WTS ATTENTION: PayPal Friends and Family - beware

Kitchen Knife Forums

And that was something you never stated. All you claimed was a 32 character long password was unbreakable.

For the record, I personally support password manager use. But am also aware that proper 2FA is the way to back that up. Given code quality today, I’d take an 8 character password + token based MFA over your 32 character password any day.

And yes, I may be an ********, but spout BS and expect to be called on it.



If you really think that a long password is unbreakable you need to get out of the industry. Everything is breakable. Just because you don’t know how it can be done doesn’t mean it can’t and won’t be tomorrow (or hasn’t been by nation state already). I’ve been doing this long enough to know that basic truth. It’s always a matter of when not if something will get broken.

you are trying so hard to construct a completely different argument so I can be wrong.

not only are you trying to act like a big boy security expert for seemingly no reason other than your own ego, now you're telling me what I said with my post? grow up.

you're suggesting I am saying that you should only have a long password. complete fabrication. what I said is literally right there.

you're suggesting that because there are a million and one attack vectors, that it invalidates something true. completely ridiculous.

you're suggesting I said a "long password is unbreakable". wrong. I said that a well constructed password that is 32 characters long cannot be defeated by attacking the password in a reasonable amount of time with today's hardware and techniques. this is so fundamentally true you literally have to claim I'm saying something completely different than anything I've actually said.

look we've all seen the hive graph. this is gpu-accelerated btw.


look if you wanna fight mr strawman go ahead but I'm done with you. if you're gonna fire shots at what I actually said go ahead but if you're just going to make **** up so you can look impressive then you're gonna have to do it into the void from now on.

also I wasn't sitting in an IT department begging people to use 2FA. I was literally engineering software to secure ICS systems from state actors. you should probably consider that if that's the case, the problem is likely with your interpretation of what I'm saying, rather than what I'm saying. but at the end of the day it doesn't matter; I cashed a lot of paychecks because the **** I wrote worked.
 
all this over me saying that a long password with a mixture of cases, letters and numbers and symbols can't be directly cracked with current hardware.

you're willing to go scorched earth over that statement. like what is actually wrong with you?
 
btw folks esoo's advice to use 2FA is good.

just because he will literally make up **** I never said doesn't invalidate that.
 
@tcmx3 it's clear you've totally missed my point. Not sure why, but you have. I never claimed to invalidate passwords. All I was stating is that passwords are not always kept in a manner that retains their true entropy. You may not have seen it, but I have (and more recently than I should). Perfect InfoSec world, meet contract programmer.
 
A long password is effectively unbreakable, provided that it is not compromised and only ever stored and exchanged in encrypted form. But there is absolutely no guarantee that some arbitrary website won't do something totally stupid, such as store a password in plain text.

Heck, I can't count the number of times I have created an account on some small vendor's website and, two minutes later, I get an email saying "Hello Michi, thank you for creating an account with us. Your user name is "Michi" and your password is "Dead Horse"."

This kind of thing is still happening, in 2022.
 

no I'm rather sure I got your point, it's just that your point was about your ego.

all you did was...? hello? your posts are right there. I can read.

I dunno man you want to make this a dick measuring contest so bad. you could have just made your completely tangential point, it would have been fine. I literally just +1'd that a complex password was good because they are hard to crack. everything else is a complete fantasy that exists only in your mind. including, btw, your suggestion about my infosec experience. are my feelings supposed to be hurt by something so laughably inaccurate?
 
I mean esoo I just really can't agree that we should dump toxic waste into the river.

there are loads of ecological studies suggesting that has negative effects. I'm not sure why you're so adamant we should do it. I don't think the local wildlife would do well with tons of it pouring into the river.
 
Annual KKF BST conference where thousands fly in from around the country and much of the world. Everyone exchanges funds and makes trades in person and all knives are individually inspected before transactions. No PP fees. Problem solved.
Sounds a bit dangerous for some of us that reuse the same password for KKF and banks/other important websites. No algorithm and salting hashes. Mmmm.... hash browns...🤤
 

Ok, I did question your skill, but you did call me an ******** (which I read as a hole)

But it’s clear you’re still not understanding my original point. Let’s try this one more time as this has nothing to do with ego.

So let’s do as the hive article does, and we’ll use MD5. We’ll take your 32 character password, pad it to 128 characters and hash it. Now let’s try and crack that. The Hive proved it takes forever. Even longer with a salt. Exactly your point. 100% agree

Now let’s take my overworked web contractor. Doesn’t know **** about security, but knows he can’t store the password in the clear. So what’s he do? He takes your 32 character password and ROT13s it and stores it. How strong is that 32 character password now and how long will those GPUs take to find it? My point.

Sure that’s an extreme example, but as @Michi said, sites are still using reversible hash functions and I’ve seen sites recently that truncated long passwords to 12 characters and one that only allowed letters. There are good libraries to avoid that stuff that are obviously not being used. A password is only as good as its hash, and if the function generating that hash is compromised then all bets are off.
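The storage scenarios in this exchange, worked through as an added example (this is not code from the thread or from any library the posters name): the contractor's ROT13 "protection" is decoded without any cracking at all, an unsalted MD5 gives the Hive-table cost model, a salted and iterated PBKDF2 from the Python standard library is what a site should do instead, and the truncation and letters-only policies mentioned above are modelled to show how much of a 32-character password's search space survives them. The sample password and the iteration count are constructed for the demonstration.

```python
import codecs
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Constructed 32-character sample credential for the demonstration (not a real password).
SAMPLE_PASSWORD = "Xq7!vR2#mL9@pZ4$wN6^kB8&dH1*fJ3("

PBKDF2_ITERATIONS = 200_000  # assumption: an illustrative work factor, not a site's real setting


def rot13_store(password: str) -> str:
    """The contractor's "not in the clear" storage: ROT13 is a fixed letter
    substitution with no key, so it is an encoding, not a hash."""
    return codecs.encode(password, "rot_13")


def rot13_recover(stored: str) -> str:
    """Anyone holding the stored column gets the plaintext back instantly;
    the 32 characters of entropy never mattered and no GPU time is spent."""
    return codecs.decode(stored, "rot_13")


def md5_unsalted(password: str) -> str:
    """Unsalted fast hash, the setting the Hive table assumes: cracking cost
    depends only on password strength, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash using only the standard library. The per-user salt
    defeats precomputed tables and cross-user collisions; the iteration count
    raises the cost of every guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def effective_password(password: str, max_len: Optional[int] = None, letters_only: bool = False) -> str:
    """Model the broken site policies from the thread: a letters-only filter
    and silent truncation. Returns the string the site would actually hash."""
    if letters_only:
        password = "".join(c for c in password if c.isalpha())
    if max_len is not None:
        password = password[:max_len]
    return password


def search_space_bits(password: str) -> float:
    """Upper bound on brute-force search space, log2(alphabet ** length), taking
    the alphabet as the union of the character classes the password uses."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet and password else 0.0


def storage_report(password: str) -> dict:
    """Summarise what each storage choice leaves an attacker holding the database."""
    rot = rot13_store(password)
    return {
        "rot13_recovered_plaintext": rot13_recover(rot) == password,
        "bits_full": round(search_space_bits(password), 1),
        "bits_truncated_12": round(search_space_bits(effective_password(password, max_len=12)), 1),
        "bits_letters_only": round(search_space_bits(effective_password(password, letters_only=True)), 1),
        "pbkdf2_salts_differ": pbkdf2_store(password) != pbkdf2_store(password),
    }


if __name__ == "__main__":
    for key, value in storage_report(SAMPLE_PASSWORD).items():
        print(f"{key}: {value}")
```

The report makes the point of the last two posts concrete: the same 32-character password is worth roughly 210 bits of search space if the site hashes all of it, about 79 bits after a 12-character truncation, and about 91 bits under a letters-only filter, and zero once it is stored as ROT13. The PBKDF2 pair is the library-backed path the post says sites should be using; the MD5 function is there only to reproduce the unsalted case the Hive table measures.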
 

why is it so hard for you to admit that you wanted to make a (valid, good, useful even) point but you did so by effectively making up things that I didn't say so you could argue against them?

honestly if there's a tell I have cyber security experience it's that I am so used to this kind of behavior.

you keep saying I don't understand your original point. I can see from your perspective why you would say that; you wanted to make a point and your point is correct by itself. because your point is correct, you have a blind spot here around the fact that I simply never said ANY of the things you've teed off on. you are locked into this version of my argument that doesn't exist and you want to explain to me why that non-existent argument isn't correct.

I simply will not accept your version of my own damn posts. if you are going to discuss this topic with me, and you are going to just completely make up **** that I never said and attribute it to me, I will correct the record. the end.
 
There are some different arguments here that are really separate issues wrapped up into one.

Password security depends on the password itself and how it is protected during transmission and in storage.

You can create a totally uncrackable password but, if the vendor storing it doesn't protect it properly, it does you no good. If it isn't protected during transmission, it also does you no good. Side-channel attacks like these compromise the best security practices known to man these days.

The reality is that most accounts that are protected by passwords do not have a value or worth high enough to warrant the expense of a side-channel attack.

The vast majority of attacks come from compromised passwords that are reused by people who are NOT I.T. SECURITY PROFESSIONALS! Most of us are not famous enough to have a social media account hacked to be a good payoff so, embarrassment, SPAM, and similar things are the more likely damage. A complex unique 32 character password goes a long way to ensuring if one of my accounts is hacked or compromised by some back-end server problem, all I lose control of is my Adobe, or a single web forum, or similar account which doesn't also have a two-factor authentication method that is still secure.

For HONEY POTS like a brokerage account, large bank account, crypto-wallets, etc. I personally insist on a hardware token that can't be faked or duplicated. Those accounts have enough value to be worth a persistent targeted attack.

Here or on forums like this one, the worst thing likely to happen is someone gets scammed on the sale of a knife, which while bad is nowhere near losing your 401K account!

I go back to my original thought that started this exchange. Get LastPass, Bitwarden, or something similar and use unique complex passwords that are as long as possible. Mixed case, numbers, and special characters, 32 characters long, with two-factor authentication so it is hard to crack. Most people will be safe from account hijacks like this which are mostly due to weak passwords for most things used in daily life.
 
What if buyer offer to send via FF? Is that against the rules?
 
In the past (via DM) I’ve offered the paypal G&S fee as a discount to the buyer if they want to pay via F&F, but I make it clear it’s totally their choice. Usually they decline; one nice buyer actually paid via G&S but tacked on the fee to his payment without even saying anything which was unnecessary but a nice gesture.

I stopped offering the option after the rather strenuous posts by the admins though.

On the buyer’s side, if I was purchasing from a well-known member I’d probably just pay their asking price via F&F without comment.
 
F&F puts all the risk on the Buyer, so if someone offers to buy from you that way it is your choice to accept. Of course if they use their credit card to fund the PP purchase they can still dispute the charge if they are trying to scam you, but in general there is less financial risk as the seller.

Sometimes when I have bought knives through BST, IG, etc. I have offered to buy using F&F if I have a good comfort level with the seller.
 