Admin
Flogging a dead horse, perhaps? Wonder if they managed to get off all those spam lists in the end....
Admin
Yeah, good job sending an e-mail to your boss when he complains that he can't log into his e-mail!
Admin
He emailed his boss, not the client.
Admin
Yeah, I figured it was something like that but couldn't figure out why he would e-mail his own boss a lecture on password security.
And besides, I thought the clients were the boss ;-)
Admin
Am I missing something?
TFA says "He changed passwords as fast as he could type".
This is a guy who claims to be able to write scripts...
So why didn't he?
Admin
In a case like this, it's far easier to talk to your boss than the clients. Usually, the boss will have some more soothing language for the client than I would ("What the hell were you morons thinking?" would be the first thing out of my mouth :) )
Anyway, I'd usually tell the boss and let him deliver it to the client.
Admin
There were only 30 users; IMHO that's on the cusp between the time to do it by hand and the time to write and test a script.
Admin
Write a script to change passwords for only 30 users?
How fast can you write a script?
Admin
I see the users went back to their old passwords. This is where you go into ass-covering mode.
Admin
The only reason he should have written a script is because it looks like he's going to have to change everyone's password again...and again...and again.
Admin
To continue the WTF is why he was able to read their passwords. I would assume that's because the passwords weren't hashed (or if they were there was no salt modifier).
/sigh
Admin
mmhmm... nice assumption. note it was never stated that he read the passwords. He could have done something simple like logged on with the old password to check if it was changed to something different.
there's also password tools like john the ripper out there...
Admin
Deprived of their original password choice, the users began choosing alternates:
chains leather dominatrix spikeheels fishnet catoninetails spankmemama ...etc.
Admin
Since that particular password was obviously already compromised, it should not have been a big deal for him to specify that they couldn't use it again, and programmatically enforce that restriction.
In fact, given that he knew that spammers had cracked the site before, and would likely try again, he would have been well served to put in restrictions to prevent them from using dictionary words as passwords. In fact, I'd say given the circumstances that failure to do so was negligent, given that he did nothing of substance to try and prevent future attacks of the same kind.
Admin
He didn't write the software. It clearly states in the article that the software provided did not allow for any sort of password restrictions or rules. Given the tools he had, I wouldn't say he did anything negligent. Then again, maybe it was time for new tools.
Admin
One does not get off a spam list. Once a spammee, always a spammee.
Admin
ATTENTION:
The new global account password for WTF is: tnemmoc.
Admin
This is why I have a random password generator. Takes snippets from /usr/share/dict, slaps 'em together, ends it with two digits. I'd do more, and make it a more difficult password, but people complain about this, and instead of them following company policy on passwords (not my policy, comes from way higher up) back when I let people pick their own, they picked things like their kids' names, their spouses' names, and unhackable words like 'dog.'
Sometimes BOFH behavior is there to save people from themselves.
Admin
You know, even a spouse's name can be made somewhat more secure if people would only try a little harder. Let's use my login name as an example: I want my password to be KattMan, so I hax0r it into K477M4n, a mix of upper and lower case, with numbers and letters. I know it isn't really strong, but it isn't really easy either. Most basic users can remember most of these.
Admin
When I have to make new passwords for myself, the process goes like this:
Admin
What's the company's name/website? I need to... uh... email my grandmother...
Admin
[User takes gun, aims at toe, shoots] User: Hmmm, not quite what I had in mind. Tech: Don't aim at your foot! User: Let me try again. [Aims at next toe...]
Admin
Sounds like they suffered backscatter from all the NDRs, I doubt they "got signed up on lists" but more likely got flooded with NDRs and bounce messages.
Admin
After you get used to typing it subconsciously, NEVER TRY TO RECALL IT. If you do, you're screwed.
Admin
Some helpful facts
Fact #1: Password cracking is usually done by computer programs.
Fact #2: It is possible to write computer programs to do astonishing things such as find/replace, including the extraordinarily complex transform from regular text into 1337sp33k.
You're not making anything any better at all. Any dictionary attack won't be slowed down in the slightest by your inane encoding.
Admin
That's why it is important to enforce the policy on the server. Of course the BOFH policy here is to do something insane, like require 10 characters, at least 1 lower case, 1 upper case, 2 digits, and 2 special characters, maximum age of 30 days, and your passwords can't contain the same 4-character sequence as anything in your last 500 passwords.
Admin
TRWTF is a web host doing while-u-wait telephone tech support...
Admin
Sounds like this client was completely FLOGGED UP
Admin
Actually, it will. The typical attack program will first test a "common passwords" list (10,000 passwords or so), then a dictionary (100,000 words or so), then mangled versions of the first two (100,000,000 passwords or so). If they've got access to the hashed password list, it'll take ten seconds rather than a millisecond, but if they're attacking over the internet, it may delay things several months.
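An added illustration of the point made in this reply and in the "Some helpful facts" reply above (example code written for this page, not something any commenter posted): a few mangling rules of the kind a cracking tool applies, materialised over a constructed stand-in wordlist, plus a check that shows the K477M4n-style transform of a dictionary word still lands inside the candidate set. The wordlist, the substitution table and the two-trailing-digit allowance are assumptions; a real run would read /usr/share/dict/words and a much larger rule set.

```python
"""Added example: leet-speak mangling rules against a small dictionary.

Not code from the original thread. WORDLIST and LEET are constructed
stand-ins for /usr/share/dict/words and a cracker's rule file.
"""
import itertools
import re

# Constructed stand-in for a real dictionary file.
WORDLIST = ["password", "dog", "kattman", "leather", "chains", "welcome"]

# Per-letter substitutions a typical mangling rule set tries (assumed subset).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}


def variants(word):
    """Yield every case/leet variant of `word` (what a mangling rule does)."""
    choices = []
    for ch in word.lower():
        alts = {ch, ch.upper()}
        alts.update(LEET.get(ch, ""))
        choices.append(sorted(alts))
    for combo in itertools.product(*choices):
        yield "".join(combo)


def build_candidates(wordlist):
    """Materialise the mangled dictionary, as a cracker does before hashing."""
    return {v for w in wordlist for v in variants(w)}


def is_crackable(password, candidates, max_suffix_digits=2):
    """True if `password` is a mangled word followed by at most N digits.

    This is the check the thread's college background cracker would run:
    strip a short numeric suffix, then look the base up in the candidate set.
    """
    base, digits = re.fullmatch(r"(.*?)(\d*)", password).groups()
    return len(digits) <= max_suffix_digits and base in candidates


if __name__ == "__main__":
    cands = build_candidates(WORDLIST)
    print(f"{len(WORDLIST)} words expand to {len(cands)} mangled candidates")
    for pw in ["KattMan", "K477M4n", "D0g42", "password123"]:
        print(f"{pw:>14}: {'crackable' if is_crackable(pw, cands) else 'not in set'}")
```

Six words expand to several thousand candidates, which is why a 1337 rewrite of a dictionary word buys nothing offline: the rule set, not the human, does the substitution. Online, as the reply notes, the same list is merely slower to get through.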
Admin
If that system is only halfway decent and has a method to set the passwords on the command line, it should be something like
I'd never do something by hand for more than, say, 10 recurrences. It's just much too easy to get distracted or make typos. And the above snippet, written in one line, takes no longer than 10 seconds or so to type.
Admin
Back when I was in college the main system that people had shell/email accounts on used to run a background process which would actively try to hack people's passwords using dictionary attacks, etc. If your password proved to be vulnerable in this way then you were forced to change it ASAP or your account would be deactivated. I always thought this was a pretty slick way of enforcing password security (more than, say, artificial "complexity" requirements).
Admin
Passwords are very sensitive. Write a script that does something seriously wrong one time, and you'll start testing all your scripts. It only makes sense, especially if the consequences of a screwed up script will cause major issues.
Admin
I don't think so... 5 or 6 users is the threshold. In ksh, I would just type this into the shell:
$ while read username filler; do
Obviously you have to figure out how to generate the new passwords (assigning the same pass to each user isn't good), but you have to do that anyway, so I don't subtract that time from this method.
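The part this reply says "you have to figure out" anyway, as an added example (written for this page, not posted by anyone in the thread): assign each of the thirty users a distinct random password in the two-words-plus-two-digits style the earlier generator comment describes, refuse the compromised shared value so nobody is handed it back, and emit the `user:password` lines that chpasswd(8) reads on stdin. The user list, the stand-in wordlist and the single banned password are constructed; a real run would read /usr/share/dict/words and the site's actual account list.

```python
"""Added example: bulk reset with distinct per-user passwords.

Not code from the original thread. USERS, WORDS and COMPROMISED are
constructed stand-ins; output is in the `user:password` form chpasswd(8)
accepts on stdin.
"""
import math
import secrets

USERS = ["alice", "bob", "carol"]                    # constructed stand-in
WORDS = ["copper", "violet", "harbor", "timber",     # stand-in for /usr/share/dict
         "meadow", "quartz", "saddle"]
COMPROMISED = {"flog"}                               # the shared password from the story


def generate_password(words, digits=2):
    """Two dictionary words plus `digits` random digits, using the CSPRNG."""
    w1, w2 = secrets.choice(words), secrets.choice(words)
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return f"{w1}{w2}{suffix}"


def assign_passwords(users, words, banned, max_attempts=1000):
    """Map each user to a fresh password that is unique and not in `banned`."""
    assigned, seen = {}, set()
    for user in users:
        for _ in range(max_attempts):
            pw = generate_password(words)
            if pw not in banned and pw not in seen:
                assigned[user] = pw
                seen.add(pw)
                break
        else:
            raise RuntimeError(f"could not find an unbanned password for {user}")
    return assigned


def chpasswd_lines(assigned):
    """Lines to pipe into `chpasswd` (assumed target; adapt for other tools)."""
    return [f"{user}:{pw}" for user, pw in assigned.items()]


def entropy_bits(word_count, digits=2):
    """Search space of the two-words-plus-digits scheme, in bits."""
    return math.log2(word_count ** 2 * 10 ** digits)


if __name__ == "__main__":
    plan = assign_passwords(USERS, WORDS, COMPROMISED)
    print("\n".join(chpasswd_lines(plan)))
    print(f"stand-in list: {entropy_bits(len(WORDS)):.1f} bits; "
          f"100k-word dictionary: {entropy_bits(100_000):.1f} bits")
```

The banned set is the hook for the "couldn't use it again" point made earlier: add the old shared value (and, if the hashes ever leak, anything already cracked) and the generator will never hand it out. The entropy helper makes the other caveat visible: seven stand-in words give about 12 bits, a real hundred-thousand-word dictionary about 40, so the scheme is only as good as the wordlist behind it. Deliver the new passwords out of band; do not mail them to the mailbox whose password just changed.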
Admin
You are completely correct. Good catch.
Admin
I remember when I was in college we went through student orientation. At one point we had to pick a username and password. We had requirements on the password: it had to be 8 characters, no dictionary words, etc. The instructor gave an example: use your initials followed by your zip code. So, for instance, you'd end up with something like ABC12345. I picked a password (not my initials and zip code) and went on thinking nothing of it. A couple of years later I saw my friend logging in. I noticed he hit 3 letters, then the rest of the password was numbers. So I said, hey, is your password your initials and zip code? Yep, he said, how did you know? And it gets worse: the university had a student directory available to the public that showed first, middle, and last names as well as address. And it had a really great search feature. You could find any student you wanted and get the initials and zip code in no time. I was curious and picked a handful of students at random and tried logging in with the initials-and-zip-code password, and the success rate was over 50%. It seems that every year each orientation group was given the same password example. Talk about killing password security.
Admin
Point taken. Guess I hadn't had enough coffee to kick start my brain. Just seemed odd to me still...
Admin
Pretty much anyone who has ever scripted already has a password changing script written... It's usually one of the first scripts you write
Admin
Or, if he could write the script faster than he could generate, record, and set thirty users' passwords--I know I could (at least, with a system that has decent command line tools). I learned a long time ago that scripting is not merely for reuse, it is also for speed.
Admin
You're all assuming the email system is scriptable... (or at least easily scriptable).
Admin
Our university claimed to do this, but then a few people got their hands on the password list and started cracking it themselves (purely as an educational exercise). The first one took about 20 minutes; within a day or two they had a couple of dozen, including a couple of staff accounts (this was back in the day, when cracking more than 1 pw/day was pretty good).
Admin
I love mashed up song lyrics for passwords: i@M+th3_m4||-1n+t|-|E_|30x!
Feel free to use that one.
Admin
The policy you have listed is only a slight exaggeration of the current password policy at my place of employment. Just when you start to remember the incredibly complex password you carefully crafted to meet the requirements, it is time to change it again... and forget about using any of the ones you spent so much time making in the past.
Admin
Why is everyone assuming it's (easily) possible to write a script for whatever arcane email solution they're using?
Depending on how important it is, my password is a 20-some character long alphanumeric string, including my very first dial-up password, PIN number, D&D monster and first student number. Used only for important TrueCrypt files and laptop passwords.
vereor me!
Admin
Nothing to be lost by simply setting all of their passwords to the same value, again, and then requiring them to change them. UPDATE Users SET Password = 'tchaynje m3'
At least on SQL-backed systems (which most email software is capable of)...
Admin
Heh. The joke's on the BOFH, because those insane requirements actually make the system less secure. If I know that the minimum password length is 10 characters, and has at least 2 digits, 2 special characters, 1 uppercase, and 1 lowercase letter, I suddenly have a lot fewer permutations to brute force than if the BOFH simply disallowed dictionary words and set the minimum password length to, say, 5-6 characters.
Admin
My effing god!!!! If there was ever a case where the public good demanded that the offender's identity be revealed...
"We'll all share the same password, 'flog'"?!?!?!
These imbeciles should be beaten with large blunt objects if they EVER venture too close to a computer again! And for their own good too, how long until everyone in Nigeria knows their credit card numbers?
As good netizens is it ethical to allow these plagues upon the entire internet community to continue their destructive ways?