<neggles>
s'why microsoft/NIST/ACSC/etc all just say "require at least 12 characters, preferably 16, don't restrict what people can use" now
<neggles>
in my experience the most helpful thing is teaching people that space is a legal character in a password
<Habbie>
that's a good summary
<Habbie>
of course CorrectHorseBatteryStaple is okay too
<Habbie>
but that again shares some of the problems with the other case (the upper half of the comic)
<neggles>
we built a fairly simple password generator at work for when we reset users' passwords or create new accounts
<neggles>
picks four words out of the 5,000 most commonly used words in english, with some filtered out just to prevent horrors
<neggles>
(these are all used with "force password change on first login")
<neggles>
but we've had a lot of users reply with "...wait, you can have spaces in there?"
<dwfreed>
that's still 2^49 possibilities
<Habbie>
xkcd says 44, but i don't know how long that list of common words was
<neggles>
it's a pool of just under 5000 words, started with 6000, stripped everything less than 4 characters, swearwords, stuff like "kill" etc
<Habbie>
so you're likely right :)
<neggles>
and there's a sanity check at the end to make sure it's at least 21 characters so it won't pick four 4-letter words
<Habbie>
i'm reminded of the first graphical password prompt i ever wrote, which would light up half of a key if you got the first half right
<Habbie>
in my defense, i was 13
<neggles>
eh
<neggles>
this was an improvement over using "ChangeMeClient2023!"
<Habbie>
hah yes
<neggles>
we've also turned off password expiration, mandated MFA, and set minimum pw length to 16 for all but a couple of stubborn clients who are at 12
<Habbie>
<3
<dwfreed>
neggles: would take 3.5 hours for a 4090 to crack if it was a sha1 hash
<dwfreed>
but that requires stealing the hash
<dwfreed>
vs online attack
<dwfreed>
(and also being a sha1 hash)
<neggles>
yeah online attack won't work
<neggles>
more than a handful of incorrect attempts and it gets locked and we get a ticket opened about it
<dwfreed>
right
<neggles>
how many is variable, ask AAD Password Protection (which also does some nice things like check against the pwned passwords list and a list of keywords associated with the client's business)
<neggles>
plus the attack window is very small, matter of hours
<Habbie>
great when you're small enough that you can just go for "5 strikes and you're out" instead of having to implement something complex that considers location etc.
<neggles>
it does consider location etc
<Habbie>
ok
<Habbie>
but still locks pretty quickly
<neggles>
yes
<Habbie>
my coworker implemented such a system
<Habbie>
he discovered some fun things i didn't think of before
<Habbie>
like, if somebody enters the -same- wrong password 10 times, that's probably just their old phone, and it's not a problem
<neggles>
well and if you're *not* a brand new user you can reset it yourself by supplying 2 MFA methods, one of which must be MS Authenticator or a U2F key
<neggles>
unless you're an exec, then it's two MFA methods and approval from our on-call tech
<Habbie>
:)
<neggles>
and you get *one* incorrect password attempt if you're outside australia for the majority of our clients
<Habbie>
ack :)
<neggles>
and for one client, self-service password reset will only work from a device we have under MDM :D
<Habbie>
hah
<Habbie>
ok, bed
<Habbie>
have a good rest of day :)
<neggles>
it has taken me *five years* to get to this point and, well, the only clients who've had breaches in the last year are ones who refused to do it until said breach :P
<neggles>
fairo, g'night :P
<neggles>
(...and the one who had a shared account with more permissions than it should've had, with a password of 'bubble2', when they are a bubblewrap company...)
<Habbie>
lol
<neggles>
luckily they got in an hour after the daily backup ran & it was some kid in Queensland who had no idea what they were doing, but jeez... they use U2F tokens for shared accounts now :D
<neggles>
anyway
minimal has quit [Quit: Leaving]
floof58 has quit [Remote host closed the connection]
floof58 has joined #openwrt-devel
danitool has quit [Ping timeout: 480 seconds]
tSYS has quit [Quit: *squeak*]
tSYS has joined #openwrt-devel
rua has quit [Quit: Leaving.]
valku has quit [Quit: valku]
rua has joined #openwrt-devel
dansan has quit [Remote host closed the connection]
<soxrok2212>
robimarko: i know you posted a wiki link to add a buildbot builder. is 4 cores enough? i have an 8c/16t server only
Acinonyx_ has joined #openwrt-devel
csharper2005 has joined #openwrt-devel
csharper2005 has left #openwrt-devel [#openwrt-devel]
Acinonyx has quit [Ping timeout: 480 seconds]
olitv_ has joined #openwrt-devel
csharper2005 has joined #openwrt-devel
csharper2005 has quit [Read error: Connection reset by peer]
olitv_ has quit []
Borromini has quit [Ping timeout: 480 seconds]
Borromini has joined #openwrt-devel
minimal has joined #openwrt-devel
shoragan has quit [Quit: quit]
shoragan has joined #openwrt-devel
<f00b4r0>
the coverage range that the old qca953x devices provide never ceases to amaze me. I just set a new personal record at 300m, through at least one building wall and vegetation, from a tiny AP with shitty PCB F-antennas. Impressive.
<hurricos>
nothing beats ath9k
<f00b4r0>
seems so
<hurricos>
well, lots of things beat ath9k. It's just a great 802.11n implementation
<f00b4r0>
heh
<f00b4r0>
what impresses me even more is that I wasn't even in direct LoS: uneven terrain had a hump between the device and the AP
<stintel>
the key is "no firmware" ;)
<Borromini>
:)
<f00b4r0>
stintel: heh, indeed ;)
<hurricos>
Sounds like M300 is locked by new bootloader? I know P-series CPUs read pins in the bootrom to formulate the RCW and change boot media, sounds like the T-series must not :(
<f00b4r0>
hurricos: locked?
