Comment On Encapsulation in the Hot Seat

Santosh K. had seen all the emails about the upcoming code audit.

Re: Encapsulation in the Hot Seat

2013-02-06 12:25 • by Rob (unregistered)
400745 in reply to 400700
imgx64:
TRTWF is the SQL injection.

Don't forget the closing of the ResultSet, PreparedStatement and Connection that will never happen if executing the statement throws an exception. Did Santosh never hear of finally blocks?

Re: Encapsulation in the Hot Seat

2013-02-06 12:48 • by Daniel (unregistered)
400746 in reply to 400696
Is the real wtf that the comment worth featuring wasn't?

Re: Encapsulation in the Hot Seat

2013-02-06 12:48 • by Andrew (unregistered)
The auditor was reasonable, supportive, and actually correct about our protagonist's code, and he learned something by trying to justify his design to someone else.

Where's the WTF, TRWTF, and the PHB?!

Re: Encapsulation in the Hot Seat

2013-02-06 12:49 • by chubertdev
400748 in reply to 400744
C-Derb:
I was about to argue that women absolutely cannot hold their bladder longer than men, then I saw that I would be arguing with Nagesh.

Carry on.


Maybe he hangs out with whales.

Re: annoying password expiration

2013-02-06 12:53 • by Bruce W
400749 in reply to 400742
snoofle:
Interesting. I too, use an algorithm. I have 24 passwords I rotate through. Starting with "Z", go diagonally up, over one and down the next row, capitalizing the first letter encountered. For example: Zaq12wsx. The next password change, start with X, then C, V, B and finally N. Then do the same thing in reverse, but diagonally the other way: Zse45rdx. Then repeat, but from the numbers down and back up: 1Qazxsw2, ..., 0Okmnji9. If you need a character from !, @, #, ..., (, ), just use it as the first (last) character, depending upon which end of the keyboard from which you start.

It's pretty secure as I can't even remember them unless I'm looking at a keyboard, but trivial to type. And even when I tell someone what the current password is, they invariably get it wrong.

The best part is all you have to remember is the starting character and which way to zig-zag.



Note to self - add Snoofle's 24 passwords to rainbow table.

Re: Encapsulation in the Hot Seat

2013-02-06 13:00 • by Zylon
Snoofle, you're on a computer, not a typewriter. It's okay to use italics instead of is-that-a-hyperlink-oh-no-it's-just-an-underline underlines now.

Re: Encapsulation in the Hot Seat

2013-02-06 13:06 • by ubersoldat
400751 in reply to 400750
I had to read the story two times to understand who was talking when. And at the end TWTF is not from the auditor? I don't like that.


On the other hand, if I was that auditor I wouldn't even have wasted my time explaining to Santosh how stupid his getters were and what an awful PoS all that code is.

Re: annoying password expiration

2013-02-06 13:14 • by Nagesh
400752 in reply to 400739
Peter:
Scott:
Andy:
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."

If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Auditors like this drove the final nail in any chance of remembering your password. Thanks to them, I haven't known any of my passwords in 5 years, except the passwords I need to get to my password vault.

Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.


Password validation algorithms force password generation algorithms. Here's mine:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example)

3. Spell the first two letters of the word chosen in #1, phonetically (e.g.: Alpha Bravo)

4. Insert the separator sequence between the two phonetics

5. When password change time comes, use the next two letters in "the word", and the same separator characters.

Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.


Ask KeePass to generate a password once every 30 days.
Keep it simple, silly!

Re: Encapsulation in the Hot Seat

2013-02-06 13:15 • by Nagesh
400753 in reply to 400744
C-Derb:
Nagesh:
QJo:
So the real WTF is not going to the lavatory immediately before the code review? That's Meeting 101.


Correct as great swami always say - He who can hold bladder for longest time will win argument. That is why women win most arguments.

I was about to argue that women absolutely cannot hold their bladder longer than men, then I saw that I would be arguing with Nagesh.

Carry on.


is clear that swamiji and you're on different astral plain. in my company women beat mean at this game every time. coffee or not no make difference.

Re: Encapsulation in the Hot Seat

2013-02-06 13:16 • by Nagesh
400754 in reply to 400748
chubertdev:
C-Derb:
I was about to argue that women absolutely cannot hold their bladder longer than men, then I saw that I would be arguing with Nagesh.

Carry on.


Maybe he hangs out with whales.


Hey don't judge fat women!

Re: Encapsulation in the Hot Seat

2013-02-06 13:24 • by Xaser (unregistered)
Today's article rubs me the wrong way. The code is feature-worthy, but the presentation is all backwards: why is the story not written from the submitter's perspective (and the wrong name bolded)? It reads really awkwardly as a result, especially after checking the comments and finding out it wasn't a confession post.

I'm being a whiny arse, of course, but I was similarly un-thrilled with yesterday's article for various reasons (confusing presentation and unclear ending) and I'm hoping this doesn't mark a shift away from the TDWTF we all know and love. TRWTF would be if this trend continues. :P

On second thought, though, perhaps I should be thankful. Without these two articles, mmmok's comment on p.1 wouldn't exist, which provided the heartiest laugh I've had all week.

Re: Encapsulation in the Hot Seat

2013-02-06 13:34 • by snoofle
400756 in reply to 400755
Xaser:
...finding out it wasn't a confession post...
It actually was a confession - the guy nearly broke down after being forced to explain his code to the entire team. It was just related by me from his perspective.

Re: Encapsulation in the Hot Seat

2013-02-06 13:51 • by Anon (unregistered)
400757 in reply to 400710
snoofle:
Andy:
What kind of auditor is this?

I was the auditor. Santosh is on my team and sits nearby. Nobody likes this guy, mostly because he talks the talk, but codes like this (actual, unaltered code presented). I was doing a routine code review, stumbled upon his latest creation and showed it to our boss who insisted on the public code review, in front of the whole team!


Wait...then how do you know so much about the current status of Santosh's bladder? Is this a thing where you work?

Re: Encapsulation in the Hot Seat

2013-02-06 13:52 • by Anon (unregistered)
400758 in reply to 400703
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security. And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.

And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.

It's cargo-cult logic.


Good point. This is why I change my password every 5 minutes.

Re: Encapsulation in the Hot Seat

2013-02-06 13:54 • by SomeCoder (unregistered)
Is it bad that this code - presumably from Snoofle's intern - looks like the regular stuff coded up by our SENIOR ENGINEERS/ARCHITECTS at my work?

*SIGH*

Re: Encapsulation in the Hot Seat

2013-02-06 14:09 • by snoofle
400760 in reply to 400757
Anon:
Wait...then how do you know so much about the current status of Santosh's bladder? Is this a thing where you work?
The dance

Re: Encapsulation in the Hot Seat

2013-02-06 14:16 • by mihi
And:

Using a String array instead of an object with named fields to store the messages.

Use "stringly typed enums" for deciding which action to perform.

Using equalsIgnoreCase for comparing the (upper case) string values in case you forget to press the Shift key later.

Re: Encapsulation in the Hot Seat

2013-02-06 14:16 • by Evan (unregistered)
I just start with hunter2 and increment the ending number.

Re: Encapsulation in the Hot Seat

2013-02-06 14:42 • by DrPepper
Oh, I'm safe, all my code has been in Production and working fine, surely someone would have complained!

How many times I've made the same invocation!!!

Seriously, didn't anyone ask this person for a code sample before hiring them?

Re: Encapsulation in the Hot Seat

2013-02-06 14:51 • by Matt Westwood
400765 in reply to 400729
Santosh:
After that, I resigned in disgrace and felt obligated to commit ritual suicide. My family in India starved when the money stopped coming in, but it's OK because it gave the family living in the adjacent cardboard box some fresh protein to eat.

I thought I was doing great! I mean, the code compiled. Do you have any idea how much effort I put into getting just that far?


It's a fuck of a lot bloody further than the shit that one of my arsebrained colleagues used to check into our codebase.

Re: Encapsulation in the Hot Seat

2013-02-06 15:21 • by Geoff (unregistered)
400766 in reply to 400758
Guys, you know there is more than one type of risk associated with passwords, right? Mostly they are an identity mechanism, and most systems are still single factor.

It's true 'external' brute force attempts are easy to detect and defend against. What about offline attacks? Most of the time password resets/changes are logged, and modifying a password store or even the reading of it by any unusual process might also be logged, but not recovering it from a backup tape etc. So there may be a number of IT administrative people in an org that at least on occasion have access to this data.

Password rotation is an important control. If I can get the passwd/shadow/SAM etc. file off a machine I can brute force the password undetectably, but assuming they are of a decent length and complexity it will take weeks or months. Once I have one of these passwords I can use the identity of that individual as much as I like with little chance of any audit mechanism showing conclusively that it's someone other than the account owner performing these activities, let alone producing conclusive evidence of who the perp is. Further, other controls might be effectively thwarted: perhaps someone who is not on the insiders' SEC list can now access insider data, etc.

This is one hole password rotation + complexity can at least help to close.

Re: Encapsulation in the Hot Seat

2013-02-06 15:52 • by WhatsMyName (unregistered)
400767 in reply to 400766
correcthorsebatterystaple

Enough said

Re: Encapsulation in the Hot Seat

2013-02-06 16:23 • by Dann of Thursday (unregistered)
400770 in reply to 400762
Evan:
I just start with hunter2 and increment the ending number.


How did you know my password?!

Re: Encapsulation in the Hot Seat

2013-02-06 16:30 • by Spits Coffee Through His Nose (unregistered)
...all my code has been in Production and...


“Just remember - after you’re hired when your internship is over,...


*faint*

Re: Encapsulation in the Hot Seat

2013-02-06 16:39 • by pn (unregistered)
400772 in reply to 400756
snoofle:
It actually was a confession - the guy nearly broke down after being forced to explain his code to the entire team. It was just related by me from his perspective.
Since a few years ago, all code in our shop goes through peer review before it gets merged into the mainline. It does wonders even when there are no interns in the team.

Re: Encapsulation in the Hot Seat

2013-02-06 17:00 • by david (unregistered)
400773 in reply to 400715
portablejim:

How about if the hashes (especially salted ones) are compromised instead of the passwords themselves?


(a) I think you mean "especially unsalted" instead of "salted" in which case just go out back and shoot yourself. Salting is easy, there is no excuse for not salting.

(b) If your concern is that someone may spend months trying to crack a salted hashed password then just increase the number of hashing rounds by a magnitude or two. If you are concerned that someone will spend years trying to crack a salted hashed password... you are the NSA and have other weaknesses to spend your time on.

Re: Encapsulation in the Hot Seat

2013-02-06 17:07 • by Chris Lively (unregistered)
WTFs not previously mentioned
1. Potential leaked sql connections - no using statements and lack of try..catch/finally clauses near where the error will occur.
2. Badly named method: "selectQuantityFromDB" may as well have named it: SelectCountFromAnyTableHopeItDoesntBlow
3. Potential SQL injections in "selectQuantityFromDB"
4. Complete lack of parameter checking in "selectQuantityFromDB".
5. Impossible to debug SQL due to using that dumb ass "selectQuantityFromDB" method.
6. Threading for apparently no other reason than because it looks cool.

That last sentence of the Auditor should have been:
"Just remember - Never be afraid to ask for help from your next employer."
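Rob's point near the top of the thread (the ResultSet, PreparedStatement and Connection are never closed if executing the statement throws) and Chris Lively's list just above (leaked connections, SQL injection, no parameter checking) describe the same helper. The article's code is not reproduced on this page, so the class below is an added illustration, not Santosh's code or snoofle's: a method in the shape the thread criticises, next to a hardened version. The `DataSource`, the table and column names in the allow-list, and the method signature are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;
import javax.sql.DataSource;

/**
 * Added example (not the article's code): a "selectQuantityFromDB"-style helper
 * in the shape the comments criticise, beside a hardened version.
 * The DataSource and the table/column names are assumptions for illustration.
 */
public final class QuantityDao {

    private final DataSource dataSource;   // assumed: an injected connection pool

    public QuantityDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // ---- The pattern the thread complains about (kept only for contrast) ---
    // 1. SQL built by concatenation: 'value' can rewrite the query.
    // 2. Nothing is closed if executeQuery() throws: the Connection,
    //    PreparedStatement and ResultSet leak from the pool (Rob's point).
    // 3. Any table or column name at all is accepted (no parameter checking).
    public int selectQuantityFromDbUnsafe(String table, String column, String value)
            throws SQLException {
        Connection conn = dataSource.getConnection();
        PreparedStatement ps = conn.prepareStatement(
                "SELECT COUNT(*) FROM " + table + " WHERE " + column + " = '" + value + "'");
        ResultSet rs = ps.executeQuery();
        rs.next();
        int count = rs.getInt(1);
        rs.close();
        ps.close();
        conn.close();          // never reached when an exception was thrown above
        return count;
    }

    // ---- Hardened form -----------------------------------------------------
    // Identifiers (table, column) cannot be bound with '?', so they are checked
    // against a fixed allow-list; only the value is bound as a parameter.
    private static final Map<String, Set<String>> ALLOWED_COLUMNS = Map.of(
            "orders",    Set.of("status", "customer_id"),
            "inventory", Set.of("sku", "warehouse"));

    public int selectQuantityFromDb(String table, String column, String value)
            throws SQLException {
        // Parameter checking: reject anything outside the allow-list up front.
        Set<String> columns = ALLOWED_COLUMNS.get(table);
        if (columns == null || !columns.contains(column)) {
            throw new IllegalArgumentException("table/column not permitted");
        }
        if (value == null) {
            throw new IllegalArgumentException("value must not be null");
        }
        // Identifiers come from the allow-list, so this concatenation is safe;
        // the caller-supplied value is the '?' placeholder.
        String sql = "SELECT COUNT(*) FROM " + table + " WHERE " + column + " = ?";

        // try-with-resources closes rs, ps and conn in reverse order whether or
        // not executeQuery() throws: the same guarantee an explicit finally gives.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, value);            // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new SQLException("COUNT(*) returned no row");
                }
                return rs.getInt(1);
            }
        }
    }
}
```

The hardened method is also synchronous: the count is returned to the caller rather than computed on a spawned thread, which removes the "threading because it looks cool" item from the list without losing anything.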

Re: Encapsulation in the Hot Seat

2013-02-06 17:20 • by Tim (unregistered)
400776 in reply to 400723
Shawn H Corey:
Yes the biggest problem with the education system is its stress on individual effort. There is nothing more upsetting than to find that a recent grad spent a week working on a problem which is already solved in your code base. Homework is for school, not the real world. Ask before you do things on your own.


I can think of two things more upsetting off the top of my head.

1. Finding that a senior developer spent a week working on a problem that is already solved in your code base, and them then refusing to refactor to use the better of the two solutions.

2. Finding that you just spent a week working on a problem that is already solved in your code base. Bonus points if the existing solution is better than your solution.

Note that #2 is different to discovering that the problem is already solved badly in your code base and you spend a week improving it.

Re: Encapsulation in the Hot Seat

2013-02-06 18:05 • by someone (unregistered)
400778 in reply to 400703
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security. And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.


On the other hand, I hacked a system two years ago and still have full access to everything (from webserver over NAS to switches), because none of them have changed their password...

And how did I hack them? A file traversal bug in one of their custom-written CGI scripts that let me view a 3 year old database dump. Which contained the unchanged webadmin password...

Re: annoying password expiration

2013-02-06 18:45 • by bambam (unregistered)
400779 in reply to 400739
Peter:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

I prefer to use the color burnt umber in my passwords.

Re: annoying password expiration

2013-02-06 18:50 • by F (unregistered)
400780 in reply to 400739
Peter:
Scott:
Andy:
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."

If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Auditors like this drove the final nail in any chance of remembering your password. Thanks to them, I haven't known any of my passwords in 5 years, except the passwords I need to get to my password vault.

Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.


Password validation algorithms force password generation algorithms. Here's mine:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example)

3. Spell the first two letters of the word chosen in #1, phonetically (e.g.: Alpha Bravo)

4. Insert the separator sequence between the two phonetics

5. When password change time comes, use the next two letters in "the word", and the same separator characters.

Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.

... and where you have got to in the series. Or do you expect the login routine to allow several dozen failed attempts?

Re: Encapsulation in the Hot Seat

2013-02-06 19:26 • by Norman Diamond (unregistered)
400781 in reply to 400722
Coyne:
But that doesn't mean you should be afraid of good auditors (except at the IRS).
No exception. If the "IRS" had good auditors, they'd pay refunds owing to honest people. You need to be afraid of their non-good non-auditors who steal, make false allegations, conceal facts until court cases are under way, destroy records, submit perjured declarations, and prove how much damage they can do to honest people. I'll take audits any day.

Re: Encapsulation in the Hot Seat

2013-02-06 19:36 • by Norman Diamond (unregistered)
400782 in reply to 400758
Anon:
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security. And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.

And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.

It's cargo-cult logic.
Good point. This is why I change my password every 5 minutes.
I WEP'ed when I read that.

Re: Encapsulation in the Hot Seat

2013-02-06 19:37 • by Curtis P (unregistered)
400783 in reply to 400723
Is this your own observation, or one you culled from elsewhere? It may well be the most cogent thought I have ever seen on the art of programming.

Re: annoying password expiration

2013-02-06 19:43 • by Curtis P (unregistered)
400784 in reply to 400779
bambam:
Peter:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

I prefer to use the color burnt umber in my passwords.


I prefer umber hulks.

Re: Encapsulation in the Hot Seat

2013-02-06 20:07 • by noname (unregistered)
400786 in reply to 400703
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security. And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.

And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.

It's cargo-cult logic.
Depends what you mean by "study"....

I've seen a lot of literature online talking about the increased vulnerability (people select easier passwords, or write them down), increased cost (people keep locking their accounts) etc.

One of the most interesting ones I've read even tried to assess the situation where a "bad guy" was in the process of brute forcing and a password was changed, whether it would increase, decrease or not affect the likelihood of an eventual breach.

For accounts that lock after x failed attempts, brute forcing is pretty effectively stopped (I suppose it would be possible for someone to try once a day on the assumption that a user will have a successful login in between or something, but for brute force that makes for a LOOOOOONG time anyways).

For situations where people are playing rainbow table games, the system must already be compromised to some degree to have leached the hashes....and (as someone else pointed out) the only benefit of expiration is in the case that your account is already breached....Incidentally, I don't think secure passwords are particularly resistant to rainbow table attacks - because hashes are not unique - of course a well salted hash makes these a lot more difficult....YUM

But I increasingly learn that there are certain types who enjoy arbitrary rules. These are usually (not always) the people who you work with who really make you wonder whether qualifications were on sale at the flea market. They tend to obsess on the letter of the law rather than the spirit of the law, because they understand what the rule is, not why the rule exists. They also thrive on process - because you don't need to think - you just become a process automaton. For some reason (possibly because there's a certain necessity for rules) they seem to end up in management, security and audits.....

Oh, they also love metrics - and you can often get them off your case by giving them some fun meaningless number puzzle to work on (like calculating number bugs vs number potential bugs - SixSigma...oh yeah).

Our security dept is like that. We have an obsession with expiring passwords - on systems that are only connected to the outside world through other theoretically impenetrable systems. If someone is brute forcing my account on this account, then they must have already breached a network that (we'd like to think) is pretty secure.....

Re: Encapsulation in the Hot Seat

2013-02-06 20:23 • by Jacker (unregistered)
400788 in reply to 400778
someone:
I have hacked a system two years ago and still have full access to everything (from webserver over NAS to switches), because no one of them has changed their password.
If you were a competent hacker, changing passwords wouldn't do a thing to you. They'd have to erase everything and reinstall from trusted offline media.

So changing passwords every 5 minutes wouldn't help, once you're in.

Re: Encapsulation in the Hot Seat

2013-02-06 20:39 • by jum (unregistered)
400789 in reply to 400710
snoofle:
Andy:
What kind of auditor is this?

I was the auditor. Santosh is on my team and sits nearby. Nobody likes this guy, mostly because he talks the talk, but codes like this (actual, unaltered code presented). I was doing a routine code review, stumbled upon his latest creation and showed it to our boss who insisted on the public code review, in front of the whole team!
Then:
1) Why is his name bold?
2) How on earth did you know what he was thinking?

You're becoming one of THEM....

Re: annoying password expiration

2013-02-06 20:48 • by fe (unregistered)
400790 in reply to 400739
Peter:
Scott:
Andy:
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."

If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Auditors like this drove the final nail in any chance of remembering your password. Thanks to them, I haven't known any of my passwords in 5 years, except the passwords I need to get to my password vault.

Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.


Password validation algorithms force password generation algorithms. Here's mine:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example)

3. Spell the first two letters of the word chosen in #1, phonetically (e.g.: Alpha Bravo)

4. Insert the separator sequence between the two phonetics

5. When password change time comes, use the next two letters in "the word", and the same separator characters.

Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.

http://www.howsecureismypassword.net/

Alpha!23Bravo
scores: 26 Million years...that's not bad

Re: Encapsulation in the Hot Seat

2013-02-06 20:50 • by Meep (unregistered)
400791 in reply to 400703
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security.


Has there even been a study to figure out what counts as an improvement? I mean, how do you even measure this stuff? Presumably I'm running some firm and we have a mission that is, over a certain period, worth something. When we implement a security policy, we lose an amount of productivity worth S, but it either reduces the likelihood of an expected attack or the severity of the damage of that attack, such that our overall expected losses are less by T. If we can show that S < T, we win.

And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.

And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.

It's cargo-cult logic.


It sort of makes sense if someone wants to lurk quietly and snarf up data. On a secured military network for instance, or maybe a corporate network.

That said, if an attacker can get into such a network, they're far better off setting up a backdoor than reusing your password.

For most of our important passwords, such as with financial institutions, it makes no sense at all. They're going to empty your accounts the instant they're in.

Re: annoying password expiration

2013-02-06 20:50 • by fe (unregistered)
400792 in reply to 400742
snoofle:
Peter:
Scott:
Andy:
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."

If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Auditors like this drove the final nail in any chance of remembering your password. Thanks to them, I haven't known any of my passwords in 5 years, except the passwords I need to get to my password vault.

Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.


Password validation algorithms force password generation algorithms. Here's mine:

1. Pick a word whose letter count is greater than 2x then umber of previous passwords the algorithm remembers

2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example)

3. Spell the first two letters of the word chosen in #1, phonetically (e.g.: Alpha Bravo)

4. Insert the separator sequence between the two phonetics

5. When password change time comes, use the next two letters in "the word", and the same separator characters.

Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.

Interesting. I too, use an algorithm. I have 24 passwords I rotate through. Starting with "Z", go diagonally up, over one and down the next row, capitalizing the first letter encountered. For example: Zaq12wsx. The next password change, start with X, then C, V, B and finally N. Then do the same thing in reverse, but diagonally the other way: Zse45rdx. Then repeat, but from the numbers down and back up: 1Qazxsw2, ..., 0Okmnji9. If you need a character from !, @, #, ..., (, ), just use it as the first (last) character, depending upon which end of the keyboard from which you start.

It's pretty secure as I can't even remember them unless I'm looking at a keyboard, but trivial to type. And even when I tell someone what the current password is, they invariably get it wrong.

The best part is all you have to remember is the starting character and which way to zig-zag.


Zaq12wsx scores "instantly"
Zse45rdx scores 15 hours

Re: Encapsulation in the Hot Seat

2013-02-06 20:56 • by Chekov's Gun (unregistered)
400793 in reply to 400694
I was going to write a longer response, but oops, gotta go...

Re: Encapsulation in the Hot Seat

2013-02-06 21:07 • by Mitch (unregistered)
400794 in reply to 400791
Meep:
Remy Porter:
And fun fact: there's never actually been a study done to see if frequent password changes actually improve security.


Has there even been a study to figure out what counts as an improvement? I mean, how do you even measure this stuff? Presumably I'm running some firm and we have a mission that is, over a certain period, worth something. When we implement a security policy, we lose an amount of productivity worth S, but it either reduces the likelihood of an expected attack or the severity of the damage of that attack, such that our overall expected losses are less by T. If we can show that S < T, we win.

And there's no reason to think it would- at best, you're revoking an already compromised password. But on a 90 day password cycle, that means you have an average of 45 days of unfettered access. On a 30-day password cycle, it's an average of 15.

And what's the average amount of time an attacker needs to exploit a compromised password? I'm sure it varies, but I can guarantee that the number isn't measured in days.

It's cargo-cult logic.


It sort of makes sense if someone wants to lurk quietly and snarf up data. On a secured military network for instance, or maybe a corporate network.

That said, if an attacker can get into such a network, they're far better off setting up a backdoor than reusing your password.

For most of our important passwords, such as with financial institutions, it makes no sense at all. They're going to empty your accounts the instant they're in.

I think customers of financial institutions are relatively small fry. A hacker who can get in far enough to start brute forcing a password file is probably not interested in the small fry.
Of course, an insider is a threat, though, because they may have access to the password file (to brute force it). They also may understand banking better and have ideas about lots of small unnoticeable thefts vs larger ones (stealing from individuals is less risk than stealing from the organisation - because the organisation will typically not believe the individual, so they have a massive battle to even get the bank interested that $20 is missing from their account).

CAPTCVHA: Appellatio....never mind

Re: annoying password expiration

2013-02-06 23:03 • by Norman Diamond (unregistered)
400797 in reply to 400792
http://www.howsecureismypassword.net/:
How Secure Is My Password?
一二三四五六七八九十九八七六五四三二一
It would take a desktop PC about 0 seconds to crack your password
Length: Long
Your password is over 16 characters long. It should be pretty safe.
Character Variety: Non-Standard Character
Your password contains a non-keyboard character. This should make it more secure.
If safe and secure would take about 0 seconds to crack, how long would dumber passwords take?

Re: annoying password expiration

2013-02-06 23:08 • by Bill C. (unregistered)
the president's daughter
would take
37 sextillion years
to crack.
You sure that makes her safe?

Re: Encapsulation in the Hot Seat

2013-02-06 23:36 • by Kef Schecter (unregistered)
400800 in reply to 400712
darkmattar:
He didn't post his own WTF. Snoofle (author) is the auditor.

Then maybe whoever edited the article shouldn't have put Santosh's name in bold, considering how, in every other article, the name in bold corresponds to the submitter.

Re: Encapsulation in the Hot Seat

2013-02-07 01:21 • by Scarlet Manuka
400801 in reply to 400694
QJo:
It reminds me of a novel I read some time ago (can't remember what, might have been Michael Moorcock) where it was pointed out that the protagonist was fairly desperate to void his bladder. And that was the last time the matter was mentioned. For the whole of the rest of the book your legs were crossed for the poor guy.

This reminds me of the bit in "Mostly Harmless" about the book where the protagonist suddenly dies of thirst about two thirds of the way through, due to a problem with the plumbing that was mentioned near the beginning.

Re: annoying password expiration

2013-02-07 02:46 • by Swedish tard (unregistered)
400803 in reply to 400739
Peter:
Scott:
Andy:
What kind of auditor is this? Most auditors I've encountered just say things like "your passwords aren't being changed every 30 days."

If you ask "why 30 days and not 90?" they reply "because that's what it says on my checklist here."
Auditors like this drove the final nail in any chance of remembering your password. Thanks to them, I haven't known any of my passwords in 5 years, except the passwords I need to get to my password vault.

Talk about a high-risk target! And it didn't exist, until the auditors forced it on me.


Password validation algorithms force password generation algorithms. Here's mine:

1. Pick a word whose letter count is greater than 2x the number of previous passwords the algorithm remembers

2. Pick a separator character sequence that includes whatever characters the password validation algorithm requires (one special character and two numbers, for example)

3. Spell the first two letters of the word chosen in #1, phonetically (e.g.: Alpha Bravo)

4. Insert the separator sequence between the two phonetics

5. When password change time comes, use the next two letters in "the word", and the same separator characters.

Saves me from trying to remember a new password every 30 days, and is "unique enough" to pass the automated filter. All I have to remember is the original word and the separator sequence.


I just use a chronologically ascending list of women I've had sex with, appended with a quasirandom sequence of characters (same every time).
Never have any problems. Plus, I can keep a post-it with the passwords on my monitor, sans the quasirandom sequence, and it looks like a random list of female names.
Even if someone got the list, it's just a bunch of names, with no clue as to what name is used as a password where, and even if they managed to figure that out, the quasirandom sequence exists only in my head...
Otoh, a half decent keylogger would work any password out in no time... And there are hardware loggers that no software scanner can detect. I'm even fairly sure I've seen adverts for hardware keyloggers that are capable of phoning home.

Re: annoying password expiration

2013-02-07 03:31 • by Steve The Cynic
400804 in reply to 400792
fe:
The best part is all you have to remember is the starting character and which way to zig-zag.

Zaq12wsx scores "instantly"
Zse45rdx scores 15 hours
Curiously, on my keyboard, the first has jumps and shifts in the middle, but is otherwise moderately zigzaggy, while the second is south, NE, NE, E, SW, SW, SW. I despise AZERTY keyboards, except when I can poke fun at people assuming the whole world uses US-QWERTY[*].

[*] I note in passing that most of these people aren't aware that UK-QWERTY differs in a number of significant ways, and that they also aren't old enough to have used a Commodore-64, which had a modified UK-QWERTY layout even in the US.

Re: annoying password expiration

2013-02-07 04:12 • by Steve The Cynic
400805 in reply to 400742
snoofle:
It's pretty secure as I can't even remember them unless I'm looking at a keyboard, but trivial to type. And even when I tell someone what the current password is, they invariably get it wrong.

The best part is all you have to remember is the starting character and which way to zig-zag.

It also helps to remember the keyboard layout you used. If I used your algorithm on my keyboard, I'd get different passwords.

First: Zé"edcvf (assuming you zigzag again at the bottom and you don't use spaces)
Second: Z"'eswxd

Key point: on AZERTY keyboards, the top-row keys require shift to get the numbers. And the so-called Caps Lock key also affects the top-row keys. And square brackets, hashes, backslashes, carets, and braces all require AltGr. I despise this layout, but I use it so I don't have problems between my machines and those of colleagues, nor between work and home. QWERTY keyboards are hard to find in France.
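A keyboard-walk check of the kind the strength-testing site in this thread is evidently applying, written here as an added example (not code from the thread or from howsecureismypassword.net) with simplified, constructed QWERTY and AZERTY rows: the same "zig-zag" string scores as a complete walk on one layout and not on the other, which is why a password policy filter has to know which layout the user actually types on.

```python
from typing import Dict, Tuple

# Unshifted key rows, left to right, top (digit row) to bottom. Constructed
# approximation of the physical layouts; the extra bottom-left '<' key of ISO
# AZERTY boards is omitted so both layouts stagger the same way.
QWERTY_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
AZERTY_ROWS = ["&é\"'(-è_çà)=", "azertyuiop^$", "qsdfghjklmù*", "wxcvbn,;:!"]
# Shifted symbol -> unshifted character printed on the same physical key
# (on AZERTY the digits themselves are the shifted symbols).
QWERTY_SHIFT = dict(zip("!@#$%^&*()", "1234567890"))
AZERTY_SHIFT = dict(zip("1234567890", "&é\"'(-è_çà"))
LAYOUTS = {"qwerty": (QWERTY_ROWS, QWERTY_SHIFT), "azerty": (AZERTY_ROWS, AZERTY_SHIFT)}


def key_positions(rows, shift) -> Dict[str, Tuple[float, int]]:
    """Map each character to an (x, row) coordinate. Each row sits half a
    key further right than the row above, mimicking the physical stagger."""
    pos = {}
    for r, row in enumerate(rows):
        for c, ch in enumerate(row):
            pos[ch] = (c + 0.5 * r, r)
    for sym, base in shift.items():
        pos[sym] = pos[base]
    return pos


def walk_fraction(password: str, layout: str = "qwerty") -> float:
    """Fraction of consecutive character pairs that sit on touching keys
    (same row, or one row apart and at most one key sideways). 1.0 means the
    whole password is a keyboard walk. Case is ignored: shift does not move
    the key, it only changes the symbol produced."""
    rows, shift = LAYOUTS[layout]
    pos = key_positions(rows, shift)
    chars = password.lower()
    pairs = list(zip(chars, chars[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for p, q in pairs:
        if p in pos and q in pos:
            (xp, rp), (xq, rq) = pos[p], pos[q]
            if abs(rp - rq) <= 1 and abs(xp - xq) <= 1.0:
                adjacent += 1
    return adjacent / len(pairs)


def is_keyboard_walk(password: str, layout: str = "qwerty", threshold: float = 0.8) -> bool:
    """Policy check: reject a password that is mostly a walk on this layout."""
    return walk_fraction(password, layout) >= threshold


if __name__ == "__main__":
    for pw in ("Zaq12wsx", "Zse45rdx", "Tr0ub4dor&3"):
        print(pw, {name: round(walk_fraction(pw, name), 2) for name in LAYOUTS})
```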