<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_07_13_1336235</id>
	<title>Strong Passwords Not As Good As You Think</title>
	<author>CmdrTaco</author>
	<datestamp>1247496120000</datestamp>
	<htmltext>Jamie noticed that <a href="http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html">Bruce Schneier wrote a piece</a> on a <a href="http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf">paper on strong passwords</a> that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped.  They make things hard on users, but are useless against phishing and keyloggers.  Everyone can change their password back to 'trustno1' now.</htmltext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680089</id>
	<title>Re:News for who?</title>
	<author>Anonymous</author>
	<datestamp>1247512440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p><i>...but are useless against phishing and keyloggers....</i></p><p>No kidding.  Here's another news flash for you, computers do not run on magic crystals.</p></div><p>Also, the sky is blue.</p>
	</htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</id>
	<title>News for who?</title>
	<author>Anonymous</author>
	<datestamp>1247500260000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>...but are useless against phishing and keyloggers....</i></p><p>No kidding.  Here's another news flash for you, computers do not run on magic crystals.</p></htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677311</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>fr4nk</author>
	<datestamp>1247503380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I use a <a href="http://en.wikipedia.org/wiki/Whitespace_(programming_language)" title="wikipedia.org" rel="nofollow">Whitespace</a> [wikipedia.org] program as my password. Beat that!</htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678447</id>
	<title>Why I have only 3 different passwords</title>
	<author>AnAdventurer</author>
	<datestamp>1247507160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>1 password that is easy to type for almost every site that requires registration (like here). 1 password that is complex for places I think people might try randomly to hack, that I don't want them into (like paypal). And one super easy one for my desktop OS. I am smart enough to not get phished, and no one is going to get a keylogger on my system because, one can not be remotely installed and two most of the people around my system are armed and I trust them with my life.<p>I have always believed the weakest point of passwords is keylogging and phishing, all these stupid sites that make you type one uppercase, one number and so on; I have always believed are wasting our time and making things harder for us to remember. </p><p>So, I concur. Long complex passwords are a waste of time. </p><p>Managing multiple identities, that's a whole different story.</p></htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676401</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>s7uar7</author>
	<datestamp>1247500500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>At least read the summary, if not TFA!  How will that help against phishing and keyloggers?</htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680821</id>
	<title>Security bonus</title>
	<author>dandart</author>
	<datestamp>1247515440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Still, many strong passwords for different things, changed regularly plus many Linux Live CDs to stop weird software, plus hardware checks, plus fingerprint readers will prevent it all from being doooooomed!</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677149</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Opportunist</author>
	<datestamp>1247502780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>...and to remember. At least for those amongst us who don't think orthography is peeking at birds.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676403</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679571</id>
	<title>trustno1</title>
	<author>recharged95</author>
	<datestamp>1247510820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Everyone can change their password back to 'trustno1' now.</p></div><p>
You mean everyone can change their password back to 'password'.
<br>
<br>
<br>
Let's face it, it's 2009: 1980's coolness is out, 1990's awesomeness is in...</p>
	</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677415</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Anonymous</author>
	<datestamp>1247503800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I have even heard it recommended to do the same thing with a certain key in place of the space bar.</p><p>"Iradviserpeoplertoruserunusualrsentencesrasrpasswords."</p><p>The space bar makes a distinct sound.  A careful listener could hear the typing with the spacebar sound indicating spaces and how many letters in each word and how many words were being used.  This is a nice first step in guessing the passphrase.</p><p>Using a letter as the space makes "overhearing" the passphrase a hair more difficult.  Of course, if I was really this paranoid, I wouldn't use a wireless keyboard.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265</id>
	<title>c'mon</title>
	<author>greebowarrior</author>
	<datestamp>1247499960000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext>surely we should all be changing our passwords back to "Joshua"?</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</id>
	<title>Sounds dumb to me</title>
	<author>drinkypoo</author>
	<datestamp>1247500320000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>But maybe it's just the summary? I'll go RTFA right after this, or at least skim it. But since phishing and keyloggers are only two threats, and people can still guess passwords (or brute-force them) I think I'll keep using randomly generated passwords.</p><p>"Wrote a piece" apparently means "wrote a sentence" because all Bruce said about the paper is that it was "Interesting", then he C&amp;P'd the abstract. Why not link directly?</p><p>Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place. However, this ignores the type of attack where a remote hole allows retrieval of a file, and that hole is used to retrieve the password list. There are also other attacks which would allow one to get ahold of your encrypted password, not least by sniffing, which can then be brute-forced without having to worry about three-strikes policies.</p><p>In other words, <em>keep your complicated passwords</em>, they are still necessary to defeat dictionary attacks. Security is not something you can buy in the store, it is a mindset that you must adopt. The more factors of security, the better. If you can't memorize a complex password after using it twenty or thirty times, you should start playing memory games or something. Even <em>I</em> can do that and my memory is poor enough to be a liability (and always has been since childhood.) We're all different and excel in different ways, but you owe it to yourself to sharpen certain skills.</p><p>I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes (or eat it, or whatever) when you no longer need it. It shouldn't be that difficult for a modern human who can understand how to operate a computer.</p></htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685185</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>JoCat</author>
	<datestamp>1247495040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>English has remarkably little entropy.  A letter in a sentence like this one has an average of 1.3 bits of entropy.  To improve the secrecy and randomness of passwords, I recommend substitutions.  Take, for example, 'A bird in the hand is worth two in the bush.'  This can be mixed into, '@B1rdInTh3H4nd1$W0rth2InDaBush!'.  Perhaps not as easy to remember, but after you've made a few passwords like this, it becomes second nature.  In my experience, it also becomes easier to mentally 'chunk' passwords, so something like 'B3hold0bli1v1on1$@Hand' is fairly simple to recall.</p><p>Of course, this brings us to a rather interesting junction.  The second sentence has more entropy, making it more resistant to cryptographic analysis.  The first sentence has more letters, making it harder to brute force.  (Though it has no numbers or symbols, but let's set that aside.)  Which is better?  Depends on your purpose, I think.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</id>
	<title>I'll repeat what I've said before: Use sentences.</title>
	<author>kinabrew</author>
	<datestamp>1247500080000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext><p>I advise people to use unusual sentences as passwords.</p><p>For example, look at the previous sentence.</p><blockquote><div><p>I advise people to use unusual sentences as passwords.</p></div></blockquote><p>It contains uppercase letters, lowercase letters, spaces and punctuation.</p><p>It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.</p><p>And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.</p>
	</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677147</id>
	<title>Re:News for who?</title>
	<author>nobodylocalhost</author>
	<datestamp>1247502780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Sure they do, chips are essentially layered silicon crystal lattice, and regulated by quartz crystals. Both are magical enough when you throw electrons at them.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678557</id>
	<title>Re:Sounds dumb to me (it's you who sounds dumb)</title>
	<author>Anonymous</author>
	<datestamp>1247507580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The problem isn't one password.  It's 82 freaking passwords because every web service in the world, and several different departments at work all want a password, have different rules, and require change every so often. There's no effin' way I can remember all that.</p><p>The problem is compounded by pompous admins who think they understand security and don't.  Result? Bizarre systems that accomplish nothing or less. See the previous comment about how complex password rules actually decrease the search space for a password guessing malbot, for example.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677055</id>
	<title>There are good reasons for strong passwords...</title>
	<author>0x537461746943</author>
	<datestamp>1247502480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Where strong passwords help is in case a vulnerability is discovered in the restricted password guesses or if someone finds a way to get your password hashes (corp network) and they take them home to try and brute force them.

Defense in depth.  Not any one solution solves all problems.  You need multiple protections in place.  Each one itself is just as important as the others.</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678069</id>
	<title>The solution...</title>
	<author>Anonymous</author>
	<datestamp>1247505900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The solution is to put a chip in our heads that generates very long elliptically secure keys that can be used to authenticate with any service. When someone walks up to an ATM machine or uses a website they just need to start saying, 10010010101010001010100101.... you get the idea.</p></htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676367</id>
	<title>Also useless against Live CD</title>
	<author>Anonymous</author>
	<datestamp>1247500380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Give me an Ubuntu CD and I'll show you just how useless any password is without encryption...</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679273</id>
	<title>Re:And this is news how?</title>
	<author>nine-times</author>
	<datestamp>1247509920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yeah, keylogging and phishing are a weakness of passwords.  All passwords.  Strong or not.
</p><p>It's not that strong passwords aren't as good as we thought.  It's that all passwords fail to secure things when the attacker knows the password.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676829</id>
	<title>Crap Summary</title>
	<author>nsteinme</author>
	<datestamp>1247501760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>This summary is terrible, even for<nobr> <wbr></nobr>/..  It makes it sound like strong passwords are ineffective, when in fact TFA claims that they are overkill for some situations.
<br>
<br>
I do agree though that passwords that expire are a bag of chach.</htmltext>
<tokenext>This summary is terrible , even for /.. It makes it sound like strong passwords are ineffective , when in fact TFA claims that they are overkill for some situations .
I do agree though that passwords that expire are a bag of chach .</tokentext>
<sentencetext>This summary is terrible, even for /..  It makes it sound like strong passwords are ineffective, when in fact TFA claims that they are overkill for some situations.
I do agree though that passwords that expire are a bag of chach.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679297</id>
	<title>True security</title>
	<author>Anonymous</author>
	<datestamp>1247510040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Obviously, the only way to really and truly secure your company's computers is to have the security office collect all of the power cords in the office.  That will guarantee that no unauthorized users can access them!</p></htmltext>
<tokenext>Obviously , the only way to really and truly secure your company 's computers is to have the security office collect all of the power cords in the office .
That will guarantee that no unauthorized users can access them !</tokentext>
<sentencetext>Obviously, the only way to really and truly secure your company's computers is to have the security office collect all of the power cords in the office.
That will guarantee that no unauthorized users can access them!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677831</id>
	<title>Re:Now if only people would take this into account</title>
	<author>DNS-and-BIND</author>
	<datestamp>1247505240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>FYI, Prince changed his name to that silly symbol because his record company claimed rights to the name "Prince".  BTW Prince isn't some made-up stage name, his mother named him that at birth.</htmltext>
<tokenext>FYI , Prince changed his name to that silly symbol because his record company claimed rights to the name " Prince " .
BTW Prince is n't some made-up stage name , his mother named him that at birth .</tokentext>
<sentencetext>FYI, Prince changed his name to that silly symbol because his record company claimed rights to the name "Prince".
BTW Prince isn't some made-up stage name, his mother named him that at birth.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677869</id>
	<title>Re:Now if only people would take this into account</title>
	<author>complete loony</author>
	<datestamp>1247505300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>And then you come back 2 months later, guess your password or they send you an email (which is of course unencrypted, but then so was the login prompt) and force you to change it to something else that you won't remember.</htmltext>
<tokenext>And then you come back 2 months later , guess your password or they send you an email ( which is of course unencrypted , but then so was the login prompt ) and force you to change it to something else that you wo n't remember .</tokentext>
<sentencetext>And then you come back 2 months later, guess your password or they send you an email (which is of course unencrypted, but then so was the login prompt) and force you to change it to something else that you won't remember.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999</id>
	<title>Dict' attack is sooooo 2000</title>
	<author>Opportunist</author>
	<datestamp>1247502300000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>Nobody brute forces anymore. Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies <i>only</i> on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed. If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether.</p><p>Take, just for example, various game account or freemail system that let you retry infinitely, because their support would be flooded if they locked you out after 3 tries. Yes, you could keep guessing. And probably it is done. So a "strong" password means more security. Usually, no. Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even <i>easier</i> to defeat than the password guessing game.</p><p>You can, essentially, really go back to "12345" style passwords. There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout. And without lockouts, the average "guess-hacker" won't go for your password. They go for the other venues that are usually far easier to break.</p></htmltext>
<tokenext>Nobody brute forces anymore .
Nobody. Any sensible password challenge/response system ( I doubt there is such a thing if it relies only on that , but I ramble... ) will lock you out and disable the account after so many tries , and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed .
If it does n't , steer clear of such a system altogether , if it does n't come up with one of the simplest security " features " , it probably is hellish insecure altogether . Take , just for example , various game account or freemail system that let you retry infinitely , because their support would be flooded if they locked you out after 3 tries .
Yes , you could keep guessing .
And probably it is done .
So a " strong " password means more security .
Usually , no .
Because they invariably also feature some braindead password recovery feature ( ya know , the supersecret questions like " what was the name of your pet dog " , again with infinite tries ) that is usually even easier to defeat than the password guessing game . You can , essentially , really go back to " 12345 " style passwords .
There are way more than three possible easy to remember passwords , from birthdays to loved ones ' names to even your CC pin number , and three being the usual number of retries before lockout .
And without lockouts , the average " guess-hacker " wo n't go for your password .
They go for the other venues that are usually far easier to break .</tokentext>
<sentencetext>Nobody brute forces anymore.
Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies only on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed.
If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether. Take, just for example, various game account or freemail system that let you retry infinitely, because their support would be flooded if they locked you out after 3 tries.
Yes, you could keep guessing.
And probably it is done.
So a "strong" password means more security.
Usually, no.
Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game. You can, essentially, really go back to "12345" style passwords.
There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout.
And without lockouts, the average "guess-hacker" won't go for your password.
They go for the other venues that are usually far easier to break.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678397</id>
	<title>Re:Sounds dumb to me</title>
	<author>Anonymous</author>
	<datestamp>1247507040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You mistakenly assume the majority of these modern humans understand how to operate a computer.</p></htmltext>
<tokenext>You mistakenly assume the majority of these modern humans understand how to operate a computer .</tokentext>
<sentencetext>You mistakenly assume the majority of these modern humans understand how to operate a computer.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677087</id>
	<title>Phishing and Keylogger success are due to people</title>
	<author>Ynsats</author>
	<datestamp>1247502600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Strong passwords are meant to foil would-be "guessers" and encryption crackers. Phishing schemes and Keyloggers require some sort of duping of the user as well as unknowingly willful compromising of the user's system to gain access.</p><p>A strong password scheme is quite effective at keeping a password cracker busy for an inordinate amount of time and a randomly generated password will keep the likes of Snidely Whiplash from acquiring access to the system by correctly guessing "Passw0rd" as the password. Both methods would require enough time to crack the password that it would be hopeful that your security systems would be able to pick up the unwanted behavior, stop it and notify the proper people that an attempt to compromise the system was logged.</p><p>That is of course, if you are not using an OS "secure" enough to use hash tables to store "encrypted" keys and the passwords those keys encrypt. I mean, we don't know of any OS that would do that, do we? (I'm rolling my eyes right now, just so you know).</p></htmltext>
<tokenext>Strong passwords are meant to foil would-be " guessers " and encryption crackers .
Phishing schemes and Keyloggers require some sort of duping of the user as well as unknowingly willful compromising of the user 's system to gain access . A strong password scheme is quite effective at keeping a password cracker busy for an inordinate amount of time and a randomly generated password will keep the likes of Snidely Whiplash from acquiring access to the system by correctly guessing " Passw0rd " as the password .
Both methods would require enough time to crack the password that it would be hopeful that your security systems would be able to pick up the unwanted behavior , stop it and notify the proper people that an attempt to compromise the system was logged . That is of course , if you are not using an OS " secure " enough to use hash tables to store " encrypted " keys and the passwords those keys encrypt .
I mean , we do n't know of any OS that would do that , do we ?
( I 'm rolling my eyes right now , just so you know ) .</tokentext>
<sentencetext>Strong passwords are meant to foil would-be "guessers" and encryption crackers.
Phishing schemes and Keyloggers require some sort of duping of the user as well as unknowingly willful compromising of the user's system to gain access. A strong password scheme is quite effective at keeping a password cracker busy for an inordinate amount of time and a randomly generated password will keep the likes of Snidely Whiplash from acquiring access to the system by correctly guessing "Passw0rd" as the password.
Both methods would require enough time to crack the password that it would be hopeful that your security systems would be able to pick up the unwanted behavior, stop it and notify the proper people that an attempt to compromise the system was logged. That is of course, if you are not using an OS "secure" enough to use hash tables to store "encrypted" keys and the passwords those keys encrypt.
I mean, we don't know of any OS that would do that, do we?
(I'm rolling my eyes right now, just so you know).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677773</id>
	<title>Re:Now if only people would take this into account</title>
	<author>Phroggy</author>
	<datestamp>1247505000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I usually design web password thingies like that with minimal requirements:  password must be at least four characters, cannot be all lower-case letters (but all caps or all numbers is fine), cannot be all the same character repeated and cannot be entirely sequential like "12345" or "ABCDE" (but these are valid substrings as long as there's something else too).  Oh, and I hadn't realized I'd done this, but apparently the character set is limited to \x20 to \x7e; no control characters, upper ASCII, or Unicode.  I'm not sure why I put that restriction in, but it shouldn't be an issue for most English-speaking people.</p></htmltext>
<tokenext>I usually design web password thingies like that with minimal requirements : password must be at least four characters , can not be all lower-case letters ( but all caps or all numbers is fine ) , can not be all the same character repeated and can not be entirely sequential like " 12345 " or " ABCDE " ( but these are valid substrings as long as there 's something else too ) .
Oh , and I had n't realized I 'd done this , but apparently the character set is limited to \ x20 to \ x7e ; no control characters , upper ASCII , or Unicode .
I 'm not sure why I put that restriction in , but it should n't be an issue for most English-speaking people .</tokentext>
<sentencetext>I usually design web password thingies like that with minimal requirements:  password must be at least four characters, cannot be all lower-case letters (but all caps or all numbers is fine), cannot be all the same character repeated and cannot be entirely sequential like "12345" or "ABCDE" (but these are valid substrings as long as there's something else too).
Oh, and I hadn't realized I'd done this, but apparently the character set is limited to \x20 to \x7e; no control characters, upper ASCII, or Unicode.
I'm not sure why I put that restriction in, but it shouldn't be an issue for most English-speaking people.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676745</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>furby076</author>
	<datestamp>1247501520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>1) The application can only handle X amount of characters where X is less than the sentence<br>
2) You need to have symbols in there (e.g. '*')<br>
3) You need to change this once per month<br>
4) You have multiple systems which require passwords<br>
5) Passwords may not be repeated<br> <br>

All of this = reasons why your password method may not be the best.<br> <br>

There is a reason why ma-bell made phone numbers seven digits long and it's not because ma-bell anticipated the need to use every 10 million number combinations...it's because 7 digits is what the human brain can easily remember.  Easily being "you remember this once" not "you need to remember a new number every month, including different character sizing, symbols, etc"</htmltext>
<tokenext>1 ) The application can only handle X amount of characters where X is less than the sentence 2 ) You need to have symbols in there ( e.g .
' * ' ) 3 ) You need to change this once per month 4 ) You have multiple systems which require passwords 5 ) Passwords may not be repeated All of this = reasons why your password method may not be the best .
There is a reason why ma-bell made phone numbers seven digits long and it 's not because ma-bell anticipated the need to use every 10 million number combinations...it 's because 7 digits is what the human brain can easily remember .
Easily being " you remember this once " not " you need to remember a new number every month , including different character sizing , symbols , etc "</tokentext>
<sentencetext>1) The application can only handle X amount of characters where X is less than the sentence
2) You need to have symbols in there (e.g.
'*')
3) You need to change this once per month
4) You have multiple systems which require passwords
5) Passwords may not be repeated 

All of this = reasons why your password method may not be the best.
There is a reason why ma-bell made phone numbers seven digits long and it's not because ma-bell anticipated the need to use every 10 million number combinations...it's because 7 digits is what the human brain can easily remember.
Easily being "you remember this once" not "you need to remember a new number every month, including different character sizing, symbols, etc"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676939</id>
	<title>Re:Simple solution</title>
	<author>MadKeithV</author>
	<datestamp>1247502120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Except it'll cost an arm and a leg.</htmltext>
<tokenext>Except it 'll cost an arm and a leg .</tokentext>
<sentencetext>Except it'll cost an arm and a leg.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677955</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Anonymous</author>
	<datestamp>1247505600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Well unless they have a sticky note next to that sticky note that says "The unusual sentence on the note next to this is actually the password and not just a random, unusual sentence."</p></htmltext>
<tokenext>Well unless they have a sticky note next to that sticky note that says " The unusual sentence on the note next to this is actually the password and not just a random , unusual sentence .
"</tokentext>
<sentencetext>Well unless they have a sticky note next to that sticky note that says "The unusual sentence on the note next to this is actually the password and not just a random, unusual sentence.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677027</id>
	<title>Memories</title>
	<author>kenp2002</author>
	<datestamp>1247502360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Back in the day there was some issue with Zmodem (or was it kermit... it was a while ago) that downloading a text file with +++ATZ^MATH1 would cause you to disconnect. Ironically I used that for years as a password. The funny thing was when people would try and download a password.txt file for bruteforce they always got disconnected. Now I tend to use passwords that you can't even type the characters normally &#226;-'&#226;-'&#226;-"707&#226;oe&#226;"&#226;&#169; was a good one to use. Go ahead and keylog that, damn bot would likely think the password is 176177178707189190201 discarding the alt code</p></htmltext>
<tokenext>Back in the day there was some issue with Zmodem ( or was it kermit... it was a while ago ) that downloading a text file with + + + ATZ ^ MATH1 would cause you to disconnect .
Ironically I used that for years as a password .
The funny thing was when people would try and download a password.txt file for bruteforce they always got disconnected .
Now I tend to use passwords that you ca n't even type the characters normally   - '   - '   - " 707   oe   "     was a good one to use .
Go ahead and keylog that , damn bot would likely think the password is 176177178707189190201 discarding the alt code</tokentext>
<sentencetext>Back in the day there was some issue with Zmodem (or was it kermit... it was a while ago) that downloading a text file with +++ATZ^MATH1 would cause you to disconnect.
Ironically I used that for years as a password.
The funny thing was when people would try and download a password.txt file for bruteforce they always got disconnected.
Now I tend to use passwords that you can't even type the characters normally â-'â-'â-"707âoeâ"â© was a good one to use.
Go ahead and keylog that, damn bot would likely think the password is 176177178707189190201 discarding the alt code</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677797</id>
	<title>Re:Sounds dumb to me</title>
	<author>Anonymous</author>
	<datestamp>1247505120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>It shouldn't be that difficult for a modern human who can understand how to operate a computer.</p></div><p>That's the problem though.  Too many "Modern Humans" don't have the first clue about why they are required to remember these passwords and why they have to be so complex etc....  I worked as a system admin in a major hospital for 4 years and even with strict HIPAA rules and all that,  all you need to do is walk into the open patient registration area after say 6pm when the registrars have all gone home for the night, walk to ANY and I do mean ANY keyboard, flip it over and get the usernames and passwords to damn near every critical patient application they run. Go to the cashier office, call security and have them let you in.... They will with no questions if you have a badge.  Trust me you can get one without so much as a hint of trouble.   Walk in the cafeteria, pick one up.  Put it on, call security have them let you in the cash office because you're in IT and need to "fix the computers".  Once you're in, they leave, you flip the keyboard over and there is the admin username and password for all of the finance apps.  Go ahead, log in, create yourself a payment to yourself, edit your paycheck data.  It goes on and on.</p><p>All this because the users that work on these systems are not IT, they are not concerned with security, they are not trained for it when they are hired, they don't care about the IT infrastructure nor do they understand how vital it is to their employment, the company security and bottom lines, the patients privacy etc.</p><p>What's more.....  They shouldn't have to be.</p><p>We are IT.  We are the ones charged with securing the network, servers and applications.  It is not a user's responsibility to do that it is ours.  So it may sound good to beat the users up and say "look how stupid they are, they can't remember simple passwords they use everyday".  
I have said it myself, but at the same time we as IT need to understand that to users, the PC, the app, the server and the network are there only so they can type a document, fill in a form, order a product, cut a check, file a report, log a case, play a game, surf the net, pay a bill, email the boss, reply to an instant message etc. etc. etc. etc. etc....</p><p>WE, the IT administrators, coders, developers, engineers, CIO's, network engineers and security architects are the ones who must come up with ways to mitigate security concerns.  Users will be users no matter what and you can't implement security with the flawed thinking that the user is going to help you out by sticking to your plan.</p></div>
	</htmltext>
<tokenext>It should n't be that difficult for a modern human who can understand how to operate a computer . That 's the problem though .
Too many " Modern Humans " do n't have the first clue about why they are required to remember these passwords and why they have to be so complex etc.... I worked as a system admin in a major hospital for 4 years and even with strict HIPAA rules and all that , all you need to do is walk into the open patient registration area after say 6pm when the registrars have all gone home for the night , walk to ANY and I do mean ANY keyboard , flip it over and get the usernames and passwords to damn near every critical patient application they run .
Go to the cashier office , call security and have them let you in.... They will with no questions if you have a badge .
Trust me you can get one without so much as a hint of trouble .
Walk in the cafeteria , pick one up .
Put it on , call security have them let you in the cash office because you 're in IT and need to " fix the computers " .
Once you 're in , they leave , you flip the keyboard over and there is the admin username and password for all of the finance apps .
Go ahead , log in , create yourself a payment to yourself , edit your paycheck data .
It goes on and on . All this because the users that work on these systems are not IT , they are not concerned with security , they are not trained for it when they are hired , they do n't care about the IT infrastructure nor do they understand how vital it is to their employment , the company security and bottom lines , the patients privacy etc . What 's more..... They should n't have to be . We are IT .
We are the ones charged with securing the network , servers and applications .
It is not a user 's responsibility to do that it is ours .
So it may sound good to beat the users up and say " look how stupid they are , they ca n't remember simple passwords they use everyday " .
I have said it myself , but at the same time we as IT need to understand that to users , the PC , the app , the server and the network are there only so they can type a document , fill in a form , order a product , cut a check , file a report , log a case , play a game , surf the net , pay a bill , email the boss , reply to an instant message etc .
etc. etc .
etc. etc.... WE , the IT administrators , coders , developers , engineers , CIO 's , network engineers and security architects are the ones who must come up with ways to mitigate security concerns .
Users will be users no matter what and you ca n't implement security with the flawed thinking that the user is going to help you out by sticking to your plan .</tokentext>
<sentencetext>It shouldn't be that difficult for a modern human who can understand how to operate a computer. That's the problem though.
Too many "Modern Humans" don't have the first clue about why they are required to remember these passwords and why they have to be so complex etc....  I worked as a system admin in a major hospital for 4 years and even with strict HIPAA rules and all that,  all you need to do is walk into the open patient registration area after say 6pm when the registrars have all gone home for the night, walk to ANY and I do mean ANY keyboard, flip it over and get the usernames and passwords to damn near every critical patient application they run.
Go to the cashier office, call security and have them let you in.... They will with no questions if you have a badge.
Trust me you can get one without so much as a hint of trouble.
Walk in the cafeteria, pick one up.
Put it on, call security have them let you in the cash office because you're in IT and need to "fix the computers".
Once you're in, they leave, you flip the keyboard over and there is the admin username and password for all of the finance apps.
Go ahead, log in, create yourself a payment to yourself, edit your paycheck data.
It goes on and on. All this because the users that work on these systems are not IT, they are not concerned with security, they are not trained for it when they are hired, they don't care about the IT infrastructure nor do they understand how vital it is to their employment, the company security and bottom lines, the patients privacy etc. What's more.....  They shouldn't have to be. We are IT.
We are the ones charged with securing the network, servers and applications.
It is not a user's responsibility to do that it is ours.
So it may sound good to beat the users up and say "look how stupid they are, they can't remember simple passwords they use everyday".
I have said it myself, but at the same time we as IT need to understand that to users, the PC, the app, the server and the network are there only so they can type a document, fill in a form, order a product, cut a check, file a report, log a case, play a game, surf the net, pay a bill, email the boss, reply to an instant message etc.
etc. etc.
etc. etc.... WE, the IT administrators, coders, developers, engineers, CIO's, network engineers and security architects are the ones who must come up with ways to mitigate security concerns.
Users will be users no matter what and you can't implement security with the flawed thinking that the user is going to help you out by sticking to your plan.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683113</id>
	<title>Re:Now if only people would take this into account</title>
	<author>WuphonsReach</author>
	<datestamp>1247481540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Okay, the smart move for all of these websites.<br>
<br>
Store your credentials in a plain text file (one per site), with the contents encrypted as a PGP/GPG ASCII block.  Easy to backup, you could even just print out the contents of the text file, or mail it to some other location.<br>
<br>
The trade-off is that you have to keep your PGP/GPG key secure.<br>
<br>
Personally, for the less sensitive sites, I give them a random 18-32 character password and let the browser simply store it.  Although I still store the credentials in GPG encrypted text files.</htmltext>
<tokenext>Okay , the smart move for all of these websites .
Store your credentials in a plain text file ( one per site ) , with the contents encrypted as a PGP/GPG ASCII block .
Easy to back up , you could even just print out the contents of the text file , or mail it to some other location .
The trade-off is that you have to keep your PGP/GPG key secure .
Personally , for the less sensitive sites , I give them a random 18-32 character password and let the browser simply store it .
Although I still store the credentials in GPG encrypted text files .</tokentext>
<sentencetext>Okay, the smart move for all of these websites.
Store your credentials in a plain text file (one per site), with the contents encrypted as a PGP/GPG ASCII block.
Easy to back up, you could even just print out the contents of the text file, or mail it to some other location.
The trade-off is that you have to keep your PGP/GPG key secure.
Personally, for the less sensitive sites, I give them a random 18-32 character password and let the browser simply store it.
Although I still store the credentials in GPG encrypted text files.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677861</id>
	<title>Re:Simple solution</title>
	<author>Anonymous</author>
	<datestamp>1247505300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Better</p><p>My name is (say your name). My voice is my password. Verify me.</p></htmltext>
<tokenext>BetterMy name is ( say your name ) .
My voice is my password .
Verify me .</tokentext>
<sentencetext>BetterMy name is (say your name).
My voice is my password.
Verify me.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685669</id>
	<title>Password system suggestion</title>
	<author>Cheesetrap</author>
	<datestamp>1247499600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I found this system to work well.

For any non-critical passwords (mainly websites/forums), I have a specific string I base my passes on (let's say it's "passwordssuck"), and each site has a slightly different permutation on this.  If I'm making a password for 'website.com', it might be passwssuck or, if caps/nums/symbols are needed, something like p4ssW$suck... I would try to make any required permutations apply first to the website-specific additions, then to the leftmost possible other characters (no number equivalent for W or P so use the A).

To make it less obvious to an unscrupulous forum/site operator that you are using such a system, it can be better to use something that doesn't look like words, such as the first letters of words in a memorable passphrase (e.g, "strong passwords protect your account from being compromised" = sppyafbc = (in the website.com example) 5ppyaW$fbc<nobr> <wbr></nobr>.... Looks completely random but it's memorable if you use this same system everywhere, and there aren't many things to try if you forget the exact symbol substitution etc for a given site.

So slashdot pass could become 5ppya$Dfbc, midgetpron.com you use $ppy4Mpfbc, and so on - so long as you follow the same ruleset each time you'll never forget them.

I haven't seen any forum sites that enforce password expiry, obviously that'd screw you over.

I'll post again about those changing passes, but need to post this now before my flaky mobile safari crashes again.<nobr> <wbr></nobr>:p</htmltext>
<tokenext>I found this system to work well .
For any non-critical passwords ( mainly websites/forums ) , I have a specific string I base my passes on ( let 's say it 's " passwordssuck " ) , and each site has a slightly different permutation on this .
If I 'm making a password for 'website.com ' , it might be passwssuck or , if caps/nums/symbols are needed , something like p4ssW $ suck... I would try to make any required permutations apply first to the website-specific additions , then to the leftmost possible other characters ( no number equivalent for W or P so use the A ) .
To make it less obvious to an unscrupulous forum/site operator that you are using such a system , it can be better to use something that does n't look like words , such as the first letters of words in a memorable passphrase ( e.g , " strong passwords protect your account from being compromised " = sppyafbc = ( in the website.com example ) 5ppyaW $ fbc .... Looks completely random but it 's memorable if you use this same system everywhere , and there are n't many things to try if you forget the exact symbol substitution etc for a given site .
So slashdot pass could become 5ppya $ Dfbc , midgetpron.com you use $ ppy4Mpfbc , and so on - so long as you follow the same ruleset each time you 'll never forget them .
I have n't seen any forum sites that enforce password expiry , obviously that 'd screw you over .
I 'll post again about those changing passes , but need to post this now before my flaky mobile safari crashes again .
: p</tokentext>
<sentencetext>I found this system to work well.
For any non-critical passwords (mainly websites/forums), I have a specific string I base my passes on (let's say it's "passwordssuck"), and each site has a slightly different permutation on this.
If I'm making a password for 'website.com', it might be passwssuck or, if caps/nums/symbols are needed, something like p4ssW$suck... I would try to make any required permutations apply first to the website-specific additions, then to the leftmost possible other characters (no number equivalent for W or P so use the A).
To make it less obvious to an unscrupulous forum/site operator that you are using such a system, it can be better to use something that doesn't look like words, such as the first letters of words in a memorable passphrase (e.g, "strong passwords protect your account from being compromised" = sppyafbc = (in the website.com example) 5ppyaW$fbc .... Looks completely random but it's memorable if you use this same system everywhere, and there aren't many things to try if you forget the exact symbol substitution etc for a given site.
So slashdot pass could become 5ppya$Dfbc, midgetpron.com you use $ppy4Mpfbc, and so on - so long as you follow the same ruleset each time you'll never forget them.
I haven't seen any forum sites that enforce password expiry, obviously that'd screw you over.
I'll post again about those changing passes, but need to post this now before my flaky mobile safari crashes again.
:p</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28692367</id>
	<title>News?</title>
	<author>stanjam</author>
	<datestamp>1247592000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>This stuff is kind of obvious to those who are familiar with the technology.  Password strength is a good defense against certain types of attacks, such as dictionary and brute force, but passwords have always been vulnerable to keyloggers and phishers. If you are stupid enough to download and install a keylogger or you get fooled into a phishing site, your password strength is meaningless.

Passwords have always been the weakest form of security. The other two forms, smartcards (what you have) and biometrics (who you are) are more secure.  Combinations of these forms are even stronger (passwords in combination with a smart-card, for example). Passwords also suffer from other drawbacks.  Passwords strong enough to be decent are hard to remember, so people tend to write them down.  Passwords weak enough to remember are vulnerable to dictionary and brute force attacks.

Passwords are, and will likely remain, the weakest form of security for those reasons.  Yet they will also likely remain the most common form of security. Companies simply don't want to take the expense of building computers that require smart card or biometric access.  Even on laptops this type of added security still remains uncommon.</htmltext>
<tokenext>This stuff is kind of obvious to those who are familiar with the technology .
Password strength is a good defense against certain types of attacks , such as dictionary and brute force , but passwords have always been vulnerable to keyloggers and phishers .
If you are stupid enough to download and install a keylogger or you get fooled into a phishing site , your password strength is meaningless .
Passwords have always been the weakest form of security .
The other two forms , smartcards ( what you have ) and biometrics ( who you are ) are more secure .
Combinations of these forms are even stronger ( passwords in combination with a smart-card , for example ) .
Passwords also suffer from other drawbacks .
Passwords strong enough to be decent are hard to remember , so people tend to write them down .
Passwords weak enough to remember are vulnerable to dictionary and brute force attacks .
Passwords are , and will likely remain , the weakest form of security for those reasons .
Yet they will also likely remain the most common form of security .
Companies simply do n't want to take the expense of building computers that require smart card or biometric access .
Even on laptops this type of added security still remains uncommon .</tokentext>
<sentencetext>This stuff is kind of obvious to those who are familiar with the technology.
Password strength is a good defense against certain types of attacks, such as dictionary and brute force, but passwords have always been vulnerable to keyloggers and phishers.
If you are stupid enough to download and install a keylogger or you get fooled into a phishing site, your password strength is meaningless.
Passwords have always been the weakest form of security.
The other two forms, smartcards (what you have) and biometrics (who you are) are more secure.
Combinations of these forms are even stronger (passwords in combination with a smart-card, for example).
Passwords also suffer from other drawbacks.
Passwords strong enough to be decent are hard to remember, so people tend to write them down.
Passwords weak enough to remember are vulnerable to dictionary and brute force attacks.
Passwords are, and will likely remain, the weakest form of security for those reasons.
Yet they will also likely remain the most common form of security.
Companies simply don't want to take the expense of building computers that require smart card or biometric access.
Even on laptops this type of added security still remains uncommon.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677393</id>
	<title>KeePass</title>
	<author>rAiNsT0rm</author>
	<datestamp>1247503680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Seriously. It's free and cross platform. Or else get a full-on corporate password manager/vault. In this day and age it drives me fucking insane that everyone acts like this is still an issue and post-its are the only viable solution. FFS.</p><p>I install and show people how to use KeePass and allow them to use it for any passwords/info they want and people realize it is handy as hell and adopt it with little issue. I've also set up larger corporate systems with SSL based access and everyone uses it, and especially data centers and banks find it invaluable. TANs are also another great computer-based solution.<nobr> <wbr></nobr>...or, if even those are impossible use a simple word or the first letter of each word in a sentence and then tack on the number of the month. Every month use the same thing but with the next month's number. Easy because the first part becomes ingrained in the memory from constant use and you only have to know what month it is for the number part. Much better than simple words and it is at least almost strong without all the complexity to the user.</p></htmltext>
<tokenext>Seriously .
It 's free and cross platform .
Or else get a full-on corporate password manager/vault .
In this day and age it drives me fucking insane that everyone acts like this is still an issue and post-its are the only viable solution .
FFS.I install and show people how to use KeePass and allow them to use it for any passwords/info they want and people realize it is handy as hell and adopt it with little issue .
I 've also set up larger corporate systems with SSL based access and everyone uses it , and especially data centers and banks find it invaluable .
TANs are also another great computer-based solution .
...or , if even those are impossible use a simple word or the first letter of each word in a sentence and then tack on the number of the month .
Every month use the same thing but with the next month 's number .
Easy because the first part becomes ingrained in the memory from constant use and you only have to know what month it is for the number part .
Much better than simple words and it is at least almost strong without all the complexity to the user .</tokentext>
<sentencetext>Seriously.
It's free and cross platform.
Or else get a full-on corporate password manager/vault.
In this day and age it drives me fucking insane that everyone acts like this is still an issue and post-its are the only viable solution.
FFS.I install and show people how to use KeePass and allow them to use it for any passwords/info they want and people realize it is handy as hell and adopt it with little issue.
I've also set up larger corporate systems with SSL based access and everyone uses it, and especially data centers and banks find it invaluable.
TANs are also another great computer-based solution.
...or, if even those are impossible use a simple word or the first letter of each word in a sentence and then tack on the number of the month.
Every month use the same thing but with the next month's number.
Easy because the first part becomes ingrained in the memory from constant use and you only have to know what month it is for the number part.
Much better than simple words and it is at least almost strong without all the complexity to the user.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676251</id>
	<title>News at 11</title>
	<author>Anonymous</author>
	<datestamp>1247499900000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>If your computer is hacked then you're boned.</p><p>Seems to me that the solution is to have a strong password and keep your computer free of malware.</p><p>Is that really so hard?</p></htmltext>
<tokenext>If your computer is hacked then you 're boned.Seems to me that the solution is to have a strong password and keep your computer free of malware.Is that really so hard ?</tokentext>
<sentencetext>If your computer is hacked then you're boned.Seems to me that the solution is to have a strong password and keep your computer free of malware.Is that really so hard?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678205</id>
	<title>Re:Simple solution</title>
	<author>caseih</author>
	<datestamp>1247506260000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>In a word, no.  Biometrics is only a part of identifying someone and controlling access.  In essence, classic security thought says that there are three things to authorizing and authenticating a principal:<br>1. Something you are<br>2. Something you have<br>3. Something you know</p><p>So if biometrics provided #1, a smart card could be #2, and a password could be #3.</p><p>I've known of several high-security installations that required all three things.  A thumb print, the smart card, and a passphrase (or passcode) to go through a door.  Whether or not this really granted real security I don't know.</p><p>Certainly it's clear that biometrics cannot replace passwords as biometrics are not secret really (you leave your fingerprints everywhere).  And as Mythbusters showed, you can fool even the most sophisticated fingerprint scanners quite easily.  But they are still an important part of positively authorizing someone.</p></htmltext>
<tokenext>In a word , no .
Biometrics is only a part of identifying someone and controlling access .
In essence , classic security thought says that there are three things to authorizing and authenticating a principal : 1 .
Something you are2 .
Something you have3 .
Something you knowSo if biometrics provided # 1 , a smart card could be # 2 , and a password could be # 3.I 've known of several high-security installations that required all three things .
A thumb print , the smart card , and a passphrase ( or passcode ) to go through a door .
Whether or not this really granted real security I do n't know.Certainly it 's clear that biometrics can not replace passwords as biometrics are not secret really ( you leave your fingerprints everywhere ) .
And as Mythbusters showed , you can fool even the most sophisticated fingerprint scanners quite easily .
But they are still an important part of positively authorizing someone .</tokentext>
<sentencetext>In a word, no.
Biometrics is only a part of identifying someone and controlling access.
In essence, classic security thought says that there are three things to authorizing and authenticating a principal:1.
Something you are2.
Something you have3.
Something you knowSo if biometrics provided #1, a smart card could be #2, and a password could be #3.I've known of several high-security installations that required all three things.
A thumb print, the smart card, and a passphrase (or passcode) to go through a door.
Whether or not this really granted real security I don't know.Certainly it's clear that biometrics cannot replace passwords as biometrics are not secret really (you leave your fingerprints everywhere).
And as Mythbusters showed, you can fool even the most sophisticated fingerprint scanners quite easily.
But they are still an important part of positively authorizing someone.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28684725</id>
	<title>We shouldn't use biomet at all - are immutable</title>
	<author>Anonymous</author>
	<datestamp>1247491140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Nope, wrong. We shouldn't use biometrics at all, since they're a) easy to foil and b) immutable. It is as if you're constantly carrying your password on your person, because that's all biomets are, fancy passwords, and you're stuck with these because you can't change them. So you want to add a password in the mix? Well, instead of asking for one password you're asking for two, one of them problematic - you might as well ask for a longer password and save yourself the headache. Smartcards on the other hand are a good idea, as long as their range is short enough. I've worked with systems that we were able to overhear. While we liked that because otherwise we would have had to take a detour through the neighbouring wing to get to the cappuccino machine instead of swipe, walk through straight corridor, swipe, I think that if you would want to come up with a good security policy you might want to avoid that.</p></htmltext>
<tokenext>Nope , wrong .
We should n't use biometrics at all , since they 're a ) easy to foil and b ) immutable .
It is as if you 're constantly carrying your password on your person , because that 's all biomets are , fancy passwords , and you 're stuck with these because you ca n't change them .
So you want to add a password in the mix ?
Well , instead of asking for one password you 're asking for two , one of them problematic - you might as well ask for a longer password and save yourself the headache .
Smartcards on the other hand are a good idea , as long as their range is short enough .
I 've worked with systems that we were able to overhear .
While we liked that because otherwise we would have had to take a detour through the neighbouring wing to get to the cappuccino machine instead of swipe , walk through straight corridor , swipe , I think that if you would want to come up with a good security policy you might want to avoid that .</tokentext>
<sentencetext>Nope, wrong.
We shouldn't use biometrics at all, since they're a) easy to foil and b) immutable.
It is as if you're constantly carrying your password on your person, because that's all biomets are, fancy passwords, and you're stuck with these because you can't change them.
So you want to add a password in the mix?
Well, instead of asking for one password you're asking for two, one of them problematic - you might as well ask for a longer password and save yourself the headache.
Smartcards on the other hand are a good idea, as long as their range is short enough.
I've worked with systems that we were able to overhear.
While we liked that because otherwise we would have had to take a detour through the neighbouring wing to get to the cappuccino machine instead of swipe, walk through straight corridor, swipe, I think that if you would want to come up with a good security policy you might want to avoid that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28686139</id>
	<title>Re:Dict' attack is sooooo 2000</title>
	<author>Anonymous</author>
	<datestamp>1247502840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Indeed, the "security" questions are silly, more so when the system forces you to use one. I usually use things like LAUT*)#)\%V )UM $# &gt;)(&amp;^)&amp;)@$ U*)C#Q#\%\_@*^\_)F@F)F(@M()$WM&amp;)(#()@#M\_FM\_F(M\_$ for these and forget about it. No problems ever.</p></htmltext>
<tokenext>Indeed , the " security " questions are silly , more so when the system forces you to use one .
I usually use things like LAUT * ) # ) \ % V ) UM $ # &gt; ) ( &amp; ^ ) &amp; ) @ $ U * ) C # Q # \ % \ _ @ * ^ \ _ ) F @ F ) F ( @ M ( ) $ WM&amp; ) ( # ( ) @ # M \ _FM \ _F ( M \ _ $ for these and forget about it .
No problems ever .</tokentext>
<sentencetext>Indeed, the "security" questions are silly, more so when the system forces you to use one.
I usually use things like LAUT*)#)\%V )UM $# &gt;)(&amp;^)&amp;)@$ U*)C#Q#\%\_@*^\_)F@F)F(@M()$WM&amp;)(#()@#M\_FM\_F(M\_$ for these and forget about it.
No problems ever.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677133</id>
	<title>User account and system separation anyone?</title>
	<author>Seth Kriticos</author>
	<datestamp>1247502720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well, yes, if your system is easily compromised by key-loggers then it is irrelevant how strong your password is.<br><br>I like to use systems where this is not the case.<br><br>I also use passwords generated by random generators with a length of at least 12 characters.<br><br>Still, the best choice is to isolate sensitive stuff to other user accounts so your compromised ones only do limited damage.<br><br>If someone gets root privileges on your box, then you are SOL anyway, so rounding up this with IDS systems to ensure system integrity and maybe put most of it on read only partitions improves the situation.<br><br>Not even I'm that paranoid though. User level security on a Linux box is enough to make me sleep good at night.</htmltext>
<tokenext>Well , yes , if your system is easily compromised by key-loggers then it is irrelevant how strong your password is.I like to use systems where this is not the case.I also use passwords generated by random generators with a length of at least 12 characters.Still , the best choice is to isolate sensitive stuff to other user accounts so your compromised ones only do limited damage.If someone gets root privileges on your box , then you are SOL anyway , so rounding up this with IDS systems to ensure system integrity and maybe put most of it on read only partitions improves the situation.Not even I 'm that paranoid though .
User level security on a Linux box is enough to make me sleep good at night .</tokentext>
<sentencetext>Well, yes, if your system is easily compromised by key-loggers then it is irrelevant how strong your password is.I like to use systems where this is not the case.I also use passwords generated by random generators with a length of at least 12 characters.Still, the best choice is to isolate sensitive stuff to other user accounts so your compromised ones only do limited damage.If someone gets root privileges on your box, then you are SOL anyway, so rounding up this with IDS systems to ensure system integrity and maybe put most of it on read only partitions improves the situation.Not even I'm that paranoid though.
User level security on a Linux box is enough to make me sleep good at night.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680083</id>
	<title>Re:Strong passwords retain merit</title>
	<author>Anonymous</author>
	<datestamp>1247512380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Perhaps interesting to note, I was able to use OphCrack to get a 10-character password in about fifteen minutes. It was 8 lowercase letters followed by 2 numbers. The 8 letters are not a word and in fact give no results when I type them into google.</p></htmltext>
<tokenext>Perhaps interesting to note , I was able to use OphCrack to get a 10-character password in about fifteen minutes .
It was 8 lowercase letters followed by 2 numbers .
The 8 letters are not a word and in fact give no results when I type them into google .</tokentext>
<sentencetext>Perhaps interesting to note, I was able to use OphCrack to get a 10-character password in about fifteen minutes.
It was 8 lowercase letters followed by 2 numbers.
The 8 letters are not a word and in fact give no results when I type them into google.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677521</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676613</id>
	<title>Re:c'mon</title>
	<author>DoofusOfDeath</author>
	<datestamp>1247501100000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>surely we should all be changing our passwords back to "Joshua"?</p></div><p>Yeah?  You want to play a game, mothafucka???</p><p>Hang up your punk-ass modem and step down.  She-it.</p><p>(Okay, I probably need to stop watching The Wire before I go to work.)</p></div>
	</htmltext>
<tokenext>surely we should all be changing our passwords back to " Joshua " ? Yeah ?
You want to play a game , mothafucka ? ?
? Hang up your punk-ass modem and step down .
She-it. ( Okay , I probably need to stop watching The Wire before I go to work .
)</tokentext>
<sentencetext>surely we should all be changing our passwords back to "Joshua"?Yeah?
You want to play a game, mothafucka??
?Hang up your punk-ass modem and step down.
She-it.(Okay, I probably need to stop watching The Wire before I go to work.
)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678831</id>
	<title>Simple strong passwords</title>
	<author>JDS13</author>
	<datestamp>1247508420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>One way to make easy-to-remember very strong passwords is to scramble an address, viz. Ukiah2035Elm.</p><p>If you must use a public computer, you can protect yourself from keyloggers by jumping from box to box:  type part of your userid in one box, click elsewhere and type other stuff, click the password box and type part, back to the userid to finish, back to the password, etc.</p><p>There are so many naive users that even very simple precautions make you an unattractive target.</p></htmltext>
<tokenext>One way to make easy-to-remember very strong passwords is to scramble an address , viz .
Ukiah2035Elm.If you must use a public computer , you can protect yourself from keyloggers by jumping from box to box : type part of your userid in one box , click elsewhere and type other stuff , click the password box and type part , back to the userid to finish , back to the password , etc.There are so many naive users that even very simple precautions make you an unattractive target .</tokentext>
<sentencetext>One way to make easy-to-remember very strong passwords is to scramble an address, viz.
Ukiah2035Elm.If you must use a public computer, you can protect yourself from keyloggers by jumping from box to box:  type part of your userid in one box, click elsewhere and type other stuff, click the password box and type part, back to the userid to finish, back to the password, etc.There are so many naive users that even very simple precautions make you an unattractive target.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678541</id>
	<title>Rule based authentication</title>
	<author>cwills</author>
	<datestamp>1247507520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Several years ago I read (and wish I remembered where) a technique that I thought was quite interesting.  It was a rule based authentication scheme.  Each account on a system would have its own set of rules that only the user would know.  For example.</p><p><div class="quote"><p>login: myid
<br>
What is 2+4?:cat</p></div><p>
Here I might have set up the rule to say whenever there is a mathematical equation, with an even result and it's in the morning enter "cat", if it's in the afternoon enter "river", if the result is odd and it's Monday then enter "blue", Tuesday enter<nobr> <wbr></nobr>... you get the idea.
</p><p>The response has nothing to do mathematically with the question, but relies on the fact that I know what the proper response should be.  And even if someone was watching my response.  Each time I log in a different rule would be used (maybe the next question would be "what color are roses?")</p></div>
	</htmltext>
<tokenext>Several years ago I read ( and wish I remembered where ) a technique that I thought was quite interesting .
It was a rule based authentication scheme .
Each account on a system would have its own set of rules that only the user would know .
For example.login : myid What is 2 + 4 ?
: cat Here I might have set up the rule to say whenever there is a mathematical equation , with an even result and it 's in the morning enter " cat " , if it 's in the afternoon enter " river " , if the result is odd and it 's Monday then enter " blue " , Tuesday enter ... you get the idea .
The response has nothing to do mathematically with the question , but relies on the fact that I know what the proper response should be .
And even if someone was watching my response .
Each time I log in a different rule would be used ( maybe the next question would be " what color are roses ?
" )</tokentext>
<sentencetext>Several years ago I read (and wish I remembered where) a technique that I thought was quite interesting.
It was a rule based authentication scheme.
Each account on a system would have it's own set of rules that only the user would know.
For example.login: myid

What is 2+4?
:cat
Here I might have set up the rule to say whenever there is a mathematical equation, with an even result and it's in the morning enter "cat", if it's in the afternoon enter "river", if the result is odd and it's Monday then enter "blue", Tuesday enter ... you get the idea.
The response has nothing to do mathematically with the question, but relies on the fact that I know what the proper response should be.
And even if someone was watching my response.
Each time I log in a different rule would be used (maybe the next question would be "what color are roses?
")
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676557</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>goombah99</author>
	<datestamp>1247500980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I agree, except to improve upon this, you can just use the first few letters of each word, or even just the first letter.</p><p>This keeps the passwords reasonably short which is good both for typing quickly (and from just finger muscle memory) as well as being better in cases where passwords are truncated by the system in use.</p><p>Moreover, beyond the first few letters the entropy added by the remaining letters is dropping swiftly so they add less protection if someone knows you are using whole words.</p><p>Additionally if you write the sentence on the wall, but are using only the first few letters of each word, it adds enough obfuscation that someone present at your desk and seeing the sentence probably won't have time to work out your cleverness.</p></htmltext>
<tokenext>I agree , except to improve upon this , you can just use the first few letters of each word , or even just the first letter.this keeps the passwords reasonably short which is good both for typing quickly ( and from just finger muscle memory ) as well as being better in cases where passwords are truncated by the system inuse.moreover , beyond the first few letters the entropy added by the remaining letters is dropping swiftly so they add less protection if someone know you are using whole words.Additionally if you write the sentence on the wall , but are using only the first few letters of each word , it adds enough obfuscation that someone present at your desk and seeing the sentence probably wo n't have time to work out your cleverness .</tokentext>
<sentencetext>I agree, except to improve upon this, you can just use the first few letters of each word, or even just the first letter. This keeps the passwords reasonably short which is good both for typing quickly (and from just finger muscle memory) as well as being better in cases where passwords are truncated by the system in use. Moreover, beyond the first few letters the entropy added by the remaining letters is dropping swiftly so they add less protection if someone knows you are using whole words. Additionally if you write the sentence on the wall, but are using only the first few letters of each word, it adds enough obfuscation that someone present at your desk and seeing the sentence probably won't have time to work out your cleverness.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676647</id>
	<title>Strong passwords don't help against stupidity</title>
	<author>prefec2</author>
	<datestamp>1247501220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>A strong password is a good thing to protect your front door. Of course it is useless if you tell it to everybody (phishing) or if you install password logging tools to tell the password to a special group of people. But that has nothing to do with the password, it has to do with human behavior. A strong password is good, but it is useless without other security measures. This is no surprise. I hear the loud noise of a rice sack falling over. If I am not mistaken, it comes from China.</p></htmltext>
<tokenext>A strong password is a good thing to protect your front door .
Of course it is useless if you tell it everybody ( phishing ) or if you install password logging tools to tell the password a special group of people .
But that has nothing to do with the password , it has to do with human behavior .
A strong password is good , but it is useless without other security measures .
This is no surprise .
I hear the loud noise of a rice sack falling over .
If I am not mistaken , it comes form China .</tokentext>
<sentencetext>A strong password is a good thing to protect your front door.
Of course it is useless if you tell it to everybody (phishing) or if you install password logging tools to tell the password to a special group of people.
But that has nothing to do with the password, it has to do with human behavior.
A strong password is good, but it is useless without other security measures.
This is no surprise.
I hear the loud noise of a rice sack falling over.
If I am not mistaken, it comes from China.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676303</id>
	<title>Throwing the baby out with the bathingwater?</title>
	<author>Anonymous</author>
	<datestamp>1247500140000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.</p><p>If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.</p></htmltext>
<tokenext>So because something that 's good against brute-force attacks , but is n't against phishing and keyloggers , we should stop doing that ?
Phishing and keylogging are a result of strong passwords .
So you need to implement adequate measures against those instead of saying strong passwords are useless.If users have a hard time remembering their passwords , train them in it .
Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user , yet very hard to bruteforce because you can make them quite long easily .</tokentext>
<sentencetext>So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that?
Phishing and keylogging are a result of strong passwords.
So you need to implement adequate measures against those instead of saying strong passwords are useless.If users have a hard time remembering their passwords, train them in it.
Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677799</id>
	<title>Standardize a multi-factor system already!</title>
	<author>Big Boss</author>
	<datestamp>1247505120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Something like those SecurID tokens or the PayPal security device. Standardize a protocol for them so we can use the same damn one everywhere. Biometrics are crap, for any affordable devices. But a reasonably secure password/passphrase with a token or smartcard would be very secure with little effort from the users. The problem is that everyone is trying to create their own little systems that can't inter-operate. Even if the stupid PayPal token isn't the best security out there, combined with a decent password it would be very hard to crack. It's also easy to use, keeping acceptance and compliance high. They are also reasonably cheap. Now you need my username, password, and the token. Significantly harder to crack while being rather easy for the user to deal with.</p></htmltext>
<tokenext>Something like those secureID tokens or the Paypal security device .
Standardize a protocol for them so we can use the same damn one everywhere .
Biometrics are crap , for any affordable devices .
But a reasonably secure password/passphrase with a token or smartcard would be very secure with little effort from the users .
The problem is that everyone is trying to create their own little systems that ca n't inter-operate .
Even if the stupid Paypal token is n't the best security out there , combined with a decent password it would be very hard to crack .
It 's also easy to use , keeping acceptance and compliance high .
They are also reasonably cheap .
Now you need my username , password , and the token .
Significantly harder to crack while being rather easy for the user to deal with .</tokentext>
<sentencetext>Something like those SecurID tokens or the PayPal security device.
Standardize a protocol for them so we can use the same damn one everywhere.
Biometrics are crap, for any affordable devices.
But a reasonably secure password/passphrase with a token or smartcard would be very secure with little effort from the users.
The problem is that everyone is trying to create their own little systems that can't inter-operate.
Even if the stupid PayPal token isn't the best security out there, combined with a decent password it would be very hard to crack.
It's also easy to use, keeping acceptance and compliance high.
They are also reasonably cheap.
Now you need my username, password, and the token.
Significantly harder to crack while being rather easy for the user to deal with.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677475</id>
	<title>Get around keyloggers...</title>
	<author>blahplusplus</author>
	<datestamp>1247503980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>... AI roboform.</p><p><a href="http://www.roboform.com/" title="roboform.com">http://www.roboform.com/</a> [roboform.com]</p></htmltext>
<tokenext>... AI roboform.http : //www.roboform.com/ [ roboform.com ]</tokentext>
<sentencetext>... AI roboform.http://www.roboform.com/ [roboform.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679631</id>
	<title>Re:Sounds dumb to me</title>
	<author>Anonymous</author>
	<datestamp>1247510940000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"I'd be concerned about employing someone who can't remember a password."</p><p>A password? No problem. Who though today has just one password? Your statements strike me as naive.</p></htmltext>
<tokenext>" I 'd be concerned about employing someone who ca n't remember a password .
" A password ?
No problem .
Who though today has just one password .
Your statements strike me as naive .</tokentext>
<sentencetext>"I'd be concerned about employing someone who can't remember a password.
"A password?
No problem.
Who though today has just one password?
Your statements strike me as naive.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677293</id>
	<title>Re:News for who?</title>
	<author>Anonymous</author>
	<datestamp>1247503320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>No kidding.  Here's another news flash for you, computers do not run on magic crystals.</p></div><p>Then why the hell did I have to change them magic crystals on my 386 to make it run faster?</p></div>
	</htmltext>
<tokenext>No kidding .
Here 's another news flash for you , computers do not run on magic crystals.Then why the hell did I have to change them magic crystals on my 386 to make it run faster ?</tokentext>
<sentencetext>No kidding.
Here's another news flash for you, computers do not run on magic crystals.Then why the hell did I have to change them magic crystals on my 386 to make it run faster?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</id>
	<title>Simple solution</title>
	<author>L4t3r4lu5</author>
	<datestamp>1247500140000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>Biometric authentication.<br> <br> <a href="http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm" title="bbc.co.uk">No problems there!</a> [bbc.co.uk]</htmltext>
<tokenext>Biometric authentication .
No problems there !
[ bbc.co.uk ]</tokentext>
<sentencetext>Biometric authentication.
No problems there!
[bbc.co.uk]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676575</id>
	<title>Keys</title>
	<author>Haiyadragon</author>
	<datestamp>1247500980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>They make things hard on users, but are useless against phishing and keyloggers.</p></div><p>
O RLY?<br>
Unlike, for example, the keys to my home. If I give those to complete strangers they are still quite useful. <i>For picking my nose.</i></p></div>
	</htmltext>
<tokenext>They make things hard on users , but are useless against phishing and keyloggers .
O RLY ?
Unlike , for example , the keys to my home .
If I give those to complete strangers they are still quite useful .
For picking my nose .</tokentext>
<sentencetext>They make things hard on users, but are useless against phishing and keyloggers.
O RLY?
Unlike, for example, the keys to my home.
If I give those to complete strangers they are still quite useful.
For picking my nose.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676257</id>
	<title>Woo hoo!</title>
	<author>BobSixtyFour</author>
	<datestamp>1247499960000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p>Yes! Now I can change my password back to password!</p></htmltext>
<tokenext>Yes !
Now i can change my password back to password !</tokentext>
<sentencetext>Yes!
Now I can change my password back to password!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680211</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>S77IM</author>
	<datestamp>1247512800000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>You should set your password to,</p><p><div class="quote"><p>I am a pedophile and this encrypted partition contains my child pornography.</p></div><p>That way, if a court orders you to reveal your password, you can plead the 5th Amendment.</p><p>
&nbsp; -- 77IM</p><p>PS.  I am not a pedophile, and my encrypted partition contains no child pornography, just pirated movies and TV shows.</p></div>
	</htmltext>
<tokenext>You should set your password to,I am a pedophile and this encrypted partition contains my child pornography.That way , if a court orders you to reveal your password , you can plead the 5th Amendment .
  -- 77IMPS .
I am not a pedophile , and my encrypted partition no child pornography , just pirated movies and TV shows .</tokentext>
<sentencetext>You should set your password to,I am a pedophile and this encrypted partition contains my child pornography.That way, if a court orders you to reveal your password, you can plead the 5th Amendment.
  -- 77IMPS.
I am not a pedophile, and my encrypted partition contains no child pornography, just pirated movies and TV shows.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683523</id>
	<title>For chrissake, RTFA</title>
	<author>AlejoHausner</author>
	<datestamp>1247483520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Jeez people, read the article. It's talking about WEB passwords, you know, the kind which are impractical to crack by brute force, because a typical web server will lock you out after three failed attempts.  For web passwords, the biggest threats are keyloggers and phishing attacks, not brute-force cracks.  A simple 6-digit numerical PIN can't be brute-force cracked in less than 1000 years if the server locks you out for 24 hours after three failed attempts.</p><p>Of course, there are lots of fascistic sysadmins who demand impossible-to-remember passwords, but that's really not the topic at hand.</p><p>Alejo<br>---------<br>Writing advice: Proofread carefully to make sure you don't any words out.</p></htmltext>
<tokenext>Jeez people , read the article .
It 's talking about WEB passwords , you know , the kind which are impractical to crack by brute force , because a typical web server will lock you out after three failed attempts .
For web passwords , the biggest threats are keyloggers and phishing attacks , not brute-force cracks .
A simple 6-digit numerical PIN ca n't be brute-force cracked in less than 1000 years if the server locks you out for 24 hours after three failed attempts.Of course , there are lots of fascistic sysadmins who demand impossible-to-remember passwords , but that 's really not the topic at hand.Alejo---------Writing advice : Proofread carefully to make sure you do n't any words out .</tokentext>
<sentencetext>Jeez people, read the article.
It's talking about WEB passwords, you know, the kind which are impractical to crack by brute force, because a typical web server will lock you out after three failed attempts.
For web passwords, the biggest threats are keyloggers and phishing attacks, not brute-force cracks.
A simple 6-digit numerical PIN can't be brute-force cracked in less than 1000 years if the server locks you out for 24 hours after three failed attempts.Of course, there are lots of fascistic sysadmins who demand impossible-to-remember passwords, but that's really not the topic at hand.Alejo---------Writing advice: Proofread carefully to make sure you don't any words out.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676403</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Nerdfest</author>
	<datestamp>1247500500000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext>Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.</htmltext>
<tokenext>Slashdot is an excellent source of many of these sentences , as with spelling mistakes they 're even harder to brute-force .</tokentext>
<sentencetext>Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678037</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>joeyblades</author>
	<datestamp>1247505780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Another trick is to take a sentence or song lyric and use only the first character from each word, but then tack on some numbers and special characters. For instance using the sentence above, generate a password that looks like this:</p><p>Iaptuusap&amp;+0</p><p>If you chose a sentence or lyric that has meaning for you, you probably don't need to write it down at all, but if you absolutely had to write something down you could write:</p><p>"I advise people to use unusual sentences as passwords and add nothing"</p><p>You won't forget it, but it's not obvious that it's your password cheat.</p><p>Alternatively, choose something that you already have on your wall, like that Dilbert cartoon and use the text from one of the panels...</p></htmltext>
<tokenext>Another trick is to take a sentence or song lyric and use only the first character from each word , but then tack on some numbers and special characters .
For instance using the sentence above , generate a password that looks like this : Iaptuusap&amp; + 0If you chose a sentence or lyric that has meaning for you , you probably do n't need to write it down at all , but if you absolutely had to write something down you could write : " I advise people to use unusual sentences as passwords and add nothing " You wo n't forget it , but it 's not obvious that it 's your password cheat.Alternatively , choose something that you already have on your wall , like that Dilbert cartoon and use the text from one of the panels.. .</tokentext>
<sentencetext>Another trick is to take a sentence or song lyric and use only the first character from each word, but then tack on some numbers and special characters.
For instance using the sentence above, generate a password that looks like this:Iaptuusap&amp;+0If you chose a sentence or lyric that has meaning for you, you probably don't need to write it down at all, but if you absolutely had to write something down you could write:"I advise people to use unusual sentences as passwords and add nothing"You won't forget it, but it's not obvious that it's your password cheat.Alternatively, choose something that you already have on your wall, like that Dilbert cartoon and use the text from one of the panels...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678093</id>
	<title>Re:Now if only people would take this into account</title>
	<author>asdfghjklqwertyuiop</author>
	<datestamp>1247505960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is why a browser which can remember passwords is nice.</p></htmltext>
<tokenext>This why a browser which can remember passwords is nice .</tokentext>
<sentencetext>This is why a browser which can remember passwords is nice.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677633</id>
	<title>Just forget passwords</title>
	<author>CrashandDie</author>
	<datestamp>1247504580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>One-Time-Passwords and Strong Authentication are the way to go.</htmltext>
<tokenext>One-Time-Passwords and Strong Authentication are the way to go .</tokentext>
<sentencetext>One-Time-Passwords and Strong Authentication are the way to go.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678647</id>
	<title>Re:Now if only people would take this into account</title>
	<author>jonaskoelker</author>
	<datestamp>1247507880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Seriously, I my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses.</p></div><p>You forgot Tengwar.</p></div>
	</htmltext>
<tokenext>Seriously , I my password to your dipshit forum should n't have to contain mixed case , three numbers , nine punctuation marks , Egyptian fucking hieroglyphs , and that goddamn symbol the artist formerly known as Prince uses.You forgot Tengwar .</tokentext>
<sentencetext>Seriously, I my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses.You forgot Tengwar.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28682145</id>
	<title>Seriously?</title>
	<author>Anonymous</author>
	<datestamp>1247477520000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Research shows that houses aren't as good as we think. We should go back to caves now.</p><p>Great advice: There are some weak segments in your chain of defense, so just forget about it altogether and open the door wide.</p><p>Phishing is entirely avoidable and key loggers are something you can at least try to avoid by keeping your system updated and not downloading that funny flash video that your aunt thinks you just have to watch. So what's left? Brute force and DNS insertion. The latter you can't really do anything about (i.e. with reasonable amount of effort for the average user), but a strong password is hardly the "struggle" it's portrayed to be, isn't it?</p></htmltext>
<tokenext>Research shows that houses are n't as good as we think .
We should go back to caves now.Great advise : There are some weak segments in your chain of defense , so just forget about it all together and open the door wide.Phishing is entirely avoidable and key loggers are something you can at least try to avoid by keeping your system updated and not downloading that funny flash video that your aunt thinks you just have to watch .
So what 's left ?
Brute force and DNS insertion .
The latter you ca n't really do anything about ( i.e .
with reasonable amount of effort for the average user ) , but a strong password is hardly the " struggle " it 's portrayed to be , is n't it ?</tokentext>
<sentencetext>Research shows that houses aren't as good as we think.
We should go back to caves now. Great advice: There are some weak segments in your chain of defense, so just forget about it altogether and open the door wide. Phishing is entirely avoidable and key loggers are something you can at least try to avoid by keeping your system updated and not downloading that funny flash video that your aunt thinks you just have to watch.
So what's left?
Brute force and DNS insertion.
The latter you can't really do anything about (i.e.
with reasonable amount of effort for the average user), but a strong password is hardly the "struggle" it's portrayed to be, isn't it?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676357</id>
	<title>My password is "secret"</title>
	<author>miknix</author>
	<datestamp>1247500380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Nobody knows it.</p></htmltext>
<tokenext>Nobody knows it .</tokentext>
<sentencetext>Nobody knows it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678535</id>
	<title>Re:c'mon</title>
	<author>Anonymous</author>
	<datestamp>1247507520000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>... don't call me Shirley</p></htmltext>
<tokenext>... do n't call me Shirley</tokentext>
<sentencetext>... don't call me Shirley</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676411</id>
	<title>YOU iNSENSITIVE CLOD?</title>
	<author>Anonymous</author>
	<datestamp>1247500560000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext>hand...don't comprehensive of programming vitality. Like an the 'coomunity' be on a wrong</htmltext>
<tokenext>hand...do n't comprehensive of programming vitality .
Like an the 'coomunity ' be on a wrong</tokentext>
<sentencetext>hand...don't comprehensive of programming vitality.
Like an the 'coomunity' be on a wrong</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763</id>
	<title>Re:Simple solution</title>
	<author>Itninja</author>
	<datestamp>1247501580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>Biometrics are not as bullet-proof as many people think. With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint. I am more of an advocate of three factor security, instead of just trading one single-factor method for another. <br> <br>We should have biometrics, passwords, and proximity smartcards.</htmltext>
<tokenext>Biometrics are not as bullet-proof as many people think .
With many fingerprint scanners , for example , one can fool them with little more than a xerox copy of the needed fingerprint .
I am more of an advocate of three factor security , instead of just trading one single-factor method for another .
We should have biometrics , passwords , and proximity smartcards .</tokentext>
<sentencetext>Biometrics are not as bullet-proof as many people think.
With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint.
I am more of an advocate of three factor security, instead of just trading one single-factor method for another.
We should have biometrics, passwords, and proximity smartcards.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28684953</id>
	<title>Perfect security</title>
	<author>w0mprat</author>
	<datestamp>1247492760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Consecutive characters my ass! No matter what I type my passwords are always *******, or *** or ****** etc. So far nobody has ever guessed!</htmltext>
<tokenext>Consecutive characters my ass !
No matter what I type my passwords are always * * * * * * * , or * * * or * * * * * * etc .
So far nobody has ever guessed !</tokentext>
<sentencetext>Consecutive characters my ass!
No matter what I type my passwords are always *******, or *** or ****** etc.
So far nobody has ever guessed!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676527</id>
	<title>Change back to trustno1?</title>
	<author>Anonymous</author>
	<datestamp>1247500860000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Until I decided to post this my Slashdot password WAS trustno1.</p><p>All of the 'strong' password crap also makes crackers ignore easy passwords.  Every rule you add for making a 'secure password' limits the combinations available.  Every time you make a restriction you are in fact making it easier to brute the password.</p><p>Trustno1 has been a great password for years.  I've had a honeypot setup for at least 8 years using that password for root and administrator and never has it been tried to authenticate with it, even with the hundreds of thousands of attempts that have been made.</p><p>Even the bad guys have been socially engineered into making some very well known passwords great for securing important things, such as Slashdot, which used trustno1 for my account until about 30 seconds ago.</p></htmltext>
<tokenext>Until I decided to post this my slashdot password WAS trustno1.All of the 'strong ' password crap also makes crackers ignore easy passwords .
Every rule you add for making a 'secure password ' limits the combinations available .
Everytime you make a restriction you are in fact making it easier to brute the password.Trustno1 has been a great password for years .
I 've had a honeypot setup for at least 8 years using that password for root and administrator and never has it been tried to authenticate with it , even with the hundreds of thousands of attempts that have been made.Even the bad guys have been socially engineered into making some very well known passwords great for securing important things , such as slashdot , which used trustno1 for my account until about 30 seconds ago .</tokentext>
<sentencetext>Until I decided to post this my slashdot password WAS trustno1.All of the 'strong' password crap also makes crackers ignore easy passwords.
Every rule you add for making a 'secure password' limits the combinations available.
Everytime you make a restriction you are in fact making it easier to brute the password.Trustno1 has been a great password for years.
I've had a honeypot setup for at least 8 years using that password for root and administrator and never has it been tried to authenticate with it, even with the hundreds of thousands of attempts that have been made.Even the bad guys have been socially engineered into making some very well known passwords great for securing important things, such as slashdot, which used trustno1 for my account until about 30 seconds ago.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676513</id>
	<title>Other methods</title>
	<author>OpsFace</author>
	<datestamp>1247500800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Is it time to explore other methods as well?  Require fingerprint reader, retinal scanner, a few security questions about your mother's maiden name and your favorite childhood pet, a couple complex math problems, and then insert your driver's license as well as your tongue into a USB device (patent pending)... let's really make sure it's you.</htmltext>
<tokenext>Is it time to explore other methods as well ?
Require fingerprint reader , retinal scanner , a few security questions about your mother 's maiden name and your favorite childhood pet , a couple complex math problems , and then insert your driver 's license as well as your tongue into a USB device ( patent pending ) ... let 's really make sure it 's you .</tokentext>
<sentencetext>Is it time to explore other methods as well?
Require fingerprint reader, retinal scanner, a few security questions about your mother's maiden name and your favorite childhood pet, a couple complex math problems, and then insert your driver's license as well as your tongue into a USB device (patent pending)... let's really make sure it's you.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421</id>
	<title>My password</title>
	<author>Rik Sweeney</author>
	<datestamp>1247500560000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>I sometimes set my password to ******** It sounds stupid but it has two advantages:</p><p>1. I know that I've typed in a * because I can see it</p><p>and, most importantly</p><p>2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing</p></htmltext>
<tokenext>I sometimes set my password to * * * * * * * * It sounds stupid but it has two advantages : 1 .
I know that I 've typed in a * because I can see it and , most importantly 2 .
When I have to repeat my password to confirm it , I can just copy and paste the previous field , saving me literally seconds of typing</tokentext>
<sentencetext>I sometimes set my password to ******** It sounds stupid but it has two advantages: 1.
I know that I've typed in a * because I can see it and, most importantly 2.
When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679309</id>
	<title>Re:Now if only people would take this into account</title>
	<author>Anonymous</author>
	<datestamp>1247510040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I hear ya, I was going to write something quippy myself only to find I'd forgotten which random password I use for this forum.</p></htmltext>
<tokenext>I hear ya , I was going to write something quippy myself only to find I 'd forgotten which random password I use for this forum .</tokentext>
<sentencetext>I hear ya, I was going to write something quippy myself only to find I'd forgotten which random password I use for this forum.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683723</id>
	<title>What are they going to do with physical password</title>
	<author>kildurin</author>
	<datestamp>1247484900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Okay, I have to change my password every 10 days. But wait, I only have 2 eyes. Retinal scans are out. Hmm, 10 fingers. That works for now until some other security know-it-all comes along and says it needs to be 20. Ok, now I have to take my shoes off to meet the requirement. Please. And I can't remember was it the left foot or right foot and third toe. At some point, this is all unmanageable. It already is. Let's please stop it now. I have NEVER in 20 years had any of my passwords hacked. Why? I am likely too under the radar for most hackers and maybe that's what security experts need to teach. Until then, just turn off the password checking.</htmltext>
<tokenext>Okay , I have to change my password every 10 days .
But wait , I only have 2 eyes .
Retinal scans are out .
Hmm , 10 fingers .
That works for now until some other security know-it-all comes along and says it needs to be 20 .
Ok , now I have to take my shoes off to meet the requirement .
Please. And I ca n't remember was it the left foot or right foot and third toe .
At some point , this is all unmanageable .
It already is .
Let 's please stop it now .
I have NEVER in 20 years had any of my passwords hacked .
Why ? I am likely too under the radar for most hackers and maybe that 's what security experts need to teach .
Until then , just turn off the password checking .</tokentext>
<sentencetext>Okay, I have to change my password every 10 days.
But wait, I only have 2 eyes.
Retinal scans are out.
Hmm, 10 fingers.
That works for now until some other security know-it-all comes along and says it needs to be 20.
Ok, now I have to take my shoes off to meet the requirement.
Please. And I can't remember was it the left foot or right foot and third toe.
At some point, this is all unmanageable.
It already is.
Let's please stop it now.
I have NEVER in 20 years had any of my passwords hacked.
Why? I am likely too under the radar for most hackers and maybe that's what security experts need to teach.
Until then, just turn off the password checking.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677847</id>
	<title>you know</title>
	<author>nomadic</author>
	<datestamp>1247505240000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.
<br>
<br>
My bank password?  Yes, that should be strong.  The forum where I go for auto repair advice?  No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.</htmltext>
<tokenext>What annoys me is when the security people demand passwords that are , in terms of strength , way out of proportion to the data they protect .
My bank password ?
Yes , that should be strong .
The forum where I go for auto repair advice ?
No , I should n't have to memorize an 8 character password with at least one upper case , one number , and one symbol character .</tokentext>
<sentencetext>What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.
My bank password?
Yes, that should be strong.
The forum where I go for auto repair advice?
No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680613</id>
	<title>Don't get vaccinated</title>
	<author>sorak</author>
	<datestamp>1247514360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And by that logic, you shouldn't get vaccinated, because vaccines are ineffective against stabbings, shootings, heart disease, or drug overdoses.</p></htmltext>
<tokenext>And by that logic , you should n't get vaccinated , because vaccines are ineffective against stabbings , shootings , heart disease , or drug overdoses .</tokentext>
<sentencetext>And by that logic, you shouldn't get vaccinated, because vaccines are ineffective against stabbings, shootings, heart disease, or drug overdoses.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678239</id>
	<title>Re:Now if only people would take this into account</title>
	<author>Anonymous</author>
	<datestamp>1247506440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If that forum is one that has some sort of authentication procedure for creating new accounts (image recognition, response e-mail, etc.), they may be more worried about comment spam than they are about your account in particular being hacked.  I've seen a few forums where the majority of the posts are Viagra spam.</p></htmltext>
<tokenext>If that forum is one that has some sort of authentication procedure for creating new accounts ( image recognition , response e-mail , etc .
) , they may be more worried about comment spam than they are about your account in particular being hacked .
I 've seen a few forums where the majority of the posts are Viagra spam .</tokentext>
<sentencetext>If that forum is one that has some sort of authentication procedure for creating new accounts (image recognition, response e-mail, etc.
), they may be more worried about comment spam than they are about your account in particular being hacked.
I've seen a few forums where the majority of the posts are Viagra spam.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678303</id>
	<title>Re:Dict' attack is sooooo 2000</title>
	<author>Anonymous</author>
	<datestamp>1247506680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Disabling the account after 3 tries is a great way to be sure to get DoS'ed. All I have to do is try random passwords, and your users can't log in anymore.</p><p>You have to ban the IP trying, but not the account.</p></htmltext>
<tokenext>Disabling the account after 3 tries is a great way to be sure to get DoS'ed .
All I have to do is try random passwords , and your users ca n't log in anymore . You have to ban the IP trying , but not the account .</tokentext>
<sentencetext>Disabling the account after 3 tries is a great way to be sure to get DoS'ed.
All I have to do is try random passwords, and your users can't log in anymore. You have to ban the IP trying, but not the account.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676465</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Anonymous</author>
	<datestamp>1247500680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Tell that to application developers at banks, utilities, and other important accounts that only allow alpha-numeric characters in the password. Who still limits passwords to max 10 characters? Aren't we all salting and hashing anyway?</p><p>How can we put pressure on the application developers to allow us stronger passwords? I can't necessarily change banks or utility providers easily.</p></htmltext>
<tokenext>Tell that to application developers at banks , utilities , and other important accounts that only allow alpha-numeric characters in the password .
Who still limits passwords to max 10 characters ?
Are n't we all salting and hashing anyway ? How can we put pressure on the application developers to allow us stronger passwords ?
I ca n't necessarily change banks or utility providers easily .</tokentext>
<sentencetext>Tell that to application developers at banks, utilities, and other important accounts that only allow alpha-numeric characters in the password.
Who still limits passwords to max 10 characters?
Aren't we all salting and hashing anyway? How can we put pressure on the application developers to allow us stronger passwords?
I can't necessarily change banks or utility providers easily.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685377</id>
	<title>Re:Sounds dumb to me</title>
	<author>taucross</author>
	<datestamp>1247497080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Any sufficiently advanced scam is indistinguishable from business.</htmltext>
<tokenext>Any sufficiently advanced scam is indistinguishable from business .</tokentext>
<sentencetext>Any sufficiently advanced scam is indistinguishable from business.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678587</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677469</id>
	<title>It's what the password's strong against</title>
	<author>Todd Knarr</author>
	<datestamp>1247503980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p>Conventional "strong" passwords protect against someone trying to guess or brute-force the password. They're really good at this.</p><p>The problem is, few attackers try to guess or brute-force passwords anymore. It's too time-consuming and too readily detected. Most of them will try to get you to tell them the password by one means or another. Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is. And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle". To guard against those attacks you need to strengthen things other than the password itself. And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.</p></htmltext>
<tokenext>Conventional " strong " passwords protect against someone trying to guess or brute-force the password .
They 're really good at this . The problem is , few attackers try to guess or brute-force passwords anymore .
It 's too time-consuming and too readily detected .
Most of them will try to get you to tell them the password by one means or another .
Phishing e-mails , keyloggers , traffic sniffing , man-in-the-middle attacks , the whole point of all of them 's to get your password directly without having to figure out what it is .
And against that sort of attack , " secret " is precisely , exactly as secure as " wkL3jfo * Zle " .
To guard against those attacks you need to strengthen things other than the password itself .
And part of what you have to harden against attack is the user themselves , which makes it unlikely you 'll succeed .</tokentext>
<sentencetext>Conventional "strong" passwords protect against someone trying to guess or brute-force the password.
They're really good at this. The problem is, few attackers try to guess or brute-force passwords anymore.
It's too time-consuming and too readily detected.
Most of them will try to get you to tell them the password by one means or another.
Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is.
And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle".
To guard against those attacks you need to strengthen things other than the password itself.
And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676917</id>
	<title>Re:News for who?</title>
	<author>Anonymous</author>
	<datestamp>1247502060000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>Here's another news flash for you, computers do not run on magic crystals.</p></div><p>Duh! Everyone already knows they run on smoke...</p></div>
	</htmltext>
<tokenext>Here 's another news flash for you , computers do not run on magic crystals . Duh !
Everyone already knows they run on smoke.. .</tokentext>
<sentencetext>Here's another news flash for you, computers do not run on magic crystals. Duh!
Everyone already knows they run on smoke...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680171</id>
	<title>Trustno1</title>
	<author>Nom du Keyboard</author>
	<datestamp>1247512680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>Everyone can change their password back to 'trustno1' now.</p></div></blockquote><p>
I actually used that password 13 years ago, although not recently.</p></div>
	</htmltext>
<tokenext>Everyone can change their password back to 'trustno1 ' now .
I actually used that password 13 years ago , although not recently .</tokentext>
<sentencetext>Everyone can change their password back to 'trustno1' now.
I actually used that password 13 years ago, although not recently.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677957</id>
	<title>Re:News for who?</title>
	<author>Anonymous</author>
	<datestamp>1247505600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I have a mac.</htmltext>
<tokenext>I have a mac .</tokentext>
<sentencetext>I have a mac.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677361</id>
	<title>Anonymous Coward</title>
	<author>Anonymous</author>
	<datestamp>1247503620000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>There's a bigger problem that I've yet to see written about and that's the shared username/password issue. I have at least 2 dozen different accounts, if you include Amazon, EBay, credit cards, bank account, youtube, blog/forums, etc. There's no way that I'm going to use different user names for each of them.</p><p>And of course, I'm going to use the same passwords for the accounts as well. While I'm not too worried about using the same username + password for both Amazon and Ebay, what if I have the same password for MyFavoriteBlog.com. A single nefarious employee at a large blogging/forum site has access to many username/password combinations. What's to stop that user from trying those username/password combinations through eBay, every major bank, every major credit card, etc?</p><p>In truth, I use different user names for more "secure" sites like Amazon and banks than I do for ones that I don't trust, but I'll bet that most people don't bother.</p></htmltext>
<tokenext>There 's a bigger problem that I 've yet to see written about and that 's the shared username/password issue .
I have at least 2 dozen different accounts , if you include Amazon , EBay , credit cards , bank account , youtube , blog/forums , etc . There 's no way that I 'm going to use different user names for each of them . And of course , I 'm going to use the same passwords for the accounts as well .
While I 'm not too worried about using the same username + password for both Amazon and Ebay , what if I have the same password for MyFavoriteBlog.com .
A single nefarious employee at a large blogging/forum site has access to many username/password combinations .
What 's to stop that user from trying those username/password combinations through eBay , every major bank , every major credit card , etc ? In truth , I use different user names for more " secure " sites like Amazon and banks than I do for ones that I do n't trust , but I 'll bet that most people do n't bother .</tokentext>
<sentencetext>There's a bigger problem that I've yet to see written about and that's the shared username/password issue.
I have at least 2 dozen different accounts, if you include Amazon, EBay, credit cards, bank account, youtube, blog/forums, etc. There's no way that I'm going to use different user names for each of them. And of course, I'm going to use the same passwords for the accounts as well.
While I'm not too worried about using the same username + password for both Amazon and Ebay, what if I have the same password for MyFavoriteBlog.com.
A single nefarious employee at a large blogging/forum site has access to many username/password combinations.
What's to stop that user from trying those username/password combinations through eBay, every major bank, every major credit card, etc? In truth, I use different user names for more "secure" sites like Amazon and banks than I do for ones that I don't trust, but I'll bet that most people don't bother.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678231</id>
	<title>Multi-layered security</title>
	<author>kilodelta</author>
	<datestamp>1247506380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I note many laptops now come with fingerprint scanners. That's a little bit harder to fake. But it should be coupled with a password. That way you have dual layers of security. But with a Windows box you just boot it up in Knoppix or something similar and it exposes the whole NTFS filesystem.</htmltext>
<tokenext>I note many laptops now come with fingerprint scanners .
That 's a little bit harder to fake .
But it should be coupled with a password .
That way you have dual layers of security .
But with a Windows box you just boot it up in Knoppix or something similar and it exposes the whole NTFS filesystem .</tokentext>
<sentencetext>I note many laptops now come with fingerprint scanners.
That's a little bit harder to fake.
But it should be coupled with a password.
That way you have dual layers of security.
But with a Windows box you just boot it up in Knoppix or something similar and it exposes the whole NTFS filesystem.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565</id>
	<title>Best Practices</title>
	<author>Anonymous</author>
	<datestamp>1247500980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "</p><p>-Choose strong passwords</p><p>-Change their passwords frequently</p><p>-Never write their passwords down</p><p>I would suggest that this is a case for the popular quip: "Pick two".</p></htmltext>
<tokenext>According to the article ( cited by the citation ) : " Users are frequently reminded of the risks : the popular press often reports on the dangers of financial fraud and identity theft , and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices .
As to password practices traditionally users have been advised to .
. .
" -Choose strong passwords -Change their passwords frequently -Never write their passwords down I would suggest that this is a case for the popular quip : " Pick two " .</tokentext>
<sentencetext>According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices.
As to password practices traditionally users have been advised to .
. .
"-Choose strong passwords -Change their passwords frequently -Never write their passwords down I would suggest that this is a case for the popular quip: "Pick two".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676519</id>
	<title>Defense-in-depth</title>
	<author>Rennt</author>
	<datestamp>1247500800000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>From the article:<p><div class="quote"><p>Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.</p></div><p>This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place?</p></div>
	</htmltext>
<tokenext>From the article : Passwords that are too weak of course invite brute-force attacks .
However , we find that relatively weak passwords , about 20 bits or so , are sufficient to make brute-force attacks on a single account unrealistic so long as a " three strikes " type rule is in place . This may be statistically true , but is n't it missing the point of defense-in-depth ?
Why rely on three-strikes to catch brute force attempts , when you can also have a password that resists brute force in the first place ?</tokentext>
<sentencetext>From the article: Passwords that are too weak of course invite brute-force attacks.
However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. This may be statistically true, but isn't it missing the point of defense-in-depth?
Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place?
	</sentencetext>
</comment>
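Added example, not part of any comment in this thread: a small Python model of the "three strikes" rule quoted in the Defense-in-depth comment and of the lockout objection raised in the "Dict' attack" reply (block the guessing address, not the account). The one-hour block length, the account name, the password and the documentation-range addresses are constructed assumptions.

```python
"""Added example: "three strikes" throttling, counted per account or per source."""
from dataclasses import dataclass, field

STRIKES = 3            # failures allowed before a block (the "three strikes" rule)
BLOCK_SECONDS = 3600   # assumed block length; the thread does not state one


def online_guess_odds(bits, strikes, block_seconds, campaign_days, sources=1):
    """Upper bound on online guessing against one uniformly random password of
    `bits` bits. Each counter allows `strikes` guesses, then forces a wait of
    `block_seconds`. `sources` is the number of independent counters the
    guesses are spread over; it only matters when failures are counted per
    source address, because a per-account counter is shared by all sources."""
    space = 2 ** bits
    windows = (campaign_days * 86400) // block_seconds + 1
    guesses = min(space, windows * strikes * sources)
    return guesses, guesses / space


@dataclass
class Guard:
    """Login throttle. scope="account" counts failures against the targeted
    account; scope="source" counts them against the address that sent them."""
    scope: str
    passwords: dict          # user -> password; stands in for a salted-hash check
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)

    def login(self, user, password, source, now):
        key = user if self.scope == "account" else source
        if self.blocked_until.get(key, 0) > now:
            return "blocked"
        if self.passwords.get(user) == password:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= STRIKES:
            self.blocked_until[key] = now + BLOCK_SECONDS
            self.failures[key] = 0
        return "denied"


def scenario(scope):
    """Constructed sequence: three wrong passwords for alice arrive from
    203.0.113.9, then alice signs in correctly from 198.51.100.7 a minute
    later. Returns (what alice gets, what the first address gets next)."""
    guard = Guard(scope, {"alice": "constructed-sample-password"})
    for second in range(STRIKES):
        guard.login("alice", "wrong-%d" % second, "203.0.113.9", now=second)
    owner = guard.login("alice", "constructed-sample-password",
                        "198.51.100.7", now=60)
    other = guard.login("alice", "wrong-again", "203.0.113.9", now=61)
    return owner, other


if __name__ == "__main__":
    # 20-bit password, one year of guessing against a per-account counter.
    print("per-account bound:", online_guess_odds(20, STRIKES, BLOCK_SECONDS, 365))
    # Same policy counted per source, with guesses spread over 40 addresses.
    print("per-source, 40 addresses:",
          online_guess_odds(20, STRIKES, BLOCK_SECONDS, 365, sources=40))
    for scope in ("account", "source"):
        print(scope, scenario(scope))
```

Counting per account keeps the guess bound tight but locks the real owner out; counting per source keeps the owner working, and the bound then scales with the number of addresses, which is where password strength still matters.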
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28690763</id>
	<title>Re:Dict' attack is sooooo 2000</title>
	<author>skiman1979</author>
	<datestamp>1247585160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even <i>easier</i> to defeat than the password guessing game.</p></div><p>Well my dog's name is 7/16/1964.  My mother's maiden name is Houston, TX.  My first girlfriend's last name is 4019-2881-2840-9293.  My childhood hero is 123-45-9874.</p></div>
	</htmltext>
<tokenext>Because they invariably also feature some braindead password recovery feature ( ya know , the supersecret questions like " what was the name of your pet dog " , again with infinite tries ) that is usually even easier to defeat than the password guessing game . Well my dog 's name is 7/16/1964 .
My mother 's maiden name is Houston , TX .
My first girlfriend 's last name is 4019-2881-2840-9293 .
My childhood hero is 123-45-9874 .</tokentext>
<sentencetext>Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game. Well my dog's name is 7/16/1964.
My mother's maiden name is Houston, TX.
My first girlfriend's last name is 4019-2881-2840-9293.
My childhood hero is 123-45-9874.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676945</id>
	<title>Time for keycards</title>
	<author>Twillerror</author>
	<datestamp>1247502120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I've been using some form of a keycard to get into my building/office/server room for how long now?</p><p>Could a little USB reader integrated with the OS really be all that expensive?</p><p>Getting this integrated with the browser world might take some time...but I could see a good password saver attaching your keycard to your ID and encrypting it up. Something that keyloggers couldn't get to. Malware might be a harder problem, but if the program is smart enough to detect access to the metabase of password it might actually become a malware detector.</p><p>At the very least logging into Active directory at work would be swiping my card, encrypting the number, having Active directory have the number in my card, and having the kernel active. If someone steals my keycard they can access my machine, but then there is some physical trail. Maybe have me put in small password after my keycard swipe to get in if you're really worried about that.</p><p>Then put a web cam on my desktop and have it record when the keycard is swiped...okay maybe that's a bit ridiculous. In all honesty making my user have a 12 digit password is as well....at the end of the day no one wants to hack the normal office works user id and password because it doesn't have meaningful data. The IT worker and the HR person maybe...</p></htmltext>
<tokenext>I 've been using some form of a keycard to get into my building/office/server room for how long now ? Could a little USB reader integrated with the OS really be all that expensive ? Getting this integrated with the browser world might take some time...but I could see a good password saver attaching your keycard to your ID and encrypting it up .
Something that keyloggers could n't get to .
Malware might be a harder problem , but if the program is smart enough to detect access to the metabase of password it might actually become a malware detector.At the very least logging into Active directory at work would be swiping my card , encrypting the number , having Active directory have the number in my card , and havign the kernel active .
If someone steals my keycard they can access my machine , but then there is some physical trail .
Maybe have me put in small password after my keycard swipe to get in if you 're really worried about that.Then put a web cam on my desktop and have it record when the keycard is swipped...okay maybe that 's a bit ridoulous .
In all honesty making my user have a 12 digit password is as well....at the end of the day no one wants to hack the normal office works user id and password because it does n't have meaningful data .
The IT worker and the HR person maybe.. .</tokentext>
<sentencetext>I've been using some form of a keycard to get into my building/office/server room for how long now?Could a little USB reader integrated with the OS really be all the expensive.Getting this integrated with the browser world might take some time...but I could see a good password saver attaching your keycard to your ID and encrypting it up.
Something that keyloggers couldn't get to.
Malware might be a harder problem, but if the program is smart enough to detect access to the metabase of password it might actually become a malware detector.At the very least logging into Active directory at work would be swiping my card, encrypting the number, having Active directory have the number in my card, and havign the kernel active.
If someone steals my keycard they can access my machine, but then there is some physical trail.
Maybe have me put in small password after my keycard swipe to get in if you're really worried about that.Then put a web cam on my desktop and have it record when the keycard is swipped...okay maybe that's a bit ridoulous.
In all honesty making my user have a 12 digit password is as well....at the end of the day no one wants to hack the normal office works user id and password because it doesn't have meaningful data.
The IT worker and the HR person maybe...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680221</id>
	<title>Well....</title>
	<author>JAlexoi</author>
	<datestamp>1247512860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>My 23 character strong password was invalidated by my bank's eBanking system's idea that it was too long...</htmltext>
<tokenext>My 23 character strong password was invalidated by my bank 's eBanking system 's idea that it was too long.. .</tokentext>
<sentencetext>My 23 character strong password was invalidated by my bank's eBanking system's idea that it was too long...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</id>
	<title>Now if only people would take this into account...</title>
	<author>Lendrick</author>
	<datestamp>1247500620000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>I signed up for a forum a couple of weeks ago.  I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing.  When I clicked submit, I got an error message telling me that my password needs a number in it.  So I append a '1' on the end to satisfy the filter, and click submit again.  I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter.  Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.</p><p>It would be really nice if they'd just turn those damn filters off.  This forum site isn't a bank.  I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway.  Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses.  Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."</p><p>[/rant]</p></htmltext>
<tokenext>I signed up for a forum a couple of weeks ago .
I used the same generic password that I use for every other throw-away site out there , so it 's easy to remember the damn thing .
When I clicked submit , I got an error message telling me that my password needs a number in it .
So I append a '1 ' on the end to satisfy the filter , and click submit again .
I get * another * error message telling me that it needs to be mixed case , so I capitalized the first letter .
Now I 'll forget the password and never be able to guess the damn thing again , so the next time I want to log in to whatever forum this was , I 'll need it to send me an email with a reminder . It would be really nice if they 'd just turn those damn filters off .
This forum site is n't a bank .
I could n't give two shits if someone hacks my account there , not that my regular password is particularly guessable anyway .
Seriously , my password to your dipshit forum should n't have to contain mixed case , three numbers , nine punctuation marks , Egyptian fucking hieroglyphs , and that goddamn symbol the artist formerly known as Prince uses .
Failing that , it would be nice if they at least provided some instructions with the password box that say something to the point of " Capitalize the first letter of your generic password and append a 1 .
" [ /rant ]</tokentext>
<sentencetext>I signed up for a forum a couple of weeks ago.
I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing.
When I clicked submit, I got an error message telling me that my password needs a number in it.
So I append a '1' on the end to satisfy the filter, and click submit again.
I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter.
Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder. It would be really nice if they'd just turn those damn filters off.
This forum site isn't a bank.
I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway.
Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses.
Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1.
"[/rant]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678459</id>
	<title>oh-uh duude</title>
	<author>amn108</author>
	<datestamp>1247507280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Everyone can change their password back to 'trustno1' now</p></div><p>I juz like changed my MySpace passwurd like you said, what do I do now? Luuulz! O.o</p></div>
	</htmltext>
<tokenext>Everyone can change their password back to 'trustno1 ' now I juz like changed my MySpace passwurd like you said , what do I do now ?
Luuulz ! O.o</tokentext>
<sentencetext>Everyone can change their password back to 'trustno1' now I juz like changed my MySpace passwurd like you said, what do I do now?
Luuulz! O.o
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677651</id>
	<title>Strong auth, not strong passwords</title>
	<author>gmurray</author>
	<datestamp>1247504640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>This needs to become about Strong Authentication, not strong passwords.
Changing a password often just frustrates users and doesn't help against base level attacks like keylogging. And if your password only changes every month or two then it's still valid for quite a while if it is discovered.

We should instead be using multiple password factors for all secure scenarios. Something you know AND something you have (some sort of One Time Password, certificate, or biometric factor). This is less frustrating for the user than having to change their password all the time, and it defeats keyloggers, phishing, etc. Soon the web will have to wake up to this. If some of the big players would start to play ball, and say, support the yubikey token at least, then we might start to get the ball rolling.

At least since the identity field is consolidating a bit with infocard and openid, we'll be in a position where all you need is an identity provider that can support multi factor auth.</htmltext>
<tokenext>This needs to become about Strong Authentication , not strong passwords .
Changing a password often just frustrates users and does n't help against base level attacks like keylogging .
And if your password only changes every month or two then it 's still valid for quite a while if it is discovered .
We should instead be using multiple password factors for all secure scenarios .
Something you know AND something you have ( some sort of One Time Password , certificate , or biometric factor ) .
This is less frustrating for the user than having to change their password all the time , and it defeats keyloggers , phishing , etc .
Soon the web will have to wake up to this .
If some of the big players would start to play ball , and say , support the yubikey token at least , then we might start to get the ball rolling .
At least since the identity field is consolidating a bit with infocard and openid , we 'll be in a position where all you need is an identity provider that can support multi factor auth .</tokentext>
<sentencetext>This needs to become about Strong Authentication, not strong passwords.
Changing a password often just frustrates users and doesn't help against base level attacks like keylogging.
And if your password only changes every month or two then it's still valid for quite a while if it is discovered.
We should instead be using multiple password factors for all secure scenarios.
Something you know AND something you have (some sort of One Time Password, certificate, or biometric factor).
This is less frustrating for the user than having to change their password all the time, and it defeats keyloggers, phishing, etc.
Soon the web will have to wake up to this.
If some of the big players would start to play ball, and say, support the yubikey token at least, then we might start to get the ball rolling.
At least since the identity field is consolidating a bit with infocard and openid, we'll be in a position where all you need is an identity provider that can support multi factor auth.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676979</id>
	<title>Bruce wrote: "Interesting paper from HotSec '07:"</title>
	<author>Browzer</author>
	<datestamp>1247502240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Is this the whole "piece" he wrote?</p><p>TIA</p></htmltext>
<tokenext>Is this the whole " piece " he wrote ? TIA</tokentext>
<sentencetext>Is this the whole "piece" he wrote? TIA</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679947</id>
	<title>Re:Now if only people would take this into account</title>
	<author>Anonymous</author>
	<datestamp>1247511960000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You may not care but as an admin of such a site, I do care.  Botnets want on those sites to spam senselessly. If you have a 'throwaway' password</p></htmltext>
<tokenext>You may not care but as an admin of such a site , I do care .
Botnets want on those sites to spam senselessly .
If you have a 'throwaway ' password</tokentext>
<sentencetext>You may not care but as an admin of such a site, I do care.
Botnets want on those sites to spam senselessly.
If you have a 'throwaway' password</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28688247</id>
	<title>Re:Simple solution</title>
	<author>Anonymous</author>
	<datestamp>1247568660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>or a dog RFID tag (with an on switch) under your skin with your 2048 kbit private key</p></htmltext>
<tokenext>or a dog RFID tag ( with an on switch ) under your skin with your 2048 kbit private key</tokentext>
<sentencetext>or a dog RFID tag (with an on switch) under your skin with your 2048 kbit private key</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287</id>
	<title>And this is news how?</title>
	<author>damn_registrars</author>
	<datestamp>1247500080000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext>I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging.  However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.</htmltext>
<tokenext>I would n't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging .
However with the number of brute force methods out there for cracking weak passwords , I do n't see how this in any way reduces the value of strong passwords on systems where passwords are critical .</tokentext>
<sentencetext>I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging.
However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677911</id>
	<title>Good point</title>
	<author>StikyPad</author>
	<datestamp>1247505480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Except that they're two sides of the same coin.  Strong passwords are worthless without good filtering, common sense, and vigilance, and all of that is for naught if your password is "12345".  A more appropriate observation would be, "Using a hard to guess password is worthless if you tell everyone what it is."</p></htmltext>
<tokenext>Except that they 're two sides of the same coin .
Strong passwords are worthless without good filtering , common sense , and vigilance , and all of that is for naught if your password is " 12345 " .
A more appropriate observation would be , " Using a hard to guess password is worthless if you tell everyone what it is .
"</tokentext>
<sentencetext>Except that they're two sides of the same coin.
Strong passwords are worthless without good filtering, common sense, and vigilance, and all of that is for naught if your password is "12345".
A more appropriate observation would be, "Using a hard to guess password is worthless if you tell everyone what it is.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28682805</id>
	<title>Simple, cheap two-factor authentication...</title>
	<author>Loopy</author>
	<datestamp>1247480400000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'm surprised nobody's mentioned the stupidly simple and cheap two-factor authentication methods available. Example: World of Warcraft. People are <i>constantly</i> getting "hacked" or keylogged or whatever for that game's credentials, yet I have not heard of a single person with the keyfob they sell for $6.50US ever being hacked or keylogged. I mean, c'mon. It's less than $7US for permanent security.</p><p>The only downside is that there is no standard for this in terms of which keyfob works with your particular system, meaning your company or message board or whatever would have to figure that part out. Still, if it's a company, why not use that remote-access(VPN) keyfob for normal logins that require passwords as well.</p><p>I know Shell Oil does this with password + smart card, so having one doesn't matter as you need both, plus physical access to the correct server/LAN environment.</p><p>I'm surprised this is so constantly debated as a topic of security instead of a topic of onerous usability requirements imposed by draconian IT departments. Seriously. Remember a simple, permanent password + keyfob combination, or remember stupidly complex random gibberish that's required to change every 45 days. Seems easy to me.</p></htmltext>
<tokenext>I 'm surprised nobody 's mentioned the stupidly simple and cheap two-factor authentication methods available .
Example : World of Warcraft .
People are constantly getting " hacked " or keylogged or whatever for that game 's credentials , yet I have not heard of a single person with the keyfob they sell for $ 6.50US ever being hacked or keylogged .
I mean , c'mon .
It 's less than $ 7US for permanent security . The only downside is that there is no standard for this in terms of which keyfob works with your particular system , meaning your company or message board or whatever would have to figure that part out .
Still , if it 's a company , why not use that remote-access ( VPN ) keyfob for normal logins that require passwords as well . I know Shell Oil does this with password + smart card , so having one does n't matter as you need both , plus physical access to the correct server/LAN environment . I 'm surprised this is so constantly debated as a topic of security instead of a topic of onerous usability requirements imposed by draconian IT departments .
Seriously. Remember a simple , permanent password + keyfob combination , or remember stupidly complex random gibberish that 's required to change every 45 days .
Seems easy to me .</tokentext>
<sentencetext>I'm surprised nobody's mentioned the stupidly simple and cheap two-factor authentication methods available.
Example: World of Warcraft.
People are constantly getting "hacked" or keylogged or whatever for that game's credentials, yet I have not heard of a single person with the keyfob they sell for $6.50US ever being hacked or keylogged.
I mean, c'mon.
It's less than $7US for permanent security. The only downside is that there is no standard for this in terms of which keyfob works with your particular system, meaning your company or message board or whatever would have to figure that part out.
Still, if it's a company, why not use that remote-access(VPN) keyfob for normal logins that require passwords as well. I know Shell Oil does this with password + smart card, so having one doesn't matter as you need both, plus physical access to the correct server/LAN environment. I'm surprised this is so constantly debated as a topic of security instead of a topic of onerous usability requirements imposed by draconian IT departments.
Seriously. Remember a simple, permanent password + keyfob combination, or remember stupidly complex random gibberish that's required to change every 45 days.
Seems easy to me.</sentencetext>
</comment>
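The keyfob idea raised in the comments above, as an added example that is not part of the original thread: a counter-based one-time password (RFC 4226 HOTP) checked next to a static password, showing that a login recorded by a keylogger is rejected when replayed. The `KeyfobVerifier` class, the constructed salt, and the use of the RFC's published test secret as a sample key are assumptions of this sketch, not any vendor's implementation.

```python
import hashlib
import hmac

# RFC 4226 test secret, used here only as a constructed sample key.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """Counter-based one-time password as specified in RFC 4226."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] % 16  # low four bits of the last byte select a 4-byte window
    chunk = int.from_bytes(mac[offset:offset + 4], "big") % 2**31  # clear the top bit
    return str(chunk % 10**digits).zfill(digits)


def _kdf(password, salt):
    """Slow, salted derivation of the stored password verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class KeyfobVerifier:
    """Hypothetical server-side check: static password AND an unused one-time code."""

    def __init__(self, password_key, salt, secret, look_ahead=3):
        self.password_key = password_key
        self.salt = salt
        self.secret = secret
        self.next_counter = 0         # lowest counter value still acceptable
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def login(self, password, code):
        password_ok = hmac.compare_digest(_kdf(password, self.salt), self.password_key)
        matched = None
        for counter in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            expected = hotp(self.secret, counter).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                matched = counter
                break
        if password_ok and matched is not None:
            self.next_counter = matched + 1  # burn this code and every earlier one
            return True
        return False


def replay_scenario():
    """Constructed scenario: a keylogger records one complete login."""
    salt = b"constructed-salt"
    server = KeyfobVerifier(_kdf("trustno1", salt), salt, SAMPLE_SECRET)
    logged = ("trustno1", hotp(SAMPLE_SECRET, 0))  # keystrokes the logger captured
    first = server.login(*logged)                  # the owner's real login
    replayed = server.login(*logged)               # same keystrokes used again later
    password_only = server.login("trustno1", "000000")        # password known, no fob
    fresh = server.login("trustno1", hotp(SAMPLE_SECRET, 1))  # owner presses the button again
    return first, replayed, password_only, fresh


if __name__ == "__main__":
    print(replay_scenario())
```

The server only rejects codes it has already seen or skipped past; a code relayed to the real site before its owner uses it is still accepted, so this addresses replay of logged credentials rather than live relay.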
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676351</id>
	<title>The same combination as my luggage!</title>
	<author>mrdoogee</author>
	<datestamp>1247500320000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>0</modscore>
	<htmltext>1 - 2 - 3 - 4 - 5</htmltext>
<tokenext>1 - 2 - 3 - 4 - 5</tokentext>
<sentencetext>1 - 2 - 3 - 4 - 5</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677367</id>
	<title>yup</title>
	<author>Anonymous</author>
	<datestamp>1247503620000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>They make things hard on users, but are useless against phishing and keyloggers.</p></div></blockquote><p>Forcing users to change passwords does nothing against keyloggers either.  But it definitely makes it easier to tell when a user has changed their password.</p><p>They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the <em>same</em> cryptic garbage.</p><p>But the worst possible password constraint I can think of is limiting the <em>maximum</em> number of allowed characters.  I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system, possess this restriction.</p></div>
	</htmltext>
<tokenext>They make things hard on users , but are useless against phishing and keyloggers . Forcing users to change passwords does nothing against keyloggers either .
But it definitely makes it easier to tell when a user has changed their password . They 'll type the current known password , then tab or click , then type some new cryptic garbage , then tab or click , then the same cryptic garbage . But the worst possible password constraint I can think of is limiting the maximum number of allowed characters .
I can think of absolutely no good reason for this restriction , yet large companies , such as Cedar Point 's online reservation system , possess this restriction .</tokentext>
<sentencetext>They make things hard on users, but are useless against phishing and keyloggers. Forcing users to change passwords does nothing against keyloggers either.
But it definitely makes it easier to tell when a user has changed their password. They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the same cryptic garbage. But the worst possible password constraint I can think of is limiting the maximum number of allowed characters.
I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system, possess this restriction.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676711</id>
	<title>Re:My password</title>
	<author>ptbarnett</author>
	<datestamp>1247501400000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>I sometimes set my password to ********</p></div><p>Your password is <a href="http://www.bash.org/?244321" title="bash.org">hunter2</a> [bash.org]?</p></div>
	</htmltext>
<tokenext>I sometimes set my password to * * * * * * * * Your password is hunter2 [ bash.org ] ?</tokentext>
<sentencetext>I sometimes set my password to ******** Your password is hunter2 [bash.org]?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677993</id>
	<title>Offsite cracking</title>
	<author>Anonymous</author>
	<datestamp>1247505720000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>While a lot of people have said "don't worry about strong passwords because systems lock you out after 3 tries" or something like that, there is an exception. Back in high school, a friend and I took all the local LM hashes off the school machines (we all had our own network logins) and then cracked them offsite. The actual network authentication would lock you out if you tried too many times, but our cracking rig would allow you to try an infinite number of times. In general, we'd stay away from the passwords that took too long to compute since there were so many weak passwords that we got nearly instantly.</p><p>So, I guess the moral of the story is that while any good system includes lockouts, if the password hashes are ever obtained, the strong passwords do come in handy.</p><p>and a fun fact: 90% of girls' passwords in my school were the names of boys.</p></htmltext>
<tokenext>While a lot of people have said " do n't worry about strong passwords because systems lock you out after 3 tries " or something like that , there is an exception .
Back in high school , a friend and I took all the local LM hashes off the school machines ( we all had our own network logins ) and then cracked them offsite .
The actual network authentication would lock you out if you tried too many times , but our cracking rig would allow you to try an infinite number of times .
In general , we 'd stay away from the passwords that took too long to compute since there were so many weak passwords that we got nearly instantly . So , I guess the moral of the story is that while any good system includes lockouts , if the password hashes are ever obtained , the strong passwords do come in handy . and a fun fact : 90 % of girls ' passwords in my school were the names of boys .</tokentext>
<sentencetext>While a lot of people have said "don't worry about strong passwords because systems lock you out after 3 tries" or something like that, there is an exception.
Back in high school, a friend and I took all the local LM hashes off the school machines (we all had our own network logins) and then cracked them offsite.
The actual network authentication would lock you out if you tried too many times, but our cracking rig would allow you to try an infinite number of times.
In general, we'd stay away from the passwords that took too long to compute since there were so many weak passwords that we got nearly instantly. So, I guess the moral of the story is that while any good system includes lockouts, if the password hashes are ever obtained, the strong passwords do come in handy. and a fun fact: 90% of girls' passwords in my school were the names of boys.</sentencetext>
</comment>
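The storage side of the comment above, as an added example that is not part of the original thread: once stored hashes leave the server, login lockouts no longer apply, so what remains is how the passwords were stored and how long they are. The account names, the use of SHA-256 as a stand-in for a fast unsalted scheme, the PBKDF2 work factor and the guess rate are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor for this example

# Constructed accounts; two of the passwords are ones quoted in the thread.
ACCOUNTS = {
    "alice": "trustno1",
    "bob": "trustno1",
    "carol": "12345",
    "dave": "nine punctuation marks and a hieroglyph",
}


def unsalted_digest(password):
    """Weak baseline: fast and unsalted (SHA-256 stands in for any such scheme)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, iterations=ITERATIONS):
    """Per-account random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(key, record["key"])


def accounts_sharing_a_digest(stored):
    """Audit a credential table: which accounts hold byte-identical stored values?"""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def exhaustive_search_days(alphabet_size, length, guesses_per_second):
    """Worst-case days to try every password of one length at a given offline rate."""
    return alphabet_size ** length / guesses_per_second / 86_400


def audit(accounts=ACCOUNTS):
    """Store the same accounts both ways and compare what a leaked table reveals."""
    unsalted = {user: unsalted_digest(pw) for user, pw in accounts.items()}
    salted = {user: salted_record(pw) for user, pw in accounts.items()}
    return {
        # Identical passwords give identical digests, so one guess settles both accounts.
        "unsalted_shared": accounts_sharing_a_digest(unsalted),
        # With a random salt per account, no two stored values coincide.
        "salted_shared": accounts_sharing_a_digest(
            {user: rec["key"] for user, rec in salted.items()}
        ),
        "salted_still_verifies": all(verify(pw, salted[u]) for u, pw in accounts.items()),
    }


if __name__ == "__main__":
    print(audit())
    # The rate below is an assumed figure, not a measurement.
    for length in (6, 8, 12):
        days = exhaustive_search_days(95, length, 1e9)
        print(length, "printable characters:", round(days, 3), "days")
```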
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676521</id>
	<title>Strong passwords may be overkill</title>
	<author>GodfatherofSoul</author>
	<datestamp>1247500860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Really, your password has to be two things: unguessable and unique.  Unguessable in that no one can read a quick bio of you and start hammering out children's names or birthplaces and unique in that you're not sharing the same password across multiple hosts.  That being said, I use the <a href="http://www.pctools.com/guides/password/" title="pctools.com">PC Tools Password</a> [pctools.com] tool to generate my passwords.  However, this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to my kingdom.</htmltext>
<tokenext>Really , your password has to be two things : unguessable and unique .
Unguessable in that no one can read a quick bio of you and start hammering out children 's names or birthplaces and unique in that you 're not sharing the same password across multiple hosts .
That being said , I use the PC Tools Password [ pctools.com ] tool to generate my passwords .
However , this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to my kingdom .</tokentext>
<sentencetext>Really, your password has to be two things: unguessable and unique.
Unguessable in that no one can read a quick bio of you and start hammering out children's names or birthplaces and unique in that you're not sharing the same password across multiple hosts.
That being said, I use the PC Tools Password [pctools.com] tool to generate my passwords.
However, this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to my kingdom.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676451</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Looce</author>
	<datestamp>1247500620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>So, uh... passphrases?</p></htmltext>
<tokenext>So , uh... passphrases ?</tokentext>
<sentencetext>So, uh... passphrases?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677019</id>
	<title>Re:And this is news how?</title>
	<author>Anonymous</author>
	<datestamp>1247502360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It's not even a traditional "brute force" since that implies that an attack will focus on one password and attempt to crack it via these methods.  In actuality, it's even simpler than that.</p><p>When a password is created it is stored, for example, as a salt and a hash. In the simplest case, the hash on one system is compared to the stored hash on the authenticating server. The reasoning is that even were the hash to be revealed, because it is ostensibly non-reversible, someone couldn't determine the password from the hash.</p><p>The hashes are not random, however. Given a particular salt and a particular password, the hash will be identical. There are billions of such hashes.</p><p>With a PC, I can generate a dictionary of possible salts and possible hashes.  It will be a huge dictionary, but given a particular hash, I can look it up in the dictionary and immediately retrieve the password (or at least a string that hashes to the same password).</p><p>Each character in a strong password can increase the strength of the overall security because it makes a dictionary lookup less likely since it's difficult (though not impossible) to hash passwords of greater length. This assumes that you use a large keyspace and no regular words or common variations on regular words (thus "p@ssw0rd" is just as bad as "password").</p></htmltext>
<tokenext>It 's not even a traditional " brute force " since that implies that an attack will focus on one password and attempt to crack it via these methods .
In actuality , it 's even simpler than that . When a password is created it is stored , for example , as a salt and a hash .
In the simplest case , the hash on one system is compared to the stored hash on the authenticating server .
The reasoning is that even were the hash to be revealed , because it is ostensibly non-reversible , someone could n't determine the password from the hash . The hashes are not random , however .
Given a particular salt and a particular password , the hash will be identical . There are billions of such hashes . With a PC , I can generate a dictionary of possible salts and possible hashes .
It will be a huge dictionary , but given a particular hash , I can look it up in the dictionary and immediately retrieve the password ( or at least a string that hashes to the same password ) . Each character in a strong password can increase the strength of the overall security because it makes a dictionary lookup less likely since it 's difficult ( though not impossible ) to hash passwords of greater length .
This assumes that you use a large keyspace and no regular words or common variations on regular words ( thus " p @ ssw0rd " is just as bad as " password " ) .</tokentext>
<sentencetext>It's not even a traditional "brute force" since that implies that an attack will focus on one password and attempt to crack it via these methods.
In actuality, it's even simpler than that.
When a password is created it is stored, for example, as a salt and a hash.
In the simplest case, the hash on one system is compared to the stored hash on the authenticating server.
The reasoning is that even were the hash to be revealed, because it is ostensibly non-reversible, someone couldn't determine the password from the hash.
The hashes are not random, however.
Given a particular salt and a particular password, the hash will be identical.
There are billions of such hashes.
With a PC, I can generate a dictionary of possible salts and possible hashes.
It will be a huge dictionary, but given a particular hash, I can look it up in the dictionary and immediately retrieve the password (or at least a string that hashes to the same password).
Each character in a strong password can increase the strength of the overall security because it makes a dictionary lookup less likely since it's difficult (though not impossible) to hash passwords of greater length.
This assumes that you use a large keyspace and no regular words or common variations on regular words (thus "p@ssw0rd" is just as bad as "password").</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677521</id>
	<title>Strong passwords retain merit</title>
	<author>clarkn0va</author>
	<datestamp>1247504160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Strong passwords may not save you from keylogging, but that doesn't make them altogether useless. Rainbow tables, for example, will expose weak passwords but not strong ones on Windows machines. If you're using a boot disk to get into a computer that might store one of my strong passwords, well you can wipe it out or change stuff but at least my password is no less secure than before.</htmltext>
<tokenext>Strong passwords may not save you from keylogging , but that does n't make them altogether useless .
Rainbow tables , for example , will expose weak passwords but not strong ones on Windows machines .
If you 're using a boot disk to get into a computer that might store one of my strong passwords , well you can wipe it out or change stuff but at least my password is no less secure than before .</tokentext>
<sentencetext>Strong passwords may not save you from keylogging, but that doesn't make them altogether useless.
Rainbow tables, for example, will expose weak passwords but not strong ones on Windows machines.
If you're using a boot disk to get into a computer that might store one of my strong passwords, well you can wipe it out or change stuff but at least my password is no less secure than before.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28701917</id>
	<title>Re:Now if only people would take this into account</title>
	<author>Anonymous</author>
	<datestamp>1247663280000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it.</p></div><p>Even if you want to use strong passwords at all, requiring a digit is a stupid way to do it.  Nowadays the most popular minimum password length is 8 characters.  Assuming your available character set is 7-bit ASCII minus the control characters (making 95 available characters), the knowledge that the password contains at least one digit eliminates over 41% of the search space for 8-character passwords.</p></div>
	</htmltext>
<tokenext>I signed up for a forum a couple of weeks ago .
I used the same generic password that I use for every other throw-away site out there , so it 's easy to remember the damn thing .
When I clicked submit , I got an error message telling me that my password needs a number in it.Even if you want to use strong passwords at all , requiring a digit is a stupid way to do it .
Nowadays the most popular minimum password length is 8 characters .
Assuming your available character set is 7-bit ASCII minus the control characters ( making 95 available characters ) , the knowledge that the password contains at least one digit eliminates over 41 % of the search space for 8-character passwords .</tokentext>
<sentencetext>I signed up for a forum a couple of weeks ago.
I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing.
When I clicked submit, I got an error message telling me that my password needs a number in it.
Even if you want to use strong passwords at all, requiring a digit is a stupid way to do it.
Nowadays the most popular minimum password length is 8 characters.
Assuming your available character set is 7-bit ASCII minus the control characters (making 95 available characters), the knowledge that the password contains at least one digit eliminates over 41% of the search space for 8-character passwords.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677555</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>networkconsultant</author>
	<datestamp>1247504280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I've taken to drawing on my keyboard, seeing as I am a touch typist geometric shapes work really well, also the ASCII output from XINE turns my movie collection into wonderful passwords in ASCII and great seeds for keys.</htmltext>
<tokenext>I 've taken to drawing on my keyboard , seeing as I am a touch typist geometric shapes work really well , also the ASCII output from XINE turns my movie collection into wonderful passwords in ASCII and great seeds for keys .</tokentext>
<sentencetext>I've taken to drawing on my keyboard, seeing as I am a touch typist geometric shapes work really well, also the ASCII output from XINE turns my movie collection into wonderful passwords in ASCII and great seeds for keys.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28687403</id>
	<title>lockout equals DoS</title>
	<author>phtpht</author>
	<datestamp>1247602200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>TFA suggests countering brute force attacks with lockout mechanisms. I'm sure the users will be happy about not being able to log in just because their password was recently brute-forced. Any lockout mechanism is vulnerable to DoS, please remember that forever. And don't argue with IP address restrictions.</htmltext>
<tokenext>TFA suggests countering brute force attacks with lockout mechanisms .
I 'm sure the users will be happy about not being able to log in just because their password was recently brute-forced .
Any lockout mechanism is vulnerable to DoS , please remember that forever .
And do n't argue with IP address restrictions .</tokentext>
<sentencetext>TFA suggests countering brute force attacks with lockout mechanisms.
I'm sure the users will be happy about not being able to log in just because their password was recently brute-forced.
Any lockout mechanism is vulnerable to DoS, please remember that forever.
And don't argue with IP address restrictions.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678081</id>
	<title>Punctuation police here...</title>
	<author>onemorechip</author>
	<datestamp>1247505900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>TFA repeatedly misuses apostrophes to form plurals ("userID's").</p></htmltext>
<tokenext>TFA repeatedly misuses apostrophes to form plurals ( " userID 's " ) .</tokentext>
<sentencetext>TFA repeatedly misuses apostrophes to form plurals ("userID's").</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680305</id>
	<title>Re:Some things to note</title>
	<author>clone53421</author>
	<datestamp>1247513160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>There is a maximum because some backend systems can't handle a password longer than that.</p></div><p>Fix them.</p><p><div class="quote"><p>Always set the maximum number of attempts allowed: 3 or 5, depending on how smart/dumb your user base is.</p></div><p>This makes it trivial to harass someone by locking out their account, by the way. And, if you have lots of usernames, you can lock lots of people out, straining your user support system with getting them all enabled again.</p><p>(In some cases you don't care: e.g. with limited access, it may be easy enough to figure out who's the problem and make them stop.)</p><p><div class="quote"><p>Have a user answer security questions (At least 3 different ones). So when they forget their password, they can log into a system themselves to change their password</p></div><p>Security questions are notoriously bad account protection devices. Just ask Sarah Palin.</p><p><div class="quote"><p>Leverage single sign on technologies.</p></div><p>Okay, we can agree on this much.</p><p><div class="quote"><p>Force password changes frequently. Every 3 months, I would suggest.</p><p>Not allow users to use their previous 6 passwords and make sure that at least 2 characters are different between passwords</p></div><p>Thereby almost guaranteeing many of them will write it down.</p><p>(Also requiring you to store their password, either in plain text or in some form that can be reversed to the plain-text password. Bad!)</p></div>
	</htmltext>
<tokenext>There is a maximum because some backend systems ca n't handle a password longer than that.Fix them.Always set the maximum number of attempts allowed : 3 or 5 , depending on how smart/dumb your user base is.This makes it trivial to harass someone by locking out their account , by the way .
And , if you have lots of usernames , you can lock lots of people out , straining your user support system with getting them all enabled again .
( In some cases you do n't care : e.g .
with limited access , it may be easy enough to figure out who 's the problem and make them stop .
) Have a user answer security questions ( At least 3 different ones ) .
So when they forget their password , they can log into a system themselves to change their passwordSecurity questions are notoriously bad account protection devices .
Just ask Sarah Palin.Leverage single sign on technologies.Okay , we can agree on this much.Force password changes frequently .
Every 3 months , I would suggest.Not allow users to use their previous 6 passwords and make sure that at least 2 characters are different between passwordsThereby almost guaranteeing many of them will write it down .
( Also requiring you to store their password , either in plain text or in some form that can be reversed to the plain-text password .
Bad ! )</tokentext>
<sentencetext>There is a maximum because some backend systems can't handle a password longer than that.
Fix them.
Always set the maximum number of attempts allowed: 3 or 5, depending on how smart/dumb your user base is.
This makes it trivial to harass someone by locking out their account, by the way.
And, if you have lots of usernames, you can lock lots of people out, straining your user support system with getting them all enabled again.
(In some cases you don't care: e.g. with limited access, it may be easy enough to figure out who's the problem and make them stop.)
Have a user answer security questions (At least 3 different ones).
So when they forget their password, they can log into a system themselves to change their password
Security questions are notoriously bad account protection devices.
Just ask Sarah Palin.
Leverage single sign on technologies.
Okay, we can agree on this much.
Force password changes frequently.
Every 3 months, I would suggest.
Not allow users to use their previous 6 passwords and make sure that at least 2 characters are different between passwords
Thereby almost guaranteeing many of them will write it down.
(Also requiring you to store their password, either in plain text or in some form that can be reversed to the plain-text password.
Bad!)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677745</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677035</id>
	<title>Re:Weak passwords</title>
	<author>Attila Dimedici</author>
	<datestamp>1247502420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I have generally understood the "three strikes" rule to mean that any user who tries to access their account three times with an incorrect password is locked out. It doesn't matter what IP address they are using, so no, a botnet of 50,000 nodes is not allowed 150,000 guesses.</htmltext>
<tokenext>I have generally understood the " three strikes " rule to mean that any user who tries to access their account three times with an incorrect password is locked out .
It does n't matter what IP address they are using , so no , a botnet of 50,000 nodes is not allowed 150,000 guesses .</tokentext>
<sentencetext>I have generally understood the "three strikes" rule to mean that any user who tries to access their account three times with an incorrect password is locked out.
It doesn't matter what IP address they are using, so no, a botnet of 50,000 nodes is not allowed 150,000 guesses.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676435</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28696961</id>
	<title>Re:Best Practices</title>
	<author>Anonymous</author>
	<datestamp>1247569020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>At the top of page 4 of TFA, it says the yield drops to one break-in per 100 million trials.  Their math is off; it should be per 1 billion trials.</p></htmltext>
<tokenext>At the top of page 4 of TFA , it says the yield drops to one break-in per 100 million trials .
Their math is off ; it should be per 1 billion trials .</tokentext>
<sentencetext>At the top of page 4 of TFA, it says the yield drops to one break-in per 100 million trials.
Their math is off; it should be per 1 billion trials.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677381</id>
	<title>threat model</title>
	<author>Tom</author>
	<datestamp>1247503680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>As all things in security, it's not black and white.</p><p>What exactly does "strong" mean? That's the important password.</p><p>In most circumstances, your threat model why you need a "strong" password is password guessing. It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).</p><p>If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password. That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.</p><p>And that's all there is to it, really. All the bullshit about using numbers, special characters, etc. is just that - bullshit. It's defense against a threat that's not important anymore.</p><p>IANAL, but I am a security professional. Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning. But I <b>can</b> type all my passwords in about a second on a standard keyboard. That makes shoulder-surfing a lot more difficult. In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room. And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.</p><p>So it all depends on your threat model, as always. Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.</p></htmltext>
<tokenext>As all things in security , it 's not black and white.What exactly does " strong " mean ?
That 's the important password.In most circumstances , your threat model why you need a " strong " password is password guessing .
It is rarely an actual brute-force attack , because most systems these days prevent a brute-force attack ( e.g .
they lock you out or reset your password to a random one that they send you per mail if you try it more than X times ) .If your threat model does not include brute-force attacks , what you need is a " difficult to guess " password .
That means you do n't use " password " or " secret " and you do n't use your own name , the name of your significant other or dog , your birthday and so on.And that 's all there is to it , really .
All the bullshit about using numbers , special characters , etc .
is just that - bullshit .
It 's defense against a threat that 's not important anymore.IANAL , but I am a security professional .
Most of my passwords contain no numbers , and where the systems enforce them , there 's usually a single number at the end or beginning .
But I can type all my passwords in about a second on a standard keyboard .
That makes shoulder-surfing a lot more difficult .
In fact , I can make fairly good guesses at most " hunt and peck " people 's passwords when I watch them type it in from across a small room .
And the more difficult it is , the longer it takes them to type it in , and the easier it is for me to spot it.So it all depends on your threat model , as always .
Know what you need to defend against , and you 'll have a pretty good idea of how you need to defend .</tokentext>
<sentencetext>As all things in security, it's not black and white.
What exactly does "strong" mean?
That's the important password.
In most circumstances, your threat model why you need a "strong" password is password guessing.
It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).
If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password.
That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.
And that's all there is to it, really.
All the bullshit about using numbers, special characters, etc. is just that - bullshit.
It's defense against a threat that's not important anymore.
IANAL, but I am a security professional.
Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning.
But I can type all my passwords in about a second on a standard keyboard.
That makes shoulder-surfing a lot more difficult.
In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room.
And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.
So it all depends on your threat model, as always.
Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677183</id>
	<title>Re:I met Bruce Schneier in an elevator once</title>
	<author>Anonymous</author>
	<datestamp>1247502900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>and then he told you no one would ever believe you?</p><p>do post the puzzle later.<br>probably just the magic square</p><p>276<br>951<br>438</p></htmltext>
<tokenext>and then he told you no one would ever believe you ? do post the puzzle later.probably just the magic square276951438</tokentext>
<sentencetext>and then he told you no one would ever believe you?
do post the puzzle later.
probably just the magic square
276
951
438</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28693419</id>
	<title>What a load of crap...</title>
	<author>Anonymous</author>
	<datestamp>1247596200000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What a crap statement.  That's like saying door key/lock combinations are useless because you can bring someone home with you, let them spend the night, and have them rob you before you wake up in the morning.  The answer to phishing is simple - you just use some common sense.  As for keylogging - keep your system physically secure by keeping it away from physical access, and logically secure by installing and maintaining good quality anti-virus/anti-malware programs.  Oh, and stay away from hacking/porn sites.   lol</p></htmltext>
<tokenext>What a crap statement .
That 's like saying door key/lock combinations are useless because you can bring someone home with you , let them spend the night , and have them rob you before you wake up in the morning .
The answer to phishing is simple - you just use some common sense .
As for keylogging - keep your system physically secure by keeping it away from physical access , and logically secure by installing and maintaining good quality anti-virus/anti-malware programs .
Oh , and stay away from hacking/porn sites .
lol</tokentext>
<sentencetext>What a crap statement.
That's like saying door key/lock combinations are useless because you can bring someone home with you, let them spend the night, and have them rob you before you wake up in the morning.
The answer to phishing is simple - you just use some common sense.
As for keylogging - keep your system physically secure by keeping it away from physical access, and logically secure by installing and maintaining good quality anti-virus/anti-malware programs.
Oh, and stay away from hacking/porn sites.
lol</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676869</id>
	<title>Re:My password</title>
	<author>blackraven14250</author>
	<datestamp>1247501880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Also adding 15 seconds of mouse usage and hand movements.</htmltext>
<tokenext>Also adding 15 seconds of mouse usage and hand movements .</tokentext>
<sentencetext>Also adding 15 seconds of mouse usage and hand movements.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678197</id>
	<title>This is...</title>
	<author>EddyPearson</author>
	<datestamp>1247506200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>...the second story in as many minutes stating the fucking obvious.</p><p>Did we just change management or something?</p></htmltext>
<tokenext>...the second story in as many minutes stating the fucking obvious.Did we just change management or something ?</tokentext>
<sentencetext>...the second story in as many minutes stating the fucking obvious.
Did we just change management or something?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677257</id>
	<title>Re:Best Practices</title>
	<author>Inda</author>
	<datestamp>1247503140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Didn't Bruce once say it is OK to write passwords down?<br><br>Write them down on a small piece of paper. Stick said piece of paper in wallet because we are all taught from a young age to look after small, valuable pieces of paper in our wallets.<br><br>Or am I thinking of someone else?<br><br>Or did I dream this?<br><br>Or did I make it up, hence making me expert security type person?</htmltext>
<tokenext>Did n't Bruce once say it is OK to write passwords down ? Write them down on a small piece of paper .
Stick said piece of paper in wallet because we are all taught from a young age to look after small , valuable pieces of paper in our wallets.Or am I thinking of someone else ? Or did I dream this ? Or did I make it up , hence making me expert security type person ?</tokentext>
<sentencetext>Didn't Bruce once say it is OK to write passwords down?
Write them down on a small piece of paper.
Stick said piece of paper in wallet because we are all taught from a young age to look after small, valuable pieces of paper in our wallets.
Or am I thinking of someone else?
Or did I dream this?
Or did I make it up, hence making me expert security type person?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677745</id>
	<title>Some things to note</title>
	<author>Anonymous</author>
	<datestamp>1247505000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>1. "But the worst possible password constraint I can think of is limiting the maximum number of allowed characters."  There is a maximum because some backend systems can't handle a password longer than that.</p><p>2. Always set the maximum number of attempts allowed: 3 or 5, depending on how smart/dumb your user base is.</p><p>3. Use Self Service Tools.  Have a user answer security questions (At least 3 different ones).  So when they forget their password, they can log into a system themselves to change their password (Using a secure kiosk or guest account, with access only to the self service tool).</p><p>4. Leverage single sign on technologies.  Having 10 different applications with potentially 10 different passwords causes people to write the password down on sticky notes (Or on an Excel spreadsheet).  Using SSO mitigates that.</p><p>5. Force password changes frequently.  Every 3 months, I would suggest.</p><p>6. Not allow users to use their previous 6 passwords at least and make sure that at least 2 characters are different between passwords.  So they can't just go from Password1 to Password2.</p><p>It's not a foolproof solution, but that combination of rules I have seen work the best at corporations.</p></htmltext>
<tokenext>1 .
" But the worst possible password constraint I can think of is limiting the maximum number of allowed characters .
" There is a maximum because some backend systems ca n't handle a password longer than that.2 .
Always set the maximum number of attempts allowed : 3 or 5 , depending on how smart/dumb your user base is.3 .
Use Self Service Tools .
Have a user answer security questions ( At least 3 different ones ) .
So when they forget their password , they can log into a system themselves to change their password ( Using a secure kiosk or guest account , with access only to the self service tool ) .4 .
Leverage single sign on technologies .
Having 10 different applications with potentially 10 different passwords causes people to write the password down on sticky notes ( Or on an Excel spreadsheet ) .
Using SSO mitigates that.5 .
Force password changes frequently .
Every 3 months , I would suggest.6 .
Not allow users to use their previous 6 passwords at least and make sure that at least 2 characters are different between passwords .
So they ca n't just go from Password1 to Password2.It 's not a foolproof solution , but that combination of rules I have seen work the best at corporations .</tokentext>
<sentencetext>1. "But the worst possible password constraint I can think of is limiting the maximum number of allowed characters."
There is a maximum because some backend systems can't handle a password longer than that.
2. Always set the maximum number of attempts allowed: 3 or 5, depending on how smart/dumb your user base is.
3. Use Self Service Tools.
Have a user answer security questions (At least 3 different ones).
So when they forget their password, they can log into a system themselves to change their password (Using a secure kiosk or guest account, with access only to the self service tool).
4. Leverage single sign on technologies.
Having 10 different applications with potentially 10 different passwords causes people to write the password down on sticky notes (Or on an Excel spreadsheet).
Using SSO mitigates that.
5. Force password changes frequently.
Every 3 months, I would suggest.
6. Not allow users to use their previous 6 passwords at least and make sure that at least 2 characters are different between passwords.
So they can't just go from Password1 to Password2.
It's not a foolproof solution, but that combination of rules I have seen work the best at corporations.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676197</id>
	<title>HEY!</title>
	<author>Anonymous</author>
	<datestamp>1247499780000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>0</modscore>
	<htmltext><p>How did you know my password?</p></htmltext>
<tokenext>How did you know my password ?</tokentext>
<sentencetext>How did you know my password?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676581</id>
	<title>Which passwords are important?</title>
	<author>DNS-and-BIND</author>
	<datestamp>1247500980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well, if I'm signing up for a forum or some free email account somewhere, I don't need industrial-grade uncrackable password.  Actually, if my password gets cracked, big deal.  It's just some crappy account somewhere.  I just love signing up for something because I want to ask a question, and the system refuses my password because it doesn't have two symbols, a mix of uppercase and lowercase, and two <b>different</b> numbers.  Oh, Jip*4&amp;nv4X isn't a good password, nix on that!  And by the way, here's a brand-new illegible CAPTCHA for you for every new password try, only barely readable by native speakers of English.  Anyone else from any other culture who doesn't use the 52 Roman letters, you're out of luck.</htmltext>
<tokenext>Well , if I 'm signing up for a forum or some free email account somewhere , I do n't need an industrial-grade uncrackable password .
Actually , if my password gets cracked , big deal .
It 's just some crappy account somewhere .
I just love signing up for something because I want to ask a question , and the system refuses my password because it does n't have two symbols , a mix of uppercase and lowercase , and two different numbers .
Oh , Jip * 4&amp;nv4X is n't a good password , nix on that !
And by the way , here 's a brand-new illegible CAPTCHA for you for every new password try , only barely readable by native speakers of English .
Anyone else from any other culture who does n't use the 52 Roman letters , you 're out of luck .</tokentext>
<sentencetext>Well, if I'm signing up for a forum or some free email account somewhere, I don't need an industrial-grade uncrackable password.
Actually, if my password gets cracked, big deal.
It's just some crappy account somewhere.
I just love signing up for something because I want to ask a question, and the system refuses my password because it doesn't have two symbols, a mix of uppercase and lowercase, and two different numbers.
Oh, Jip*4&amp;nv4X isn't a good password, nix on that!
And by the way, here's a brand-new illegible CAPTCHA for you for every new password try, only barely readable by native speakers of English.
Anyone else from any other culture who doesn't use the 52 Roman letters, you're out of luck.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679459</id>
	<title>Everyone is Missing the Point</title>
	<author>strimpster</author>
	<datestamp>1247510520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I think that I must be the only person who actually read the paper. The point of the author is not that we don't need good passwords, but rather that we would gain much more security out of making the user ids strong. The individual talked about all of the ways that accounts can be broken into and talked heavily about the method of bulk guessing accounts. If the site's user ids are very dense (meaning that the unused input space is little), then the chances of a break in are much more likely (like in the case of site generated user ids that are sequential). This is because the input space for passwords is only so large, and it is very likely that 1 in 1,000,000 users will have a random password. The research talked about how in order for this to be true, the site has to have a large amount of users (like a national bank chain). The author even mentions that it doesn't matter if the user writes his/her strong user id down, as it is only a portion of the credentials and is intended to prevent the bulk guessing of accounts. This used with stronger passwords (I should note that the author even talks about not really needing strong passwords if strong user ids are used) seems to be a good defense. It is a very interesting read, and the author brings thoughts to the table that have not really been discussed (as far as I have read). Before anyone attacks this simple synopsis of the paper, please read it to fully understand lol.</htmltext>
<tokenext>I think that I must be the only person who actually read the paper .
The point of the author is not that we do n't need good passwords , but rather that we would gain much more security out of making the user ids strong .
The individual talked about all of the ways that accounts can be broken into and talked heavily about the method of bulk guessing accounts .
If the site 's user ids are very dense ( meaning that the unused input space is little ) , then the chances of a break in are much more likely ( like in the case of site generated user ids that are sequential ) .
This is because the input space for passwords is only so large , and it is very likely that 1 in 1,000,000 users will have a random password .
The research talked about how in order for this to be true , the site has to have a large amount of users ( like a national bank chain ) .
The author even mentions that it does n't matter if the user writes his/her strong user id down , as it is only a portion of the credentials and is intended to prevent the bulk guessing of accounts .
This used with stronger passwords ( I should note that the author even talks about not really needing strong passwords if strong user ids are used ) seems to be a good defense .
It is a very interesting read , and the author brings thoughts to the table that have not really been discussed ( as far as I have read ) .
Before anyone attacks this simple synopsis of the paper , please read it to fully understand lol .</tokentext>
<sentencetext>I think that I must be the only person who actually read the paper.
The point of the author is not that we don't need good passwords, but rather that we would gain much more security out of making the user ids strong.
The individual talked about all of the ways that accounts can be broken into and talked heavily about the method of bulk guessing accounts.
If the site's user ids are very dense (meaning that the unused input space is little), then the chances of a break in are much more likely (like in the case of site generated user ids that are sequential).
This is because the input space for passwords is only so large, and it is very likely that 1 in 1,000,000 users will have a random password.
The research talked about how in order for this to be true, the site has to have a large amount of users (like a national bank chain).
The author even mentions that it doesn't matter if the user writes his/her strong user id down, as it is only a portion of the credentials and is intended to prevent the bulk guessing of accounts.
This used with stronger passwords (I should note that the author even talks about not really needing strong passwords if strong user ids are used) seems to be a good defense.
It is a very interesting read, and the author brings thoughts to the table that have not really been discussed (as far as I have read).
Before anyone attacks this simple synopsis of the paper, please read it to fully understand lol.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676435</id>
	<title>Weak passwords</title>
	<author>CopaceticOpus</author>
	<datestamp>1247500620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The summary is missing an important point. The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule.</p><p>However, this solution has some problems. If any old password is allowed, there are 10-20 passwords which are most commonly chosen by all users. These are still likely to be guessed by an automated guessing system.</p><p>Also, the three strikes rule can be circumvented by using a botnet based attack. A botnet of 50,000 nodes would be allowed 150,000 guesses.</p><p>One other benefit to requiring strong passwords is that it may keep users from reusing the password from their Yahoo account, fantasy football account, etc.</p></htmltext>
<tokenext>The summary is missing an important point .
The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule .
However , this solution has some problems .
If any old password is allowed , there are 10-20 passwords which are most commonly chosen by all users .
These are still likely to be guessed by an automated guessing system .
Also , the three strikes rule can be circumvented by using a botnet based attack .
A botnet of 50,000 nodes would be allowed 150,000 guesses .
One other benefit to requiring strong passwords is that it may keep users from reusing the password from their Yahoo account , fantasy football account , etc .</tokentext>
<sentencetext>The summary is missing an important point.
The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule.
However, this solution has some problems.
If any old password is allowed, there are 10-20 passwords which are most commonly chosen by all users.
These are still likely to be guessed by an automated guessing system.
Also, the three strikes rule can be circumvented by using a botnet based attack.
A botnet of 50,000 nodes would be allowed 150,000 guesses.
One other benefit to requiring strong passwords is that it may keep users from reusing the password from their Yahoo account, fantasy football account, etc.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676909</id>
	<title>Keylogger</title>
	<author>lenwood</author>
	<datestamp>1247502000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>This makes me want to install keyloggers on all of the computers in my office.</htmltext>
<tokenext>This makes me want to install keyloggers on all of the computers in my office .</tokentext>
<sentencetext>This makes me want to install keyloggers on all of the computers in my office.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678377</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>j79zlr</author>
	<datestamp>1247506920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I use complex but easy to remember, something like:

Five\%of60isTHREE

Easy to remember, but not easily guessed.</htmltext>
<tokenext>I use complex but easy to remember , something like : Five \ % of60isTHREE Easy to remember , but not easily guessed .</tokentext>
<sentencetext>I use complex but easy to remember, something like:

Five\%of60isTHREE

Easy to remember, but not easily guessed.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680697</id>
	<title>Re:Simple solution</title>
	<author>gr8dude</author>
	<datestamp>1247514840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Biometry should only be used for identification, not for authentication.</p><p>The fingerprint answers the question "who is this person?", and not the question "is it really this person?". It can be applied in the second case, but the problem is that we leave our fingerprints on everything we touch.</p></htmltext>
<tokenext>Biometry should only be used for identification , not for authentication .
The fingerprint answers the question " who is this person ? " , and not the question " is it really this person ? " .
It can be applied in the second case , but the problem is that we leave our fingerprints on everything we touch .</tokentext>
<sentencetext>Biometry should only be used for identification, not for authentication.
The fingerprint answers the question "who is this person?", and not the question "is it really this person?".
It can be applied in the second case, but the problem is that we leave our fingerprints on everything we touch.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678317</id>
	<title>Re:Now if only people would take this into account</title>
	<author>tehdaemon</author>
	<datestamp>1247506680000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>You may not care if your account is compromised, but the forum may not want the flood of spam/crap that could result. I can't say for sure - but I wouldn't be surprised if this was the logic behind it.<p>T</p></htmltext>
<tokenext>You may not care if your account is compromised , but the forum may not want the flood of spam/crap that could result .
I ca n't say for sure - but I would n't be surprised if this was the logic behind it .
T</tokentext>
<sentencetext>You may not care if your account is compromised, but the forum may not want the flood of spam/crap that could result.
I can't say for sure - but I wouldn't be surprised if this was the logic behind it.
T</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676459</id>
	<title>Hide userid - seems like a good idea</title>
	<author>hey</author>
	<datestamp>1247500680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Like the paper says userids aren't secrets but non-secret userids make spam easier.  Many companies use initial + last name as the user id: eg jsmith.  If they also added a random 4 digit number: eg jsmith1234.  It would make guessing userids harder for spam.  And make unauthorized login attempts harder.</p></htmltext>
<tokenext>Like the paper says userids are n't secrets but non-secret userids make spam easier .
Many companies use initial + last name as the user id : eg jsmith .
If they also added a random 4 digit number : eg jsmith1234 .
It would make guessing userids harder for spam .
And make unauthorized login attempts harder .</tokentext>
<sentencetext>Like the paper says userids aren't secrets but non-secret userids make spam easier.
Many companies use initial + last name as the user id: eg jsmith.
If they also added a random 4 digit number: eg jsmith1234.
It would make guessing userids harder for spam.
And make unauthorized login attempts harder.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679039</id>
	<title>"Schneier wrote a piece"?</title>
	<author>Anonymous</author>
	<datestamp>1247509080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Flor&#234;ncio, Cormac Herley, and Baris Coskun."</p><p>That's not "a piece".</p></htmltext>
<tokenext>" Interesting paper from HotSec '07 : " Do Strong Web Passwords Accomplish Anything ? " by Dinei Florêncio , Cormac Herley , and Baris Coskun . "
That 's not " a piece " .</tokentext>
<sentencetext>"Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun."
That's not "a piece".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28684553</id>
	<title>In 2002 British Telecom had 200 people...</title>
	<author>gilgongo</author>
	<datestamp>1247489760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I know this isn't really on topic, but it may interest some of you that I was told by a security consultant that in 2002 British Telecom (BT) had a call centre of 200 (two hundred) people doing one thing and one thing only: re-setting forgotten passwords for BT employees worldwide.

This call centre had grown from 4 people in 1996. In the end, it was the accountants that persuaded the IT department to do something about it. Part of the solution was to install something called an "LDAP server" on the network which in effect meant that various applications could use a centralised authentication system. That managed to keep the call centre rising above the 500 people in 2007 that had been projected by 2002 trends. It now stands at about 350 operators, 24 hours a day, 365 days a week. A cost that BT has to accept as "reasonable."</htmltext>
<tokenext>I know this is n't really on topic , but it may interest some of you that I was told by a security consultant that in 2002 British Telecom ( BT ) had a call centre of 200 ( two hundred ) people doing one thing and one thing only : re-setting forgotten passwords for BT employees worldwide .
This call centre had grown from 4 people in 1996 .
In the end , it was the accountants that persuaded the IT department to do something about it .
Part of the solution was to install something called an " LDAP server " on the network which in effect meant that various applications could use a centralised authentication system .
That managed to keep the call centre rising above the 500 people in 2007 that had been projected by 2002 trends .
It now stands at about 350 operators , 24 hours a day , 365 days a week .
A cost that BT has to accept as " reasonable . "</tokentext>
<sentencetext>I know this isn't really on topic, but it may interest some of you that I was told by a security consultant that in 2002 British Telecom (BT) had a call centre of 200 (two hundred) people doing one thing and one thing only: re-setting forgotten passwords for BT employees worldwide.
This call centre had grown from 4 people in 1996.
In the end, it was the accountants that persuaded the IT department to do something about it.
Part of the solution was to install something called an "LDAP server" on the network which in effect meant that various applications could use a centralised authentication system.
That managed to keep the call centre rising above the 500 people in 2007 that had been projected by 2002 trends.
It now stands at about 350 operators, 24 hours a day, 365 days a week.
A cost that BT has to accept as "reasonable."</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676919</id>
	<title>Re:I met Bruce Schneier in an elevator once</title>
	<author>Mark Hood</author>
	<datestamp>1247502060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If I was Bruce Schneier that's what I'd do<nobr> <wbr></nobr>.... Just doodle a random sequence of digits inside to make you crazy (and make you assume I'm a genius for doing it on the spot).</p><p>Either that, or he was trying to solve the morning Sudoku, and used your book as scratch paper...</p><p>Mark</p></htmltext>
<tokenext>If I was Bruce Schneier that 's what I 'd do .... Just doodle a random sequence of digits inside to make you crazy ( and make you assume I 'm a genius for doing it on the spot ) .
Either that , or he was trying to solve the morning Sudoku , and used your book as scratch paper ...
Mark</tokentext>
<sentencetext>If I was Bruce Schneier that's what I'd do .... Just doodle a random sequence of digits inside to make you crazy (and make you assume I'm a genius for doing it on the spot).
Either that, or he was trying to solve the morning Sudoku, and used your book as scratch paper...
Mark</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297</id>
	<title>I met Bruce Schneier in an elevator once</title>
	<author>Anonymous</author>
	<datestamp>1247500080000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><p>and he autographed my copy of Applied Crypto for me, and he copied a little puzzle inside the front cover. It was a 3x3 matrix of numbers. I could never make heads nor tail of it. Has anyone else seen this and solved it? I'm at work so I do not have my copy of applied crypto with me, or I'd attempt to post the puzzle.</p></htmltext>
<tokenext>and he autographed my copy of Applied Crypto for me , and he copied a little puzzle inside the front cover .
It was a 3x3 matrix of numbers .
I could never make heads nor tail of it .
Has anyone else seen this and solved it ?
I 'm at work so I do not have my copy of applied crypto with me , or I 'd attempt to post the puzzle .</tokentext>
<sentencetext>and he autographed my copy of Applied Crypto for me, and he copied a little puzzle inside the front cover.
It was a 3x3 matrix of numbers.
I could never make heads nor tail of it.
Has anyone else seen this and solved it?
I'm at work so I do not have my copy of applied crypto with me, or I'd attempt to post the puzzle.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28682129</id>
	<title>Re:Hide userid - seems like a good idea</title>
	<author>donutz</author>
	<datestamp>1247477460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>So you want to put part of the password into the username?</p></htmltext>
<tokenext>So you want to put part of the password into the username ?</tokentext>
<sentencetext>So you want to put part of the password into the username?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676459</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679407</id>
	<title>Re:yup</title>
	<author>Anonymous</author>
	<datestamp>1247510340000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Cedar Point is small potatoes next to Vanguard, who limits passwords to 10 characters. That's ridiculous for the largest family of mutual funds.</p></htmltext>
<tokenext>Cedar Point is small potatoes next to Vanguard , who limits passwords to 10 characters .
That 's ridiculous for the largest family of mutual funds .</tokentext>
<sentencetext>Cedar Point is small potatoes next to Vanguard, who limits passwords to 10 characters.
That's ridiculous for the largest family of mutual funds.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677367</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676489</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>clone53421</author>
	<datestamp>1247500740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>They'd also have to be a pretty good typist, since they can't see what they've typed. Plus, the password box doesn't visibly change to reflect the extra keystrokes after it's full, so you can't tell if you hit an extra letter. If you only get 3 tries before your account locks out, this might not be a very good idea.</p><p>Then of course most passwords can't be longer than a certain length, which the other reply already mentioned.</p></htmltext>
<tokenext>They 'd also have to be a pretty good typist , since they ca n't see what they 've typed .
Plus , the password box does n't visibly change to reflect the extra keystrokes after it 's full , so you ca n't tell if you hit an extra letter .
If you only get 3 tries before your account locks out , this might not be a very good idea .
Then of course most passwords ca n't be longer than a certain length , which the other reply already mentioned .</tokentext>
<sentencetext>They'd also have to be a pretty good typist, since they can't see what they've typed.
Plus, the password box doesn't visibly change to reflect the extra keystrokes after it's full, so you can't tell if you hit an extra letter.
If you only get 3 tries before your account locks out, this might not be a very good idea.
Then of course most passwords can't be longer than a certain length, which the other reply already mentioned.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683583</id>
	<title>Geometric patterns on the keyboard</title>
	<author>thenextstevejobs</author>
	<datestamp>1247484000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I've found this is a nice way to create complicated passwords that are immune to dictionary attacks. Choose a pattern of shift on/off and draw a nice little picture. It's fun and easy. And you could probably write down what the picture is without arousing suspicion, if necessary.</htmltext>
<tokenext>I 've found this is a nice way to create complicated passwords that are immune to dictionary attacks .
Choose a pattern of shift on/off and draw a nice little picture .
It 's fun and easy .
And you could probably write down what the picture is without arousing suspicion , if necessary .</tokentext>
<sentencetext>I've found this is a nice way to create complicated passwords that are immune to dictionary attacks.
Choose a pattern of shift on/off and draw a nice little picture.
It's fun and easy.
And you could probably write down what the picture is without arousing suspicion, if necessary.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676837</id>
	<title>Re:Throwing the baby out with the bathingwater?</title>
	<author>Anonymous</author>
	<datestamp>1247501760000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You do realize that the insane password schemes aren't built against guessing at the login, they're built against someone brute forcing the password hash. As things have changed, getting the password hash has gotten a lot harder, and generally an administrator account has already been compromised, reducing (but not eliminating) the problem of the passwords getting compromised. That risk has to be balanced against the risk of having passwords on a postit note next to the computer, which is real and very exploitable. Therefore, there's a significant chance that having a complex password scheme lowers the security of the system.</p></htmltext>
<tokenext>You do realize that the insane password schemes are n't built against guessing at the login , they 're built against someone brute forcing the password hash .
As things have changed , getting the password hash has gotten a lot harder , and generally an administrator account has already been compromised , reducing ( but not eliminating ) the problem of the passwords getting compromised .
That risk has to be balanced against the risk of having passwords on a postit note next to the computer , which is real and very exploitable .
Therefore , there 's a significant chance that having a complex password scheme lowers the security of the system .</tokentext>
<sentencetext>You do realize that the insane password schemes aren't built against guessing at the login, they're built against someone brute forcing the password hash.
As things have changed, getting the password hash has gotten a lot harder, and generally an administrator account has already been compromised, reducing (but not eliminating) the problem of the passwords getting compromised.
That risk has to be balanced against the risk of having passwords on a postit note next to the computer, which is real and very exploitable.
Therefore, there's a significant chance that having a complex password scheme lowers the security of the system.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676303</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677189</id>
	<title>Re:And this is news how?</title>
	<author>morgan\_greywolf</author>
	<datestamp>1247502900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, for one, many companies institute obtuse password policies in the first place.  So people are forced into using strong passwords.  I don't think this means strong passwords are without value, but the fact that keyloggers and phishers exist means that any system that relies exclusively on passwords automatically has several very bad weak points in its security.</p></htmltext>
<tokenext>Well , for one , many companies institute obtuse password policies in the first place .
So people are forced into using strong passwords .
I do n't think this means strong passwords are without value , but the fact that keyloggers and phishers exist means that any system that relies exclusively on passwords automatically has several very bad weak points in its security .</tokentext>
<sentencetext>Well, for one, many companies institute obtuse password policies in the first place.
So people are forced into using strong passwords.
I don't think this means strong passwords are without value, but the fact that keyloggers and phishers exist means that any system that relies exclusively on passwords automatically has several very bad weak points in its security.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676645</id>
	<title>Re:HEY!</title>
	<author>Omniscient Lurker</author>
	<datestamp>1247501220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>According to TFS you have a keylogger on your computer. I suggest you kill it with fire, but not in Soviet Russia, because "in Soviet Russia, keylogger fire kills with you.".</htmltext>
<tokenext>According to TFS you have a keylogger on your computer .
I suggest you kill it with fire , but not in Soviet Russia , because " in Soviet Russia , keylogger fire kills with you . " .</tokentext>
<sentencetext>According to TFS you have a keylogger on your computer.
I suggest you kill it with fire, but not in Soviet Russia, because "in Soviet Russia, keylogger fire kills with you.".</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676197</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678587</id>
	<title>Re:Sounds dumb to me</title>
	<author>itsdapead</author>
	<datestamp>1247507700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place.</p></div><p>Unfortunately, if you still force all users to have hard-to-remember passwords, you'll find it much harder to be draconian about that three-strikes policy... That's the point - these issues aren't orthogonal and tackling one can have negative consequences for another. Maybe (gasp) the answer is to have different policies for different threat levels?
</p><p>Of course, if you really can persuade everybody to use really, really strong passwords  then that doesn't matter so much - the real problem is with bogus rules for "strong" passwords: "t0p5ecret", "5w0rdf1sh", "joshua1983" etc. probably won't slow down dictionary attacks enough to keep up with Moore's Law.</p><p><div class="quote"><p>I guess the bottom line is that I'd be concerned about employing someone who can't remember a password.</p></div><p>I think you have a sound policy for the systems management nerd herd, but have fun applying it to your CEO when he's forgotten his password for the third time in a month (but still wants root), or the minimum-wage-slaves on reception.
</p><p>I'd be concerned about employing someone who was stupid enough to fall for the "please email us your password so we can re-enable your account" phish, but there seems to be one born every minute (not that that stops my <i>real</i> bank cold-calling and asking me to confirm my identity from time to time... Oh, ye gods!)</p><p><div class="quote"><p>You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes</p></div><p>...and then some Bastard Operator From Hell forces a password change.</p><p><div class="quote"><p>(or eat it, or whatever)</p></div><p>Mmmm...  cH3353Bur93r...<nobr> <wbr></nobr>:-)</p></div>
	</htmltext>
<tokenext>Okay , I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place . Unfortunately , if you still force all users to have hard-to-remember passwords , you 'll find it much harder to be draconian about that three-strikes policy... That 's the point - these issues are n't orthogonal and tackling one can have negative consequences for another .
Maybe ( gasp ) the answer is to have different policies for different threat levels ?
Of course , if you really can persuade everybody to use really , really strong passwords then that does n't matter so much - the real problem is with bogus rules for " strong " passwords : " t0p5ecret " , " 5w0rdf1sh " , " joshua1983 " etc .
probably wo n't slow down dictionary attacks enough to keep up with Moore 's Law . I guess the bottom line is that I 'd be concerned about employing someone who ca n't remember a password . I think you have a sound policy for the systems management nerd herd , but have fun applying it to your CEO when he 's forgotten his password for the third time in a month ( but still wants root ) , or the minimum-wage-slaves on reception .
I 'd be concerned about employing someone who was stupid enough to fall for the " please email us your password so we can re-enable your account " phish , but there seems to be one born every minute ( not that that stops my real bank cold-calling and asking me to confirm my identity from time to time... Oh , ye gods !
) You write it down until you memorize it , you treat that piece of paper as precious and secret , you burn it and scatter the ashes ...and then some Bastard Operator From Hell forces a password change .
( or eat it , or whatever ) Mmmm... cH3353Bur93r... : - )</tokentext>
<sentencetext>Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place. Unfortunately, if you still force all users to have hard-to-remember passwords, you'll find it much harder to be draconian about that three-strikes policy... That's the point - these issues aren't orthogonal and tackling one can have negative consequences for another.
Maybe (gasp) the answer is to have different policies for different threat levels?
Of course, if you really can persuade everybody to use really, really strong passwords  then that doesn't matter so much - the real problem is with bogus rules for "strong" passwords: "t0p5ecret", "5w0rdf1sh", "joshua1983" etc.
probably won't slow down dictionary attacks enough to keep up with Moore's Law. I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. I think you have a sound policy for the systems management nerd herd, but have fun applying it to your CEO when he's forgotten his password for the third time in a month (but still wants root), or the minimum-wage-slaves on reception.
I'd be concerned about employing someone who was stupid enough to fall for the "please email us your password so we can re-enable your account" phish, but there seems to be one born every minute (not that that stops my real bank cold-calling and asking me to confirm my identity from time to time... Oh, ye gods!
) You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes ...and then some Bastard Operator From Hell forces a password change.
(or eat it, or whatever) Mmmm...  cH3353Bur93r... :-)
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677103</id>
	<title>I vote misleading scare mongering</title>
	<author>C_Kode</author>
	<datestamp>1247502660000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Strong passwords are useless and only cause users problems?  That is absolutely stupid.  First off, strong passwords have nothing to do with phishing schemes, they are about brute force / guessing passwords.   Just like a seat belt (a safety device) on a car isn't meant to protect you against car fires.   Protecting you from car fires is done in a completely different way.</p><p>Strong passwords have a purpose and that purpose hasn't changed and is extremely valuable in protecting your accounts.</p><p>Phishing != brute force attack.  Stop scare mongering.</p></htmltext>
<tokenext>Strong passwords are useless and only cause users problems ?
That is absolutely stupid .
First off , strong passwords have nothing to do with phishing schemes , they are about brute force / guessing passwords .
Just like a seat belt ( a safety device ) on a car is n't meant to protect you against car fires .
Protecting you from car fires is done in a completely different way . Strong passwords have a purpose and that purpose has n't changed and is extremely valuable in protecting your accounts . Phishing ! = brute force attack .
Stop scare mongering .</tokentext>
<sentencetext>Strong passwords are useless and only cause users problems?
That is absolutely stupid.
First off, strong passwords have nothing to do with phishing schemes, they are about brute force / guessing passwords.
Just like a seat belt (a safety device) on a car isn't meant to protect you against car fires.
Protecting you from car fires is done in a completely different way. Strong passwords have a purpose and that purpose hasn't changed and is extremely valuable in protecting your accounts. Phishing != brute force attack.
Stop scare mongering.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678437</id>
	<title>Re:I'll repeat what I've said before: Use sentence</title>
	<author>Anonymous</author>
	<datestamp>1247507160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Ok..now..what did you say your user name was again?</p></htmltext>
<tokenext>Ok..now..what did you say your user name was again ?</tokentext>
<sentencetext>Ok..now..what did you say your user name was again?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676495</id>
	<title>The Problem With Passwords</title>
	<author>furby076</author>
	<datestamp>1247500740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>When a company makes the requirements so difficult.  For example: Symbol, plus one caps, plus one lowercase, plus one number, and at least 8 characters, changed every month and never being able to repeat.  Then this policy is applied to every system, which if they are not all AD (active directory) controlled means someone has to remember multiple passwords each month.<br> <br>

What happens? People WILL use post-it-notes with their passwords.  Security can bitch and moan all they want about this but the alternative is people calling helpdesk 5 times a day saying "reset my password".<br> <br>

There needs to be a balance when using passwords...too easy and you have little/no security, too difficult and you force people to find routes to remember their passwords (e.g. post-it notes) killing any security.  You would be better off to have too easy of passwords.<br> <br>

If a company is that paranoid about password security then install fingerprint/eye-scanners.  They are very inexpensive (sub $100 retail) and you will save users and help desk a world of hurt.</htmltext>
<tokenext>When a company makes the requirements so difficult .
For example : Symbol , plus one caps , plus one lowercase , plus one number , and at least 8 characters , changed every month and never being able to repeat .
Then this policy is applied to every system , which if they are not all AD ( active directory ) controlled means someone has to remember multiple passwords each month .
What happens ?
People WILL use post-it-notes with their passwords .
Security can bitch and moan all they want about this but the alternative is people calling helpdesk 5 times a day saying " reset my password " .
There needs to be a balance when using passwords...too easy and you have little/no security , too difficult and you force people to find routes to remember their passwords ( e.g .
post-it notes ) killing any security .
You would be better off to have too easy of passwords .
If a company is that paranoid about password security then install fingerprint/eye-scanners .
They are very inexpensive ( sub $ 100 retail ) and you will save users and help desk a world of hurt .</tokentext>
<sentencetext>When a company makes the requirements so difficult.
For example: Symbol, plus one caps, plus one lowercase, plus one number, and at least 8 characters, changed every month and never being able to repeat.
Then this policy is applied to every system, which if they are not all AD (active directory) controlled means someone has to remember multiple passwords each month.
What happens?
People WILL use post-it-notes with their passwords.
Security can bitch and moan all they want about this but the alternative is people calling helpdesk 5 times a day saying "reset my password".
There needs to be a balance when using passwords...too easy and you have little/no security, too difficult and you force people to find routes to remember their passwords (e.g.
post-it notes) killing any security.
You would be better off to have too easy of passwords.
If a company is that paranoid about password security then install fingerprint/eye-scanners.
They are very inexpensive (sub $100 retail) and you will save users and help desk a world of hurt.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676349</id>
	<title>This just in!</title>
	<author>HideyoshiJP</author>
	<datestamp>1247500320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Bullet proof windows not as safe as previously thought. Under certain conditions, such as a door being unlocked and/or open, a bullet proof window may not keep you safe from robbery at gunpoint.</htmltext>
<tokenext>Bullet proof windows not as safe as previously thought .
Under certain conditions , such as a door being unlocked and/or open , a bullet proof window may not keep you safe from robbery at gunpoint .</tokentext>
<sentencetext>Bullet proof windows not as safe as previously thought.
Under certain conditions, such as a door being unlocked and/or open, a bullet proof window may not keep you safe from robbery at gunpoint.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676465
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_59</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677957
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678317
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678037
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680089
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680697
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_60</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677189
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678303
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677147
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680211
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677861
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677521
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680083
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28701917
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_58</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676557
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677415
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_63</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676451
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_48</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678535
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28696961
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676489
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677797
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_53</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677831
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679947
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676745
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28690763
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679309
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679273
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_45</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677019
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_61</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678239
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_52</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677869
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676869
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_51</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678093
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676403
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677149
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676939
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676401
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676459
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28682129
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677745
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680305
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678587
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685377
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_57</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678557
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_50</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685185
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676917
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28686139
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676197
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676645
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677773
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_49</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678397
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_56</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676613
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677257
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678647
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_55</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676435
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677035
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_46</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678377
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28688247
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_62</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677183
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676919
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679631
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677555
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_47</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678437
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28684725
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677367
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679407
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_54</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676711
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678205
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_44</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676303
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676837
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677311
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683113
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677293
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_07_13_1336235_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677955
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676421
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676711
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676869
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676521
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676527
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677745
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680305
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677381
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676257
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676367
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676335
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676917
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677957
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680089
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677147
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677293
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677361
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677847
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680613
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676297
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677183
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676919
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676197
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676645
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676565
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677257
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28696961
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676439
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677773
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28683113
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678647
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28701917
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677869
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679309
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678317
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678239
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677831
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678093
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679947
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676265
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676613
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678535
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676999
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28690763
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28686139
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678303
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676289
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677955
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676465
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676451
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676403
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677149
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677415
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676557
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676745
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678037
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678437
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676401
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677555
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685185
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677311
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678377
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680211
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676489
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676435
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677035
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677367
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679407
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679459
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676301
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676939
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677861
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676763
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28688247
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28684725
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680697
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678205
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676351
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676251
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676303
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676837
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676287
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677521
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28680083
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677189
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677019
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679273
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676343
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678397
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678587
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28685377
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28677797
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28678557
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28679631
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676459
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28682129
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_07_13_1336235.28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_07_13_1336235.28676519
</commentlist>
</conversation>
