Post subject: 2 suggestions
Joined: 2/15/2005
Posts: 246
Location: Torquay, England
1. When telling which ROMs a movie will work with, provide their md5 sums. For a Linux user, md5 sums are easy to calculate. Names are not unique.
2. Get. Rid. Of. The. Password. Strength. Meter. I saw a YouTube video about this, but I forgot the URL, which sucks, but the gist of it was that the reason why people forget their passwords is because password strength meters encourage a so-called secure, i.e. impossible-to-remember, password. It's good that you don't enforce having certain characters in a password like other annoying sites do, but it shouldn't exist at all.
By the way, this topic was originally meant to be only the first suggestion, but I came here for the first time in months and had to change my password to my new one.
ventuz
He/Him
Player (126)
Joined: 10/4/2004
Posts: 940
What's wrong with the meter? It doesn't stop you from wanting to use a specific password.
Post subject: Re: 2 suggestions
Editor, Active player (297)
Joined: 3/8/2004
Posts: 7469
Location: Arzareth
bobxp wrote:
1. When telling which ROMs a movie will work with, provide their md5 sums. For a linux user, md5 sums are easy to calculate. Names are not unique.
You can check the MD5 sum by loading the ROM in an emulator and it will tell you. Different emulators have different means of indexing ROMs -- some use CRC32, some use MD5, some possibly others, so it would be inconvenient to use different means. Also, those checksums are confusing; they are rarely whole-file checksums, but instead, checksums of the ROM content without headers. This makes it difficult to actually find the right ROM even if you know the checksum, because none of the standard tools for file indexing will help you; you will need an emulation specialized one.
Re: Password strength -- a little known fact is that the site administration here occasionally runs a script that probes people's passwords, attempting to guess them. If it manages to guess it, a warning is sent to the user, by PM, telling them to change the password to something stronger, lest their account be disabled in 7 days and ultimately deleted for introducing a security hole. (Identity theft.)
Chamale
He/Him
Player (205)
Joined: 10/20/2006
Posts: 1355
Location: Canada
Suppose your name was q4t3q8o3yt83yht83hyt - you hit random crap on the keyboard. You then copied and pasted that into the password section. Would it read as highly secure or not very secure?
Editor, Expert player (2082)
Joined: 6/15/2005
Posts: 3284
It could read anything from Strong to Weak. So yes, you can fool the meter. Well, not really, since the meter is ignorant. Here's how the meter works:
5 characters or less: None
6 characters: Weak
7 characters or more:
- If the characters involve exactly one group of: alpha, numeric, nonalphanumeric: Weak
- If the characters involve exactly two of the above groups: Medium
- If the characters involve all of the above groups: Strong
Really, just use your head when typing a password.
P.S. "you" and "your" do not refer to anyone in particular.
Bisqwit wrote:
Re: Password strength -- a little known fact is that the site administration here occasionally runs a script that probes people's passwords, attempting to guess them.
I think it's better off examining them than attempting to guess them. Administrators can do that, right?
Tub
Joined: 6/25/2005
Posts: 1377
FractalFusion wrote:
I think it's better off examining them than attempting to guess them. Administrators can do that, right?
I really, really hope that this board still uses the standard phpBB way of not storing passwords in plain text.
m00
Editor, Active player (297)
Joined: 3/8/2004
Posts: 7469
Location: Arzareth
FractalFusion wrote:
I think it's better off examining them than attempting to guess them. Administrators can do that, right?
Passwords are never saved plaintext in the database. When the registration e-mail says that we have no means of retrieving the password if you forget it, it is not lying. There's only a hash that can be used to verify the validity of an attempted password, but not to know what the actual password is.
Banned User
Joined: 3/10/2004
Posts: 7698
Location: Finland
Bisqwit wrote:
When the registration e-mail says that we have no means of retrieving the password if you forget it, it is not lying. There's only a hash that can be used to verify the validity of an attempted password, but not to know what the actual password is.
Of course this should not be taken as the password security being high, especially given that the login is not SSL-protected and thus passwords travel through the internet as plaintext. Of course people who actually have the resources to examine the IP packets going to tasvideos.org are most probably not interested in forum passwords because they don't have any use for them.
FractalFusion wrote:
Really, just use your head when typing a password. P.S. "you" and "your" do not refer to anyone in particular.
If you avoid using the "you-passive" you won't have to make that kind of remark... :P
Post subject: Re: 2 suggestions
Joined: 2/15/2005
Posts: 246
Location: Torquay, England
Bisqwit wrote:
bobxp wrote:
1. When telling which ROMs a movie will work with, provide their md5 sums. For a linux user, md5 sums are easy to calculate. Names are not unique.
You can check the MD5 sum by loading the ROM in an emulator and it will tell you.
I use the "md5sum" terminal command to generate them. Using the md5 function in PHP or MySQL does exactly the same process. If an emulator decides to do it differently, then that's its problem. So, you should keep md5 sums by the ROM names, because anyone can find out what one is with a little research.
Bisqwit wrote:
Re: Password strength -- a little known fact is that the site administration here occasionally runs a script that probes people's passwords, attempting to guess them. If it manages to guess it, a warning is sent to the user, by PM, telling them to change the password to something stronger, lest their account be disabled in 7 days and ultimately deleted for introducing a security hole. (Identity theft.)
My password is 14 letters long and is not in English. Go ahead and try and guess it - you won't succeed. Something like "asdhiogaegwety" (fitting the above, but it isn't my password) is obviously more secure than "Random50%", for instance, whereas on the password strength meter, my first example would be "weak" and the second would be "strong".
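As an added illustration (my own code, not the site's meter), here are the rules FractalFusion describes, as a function, run against bobxp's two example passwords above, plus a rough search-space estimate that is my own assumption: it treats each password as drawn uniformly from the smallest standard character set containing it.

```python
import math
import string

# The meter as FractalFusion describes it in the thread (reconstruction, not the site's code)
def meter(password: str) -> str:
    """Return the label the thread's meter would show for this password."""
    n = len(password)
    if n <= 5:
        return "None"
    if n == 6:
        return "Weak"
    # 7 or more characters: count which of the three groups are present
    groups = sum([
        any(c.isalpha() for c in password),       # alpha
        any(c.isdigit() for c in password),       # numeric
        any(not c.isalnum() for c in password),   # non-alphanumeric
    ])
    return {1: "Weak", 2: "Medium", 3: "Strong"}[groups]

# My own rough model (an assumption, not from the thread): treat the password
# as drawn uniformly from the smallest standard charset that contains it and
# report log2 of that search space. Real guessing uses dictionaries and
# patterns, so this is an upper bound on resistance, not a guarantee.
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def search_space_bits(password: str) -> float:
    size = sum(len(cs) for cs in CHARSETS if any(c in cs for c in password))
    return len(password) * math.log2(size) if size else 0.0

def compare(a: str, b: str) -> dict:
    """Meter label and estimated bits for both passwords, side by side."""
    return {p: (meter(p), round(search_space_bits(p), 1)) for p in (a, b)}

if __name__ == "__main__":
    # bobxp's two examples: the meter and the search-space estimate disagree
    for pw, (label, bits) in compare("asdhiogaegwety", "Random50%").items():
        print(f"{pw:16} meter={label:7} ~{bits} bits")
```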
Post subject: Re: 2 suggestions
Former player
Joined: 3/30/2004
Posts: 1354
Location: Heather's imagination
bobxp wrote:
I use the "md5sum" terminal command to generate them. Using the md5 function in php or mysql does exactly the same process. If an emulator decides to do it differently, then that's its problem.
...the main reason to use the emulator-derived value is that it ignores the header if present, while an OS-derived value (or one from any non-emulation tool) would not. EDIT: The reason the names are present is that those are the Good names. There's a series of ROM managing software that automatically renames files to match the universal identifier of that ROM.
someone is out there who will like you. take off your mask so they can find you faster. I support the new Nekketsu Kouha Kunio-kun.
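The whole-file versus headerless checksum difference that Bisqwit and Nach describe, as an added example (my own code, not anything the site or any emulator runs). The thread names no ROM format; the 16-byte and 512-byte header lengths are my assumption, chosen because they match the iNES header and the copier header on some SNES dumps, and the sample bytes are constructed.

```python
import hashlib

# The thread names no format; these header lengths are my assumption for the
# demo (16 bytes = iNES header, 512 bytes = copier header on some SNES dumps).
HEADER_SIZES = (16, 512)

def whole_file_md5(data: bytes) -> str:
    """What the `md5sum` command (or PHP/MySQL md5()) reports: every byte hashed."""
    return hashlib.md5(data).hexdigest()

def headerless_md5s(data: bytes) -> dict:
    """What an emulator-style tool may report: the content after a stripped header,
    one candidate digest per header length we know about."""
    return {h: hashlib.md5(data[h:]).hexdigest() for h in HEADER_SIZES if len(data) > h}

def rom_matches(data: bytes, expected: str):
    """Check a file against a published MD5 under both conventions.
    Returns 0 for a whole-file match, the header length for a headerless match,
    or None if neither interpretation matches. MD5 is used because that is what
    the thread compares; it identifies a file, it does not prove it untampered."""
    expected = expected.strip().lower()
    if whole_file_md5(data) == expected:
        return 0
    for h, digest in headerless_md5s(data).items():
        if digest == expected:
            return h
    return None

# Constructed sample data: 1 KiB of fake "ROM" content, once bare and once with a
# 16-byte fake header in front of it (the same dump as two different files).
ROM_BODY = bytes(range(256)) * 4
HEADERED = b"FAKEHDR".ljust(16, b"\0") + ROM_BODY

if __name__ == "__main__":
    published = whole_file_md5(ROM_BODY)        # the "emulator" value for this dump
    print("md5sum of headered file:", whole_file_md5(HEADERED))
    print("headerless md5 (16):    ", headerless_md5s(HEADERED)[16])
    print("headered file matches published digest via:", rom_matches(HEADERED, published))
```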
Post subject: Re: 2 suggestions
Joined: 7/26/2006
Posts: 53
bobxp wrote:
My password is 14 letters long and is not in English. Go ahead and try and guess it - you won't succeed. Something like "asdhiogaegwety" (fitting the above, but it isn't my password) is obviously more secure than "Random50%", for instance, whereas on the password strength meter, my first example would be "weak" and the second would be "strong".
The reason the first example is weak is because it's all just letters, and the meter would obviously assume that it's a common thing like a name or some such. The 2nd example is strong because it has letters, numbers and symbols, which the meter assumes would be something like age34th_, which would be much harder to figure out than if the password was a common dictionary word.
Post subject: Re: 2 suggestions
Player (36)
Joined: 9/11/2004
Posts: 2631
bobxp wrote:
2. Get. Rid. Of. The. Password. Strength. Meter. I saw a youtube video about this, but I forgot the URL, which sucks, but the jist of it was that the reason why people forget their passwords is because password strength meters encourage a so-called secure, i.e. impossible to remember password. It's good that you don't enforce having certain characters in a password like other annoying sites do, but it shouldn't exist at all. By the way, this topic was originally meant to be only the first suggestion, but I came here for the first time in months and had to change my password to my new one.
Just because a password is secure doesn't mean it's not memorable. I use the apg generator when I need a new password; they're pronounceable and generally easy to remember, but, depending on the settings, secure.
(127)omnipotententity@oberus% apg

Please enter some random data (only first 16 are significant)
(eg. your old password):>
3quaHaggu (THREE-qua-Hag-gu)
cakwupWek1 (cak-wup-Wek-ONE)
JaHidek3 (Ja-Hid-ek-THREE)
Vaypceir3 (Vayp-ceir-THREE)
Iduvved1 (Id-uv-ved-ONE)
EgVelraGrut8 (Eg-Vel-ra-Grut-EIGHT)
omnipotententity@oberus% apg --help
/usr/lib/apg/apg: unknown option --

apg   Automated Password Generator
        Copyright (c) Adel I. Mirzazhanov

apg   [-a algorithm] [-r file]
      [-M mode] [-E char_string] [-n num_of_pass] [-m min_pass_len]
      [-x max_pass_len] [-c cl_seed] [-d] [-s] [-h] [-y] [-q]

-M mode         new style password modes
-E char_string  exclude characters from password generation process
-r file         apply dictionary check against file
-b filter_file  apply bloom filter check against filter_file
                (filter_file should be created with apgbfm(1) utility)
-p substr_len   paranoid modifier for bloom filter check
-a algorithm    choose algorithm
                 1 - random password generation according to
                     password modes
                 0 - pronounceable password generation
-n num_of_pass  generate num_of_pass passwords
-m min_pass_len minimum password length
-x max_pass_len maximum password length
-s              ask user for a random seed for password
                generation
-c cl_seed      use cl_seed as a random seed for password
-d              do NOT use any delimiters between generated passwords
-l              spell generated password
-t              print pronunciation for generated pronounceable password
-y              print crypted passwords
-q              quiet mode (do not print warnings)
-h              print this help screen
-v              print version information
How can you forget EgVelraGrut8?
Build a man a fire, warm him for a day, Set a man on fire, warm him for the rest of his life.