Signing up for an account with the military?


Postby mastermosley » Wed Mar 25, 2009 2:00:46 am

Just wondering why this site is so secure with their passwords. Kind of ridiculous, not like it would matter if my password was stolen.
mastermosley
AntiWPA Newbie
Posts: 1
Joined: Wed Mar 25, 2009 1:57:26 am

Re: Signing up for an account with the military?

Postby SCORPiON » Thu Mar 26, 2009 8:13:52 am

I think security is the alpha and omega of administrating a board. So we restrict passwords that are easily broken with rainbow tables. Just in case the passwords get stolen, reversing them won't be easy.
Ever think: If your account is secure, the board is secure. Doesn't matter if you have privileged rights or not.

Also we could say: Hmm, why disable logging of IPs here? Nobody will hurt us.

Wrong. Many people will hurt us. If we don't secure as much as possible now, we are not trustworthy. We will have a community where users can trust the staff and the staff the users. Easy, isn't it? :)

greetings SCORPiON
SCORPiON
Site Admin
Posts: 193
Joined: Wed May 03, 2006 12:57:47 pm

Re: Signing up for an account with the military?

Postby cw2k » Fri Jan 08, 2010 1:07:55 am

About not storing IPs, it's a good thing.

But crap like enforcing password complexity - my full agreement.
A program may give me a recommendation about how 'safe' it considers my password - but it should stay advisory. I don't like to be forced to have upper and lower case, numbers or other constraints in my passwords. How safe or weak it is, is my personal choice and freedom.

Also I don't see any danger to the board or community if someone uses a weak password. Because let's consider the worst case - someone guessed the password of someone else. Now what can he do?
Well, he can log in under the other person's name - make or delete posts of the person as he's logged in, see and change their profile data - of which I think the email is the only one of some limited use. Well, maybe the board password is the same as the one for this email account... (but that'll be a different story).
But as far as I see, the 'damage' is only limited to the person that chose a weak password. But bad experience is also part of the learning process. So you may see that the will to preserve ppl from 'bad' experience is preventing them from learning. Preventing them from getting in tune with the (k)now.

Well, besides the fact that it's highly unlikely that someone tries to 'guess' someone else's password on that board - since there's not really much 'value(s)' in or hidden behind someone's account here. Or in short, hacking an account on board.defcon5.biz is uninteresting.

I myself got really pissed off by the 'password' paranoia at the exetools forum (stupid password constraints + they want you to change your password every two weeks / ban you for an hour if you entered the wrong password three times). Even if the threads there were interesting, I quit there after I dared to ask the admin for the reason for their 'password paranoia' - since I didn't find any reason for this in the forum FAQ/rules. Instead, as a reply I just got a 'ban point' - man, so I ask myself now, is that a reverse engineering forum or a military project? (And as you know, in the military everything is secret - but the main thing is: 'No questions.')

Since I'm also in the admins group, I changed the password requirements of this board to 'none'.

P.S. Nah, sorry, I just decided to edit that post and 'comment' on this.
SCORPiON wrote: I think security is the alpha and omega of administrating a board. So we restrict passwords that are easily broken with rainbow tables. Just in case the passwords get stolen, reversing them won't be easy.
Ever think: If your account is secure, the board is secure. Doesn't matter if you have privileged rights or not.

[without offending you] Nice words, however they don't 'feel to me' like having much weight/substance regarding the subject.
The thinking - if my account is secure, the board is secure - is in my eyes a thinking of false security.
While a weak user account password is absolutely no threat to the board, just putting the focus on that keeps real threats like a PHP/MySQL security hole or a simple server hard disk crash or server account deletion/block (because of a bad mail or letter) in the shadow.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Signing up for an account with the military?

Postby NewEraCracker » Fri Jan 08, 2010 4:50:13 am

Well
security is the alpha and omega to administrate a board.
and we need to protect this against Microsoft attacks.
~ NewEraCracker - The Cracker of New Era ~
Activate Windows 7 the right way: http://board.defcon5.biz/viewtopic.php?f=30&t=1391
NewEraCracker
AntiWPA Specialist
Posts: 150
Joined: Tue Jan 05, 2010 8:22:52 pm
Location: Offshore

Re: Signing up for an account with the military?

