• (cs)

    That's gotta be one of the most brain-dead security schemes ever.

  • AndrewVos (unregistered)

    That's a joke!

  • APAQ11 (unregistered)

    PS: And while we're doing this if you have any other passwords you would like changed such as Pin Numbers for your bank cards or log on to your private email just send us the relevant information and we'll change those as well.

  • (cs)

    Here is my new password.   Please apply to all applicable systems.
    iquitnow

    Thank you and good bye!

  • Dr Sanchez (unregistered)

    This has to be made up...if not, WTF!

  • (cs)

    WTF?? You made this up, didn't you, Alex? There is no way anyone would use this approach in the modern world, right? Please tell me you made it up. No? Well, how about the name of the company so I can hack their systems this weekend.

  • (cs)
    Alex Papadimoulis:
    This password must be exactly 8 characters long and can be any 
    combination of lower case letters and numbers. No special
    characters ($,@, etc.) or proper names (Mary, John, etc.) are allowed.

    This is where I call shenanigans. Why bother with a password complexity policy if you have no method to audit password security other than manually changing them? Not to mention the fun of sending them across the email system.

  • Matt (unregistered)

    Foosball girl must have found out what the forum software admin password was so she could regain the top position over bean bag girl.

  • (cs) in reply to richleick

    If it was a shared file on the network, they should have just let the users edit the Excel file directly to save time. And what is with this new buzzword called "security" I keep seeing tossed around?

  • (cs)

    Is it possible that the spreadsheet in question is only to be used for the weekend? No coding related WTF's today? Assuming the spreadsheet in question was left on a publicly shared drive on their internal network, then yeah, WTF man.... Still though, not that much of a biggie... Well, it wasn't automated either sooooo..... eh... blah.

    I really think that the spreadsheet in question is to be deleted immediately after the password update is done.

  • jesternl (unregistered) in reply to Skeeter S. Deskeet

    Hey, it is still a step up from storing your PW under your keyboard

  • (cs)
    Alex Papadimoulis:

    the only burglar alarm we needed was a Labrador

    No server room is complete without one.

    Alex Papadimoulis:

    Subject: 2006 Password Change


    IT IS ESSENTIAL that you reply to this email no later than
    Friday, June 2nd at 5:00.

    And also please submit your ATM card and pin number.  Reply to [email protected]

    Hmmm ... I really hope this was over the Intranet with IPsec or something

  • (cs) in reply to richleick

    One employer-related website had a few WTFs, mostly when you called in because you needed help.

    They used the website password for their voice-based authentication, so you had to speak it aloud around all your other co-workers, all of whom could have easily figured out what your mandated login ID was.

    Also, they would be unable to help you if you left yourself logged into their website!  If you had exited their website without logging off, you would have to re-connect, login, then logout to allow them to help you.

    I eventually got sick of this and all the other [less WTF-worthy] problems their site kept having.  I changed my password to "thissucks".  When I first called in and responded with this password, I was rewarded with an "Are you serious?!" that made it a little more bearable.

  • Dave (unregistered) in reply to Matt

    We knew she was intelligent.

  • Dave (unregistered) in reply to Dave
    Anonymous:
    We knew she was intelligent.


    This was meant to reply to

    Foosball girl must have found out what the forum software admin password was so she could regain the top position over bean bag girl.

  • (cs) in reply to GoatCheez
    GoatCheez:
    I really think that the speadsheet in question is to be deleted immediately after the password update is done.
    After all, the staff doing the password changes can be implicitly trusted not to save a copy of this file (or a subset of its contents) for use during the next year...
  • Colin (unregistered)
    _________________________________________________________________
    From: Network Operations
    Sent: Friday, May 26, 2006 3:21 PM
    To: Everyone
    Subject: 2006 Password Change

    Please write your new password on a sticky note and put
    it on your monitor. Please also write your current
    password on the same note. Our Network Security
    Specialists will make their rounds over the weekend and
    will need both passwords to update your password.

    After being updated they will place a green checkmark
    on the note so you will know to use the new password on
    Monday. If you do not see a green checkmark then use
    your old password and notify us.

    Also remember that the custodial staff will be bringing
    in extra, external help for their spring clean-up so tidy
    up your desk so that they may clean the desk surfaces.

    Thank you for your full cooperation.


    --Network Operations Management
  • (cs)

    Heh.

    My reply to this message would have probably been: No, thanks. I'll change my own password.

    I can't honestly believ.... nevermind. I can believe it. It makes me sad.

  • (cs)

    Looks like a phishing scam.

    In fact if I got this message, I'd assume it was a phishing scam and delete it.

  • WeDontNeedNoStinkinSecurity (unregistered)

    It could have been worse - pictures of passwords-on-PostIt's on wooden tables might have been involved.

  • Dilbert (unregistered)

    What's great about this is that the e-mail is addressed to Everyone using the To field (instead of BCC). That way lots of people can use the Reply to All function and send their passwords to Everyone.

    Note that the e-mail says "It's that time of year again." Does that mean that they only change their passwords once a year? Maybe it's too much to ask the password change team to sacrifice more than one weekend per year in the name of security.

    Also, they don't specify that you can't reuse passwords, so "smart" employees can set up a rule to auto-reply to any e-mail from Network Security & Operations that contains Password Change in the subject with a response that specifies the same passwords each time ("My Windows Logon password should be abcd1234, EmployeeNET+ password should be 1234, and SPM, CRL, and EMS passwords should all be 1234abcd."). That way they don't have to ever really change their passwords.

  • Bob Racecar (unregistered)

    On top of being ridiculously executed, doing a yearly password change seems very lax in general.  Where I'm working, we have to change passwords for all systems (by ourselves, of course.  They are OUR passwords) every 90 days.  At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (i.e. May2006!, Jun2006!, etc.).  Is it a pain?  Yes.  Does anyone complain?  No.  Why?  Because we know we have competent Sys Admins running the show.
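
    As an added illustration (not code from the article or from any commenter), the Python below checks a candidate password against the two policies quoted in this thread: the e-mail's "exactly 8 lowercase letters and digits, no proper names" rule, and the 90-day rule described just above (four character classes, not one of the last five, no dictionary words, no May2006!/Jun2006! sequences). It also puts a number on the annual policy's keyspace, which is what a complexity rule actually buys when nothing audits it. The name and dictionary lists are constructed stand-ins.

```python
import math
import re
import string

# Policy quoted in the thread's e-mail: exactly 8 characters, lowercase
# letters and digits only, no special characters, no proper names.
ANNUAL_ALPHABET = string.ascii_lowercase + string.digits
# Constructed stand-ins; a real deployment would load full word lists.
PROPER_NAMES = {"mary", "john"}
DICTIONARY = {"password", "secret", "welcome", "summer"}
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def annual_policy_ok(pw: str) -> bool:
    """The e-mail's rule: exactly 8 chars from [a-z0-9] and no proper name."""
    if len(pw) != 8 or any(c not in ANNUAL_ALPHABET for c in pw):
        return False
    return not any(name in pw for name in PROPER_NAMES)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of how many passwords a fixed-length policy admits (36^8 here)."""
    return length * math.log2(alphabet_size)


def _stem(pw: str) -> str:
    """Strip digits and month names so May2006! and Jun2006! share one stem."""
    s = re.sub(r"\d+", "", pw.lower())
    return re.sub("|".join(MONTHS), "", s)


def quarterly_policy_ok(pw: str, history: list) -> bool:
    """The 90-day rule from the comment: >=8 chars, all four character
    classes, not one of the last five, no dictionary word, and not a
    date-style sequence of a recent password."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if len(pw) < 8 or not all(classes):
        return False
    if pw in history[-5:]:
        return False
    if any(word in pw.lower() for word in DICTIONARY):
        return False
    # Sequence check: same stem as a recent password means only the
    # month or year moved on.
    return _stem(pw) not in {_stem(old) for old in history[-5:]}


if __name__ == "__main__":
    print(f"annual policy keyspace: {keyspace_bits(36, 8):.1f} bits")
    print(annual_policy_ok("abcd1234"), annual_policy_ok("mary1234"))
    print(quarterly_policy_ok("Jun2006!", ["May2006!"]))
```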

  • (cs) in reply to Dave

    Anonymous:
    Anonymous:
    We knew she was intelligent.


    This was meant to reply to

    Foosball girl must have found out what the forum software admin password was so she could regain the top position over bean bag girl.

    Beanbag girl couldn't get past the CAPTCHA

  • (cs) in reply to jesternl
    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard

    You don't understand, you must *already have* the password to log on to the shared drive, thus it's a foolproof adamantium security system.
  • Someone (unregistered) in reply to MrEricSir

    If it was a phishing scam, this wouldn't be the correct password.

  • subanark (unregistered) in reply to jesternl

    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard

    Storing your password under your keyboard cannot be attacked by a hacker without using a physical or social attack. Having a strong password that you keep written down (preferably on you) is safer than a weak password that you memorize! Most employees are honest and will not abuse your password if they find it under your keyboard. What is more likely to get you a bigger punishment? Hacking into a company you have never worked for, or abusing your powers to steal company info? I think you know the answer.

  • (cs) in reply to subanark
    Anonymous:

    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard

    Storing your password under your keyboard cannot be attacked by a hacker without using a physical or social attack. Having a strong password that you keep written down (preferably on you) is safer than a weak password that you memorize! Most employees are honest and will not abuse your password if they find it under your keyboard. What is more likely to get you a bigger punishment? Hacking into a company you have never worked for, or abusing your powers to steal company info? I think you know the answer.

    More than 60% of corporate network attacks come from the inside.

  • codemoose (unregistered) in reply to jesternl
    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard


    Hey!  Quit peeking under my keyboard!
  • no name (unregistered) in reply to jesternl
    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard

    Wrong. Under the keyboard requires physical access, and there was no company wide email telling the bad guys/girls everyone's password would be conveniently located under a single keyboard.

  • (cs)

    Ok, the password is...
    1.....2.....3.....4....5

    Oh, wait, that wouldn't work....
    It is the same as my combo on my luggage!  :-P

  • (cs) in reply to pinguis
    pinguis:
    More than 60% of corporate network attacks come from the inside.

    47.3% of statistics are made up on the spot.

  • Doug (unregistered) in reply to subanark
    Anonymous:

    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard

    Storing your password under your keyboard cannot be attacked by a hacker without using a physical or social attack. Having a strong password that you keep written down (preferably on you) is safer than a weak password that you memorize! Most employees are honest and will not abuse your password if they find it under your keyboard. What is more likely to get you a bigger punishment? Hacking into a company you have never worked for, or abusing your powers to steal company info? I think you know the answer.

    You keep your password on a post-it under your keyboard, don't you?  It's either that or you're the Sys Admin who came up with this hare-brained scheme!

    (I kid, I kid!)
  • WeDontNeedNoStinkinSecurity (unregistered) in reply to WeatherGod

    WeatherGod:
    Ok, the password is...
    1.....2.....3.....4....5

    Oh, wait, that wouldn't work....
    It is the same as my combo on my luggage!  :-P

    You just know that your luggage is going to be hacked!

  • (cs) in reply to Thuktun
    Thuktun:
    GoatCheez:
    I really think that the spreadsheet in question is to be deleted immediately after the password update is done.
    After all, the staff doing the password changes can be implicitly trusted not to save a copy of this file (or a subset of its contents) for use during the next year...

    I'm taking that you were implying sarcasm, but what you said I have found to be true. You pretty much have to trust a portion of your IT staff to not do bad things. It's impossible for them not to be able to see/find the passwords or other things (yet).

    The proper thing that they should have done was use a system that did not involve user interaction.... Sadly this is very uncommon these days.

  • (cs) in reply to pinguis

    pinguis:
    More than 60% of corporate network attacks come from the inside.

    Nevermind that any smart burglar who breaks into an office to specifically steal computer equipment is usually also smart enough to look for written passwords stored in desks, on sticky notes, etc.  This is part of the security training I took as a computer forensic investigator and also something my employer's audit division looks for when determining if we're practicing proper security.

    But suffice to say, if this is a real email (with some edits to protect the insanely stupid), this company deserves a good hard hacking.  With no lube.

     

    Seejay

  • omni (unregistered) in reply to APAQ11
    Anonymous:
    Pin Numbers

    WTF is a PIN number? People have started numbering their personal identification numbers?

    I bet you're using a NIC card to connect to this website and you type your PIN number into ATM machines.

  • (cs) in reply to seejay
    seejay:

    pinguis:
    More than 60% of corporate network attacks come from the inside.

    Nevermind that any smart burglar who breaks into an office to specifically steal computer equipment is usually also smart enough to look for written passwords stored in desks, on sticky notes, etc.  This is part of the security training I took as a computer forensic investigator and also something my employer's audit division looks for when determining if we're practicing proper security.

    But suffice to say, if this is a real email (with some edits to protect the insanely stupid), this company deserves a good hard hacking.  With no lube.

    Seejay

    Not so sure about that. Not long ago, I helped a friend set up a new office. We brought in about 10 computer-setups. Nothing fancy, just basic large flat panels and mid-line PCs. The system was used to store data for an accounting practice (picture all the info on your federal tax return (account numbers, social security numbers, etc) times thousands of clients). The security guards in the building watched as we hauled in the equipment.

    That night, they unlocked the door, and ripped the PC's from the network. They took the junkiest boxes, and left the (very expensive) flat panels and server sitting amidst the rubble. It never occurred to them to look at the webcams pointed right at the door and computer areas, with the thick blue wire running across a white wall directly to the server. The whole thing was caught on video, which, if they had taken the server (where it was stored), wouldn't have been of much use to us.

    Afterwards, they admitted they never even tried to gain access to the boxes - they just thought they could hock them for $50 each. Apparently, you don't even need to be mildly intelligent to be a thief.

  • (cs)

    If this is for real it isn't only a WTF but is also a OMGHS and a WBD (What a Bunch of Dumbasses).

    Oh, wait. I just thought of something. Did Brian just go to work for the brother of a former Kenyan king and their business is doling out monies left behind in foreign accounts with the help of um, helpful American investors?

  • (cs) in reply to jesternl
    Anonymous:
    Hey, it is *still* a step up from storing your PW under your keyboard


    Not if you store your password as a RSA 256 bit hash on a sticky-note. But, that would be just about as useless as this WTF is.
  • (cs) in reply to Bob Racecar
    Anonymous:

    On top of being ridiculously executed, doing a yearly password change seems very lax in general.  Where I'm working, we have to change passwords for all systems (by ourselves, of course.  They are OUR passwords) every 90 days.  At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (i.e. May2006!, Jun2006!, etc.).  Is it a pain?  Yes.  Does anyone complain?  No.  Why?  Because we know we have competent Sys Admins running the show.

    90 days? Jeez! The default on a windows domain is 42 days. You have it easy.
  • (cs) in reply to GoatCheez

    GoatCheez:
    Is it possible that the spreadsheet in question is only to be used for the weekend? No coding related WTF's today? Assuming the spreadsheet in question was left on a publicly shared drive on their internal network, then yeah, WTF man.... Still though, not that much of a biggie... Well, it wasn't automated either sooooo..... eh... blah.

    I really think that the spreadsheet in question is to be deleted immediately after the password update is done.

    Ah, but suppose the Spreadsheet was printed,

    laid on a wooden table,

    photographed.....

  • (cs)

    Dear Network Operations,

        Please change all my passwords to 1mS01337 for everything but windows. Please make my windows password BhAx0red. Additionally, please send me all of your passwords to the aforementioned systems.

       Thank you.

  • (cs)

    I wonder if the password file is sorted alphabetically?  So if my name is Zute and the CEO's name is Arthur, and I'm a lazy bastard, then I don't have to read past the first page.  I can just use the CEO's creds, right?!?!

    "Bad, bad, naughty Zute!"

  • (cs) in reply to snoofle
    snoofle:

    Not so sure about that. Not long ago, I helped a friend set up a new office. We brought in about 10 computer-setups. Nothing fancy, just basic large flat panels and mid-line PCs. The system was used to store data for an accounting practice (picture all the info on your federal tax return (account numbers, social security numbers, etc) times thousands of clients). The security guards in the building watched as we hauled in the equipment.

    That night, they unlocked the door, and ripped the PC's from the network. They took the junkiest boxes, and left the (very expensive) flat panels and server sitting amidst the rubble. It never occurred to them to look at the webcams pointed right at the door and computer areas, with the thick blue wire running across a white wall directly to the server. The whole thing was caught on video, which, if they had taken the server (where it was stored), wouldn't have been of much use to us.

    Afterwards, they admitted they never even tried to gain access to the boxes - they just thought they could hock them for $50 each. Apparently, you don't even need to be mildly intelligent to be a thief.

    Wait, you were robbed by your own security guards??? WTF?

  • (cs)

    What I can't get past is the Windows Logon.  It's so easy for an admin to set password policies that require a change every xx days, and to force constraints.  Why would anyone stay for a whole weekend doing something that doesn't require any manual work?  Are you sure this isn't made up?

  • Anonymous (unregistered)

    So, the task before you now is to navigate to the XML file, snag the network admin's ID/PW, relogin to the network with that ID at someone elses station and delete the XML file.

  • (cs) in reply to shadowman

    because then there would be the added level of work for the admin to figure out everyone's passwords....duhhh :)

  • (cs) in reply to seejay

    seejay:
    Nevermind that any smart burglar who breaks into an office to specifically steal computer equipment is usually also smart enough to look for written passwords stored in desks, on sticky notes, etc.  This is part of the security training I took as a computer forensic investigator and also something my employer's audit division looks for when determining if we're practicing proper security.

    I read an interview with Clifford Stoll (the guy who wrote "The Cuckoo's Egg," if you're familiar with it) in which he confessed that he once wrote the root password to one of his servers on a Post-It, stuck it to his monitor, then gave a television interview in which the sticky note and password was clearly visible in the shot the whole time.

    Not that most of us need to worry about that particular threat...

  • Viflux (unregistered) in reply to Bob Racecar
    Anonymous:

    On top of being ridiculously executed, doing a yearly password change seems very lax in general.  Where I'm working, we have to change passwords for all systems (by ourselves, of course.  They are OUR passwords) every 90 days.  At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (i.e. May2006!, Jun2006!, etc.).  Is it a pain?  Yes.  Does anyone complain?  No.  Why?  Because we know we have competent Sys Admins running the show.

    Have you ever thought about the theory behind mandatory password changing every X months?

    If you suspect your password has been compromised, it should be changed immediately.  If it hasn't, there's no need to change it.  Forcing users to change their passwords (some places have dozens of them) results in users writing them down, thus making them more susceptible to being compromised, thus requiring that they are changed more often.
  • (cs) in reply to Bob Racecar
    Bob Racecar:
    On top of being ridiculously executed, doing a yearly password change seems very lax in general.  Where I'm working, we have to change passwords for all systems (by ourselves, of course.  They are OUR passwords) every 90 days.  At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (i.e. May2006!, Jun2006!, etc.).  Is it a pain?  Yes.  Does anyone complain?  No.  Why?  Because we know we have competent Sys Admins running the show.

    Actually, changing the password once a year is a bit better than a quarterly change. For those of us using strong passwords, it gets difficult to remember so many strong passwords.

    Every important website, ssh keypair, remote host, gpg keyring....
    That's a lot of passwords/passphrases. If this was the only password I had to remember, yes, a 90 day change policy is good.

Leave a comment on “Annual About Security”
