My first troublesome hallucination with a #LLM in a while: #Claude3#Opus (200k context) insisting that I can configure my existing #Yubikey#GPG keys to work with PKINIT with #Kerberos and helping me for a couple of hours to try to do so — before realising that GPG keys aren't supported for this use case. Whoops.
No real bother other than some wasted time, but a bit painful and disappointing.
@sundogplanets@GrantMeStrength The Pluto-Charon system was formed in a giant collision (like the Earth-Moon system), and the small satellites were formed from the debris disk after that impact. Their rock/ice ratio is an important constraint on modeling that impact, which is then useful for helping to model the giant impact that formed the Moon.
I've cracked billions of #passwords from tens of thousands of #data#breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employes aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
You're right - you have no control over the password policies for third-party services. So with that in mind, let me introduce you to a concept I debuted last summer called #PasswordNihilism .
Password nihilism is understanding that sites have shit complexity requirements and shit password storage, and then not giving a shit because you recognize that none of it matters. Max 8 characters? Doesn't matter, don't care. Plaintext storage? Doesn't matter, don't care.
Why doesn't it matter, and why should you not care? Because out of all the attributes a password can have (length, complexity, uniqueness, randomness, etc.), the only one that actually matters is uniqueness. And by "matters", I mean "actually defends against threats in the overall threat model for password security."
So, as long as you're using a password manager to generate and store unique passwords for each site, you too can be a password nihilist!
If you'd like to learn more about password nihilism, check out: