Admin
That's gotta be one of the most brain-dead security schemes ever.
Admin
That's a joke!
Admin
PS: And while we're doing this, if you have any other passwords you would like changed, such as PIN numbers for your bank cards or the logon to your private email, just send us the relevant information and we'll change those as well.
Admin
Here is my new password. Please apply to all applicable systems.
iquitnow
Thank you and good bye!
Admin
This has to be made up...if not, WTF!
Admin
WTF?? You made this up, didn't you Alex. There is no way anyone would use this approach in the modern world, right? Please tell me you made it up. No? Well, how about the name of the company so I can hack their systems this weekend.
Admin
This is where I call shenanigans. Why bother with a password complexity policy if you have no method to audit password security other than manually changing them? Not to mention the fun of sending them across the email system.
Admin
Foosball girl must have found out what the forum software admin password was so she could regain the top position over bean bag girl.
Admin
If it was a shared file on the network, they should have just let the users edit the Excel file directly to save time. And what is with this new buzzword called "security" I keep seeing tossed around?
Admin
Is it possible that the spreadsheet in question is only to be used for the weekend? No coding related WTFs today? Assuming the spreadsheet in question was left on a publicly shared drive on their internal network, then yeah, WTF man.... Still though, not that much of a biggie... Well, it wasn't automated either sooooo..... eh... blah.
I really think that the spreadsheet in question is to be deleted immediately after the password update is done.
Admin
Hey, it is still a step up from storing your PW under your keyboard
Admin
No server room is complete without one.
And also please submit your ATM card and pin number. Reply to [email protected]
Hmmm ... I really hope this was over the Intranet with IPsec or something
Admin
One employer-related website had a few WTFs, mostly when you called in because you needed help.
They used the website password for their voice-based authentication, so you had to speak it aloud around all your other co-workers, all of whom could have easily figured out what your mandated login ID was.
Also, they would be unable to help you if you left yourself logged into their website! If you had exited their website without logging off, you would have to re-connect, login, then logout to allow them to help you.
I eventually got sick of this and all the other [less WTF-worthy] problems their site kept having. I changed my password to "thissucks". When I first called in and responded with this password, I was rewarded with an "Are you serious?!" that made it a little more bearable.
Admin
We knew she was intelligent.
Admin
This was meant to reply to
Admin
Heh.
My reply to this message would have probably been: No, thanks. I'll change my own password.
I can't honestly believ.... nevermind. I can believe it. It makes me sad.
Admin
Looks like a phishing scam.
In fact if I got this message, I'd assume it was a phishing scam and delete it.
Admin
It could have been worse - pictures of passwords-on-PostIt's on wooden tables might have been involved.
Admin
What's great about this is that the e-mail is addressed to Everyone using the To field (instead of BCC). That way lots of people can use the Reply to All function and send their passwords to Everyone.
Note that the e-mail says "It's that time of year again." Does that mean that they only change their passwords once a year? Maybe it's too much to ask the password change team to sacrifice more than one weekend per year in the name of security.
Also, they don't specify that you can't reuse passwords, so "smart" employees can set up a rule to auto-reply to any e-mail from Network Security & Operations that contains Password Change in the subject with a response that specifies the same passwords each time ("My Windows Logon password should be abcd1234, EmployeeNET+ password should be 1234, and SPM, CRL, and EMS passwords should all be 1234abcd."). That way they don't have to ever really change their passwords.
Admin
On top of being ridiculously executed, doing a yearly password change seems very lax in general. Where I'm working, we have to change passwords for all systems (by ourselves, of course. They are OUR passwords) every 90 days. At least 8 characters, containing upper and lower case characters, numbers, symbols, cannot be one of our last 5 passwords (the systems check against a list of our old passwords), cannot contain dictionary words, and cannot be a sequence (i.e. May2006!, Jun2006!, etc.). Is it a pain? Yes. Does anyone complain? No. Why? Because we know we have competent Sys Admins running the show.
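The policy this commenter describes (minimum length, four character classes, no dictionary words, no reuse of the last five, no "sequence" such as May2006! followed by Jun2006!) is what a self-service change-password endpoint enforces, and it is the opposite of the spreadsheet-and-email scheme in the article. The block below is an added example, not code from the thread or from any commenter's employer. It assumes the user supplies the old password in clear at change time (as a normal change form does), that the server keeps only salted PBKDF2 hashes of the current and previous passwords, and that a "sequence" means either a month-plus-year pattern or a candidate within a small edit distance of the old password. The wordlist, the round count and all sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8
HISTORY_DEPTH = 5          # "cannot be one of our last 5 passwords"
PBKDF2_ROUNDS = 100_000    # constructed value; tune to your hardware
MAX_EDIT_DISTANCE = 2      # this close to the old password counts as a "sequence"

# Constructed toy wordlist; a real deployment loads a proper dictionary.
DICTIONARY = {"password", "welcome", "summer", "winter", "company", "admin"}

# Month-name-plus-year rotations such as May2006! / Jun2006!
MONTH_SEQ = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2,4}\W*$")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only these are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def edit_distance(a, b):
    """Levenshtein distance, used to catch Gr8!Tango7 -> Gr8!Tango8 style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    # (salt, digest) pairs, most recent first: current password plus HISTORY_DEPTH older ones.
    history: list = field(default_factory=list)


def policy_violations(new, old=None, history=()):
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    has_upper = any(c.isupper() for c in new)
    has_lower = any(c.islower() for c in new)
    has_digit = any(c.isdigit() for c in new)
    has_symbol = any(c in string.punctuation for c in new)
    if not (has_upper and has_lower and has_digit and has_symbol):
        problems.append("complexity")
    lowered = new.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("dictionary")
    near_old = old is not None and edit_distance(old, new) <= MAX_EDIT_DISTANCE
    if MONTH_SEQ.match(lowered) or near_old:
        problems.append("sequence")
    # History is hashed, so the candidate is re-hashed under each stored salt.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            problems.append("reuse")
            break
    return problems


def enroll(account, password):
    """Initial password set (no old password to prove)."""
    problems = policy_violations(password)
    if not problems:
        account.history.insert(0, hash_password(password))
    return problems


def change_password(account, old, new):
    """Self-service change: the user proves the old password; the server never sees a spreadsheet."""
    if account.history:
        salt, digest = account.history[0]
        if not hmac.compare_digest(hash_password(old, salt)[1], digest):
            return ["bad_old_password"]
    problems = policy_violations(new, old, account.history)
    if not problems:
        account.history.insert(0, hash_password(new))
        del account.history[HISTORY_DEPTH + 1:]   # keep current + last 5
    return problems


if __name__ == "__main__":
    acct = Account()
    print(enroll(acct, "Gr8!Tango7"))                        # []
    print(change_password(acct, "Gr8!Tango7", "Jun2006!"))   # ['sequence']
    print(change_password(acct, "Gr8!Tango7", "Gr8!Tango8")) # ['sequence']
```

The reuse check works without ever storing a cleartext list because the candidate is re-derived under each historical salt; the sequence check needs the old password in clear, which a genuine change flow has anyway because the user just typed it.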
Admin
Beanbag girl couldn't get past the CAPTCHA
Admin
You don't understand, you must *already have* the password to log on to the shared drive, thus it's a foolproof adamantium security system.
Admin
If it was a phishing scam, this wouldn't be the correct password.
Admin
Storing your password under your keyboard cannot be attacked by a hacker without using a physical or social attack. Having a strong password that you keep written down (preferably on you) is safer than a weak password that you memorize! Most employees are honest and will not abuse your password if they find it under your keyboard. What is more likely to get you a bigger punishment? Hacking into a company you have never worked for, or abusing your powers to steal company info? I think you know the answer.
Admin
More than 60% of corporate network attacks come from the inside.
Admin
Hey! Quit peeking under my keyboard!
Admin
Wrong. Under the keyboard requires physical access, and there was no company-wide email telling the bad guys/girls everyone's password would be conveniently located under a single keyboard.
Admin
Ok, the password is...
1.....2.....3.....4....5
Oh, wait, that wouldn't work....
It is the same as my combo on my luggage! :-P
Admin
47.3% of statistics are made up on the spot.
Admin
You keep your password on a post-it under your keyboard, don't you? It's either that or you're the Sys Admin who came up with this hare-brained scheme!
(I kid, I kid!)
Admin
You just know that your luggage is going to be hacked!
Admin
I'm taking it that you were implying sarcasm, but what you said I have found to be true. You pretty much have to trust a portion of your IT staff to not do bad things. It's impossible for them not to be able to see/find the passwords or other things (yet).
The proper thing that they should have done was use a system that did not involve user interaction.... Sadly this is very uncommon these days.
Admin
Never mind that any smart burglar who breaks into an office specifically to steal computer equipment is usually also smart enough to look for written passwords stored in desks, on sticky notes, etc. This is part of the security training I took as a computer forensic investigator and also something my employer's audit division looks for when determining if we're practicing proper security.
But suffice to say, if this is a real email (with some edits to protect the insanely stupid), this company deserves a good hard hacking. With no lube.
Seejay
Admin
WTF is a PIN number? People have started numbering their personal identification numbers?
I bet you're using a NIC card to connect to this website and you type your PIN number into ATM machines.
Admin
Not so sure about that. Not long ago, I helped a friend set up a new office. We brought in about 10 computer-setups. Nothing fancy, just basic large flat panels and mid-line PCs. The system was used to store data for an accounting practice (picture all the info on your federal tax return (account numbers, social security numbers, etc) times thousands of clients). The security guards in the building watched as we hauled in the equipment.
That night, they unlocked the door, and ripped the PCs from the network. They took the junkiest boxes, and left the (very expensive) flat panels and server sitting amidst the rubble. It never occurred to them to look at the webcams pointed right at the door and computer areas, with the thick blue wire running across a white wall directly to the server. The whole thing was caught on video, which, if they had taken the server (where it was stored), wouldn't have been of much use to us.
Afterwards, they admitted they never even tried to gain access to the boxes - they just thought they could hock them for $50 each. Apparently, you don't even need to be mildly intelligent to be a thief.
Admin
If this is for real it isn't only a WTF but is also an OMGHS and a WBD (What a Bunch of Dumbasses).
Oh, wait. I just thought of something. Did Brian just go to work for the brother of a former Kenyan king and their business is doling out monies left behind in foreign accounts with the help of um, helpful American investors?
Admin
Not if you store your password as an RSA 256 bit hash on a sticky-note. But, that would be just about as useless as this WTF is.
Admin
90 days? Jeez! The default on a windows domain is 42 days. You have it easy.
Admin
Ah, but suppose the Spreadsheet was printed,
laid on a wooden table,
photographed.....
Admin
Dear Network Operations,
Please change all my passwords to 1mS01337 for everything but windows. Please make my windows password BhAx0red. Additionally, please send me all of your passwords to the aforementioned systems.
Thank you.
Admin
I wonder if the password file is sorted alphabetically? So if my name is Zute and the CEO's name is Arthur, and I'm a lazy bastard, then I don't have to read past the first page. I can just use the CEO's creds right?!?!
"Bad, bad, naughty Zute!"
Admin
Wait, you were robbed by your own security guards??? WTF?
Admin
What I can't get past is the Windows Logon. It's so easy for an admin to set password policies that require a change every xx days, and to force constraints. Why would anyone stay for a whole weekend doing something that doesn't require any manual work? Are you sure this isn't made up?
Admin
So, the task before you now is to navigate to the XML file, snag the network admin's ID/PW, relogin to the network with that ID at someone elses station and delete the XML file.
Admin
because then there would be the added level of work for the admin to figure out everyone's passwords....duhhh :)
Admin
I read an interview with Clifford Stoll (the guy who wrote "The Cuckoo's Egg," if you're familiar with it) in which he confessed that he once wrote the root password to one of his servers on a Post-It, stuck it to his monitor, then gave a television interview in which the sticky note and password were clearly visible in the shot the whole time.
Not that most of us need to worry about that particular threat...
Admin
Have you ever thought about the theory behind mandatory password changing every X months?
If you suspect your password has been compromised, it should be changed immediately. If it hasn't, there's no need to change it. Forcing users to change their passwords (some places have dozens of them) results in users writing them down, thus making them more susceptible to being compromised, thus requiring that they are changed more often.
Admin
Actually, changing the password once a year is a bit better than a quarterly change. For those of us using strong passwords, it gets difficult to remember so many strong passwords.
Every important website, ssh keypair, remote host, gpg keyring....
That's a lot of passwords/passphrases. If this was the only password I had to remember, yes, a 90 day change policy is good.