Security is Bullshit

Name: Anonymous 2016-09-01 6:56

All these captchas, mandatory stupid passwords, no shorter than three letters, including non-printable digit, voodoo-key cryptography, security anus checks and you have spent too little time to complete security check.

I'm just a simple citizen, why should I care about this autism? When will humanity defeat find a cure from non-normies, by say gassing them?

Name: Anonymous 2016-09-01 7:10

Security isn't bullshit at all. But I agree the stuff you posted is bullshit.

Name: Anonymous 2016-09-01 8:05

what OP describes is cargo cult security

Name: Anonymous 2016-09-01 8:34

how to achieve security: don't use C or runtimes written in C

Name: Anonymous 2016-09-01 8:50

>>4
lack of buffer overflows does not imply security.

Name: Anonymous 2016-09-01 9:29

>>4

So PHP is the light and the way?

Name: redditor here AMA 2016-09-01 11:28

the government has set new regulations which require password text boxes to disable the paste function.

yep they've come up with something even worse than the "websites must tell you that they are setting a cookie" law

Name: Anonymous 2016-09-01 12:40

>>7
source? this sounds like the stupidest fucking idea ever

Name: Anonymous 2016-09-01 14:00

>>8
sorry can't easily find the page that said it, did find a gov.uk page saying the opposite though

Name: Anonymous 2016-09-01 14:26

> captchas
...to prevent automated posting. Does it actually work? Only partially -- companies just hire idiots (``clickworkers'') to post advertisements or do astroturfing on the internet. At least a lot of the really stupid spam gets filtered out.
> mandatory stupid passwords, no shorter than three letters, including non-printable digit
Does it actually work? No -- passwords only get ``cracked'' in stupid Hollywood movies. In reality, they just hack the whole database because the service provider was stupid enough to store passwords in plain text. See: a lot of actual recent hacks; there even was a hack disclosure TODAY (2016-09-01): Dropbox.
The weakest part isn't the password but usually the server. If you were a hacker: would you rather try to crack 100,000 passwords or hack a single server?

Name: Anonymous 2016-09-01 15:03

>>11
nice dubs

Name: Anonymous 2016-09-01 18:09

> captchas are bullshit
No, they are not. Of course using them as Cloudflare do is weird, but there is no better spam filtering technology.

Name: Anonymous 2016-09-01 18:30

>>6
PHP is a runtime written in C so no.

Name: Anonymous 2016-09-01 20:08

>>8
that's because it's bullshit

Name: Anonymous 2016-09-01 22:05

>>14
unfortunately, paste blockers are real, and there are rumblings that browsers will offer a simple paste-blocking API instead of the hacks that are currently employed.

Name: Anonymous 2016-09-01 22:21

>>15
So recompile it with that bit commented out.

Name: Anonymous 2016-09-02 6:45

>>10
passwords are usually hashed with a shitty function like MD5 or SHA1, and that was the case with many recent leaks. that's why they do get cracked offline - you hack the server one way or another, dump the database and fire up your favorite rainbow tables software (if no salt) or a bruteforcer (if salt) - that's why we have memory-hard hash functions like scrypt now. also, passwords get cracked online too, although it's usually more scattershot dictionary attacks to get the low hanging fruit because you can't make your job easier with a GPU and you're limited by connection speed.

of course, hacking the server just to dump the passwords is fairly uncreative. it looks like last resort - you couldn't get money out of the hack itself, you couldn't leak anything interesting etc. honestly, if I got into LinkedIn or Dropbox or Last.fm I'd rather replace the sites with goatse, it's equally uncreative but at least it's lulzy.

>>15
paste blockers are real and dumb, yes. it doesn't mean they're going to be mandated by the government. at least I hope so.
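
Added example, not part of any post in this thread: the unsalted-MD5 versus salted-scrypt storage contrast discussed above, seen from the side of the service storing the passwords. The account names, passwords and scrypt cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Cost parameters are assumed values for illustration (about 16 MiB per hash).
N, R, P = 2**14, 8, 1

def md5_unsalted(password):
    """Fast, deterministic legacy scheme: same password -> same stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password):
    """Return 'scrypt$N$r$p$salt$hash' using a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), dk.hex()])

def scrypt_verify(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        if scheme != "scrypt" or not expected:
            return False
        dk = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r),
                            p=int(p), dklen=len(expected))
    except ValueError:  # malformed record or unusable parameters
        return False
    return hmac.compare_digest(dk, expected)

def shared_values(table):
    """Groups of users whose stored values are byte-identical in a dump."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}

def build_tables():
    md5_table = {u: md5_unsalted(pw) for u, pw in USERS.items()}
    scrypt_table = {u: scrypt_hash(pw) for u, pw in USERS.items()}
    return md5_table, scrypt_table

if __name__ == "__main__":
    md5_table, scrypt_table = build_tables()
    print("MD5 duplicates:   ", shared_values(md5_table))
    print("scrypt duplicates:", shared_values(scrypt_table))
    print("bob login ok:     ", scrypt_verify("hunter2", scrypt_table["bob"]))
```

Identical stored values are what make precomputed tables pay off against unsalted hashes; the per-user salt removes that, and the memory cost is what slows the per-guess work that remains.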

Name: Anonymous 2016-09-02 9:51

>>17
> passwords are usually hashed with a shitty function like MD5 or SHA1
IIRC there were also plain text databases.
> passwords get cracked online
They usually do phishing, so having weird rules to force 'complex' passwords isn't helping.
> LinkedIn or Dropbox or Last.fm
Criminals want to get into something for financial reasons not for fun (maybe script kiddies want to do it for fun or fame). Think banking, Amazon, PayPal, Steam (holy shit man you know how much money some people put in Steam? FUCK! Of course some guys want to steal and resell accounts!).

Name: Anonymous 2016-09-02 10:06

>>18
> IIRC there were also plain text databases.
maybe, but there were MD5/SHA1 ones as well and passwords in those absolutely do get cracked
> They usually do phishing, so having weird rules to force 'complex' passwords isn't helping.
IIRC fappening was done through dictionary attacks but you're right, complex password rules are stupid. especially when they don't accept my complex password for not fitting their definition of 'complex' (a 30-char password consisting of words and numbers is more secure than an 8-char one with at least one special character and a capital letter somewhere other than on the first position).
> Criminals want to get into something for financial reasons not for fun
sure, but dumping a list of hashes won't get you much money. I'd rather have fun
> Think banking, Amazon, PayPal, Steam (holy shit man you know how much money some people put in Steam? FUCK! Of course some guys want to steal and resell accounts!).
protip: if you have money somewhere, use 2FA

Name: Anonymous 2016-09-02 11:06

I had to make a password for managing stock dividends and the site limited me to 12 chars and forbade certain symbols

Name: Anonymous 2016-09-03 1:29

>>20
prolly because someone put VARCHAR(12) in 1999 and everyone is scared of changing it

Name: Anonymous 2016-09-03 8:24

Check em

Name: Anonymous 2016-09-03 14:45

I don't have anything to hide so it's ok
