• Ernold (unregistered)

    This frist comment was not created. Please frist a different one.

  • No one (unregistered)

    this wasn't a good idea

  • neminem (cs)

    Call it... "Wish-It-Was One-Factor"?

    That is fairly incredible. I'm somewhat depressed that I can still believe it. I mean, I've seen loads of places that enforce the ridiculous "passwords must be globally unique" rule... this is just one additional degree of ridiculousity. (Well, plus a second one, I guess, if you count "passwords are submitted as fax images". But at least they're not plain-text, right? ;))

  • somedude (cs)

    Common misconception about 'factors' in multi factor authentication. Using only one field instead of 2, or 6 like B of A, constitutes 1 factor authentication. Using a zillion fields would still be 1 factor authentication.

    Someone explained it well on the web, I don't remember who or where.

    Single factor authentication usually comes down to "I know something", like a user name and password. To make it 2 factor, you add another factor such as "I have something", perhaps an RSA token or a USB fob or a fingerprint.

  • BLORB (unregistered)

    This story does not surprise me at all.

  • hoodaticus (cs)

    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.

  • Bryan the K (unregistered)

    Who's password was god?

    /Too obscure??

  • XXXXX (unregistered) in reply to hoodaticus
    hoodaticus:
    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.

    So why didn't you log in as one of them, and have the HR system hire you? How hard could it have been to guess the password? I bet interesting things happen when you log in as admin/admin

  • ThingGuy McGuyThing (cs)

    We had Unisys ICONs in school, and the login system worked exactly as described here.

  • Jeb (unregistered) in reply to somedude
    1. Something you know (PIN, password)
    2. Something you have (RSA token, smart card)
    3. Something you are (fingerprint, voiceprint, etc.)

    To be two-factor, you must use two of those factors (funny, that).

  • Tom Woolf (unregistered) in reply to hoodaticus
    hoodaticus:
    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.

    I am assuming the "incompetents" you are referencing are whoever set up the security system, not Scott Simon (who was merely reporting something really, really odd).

  • Schol-R-LEA (unregistered)

    Interestingly enough, Bob Raskin at one point seriously suggested eliminating usernames and having users identified by means of their password alone, which would be required to consist of at least two words and a number. He made the point that the username adds little if anything to the security, while adding one more thing to what the legitimate user needs to remember. I don't think he had quite this sort of bureaucratic silliness in mind, however.

  • Crash Override (unregistered) in reply to Bryan the K
    Who's password was god?

    /Too obscure??

    How can that be too obscure for this crowd?
  • Nik (unregistered)

    "And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past"

    TRWTF is that the password he first came up with was something that was already in use.

  • benh999 (unregistered)

    I seem to remember systems like this being pretty common in the past. My money says some mandate came down to modernize some legacy system, and this was a shortcut taken.

  • Jack (unregistered)

    Did you try hunter2?

  • JamesQMurphy (cs) in reply to Schol-R-LEA
    Schol-R-LEA:
    Interestingly enough, Bob Raskin at one point seriously suggested eliminating usernames and having users identified by means of their password alone, which would be required to consist of at least two words and a number. He made the point that the username adds little if anything to the security, while adding one more thing to what the legitimate user needs to remember. I don't think he had quite this sort of bureaucratic silliness in mind, however.

    Good Lord, if that was done, what would be shown in things like audit trails, change logs, etc.

    04/06/2011 15:22 Created by kittens2love
    04/06/2011 15:24 Modified by password4hacking
    04/06/2011 15:25 Modified by ponyPlay4me

  • Meep (unregistered) in reply to Crash Override
    Crash Override:
    Who's password was god?

    /Too obscure??

    How can that be too obscure for this crowd?

    Given that most people here couldn't code fizz buzz, it could very well be too obscure.

    BTW, the possessive of "who" is "whose."

  • MadX (unregistered)

    I use the IRS FIRE system to submit informational returns for clients. Last week (April 2011) I typed in an incorrect password, and after three tries it locked me out. No surprise there. They don't offer an online reset, so to get a new password I was prompted to call the IRS. Result = "Due to heavier than normal volume, wait times may exceed twenty minutes." If I could have faxed in my request I would have been happier. I think the government is still behind everyone else.

  • the guy behind you (unregistered) in reply to Jack
    Jack:
    Did you try hunter2?

    Why would anyone use ******* as their password?

  • Meep (unregistered) in reply to somedude
    somedude:
    Someone explained it well on the web, I don't remember who or where, and I really have no idea what I'm talking about. TRWTF is that reading crap like what I'm posting is probably how the idiot who designed the system in the article learned to do security himself.

    FTFY.

  • DeLos (cs) in reply to Jeb

    Aren't 2 & 3 the same thing? They are both something you have...

  • tsrblke (unregistered)

    Oddly, my school's library has a similar (but equally hilarious) problem. On first log in you're told to create a password: just enter your user ID number and a chosen password and BAM! account. I never considered the implications of this and our simple "last number+1" User ID policy until one day I typed 123457 by accident instead of my ID of 123456. I entered my password accordingly...except it obviously wasn't my account. Since user 123457 hadn't created an account yet, it dutifully created one using the password I used and gave me access to his stuff. Thankfully it only allowed me to request books in his name, although I could see his address. I believe I just hit "Create new password", slammed my hand on the keyboard and logged out, figuring at least now no one else could do this.

  • Frenchie (unregistered)

    OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.

    That being said, I distinctly remember a (money-handling!) management application (at a local gov't office that will remain undescript), written in an obscure language, which had no login field at all: You just entered the password and the system would deduce the username from it (yes, really).

  • Greg (unregistered) in reply to DeLos

    Not quite. 2 can be separated from you, 3 cannot.

  • PedanticCurmudgeon (cs) in reply to DeLos
    DeLos:
    Aren't 2 & 3 the same thing? They are both something you have...

    inb4 "YHBT. YHL. HAND."

  • Hasteur (cs)

    I call LetMeIn for mine

  • dohpaz42 (cs) in reply to DeLos
    DeLos:
    Aren't 2 & 3 the same thing? They are both something you have...

    One is a thing that is given to you, and the other is something that is physically a part of you. With that logic, it is something that you have, and something that you are; respectively.

    But, if you really wanted to be pedantic about it (it's TDWTF, who doesn't want to be pedantic around here), yes, technically you could consider both of those as nearly the same type of things.

  • HellKarnassus (cs) in reply to DeLos
    DeLos:
    Aren't 2 & 3 the same thing? They are both something you have...

    #1 is as well, because if you don't have a password, you can't log in

  • JohnArlen (unregistered) in reply to DeLos

    1, 2, and 3 are distinctly different burdens for someone to bypass.

    By using all 3, someone would need to:
    *) Guess/Extract your password
    *) Steal/Acquire your device
    *) Dismember your finger/eye

  • dpm (cs) in reply to Frenchie
    Frenchie:
    OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.

    He doesn't say that it happened. Read it again; it's more likely that "they" just didn't like his overly-secure submission and gave him a "normal" one instead.

  • gray goat (unregistered) in reply to Frenchie
    Frenchie:
    OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.

    That being said, I distinctly remember a (money-handling!) management application (at a local gov't office that will remain undescript), written in an obscure language, which had no login field at all: You just entered the password and the system would deduce the username from it (yes, really).

    From the story: Some passwords are rejected because they collide and others (the one in question) are rejected because the guy manually setting the password didn't want to type something so complicated.

  • SCSimmons (cs) in reply to Bryan the K
    Bryan the K:
    Who's password was god?

    /Too obscure??

    Damn. I never thought to try that one. Probably belonged to the CTO. :)

  • Nagesh (cs)

    Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.

    Vibration of wind is powerful magic best left to those with advanced witchcraft and sorcery knowhow.

  • Wonk (unregistered)

    What about Kronos?

  • JamesQMurphy (cs) in reply to Greg
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    Ever see Minority Report?

  • blarg (unregistered) in reply to Tom Woolf
    Tom Woolf:
    hoodaticus:
    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.

    I am assuming the "incompetents" you are referencing are whoever set up the security system, not Scott Simon (who was merely reporting something really, really odd).

    Should you make any other blindingly obvious assumptions, do not feel compelled to inform us.

  • Sir Twist (cs) in reply to Greg
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    I've got a pair of dikes that says differently.

  • somedude (cs) in reply to Greg
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    Wanna bet? (grabs his hatchet)

  • oh (unregistered) in reply to Jack
    Jack:
    Did you try *******?

    which?

  • somedude (cs) in reply to Meep
    Meep:
    somedude:
    Someone explained it well on the web, I don't remember who or where, and I really have no idea what I'm talking about. TRWTF is that reading crap like what I'm posting is probably how the idiot who designed the system in the article learned to do security himself.

    FTFY.

    Alrighty Captain Random. I'll bite. Enlighten us please, as to where I was in error.

  • boog (cs)
    I mistakenly typed in a password that I had unsuccessfully requested at one time in the past: instead of a invalid credentials message, I found myself logged in as a completely different user.

    Good thing they didn't grant you that password; it can't have been all that secure if another user chose the same password.

  • Your Name (unregistered) in reply to MadX
    MadX:
    I use the IRS FIRE system to submit informational returns for clients. Last week (April 2011) I typed in an incorrect password, and after three tries it locked me out. No surprise there. They don't offer an online reset, so to get a new password I was promted to call the IRS. Result = "Due to heavier than normal volume, wait times may exceed twenty minutes." If I could have faxed in my request I would have been happier. I think the government is still behind everyone else.

    Hey, if you waited until next week, there wouldn't be anyone on the other end of the phone line at all!

  • neminem (cs) in reply to somedude
    somedude:
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    Wanna bet? (grabs his hatchet)

    Don't even necessarily need to resort to such violent methods; as spy shows have shown repeatedly, in many different ways, all you need is a sufficiently similar replica. As Michael Westen once pointed out, "Nobody wipes off a fingerprint scanner after they use it, so what's left on the scanner, nine times out of ten, is a fingerprint." Just stick the fingerprint on something else, reuse it, bang. Fingerprint, separated from the guy's finger without having to actually... separate the guy's finger.

  • Seattle System Engineer (unregistered)

    Recent job had a password scheme where it would reject your password if anyone else in the company had ever used that password before -- and the password rejection message would let you know that you had failed that test. Combinations of swear words with the company name had already been pretty well explored by previous employees.

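The "password only, username deduced from it" design Frenchie describes and the "reject any password anyone has ever used" scheme in the comment above are two faces of the same defect: once the password is the identity, it has to be globally unique, and the uniqueness check itself becomes a disclosure. The following is an added example, not code from the article or from any of the commenters; the store classes, user names and passwords are all constructed for illustration. It puts a password-keyed store beside a conventional username-keyed store with per-user salted hashes, so the difference in what each scheme must reveal is visible in code.

```python
"""Password-keyed login versus username-keyed login (constructed example).

Scheme A models the systems described in the thread: the password alone
identifies the user, so every password must be globally unique.
Scheme B is the ordinary design: the username is the identifier and the
password is stored as a salted PBKDF2 hash, so two users may pick the
same password without the server ever having to say so.
"""
import hashlib
import hmac
import os
from typing import Optional


class PasswordKeyedStore:
    """Scheme A: the password IS the account key (the thread's broken design)."""

    def __init__(self) -> None:
        self._by_password: dict[str, str] = {}  # password -> username

    def enroll(self, username: str, password: str) -> bool:
        # Forced by the design: a duplicate must be refused, and the refusal
        # tells the caller that this exact string is some user's live password.
        if password in self._by_password:
            return False
        self._by_password[password] = username
        return True

    def login(self, password: str) -> Optional[str]:
        # No username to check against: whoever types a matching string is
        # logged in as its owner, which is the "phantom password" effect.
        return self._by_password.get(password)


class UserKeyedStore:
    """Scheme B: username is the key; password kept only as a salted hash."""

    def __init__(self) -> None:
        self._by_user: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Iteration count is a demo value; production should use a current
        # recommendation or a memory-hard KDF.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, username: str, password: str) -> bool:
        if username in self._by_user:
            return False  # only the username needs to be unique
        salt = os.urandom(16)
        self._by_user[username] = (salt, self._hash(password, salt))
        return True

    def login(self, username: str, password: str) -> Optional[str]:
        rec = self._by_user.get(username)
        if rec is None:
            return None
        salt, stored = rec
        # Constant-time comparison so a mismatch does not leak by timing.
        if hmac.compare_digest(stored, self._hash(password, salt)):
            return username
        return None


def compare_schemes() -> dict:
    """Run both schemes on the same constructed users and report outcomes."""
    shared = "Tr0ub4dor&3"  # constructed password chosen by two users

    a = PasswordKeyedStore()
    a.enroll("alice", shared)
    result = {
        # Bob's enrollment is refused, which reveals that 'shared' is in use.
        "scheme_a_refuses_duplicate": not a.enroll("bob", shared),
        # Bob typing that string at login lands in Alice's account.
        "scheme_a_login_as": a.login(shared),
    }

    b = UserKeyedStore()
    b.enroll("alice", shared)
    result["scheme_b_allows_duplicate"] = b.enroll("bob", shared)
    result["scheme_b_alice_login"] = b.login("alice", shared)
    result["scheme_b_bob_wrong_password"] = b.login("bob", "wrong-guess")
    result["scheme_b_unknown_user"] = b.login("carol", shared)
    return result


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point to take from the run is in the two `enroll` calls: scheme A cannot avoid answering "already taken", and that answer is exactly the oracle the commenter above ran into, while scheme B's salted per-user hash means a duplicate password is neither detectable nor a problem.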
  • SCSimmons (cs) in reply to gray goat
    gray goat:
    Frenchie:
    OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.
    From the story: Some passwords are rejected because they collide and others (the one in question) are rejected because the guy manually setting the password didn't want to type something so complicated.
    Yes, that's right. I wasn't all that sophisticated in the ways of security early on (I was just a CSR, for heaven's sake!), and sent simple dictionary words for my first few requests. The fax method works great for those, but really failed on more complicated passwords. (Is that a number 1, an upper-case I, or a lower-case l? Screw it, we'll make up our own password to assign to him.)

    (I submitted this, in case it's not obvious. A long, long time ago; but I was really hoping to see it someday, as it's one of my personal favorite stories. Very well obfuscated too, which probably doesn't matter any more as I'm pretty sure that the company involved has gone under. Can't imagine how that happened.)

  • Peter (unregistered) in reply to XXXXX
    XXXXX:
    hoodaticus:
    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.
    So why didn't you log in as one of them, and have the HR system hire you? How hard could it have been to guess the password? I bet interesting things happen when you log in as admin/admin

    He didn't "log in as one of them" because he's commenting on a story that happened to someone else. Didn't you notice that?

  • J (unregistered)

    So? Where's the WTF? Because they're still using passwords? We enable auto-login as domain admin on every workstation. This way users don't bother us with any file access requests, software installations or proxy exceptions...

  • Naresh Kookaburra (unregistered) in reply to neminem
    neminem:
    somedude:
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    Wanna bet? (grabs his hatchet)

    Don't even necessarily need to resort to such violent methods; as spy shows have shown repeatedly, in many different ways, all you need is a sufficiently similar replica. As Michael Westen once pointed out, "Nobody wipes off a fingerprint scanner after they use it, so what's left on the scanner, nine times out of ten, is a fingerprint." Just stick the fingerprint on something else, reuse it, bang. Fingerprint, separated from the guy's finger without having to actually... separate the guy's finger.

    I do second job on weekends in masonry to prevent this problem.

  • hikari (cs) in reply to somedude
    somedude:
    Common misconception about 'factors' in multi factor authentication. Using only one field instead of 2, or 6 like B of A, constitutes 1 factor authentication. Using a zillion fields would still be 1 factor authentication.

    Someone explained it well on the web, I don't remember who or where.

    Single factor authentication usually comes down to "I know something", like a user name and password. To make it 2 factor, you add another factor such as "I have something", perhaps an RSA token or a USB fob or a fingerprint.

    Something I Am (username)
    Something I Know (password)
    Something I Have (RSA Key or similar)

Leave a comment on “The Phantom Password”
