January 12, 2009 9:08 AM. How long has S/Key been around? But the banks have no choice.

You essentially have to make the choices: UsePassword (YES | NO) There are other strategies, making the client perform some mildly expensive action (factor a 64-bit co-prime?)

And then, after the attack was discovered and Twitter temporarily shut down all verified accounts, the public lost a vital source of information.

Or at the very least do it for admin/moderator level users.” For a marginal cost of damn close to zero they could have required two-factor. (If I were a national-intelligence agency, I might even use a bitcoin scam to mask my real intelligence-gathering purpose.)

@Simon Willison You have to prevent/ignore submission of a new password-attempt for a certain time and not delay your processing of a single request.

Only way back in is to call the help desk.

No one except those companies do. Maybe this hack will serve as a wake-up call. is trying fervently to accomplish this. If the option to do it by age is available, I agree, and it is preferable. Discrimination based on age, especially prejudice against the elderly. Your guess is as good as mine. My point is it was not just the poor authentication mechanisms but it was a number of flaws that led to Twitter being effectively owned.

There is no regulation.

Why even lock the account for an hour? I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. Somehow your web app has to recognize multiple login attempts (which itself isn’t easy in a 1000’s of servers farm) and then pass the connection off to a low-level waiter. January 13, 2009 6:20 AM. If they don’t or can’t enforce complexity requirements, they should do this, save for the fact that management often balks at it. They get to decide what level of security you have on your accounts, and you have no say in the matter.

They have some sort of shared data store to maintain state (maybe an RDBMS, maybe something else), and all data is probably at least cached locally. A 10 character password with 5 bits of entropy per character is not feasibly guessable even at a high rate. It’s what I call a DAS error. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. The FBI is investigating.

The operator is likely more interested in keeping costs low than in strong security. Take care that it is not so annoying as to encourage lax password security. We also don’t know what other world leaders have those protections, or the decision process surrounding who gets them. Better still, as was said: kick to a CAPTCHA after multiple failures. Think about that again in the face of an attacker being able to issue parallel requests. January 14, 2009 11:11 AM. I find preventing passwords and requiring keys to be a satisfactory solution.

http://all.net/journal/netsec/1997-09.html Delays? Distributed shared state is a “solved” problem, but only in the sense that you can trade off various parts of the ACID guarantee for performance and robustness.

Johnny Vector •

NO!!! account simply because someone is The users might not be IT savvy, but the IT group really should know better, 20+ years after the dangers of enforced password timeouts were documented. He is, to his surprise, presented with Twitter support tools. Feel free to delete my comment after you’ve read it… Many people rely on Twitter’s authentication systems to know that someone who purports to be a certain celebrity, politician, or journalist is really that person. Couple that with a shell script, and you could add those entries to Netfilter to block not only SSH, but everything on your server. You gotta have limits. January 15, 2009 3:03 PM.

January 12, 2009 11:39 AM, @MikeA: “I’m guessing that the ‘month name as password’ stupidity only occurs at companies that are still doing the ‘make users change passwords frequently’ stupidity.” You’ve reduced the brute-force time by 90%, but 25 years is still too long to wait to get someone’s Twitter account.

of accounts!

JimFive • False Data •

January 12, 2009 11:12 AM. Balance(Usability, Complexity of password, change frequency, and lockout behavior) Simon Willison • Paeniteo •

It, however, is surprising how much the ssh logging quiets down after doing this.

Twitter will send you a link to a password update page that automatically logs into your account after the password is changed. Seems to me that Twitter, in particular, is prepared for two-factor authentication.