Server Relocation WTF



  • So, we are relocating offices over the weekend. Part of this involves relocating and (apparently) reconfiguring our servers. The office manager sent out the email below. Not sure I need to say anything else....

    To effect a successful and incident free move from A to B, we need to gather all users’ login passwords for server re-configuration at the new office. Please be assured that passwords will be handled with the strictest of confidence and that accounts will be logged into for checking of shared drives and security levels only.

    Please email your password to myself before Thursday 3rd Nov. Passwords not received can be re-set to a default setting but this action exposes the system to a greater risk of unauthorised access due to there being multiple accounts with the same password. Your password will be viewed by myself and the Network Systems Engineer only and can be re-set to something of your own choosing once you have logged in at the new office.



    1. Give them a password you aren't using and tell them to administratively change your password to that before the migration.
    2. Change your password to a different password after the migration.
    3. Profit!

  • :belt_onion:

    So, wait a few months, then send the exact same message out, spoofing his email address, profit?



  • Have you mentioned to him that he may be braindead?



  • I briefly thought about doing that. I sighed and got on with my life instead.
    Oh and posted here.


  • :belt_onion:

    Can you report his email as phishing?

    Or even better, send him an email, CC'ing the boss, asking if his account has been compromised because this looks a hell of a lot like a phishing email.



  • As a bonus, see if you can get the boss to reply to the original email with you CC'd.


  • :belt_onion:

    Yes!

    Oh wait, do you have infosec people? Send it to them, they should have a blast with that!



  • Nothing so grandiose. We're a (very) small engineering firm. IT "support" and yes, I use that term loosely, is contracted out.
    We have some interesting restrictions, like not being able to customise the icons on the taskbar, but at least we have some semblance of admin rights.


  • Grade A Premium Asshole

    @metallurg said:

    We're a (very) small engineering firm.

    Then what's the big deal?

    Yeah, it is a minor :wtf:, but the server admins have access to all your shit anyway. They just want to be able to verify that all the shared drives, etc., work properly and that the office isn't entirely fucked when you guys get there. Login, make sure everything works, log out.

    If they wanted to rummage through all the files on your desktop, they could do that at the server without you ever knowing and without your machine even being on.



  • But what if I use my super-secret password for all my logins? My bank accounts, oh no!


  • Fake News

    There's the fact that email isn't a safe medium for passwords compared to just writing a note and passing it to your boss (that should work for small firm).

    Of course this is less important if you're using an internal Exchange server.


  • Fake News

    Reset your password before the move?
    Anyone using your excuse for real needs to be told how to use a password manager.


  • Grade A Premium Asshole

    @JBert said:

    There's the fact that email isn't a safe medium for passwords compared to just writing a note and passing it to your boss (that should work for small firm).

    Of course this is less important if you're using an internal Exchange server.

    Meh. It is secure enough. For this purpose anyway. We are talking about domain passwords. They need access to the network if they happen to somehow intercept the one email containing your password.

    If the IT support firm triggers a password reset for everyone on Monday, I see no major problem with what they have done. Yeah, it would be better if it had not been done over email, and yes it was phrased like a phishing attack, but small firms don't need enterprise procedures.

    And really, it would be worse if they host their own Exchange server, because then they just sent their email password also since it is the same as their domain password. Email should be able to be accessed from anywhere.


  • Fake News

    @Polygeekery said:

    If the IT support firm triggers a password reset for everyone on Monday, I see no major problem with what they have done.

    Ah, forgot to comment on this nugget:

    Passwords not received can be re-set to a default setting but this action exposes the system to a greater risk of unauthorised access due to there being multiple accounts with the same password.

    Surely @metallurg's boss could reset passwords to some random password if he was really concerned about this?!? :wtf:
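    Added example, not part of the thread: the per-user random reset the post above asks for, done with the RSAT ActiveDirectory PowerShell module from a session that holds password-reset rights. The OU path and the character set are assumptions; nothing here comes from the original poster's firm or its IT contractor.

```powershell
# Added example (not from the original thread): reset every enabled user in an OU
# to its own random password and force a change at next logon, instead of one
# shared "default" password. Assumes the ActiveDirectory module (RSAT) and an
# account allowed to reset passwords. The OU path is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=com'   # placeholder, adjust to your domain

function New-RandomPassword {
    param([int]$Length = 20)
    # Exactly 64 symbols (no I/O/l look-alikes), so "byte % 64" has no modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+='
    $bytes = New-Object byte[] $Length
    # CSPRNG; Get-Random is not suitable for credentials.
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$results = foreach ($user in Get-ADUser -SearchBase $searchBase -Filter 'Enabled -eq $true') {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -Reset sets the password administratively; the old password is never needed,
    # which is exactly why nobody has to email theirs to anyone.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # The user picks their own password the first time they log in at the new office.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    [pscustomobject]@{ User = $user.SamAccountName; TempPassword = $plain }
}

# Hand each temporary password to its owner in person; this prints to the console
# only and deliberately never writes the list to a file or a mail message.
$results | Format-Table -AutoSize
```

    Run it first with `-WhatIf` on the two `Set-*` calls to see which accounts it would touch. Every temporary password is different, so a leaked or guessed one opens a single account rather than the whole domain, which is the risk the office manager's email itself admits to.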


  • Grade A Premium Asshole

    "hunter2" really should be safe enough for everyone.



  • @Polygeekery said:

    "*******" really should be safe enough for everyone.

    That's kind of a boring password.


  • FoxDev

    @Polygeekery said:

    "hunter2" really should be safe enough for everyone.

    Did you know that Discourse automatically encrypts your password if you accidentally post it?

    you will see your password in plain text but everyone else sees ■■■■■■■.

    try it! it's true!


  • Notification Spam Recipient

    Cool, let me try!

    My password is: accaliaisamoron

    Did it work?


  • BINNED

    Didn't work ... It encrypted my location field instead ... Discourse!


  • FoxDev

    @Vault_Dweller said:

    Cool, let me try!

    My password is: belgium

    Did it work?




  • It is bad practice and makes people think that sending their password via email is okay in some circumstances. Bad practices lead to bad habits.


  • Notification Spam Recipient

    Yes. Rather scream it across the room instead.


  • :belt_onion:

    Also the fact that rule number 0 is NEVER EVER EVER EVER EVER send passwords via email.



  • @metallurg said:

    Because I really don't know how we're going to move from A to B, we need to gather all users’ login passwords because I don't understand how domains and accounts work. Please be assured that emailing me your password is still an unbelievably stupid thing for me to ask you to do, and that doing so almost guarantees you a visit from the Bad Security Fairy.

    Before you leave for the day on Friday, please make sure that you are logged in to your online banking, AWS console and your Ashley Madison account as well, as we need access to those too.

    Please forget everything you have ever learned about network security and email your password to myself before Thursday 3rd Nov. If you are unable to bring yourself to do this before then, Steve has a shovel by the reception desk and will be willing to hit you on the head with it until emailing me your plaintext password starts to seem like a good idea. Passwords not received can be re-set to a default setting because I really have no idea how to reset passwords and this will no doubt lead to multiple accounts with the same password, which is almost as bad an idea as having everybody in the company email me their passwords in the first place. Your password will be viewed by myself, the Network Systems Engineer, and anybody else, really, because our security policy is such a sad and lonely thing that nobody ever pays attention to.

    Okay, I can see how if this was all a hands-on, do everything while sitting at each desk and then do it over again on the next desk kind of thing (I believe the technical term is "Doing it wrong"), then it could be helpful to have someone log in to each account, verify connectivity, configure printers, add shared drives, reset the wallpaper to the proper inspirational poster and all, but...

    1. There are better ways to do all of this. Unfortunately, they mostly depend on having done things the right way before the move starts, but they are far better.
    2. No, really. Far, far, far better.
    3. The last sentence alone says enough. "Your password [...] can be re-set to something of your own choosing once you have logged in at the new office." Maybe I'm reading too much into the use of passive voice here, but that sounds different from "You can reset your own password once you log in, just like you always could before and usually do whenever you hit the password expiry time anyway" and suggests that someone else would need to reset the password for each user.

    I'm going to have to agree with Miss Hoover, who said “The children are right to laugh at you, Ralph.”



  • Just wait for the next guy to press CC-ALL and wooohooo! 🍿



  • My password is: belgium

    Hey! It works!


  • Dupa

    @flabdablet said:

    Hey! It works!

    I don't think it does. You can't see it either, and it should be only us that can't.

    Discourse broke @accalia's futurefeature.



  • @Polygeekery said:

    "hunter2" really should be safe enough for everyone.

    Ha! Hunter3 is even more safer.



  • @kt_ said:

    You can't see it too

    Sure I can! It's "belgium".



  • @Eldelshell said:

    Just wait for the next guy to press CC-ALL and wooohooo! 🍿

    We used to do this thing at work where I would e-mail everyone a question, usually related to safety policies, and all the people who correctly answer the question would have their name put into a drawing for a prize.

    Sometimes, someone would Reply All, then others would submit that same answer. Mildly amusing when the answer was wrong.

