Admin
Dude, you mispelled rain.
Admin
Brillant. Now THAT's a security problem!
Admin
Okay, I cannot help myself. WTF, why have a login at all?
Admin
Why? Because they obviously need to track which actions were taken by which users. It's critically important that they know exactly what was done by whom.
Admin
This is really worse than failure.
Sadly I experienced something similar at a small institution where all newly created user accounts were set up with username==password. Most users refuse to change the password.
Argument: "What if user X gets ill and we need one of his files?"
Admin
Talking about security, you don't need a captcha to register an account.
See, that's irony too.
Admin
No one can deny that the best way to prevent thieves from breaking open the front door is...
to remove the front door.
Admin
In my last job search I found myself explaining to a headhunter that I wanted something challenging. She informed me that the job I was being recruited for was maintaining a VB6 application with a codebase Microsoft had said was 'the biggest they have seen'.
Not quite the challenge I was looking for....
Admin
Just make sure you need a captcha to do anything with the account, even switch pages, and you win!
Captcha: Atari, which didn't use Captcha, and thus was insecure.
Admin
Uh. Yeah. And when the password expires (for security reasons), add a "1" at the end. In 60 days, that changes to a "2".
But that won't be necessary if you'd only change the timeout to a few hours.
Admin
Some people live in small villages where the crime rate is near zero. These people do, indeed, leave their doors unlocked, if not open.
Security is about risk management -- there is a convenience cost with every security measure so obviously one weighs up the pros and cons and surely any entity should be entitled to make these decisions with their own possessions.
Admin
So the superuser wasn't saying, just make the timeout longer, since security is already a joke?
Admin
I tried that, but after several months it took an increasing number of tries to get the right number (and I got locked out several times). Now I just append the name of the current month. Works great.
Admin
"It's like rain on your wedding day" is one of the few things in that song that is actually ironic.
Hint: rain on your wedding day is supposed to be good luck.
Admin
Hey, what's the problem?
We have physical locks on our building. Everyone has a copy of the same key.
(Edit: because I know some people are as oblivious to sarcasm in text as I am, I'm not being serious here.)
Admin
So... where's the irony?
And they probably have a username/password system because they thought they'd need it, but then realised it wasn't necessary, but are keeping it around in case they change their minds.
How about an actual What The Fuck?
Admin
Last week, I was at the client, installing our system. They wanted to test it. Because user permissions depend on their department, they needed to test as various users from various departments to see if the permissions were set correctly. The solution? Call around and ask a few people for their passwords. Which they gave. Over the phone. Which was then written down for easy reference.
Admin
I work on bank software and have gotten this same message.
I've also gotten this one. "Could you please up the number of login fails before lockout? Our whole office uses the same login and the new girl in the morning always seems to lock everyone out for the whole day."
They HAVE a login for each user there. They just all insist on using the same one.
/me shakes with rage.
Admin
Face goes to palm.
Admin
I had a similar experience when I started at a new job, except it extended to everyone must have the same voice mail password.
So I started setting up new accounts with the parameters that you must change your password upon first login. I also added password expirations, complexity rules, and not being able to repeat any of your past passwords.
Admin
Sorry, that's like fighting mosquitoes with nuclear bombs. The gnat's dead, but no one's there to enjoy it.
The consequence of all this is usually that demand for Post-it(R) surges as everyone sticks his current password to the bottom edge of his computer screen because nobody is able (or willing) to memorize a new letter-number-combination every 14 days.
Furthermore, this reminds me of a sad episode at University, when I got an auto-generated mail to "Please the f*** change your insecure password or else!" (the exact phrasing may have differed) because it, a dice-generated string of 8 lower-case letters and numbers, did not contain an upper-case letter. "Tuesday1" would have been perfectly acceptable, though, as far as the rules described in this mail were concerned.
Admin
That is a wtf right there. By adding password expirations, you've virtually guaranteed that everyone will write their password down instead of memorizing it. The only purpose of making passwords expire is if you think people will have their passwords compromised. You should really rethink that policy.
Admin
Last place I worked, the custom app we used, and that I worked on, had an option, just like Windows accounts, to force you to change your password on next login. So when we'd get change reqs, we'd set the password to the userid, and check the box. No problem. The argument about user X's files was irrelevant, because anything that would've been stored as a file outside the app would be accessible via NTFS perms.
Admin
There's a good-sized WTF right there. There's no app-based solution, tho. You have an HR problem, requiring an HR solution: "effective immediately everyone will use their own login on pain of immediate termination."
Well, maybe you give 'em a grace period.
Admin
[quote user="AdT"]Furthermore, this reminds me of a sad episode at University, when I got an auto-generated mail to "Please the f*** change your insecure password or else!" (the exact phrasing may have differed) because it, a dice-generated string of 8 lower-case letters and numbers, did not contain an upper-case letter. "Tuesday1" would have been perfectly acceptable, though, as far as the rules described in this mail were concerned.[/quote]
The Real WTF here, of course, is that they could see your password unencrypted.
Admin
I agree, and yet every company feels this is the proper policy, not realizing that by following it, they are lowering their security rather than raising it.
Yes make sure that passwords and user names don't match. Yes allow some complexity, but auto expirations are not necessary.
Honestly, when was the last time you had to change the PIN on your ATM card? Now when was the last time that PIN was compromised? This will tell you how important expiring passwords are.
Admin
Long session timeouts are a problem too.
The mail program the company I work for uses has a dedicated client and a web client. The session timeout is 24 hours, and for security reasons, you are only allowed to log in from one place at a time.
The web client stores the login information in a session cookie. Guess what happens if your web browser crashes while you're logged in, or you close the browser without logging out?
Admin
I work at a large software vendor, and here, your account gets locked out if you type in the wrong password three times in a row. And I mean locked out, not temporarily disabled. So just 'mistype' your username to be someone appropriate, and enter a real (or fake, whatever..) password three times...
Admin
Why is everyone bashing the users for their "insecure" environments? After all, it's THEIR system, THEIR rules and THEY are stuck working with it every day. Our job is to build what they want to THEIR specifications, inform them of the risks and then STFU.
Admin
Although the original post was about an internal system, we've had software that we've used from other companies that insists on expiring passwords when we really don't need them for our application (they usually sell to customers that really need strict audit trails) and they won't disable it for us. As a result we generally have one password, written on a post-it, and stuck to the monitor.
Admin
The big stick came out here a few years ago when we came aboard and got serious about security. Yes, everybody changed their passwords monthly but we discovered the convention everyone used was [user_first_name][month_number] so if I wanted to log in as "Joe" today I would've used the password "Joe06".
It took a while to get everyone on board, and we actually had to outlaw that password pattern for our words to take effect, but it's a lot better now.
Admin
Did you miss the part where the song is entitled 'Ironic'?
Admin
Personally, I'd like to see security as follows:
-Thumb fingerprint scanner at main entrance door (change thumb-print every 3 months, but no duplicates for at least 9 months)
-Retina scan to get onto your computer (change retina-print every three months, but no duplicates for at least 9 months: seeing eye dogs allowed to substitute for user with proper authorization)
-DNA scan to start each application (spousal and offspring authorization permitted with at least n matching genes)
</sarcasm>
Admin
If your spouse has a certain number of matching genes, I would worry about your family tree.
But yes, this actually demonstrates the "changing passwords" fallacy.
Admin
Does it count as ironic that a song titled such has little to no ironic content?
Also, no-one has mentioned dancing on a plane yet? I'm disappointed :P
Admin
... but that's the irony of the song. It's a song about irony, but doesn't ever give a good example of irony. If that's not ironic I don't know what is.
Admin
I never said what the exact policies were.
Expirations: 1 year. Complexity: at least 7 characters containing numbers and letters
This is not overkill.
I never said anything about every 14 days. That is overkill.
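As an added example (not code from any poster in this thread), the following Python contrasts the complexity rules discussed above (7+ characters with letters and digits; the university mail's extra demand for an upper-case letter) with the predictable patterns the thread names: username as password, first name plus month number ("Joe06"), a weekday plus a digit ("Tuesday1"), a month name appended, and a trailing number bumped at each expiry. The usernames and passwords in the tests are constructed, and the guess-space figures assume the attacker knows the template.

```python
import math
import re

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday")

def thread_rule(pw: str) -> bool:
    """One poster's policy: at least 7 characters with both letters and digits."""
    return (len(pw) >= 7 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

def university_rule(pw: str) -> bool:
    """The university mail's rule as described: additionally an upper-case letter."""
    return thread_rule(pw) and any(c.isupper() for c in pw)

def uniform_bits(alphabet_size: int, length: int) -> float:
    """Guess-space size in bits of a uniformly random (dice-picked) string."""
    return length * math.log2(alphabet_size)

def pattern_bits(*choice_counts: int) -> float:
    """Guess-space size in bits once the template (e.g. weekday + digit) is known."""
    return math.log2(math.prod(choice_counts))

def predictable_reason(pw, username, first_name, previous=None):
    """Name the thread pattern a password matches, or None if it matches none."""
    low = pw.lower()
    if low == username.lower():
        return "equals username"
    if low == "password":
        return "is the word 'password'"
    m = re.fullmatch(re.escape(first_name.lower()) + r"(\d{1,2})", low)
    if m and 1 <= int(m.group(1)) <= 12:
        return "first name + month number"
    if re.fullmatch("(" + "|".join(WEEKDAYS) + r")\d{1,2}", low):
        return "weekday + digit"
    if re.fullmatch(".+(" + "|".join(MONTHS) + ")", low):
        return "word + month name"
    if previous:
        # Split "hunter1" into stem "hunter" and trailing number "1".
        old_stem, old_num = re.fullmatch(r"(.*?)(\d*)", previous.lower()).groups()
        new_stem, new_num = re.fullmatch(r"(.*?)(\d*)", low).groups()
        if (new_stem == old_stem and old_num and new_num
                and int(new_num) == int(old_num) + 1):
            return "previous password with trailing number incremented"
    return None
```

Note that the dice-generated 8-character [a-z0-9] string from the quoted mail fails `university_rule` while "Tuesday1" passes it, even though the former sits in a guess space of about 41 bits and the latter, once the weekday-plus-digit template is known, in one of about 6 bits.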
Admin
Honestly, give me one reason why you would force a random password change?
In case of breach? Well, if it isn't breached why change it? If you ever find a breach? Then you change it right away, not wait for the schedule.
I have never once heard a good reason for it. Most of the time I simply hear, "It's policy" and no one knows why. Yeah yeah, and the earth is flat, and the moon is made of green cheese.
Admin
So, you get "Joea", "Joeb", ...? Or "onejoe", "twojoe", ...?
As others have already said, password expiration seems ineffective and counter-productive. More work for the end-user does not translate into more work for the would-be intruder.
Admin
The REAL Wtf is that no one seems to know WTF Irony is. And some even write songs about it.
Jake, your example about the re-assuring comment, NOT irony. A mistake != irony. Misjudging appropriateness != Irony.
Admin
And you sir also seem not to understand it, although you might.
While a mistake is not irony, it could be ironic depending on the mistake made, and while inappropriate comments or actions may not be ironic, an ironic situation could be the result of an inappropriate action or comment.
It is essentially the same as saying a rectangle is not a square, and while that is true, this does not mean that a square is not a rectangle, because a square is a rectangle.
Irony is not the result of the intended. The email previously mentioned was not ironic from the writer's viewpoint, but it could be ironic depending on the result for the reader, or maybe not. Irony depends on more than an isolated comment; irony relies on the intended result as opposed to the actual effect, usually resulting in something unwanted.
Admin
Interesting - I was just thinking about this song and how the situations she mentions really aren't ironic. A perfect example of irony is portrayed in a Twilight Zone episode, "Time Enough at Last". A man is constantly seeking time to have quiet to himself so he can read and eventually decides to lock himself in a vault. While in the vault, nuclear fallout takes place and he is safe inside the vault. After getting out and realizing what has happened, he is happy to know that there is "time enough at last" to do his reading. Then he breaks his glasses.
Admin
Even though the security is a joke, there's still a potentially good reason to deny superuser's request and keep timeouts relatively short (like 20min..hour): If periodic maintenance requires exclusive use of some resource like a database, you don't want Basement Bob's logged in but unattended machine preventing it for some ridiculously long period of time.
Admin
I don't see the irony.
What might make it ironic is if every time someone logged in with the same user/pass it invalidated everyone else's session with the same user/pass combination, thus the problem isn't session timeout length but instead the simple fact that they're all sharing one login. Sure, I'm reading way into it.. but otherwise, I see no real irony. Just stupidity. :l
Admin
Ha ha, that sounds like a place I worked! And I once went to help a woman who said her password wasn't working. After investigating, I was not making any progress into the problem until she said "But, see, if I type in the word password, it lets me in!!!" Doh!