Admin
This frist comment was not created. Please frist a different one.
Admin
this wasn't a good idea
Admin
Call it... "Wish-It-Was One-Factor"?
That is fairly incredible. I'm somewhat depressed that I can still believe it. I mean, I've seen loads of places that enforce the ridiculous "passwords must be globally unique" rule... this is just one additional degree of ridiculousity. (Well, plus a second one, I guess, if you count "passwords are submitted as fax images". But at least they're not plain-text, right? ;))
Admin
Common misconception about 'factors' in multi factor authentication. Using only one field instead of 2, or 6 like B of A, constitutes 1 factor authentication. Using a zillion fields would still be 1 factor authentication.
Someone explained it well on the web, I don't remember who or where.
Single factor authentication usually comes down to "I know something", like a user name and password. To make it 2 factor, you add another factor such as "I have something", perhaps an RSA token or a USB fob or a fingerprint.
Admin
This story does not surprise me at all.
Admin
Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.
Admin
Who's password was god?
/Too obscure??
Admin
So why didn't you log in as one of them, and have the HR system hire you? How hard could it have been to guess the password? I bet interesting things happen when you log in as admin/admin
Admin
We had Unisys ICONs in school, and the login system worked exactly as described here.
Admin
To be two-factor, you must use two of those factors (funny, that).
Admin
I am assuming the "incompetents" you are referencing are whomever set up the security system, not Scott Simon (who was merely reporting something really, really odd).
Admin
Interestingly enough, Bob Raskin at one point seriously suggested eliminating usernames and having users identified by means of their password alone, which would be required to consist of at least two words and a number. He made the point that the username adds little if anything to the security, while adding one more thing to what the legitimate user needs to remember. I don't think he had quite this sort of bureaucratic silliness in mind, however.
Admin
"And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past"
TRWTF is that the password he first came up with was something that was already in use.
Admin
I seem to remember systems like this being pretty common in the past. My money says some mandate came down to modernize some legacy system, and this was a shortcut taken.
Admin
Did you try hunter2?
Admin
Good Lord, if that was done, what would be shown in things like audit trails, change logs, etc.
04/06/2011 15:22 Created by kittens2love
04/06/2011 15:24 Modified by password4hacking
04/06/2011 15:25 Modified by ponyPlay4me
Admin
Given that most people here couldn't code fizz buzz, it could very well be too obscure.
BTW, the possessive of "who" is "whose."
Admin
I use the IRS FIRE system to submit informational returns for clients. Last week (April 2011) I typed in an incorrect password, and after three tries it locked me out. No surprise there. They don't offer an online reset, so to get a new password I was prompted to call the IRS. Result = "Due to heavier than normal volume, wait times may exceed twenty minutes." If I could have faxed in my request I would have been happier. I think the government is still behind everyone else.
Admin
Why would anyone use ******* as their password?
Admin
FTFY.
Admin
Aren't 2 & 3 the same thing? They are both something you have...
Admin
Oddly, my school's library has a similar (but equally hilarious) problem. On first login you're told to create a password: just enter your user ID number and a chosen password and BAM! account. I never considered the implications of this and our simple "last number+1" user ID policy until one day I typed 123457 by accident instead of my ID of 123456. I entered my password accordingly... except it obviously wasn't my account. Since user 123457 hadn't created an account yet, it dutifully created one using the password I used and gave me access to his stuff. Thankfully it only allowed me to request books in his name, although I could see his address. I believe I just hit "Create new password", slammed my hand on the keyboard and logged out, figuring at least now no one else could do this.
Admin
OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.
That being said, I distinctly remember a (money-handling!) management application (at a local gov't office that will remain nondescript), written in an obscure language, which had no login field at all: you just entered the password and the system would deduce the username from it (yes, really).
Admin
Not quite. 2 can be separated from you, 3 cannot.
Admin
inb4 "YHBT. YHL. HAND."
Admin
I call LetMeIn for mine
Admin
One is a thing that is given to you, and the other is something that is physically a part of you. With that logic, it is something that you have, and something that you are; respectively.
But, if you really wanted to be pedantic about (it's TDWTF, who doesn't want to be pedantic around here), yes technically you could consider both of those as nearly the same type of things.
Admin
1, 2, and 3 are distinctly different burdens for someone to bypass.
By using all 3, someone would need to:
*) Guess/Extract your password
*) Steal/Acquire your device
*) Dismember your finger/eye
Admin
From the story: Some passwords are rejected because they collide and others (the one in question) are rejected because the guy manually setting the password didn't want to type something so complicated.
Admin
Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one-factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.
Vibration of wind is powerful magic best left to those with advanced witchcraft and sorcery knowhow.
Admin
What about Kronos?
Admin
Should you make any other blindingly obvious assumptions, do not feel compelled to inform us.
Admin
Wanna bet? (grabs his hatchet)
Admin
which?
Admin
Alrighty Captain Random. I'll bite. Enlighten us please, as to where I was in error.
Admin
Hey, if you waited until next week, there wouldn't be anyone on the other end of the phone line at all!
Admin
recent job had a password scheme where it would reject your password if anyone else in the company had ever used that password before -- and the password rejection message would let you know that you had failed that test. combinations of swear words with the company name had already been pretty well explored by previous employees.
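The two designs this thread keeps circling back to (the "password must be different from everyone else's" rejection in the comment above, and the earlier system that deduced the username from the password alone) both require the server to compare a new password against every other account's password, which is only possible if passwords are stored as plaintext or as unsalted, deterministic hashes. The following is an added example, not code from the original thread or from any of the systems described in it; the names flawed_register, register and verify are made up for illustration, and the user stores are constructed in memory. It contrasts the global-uniqueness check with ordinary per-user salted hashing, where two accounts sharing a password produce unrelated digests and no such check can be performed, or needed.

```python
import hashlib
import hmac
import os

# ---- The anti-pattern from the thread (constructed, for contrast only) ----
# A global, unsalted digest of every password lets the server answer "has anyone
# else ever used this password?", and the rejection message hands that answer to
# whoever is typing. Usernames are unique; passwords were never meant to be.

def flawed_register(store: dict, username: str, password: str):
    """Returns (ok, message). Rejects a password any other user already has."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()  # same digest for everyone
    if digest in store.values():
        return False, "rejected: password already in use by another account"
    store[username] = digest
    return True, "ok"


# ---- The ordinary design (constructed example, not a real system's code) ----

PBKDF2_ITERATIONS = 100_000  # illustrative; production values are tuned per deployment

def _derive(password: str, salt: bytes) -> bytes:
    # Per-user random salt: the same password yields a different digest for
    # every user, so the store cannot be scanned for password reuse at all.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def register(store: dict, username: str, password: str) -> None:
    """Uniqueness is enforced on the username only; any password may be shared."""
    if username in store:
        raise ValueError("username already taken")
    salt = os.urandom(16)
    store[username] = (salt, _derive(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    """Check one user's password. Unknown users still pay the derivation cost
    so that response time does not reveal whether the username exists."""
    entry = store.get(username)
    if entry is None:
        _derive(password, os.urandom(16))
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, _derive(password, salt))

def stored_digests_differ(store: dict, user_a: str, user_b: str) -> bool:
    """True when two accounts' stored digests are unrelated, even if the
    underlying passwords happen to be identical."""
    return store[user_a][1] != store[user_b][1]


if __name__ == "__main__":
    flawed = {}
    print(flawed_register(flawed, "alice", "correct horse battery staple"))
    print(flawed_register(flawed, "bob", "correct horse battery staple"))  # rejected, and says why

    users = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")               # accepted
    print(stored_digests_differ(users, "alice", "bob"))                  # True
    print(verify(users, "alice", "correct horse battery staple"))        # True
    print(verify(users, "bob", "wrong"))                                 # False
```

The point the salted version makes is structural rather than cryptographic: once each account has its own salt, the server has no way to tell whether two people chose the same password, so the "already in use by someone else" message that the comment above describes simply cannot be produced, and the system that identified users by password alone could never have been built on top of it.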
Admin
(I submitted this, in case it's not obvious. A long, long time ago; but I was really hoping to see it someday, as it's one of my personal favorite stories. Very well obfuscated too, which probably doesn't matter any more as I'm pretty sure that the company involved has gone under. Can't imagine how that happened.)
Admin
So? Where's the WTF? Because they're still using passwords? We enable auto-login as domain admin on every workstation. This way users don't bother us with any file access requests, software installations or proxy exceptions...
Admin
I do second job on weekends in masonry to prevent this problem.
Admin
Something I Am (username)
Something I Know (password)
Something I Have (RSA Key or similar)