The Real WTF is safety rules that force users to write their passwords on a Post-it because they can't remember them, defeating the purpose of passwords. As most attacks start inside, an angry worker can steal the password from a co-worker and use it to do his damage. Your work is in real danger, mate!
Admin
Admin
Not so bad, IMHO - "NT" is a proper name, so its meaning/expansion doesn't really matter. For example, Wikipedia says that "George" means "farmer", but referring to "George the farmer" wouldn't be considered redundant.
Admin
Hard to believe, but the worst of all I ever experienced was a company where the ROOT password for ALL servers (for SSH, FTP, for internet production servers, anything) was written by hand in huge letters on a paper on the wall for everybody to see and use. As a developer / system operator, I first set up a new password policy (separate passwords for every person / task) and the employers were really angry ("It's much more complex than it was before, WHY do we have to change to this stupid way!")... It was one of the strangest companies I ever worked for.
Admin
Admin
This post is a manual virus. Please delete all the files on your C: drive and send this post to everyone you know.
The above makes about as much sense as the password change mail...
Admin
I forgot to mention: I once worked for a company whose Lotus Notes (blech) system was set up with 123456 as the default webmail password: and the list of logins (full names too) was publicly visible on the webmail server, if you knew a tiny bit about Notes.
Admin
My favorite security story is still a newsletter I got from our security department, which included two articles.
The first one was an explanation of why we should be using different passwords for different systems -- you know, to prevent people who can guess one password from getting them all. Multiple levels of security and whatnot.
The second one was an announcement of a new tool that'll allow us to store all our passwords in one, password-protected place, for easy reference -- since we have so many passwords to remember.
Hmmm....
Admin
This can't be real!
No way, I just can't believe this is real. Really?!
Admin
This must be a joke, no network departments are that stupid.
Admin
Little known fact 1: Windows domain passwords are 'good-as-plaintext'. The hash is only there to protect the password itself, h(p) is all you need to login. The idea is that if you steal the password, you only get h(p), so if p is also your banking password, <intruder> doesn't get it.
Little known fact 2: Windows domain passwords are unsalted ('salt' means you store n,h(p,n), where n is some random number, so you can't do a dictionary lookup). This means a dictionary is trivial to do, and also, if you share passwords over domains, your windows pass is h(p) on those domains (as opposed to h(p,n1), h(p,n2)).
Little known fact 3: 98 passwords use the 'lanman' hash, which is slow. NT passwords use plain MD4, which on short passwords is incredibly fast. Cracking a [a-z0-9]{5} password took 2 hours, and that was on a P3 500.
What really needs to be changed is the hash they use. APR-1 or BSD's 1 is far more secure.
Anyway, my mom couldn't stand the password change policy so she picks something easy. Last I checked, it was AAAabc123.
Captcha:java
Admin
This is nothing new. Especially given SunOS, it's almost certainly good ol' unixcrypt (man 3 crypt, I think). To add insult to injury, it only uses the lower 7 bits of each character (I think), not that using anything other than ASCII is a good idea.
What happens is the password check is performed on the password, and then crypt(password) is stored, but crypt only looks at the first 8 letters. "fixed" versions of crypt do something different for passwords longer than 8 characters.
captcha:truthiness
Admin
On your LCD display, nonetheless.
Captcha: Chocobot ... The heck? Chocobo robot?
Admin
WTF is a PIN number? People have started numbering their personal identification numbers?
I bet you're using a NIC card to connect to this website and you type your PIN number into ATM machines.
Admin
That's pretty standard for any Windows domain. You can even set these things up on a Windows XP desktop if you're an administrator. *nix has these restrictions available too.
Admin
Have to fill out a form (this is government stuff, you know, so there has to be a form) and both people sign the sign-out sheet on the safe, if an emergency has occurred where someone has to get into the safe. The envelopes are checked periodically to see if they have been opened, as well as being in a safe that is controlled by one person.
And, yes, the safe that the envelopes are in has a combination that is in yet another envelope that is in yet another safe. The place I work at has occasionally made headlines and 10:00 p.m. news for blunders, so we take this far more seriously than you can even imagine.
Someday I've got to write a book . . .
Admin
This reinforces security rule #6743: Never hire intelligent security guards.
Admin
Or, more plausibly, they don't complain because someone has written and circulated a script to quickly run through 5 passwords so they can easily get back to their 'oldie but a goodie'.
Admin
Kinda like GNU's Not Unix, right? It's a sort of reverse recursion.
Admin
Are you serious? What about the cleaning staff? And the guy who changes the light bulbs?
Admin
I hear Uri Geller was monkeying around with hacking for a while but found that bending spoons was just easier.
Admin
I just couldn't resist sending this to a friend in desktop security at a fairly large company, knowing he would enjoy it. I would like to share his response:
"The only "improvement" I could suggest for this policy is that they post the spreadsheet on the internet. In the event someone forgets their password, they can refer to that spreadsheet. My advice would be to resign and run, do not walk, to the nearest exit."
Although I like seeing code here, the same as others, I definitely rate this at a "TRUE WTF"!
Admin
To whom it may concern:
Please return beanbag girl to her rightful place of honor, which is ABOVE foosball girl. Thank you for your attention to this matter.
Admin
No, my luggage is secure... I emailed my new combination to the sysadmin today!
Admin
Damn you... Now I have another one of those to drive me nuts.
So this pirate walks into a bar with a steering wheel on his crotch. Bartender asks, "What's up with the steering wheel?" The pirate responds, "Arrgh, it's drivin' me nuts."
Captcha = 1337
Admin
>Clueless Pointyhead Manager hits Reply All<
From: CPHM
To: Everyone
Here are my passwords. Since I have access to every type of function, but rarely use them, it's most important that you keep these secret from everyone.
pw: no1knows
pin: 1337
Admin
I dunno. If my experience with my Lab is accurate, mine barks at random things at random times, often at nothing, or at us. Nothing's worse than a burglar alarm that has a very high false alarm rate (my other dogs of different breeds never barked at shadows or other things - they usually managed to find a good reason to bark). I suppose the other thing is after possibly finding something useful to bark at, he runs and hides. Very fun during a walk where he would bark at a stranger, then quickly hide behind the legs of whoever's walking him.
captcha = pizza. Someone's updated them again, it seems.
Admin
To avoid users doing the 'rotate password 13 times' thing, they set the Windows policy to disallow password changes within the first 24 hours after you change your password. So you could change your password back to what it was, but it would take 13 days to do it.
Admin
I have a sticker on the underside of my keyboard at work that reads, "No passwords here. Good guess, though."
Admin
It's obsolete, the best way for a password is to use a word which is written on the body of the monitor. My root password is iiyama. And don't try to change my monitor! :)
Admin
Admin
Um... brute force cracking programs take a fixed amount of time to run, so:
If on day one, the pw file is stolen, you have x days until it is cracked. If before day x all the passwords have changed, even if they were cracked by brute force, they are now not the pw being used, thus brute force cannot be used to actually gain access. THAT is why pw must be changed.
Admin
And biometrics can set us free.
Admin
Like on an open forum like this, having an employee identify themselves as working on a government system that stores classified information, and implying they are cleared to access said system? Made any new 'friends' since you started posting here?
</rhetorical questions>
captcha=hacker
Admin
The time is not fixed.
"aaaaaaaa" can be brute forced a lot quicker than "zzzzzzzz"
Admin
Actually, the answer to that is on a need-to-know basis. However, they would all be properly reported to the F.B.I. on the official form and within the time limit for such contacts. I'm great fun at parties. Most people never ask me twice what I do for a living, nor do they say much, because the answer tells them to quietly go away and not ask questions.
Want to be my friend? Could have a couple guys in black suits at your door in a few minutes . . .
Seriously, though, I am often appalled at the lack of security for what should actually be "classified" information for businesses. Certainly, nobody cares much for the personal email from your girlfriend, or the business memo that was drafted concerning the need for another bottled water dispenser in the office area. But what about those lists of business contacts, that contains names, addresses and phone numbers? The specifics of that new electronic gizmo? Lists of raw ingredients to be shipped to a factory? Source code for an operating system?
It does almost seem that businesses are daring people to try and work around their attempts at security, but the rules exist for a good reason (however badly they might be implemented). You don't give users access to a root account. You shouldn't allow just anyone to be able to walk up to your computer (or dial in) and access company information. The insider threat is very real, and it is best not to compound it by making industrial espionage easy. We use TLC out here: Turn everything off, Lock everything up, check that all surfaces are Clear.
Sorry, I know I'm preaching to the choir here. So many users just seem so oblivious to simple security measures, and it is just made worse by badly implemented security plans.
Admin
I did work experience at a company where the admin password for every system was the initials of the boss - As far as I could tell it hadn't changed for a while (years probably) either.
Admin
Shoulda thrown in other characters like underscores between each word, just to slow him down even more...:P
Seriously though, I worked for a company that used a keycard that would display an alphanumeric password to the user (the keycard was of course registered to that user). You would log in to the application using your pre-determined login, a password of your choosing (8+ characters, must be alphanumeric and mixed case etc.) plus the password currently displayed on the keycard... which changed every 60 seconds. Meaning that not only are there two passwords, one changes every 60 seconds and the other changes every two months. On top of that, the server checked the incoming IP address, and it had to match the IP address of your assigned station (you could have up to five stations assigned to your username IIRC, in case one was non-functional, in use etc). Now THAT'S secure.
Admin
The sad part is some users are so pathetic that they need the IT staff to talk them through changing their password. Our helpdesk gets flooded with questions when the password change thing comes up - it's almost so sad to be pathetic. We eventually pushed a corporate memo that explained the process for Windows login.
Admin
Tell your admins to do the following:
In /etc/security/policy.conf set the following variables:
After that, passwords will be stored using an MD5 hash (whole password) by default, while providing backwards compatibility for existing crypt hashes.
Admin
That reminds me of a password WTF I experienced at University. One sunny day the network administrators obviously decided that implementing some basic checks to improve password security would be good to have. Now the first WTF, though, was that I received an email telling me I was using an "insecure password" and threatening me that my account would be locked if I did not change it ASAP. And according to said email, the password was insecure because, although consisting of the required 8 characters, it did not contain "at least one uppercase, one lowercase letter and one digit". Now the funny part is that my password consisted of 8 random-generated lowercase letters. Don't you think some 104 billion failed login attempts, the average for 26^8 random combinations, would show up in the logs? And this means that something like "qwjfrimx" would be deemed "insecure", but "Foobar11" would be just fine to the password checking algorithm.
Now I didn't really mind about having uppercase letters and digits in my password, but the email text was certainly braindead enough. Why didn't they just, instead of saying "You chose an insecure password, you fscking luser!", say "Your password does not meet the new and fancy security guidelines that we just pulled out of our ***es."?
But this was a minor WTF, anyway. The major WTF was: How the hell did they come by my password *in plaintext*, which was obviously required to perform this check *after* the password had been last set? Did they brute-force all the crypted passwords to obtain the plaintexts? Did they wait for each user to log in, then intercept the login password? I doubt it. Also, the latter would not work under a proper replay-safe challenge-response authentication scheme. My sneaky suspicion is that they just stored all passwords in plaintext, rather than the much more secure cryptographically strong, salted hash. Certainly makes life easier for hackers.
Admin
That, by itself, does not make them "good-as-plaintext". I'll take Unix as an example because I'm more familiar with it than with Windows. Let's say I hack into your "server-1" box. What do I need to take a glimpse of your /etc/passwd resp. /etc/shadow, where the password hashes are stored? Usually root access. Not always, of course, there could be security holes that allow me to see /etc/shadow without full root access, for instance a braindead or badly misconfigured FTP daemon running as root. (There are things like that, sigh...)
But apart from these exceptions - if I am root on your "server-1", I don't really need users' passwords anymore to do anything I like on this box. Let's say I'm interested in john_doe's account. As root, I can already do things like "ls -la /home/john_doe" to see his files, "su - john_doe" to get a shell, "passwd john_doe" to change his password, and so on. I could even manipulate the box so that john_doe can now log in with two different passwords, his own, and my privately made up one. But if the box uses proper password hashes, I cannot log in as john_doe on your "server-2", "server-3", "mail" and "whatever" boxes, even if john_doe uses the same password on all of them (not that unlikely, is it?). And even if his password contains his banking PIN, I cannot peruse his account. So basically having the local salted hash doesn't buy me much. And as far as the exceptions are concerned, that's a problem, but it's unsolvable if you use symmetric password verification. Because a symmetric scheme requires a shared secret which is not only necessary but sufficient for verification. The only way around this is to use asymmetric cryptography, IOW client certificates. Those are a very good idea if handled properly, but you'll find your users will rarely appreciate the added complexity of maintaining a certificate. And it's easy to misuse them in ways which eliminate most or all of their theoretical advantages, especially when the users could care less about strong authentication.
Now, hashing passwords has undeniable advantages if performed properly. Unfortunately, of course, Windows does not perform this properly, and this makes most of the theoretical advantages moot. Using hashes but then not using proper random salt values is a WTF in itself. It means that, as you wrote, the same hash will work on all other Windows servers where the same password was used, and it makes dictionary attacks very cheap. The only consolation is that the hashes won't work on systems that use an entirely different hashing algorithm (let's say Unix boxes).
I agree. Not only has MD4 been considered insecure for a while, but also it is not a good idea in applied cryptography to make an operation which is essential to certain brute-forcing attacks faster than necessary.
For example, assume a file is secured by a password that is somehow hashed with a random salt value to produce a 256-bit session key. Now if I only need to access this file once a day it doesn't matter to me whether the session key calculation takes one microsecond or 100ms on my system.
But an attacker who attempts to brute-force the file will almost certainly try to brute-force the password, which on average has much less than 256 bits of entropy, rather than the session key. And then, provided it cannot be broken otherwise, he needs to perform the session key computation for every single password he tries. So the difference between a fast and a slow computation will - for him - mean the difference between being able to try 10 password candidates a second, or one million.
So the slower algorithm will be 5 orders of magnitude harder to brute-force.
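The two points made in this reply and in the earlier "little known facts" comment (an unsalted hash lets one precomputed dictionary table crack every account and exposes password reuse, and a slow iterated KDF multiplies the attacker's cost per guess) worked through in an added Python example that is not from this thread. The wordlist, user table, the sha256 stand-in for MD4 and PBKDF2 as the slow scheme are all assumptions for illustration.

```python
"""Unsalted fast hashes vs. a salted slow KDF on a constructed toy user table.
sha256 stands in for the MD4 used by NT hashes and PBKDF2 for a slow scheme
such as APR-1/bcrypt; the argument about salt and per-guess cost is the same."""
import hashlib
import os

# Constructed wordlist and users, no real credentials.
WORDLIST = ["password", "letmein", "AAAabc123", "Foobar11", "iiyama"]
USERS = {"alice": "AAAabc123", "bob": "letmein", "carol": "AAAabc123"}
KDF_ITERATIONS = 100_000  # underlying hash calls an attacker pays per guess


def fast_hash(password, salt=b""):
    """h(n || p): one hash call per guess; unsalted when n is empty (NT-style)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_kdf(password, salt, iterations=KDF_ITERATIONS):
    """Iterated KDF: each guess costs `iterations` hash calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store(users, hasher, salted):
    """Build {user: (n, h)}; n is a fresh random salt per account, or empty."""
    db = {}
    for user, password in users.items():
        salt = os.urandom(16) if salted else b""
        db[user] = (salt, hasher(password, salt))
    return db


def shared_password_groups(db):
    """Equal digests expose accounts that share a password; salts hide this."""
    by_digest = {}
    for user, (_, digest) in db.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in by_digest.values() if len(g) > 1)


def dictionary_attack(db, wordlist, hasher):
    """Precompute a digest->word table per distinct salt and look up each
    account. Returns (cracked, guesses): one table of len(wordlist) guesses
    serves every unsalted account, while per-user salts force one per user."""
    tables, cracked, guesses = {}, {}, 0
    for user, (salt, digest) in db.items():
        if salt not in tables:
            tables[salt] = {hasher(word, salt): word for word in wordlist}
            guesses += len(wordlist)
        if digest in tables[salt]:
            cracked[user] = tables[salt][digest]
    return cracked, guesses


def compare_schemes(users=USERS, wordlist=WORDLIST):
    """Per scheme: (accounts cracked, guesses made, underlying hash calls)."""
    schemes = [("unsalted fast", fast_hash, False, 1),
               ("salted fast", fast_hash, True, 1),
               ("salted slow kdf", slow_kdf, True, KDF_ITERATIONS)]
    results = {}
    for name, hasher, salted, cost in schemes:
        cracked, guesses = dictionary_attack(store(users, hasher, salted), wordlist, hasher)
        results[name] = (len(cracked), guesses, guesses * cost)
    return results
```

With the toy wordlist every account falls in all three schemes, but the work goes from 5 hash calls (one shared table) to 15 (one table per salt) to 1.5 million (per-salt tables at 100,000 iterations each), which is the multiplier the reply above is arguing for.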
Admin
Brute forcing takes a fixed amount of time? I call bullshit on you!
Changing passwords does not save you from brute-force hacks, it only means that the passwords that could be obtained by brute forcing will stop working some time in the future. Often, though, it's not hard to manipulate the hacked account in such a way that you can obtain the new password as well or won't be needing it any more.
Admin
Admin
Thanks for the laugh, SkyProphet! I provide IT services to multiple companies, and have seen some very shabby practices. Your tale is classic! Several of my customers have formula passwords, so everybody knows everybody else's password by simple deduction.
At one place we serviced everybody had the same password, because they couldn't remember individual passwords!
Admin
It is good to hear lots of things about the password.
Admin
I always use the name of my secretary as my password. What's interesting is to see how many other people use that one, too...
Admin
Well I guess it's quite long... "the name of my secretary", 24 characters, or 20 if you don't use the spaces ;D
Admin
TRWTF is that they didn't remind people not to click Reply All.