
Bradford Mint
Resident, 297 posts

Everything posted by Bradford Mint

  1. Unlikely, remember that the software was just bought in and bodged to fit. A lot of stuff about MP isn't made for SL but quite the opposite.
  2. Well that "bite" is totally fake! At 31 seconds (where it's freeze framed), her bite actually starts at the burger downwards and her nose is clearly being turned up by the bread. Yet at 32 seconds in the cut to closeup, there's a chunk missing from the bread. Doesn't even require a P900 or P1000 camera to debunk THIS and I really do need to stop watching Flat Earth and Flat Earth debunking videos.
  3. But what about the weekend preferences too, might swing to 100% female at the weekends or maybe as yet undecided!
  4. Yeah... about a gender slider... "49% bi-curious, 51% male", now translate that into a poseball seating position...
  5. Yep except that I suspect that assumes brute force attempts rather than other methods.
  6. The question to ask is "if someone the other side of the world has my username and password, can they log in on their device?" Where an additional factor is concerned, they would also need the additional factor, in this case, your phone. So even if the phone is the same device as the one accessing the service, as long as the channel to handle that additional authentication factor is separate, there's an additional level of security. Simply put, without the extra factor, the person with your credentials on the other side of the world isn't going to get anywhere fast.
  7. Where's the issue there? That's easy! A female doorway opens inwards, a male doorway opens outwards. I thought this was well understood?
  8. No, you miss the point. While the xkcd cartoon is fun and makes a point, beyond a mere handful of passwords the scheme fails as soon as you encounter sites that enforce a policy that disallows your own choice of picking supposedly strong passwords. I'm sure that you have also encountered sites where the enforced policy would be considered weaker than the password type you would prefer to use, and as such you are forced to pick *something* to meet their policy even though it's different to any scheme that you'd reasonably remember. Thus the issue of maintaining unique passwords against any personally chosen scheme becomes more challenging and the issue of storing passwords comes to the fore. Now you're forced to stick 276 passwords into a password manager, which now has to be trusted and yet provides a nice tasty treat for any attack, notwithstanding the related issues of having access to the password database for a user who is mobile. As I'm sure you'll agree, it's quite infeasible to expect people to remember every password against a multitude of policies that force people to go off-piste from their normal scheme, especially for rarely used sites.
  9. Yep, so the next website you visit specifies that your password must contain a capital letter and a number: Batterystaple1. Next site, must be only 8 digits with a symbol: Battery#. Next site, between 8 to 10 digits but no symbols other than _ % and must contain one of them: Batteryst%. And so on; then look at the password cache and discover that you have 276 passwords stored, many of them with enforced policies that don't match your own personal rules of choosing passwords, and it's just utterly broken.
  10. As is KCOM. Do you think that Virgin Media is a part of BT? My sarcasm detector wasn't triggered.
  11. Except for Virgin and KCOM and anyone else where a proper LLU has taken place.
  12. We may not be in the deleted thread but the topic is the same and the same content is coming up and, to be frank, my sentiments still apply. Complain to the appropriate information commissioner that someone with a fake name holds someone else's fake name and see how that goes. They really have serious things to do. As I said in the other thread, go and issue a request for data, let's say against Blueberry or Maitreya, and see how that goes.
  13. Because the common misunderstanding that all use is business use, as per the previous deleted thread where someone believed that if you have a sim, that magically means it's now a business.
  14. So just to put some of this into perspective of what's perceived to be a problem and the likely outcome, I'll share some recent fun around some requests for personal data from large, highly "credible" organisations (I use that term loosely depending on your point of view, but each of them is a well known organisation). I'll keep them brief but you'll see where this goes:

      A previous employer - "we don't hold any personal data beyond 7 years". I pushed hard and magically they came back with my employment details, entire record and banking details from over 10 years ago. I asked them to delete it all as they had no lawful need to keep it. Ah, bit of a problem there because it's all archived in the same dataset as others and they can't delete individual records (write-only media). What am I going to do, cry boohoo to the Information Commissioner?

      A parking provider - "we have no data". I pushed on this one, they magically came back with a bunch of data, CCTV, locations of vehicles etc. "Delete it all" I said, it's of no use to you. They said they had. I asked for proof, they said they didn't need to provide any. What am I going to do, cry boohoo to the Information Commissioner? Besides, I'll be back in those car parks and the cars will be recorded again, so back to square one.

      An insurance provider - These guys were really good, 8/10 on the GDPR SAR response scale, immediately understood my deliberately vague request, came back with all the data. "Delete it all" I said, I have no contract with you anymore and haven't had for 3 years. They said "no way, we're keeping it for 8 years just in case!". What am I going to do, cry boohoo to the Information Commissioner?

      A major airline - Hopeless, 2 hours trying to get an agent in a call centre to first of all understand that they really do have databases other than the flight booking one. Eventually I got the data haul by going through obtuse channels, but it was late, far beyond the 30 days they're permitted. What am I going to do, cry boohoo to the Information Commissioner? In this case they said that the I.C. was already aware, but then they were rather busy as they had already had to fess up to a breach of 380,000 customers' credit card details a week ago.

      In perspective, given the above, let's just consider for one moment the likely response from the Information Commissioner when presented with the following:

      Complainant: *sobs* "I think someone who I don't know, in a game, just might have logged my avatar name and public UUID and *sniffs* it's not fair, I want something done!"

      Information Commissioner to their office buddy: "Bob, pass me the 'Petty Complaints' file again would you please?" and responds back "thanks for your report" *closes file*

      Now I'm not suggesting that the issue isn't potentially genuine, but in terms of traction with regard to potential penalties, most of these concerns are up there with complaints to the police about people in the street looking at them in a strange way. Now, on the other hand, if said database holds SL AND RL data and sensitive PII pertaining to religious and sexual traits, which is then breached and releases the entire SL database to the internet, that may get more than a raised eyebrow. But... then if the database is only for personal use, it falls outside the remit of GDPR anyway, so *slam dunk* end of thread. Thanks, you're welcome!
  15. Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal. This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against. https://www.bbc.co.uk/news/uk-politics-45519676
  16. @JJValero Writer You appear to have completely misunderstood what GDPR is and what it is not. Nowhere does it state that holding a database with personal information is illegal! Quite the opposite in fact, especially where it's for personal use as one example. GDPR applies to how the data is protected and what the lawful reasons for holding it are and also rights of the data subject. Shame the other long thread got deleted, looks like we need to buckle up and go for the same ride.
  17. I agree Callum, the rainbow table attacks with compute arrays as listed in the first post are most suited to unsalted password databases such as would be leaked from an organisation. Nobody bothers to attack consumers across a distributed geography using brute force. The attack landscape is too wide with usually insufficient gain. Your other point about password strength is also important because it highlights that choosing a "strong" password in itself is usually meaningless given that a single letter when hashed is the same length as a 1,000,000,000,000 character long password. Phishing remains the greatest threat here.
  18. In terms of lockout protection yes, but the reality is that the threat is not brute forcing a password in the first place but most likely phishing, and in this case phishing a PIN would only have merit if the attacker is also in possession of the second factor, which implies a physical attack has also occurred. I realise that you are aware of this but wouldn't want people thinking a strong password is the same as a PIN. So, as was already mentioned by someone else, entering a cryptographically super strong password into a compromised site has provided no extra security.
  19. Yes but as has been pointed out brute forcing a login (such that it would result in a locked account) isn't the threat actor in play here but rather the calculation of the hashes against a rainbow table.
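The distinction posts 17 and 19 above draw between brute-forcing a login (which trips lockouts) and running a leaked hash table against precomputed hashes, as an added example that is not part of any of the original posts. The wordlist, the three user accounts and their passwords are constructed; the precomputed dictionary is the simple lookup-table form of the idea (a rainbow table is the space-compressed version with hash chains, but the property that matters here is identical: the hashes are computed once, before the leak). An unsalted SHA-256 database is cracked by a single dictionary probe per row; once each row carries its own random salt the same table matches nothing and the attacker is back to hashing every candidate for every user.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a cracking wordlist / table input (hypothetical).
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "Batterystaple1", "correcthorsebatterystaple"]

# Constructed users of the leaked site. "zq8!Lm#vT2wq" is deliberately absent
# from WORDLIST, so no table or dictionary run will recover it.
USERS = [("alice", "password"), ("bob", "Batterystaple1"), ("carol", "zq8!Lm#vT2wq")]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Hash every candidate once, up front: the precomputation a rainbow table amortises."""
    return {sha256_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """The weak scheme: identical passwords give identical, table-matchable hashes."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt prepended before hashing; stored beside the hash."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), sha256_hex(salt + password.encode())


def crack_with_table(hashes: List[str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per leaked row; no hashing at attack time at all."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records: List[Tuple[str, str]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """With salts the table is useless: every candidate is re-hashed for every user.
    Returns the cracked rows and how many hashes the attacker had to compute."""
    found: Dict[str, str] = {}
    hashes_computed = 0
    for salt_hex, h in records:
        salt = bytes.fromhex(salt_hex)
        for w in words:
            hashes_computed += 1
            if sha256_hex(salt + w.encode()) == h:
                found[h] = w
                break
    return found, hashes_computed


def run_demo() -> Dict[str, int]:
    table = build_lookup_table(WORDLIST)
    unsalted = [store_unsalted(pw) for _, pw in USERS]
    salted = [store_salted(pw) for _, pw in USERS]
    cracked_unsalted = crack_with_table(unsalted, table)
    cracked_salted_by_table = crack_with_table([h for _, h in salted], table)
    cracked_salted, work = crack_salted(salted, WORDLIST)
    return {
        "table_size": len(table),
        "unsalted_cracked": len(cracked_unsalted),
        "salted_cracked_by_table": len(cracked_salted_by_table),
        "salted_cracked_by_recomputation": len(cracked_salted),
        "hashes_recomputed": work,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Salting only removes the precomputation shortcut; with a fast hash like SHA-256 the per-user recomputation above is still cheap on a GPU array, which is why password storage should use a deliberately slow KDF (bcrypt, scrypt or Argon2) so that the "re-hash every candidate per salt" path is expensive as well. Neither path touches the live login endpoint, so account lockouts never fire.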