<hurricos>
from stintel / hauke up there talking about the new u-boot password.
<hurricos>
Does the M300 have presoldered JTAG? I haven't got a full board image
<f00b4r0>
don't remember seeing a connector or a footprint
<stintel>
you can end up in u-boot shell by installing OpenWrt on the sd card
<stintel>
we were just looking for ways to avoid opening the box
<hurricos>
Oh, cool!
<hurricos>
OK, that makes perfect sense
<hurricos>
phew
<stintel>
I'm happily running dual M300 in an HA OpenWrt setup :)
<stintel>
for ~1.5y
<hurricos>
I was worried they overreacted to that vulnerability they had in like 2021 and pushed a locked down u-boot to their hardware
<hurricos>
read as, cut off supply >:(
<aiyion>
If you found a way, I'd really like to know about it. I spent an evening without success on keeping it closed.
<stintel>
contacted an ISP here that offers 2000/2000, but after their initial response and my reply to that, didn't hear from them again
<stintel>
so I have no real incentive to replace the m300s yet ;p
<stintel>
well, the fact that fman uses firmware, maybe
<stintel>
but it's a fine device, rackmount, has standard PSU so easily replaceable, rj45 console port, ...
<aiyion>
The day that thing does not drop my batman-adv traffic, I'll chime in ;)
<stintel>
:P
<stintel>
yeah it would be a cool project to figure that out
<f00b4r0>
hmm, luci bites me again
<f00b4r0>
adding a new ssid, trying to associate with an interface that's not a bridge, does not automatically create the bridge. Fail :(
<stintel>
maybe making the vanilla kernel work with the userspace fmc (?) tool would not be that hard
<SlimeyX>
my girl misplaced her old macbook for a few years, found it the other day https://imgur.com/a/KHQcZOS
<stintel>
also maybe we should document that batman might not work with dpaa/fman based devices
<aiyion>
stintel: I'll focus on my exam phase the next weeks, but If there's something to test, I can provide results.
<stintel>
aiyion: I have no time to work on that anytime soon, moved to different project at work, no longer involving OpenWrt
<aiyion>
Maybe I'll bug you with that again, when I'm done with the phase and try to do it myself ;)
<stintel>
currently busy migrating some stuff to other hardware at home, after that I need to make a new "home" vlan, isolated from my company vlans, but with the smart tv, chromecasts, home automation etc accessible for the gf
<stintel>
(she's now limited to the guest network and can't access anything but the Internet)
<f00b4r0>
stintel: if you do decide to get rid of your m300s, do ping me ;)
Borromini has quit [Ping timeout: 480 seconds]
<stintel>
f00b4r0: will try to keep it in mind!
<f00b4r0>
thx!
<stintel>
yw
<stintel>
I replaced the PSU in both, they use a bit less power since doing that, don't remember the numbers though
valku has joined #openwrt-devel
<stintel>
and one of the old PSUs is running my esp32 controller 6x PWM fans in my rack
<stintel>
the other one was DOA
<stintel>
got a partial refund from the seller
<stintel>
I tried to get them to refuned the full price for a 2nd hand replacement PSU but then they said "you can ship everything back for a full refuned"
<stintel>
but I really wanted to keep them ;)
<stintel>
wtf refuned, twice
* stintel
steps awaye from the computer
<f00b4r0>
;)
<robimarko>
soxrok2212: f00b4r0 and ynezz can tell you
<f00b4r0>
soxrok2212: 4c won't get you anywhere I'm afraid.
<f00b4r0>
besides it's not just the number of cores, you need a sizeable amount of memory, plus storage
floof58 is now known as Guest2790
floof58 has joined #openwrt-devel
Guest2790 has quit [Ping timeout: 480 seconds]
indy has quit [Ping timeout: 480 seconds]
swegener has quit [Quit: leaving]
T-Bone has joined #openwrt-devel
f00b4r0 has quit [Read error: No route to host]
f00b4r0 has joined #openwrt-devel
T-Bone has quit [Read error: Connection reset by peer]
<soxrok2212>
f00b4r0: 8c helpful?
<soxrok2212>
i have plenty of ram and storage
<soxrok2212>
8tb ssd, i can cut out a chunk of that
<f00b4r0>
8c is always better than 4c. How about you describe your hardware more precisely though?
<f00b4r0>
a buildbot will chew through ssd like butter, fwiw
<soxrok2212>
i7-7820x, 64gb ram, 8tb ssd running on proxmox
<soxrok2212>
i also have a few tb of hdd space
<f00b4r0>
that's ok-ish. At the end of the day I'm not the one making the decision anyway, you'd have to ask ynezz
<f00b4r0>
soxrok2212: it's kind of you and much appreciated, I just want to highlight all pitfalls, because a new resource that is added to the pool only to be removed and/or being on-and-off due to admin realizing the true cost of running an openwrt buildbot is not ideal.
<soxrok2212>
understood :) thanks for the input!
<f00b4r0>
these resources are typically expected to be available (and crunching) 24/7, so there's that too.
<f00b4r0>
last important point is your internet pipe
<f00b4r0>
anything below 50/50 is going to be rather underwhelming, to put it nicely :)
minimal has quit [Remote host closed the connection]
<soxrok2212>
will have symmetric 1g soon
Borromini has joined #openwrt-devel
aiyion has quit [Ping timeout: 480 seconds]
aiyion has joined #openwrt-devel
minimal has joined #openwrt-devel
rua has quit [Remote host closed the connection]
rua has joined #openwrt-devel
<f00b4r0>
hmm wth. bridge device declared with one eth iface, comes up without the eth as bridge member