Today I forgot the password for a site I use only occasionally. This is rare, as I have a number of password schemes that I use to create a password unique to each site. After clicking the reset password link, I am confronted with the “password strength checker” below:

This list of rules doesn’t fit very well with my password scheme, primarily because what I computed in my head fails the test for uppercase characters.

Using the phrase “this is an unbelievably long password that would take a very long time to crack” fails this rule too, as well as the tests for a number and punctuation. I’m not suggesting that this is a good password, but it’s certainly better than “aA1!bcde” which passes all the rules. These 8 characters are trivial to brute force on any modern machine even if the underlying software uses a salted hash.

The offending software appears to be Jive, who perhaps need to set some more sensible defaults on their login system.

This blog can now be reached over IPv6 (or ipv6.edeca.net), which is surely the final nail in the coffin of IPv4 across the internet.
Read the rest of this entry »

Tired of seeing repeated attempts to login to a Linux server you run?  There are a number of options, all with their own benefits and disadvantages.  The easiest way is to move the port that the SSH server runs on, perhaps to 2222 instead of 22.  However. this can be annoying behind some firewalls and means that you need to specify the port each time you SSH to a host.  This post looks at denyhosts, a viable alternative.
Read the rest of this entry »