Password security 101
-
So this French TV station got hacked yesterday by IS ...
Along comes this possible explanation ...
-
TLDR:
Post-it note on wall [in a televised interview next to a worker's desk] revealed network's passwords for YouTube, Instagram.
-
I call lies and desepticons. There are no post-its in that image.
-
There are no post-its in that image
You still only have yellow ones over there ...
My password is on a pink one
-
Do they also come in A4? Because that's all I see in that image. Sheets of A4 paper.
-
My favourite bit:
Twitter user pent0thal confirmed that account's displayed password was "lemotdepassedeyoutube," which translates in English to "the password of YouTube."
-
I call lies and desepticons. There are no post-its in that image.
It's France, right? They probably have their own versions with stupid names because they can't stand that Post-Its came from America.
-
They probably have their own versions with stupid names because they can't stand that Post-Its came from America.
They're black and white, and have pictures of onions on the side.
-
@thegoryone said:
I have so many green post-its on my monitor it looks like a really shitty Christmas tree.
Also, lulz.
I once worked for a company that used its own postcode (6 digit) as their remote admin account for about 250 external service customers.
That's terrible... That's only 10^6 possible combinations. Here in the Netherlands it would be fine, though, as there would be 10^4 * 26^2 possible combinations.
-
-
-
I still see some artefacts there - I think you need to go back to NCIS to complete your training...
And there's definitely a render bug there...
-
Freedom Papers™
-
Websites should ditch usernames and just ask for your password to log in. If anyone shares it with you, they get the option to log in as your account. Best way to guarantee uniqueness.
-
No, they shouldn't allow you to share passwords. If you try to set a password that someone else has taken, the system should ask you to provide a different one.
-
Nobody Shares Passwords Better Than This
-
No, they shouldn't allow you to share passwords. If you try to set a password that someone else has taken, the system should ask you to provide a different one.
And tell you whose it is so you can ... "ask" them to change it.
-
Websites should ditch usernames and just ask for your password to log in. If anyone shares it with you, they get the option to log in as your account. Best way to guarantee uniqueness.
If the passwords are randomly generated and known to be randomly generated, and the search space is big enough (128 bits or more), this actually works.
If you want to play with it, you can set up ssh to log on this way: create a common user account that all your users will share for ssh connections, make sshd accept key-based logons only for that account, and use per-key command= options in its authorized_keys file to force sshd to su into the associated user account after authenticating with that key.
Each user's ssh key then functions as both user identifier and authenticator.
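-
The setup described in the post above, written out as an added example (not code from the thread or from OpenSSH): a shell script that emits the authorized_keys lines for a shared gateway account, the forced-command wrapper, and the sshd_config and sudoers fragments that go with them. The account name sshgate, the wrapper path /usr/local/bin/ssh-as, the key file path and the key blobs are all assumptions. One caveat worth spelling out: the forced command runs as the gateway user, which cannot su into anyone without that person's password, so the wrapper has to be granted root through sudo; that NOPASSWD rule is the crown jewel of the arrangement and should be scoped to exactly one program, as below.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: gateway account
# "sshgate", wrapper /usr/local/bin/ssh-as, key file /etc/ssh/sshgate_keys.
# The key blobs at the bottom are constructed placeholders, not real keys.

# Key options: nothing but the forced command is allowed over this key.
KEYOPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# authorized_keys_line USER KEYTYPE KEYDATA
#   One line for sshgate's key file. The key is pinned to a forced command
#   that becomes USER, so the key is both identifier and credential.
authorized_keys_line() {
    user=$1
    keytype=$2
    keydata=$3
    # The username lands inside a quoted command string and later in su's
    # argument list, so refuse anything outside a conservative character set.
    case $user in
        ''|*[!a-z0-9_-]*) echo "refusing unsafe username: $user" >&2; return 1 ;;
    esac
    printf 'command="sudo /usr/local/bin/ssh-as %s",%s %s %s %s\n' \
        "$user" "$KEYOPTS" "$keytype" "$keydata" "$user"
}

# ssh_as_wrapper
#   Prints the wrapper that sshd runs (through sudo, as root) as the forced
#   command. It re-validates the target, then replays the client's original
#   command under that account, or starts a login shell if there was none.
ssh_as_wrapper() {
cat <<'EOF'
#!/bin/sh
# /usr/local/bin/ssh-as USER   (assumed install path)
target=$1
case $target in
    ''|*[!a-z0-9_-]*) echo "ssh-as: bad target" >&2; exit 1 ;;
esac
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    exec su - "$target" -c "$SSH_ORIGINAL_COMMAND"
else
    exec su - "$target"
fi
EOF
}

# sshd_config_fragment
#   The gateway account accepts keys only, and its key file lives outside
#   the account's home so the shared user cannot edit it.
sshd_config_fragment() {
cat <<'EOF'
Match User sshgate
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    AuthorizedKeysFile /etc/ssh/sshgate_keys
EOF
}

# sudoers_fragment
#   sshgate cannot su into anyone on its own, so it gets root for exactly
#   one program. env_keep carries the client's original command through
#   sudo's environment reset so the wrapper can see it.
sudoers_fragment() {
cat <<'EOF'
Defaults:sshgate env_keep += "SSH_ORIGINAL_COMMAND"
sshgate ALL=(root) NOPASSWD: /usr/local/bin/ssh-as
EOF
}

# Constructed sample input: two users with placeholder key blobs.
build_sshgate_keys() {
    authorized_keys_line alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAlice
    authorized_keys_line bob   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBob
}

build_sshgate_keys
```

Run it and redirect the output to the assumed key file; the other three functions print the pieces to install alongside it. Because every key carries its own forced command, a user who leaks a key leaks exactly one account, and revoking access is deleting one line.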
-
And tell you whose it is so you can ... "ask" them to change it.
Why pester them when you can log in and change it yourself? That's the considerate thing to do.
-
Why pester them when you can log in and change it yourself? That's the considerate thing to do.
The mean ideas thread is
-
Best way to guarantee uniqueness.
Typos password
Whoah, what are all these files??? Where did my stuff go???
-
If the passwords are randomly generated and known to be randomly generated, and the search space is big enough (128 bits or more), this actually works.
[...]
Each user's ssh key then functions as both user identifier and authenticator.
A variation on that theme is client-authenticated SSL, where the initial key exchange doesn't just establish the server's crypto ident but also the client's. It's a very strong system, but not one that's used much with HTTPS because it's a pain to set up in browsers.
-
hunter2
-
In all seriousness, that's a good way to enforce password security, just have to do it sneaky...
To person 1: Say "That password is not unique enough.", make them choose another
For person 2, lock their AD account and flag it for password reset.
Schedule both of them for the next week's password security training session.
-
Actually Post-It brand sticky-notes come in sizes up to 17" by 22"
-
The origins of Post-Its date back to medieval England when it was traditional to write the dates of important feast days on the sides of livestock. These became known as Post-It Goats. As the years went by and paper became more readily available they morphed into the form we're more familiar with today.
-
The origins of Post-Its date back to medieval England when it was traditional to write the dates of important feast days on the sides of livestock.
You'd think they would be rather difficult to stick to a wall.
-
You'd think they would be rather difficult to stick to a wall.
It's a well-known fact in Western Europe that goatshit, mixed with straw, is sticky enough to attach a goat to a wall and hold it there for a couple of days.
-
It's a well-known fact in Western Europe that goatshit, mixed with straw, is sticky enough to attach a goat to a wall and hold it there for a couple of days.
In Eastern Europe, OTOH, we never experimented with smearing our walls with shit.
Filed under: so much progress lost
-
In Eastern Europe, OTOH, we never experimented with smearing our walls with shit.
Dammit. You didn't take the bait.
-
In Eastern Europe, OTOH, we never experimented with smearing our walls with shit.
And now we're stuck with American technology. It's the same with internets, and many other things.
-
-
A variation on that theme is client-authenticated SSL, where the initial key exchange doesn't just establish the server's crypto ident but also the client's. It's a very strong system, but not one that's used much with HTTPS because it's a pain to set up in browsers.
And you can get the best of both worlds with TLS-SRP, if the browser vendors would ever start supporting it...
-
In Eastern Europe, OTOH, we never experimented with smearing our walls with shit.
Waste of perfectly good shit?
-
In Eastern Europe, OTOH, we (snip)
I thought you were Polish? Since when is Poland in Eastern Europe?
-
I thought you were Polish? Since when is Poland in Eastern Europe?
Since they built that damn wall in Berlin instead of Kiev?
-
best of both worlds with TLS-SRP
No thanks. There's far more fucked up with passwords than with client certificates. The inventors of SRP (TLS-SRP is just SRP over TLS) have a strange idea about what threat model they're really addressing or what real-world security practices actually are (“post-it goats” and all).
-
Since they built that damn wall in Berlin instead of Kiev?
So you don't think of yourselves as being Central Europe? That was the traditional designation…
-
Though I grant you that even 20+ years on many people still can’t tell the difference, Eastern Bloc ≠ Eastern Europe.
-