Bad password policy...



  • @StarLite said:

    @Douglasac said:

    Also, for those who are puzzling over C6H2(NO2)3CH3, it's Trinitrotoluene.
    2nd hit on google for `C6H2(NO2)3CH3` links you to the Wikipedia page of Trinitrotoluene. Even Bing managed to find some slightly hintful pages for that term (although its results are a LOT crappier than google's results....) If you are puzzling to find out what C6H2(NO2)3CH3 is, you have failed your online tests and shouldn't be posting here anyways .. ;)

    Hey how about those people that do not know that this is what made the "Teenage Ninja Turtles"



  •  tehee!

    [Nitroglycerin] was synthesized by chemist Ascanio Sobrero in 1847. Sobrero initially called his discovery pyroglycerine, and warned vigorously against its use as an explosive. It was later adopted as a commercially useful explosive.



  • @PSWorx said:

    Reminds me of the system of our university. It won't accept passwords longer than 8 characters either, but it has the added bonus that it doesn't generate any error message when you set your password to something longer. Instead, it does the only sensible thing and silently truncates your password to its first 8 chars. Naturally, this has led to some good hilarity with the support desk over the years.

     

     

    My bank silently truncates to 10.  Or did; I had to learn the hard way when they made the change and suddenly my password no longer worked unless I omitted the last few characters.
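The truncation and case-folding behaviour described in the posts above can be audited from the outside with nothing more than one account's own correct password. The block below is an added example, not code from the thread or from any of the systems it mentions: `legacy_store`/`legacy_verify` are constructed to reproduce the weak behaviour (lowercase, keep 8 characters, unsalted hash), `sound_store`/`sound_verify` show the salted PBKDF2 alternative, and `probe` sends only wrong passwords (prefixes, a suffixed copy, a case-swapped copy) and reports which ones the verifier wrongly accepts. The sample password is made up.

```python
"""Probe a password verifier for the two defects the thread describes:
silent truncation (characters past position N are ignored) and case folding
(chicken == Chicken).

Added example; not code from the thread or from any system named in it.
The two verifiers, the probe and the sample password are constructed for
illustration. legacy_verify deliberately reproduces the weak behaviour so
the probe has something to find."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

LEGACY_LIMIT = 8          # the 8-character cut-off described in the thread
KDF_ITERATIONS = 100_000  # PBKDF2 work factor for the sound verifier


def legacy_store(password: str) -> bytes:
    """Weak, constructed scheme: lowercase, keep 8 chars, unsalted SHA-1."""
    return hashlib.sha1(password.lower()[:LEGACY_LIMIT].encode("utf-8")).digest()


def legacy_verify(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(legacy_store(password), stored)


def sound_store(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the full, unmodified password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt + dk


def sound_verify(password: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return hmac.compare_digest(cand, dk)


def probe(verify: Callable[[str], bool], password: str) -> Dict[str, object]:
    """Audit a verifier already bound to one stored credential.

    Only the account's own correct password is needed; every other input the
    probe sends is a *wrong* password that a correct verifier must reject."""
    findings: Dict[str, object] = {
        "accepts_correct": verify(password),
        "truncates_at": None,       # shortest accepted prefix, if any
        "ignores_suffix": verify(password + "XXXX"),
        "case_insensitive": False,
    }
    for n in range(1, len(password)):
        if verify(password[:n]):
            findings["truncates_at"] = n
            break
    swapped = password.swapcase()
    if swapped != password:
        findings["case_insensitive"] = verify(swapped)
    return findings


def audit_both(password: str = "CorrectHorse42") -> Dict[str, Dict[str, object]]:
    """Run the probe against both verifiers for the same (constructed) password."""
    legacy = legacy_store(password)
    sound = sound_store(password)
    return {
        "legacy": probe(lambda p: legacy_verify(p, legacy), password),
        "sound": probe(lambda p: sound_verify(p, sound), password),
    }


if __name__ == "__main__":
    for name, result in audit_both().items():
        print(name, result)
```

Against the legacy verifier the probe reports `truncates_at == 8`, `ignores_suffix == True` and `case_insensitive == True`; against the PBKDF2 verifier all three stay negative while the correct password is still accepted. The same probe can be pointed at any `verify` callable, including a thin wrapper around a real login endpoint for an account you own.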



  • @HighlyPaidContractor said:

    Do Australians really use "fortnight" regularly?


    When Centrelink is involved, on a fortnightly basis we use it.

    Another example of bad password policies (or more a general WTF), MacromatiX, something that claims to be a retail operating system but is in reality a web-based backoffice suite, has its own password WTFs... passwords aren't case sensitive (so it considers chicken and Chicken to be the same password). This system is used for a variety of backofficy type things: processing of payroll information, register reconciliation, stock management, et cetera. Really need something a little more secure than that, methinks.

    Macromatix story time nao.

    One day, I was counting my register at the end of my shift, tralala, prepared the float, and then I fed my password to MacromatiX (omitting the capital letter in it because I'm a rebel like that) because I'd finished it. I summon the manager who puts her password in to confirm that I have counted it and that I haven't palmed what I took out to make the float, and there's a large variance in what I counted: turns out that I can't count well. So, she puts her password in again so I can put my password in again so we can modify it and remove the errant money so I can put my password in again so she can put her password in again so we can print the reconciliation report (it makes sense when you do it). She clicks the "Release and Modify" button next to my name (as opposed to her name) by accident, and deauthorizes not only herself but me as well. She shouldn't have been able to do that because I put my password in, and because of this the manager wasn't able to override it so that my password wasn't needed to release it or re-authorize it.

    Then again, this business runs their POS terminals on Windows 2000 still and has the backoffice computer as the server, because that's not incredibly stupid or anything. And we've had the backoffice computer die, and boy was that a barrel of laughs.

    Then there's IBM 4690 GSA which for some reason won't let you have 0 as the first digit in a password (which is a retarded name as it's four digits, not a word at all).

     

    mod: fixed paragraphs FY –dh



  • @rmarquet said:

    @tchize said:

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only useful for backups you don't write often (eg: when you are done with a client, you backup all its data because you must still legally keep them for whatever reason during 10 years)

    No basement in my house. :) So I don't really feel comfortable that anywhere in the house is safe from a fire.

     

    I suggest a fireproof data/media safe. A small one, the size you might find in a hotel room, is around $NZ 1000. It will hold passports, birth certificates, deeds, usb keys, tapes, external hard disks, jewellery, etc - all the stuff you'd like to survive a house fire.



  • @havokk said:

    @rmarquet said:

    @tchize said:

    2 Solid USB key + vault in the basement. Minimum investment, minimum risks. Only useful for backups you don't write often (eg: when you are done with a client, you backup all its data because you must still legally keep them for whatever reason during 10 years)

    No basement in my house. :) So I don't really feel comfortable that anywhere in the house is safe from a fire.

     

    I suggest a fireproof data/media safe. A small one, the size you might find in a hotel room, is around $NZ 1000. It will hold passports, birth certificates, deeds, usb keys, tapes, external hard disks, jewellery, etc - all the stuff you'd like to survive a house fire.

    We actually do have one and our passports and my wife's pearls are in there. The issue with this is that it requires me to remember to get the USB device out of the safe/toilet tank/whatever and update it regularly.

    I stopped responding on this issue because I knew everyone would simply one-up me. The short version is that my wife and I wanted off-site backup and were happy to pay for it. An automated offsite backup is nice because it can be automated.



  • I can't stand password policies that require changing passwords every so and so. Such policies come from the seventies, when everyone had access to one, maybe two  things that were password-protected, and remembering even complicated passwords was easy.

    Today everyone needs PINs, PUKs, site passwords, and every fucking server has a password expiration policy, because it's totally more secure! I mean, everyone does it, so it must be secure!

    Oh wait, no it's not. It's just moving the problem from the server to the user. "We figured out a way to make your password impossible to crack, by  rendering it obsolete. Now  you remember your new password. Every single password you use. We can't guarantee the safety of your data if you write it down."

    The only problem: you can't even use the same password everywhere. The policies differ, so you have to change your password more often here, less often there, use a keychain to store them, your browser helpfully remembers your login and password, etc. I currently use about 100 different credential sets at work.
    At first I stored them in Oubliette, but maybe it's time to stop fucking caring and just throw them in an Excel file.



  • @Kiss me I'm Polish said:

    Oh wait, no it's not. It's just moving the problem from the server to the user. "We figured out a way to make your password impossible to crack, by  rendering it obsolete. Now  you remember your new password. Every single password you use. We can't guarantee the safety of your data if you write it down."

     And as someone else already mentioned, you soon start having passwords named after seasons and what have you...

    At first I stored them in Oubliette, but maybe it's time to stop fucking caring and just throw them in an Excel file.
     

     I have to keep a list.  It's the only way.   I just counted 28 passwords at work (albeit several of those are for systems that have been decommissioned, so I see 24 active passwords).  And that's JUST work related passwords.  Some of these systems I access daily, some I access once or twice a year.  Frustrating.


  • Discourse touched me in a no-no place

    @Kiss me I'm Polish said:

    I can't stand password policies that require changing passwords every so and so.
    From a recent change of servers at work (from the section on changing passwords):

    IMPORTANT: The password you have just set will now be the password you must use to access the hosted services. The administrators cannot see the password you have set, they only have the ability to reset your account password. The hosted system keeps a history of the last 24 passwords used and does not permit you to re-use a password which has been used previously within that history record. You must change your password at least once every 90 days. You cannot change your own password more than once in 24 hours. You will receive a warning 14 days before your password expires. If your password expires, you are prompted to change it when you sign in to the Administration Centre, My Company Portal, or the Sign In application.
    WTF is that all about? At worst that's 6 years before you can reuse a password, or just over 3 weeks if you make a concerted effort to cycle through 24 password changes.

    What is the point? Oh - the restrictions on the password itself?:
    7 Characters or more

    A combination of upper and lower case letters

    At least one number or symbol

    I've no idea, and no inclination to test to see, if there's a maximum length. It took my 10 character password. For this quarter anyway.
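The quoted rules (history of 24, at most one change per 24 hours, forced change every 90 days, warning 14 days out) can be modelled directly to check the "just over 3 weeks" and "6 years" figures in the post above. The block below is an added example, not code from the thread or from the hosted service being quoted: `RotationPolicy`, `days_until_reuse` and `sequence_demo` are names chosen here, the unsalted SHA-256 is only a stand-in for "has this value been used before", and the assumption that the current password counts as one of the 24 is mine.

```python
"""Model the password-rotation rules quoted above and compute how soon a
password can legally come back around.

Added example, not code from the thread or the hosted service it quotes.
Names, the hash used for the history check and the sample passwords are
constructed for illustration."""
import hashlib
from datetime import datetime, timedelta
from typing import List, Optional

HISTORY_DEPTH = 24                 # "history of the last 24 passwords"
MIN_AGE = timedelta(hours=24)      # "cannot change more than once in 24 hours"
MAX_AGE = timedelta(days=90)       # "at least once every 90 days"
WARN_BEFORE = timedelta(days=14)   # "warning 14 days before your password expires"


class RotationPolicy:
    def __init__(self, now: datetime):
        self._history: List[str] = []          # digests, most recent last
        self._last_change: Optional[datetime] = None
        self.now = now                         # simulated clock

    def tick(self, delta: timedelta) -> None:
        self.now += delta

    @staticmethod
    def _digest(password: str) -> str:
        # Enough to model "seen before"; a real store needs a salted, slow KDF.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def expired(self) -> bool:
        return self._last_change is not None and self.now - self._last_change >= MAX_AGE

    def in_warning_window(self) -> bool:
        return (self._last_change is not None
                and self.now - self._last_change >= MAX_AGE - WARN_BEFORE)

    def change(self, new_password: str, by_admin: bool = False) -> str:
        """Attempt a change; return 'ok' or the reason it was refused."""
        if (not by_admin and self._last_change is not None
                and self.now - self._last_change < MIN_AGE):
            return "too-soon"
        d = self._digest(new_password)
        if d in self._history:
            return "reused"
        self._history.append(d)
        del self._history[:-HISTORY_DEPTH]     # keep only the newest 24
        self._last_change = self.now
        return "ok"


def days_until_reuse(eager: bool) -> int:
    """Days until the original password is accepted again.

    eager=True:  the user changes every day, the minimum gap allowed;
    eager=False: the user changes only when the 90-day expiry forces it."""
    start = datetime(2024, 1, 1)
    p = RotationPolicy(start)
    if p.change("original") != "ok":
        raise RuntimeError("initial change refused")
    step = MIN_AGE if eager else MAX_AGE
    n = 0
    while True:
        p.tick(step)
        n += 1
        if p.change("original") == "ok":
            return (p.now - start).days
        if p.change(f"filler-{n}") != "ok":
            raise RuntimeError("filler change refused")


def sequence_demo() -> list:
    """Walk the rules once on constructed passwords; returns the outcomes."""
    p = RotationPolicy(datetime(2024, 1, 1))
    out = [p.change("Winter2024!")]          # ok
    out.append(p.change("Spring2024!"))      # too-soon: same day
    p.tick(timedelta(days=1))
    out.append(p.change("Winter2024!"))      # reused
    out.append(p.change("Spring2024!"))      # ok
    p.tick(timedelta(days=90))
    out.append(p.expired())                  # True
    return out


if __name__ == "__main__":
    print(sequence_demo())
    print("eager reuse after", days_until_reuse(True), "days")
    print("lazy reuse after", days_until_reuse(False), "days")
```

Under these rules the original password is accepted again on day 25 if the user changes every day (24 fillers push it out of the history), and only after 2250 days, a little over six years, if each change waits for the 90-day expiry; both match the post's estimates. The only knob that actually slows a determined cycler is the 24-hour minimum age, which is why that rule exists at all.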


  • I use a password that has a semi-constant core plus a part that's mnemonically generated from the service I use.

    This works so well that for the latest service I signed up for, I forgot my password almost as soon as I logged out. I then reconstructed it from association and lo, it was correct on first try.



  • @dhromed said:

    I use a password that has a semi-constant core plus a part that's mnemonically generated from the service I use.

    This works so well that for the latest service I signed up for, I forgot my password almost as soon as I logged out. I then reconstructed it from association and lo, it was correct on first try.

    That is what I do, too, except for the sites having ridiculous requirements that do not permit strong passwords, which, sadly, is about 90% of the really important accounts. For those, I end up relying on the "Forgot password?" functionality and pray my web-based email is never compromised...



  • @Xyro said:

    That is what I do, too, except for the sites having ridiculous requirements that do not permit strong passwords, which, sadly, is about 90% of the really important accounts. For those, I end up relying on the "Forgot password?" functionality and pray my web-based email is never compromised...
     

    A.K.A. government sites.

    I have to go to a government-run site to pay my student loan bills. To login, all I need is the first two letters of my last name, the last four digits of my SSN, and a four-digit pin. My last name is pretty much common knowledge so that just leaves 1000 SSN combinations * 1000 PIN combinations = 1,000,000 guesses. If my SSN was stolen they'd only have to try 1000 PIN combinations which could probably be brute-forced within minutes. Oh, and the site doesn't lock your account or anything if you get stuff wrong, unless it takes over a dozen tries before you're locked out. If my name and SSN are found then the PIN is just a joke and doesn't really provide any additional security.

    Personally I'd rather just use a username, email, or even an SSN and stick with a traditional strong password with 15 - 25 characters.



  • @mott555 said:

    A.K.A. government sites.

    I have to go to a government-run site to pay my student loan bills. To login, all I need is the first two letters of my last name, the last four digits of my SSN, and a four-digit pin. My last name is pretty much common knowledge so that just leaves 1000 SSN combinations * 1000 PIN combinations = 1,000,000 guesses. If my SSN was stolen they'd only have to try 1000 PIN combinations which could probably be brute-forced within minutes. Oh, and the site doesn't lock your account or anything if you get stuff wrong, unless it takes over a dozen tries before you're locked out. If my name and SSN are found then the PIN is just a joke and doesn't really provide any additional security.

    Personally I'd rather just use a username, email, or even an SSN and stick with a traditional strong password with 15 - 25 characters.

     

    While I generally agree, I think we can safely call 1000 tries "over a dozen".



  • @PSWorx said:

    While I generally agree, I think we can safely call 1000 tries "over a dozen".
     

    Most sites I've used that lock you out do so after only three failed attempts. Since I've failed to log in around a dozen times in a row without having my account locked (had a failing keyboard for a while), I assumed it doesn't lock at all.



  • @mott555 said:

    To login, all I need is the first two letters of my last name, the last four digits of my SSN, and a four-digit pin. My last name is pretty much common knowledge so that just leaves 1000 SSN combinations * 1000 PIN combinations = 1,000,000 guesses.
     

    Unless there's some additional restrictions you haven't mentioned, that's 10000 SSN combinations * 10000 PIN combinations = 100,000,000 guesses.
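The scenario in mott555's post, with the corrected arithmetic above, is 10^4 × 10^4 = 10^8 combinations when the SSN suffix is unknown and 10^4 PINs when it is known, and the observation that a dozen failures did not lock the account is the part that matters. The block below is an added example, not from the thread or from the site it discusses: `guess_space` works the corrected figures, `AccountLockout` is a constructed per-account throttle, and `guesses_processed` simulates how many PIN guesses a server actually evaluates in a given time with and without it. The guess rate, threshold and lock duration are assumptions chosen for illustration.

```python
"""Work the guess-space figures from the thread and show what a per-account
failed-attempt lockout does to them.

Added example, not code from the thread or the site it discusses.  The
throttle class, its thresholds and the guess rate are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

PIN_SPACE = 10 ** 4         # four decimal digits
SSN_SUFFIX_SPACE = 10 ** 4  # last four digits of an SSN


def guess_space(ssn_suffix_known: bool) -> int:
    """Combinations an attacker must cover when the name part is public."""
    return PIN_SPACE if ssn_suffix_known else PIN_SPACE * SSN_SUFFIX_SPACE


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Time to try every combination with no throttling at all."""
    return space / guesses_per_second


@dataclass
class AccountLockout:
    """Per-account lockout: after `threshold` consecutive failures the account
    refuses further attempts for `lock_ms` milliseconds (integer clock so the
    simulation is exact)."""
    threshold: int = 3
    lock_ms: int = 900_000                      # 15 minutes
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, int] = field(default_factory=dict)

    def attempt(self, account: str, now_ms: int, success: bool) -> bool:
        """Return True if the attempt was evaluated, False if refused."""
        if self.locked_until.get(account, 0) > now_ms:
            return False
        if success:
            self.failures.pop(account, None)
            return True
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.threshold:
            self.locked_until[account] = now_ms + self.lock_ms
            self.failures[account] = 0
        return True


def guesses_processed(seconds: int, rate: int,
                      lockout: Optional[AccountLockout] = None) -> int:
    """Simulate wrong PIN guesses at `rate` per second against one account for
    `seconds`; return how many the server actually evaluated."""
    processed = 0
    for i in range(seconds * rate):
        now_ms = i * 1000 // rate
        if lockout is None or lockout.attempt("victim", now_ms, success=False):
            processed += 1
    return processed


if __name__ == "__main__":
    print("SSN unknown:", guess_space(False), "combinations")
    print("SSN known:", guess_space(True), "PINs,",
          seconds_to_exhaust(guess_space(True), 10), "s at 10 guesses/s")
    print("10 min, no lockout:", guesses_processed(600, 10))
    print("1 hour, lock 3/15min:", guesses_processed(3600, 10, AccountLockout()))
```

At ten guesses per second an unthrottled four-digit PIN falls in under 17 minutes, which is the "within minutes" the post worries about; a three-failures-then-15-minute lockout lets only 12 guesses through in an hour, so exhausting the same 10,000 PINs would take roughly five weeks of continuous lockouts that any monitoring should notice. The throttle keys on the account, which is the right choice here because the attacker in this scenario already has the identifier and only the PIN is secret.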



  • @Someone You Know said:

    @mott555 said:

    To login, all I need is the first two letters of my last name, the last four digits of my SSN, and a four-digit pin. My last name is pretty much common knowledge so that just leaves 1000 SSN combinations * 1000 PIN combinations = 1,000,000 guesses.
     

    Unless there's some additional restrictions you haven't mentioned, that's 10000 SSN combinations * 10000 PIN combinations = 100,000,000 guesses.

     

    Doh.


  • Garbage Person

    @mott555 said:

    I have to go to a government-run site to pay my student loan bills. To login, all I need is the first two letters of my last name, the last four digits of my SSN, and a four-digit pin. My last name is pretty much common knowledge so that just leaves 1000 SSN combinations * 1000 PIN combinations = 1,000,000 guesses. If my SSN was stolen they'd only have to try 1000 PIN combinations which could probably be brute-forced within minutes. Oh, and the site doesn't lock your account or anything if you get stuff wrong, unless it takes over a dozen tries before you're locked out. If my name and SSN are found then the PIN is just a joke and doesn't really provide any additional security.
    And why, exactly, would anyone want to break into your DirectLoans account?

     To pay your bills for you? I'm looking at my account right now and can't find a single way to extract any meaningful information other than SHOCK HORROR my street address and phone number. Okay, they could submit an early payment using my saved account info - how the fuck is that going to help J. Random Hacker? All it's going to do is mildly inconvenience me while the accounts are reset and unleash the twin hells of government and bank fraud teams.



  • @Weng said:

    And why, exactly, would anyone want to break into your DirectLoans account?

     To pay your bills for you? I'm looking at my account right now and can't find a single way to extract any meaningful information other than SHOCK HORROR my street address and phone number. Okay, they could submit an early payment using my saved account info - how the fuck is that going to help J. Random Hacker? All it's going to do is mildly inconvenience me while the accounts are reset and unleash the twin hells of government and bank fraud teams.

     

    That's a very good question which I can't answer. However, "Why the hell would someone want to hack this account?" is not an excuse to have lame security. But I do fall towards the paranoid side of things when it comes to application security.



  • My bank and government login require strong passwords that must rotate every 3 months (or something), and use SMS-authentication on many things.

     

    Apparently this is a luxury situation.



  • @dhromed said:

    SMS-authentication

    You say that as if it's a good thing.

    (which probably means I don't get what it is)


  • Discourse touched me in a no-no place

    @b-redeker said:

    @dhromed said:

    SMS-authentication

    You say that as if it's a good thing.

    (which probably means I don't get what it is)

    OTP via text-message probably.


  • @PJH said:

    OTP via text-message probably.
     

    Y



  • @rmarquet said:

    I have to keep a list.  It's the only way.   I just counted 28 passwords at work (albeit several of those are for systems that have been decommissioned, so I see 24 active passwords).  And that's JUST work related passwords.  Some of these systems I access daily, some I access once or twice a year.  Frustrating.


    I get around this by grouping related systems and using the same password for all the systems in a group.


    I still have my network password, my core applications password, my minor applications password, a couple of passwords for external vendors, server logins for three different applications (each with prod password and dev/test password), a couple of ETL repository logins, half a dozen database logins... but generally I can remember them.


    What really annoyed me the other day, though, was trying to get online access to my superannuation fund. Every other fund I've looked at on the web allows you to register using your membership number, and gets you to provide some information to check against their records so they know (well, OK, hope) it's actually you. My current fund required me to ring their customer service line to be allocated an ID and a password. The ID was a string of digits with no relationship to my membership number, and is the only way I can login. It's not visible anywhere on the site, and won't be on any of the paperwork I receive from them, unlike my membership number which is on every annual statement. So basically, every time I want to login to their site I'll have to go and dig up the specific bit of paper I wrote the ID on. Or ring up customer service again and say "I can't remember my login ID, my membership number is..."


    Perhaps not surprisingly, the site itself was easily the worst of all the superannuation funds' sites that I have used. It made me feel sad that I was trying to close down all my other superannuation accounts and roll the balances over into this one.



  • Use KeePass?

    I mean, I'm only starting using it right now, but I don't have nearly as many usernames and passwords to remember as you guys.



  • @Sutherlands said:

    Use KeePass?


    If it gets too out-of-control, I'll probably have to. In the meantime, I feel that if someone armed with my password for our CRM system also wants to sabotage our ETL repository (and has the ETL client software installed and pointing to the correct server and port), having a different password for the ETL repository probably wouldn't have stopped them. Particularly when the people who know where the ETL repository is also have admin access to the ETL domain and could simply create a new dummy user to sabotage it with, forcing us to go to the trouble of restoring it from the previous night's backup.



  • I have a WTF in this area I can share. I have an online account with ESRI's website since I took some online ArcGIS courses for work. However their login form is broken, at least for me, I don't think anybody else in the office has any problems. It never remembers my password. Ever. If I need to login I have to click the "Reset Password" link and then they email me a temporary password which lets me log in and set a new password. I'll set my usual password and go on since I'm already logged in and everything works great. But if I log out and try to login again the password I just set won't work and I'll have to reset it again.



  • @mott555 said:

    I have a WTF in this area I can share. I have an online account with ESRI's website since I took some online ArcGIS courses for work. However their login form is broken, at least for me, I don't think anybody else in the office has any problems. It never remembers my password. Ever. If I need to login I have to click the "Reset Password" link and then they email me a temporary password which lets me log in and set a new password. I'll set my usual password and go on since I'm already logged in and everything works great. But if I log out and try to login again the password I just set won't work and I'll have to reset it again.


    Sounds like your usual password is getting mangled when they save it. Any special characters in it? Maybe you should set a really simple password and see if it remembers that, then (if it succeeds) work your way up, find out how complex you can make your password before you break it.


    Not that they should be saving your password in the first place, but you know they are. Well, saving some related password, anyway.



  • @Scarlet Manuka said:

    Sounds like your usual password is getting mangled when they save it. Any special characters in it? Maybe you should set a really simple password and see if it remembers that, then (if it succeeds) work your way up, find out how complex you can make your password before you break it.

    Not that they should be saving your password in the first place, but you know they are. Well, saving some related password, anyway.

     

    Nope, no special characters, just lowercase letters and some numbers.

    In related news, apparently even Amazon.com has made the same exact stupid password mistake as others mentioned in this thread. http://www.neowin.net/news/amazon-password-flaw



  • @mott555 said:

    In related news, apparently even Amazon.com has made the same exact stupid password mistake as others mentioned in this thread. http://www.neowin.net/news/amazon-password-flaw
     

     Covered and explained earlier in the thread as well.

    @Heron said:


    @Heron said:

    @derula said:

    And Amazon, too. (Still does, just checked. At least the German version.)

    Wow. That's kind of disturbing. I'll bring this to the attention of our security team.

    If you go into your account settings and reset your password (even to the *same* password), it won't happen anymore. (Apparently the issue was fixed at some point, but only for passwords that were created or reset after the fix was deployed. For obvious reasons I can't go in to more detail.)




  • @locallunatic said:

    @mott555 said:

    In related news, apparently even Amazon.com has made the same exact stupid password mistake as others mentioned in this thread. http://www.neowin.net/news/amazon-password-flaw
     

     Covered and explained earlier in the thread as well.

    People are supposed to read threads before posting? Pshaw!

    The funny thing is when I saw that post about the Amazon thing, I was thinking, "hm, where have I heard that recently..." Turns out it was this very thread!



  • @blakeyrat said:

    People are supposed to read threads before posting? Pshaw!
     

    OK, you got me there.  And the linked article covers the fix too, so I can't even claim to be adding anything :(.



  • @b-redeker said:

    @TarquinWJ said:

    C6H2(NO2)3CH3

    "an explosive consisting of a yellow crystalline compound that is a flammable toxic derivative of toluene".

    OK I'm the first (I think) to actually say it's TNT.  However, I can't think of a parcel company with a name like that.

    Is this an American company?



  • @belgariontheking said:

    Is this an American company?
    I think it's based in the Netherlands, and I've certainly had stuff delivered by them to me (to Slovenia).



  • @b-redeker said:

    It's still a total WTF and possibly the dumbest unit of measurement evar.


    Only half correct. In a physics lesson at school one day near the end of term, the teacher left us alone for half an hour and told us to calculate the speed of light, given some starting information to work from. Before he left, we asked him what units the answer should be expressed in. 'Any units you like,' he replied.




    After some discussion amongst ourselves, we all agreed on furlongs per fortnight (and no, before you ask, sorry but for some reason I forget the result we calculated).



  •  I'm sorry Cad, I didn't quite catch that, could you say it again?

    BTK, TNT (the courier company) also operates in the UK.  And they drive like fucking maniacs.


  • Garbage Person

     @Cad Delworth said:

    After some discussion amongst ourselves, we all agreed on furlongs per fortnight (and no, before you ask, sorry but for some reason I forget the result we calculated).

    1.8026175 × 10^12

     


  • Discourse touched me in a no-no place

    @Cad Delworth said:

    After some discussion amongst ourselves, we all agreed on furlongs per fortnight (and no, before you ask, sorry but for some reason I forget the result we calculated).
    Use Google Calc. It's not as if it's original enough that you were the only ones to think of it.



  •  That's rough :(



  • I've got it hanging on my wall. If you write out all the terms and cancel them out properly and then use a calculator with infinite precision (well, ok, limits-of-memory precision) you get 1,802,617,498,996 and 4/11.

