• sol (unregistered)

    Dude, you mispelled rain.

  • (cs)

    Brillant. Now THAT's a security problem!

  • sol (unregistered)

    Okay, I cannot help myself. WTF, why have a login at all?

  • Zxaos (unregistered)

    Why? Because they obviously need to track which actions were taken by which users. It's critically important that they know exactly what was done by whom.

  • (cs) in reply to sol
    sol:
    Okay, I cannot help myself. WTF, why have a login at all?
    Minimum password length requirement? That, of course, would be The Real WTF(tm).
  • da1l6 (unregistered)

    This is really worse than failure.

    Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.

    Argument: "What if user X gets ill and we need one of his files?"

  • (cs)

    Talking about security, you don't need a captcha to register an account.

    See, that's irony too.

  • AdT (unregistered)

    No one can deny that the best way to prevent thieves from breaking open the front door is...

    to remove the front door.

  • (cs)

    In my last job search I found myself explaining to a headhunter that I wanted something challenging. She informed me that the job I was being recruited for was maintaining a VB6 application with a codebase Microsoft had said was 'the biggest they have seen'.

    Not quite the challenge I was looking for....

  • Kinglink (unregistered) in reply to Poltras
    Poltras:
    Talking about security, you don't need a captcha to register an account.

    See, that's irony too.

    Just make sure you need a captcha to do anything with the account, even switch pages, and you win!

    Captcha: Atari, which didn't use Captcha, and thus was insecure.

  • (cs)

    Uh. Yeah. And when the password expires (for security reasons), add a "1" at the end. In 60 days, that changes to a "2".

    But that won't be necessary if you'd only change the timeout to a few hours.

  • Bob (unregistered)

    Some people live in small villages where the crime rate is near zero. These people do, indeed, leave their doors unlocked, if not open.

    Security is about risk management -- there is a convenience cost with every security measure so obviously one weighs up the pros and cons and surely any entity should be entitled to make these decisions with their own possessions.

  • dude (unregistered)

    So the superuser wasn't saying, just make the timeout longer, since security is already a joke?

  • (cs) in reply to jimlangrunner
    jimlangrunner:
    Uh. Yeah. And when the password expires (for security reasons), add a "1" at the end. In 60 days, that changes to a "2".

    I tried that, but after several months it took an increasing number of tries to get the right number (and I got locked out several times). Now I just append the name of the current month. Works great.

  • Rob (unregistered)

    "It's like rain on your wedding day" is one of the few things in that song that is actually ironic.

    Hint: rain on your wedding day is supposed to be good luck.

  • (cs)

    Hey, what's the problem?

    We have physical locks on our building. Everyone has a copy of the same key.

    (Edit: because I know some people are as oblivious to sarcasm in text as I am, I'm not being serious here.)

  • Pob (unregistered)

    So... where's the irony?

    And they probably have a username/password system because they thought they'd need it, but then realised it wasn't necessary, but are keeping it around in case they change their minds.

    How about an actual What The Fuck?

  • Fub (unregistered)

    Last week, I was at the client, installing our system. They wanted to test it. Because user permissions depend on their department, they needed to test as various users from various departments to see if the permissions were set correctly. The solution? Call around and ask a few people for their passwords. Which they gave. Over the phone. Which was then written down for easy reference.

  • Jimbo (unregistered)

    I work on bank software and have gotten this same message.

    I've also gotten this one. "Could you please up the number of login fails before lockout? Our whole office uses the same login and the new girl in the morning always seems to lock everyone out for the whole day."

    They HAVE a login for each user there. They just all insist on using the same one.

    /me shakes with rage.

  • ASDF (unregistered)

    Face goes to palm.

  • (cs) in reply to da1l6
    da1l6:
    This is really worse than failure.

    Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.

    Argument: "What if user X gets ill and we need one of his files?"

    I had a similar experience when I started at a new job, except it extended to everyone must have the same voice mail password.

    So I started setting up new accounts with the parameters that you must change your password upon first login. I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.

  • AdT (unregistered) in reply to gsmalleus
    gsmalleus:
    So I started setting up new accounts with the parameters that you must change your password upon first login. I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.

    Sorry, that's like fighting mosquitoes with nuclear bombs. The gnat's dead, but no one's there to enjoy it.

    The consequence of all this is usually that demand for Post-it(R) surges as everyone sticks his current password to the bottom edge of his computer screen because nobody is able (or willing) to memorize a new letter-number-combination every 14 days.

    Furthermore, this reminds me of a sad episode at University, when I got an auto-generated mail to "Please the f*** change your insecure password or else!" (the exact phrasing may have differed) because it, a dice-generated string of 8 lower-case letters and numbers, did not contain an upper-case letter. "Tuesday1" would have been perfectly acceptable, though, as far as the rules described in this mail were concerned.

  • david (unregistered) in reply to gsmalleus
    gsmalleus:
    I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.

    That is a wtf right there. By adding password expirations, you've virtually guaranteed that everyone will write their password down instead of memorizing it. The only purpose of making passwords expire is if you think people will have their passwords compromised. You should really rethink that policy.

  • Frostcat (unregistered) in reply to da1l6
    da1l6:
    This is really worse than failure.

    Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.

    Argument: "What if user X gets ill and we need one of his files?"

    Last place I worked, the custom app we used, and that I worked on, had an option, just like Windows accounts, to force you to change your password on next login. So when we'd get change reqs, we'd set the password to the userid, and check the box. No problem. The argument about user X's files was irrelevant, because anything that would've been stored as a file outside the app would be accessible via NTFS perms.

  • Frostcat (unregistered) in reply to Jimbo
    Jimbo:
    I work on bank software and have gotten this same message.

    I've also gotten this one. "Could you please up the number of login fails before lockout? Our whole office uses the same login and the new girl in the morning always seems to lock everyone out for the whole day."

    They HAVE a login for each user there. They just all insist on using the same one.

    /me shakes with rage.

    There's a good-sized WTF right there. There's no app-based solution, though. You have an HR problem, requiring an HR solution: "effective immediately everyone will use their own login on pain of immediate termination."

    Well, maybe you give 'em a grace period.

  • Frostcat (unregistered) in reply to AdT
    AdT:
    Furthermore, this reminds me of a sad episode at University, when I got an auto-generated mail to "Please the f*** change your insecure password or else!" (the exact phrasing may have differed) because it, a dice-generated string of 8 lower-case letters and numbers, did not contain an upper-case letter. "Tuesday1" would have been perfectly acceptable, though, as far as the rules described in this mail were concerned.

    The Real WTF here, of course, is that they could see your password unencrypted.

  • (cs) in reply to david
    david:
    gsmalleus:
    I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.

    That is a wtf right there. By adding password expirations, you've virtually guaranteed that everyone will write their password down instead of memorizing it. The only purpose of making passwords expire is if you think people will have their passwords compromised. You should really rethink that policy.

    I agree, and yet every company feels this is the proper policy, not realizing that by following it, they are lowering their security rather than raising it.

    Yes make sure that passwords and user names don't match. Yes allow some complexity, but auto expirations are not necessary.

    Honestly, when was the last time you had to change the PIN on your ATM card? Now when was the last time that PIN was compromised? This will tell you how important expiring passwords are.

  • (cs)

    Long session timeouts are a problem too.

    The mail program the company I work for uses has a dedicated client and a web client. The session timeout is 24 hours, and for security reasons, you are only allowed to log in from one place at a time.

    The web client stores the login information in a session cookie. Guess what happens if your web browser crashes while you're logged in, or you close the browser without logging out?
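The failure mode in the comment above (one session per user, a long timeout, and a browser that dies without logging out) comes down to what the server does when a second login arrives while an old session is still alive. The following is an added example, not code from the thread or from the mail client being described; the timeouts, the token format and the two policy names are assumptions chosen for illustration. It keeps the one-session-per-user rule but shows the difference between refusing the new login and superseding the orphaned session.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle timeout, an absolute lifetime and a
    one-session-per-user rule. `policy` decides what a second login does:
    'reject' turns it away (the behaviour in the comment above), 'supersede'
    revokes the older session and lets the new login in."""

    def __init__(self, idle_timeout, absolute_timeout, policy="supersede",
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.policy = policy
        self.clock = clock                    # injectable for deterministic tests
        self.sessions = {}                    # token -> {"user", "created", "last_seen"}

    def _alive(self, s, now):
        return (now - s["last_seen"] < self.idle_timeout
                and now - s["created"] < self.absolute_timeout)

    def _active_tokens(self, user, now):
        return [tok for tok, s in self.sessions.items()
                if s["user"] == user and self._alive(s, now)]

    def login(self, user):
        """Return a fresh session token, or None if the login is refused."""
        now = self.clock()
        for tok, s in list(self.sessions.items()):   # garbage-collect dead sessions
            if not self._alive(s, now):
                del self.sessions[tok]
        existing = self._active_tokens(user, now)
        if existing and self.policy == "reject":
            return None                               # "already logged in elsewhere"
        for tok in existing:                          # supersede: the old token dies now
            del self.sessions[tok]
        tok = secrets.token_urlsafe(32)
        self.sessions[tok] = {"user": user, "created": now, "last_seen": now}
        return tok

    def touch(self, token):
        """Validate a token on each request and extend its idle timer."""
        now = self.clock()
        s = self.sessions.get(token)
        if s is None or not self._alive(s, now):
            self.sessions.pop(token, None)
            return False
        s["last_seen"] = now
        return True

    def logout(self, token):
        self.sessions.pop(token, None)


def demo_browser_crash(policy):
    """Log in, 'crash' the browser a minute later without logging out, log in again.
    Returns (second login accepted?, orphaned first session still valid?)."""
    t = [0.0]                                          # constructed fake clock, seconds
    store = SessionStore(idle_timeout=1800, absolute_timeout=86400,
                         policy=policy, clock=lambda: t[0])
    first = store.login("alice")
    t[0] += 60.0
    second = store.login("alice")
    return second is not None, store.touch(first)


def demo_idle_expiry():
    """With 'reject', the user gets back in only once the orphaned session idles out."""
    t = [0.0]
    store = SessionStore(idle_timeout=1800, absolute_timeout=86400,
                         policy="reject", clock=lambda: t[0])
    store.login("alice")
    t[0] += 1801.0
    return store.login("alice") is not None


if __name__ == "__main__":
    print("reject:   ", demo_browser_crash("reject"))      # (False, True)
    print("supersede:", demo_browser_crash("supersede"))   # (True, False)
    print("idle expiry unblocks:", demo_idle_expiry())     # True
```

With 'reject' the user is shut out until the orphaned session idles out, and the stale token stays valid for the whole idle window, which is the worst of both worlds. 'Supersede' still enforces a single live session, but the most recent login wins, so a crash costs one extra login and the old token is dead the moment the new one is issued. A short idle timeout (here 30 minutes) is what actually bounds the exposure of a forgotten session; the 24-hour figure is the absolute lifetime, not the idle one.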

  • Sgt. Preston (unregistered) in reply to Rob
    Rob:
    "It's like rain on your wedding day" is one of the few things in that song that is actually ironic.

    Hint: rain on your wedding day is supposed to be good luck.

    If you are of a superstitious bent, you might believe that rain on your wedding day will bring good luck, but since no one wants to be rained on during his wedding, rain on your wedding day IS bad luck. I'm not convinced that Ms Morissette had this superstition in mind anyway, since everything else that she calls ironic in her song is simply a bummer. She just needs a dictionary.

  • (cs) in reply to Jimbo
    Jimbo:
    I work on bank software and have gotten this same message.

    I've also gotten this one. "Could you please up the number of login fails before lockout? Our whole office uses the same login and the new girl in the morning always seems to lock everyone out for the whole day."

    They HAVE a login for each user there. They just all insist on using the same one.

    /me shakes with rage.

    OK, so the real WTF there is not that they use the same account (hey, if it's an account for checking out the lunch menu, does it really matter?) but the fact the entire thing is just begging to get DoS'ed...

    I work at a large software vendor, and here, your account gets locked out if you type in the wrong password three times in a row. And I mean locked out, not temporarily disabled. So just 'mistype' your username to be someone appropriate, and enter a real (or fake, whatever..) password three times...
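The lockout-as-denial-of-service point in the comment above, as an added example that is not part of the thread and not the vendor's code: a login service that locks an account permanently after three failures keyed on the username alone, next to one that keys its counter on (source address, username) and lets failures expire. The credential table, addresses, limits and 15-minute window are constructed for the demo; a real service compares against a salted hash and persists the counters.

```python
import time
from collections import defaultdict, deque

# Constructed credential table (plaintext only to keep the demo short;
# real code compares against a salted hash).
USERS = {"alice": "correct horse", "bob": "battery staple"}


class HardLockoutLogin:
    """Permanent lockout after max_failures bad attempts, keyed on the
    username alone. This is the policy the comment above describes."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password, source_ip):
        if username in self.locked:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)      # nobody can use this account now
        return "denied"


class ThrottledLogin:
    """Failures are keyed on (source_ip, username) and expire after `window`
    seconds, so a third party typing the wrong password cannot lock the real
    user out, and a throttled key unlocks itself without a help-desk call."""

    def __init__(self, max_failures=5, window=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                 # injectable for deterministic tests
        self.failures = defaultdict(deque) # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()

    def login(self, username, password, source_ip):
        now = self.clock()
        key = (source_ip, username)
        self._prune(key, now)
        if len(self.failures[key]) >= self.max_failures:
            return "throttled"             # refuse before even checking the password
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key].append(now)
        return "denied"


def demo_hard_lockout():
    """Three wrong guesses from one machine, then the real user with the right password."""
    svc = HardLockoutLogin(max_failures=3)
    for _ in range(3):
        svc.login("alice", "guess", "10.0.0.9")
    return svc.login("alice", "correct horse", "10.0.0.2")   # "locked"


def demo_throttled():
    """Same attack against the throttled service, then the window elapsing."""
    t = [0.0]                                                # constructed fake clock
    svc = ThrottledLogin(max_failures=3, window=900.0, clock=lambda: t[0])
    for _ in range(3):
        svc.login("alice", "guess", "10.0.0.9")
    attacker = svc.login("alice", "correct horse", "10.0.0.9")  # "throttled"
    victim = svc.login("alice", "correct horse", "10.0.0.2")    # "ok"
    t[0] += 901.0
    attacker_later = svc.login("alice", "guess", "10.0.0.9")    # "denied", not "throttled"
    return attacker, victim, attacker_later


if __name__ == "__main__":
    print("hard lockout:", demo_hard_lockout())
    print("throttled:   ", demo_throttled())
```

Two caveats a practitioner would raise: keying on the source address lumps everyone behind one NAT together and does nothing against an attacker with many addresses, so it is usually combined with a per-account cap that is temporary rather than permanent; and the throttled path refuses even the correct password, which is intentional, because responding differently would leak whether a guess was right.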

  • YourMoFoFriend (unregistered)

    Why is everyone bashing the users for their "insecure" environments? After all, it's THEIR system, THEIR rules and THEY are stuck working with it every day. Our job is to build what they want to THEIR specifications, inform them of the risks and then STFU.

  • Anon (unregistered)

    Although the original post was about an internal system, we've had software that we've used from other companies that insists on expiring passwords when we really don't need them for our application (they usually sell to customers that really need strict audit trails), and they won't disable it for us. As a result we generally have one password, written on a post-it and stuck to the monitor.

  • (cs)

    The big stick came out here a few years ago when we came aboard and got serious about security. Yes, everybody changed their passwords monthly, but we discovered the convention everyone used was [user_first_name][month_number], so if I wanted to log in as "Joe" today I would've used the password "Joe06".

    It took a while to get everyone on board, and we actually had to outlaw that password pattern for our words to take effect, but it's a lot better now.
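Two comments in this thread describe the same weakness in character-class password rules: AdT's university rejected a dice-generated 8-character lower-case string while accepting "Tuesday1", and webhamster's site had to outlaw the [first_name][month] pattern explicitly. The following is an added example, not code from the thread or from either site: the naive class rule beside a check that estimates entropy and then runs the pattern tests that actually catch those two cases. The wordlist, the sample usernames and first names, and the 36-bit threshold are constructed assumptions for the demo.

```python
import math
import re

# Constructed wordlist; a real check loads a cracking dictionary of millions of entries.
COMMON_WORDS = {"tuesday", "password", "welcome", "summer", "letmein", "monday"}


def naive_complexity_ok(password):
    """The class-based rule AdT's university applied: at least 8 characters with
    a lower-case letter, an upper-case letter and a digit. It passes
    'Tuesday1' and fails a dice-generated lower-case/digit string."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def estimated_bits(password):
    """Entropy if every character were drawn uniformly from the union of the
    character classes present. Accurate for random strings, far too generous
    for words, which is why check_password also runs pattern checks."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, username, first_name, min_bits=36.0):
    """Return a list of reason codes; an empty list means the password is accepted.
    min_bits=36 is an assumed threshold, not a figure from the thread."""
    reasons = []
    if password.lower() == username.lower():
        reasons.append("same_as_username")            # the username==password accounts
    m = re.fullmatch(r"([A-Za-z]+)\d{0,4}", password)
    if m and m.group(1).lower() in COMMON_WORDS:
        reasons.append("word_plus_digits")            # Tuesday1, Password2, ...
    if re.fullmatch(re.escape(first_name) + r"\d{1,4}", password, re.IGNORECASE):
        reasons.append("name_plus_number")            # Joe06, Joe07, ...
    if estimated_bits(password) < min_bits:
        reasons.append("low_entropy")
    return reasons


if __name__ == "__main__":
    # Constructed sample accounts: (password, username, first name)
    samples = [("Tuesday1", "student42", "Pat"), ("k7m2qx9d", "student42", "Pat"),
               ("Joe06", "joe", "Joe"), ("jsmith", "jsmith", "John")]
    for pw, user, name in samples:
        print(f"{pw:10} naive={naive_complexity_ok(pw)!s:5} "
              f"bits={estimated_bits(pw):5.1f} reasons={check_password(pw, user, name)}")
```

Note that the entropy estimate alone would rank "Tuesday1" (about 47.6 bits, three classes) above the dice-generated "k7m2qx9d" (about 41.4 bits, two classes); it is the dictionary and name-pattern checks that reverse the verdict, and a real deployment would also reject the last few passwords the user had, which is the history rule gsmalleus mentions.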

  • Obvious man. (unregistered) in reply to Sgt. Preston

    Did you miss the part where the song is entitled 'Ironic'?

  • (cs) in reply to YourMoFoFriend
    YourMoFoFriend:
    Why is everyone bashing the users for their "insecure" environments? After all, it's THEIR system, THEIR rules and THEY are stuck working with it every day. Our job is to build what they want to THEIR specifications, inform them of the risks and then STFU.
    And where do they complain when something goes wrong? When they lose their files? When they can't log in, because their account is locked out? That's right, they complain to us. So no, it's not their system. It's our system, because we have to take the shit when it (read: they) fails.
  • been there (unregistered) in reply to YourMoFoFriend

    Personally, I'd like to see security as follows:

    -Thumb fingerprint scanner at main entrance door (change thumb-print every 3 months, but no duplicates for at least 9 months)

    -Retina scan to get onto your computer (change retina-print every three months, but no duplicates for at least 9 months: seeing eye dogs allowed to substitute for user with proper authorization)

    -DNA scan to start each application (spousal and offspring authorization permitted with at least n matching genes)

    </sarcasm>
  • (cs) in reply to been there
    been there:
    Personally, I'd like to see security as follows:

    -Thumb fingerprint scanner at main entrance door (change thumb-print every 3 months, but no duplicates for at least 9 months)

    -Retina scan to get onto your computer (change retina-print every three months, but no duplicates for at least 9 months: seeing eye dogs allowed to substitute for user with proper authorization)

    -DNA scan to start each application (spousal and offspring authorization permitted with at least n matching genes)

    </sarcasm>

    If your spouse has a certain number of matching genes, I would worry about your family tree.

    But yes, this actually demonstrates the "changing passwords" fallacy.

  • (cs)

    Does it count as ironic that a song titled such has little to no ironic content?

    Also, no-one has mentioned dancing on a plane yet? I'm disappointed :P

  • Stater of the Obvious (unregistered) in reply to Sgt. Preston

    ... but that's the irony of the song. It's a song about irony, but doesn't ever give a good example of irony. If that's not ironic I don't know what is.

  • (cs) in reply to AdT
    AdT:
    gsmalleus:
    So I started setting up new accounts with the parameters that you must change your password upon first login. I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.

    Sorry, that's like fighting mosquitoes with nuclear bombs. The gnat's dead, but no one's there to enjoy it.

    The consequence of all this is usually that demand for Post-it(R) surges as everyone sticks his current password to the bottom edge of his computer screen because nobody is able (or willing) to memorize a new letter-number-combination every 14 days.

    Furthermore, this reminds me of a sad episode at University, when I got an auto-generated mail to "Please the f*** change your insecure password or else!" (the exact phrasing may have differed) because it, a dice-generated string of 8 lower-case letters and numbers, did not contain an upper-case letter. "Tuesday1" would have been perfectly acceptable, though, as far as the rules described in this mail were concerned.

    I never said what the exact policies were.

    Expirations: 1 year. Complexity: at least 7 characters containing numbers and letters

    This is not overkill.

    I never said anything about every 14 days. That is overkill.

  • (cs) in reply to gsmalleus
    gsmalleus:
    I never said what the exact policies were.

    Expirations: 1 year. Complexity: at least 7 characters containing numbers and letters

    This is not overkill.

    I never said anything about every 14 days. That is overkill.

    Honestly, give me one reason why you would force a random password change?

    In case of breach? Well, if it isn't breached, why change it? If you ever find a breach? Then you change it right away, not wait for the schedule.

    I have never once heard a good reason for it. Most of the time I simply hear, "It's policy" and no one knows why. Yeah yeah, and the earth is flat, and the moon is made of green cheese.

  • Fandango (unregistered) in reply to webhamster

    So, you get "Joea", "Joeb", ...? Or "onejoe", "twojoe", ...?

    As others have already said, password expiration seems ineffective and counter-productive. More work for the end-user does not translate into more work for the would-be intruder.

  • Unklegwar (unregistered)

    The REAL Wtf is that no one seems to know WTF Irony is. And some even write songs about it.

    Jake, your example about the re-assuring comment, NOT irony. A mistake != irony. Misjudging appropriateness != Irony.

  • (cs) in reply to Unklegwar
    Unklegwar:
    The REAL Wtf is that no one seems to know WTF Irony is. And some even write songs about it.

    Jake, your example about the re-assuring comment, NOT irony. A mistake != irony. Misjudging appropriateness != Irony.

    And you, sir, also seem not to understand it, although you might.

    While a mistake is not irony, it could be ironic depending on the mistake made, and while inappropriate comments or actions may not be ironic, an ironic situation could be the result of an inappropriate action or comment.

    It is essentially the same as saying a rectangle is not a square, and while that is true, this does not mean that a square is not a rectangle, because a square is a rectangle.

    Irony is not the result of the intended. The email stated previously was not ironic from the writer's viewpoint, but it could be ironic depending on the result for the reader, or maybe not. Irony depends on more than an isolated comment; irony relies on the intended result as opposed to the actual effect, and usually results in something unwanted.

  • YourMoFoFriend (unregistered) in reply to freelancer
    freelancer:
    YourMoFoFriend:
    Why is everyone bashing the users for their "insecure" environments? After all, it's THEIR system, THEIR rules and THEY are stuck working with it every day. Our job is to build what they want to THEIR specifications, inform them of the risks and then STFU.
    And where do they complain when something goes wrong? When they lose their files? When they can't log in, because their account is locked out? That's right, they complain to us. So no, it's not their system. It's our system, because we have to take the shit when it (read: they) fails.
    They complain to those who they pay for the support. And if it's you, then please take the money, do the work and STFU. Oh, yeah, didn't I say "INFORM THEM OF THE RISKS"? Right, I did. And if that's the risk they are willing to take... so be it, you just charge them more for your services since the risk is higher.
  • (cs) in reply to da1l6
    da1l6:
    Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.
    I've had the same for the source code repository at a place where I used to work, and though I never tried it, I bet at least half the people were too lazy to change their password. The kicker is in what we were doing: programming ATMs. I am quite certain I could have smuggled a "jackpot mode" into the code using someone else's login so they would appear to be the culprit.
  • Jesse (unregistered)

    Interesting - I was just thinking about this song and how the situations she mentions really aren't ironic. A perfect example of irony is portrayed in the Twilight Zone episode "Time Enough at Last": a man is constantly seeking time to have quiet to himself so he can read and eventually decides to lock himself in a vault. While in the vault, nuclear fallout takes place and he is safe inside the vault. After getting out and realizing what has happened, he is happy to know that there is "time enough at last" to do his reading. Then he breaks his glasses.

  • (cs)

    Even though the security is a joke, there's still a potentially good reason to deny superuser's request and keep timeouts relatively short (like 20 min to an hour): if periodic maintenance requires exclusive use of some resource like a database, you don't want Basement Bob's logged-in but unattended machine preventing it for some ridiculously long period of time.

  • Jason (unregistered)

    I don't see the irony.

    What might make it ironic is if every time someone logged in with the same user/pass it invalidated everyone else's session with the same user/pass combination, thus the problem isn't session timeout length but instead the simple fact that they're all sharing one login. Sure, I'm reading way into it.. but otherwise, I see no real irony. Just stupidity. :l

  • stupid old me (unregistered) in reply to da1l6
    da1l6:
    This is really worse than failure.

    Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.

    Argument: "What if user X gets ill and we need one of his files?"

    Ha ha, that sounds like a place I worked! And I once went to help a woman who said her password wasn't working. After investigating, I was not making any progress into the problem until she said "But, see, if I type in the word password, it lets me in!!!" Doh!

Leave a comment on “It's Like Raiiiiiin”
