span>