  1. Has anyone here looked at this approach to improving password length? I've looked into getting large user bases to create longer passphrases, and from what I can see there are options where, if you're in a defined group, you get X password policy. What I'm hoping for is for a password to be taken, assessed on its 'satisfaction' criteria, then based on that outcome given a group to be in. New password is: DR0w55ap! (password is upper/lower/special char, less than 10 characters) -> it's going in the basic password policy decision, less time between password renewal enforcement. New password is: KingsOfLeonAreSuperAnnoying (password is greater than 25 chars (+ other things*)) -> it's going in the long passphrase policy decision = more time between password renewal enforcement. I've been told to take a look at passfilt.dll; does anyone have any first-hand experience with this? I really like this idea, and I think it's a good ramp to getting people busting out longer passwords/passphrases. https://docs.microsoft.com/en-us/windows/win32/secmgmt/management-functions What it isn't clear on is whether you can have more than one policy that can be conditionally applied based on what the user provides. Maybe it can't, but it would be ace if it could. Does anyone know any MS nerds that might be worth talking to?
  2. Very artisanal, @Kevin Beaumont!
  3. I do like a big fat Enter key... or I mean, my pinky does. Dude, 64 gig! My desktop doesn't even have that; save some for the rest of us, geez.
  4. I see you are a Slack user also. What laptop?
  5. In the past, when dealing with dodgies, I've gone to lengths to get IP addresses and from those read my replies, but the problem with the sextortion emails I receive is they don't need a reply; they're broadcast spam with an address for you to pay if they get lucky with the fear. These emails usually propagate from other compromised email addresses or disposable ones :) If you replied with "I'm trying to pay but it's sending me here (canary)" there might be some mileage in it, but other than your excellent password advice, how much time do you want to spend on these asshats? With the resources and visibility you have: if there are domains, there are actions to take; if there are .onions, there are other actions; if there is just a bitcoin address... just add that address to the spam folder. One time, I was being scammed out of a Lenovo W520; I ended up putting up a fake website called 'trackages.co' as a fake parcel-tracking website, to tell the scammer I'm using this service and they can see where it is with this unique reference number. The first time they hit it, it was from a dial-up in Uganda, but the 2nd, 3rd and 4th time it was a BlackBerry in the UK... Handed that over to SOCA or whatever it was called at the time 🙂 - was fun. It's really about the context of the interaction: do they need to read a reply, can you elicit further interactions, and can you trick them into clicking shit? The sextortion emails I've seen I consider 'UDP': they don't care what you say back to them, but it might be worth trying! ... Also, if this was Twitter, my response would be much more horrendous. (I have a reputation to protect.)
  6. Busted by @Kevin Beaumont already 😕 😄

  7. https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ASVS is a comprehensive framework that all web apps can benefit from. Santander have a nice web app for it too: https://github.com/Santandersecurityresearch/asvs
