Admin
Is the real wtf that the comment worth featuring wasn't?
Admin
The auditor was reasonable, supportive, and actually correct about our protagonist's code, and he learned something by trying to justify his design to someone else.
Where's the WTF, TRWTF, and the PHB?!
Admin
Maybe he hangs out with whales.
Admin
Note to self - add Snoofle's 24 passwords to rainbow table.
Admin
Snoofle, you're on a computer, not a typewriter. It's okay to use italics instead of is-that-a-hyperlink-oh-no-it's-just-an-underline underlines now.
Admin
I had to read the story two times to understand who was talking when. And at the end TWTF is not from the auditor? I don't like that.
On the other hand, if I was that auditor I wouldn't even have wasted my time explaining to Santosh how stupid his getters were and what an awful PoS all that code is.
Admin
Ask KeePass to generate a password once every 30 days. Keep it simple, silly!
Admin
It is clear that swamiji and you are on different astral planes. In my company women beat men at this game every time. Coffee or not, it makes no difference.
Admin
Hey don't judge fat women!
Admin
Today's article rubs me the wrong way. The code is feature-worthy, but the presentation is all backwards: why is the story not written from the submitter's perspective (and the wrong name bolded)? It reads really awkwardly as a result, especially after checking the comments and finding out it wasn't a confession post.
I'm being a whiny arse, of course, but I was similarly un-thrilled with yesterday's article for various reasons (confusing presentation and unclear ending) and I'm hoping this doesn't mark a shift away from the TDWTF we all know and love. TRWTF would be if this trend continues. :P
On second thought, though, perhaps I should be thankful. Without these two articles, mmmok's comment on p.1 wouldn't exist, which provided the heartiest laugh I've had all week.
Admin
Wait...then how do you know so much about the current status of Santosh's bladder? Is this a thing where you work?
Admin
Good point. This is why I change my password every 5 minutes.
Admin
Is it bad that this code - presumably from Snoofle's intern - looks like the regular stuff coded up by our SENIOR ENGINEERS/ARCHITECTS at my work?
SIGH
Admin
And:
Using a String array instead of an object with named fields to store the messages.
Use "stringly typed enums" for deciding which action to perform.
Using equalsIgnoreCase for comparing the (upper case) string values in case you forget to press the Shift key later.
Admin
I just start with hunter2 and increment the ending number.
Admin
How many times I've made the same invocation!!!
Seriously, didn't anyone ask this person for a code sample before hiring them?
Admin
It's a fuck of a lot bloody further than the shit that one of my arsebrained colleagues used to check into our codebase.
Admin
Guys, you know there is more than one type of risk associated with passwords, right? Most of the time they are an identity mechanism, and most systems are still single factor.
It's true 'external' brute force attempts are easy to detect and defend against, but what about offline attacks? Most of the time password resets/changes are logged, and modifying a password store or even the reading of it by any unusual process might also be logged, but not recovering it from a backup tape etc. So there may be a number of IT administrative people in an org that at least on occasion have access to this data.
Password rotation is an important control. If I can get the passwd/shadow/SAM etc. file off a machine I can brute force the password undetectably, but assuming they are of a decent length and complexity it will take weeks or months. Once I have one of these passwords I can use the identity of that individual as much as I like with little chance of any audit mechanism showing conclusively that it's someone other than the account owner performing these activities, let alone producing conclusive evidence of who the perp is. Therefore other controls might be effectively thwarted: perhaps someone who is not on the insiders' SEC list can now access insider data, etc.
This is one hole password rotation + complexity can at least help to close.
Admin
correcthorsebatterystaple
Enough said
Admin
How did you know my password?!
Admin
faint
Admin
(a) I think you mean "especially unsalted" instead of "salted" in which case just go out back and shoot yourself. Salting is easy, there is no excuse for not salting.
(b) If your concern is that someone may spend months trying to crack a salted hashed password then just increase the number of hashing rounds by a magnitude or two. If you are concerned that someone will spend years trying to crack a salted hashed password... you are the NSA and have other weaknesses to spend your time on.
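The salt-plus-work-factor approach the comment above describes, as an added Python example (not code from the original thread). The stored record format `pbkdf2_sha256$iterations$salt$hash` and the helper names are assumptions chosen here; the point is that the salt defeats precomputed tables and the iteration count, stored beside the hash, can be raised later without touching existing passwords until their next login.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Storage format is an assumption chosen for this example:
# "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random 16-byte salt (or the given one) and a tunable work factor."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and round count stored beside the hash; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """True when a record was hashed with fewer rounds than the current policy demands."""
    return int(stored.split("$")[1]) < min_iterations


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Approximate cost of testing one candidate password at this work factor."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Same password for two users: different salts, different stored hashes, so a
    # table precomputed for one salt says nothing about the other.
    a = hash_password("correct horse battery staple", 100_000)
    b = hash_password("correct horse battery staple", 100_000)
    print(a != b, verify_password("correct horse battery staple", a))
    # Raising the round count by a magnitude raises per-guess cost by about a magnitude.
    for n in (10_000, 100_000):
        print(n, f"{seconds_per_guess(n) * 1e3:.1f} ms per guess")
```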
Admin
WTFs not previously mentioned
That last sentence of the Auditor should have been: "Just remember - Never be afraid to ask for help from your next employer."
Admin
I can think of two things more upsetting off the top of my head.
Finding that a senior developer spent a week working on a problem that is already solved in your code base, and them then refusing to refactor to use the better of the two solutions.
Finding that you just spent a week working on a problem that is already solved in your code base. Bonus points if the existing solution is better than your solution.
Note that #2 is different to discovering that the problem is already solved badly in your code base and you spend a week improving it.
Admin
On the other hand, I hacked a system two years ago and still have full access to everything (from webserver over NAS to switches), because none of them has changed their password...
And how did I hack them? A file traversal bug in one of their custom written CGI scripts that let me view a 3 year old database dump, which contained the unchanged webadmin password...
Admin
Is this your own observation, or one you culled from elsewhere? It may well be the most cogent thought I have ever seen on the art of programming.
Admin
I prefer umber hulks.
Admin
I've seen a lot of literature online talking about the increased vulnerability (people select easier passwords, or write them down), increased cost (people keep locking their accounts) etc.
One of the most interesting ones I've read even tried to assess the situation where a "bad guy" was in the process of brute forcing and a password was changed, and whether it would increase, decrease or not affect the likelihood of an eventual breach.
For accounts that lock after x failed attempts, brute forcing is pretty effectively stopped (I suppose it would be possible for someone to try once a day on the assumption that a user will have a successful log in in between or something, but for brute force that makes for a LOOOOOONG time anyways).
For situations where people are playing rainbow table games, the system must already be compromised to some degree to have leaked the hashes....and (as someone else pointed out) the only benefit of expiration is in the case that your account is already breached....Incidentally, I don't think secure passwords are particularly resistant to rainbow table attacks - because hashes are not unique - of course a well salted hash makes these a lot more difficult....YUM
But I increasingly learn that there are certain types who enjoy arbitrary rules. These are usually (not always) the people who you work with who really make you wonder whether qualifications were on sale at the flea market. They tend to obsess on the letter of the law rather than the spirit of the law, because they understand what the rule is, not why the rule exists. They also thrive on process - because you don't need to think - you just become a process automaton. For some reason (possibly because there's a certain necessity for rules) they seem to end up in management, security and audits.....
Oh, they also love metrics - and you can often get them off your case by giving them some fun meaningless number puzzle to work on (like calculating number of bugs vs number of potential bugs - SixSigma...oh yeah).
Our security dept is like that. We have an obsession with expiring passwords - on systems that are only connected to the outside world through other theoretically impenetrable systems. If someone is brute forcing my account on this account, then they must have already breached a network that (we'd like to think) is pretty secure.....
Admin
So changing passwords every 5 minutes wouldn't help, once you're in.
Admin
You're becoming one of THEM....
Admin
Alpha!23Bravo scores: 26 Million years...that's not bad
Admin
Has there even been a study to figure out what counts as an improvement? I mean, how do you even measure this stuff? Presumably I'm running some firm and we have a mission that is, over a certain period, worth something. When we implement a security policy, we lose an amount of productivity worth S, but it either reduces the likelihood of an expected attack or the severity of the damage of that attack, such that our overall expected losses are less by T. If we can show that S < T, we win.
It sort of makes sense if someone wants to lurk quietly and snarf up data. On a secured military network for instance, or maybe a corporate network.
That said, if an attacker can get into such a network, they're far better off setting up a backdoor than reusing your password.
For most of our important passwords, such as with financial institutions, it makes no sense at all. They're going to empty your accounts the instant they're in.
Admin
Admin
I was going to write a longer response, but oops, gotta go...
Admin
CAPTCVHA: Appellatio....never mind
Admin
The president's daughter would take 37 sextillion years to crack. You sure that makes her safe?
Admin
I just use a chronologically ascending list of women I've had sex with, appended with a quasirandom sequence of characters (same every time). Never have any problems. Plus, I can keep a post-it with the passwords on my monitor, sans the quasirandom sequence, and it looks like a random list of female names. Even if someone got the list, it's just a bunch of names, with no clue as to what name is used as a password where, and even if they managed to figure that out, the quasirandom sequence exists only in my head... Otoh, a half decent keylogger would work any password out in no time... And there are hardware loggers that no software scanner can detect. I'm even fairly sure I've seen adverts for hardware keyloggers that are capable of phoning home.
Admin
[quote user="fe"]The best part is all you have to remember is the starting character and which way to zig-zag.[/quote]
[quote]Zaq12wsx scores "instantly". Zse45rdx scores 15 hours.[/quote]
Curiously, on my keyboard, the first has jumps and shifts in the middle, but is otherwise moderately zigzaggy, while the second is south, NE, NE, E, SW, SW, SW. I despise AZERTY keyboards, except when I can poke fun at people assuming the whole world uses US-QWERTY[*].
[*] I note in passing that most of these people aren't aware that UK-QWERTY differs in a number of significant ways, and that they also aren't old enough to have used a Commodore-64, which had a modified UK-QWERTY layout even in the US.
Admin
First: Zé"edcvf (assuming you zigzag again at the bottom and you don't use spaces) Second: Z"'eswxd
Key point: on AZERTY keyboards, the top-row keys require shift to get the numbers. And the so-called Caps Lock key also affects the top-row keys. And square brackets, hashes, backslashes, carets, and braces all require AltGr. I despise this layout, but I use it so I don't have problems between my machines and those of colleagues, nor between work and home. QWERTY keyboards are hard to find in France.