security

CAPTCHA is Dead, Long Live CAPTCHA!

In November 2007 I called these three CAPTCHA implementations “unbreakable”:

* Google (unbreakable)
* Hotmail (unbreakable)
* Yahoo (unbreakable)

2008 is shaping up to be a very bad year indeed for CAPTCHAs:

* Jan 17: InformationWeek reports Yahoo CAPTCHA broken
* Feb 6: Websense reports Hotmail CAPTCHA broken
* Feb 22: Websense reports Google CAPTCHA broken

By Jeff Atwood

security

The Dramatic Password Reveal

As far back as I can remember – which admittedly isn’t very far – GUI toolkits have included a special type of text entry field for passwords. As you type, the password field displays a generic character, usually a dot or asterisk, instead of the character you actually typed. I’ve

By Jeff Atwood

security

Digital Certificates: Do They Work?

The most obvious badge of internet security is the “lock” icon. The lock indicates that the website is backed by a digital certificate:

1. This website is the real deal, not a fake set up by criminals to fool you.
2. All data between your browser and that website is

By Jeff Atwood

security

Software Registration Keys

Software is digital through and through, and yet there’s one unavoidable aspect of software installation that remains thoroughly analog: entering the registration key. The aggravation is intentional. Unique registration keys exist only to prevent piracy. Like all piracy solutions – short of completely server hosted applications and games, where piracy

By Jeff Atwood

security

Blacklists Don’t Work

Jon Galloway and I got into a heated debate a few weeks ago about the efficacy of anti-virus software. My position is that anti-virus software sucks, and worst of all, it doesn’t work anyway. That’s what I’ve been saying all along, and it’s exactly what I

By Jeff Atwood

security

Don’t Forget To Lock Your Computer

I encourage my coworkers to lock their computers. Security, after all, is everyone’s business. But often gentle encouragement is not enough. Sometimes, more... persuasive methods are necessary. I first learned about the noble art of goating from Omar Shahine: We have this problem in Hotmail. If you walk

By Jeff Atwood

security

Hardware Assisted Brute Force Attacks: Still For Dummies

Evidently hardware assisted brute force password cracking has arrived: A technique for cracking computer passwords using inexpensive off-the-shelf computer graphics hardware is causing a stir in the computer security community. Elcomsoft, a software company based in Moscow, Russia, has filed a US patent for the technique. It takes advantage of

By Jeff Atwood

security

You’re Probably Storing Passwords Incorrectly

The web is nothing if not a maze of user accounts and logins. Almost everywhere you go on the web requires yet another new set of credentials. Unified login seems to elude us at the moment, so the status quo is an explosion of usernames and passwords for every user.

By Jeff Atwood

security

Rainbow Hash Cracking

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong.” The Geekwisdom password strength meter rates it “mediocre.” Why is Ophcrack so fast? Because it

By Jeff Atwood

security

Trojans, Rootkits, and the Culture of Fear

Scott Wasson at The Tech Report notes that two of his family members fell victim to the eCard email exploit that has been making the rounds lately: I just dropped off a package containing my dad’s laptop at the FedEx depot this afternoon. I spent parts of several days

By Jeff Atwood

legalese

Does Anyone Actually Read Software EULAs?

If you’ve used a computer for any length of time, you’ve probably clicked through hundreds of End User License Agreement (EULA) dialogs. And if you’re like me, you haven’t read a single word of any of them. Who can blame you? They’re mind-numbing legalese. As

By Jeff Atwood

security

The Windows Security Epidemic: Don’t Run as an Administrator

In How to Clean Up a Windows Spyware Infestation, I documented how spyware can do a drive-by infection of your machine through your web browser. To be absolutely clear, I never clicked on any advertisements, or downloaded and executed any files. All I did was open a GameCopyWorld web page

By Jeff Atwood