Postby kpedersen » Tue Jan 12, 2010 2:55:21 pm

NewEraCracker wrote:Well
security is the alpha and omega to administrate a board.
and we need to protect this against Microsoft attacks.


Lol, I can imagine Bill Gates, Steve Ballmer and Ray Ozzie in a small dark room with some 80s style computers trying each user's account with passwords such as "password", "letmein", "qwerty" and "12345".
"The great thing about knowing ASM is... Everything is open source!"
kpedersen
AntiWPA Helper
Posts: 82
Joined: Tue Jan 08, 2008 7:11:31 am

Re: Signing up for an account with the military?

Postby SCORPiON » Wed Jan 13, 2010 12:06:50 am

The keyword for why strong passwords are recommended: social engineering. It works flawlessly, trust me. Take a trusted user that is known by the team as trustworthy. So let's see if we can get the account. If yes - get the way into the team. If no - try to find out friends or contacts. Try to get the account from them.
Now you can go from user1 to user2 over to user3, who is in the team.

You would be amused how easy that is. If you don't know "social engineering" - let Wikipedia explain it for you.

Just my 2 cents... Maybe most of you have never seen how it works.

greetings SCORPiON
SCORPiON
Site Admin
Posts: 193
Joined: Wed May 03, 2006 12:57:47 pm

Re: Signing up for an account with the military?

Postby akneon » Wed Jan 13, 2010 4:57:05 pm

SCORPiON wrote: The keyword for why strong passwords are recommended: social engineering. It works flawlessly, trust me. Take a trusted user that is known by the team as trustworthy. So let's see if we can get the account. If yes - get the way into the team. If no - try to find out friends or contacts. Try to get the account from them.
Now you can go from user1 to user2 over to user3, who is in the team.

You would be amused how easy that is. If you don't know "social engineering" - let Wikipedia explain it for you.

Just my 2 cents... Maybe most of you have never seen how it works.

greetings SCORPiON

You said it all SCORPiON, that's what it's all about. I can't tell you how many times social engineering has worked for me. 8)
akneon
AntiWPA User
Posts: 47
Joined: Sat Dec 09, 2006 5:02:55 pm

Re: Signing up for an account with the military?

Postby cw2k » Sat Jan 30, 2010 8:24:50 pm

Thanks for pointing that out - 'social engineering' is indeed a reasonable threat.
So the question is: Do I like to have the freedom of being able to choose a lax password, or do I prefer to have safe entities? By 'safe entities' I mean that if I get, for example, a PM from 'SCORPiON' I can be quite sure that it was really 'SCORPiON' who wrote it - and not someone else who might have 'guessed' his password. If I know that the platform (the forum) somehow enforces choosing hard-to-guess passwords, I don't need to rely on 'SCORPiON's' responsibility to have chosen a secure password.

That's a good and understandable point for the enforcement of secure passwords and really important to know. However, I don't like words (and the ideas/concepts behind them) like 'military', 'enforce', 'must', 'the absolute', 'the best' or the 'only (right) way'. I like it when ppl make 'weighted' decisions. That means instead of hearing someone say I do this, because this is good [...reason], he says there is this (/are these)... that are against and that... what's for that thing. At the moment I give 'that' more weight, that's why I do it that way.

So it stays a personal choice you make as admin. :twisted:
If you (over)take the decision of the community/majority, but don't really stand for it - it'll be better to pass the job to someone who's really behind that decision, or just do it the way you feel good with. But when doing so, keep being honest to yourself <- that's the really important point in that.
... and allow the decision/opinion to live (that implies to grow as well as to die), or in other words be open to the fact that the opinion/decision may change over time. Sometimes it takes some time for someone to grow into a community, as well as it may occur that someone grows apart from it. :D

My point at the moment is - no matter if you force someone to be/do good or force him to be/do bad, as long as you force someone, it's not really him doing it.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

