pallas
January 09, 2014, 12:02:18 PM
In your opinion, how does one capital letter in a password raise the security? Honestly, switch that off. It doesn't make a real difference.
It does a lot. For example: any way of increasing the size of the char set used to make passwords lowers the risk of successful brute force attacks.
You're right, but if you don't put any boundary on the password choice then the character dictionary is actually made by any character. Instead, if you force the user to use a capital letter it means you're actually reducing the dictionary dimension for that character. If N = all possible characters, there exists: N^8 8-chars completely free password, and 26+N^7 8-chars passwords with one capital letter
The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for laziness. Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users. Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers. I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.

eric89
January 09, 2014, 12:33:46 PM
Since no one has officially said it...
I did!
He said "officially" as in from Nearmiss or aTriz. The admins? You know, the moo guys? Do you work for them?
No, but I am pretty official.

aTriz
January 09, 2014, 01:30:24 PM
Stratum is now fixed up! No more 1-2 minute rounds.

mdmedina07
January 09, 2014, 01:58:20 PM
Sweet!

nearmiss (OP)
January 09, 2014, 01:59:39 PM
- Red Rounds
Most are only a minute or two, there was a bug in the switching script triggered under certain conditions following a 0 coin round, that would cause us to potentially switch off the next coin way earlier than we normally would. This bug has been fixed, no more 1-2min rounds.
- Passwords
"Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers." This is the case, I believe. Common words are also rejected, to some extent. To be honest, the fact we enforce a capital letter is not something I'm going to spend any time thinking further about atm, we've got enough on the list to get to before revisiting a modification on password policy. 8+ chars, 1 uppercase, 1 number. It is what it is for now.
- Balances
You won't see a change to your BTC balance until payouts happen, once a day at GMT 04:00:00. Normally you'd have an "Estimated Un-Exchanged" and "Estimated Exchanged" value that grows and adjusts throughout the day, those are currently disabled, and being worked on. If you don't have a balance *after* payout time, it's something to be concerned about, and let support know.
Profit-Switching Pool w/ Vardiff -> http://hashco.ws Optionally keep the alts we mine or auto-trade for BTC. In addition can be paid out in any of: 365, AC, BC, BTC, C2, CINNI, COMM, FAC, HBN, MINT, PMC, QRK, RDD, WC, XBC
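
The two password checks discussed in the posts above (the composition rule of 8+ chars, 1 uppercase, 1 number, and rejecting common words), as an added Python example that is not part of the original thread and is not the pool's code. The word list, substitution table, sample passwords and function names are constructed for illustration, and `keyspace` assumes a 95-character printable-ASCII alphabet.

```python
import re

# Constructed sample list; a real deployment would load a large wordlist.
COMMON_WORDS = {"password", "bitcoin", "monkey", "dragon", "letmein", "qwerty"}
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")

def meets_composition(pw):
    """The rule as stated in the thread: 8+ chars, 1 uppercase, 1 number."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

def dictionary_base(pw):
    """Return the common word the password is built on, or None."""
    lowered = pw.lower()
    # Drop leading/trailing digits and punctuation ("Password1!" -> "password").
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    for cand in (lowered, stripped,
                 lowered.translate(LEET), stripped.translate(LEET)):
        if cand in COMMON_WORDS:
            return cand
    return None

def evaluate(pw):
    """Combine both checks; accept only if the rule passes and no word matches."""
    rule, base = meets_composition(pw), dictionary_base(pw)
    return {"composition_ok": rule, "dictionary_word": base,
            "accept": rule and base is None}

def keyspace(length, alphabet=95, upper=26, digit=10):
    """Count all passwords of `length`, and those with at least one uppercase
    and one digit (inclusion-exclusion over the assumed alphabet)."""
    total = alphabet ** length
    ok = (total - (alphabet - upper) ** length - (alphabet - digit) ** length
          + (alphabet - upper - digit) ** length)
    return total, ok

if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Password1", "P4ssw0rd", "Dragon2014", "vQ7m-Lor8-tuzk"):
        print(pw, evaluate(pw))
    total, ok = keyspace(8)
    print(f"8-char passwords satisfying the rule: {ok / total:.1%} of all")
```

The first three sample passwords satisfy the composition rule and are still rejected, because each reduces to a common word once case, trailing digits and simple substitutions are normalized.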

aint_no_enthusiast
January 09, 2014, 02:07:15 PM
Thanks for the answer, nearmiss!

induktor
January 09, 2014, 02:18:06 PM
The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for laziness. Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users. Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers. I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.
I don't agree with the enforcement of punctuation and uppercase for two reasons:
1) Most (new) keyboards don't have the CAPS LIGHT, so you don't know if you are in uppercase or not. You have no idea how many customers bitch about the uppercase thing with the wireless keyboards, because they type it wrong several times and the password gets disabled, all because those keyboards don't have the caps light.
2) Punctuation: about 70% of the computers I work on have the keyboard language mapping wrong, so punctuation is everywhere except where you expect it, so it is impossible (unless you remember the position of the punctuation keys) to type a password like that if you can't see what you are typing, because the mapping does not match the real keyboard.
I think it is better to use only lowercase letters and numbers, and a dictionary check: if the password is found in the dictionary, it will force you to choose another one.
BTC addr: 1vTGnFgaM2WJjswwmbj6N2AQBWcHfimSc

Eastwind
January 09, 2014, 02:19:45 PM
In my worker setting, there are "Round Shares Accepted (Adj)". Are these adjusted shares? How are they adjusted?
In the stats section, there are also pool accepted shares, are they adjusted?
Should the ratio of my accepted shares to the pool accepted shares be similar to the ratio of my hash rate to the pool hash rate?

induktor
January 09, 2014, 02:23:18 PM
- Balances
You won't see a change to your BTC balance until payouts happen, once a day at GMT 04:00:00. Normally you'd have an "Estimated Un-Exchanged" and "Estimated Exchanged" value that grows and adjusts throughout the day, those are currently disabled, and being worked on. If you don't have a balance *after* payout time, it's something to be concerned about, and let support know.
Thank you for the update! One question: can I do a manual withdraw, or is it disabled for now? Happy to see the site back on track, thank you!
BTC addr: 1vTGnFgaM2WJjswwmbj6N2AQBWcHfimSc

Catswold
January 09, 2014, 02:33:53 PM
The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for laziness. Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users. Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers. I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.
I don't agree with the enforcement of punctuation and uppercase for two reasons:
1) Most (new) keyboards don't have the CAPS LIGHT, so you don't know if you are in uppercase or not. You have no idea how many customers bitch about the uppercase thing with the wireless keyboards, because they type it wrong several times and the password gets disabled, all because those keyboards don't have the caps light.
2) Punctuation: about 70% of the computers I work on have the keyboard language mapping wrong, so punctuation is everywhere except where you expect it, so it is impossible (unless you remember the position of the punctuation keys) to type a password like that if you can't see what you are typing, because the mapping does not match the real keyboard.
I think it is better to use only lowercase letters and numbers, and a dictionary check: if the password is found in the dictionary, it will force you to choose another one.
Honestly? Nearmiss has made it clear and frankly, most people agree with the current password policy. Further argument is pointless and serves no positive purpose. Accept it and move on.

MoDu
January 09, 2014, 02:59:52 PM
I agree, this is 2014 where our GPU miners are also very good at brute forcing password hashes, so we need 2014 policies, otherwise you're open to some of the biggest security fiascos in computer history: Sony, Adobe, Target, etc...

Draino
January 09, 2014, 03:20:10 PM
The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for laziness. Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users. Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers. I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.
I don't agree with the enforcement of punctuation and uppercase for two reasons:
1) Most (new) keyboards don't have the CAPS LIGHT, so you don't know if you are in uppercase or not. You have no idea how many customers bitch about the uppercase thing with the wireless keyboards, because they type it wrong several times and the password gets disabled, all because those keyboards don't have the caps light.
2) Punctuation: about 70% of the computers I work on have the keyboard language mapping wrong, so punctuation is everywhere except where you expect it, so it is impossible (unless you remember the position of the punctuation keys) to type a password like that if you can't see what you are typing, because the mapping does not match the real keyboard.
I think it is better to use only lowercase letters and numbers, and a dictionary check: if the password is found in the dictionary, it will force you to choose another one.
agreed, i'm about to sign up to hashcows for testing and these password requirements are cumbersome
about 85% of the computers i use are 23 year old radio shack types and a variety of letters can be quite sticky not to mention letters can be used to form words that some people find offensive
i say make required passwords be a 3 digit pin (no duplicate digits! i might hit the key twice on accident!) and leave it at that

nlsupernova
January 09, 2014, 03:40:53 PM
They are working their butts off to get the site going, and there is a whole page dedicated to how people don't want to use uppercase letters in the passwords. You guys must be the happiest people in the world, I guess. If using uppercase letters is the biggest problem you currently have, things have to be going great for you.

Catswold
January 09, 2014, 03:41:01 PM
agreed, i'm about to sign up to hashcows for testing and these password requirements are cumbersome
about 85% of the computers i use are 23 year old radio shack types and a variety of letters can be quite sticky not to mention letters can be used to form words that some people find offensive
i say make required passwords be a 3 digit pin (no duplicate digits! i might hit the key twice on accident!) and leave it at that
If this isn't sarcasm, I just don't quite know what to say . . . maybe . . . Wow!

nlsupernova
January 09, 2014, 03:42:29 PM
3 digit pin, lolz. Don't forget to set the maximum number of times you can try to enter a password before the site blocks your account to 999.

mrbrdo
January 09, 2014, 03:44:17 PM
How often does "current balance" update? I've been mining for 16 hours with 2.3MH/s and I only have 0.00000522 balance which is ridiculous! I got 2 million accepted shares and 30k rejected (I think cgminer switched in between, so maybe this is just from last 1 hr, don't know).

Catswold
January 09, 2014, 03:51:06 PM
How often does "current balance" update? I've been mining for 16 hours with 2.3MH/s and I only have 0.00000522 balance which is ridiculous! I got 2 million accepted shares and 30k rejected (I think cgminer switched in between, so maybe this is just from last 1 hr, don't know).
Does anyone ever bother to read even the last 2 pages of a forum thread anymore before just jumping in and asking a question? https://bitcointalk.org/index.php?topic=293872.msg4408900#msg4408900

mdmedina07
January 09, 2014, 04:08:16 PM
Phbbtt reading is overrated. Not like this is a forum...oh nm. :|
How often does "current balance" update? I've been mining for 16 hours with 2.3MH/s and I only have 0.00000522 balance which is ridiculous! I got 2 million accepted shares and 30k rejected (I think cgminer switched in between, so maybe this is just from last 1 hr, don't know).
Does anyone ever bother to read even the last 2 pages of a forum thread anymore before just jumping in and asking a question? https://bitcointalk.org/index.php?topic=293872.msg4408900#msg4408900

matsonj
January 09, 2014, 04:08:53 PM
The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for laziness. Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users. Actually, brute force attacks work very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers. I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.
I don't agree with the enforcement of punctuation and uppercase for two reasons:
1) Most (new) keyboards don't have the CAPS LIGHT, so you don't know if you are in uppercase or not. You have no idea how many customers bitch about the uppercase thing with the wireless keyboards, because they type it wrong several times and the password gets disabled, all because those keyboards don't have the caps light.
2) Punctuation: about 70% of the computers I work on have the keyboard language mapping wrong, so punctuation is everywhere except where you expect it, so it is impossible (unless you remember the position of the punctuation keys) to type a password like that if you can't see what you are typing, because the mapping does not match the real keyboard.
I think it is better to use only lowercase letters and numbers, and a dictionary check: if the password is found in the dictionary, it will force you to choose another one.
agreed, i'm about to sign up to hashcows for testing and these password requirements are cumbersome
about 85% of the computers i use are 23 year old radio shack types and a variety of letters can be quite sticky not to mention letters can be used to form words that some people find offensive
i say make required passwords be a 3 digit pin (no duplicate digits! i might hit the key twice on accident!) and leave it at that
LMAO...3 digit pin?! Ya know what, skip the PIN and just hand your BTC over to me as soon as you mine it. You're just asking to get your balance stolen with a 3 digit pin. I could guess it in 10 mins. The site password restrictions are quite common and more sites should use the restrictions. Sure, they can be a pain, but it's not unlike signing into Facebook or Yahoo!. You don't want a new password system like the rest of the developed world because your computer is too old but you're mining with some fancy new graphics cards? I can't even...

mrbrdo
January 09, 2014, 04:21:53 PM
I did read most of it, but 90% is bitching about password restrictions so I missed it. Anyway, thanks.