• dpm (unregistered)

    Occasionally, an article is so incredibly stupid that I cannot believe that it's true. Surely, someone made it up for the dramatic value.

    Then I remember humanity. "What a bunch of bastards."

  • sh_code (unregistered)

    "So 178.8.1.44 becomes 178.80.10.44"

    ...that's not how "padding" works?!

  • someone (unregistered) in reply to sh_code

    It's how right-padding works, if you accept that it's two padding operations.

  • Darkenon (unregistered)

What if DHCP fails and you get a random IP assigned to the server? It looks like they have no record of servers and IPs.

  • ray10k (unregistered)

    Another, though lesser, problem with this "algorithm" is that it makes it more likely for two people to share the same password. Say person A is on 178.8.1.44 and person B is on 178.80.10.44, both will get the same result for the IP-mangling step.

  • (nodebb)

    So if you don't know the server's IP address because it somehow fell off the network, you have to log on to find out what the IP address is in order to work out what the password is so that you can log on to debug why it cannot get on the network.

    Hmmm.

  • RobyMcAndrew (unregistered) in reply to Darkenon

DHCP? You think they're using DHCP? Bet the IP addresses are all hard coded.

  • BradleyUffner (unregistered)

    Not to mention that every disgruntled former employee knows the password, and you can't change it.

  • mole125 (unregistered)

Isn't it pretty much guaranteed that a group of machines in the same rack will share the same higher octets? And they were probably all bought for the same purpose, sharing the same hostname structure other than perhaps a different digit on the end. So all identical servers in a rack get the same password; perhaps that is considered a feature?

  • Debra (unregistered) in reply to sh_code

    No, but it's better than the standard way people normally do it!

  • (nodebb)

    "And just what is this 'standard way people normally do it'?" he asked, nervously.

    "Well," the SOFH [appropriate modification of BOFH] replied slowly, "I guess I can give you a hint, since we don't use it anymore. It involved the word 'secret', and the number '42'."

  • crashmagnet42 (unregistered) in reply to Debra
    Quoting Debra (unregistered) in reply to sh_code, 2018-06-20: "No, but it's better than the standard way people normally do it!"

    Write down the password on a postit note and stick it to the monitor.

  • Anonymous') OR 1=1; DROP TABLE wtf; -- (unregistered)

    What if the middle 2 octets are 3 digits?

  • beef (unregistered) in reply to Anonymous') OR 1=1; DROP TABLE wtf; --

You can always write an octet as two characters.

  • sd (unregistered) in reply to Anonymous') OR 1=1; DROP TABLE wtf; --

You could convert the 3 digits to hex. Maybe that's the secret "undocumented" step.
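An added example, not from the article or any commenter: a toy reconstruction of the "padding" step as sh_code and ray10k read it (each middle octet right-padded with '0' to two characters, three-digit octets left alone), with a check that counts how many distinct addresses end up with the same mangled form. The padding rule is an assumption inferred from "178.8.1.44 becomes 178.80.10.44".

```python
"""Toy model of the IP "padding" step discussed in the thread.

Assumption (inferred from the comments, not stated by the article): the two
middle octets are right-padded with '0' to two characters; octets already two
or three digits long are left unchanged.
"""
from collections import defaultdict
import ipaddress


def pad_octet(octet: str) -> str:
    # "8" -> "80", "10" -> "10", "100" -> "100": right padding, as sh_code noted
    return octet.ljust(2, "0")


def mangle(ip: str) -> str:
    # IPv4Address() rejects malformed input before we touch the octets
    a, b, c, d = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join([a, pad_octet(b), pad_octet(c), d])


def collision_classes(first: int, last: int) -> dict:
    """Group every address first.b.c.last (b, c in 0..255) by mangled form.

    Returns {mangled: [original addresses]} for groups with more than one
    member, i.e. the addresses ray10k's point applies to.
    """
    groups = defaultdict(list)
    for b in range(256):
        for c in range(256):
            ip = f"{first}.{b}.{c}.{last}"
            groups[mangle(ip)].append(ip)
    return {k: v for k, v in groups.items() if len(v) > 1}


def colliding_address_count(first: int, last: int) -> int:
    """Number of addresses whose mangled form is shared with another address."""
    return sum(len(v) for v in collision_classes(first, last).values())


if __name__ == "__main__":
    print(mangle("178.8.1.44"), "==", mangle("178.80.10.44"))
    classes = collision_classes(178, 44)
    print(len(classes), "mangled forms are shared;", colliding_address_count(178, 44),
          "of 65536 addresses are affected; e.g.", classes["178.10.10.44"])
```

Only single-digit octets 1 through 9 gain a zero (0 becomes "00", which no real octet produces), so each of them merges with one two-digit octet and three-digit octets never collide.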

  • Zenith (unregistered) in reply to Steve_The_Cynic

    Just ping the name to find out the IP?

    And per-server accounts are a reasonable response if somebody came from an environment where policy was dictated by the same group preventing its implementation. Let me explain. I have AD service accounts that another department thinks I should be responsible for, even though I can't create, update, unlock, or even change the passwords for these accounts. You know the story, responsibility without authority.

    And here comes authority without responsibility. The department started dictating new password rules, including shorter expiration dates. The applications run 24/7/365 but we have to file a ticket for changes and wait for somebody to get around to it. This means there's a window between the account changing and configurations changing.

    On top of this, the applications are also poorly designed by H1Bs. One, configuration data is all over the place. Two, they can't separate concerns, so the same account that runs SQL Server is constantly authenticating to do different things (run services, remote I/O, etc). Three, there's no shutoff mechanism for the applications short of turning IIS and SQL off. Four, the same accounts are shared across multiple applications. Five, absolutely none of this is documented.

    As you can imagine, it's tons of fun when the password gets changed right before lunch or close of business or when somebody's out or any time I'm not polling one of the seven different ticketing systems to see if anybody responded yet.

So, yeah, I can't really fault the per-server accounts. And with 300 constantly-expiring passwords to remember because we buy so much shovelware that either won't work with AD or the clowns can't configure it correctly, the password algorithm doesn't really faze me either. Stupid management won't push back on the H1Bs and won't consult anybody that knows anything, so this is the sort of stupidity that results.

  • Smash (unregistered) in reply to Zenith

    If the server is off the network it won't bother answering to any network traffic, pings included.

  • My life sucks (unregistered)

    My current employer does exactly this for all domain accounts, with a simpler algorithm involving last name and first name's initial. Then, sysadmin read about ransomware and added 4 random digits (carefully written down in a public Excel document). Such passwords are often reused in internet accounts like Trello.

  • Joe (unregistered)

    Why is local admin enabled on domain server?

  • Friedrice the Great (unregistered) in reply to My life sucks

    I had an employer ages ago that generated ordinary user names using the first 2 letters of the first name and first 6 letters of the last name. This gave one unfortunate DBA the username of "SUYOSHIT". I hope she is happily retired and free of that user name!

  • (nodebb)

At one place I worked, I am post a first letter of the first, first three letters of the last, as part of the username. But it wasn't set in stone, or at least I didn't think it was set in stone, past all sensibility.

    I found out how the secretary regarded the rule when a user came in that was named Charlotte Unterborn. The resulting username produced one of the top tier facepalms I've ever done in my life.

  • Olivier (unregistered) in reply to Smash

    The server will not respond to ping, but even before that, ping will resolve the server name to the server IP.

  • Olivier (unregistered) in reply to RobyMcAndrew

Because you would use dynamic IP addresses on servers?

  • Daniel (unregistered)

A bank that I use used to have the most retarded password requirement ever: not allowing duplicate characters anywhere in the password (this greatly reduces the possible number of permutations, making it very vulnerable to brute force hacking).

    Fortunately, the password requirement was only enforced on the front-end, which allowed me to easily bypass it by modifying the JavaScript.

It's ironic how banks have among the worst IT security, when we're trusting them with so much personal information.

  • Barry W (unregistered)

    Ahem.

    Barry did write a script... he got it 99% working and then lost the will to live.

  • (nodebb) in reply to Zenith

    "Just ping the name to find out the IP?"

    What part of "fell off the network" makes you think you'll be able to ping it? (And I'm including "the name is not in DNS any more" in that...)

  • bobcat (unregistered)

    Every so often you get a WTF that just makes you groan "Whyyyyyy....?"

  • Anon (unregistered) in reply to Darkenon

    Then you ping the hostname to find the new IP

  • Zenith (unregistered)

    Oh, you must be one of those lucky people who has their servers in the same building that they work in.

    Point still stands about the per-server accounts though. The only WTF here is using the IP. Even that's not such a WTF if you do what we still do with printers and slap a label on the side with its hardcoded IP (and other pertinent details).

  • Erwin (unregistered)

    But why use a spreadsheet when DNS can store the correct password?

    prd-app2-serv4 IN A 178.8.1.44 prd-app2-serv4 IN TXT "totally-secret-password=8010RDVAP"

  • Erwin (unregistered) in reply to Erwin

    sorry, the lines got merged after submit. I meant:

    prd-app2-serv4 IN A 178.8.1.44

    prd-app2-serv4 IN TXT "totally-secret-password=8010RDVAP"

  • Zenith (unregistered)

    And because I can't really be bothered to wait for moderation because cellphone...

    "Oh, so you're lucky enough to have your servers still in the building where you work? That must be great.

    Rest of the point still stands though. The IP is only a little bit of a WTF and really only if you use DHCP. But it wouldn't if you did like we still do with printers, slap a label on the side with pertinent information, including a fixed IP."

  • Dave (unregistered) in reply to Friedrice the Great

    We had a T W Waterman who complained that his email address started with watatw@. There was no set policy, he was just a tw@ to the guy setting up his account.

  • Decius (unregistered) in reply to Zenith

    If you slap a label on the side with an obfuscated password, why not obfuscate the password with rot13?

  • Zenith (unregistered) in reply to Decius

Putting the printer's name and IP on the side of the machine is not the same as putting the password there.

  • Aninnymouse (unregistered) in reply to Friedrice the Great

    Our system generates first initial, partial last name, and incremented number if the account exists. One user got the username "COCKEND".

    Did I mention I work for an elementary school?

  • isthisunique (unregistered)

    I once wanted something like this because I occasionally get sent out to fix remotely located integrated Linux machines that for one reason or another weren't coming online with nothing but a crowbar and a USB keyboard usually with the wrong layout. By default the root password was 123 often secured only by that you needed a screwdriver to lever a lid, cover or door open to get at a USB port.

I did ask someone to come up with a "wizard" scheme for the meantime until the legacy horror of the system could be sorted out (people were still doing things like manual install rather than kickstart), but not one as bad as the one in this article. The guy wasn't good with unspecific instructions so it never happened. I ended up just making the passwords based on some arbitrary scheme for the meantime that I kept in the DB. The emergency workaround being to live boot a standard USB stick to override the root password (again, another security hole). After some time I eventually managed to hash out a halfway sane install process in between everything else, and they learnt/accepted that engineers only ever being armed with a USB keyboard and a butter knife to get into things wasn't such a good idea.

  • anonymous (unregistered)

    Ah yes, security through obscurity.

    Also, even assuming that the "secret algorithm" doesn't get out, it's impossible to give different admins access to different servers because they'll be able to work out the password for any server.

  • (nodebb)

    Have you ever tried to change the password on a Vodafone Connect router? Here's the blurb from the password change screen:

    Your password needs to contain at least 8 characters - including at least one lower or upper case letter, a number and a symbol

The router requires you to reset the password on initial login, so I couldn't configure the router to gain Internet access until after I had logged in, which meant that I was limited to IE8 and Firefox 21. As it happens, you can change the password in Firefox 21, as long as you use the actual password requirements, which are 8 characters including at least one digit, one lower case letter and one upper case letter, but by the time I found that out I'd already downloaded the latest Firefox via a different source, so I'd effectively wasted hours trying to reset the password on it because my passwords were too complex.

  • John (unregistered) in reply to Barry W

    LMAO this just made my day thanks.

  • medievalist (unregistered)

    Y'all do realize that all the vendor managed systems you've got have passwords at least this bad, and many of them have the same password as every other system installed by that vendor everywhere in the world? Avaya, HP, Verizon, Comcast, and your local printer maintenance shop aren't using unique and complex passwords - their techs use "Password1" and "Oct+123" or something like that and they use those passwords globally.

    That time I had to crack a mission critical Avaya Mosaix dialer it seems I accidentally hacked every single one in the world... generally speaking, if the vendor won't let you have the root password, it's because that password is not unique. The vendor will say it is, maybe even believe it is, but it'll be a lie.

  • eric bloedow (unregistered)

oh, this reminded me of an older story...a company offered two services (telephone and internet, I think), BUT forced users to use the same password for both, WITHOUT TELLING THEM! they somehow set things up so changing the password for one would ALSO change the other, WITHOUT TELLING THE USER! but then things got worse when they changed the minimum length for ONE and made it longer than the MAXIMUM length for the other...making one of them completely inaccessible!

Leave a comment on “The Wizard Algorithm”
