You suck at IT, you totally suck


  • Ok, Ok, fiiiiine, I'll pay the thread tax...



  • The problem is that what they did isn't even an IT problem, but a basic security problem. Imagine if it was combination locks for lockers, and the school just went round and changed them all to 10-20-30. It's exactly as stupid as the IT-based problem in the article, but involves no IT. (Well, except that they probably wouldn't do a physical security thing like locker combinations in that sort of way, anyway.)



  • @Steve_The_Cynic said in You suck at IT, you totally suck:

    The problem is that what they did isn't even an IT problem, but a basic security problem. Imagine if it was combination locks for lockers, and the school just went round and changed them all to 10-20-30. It's exactly as stupid as the IT-based problem in the article, but involves no IT. (Well, except that they probably wouldn't do a physical security thing like locker combinations in that sort of way, anyway.)

    There's that one on the part of the high school, but there was also the mistake where the security auditor broke the system they were auditing in the first place.

    Then there was the additional error where the school tried to fix the auditor's mistake instead of giving the auditor a clip around the ear and making them provide a fix.


  • @Steve_The_Cynic said in You suck at IT, you totally suck:

    The problem is that what they did isn't even an IT problem, but a basic security problem. Imagine if it was combination locks for lockers, and the school just went round and changed them all to 10-20-30. It's exactly as stupid as the IT-based problem in the article, but involves no IT. (Well, except that they probably wouldn't do a physical security thing like locker combinations in that sort of way, anyway.)

    Fair, but if (general) you as an IT implementer are inept enough not to have a functioning, mandated self-service password reset process in 2023 and as a result are doing mass password resets, that's on you. And sending an email that literally says "we changed everybody's password" is just the cherry on top.



  • The real height of obliviousness here is managing a network of thousands of high school students and not even realizing that this is going to open the door to them messing with each other.

    I guess it's a good thing that these people don't manage the keys at a prison, or the vault at a bank.


  • I think it's all downstream from the attitude some older people have that things "in the computer" aren't real so it's okay to be completely ignorant and careless about them. So what that everyone has everyone else's credentials? What's the worst that can happen?



  • @Jaime Automated prisons are now common, but when one of the first ones was opened, a problem that occurred was all of the cell doors opening at once. 😨



  • @izzion Hmphff... At a previous company, the software originally stored passwords without salting them before hashing. Then the head of development decided to change that, and add salting.
    But how to do the upgrade?
    Well, a random salt was generated per user, and an empty string as password was then salted, hashed, and stored...
    Sehh Kyoo Ritty is complicated.
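What that migration actually did to every account, next to the alternative it could have used, as an added example in Go (it is not code from the post or from the company described). It assumes the pre-migration scheme was an unsalted SHA-256 hex digest and uses a hand-written PBKDF2-HMAC-SHA256 as the salted hash; `legacyHash`, `badMigrate`, `wrapMigrate`, `verify` and the iteration count are all the example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const iterations = 20000 // assumed work factor for the example

// legacyHash is the assumed pre-migration scheme: an unsalted SHA-256 hex digest.
func legacyHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 derives a 32-byte key (PBKDF2-HMAC-SHA256, one output block),
// written out here so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): output block index, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

// Record is one user's stored verifier after the migration.
type Record struct {
	Salt    []byte
	Hash    []byte
	Wrapped bool // true while Hash was derived from the legacy digest, not the password
}

// badMigrate reproduces the post: fresh salt, then hash the empty string.
// The stored verifier now matches "" for every user and nobody's real password.
func badMigrate() Record {
	salt := newSalt()
	return Record{Salt: salt, Hash: pbkdf2SHA256([]byte(""), salt, iterations)}
}

// wrapMigrate salts and stretches the legacy digest itself. No plaintext is
// needed, the real password keeps working, and verify upgrades the record to a
// direct salted hash the next time the user logs in successfully.
func wrapMigrate(legacy string) Record {
	salt := newSalt()
	return Record{Salt: salt, Hash: pbkdf2SHA256([]byte(legacy), salt, iterations), Wrapped: true}
}

// verify checks a login attempt against rec and opportunistically upgrades
// wrapped records once the plaintext password is in hand.
func verify(rec *Record, password string) bool {
	input := []byte(password)
	if rec.Wrapped {
		input = []byte(legacyHash(password))
	}
	ok := subtle.ConstantTimeCompare(pbkdf2SHA256(input, rec.Salt, iterations), rec.Hash) == 1
	if ok && rec.Wrapped {
		rec.Salt = newSalt()
		rec.Hash = pbkdf2SHA256([]byte(password), rec.Salt, iterations)
		rec.Wrapped = false
	}
	return ok
}

func main() {
	bad := badMigrate()
	fmt.Println("bad migration, empty password accepted:", verify(&bad, ""))
	fmt.Println("bad migration, real password accepted: ", verify(&bad, "hunter2"))

	good := wrapMigrate(legacyHash("hunter2"))
	fmt.Println("wrapped, empty password accepted:      ", verify(&good, ""))
	fmt.Println("wrapped, real password accepted:       ", verify(&good, "hunter2"))
	fmt.Println("record upgraded to direct hash:        ", !good.Wrapped)
}
```

The wrap-then-upgrade approach is the standard way to add a salt (or move to a slower KDF) without knowing anyone's password; the one cost is that until a user logs in again, an attacker who obtains the database still faces the legacy digest's weakness inside the wrapper, which is why `verify` rehashes directly on the first successful login.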



  • @BernieTheBernie said in You suck at IT, you totally suck:

    a random salt was generated per user, and an empty string as password was then salted, hashed, and stored.

    I can't think of any worse alternative. That's so much worse than even not fixing the original problem.

    Seems like the equivalent of "Hey, the front door to my store is all scratched up. I'll drop it off at the painter and pick it up tomorrow."


  • @Jaime said in You suck at IT, you totally suck:

    I can't think of any worse alternative

    I have very recently experienced a system in which all stored passwords were done in reversible encryption (intentionally, it's a password vault) but in order to get the decryption key you needed to ask an API web server for the key. For the two passwords that might be used to encrypt them. And only one was actually ever used. But! The password to authenticate to that password server? It was stored alongside the encrypted blobs, and everyone retrieved that password on each decryption.

    This has not and likely will not be fixed. See the Lounge.



  • @Tsaukpaetra That's a worse situation, for sure. I was referring to not being able to think of a worse approach to the problem presented.

    I did once encounter an application that stored passwords with this line:

    pwd = Encrypt(valuetheuserentered, "staticvalue")
    

    This was coded in an obscure platform and Encrypt was a method provided by the base library, so no one could answer my question as to what it actually does.

    I did some digging and found out that it uses OpenSSL's crypt function. However, it makes some poor choices. It uses bcrypt, but in ECB mode, so every eight characters is independent and you can find things like "passwords ending in 2023" just by looking at the encrypted data. The static encryption key seed was simply our company name, and the library provides an initialization vector - the same one for every encryption ever done.
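The block independence described in this post, shown as an added example rather than anything from the platform or library in question. It assumes AES-128 in ECB mode (16-byte blocks) standing in for the library's cipher and its 8-byte blocks, PKCS#7 padding, and a made-up static key; the sample passwords are constructed so that shared material lands on block boundaries. `encryptECB` and `equalBlocks` are the example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// staticKey plays the role of the post's "staticvalue": one fixed key used for
// every record (assumed to be 16 bytes so it fits AES-128).
var staticKey = []byte("ExampleCorp-2023")

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB is the behaviour the post describes: each block is encrypted on
// its own with the same key, nothing chains the blocks together and there is
// no per-record randomness. AES-128 stands in for the library's cipher.
func encryptECB(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	pt := pkcs7Pad(plaintext, bs)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// equalBlocks lists the block positions at which two ciphertexts coincide.
// Under ECB an equal ciphertext block means an equal plaintext block, so this
// is exactly what someone holding only the stored values can read off.
func equalBlocks(a, b []byte, size int) []int {
	var out []int
	for i := 0; i+size <= len(a) && i+size <= len(b); i += size {
		if bytes.Equal(a[i:i+size], b[i:i+size]) {
			out = append(out, i/size)
		}
	}
	return out
}

func main() {
	// Constructed sample passwords: the shared 16-byte chunks fall on block boundaries.
	alice := encryptECB(staticKey, []byte("Welcome-to-ACME!2023"))
	bob := encryptECB(staticKey, []byte("Welcome-to-ACME!2024"))
	carol := encryptECB(staticKey, []byte("Welcome-to-ACME!2023"))

	fmt.Println("alice block 0:", hex.EncodeToString(alice[:16]))
	fmt.Println("bob   block 0:", hex.EncodeToString(bob[:16]))
	fmt.Println("alice/bob share a prefix, equal blocks:", equalBlocks(alice, bob, 16))
	fmt.Println("alice/carol same password, identical ciphertext:", bytes.Equal(alice, carol))

	dave := encryptECB(staticKey, []byte("password-padded-expires-Dec-2023"))
	erin := encryptECB(staticKey, []byte("hunter2-padded--expires-Dec-2023"))
	fmt.Println("dave/erin share a suffix, equal blocks:", equalBlocks(dave, erin, 16))
}
```

Two things fall out of the demo that the post's "passwords ending in 2023" observation hints at. First, with a static key there is no need to break the cipher at all: two users with the same password get byte-identical stored values, and any shared aligned chunk shows up as a shared ciphertext block. Second, the padding block leaks too: both 32-byte passwords above end in a full block of 0x10 padding, so their final ciphertext blocks match as well, which tells an attacker that both passwords have a length that is a multiple of the block size. The remedy is not a better mode but a salted, slow password hash; passwords should not be recoverable from storage in the first place.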

