Admin
Occasionally, an article is so incredibly stupid that I cannot believe that it's true. Surely, someone made it up for the dramatic value.
Then I remember humanity. "What a bunch of bastards."
Admin
"So 178.8.1.44 becomes 178.80.10.44"
...that's not how "padding" works?!
Admin
It's how right-padding works, if you accept that it's two padding operations.
Admin
What if DHCP fails and you get a random IP assigned to the server? It looks like they have no record of servers and IPs.
Admin
Another, though lesser, problem with this "algorithm" is that it makes it more likely for two people to share the same password. Say person A is on 178.8.1.44 and person B is on 178.80.10.44, both will get the same result for the IP-mangling step.
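As an added illustration of the collision point above (this is example code, not from the article or anyone in the thread): a small audit that applies the padding step as the comment describes it (right-pad the two middle octets to two characters, so 178.8.1.44 becomes 178.80.10.44) to a constructed server list and reports which addresses end up with the same mangled value. The exact padding rule is an assumption read from the example in the comments, and the rest of the article's scheme is deliberately not modelled.

```python
import ipaddress
from collections import defaultdict

# Added example, not the article's code. Models only the "IP-mangling" step
# described in the comments (assumed rule: right-pad the 2nd and 3rd octets
# with "0" to at least two characters), so that servers whose addresses
# collapse to the same value can be found in an inventory.


def mangle_middle_octets(ip: str) -> str:
    """Right-pad the 2nd and 3rd octets to two characters, e.g. 178.8.1.44 -> 178.80.10.44."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    octets[1] = octets[1].ljust(2, "0")
    octets[2] = octets[2].ljust(2, "0")
    return ".".join(octets)


def derived_value_collisions(ips):
    """Group addresses by their mangled form.

    Returns {mangled: [original ips, ...]} for groups with more than one
    member, i.e. the hosts that would share the same derived value.
    """
    groups = defaultdict(list)
    for ip in ips:
        groups[mangle_middle_octets(ip)].append(ip)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    inventory = ["178.8.1.44", "178.80.10.44", "178.80.1.44",
                 "178.8.10.44", "10.1.200.5"]
    for mangled, members in derived_value_collisions(inventory).items():
        print(f"{mangled}: shared by {members}")
```

Note that a three-digit octet (the question raised further down the thread) is left untouched by the padding, so it neither collides nor gets shortened.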
Admin
So if you don't know the server's IP address because it somehow fell off the network, you have to log on to find out what the IP address is in order to work out what the password is so that you can log on to debug why it cannot get on the network.
Hmmm.
Admin
DHCP? You think they're using DHCP? Bet the IP addresses are all hard-coded.
Admin
Not to mention that every disgruntled former employee knows the password, and you can't change it.
Admin
Isn't it pretty much guaranteed that a group of machines in the same rack will share the same higher octets? And they were probably all bought for the same purpose, sharing the same hostname structure other than perhaps a different digit on the end. So all identical servers in a rack get the same password; perhaps that is considered a feature?
Admin
No, but it's better than the standard way people normally do it!
Admin
"And just what is this 'standard way people normally do it'?" he asked, nervously.
"Well," the SOFH [appropriate modification of BOFH] replied slowly, "I guess I can give you a hint, since we don't use it anymore. It involved the word 'secret', and the number '42'."
Admin
Write down the password on a Post-it note and stick it to the monitor.
Admin
What if the middle 2 octets are 3 digits?
Admin
You can always write an octet as two characters
Admin
You could convert the 3 digits to hex. Maybe that's the secret "undocumented" step.
Admin
Just ping the name to find out the IP?
And per-server accounts are a reasonable response if somebody came from an environment where policy was dictated by the same group preventing its implementation. Let me explain. I have AD service accounts that another department thinks I should be responsible for, even though I can't create, update, unlock, or even change the passwords for these accounts. You know the story, responsibility without authority.
And here comes authority without responsibility. The department started dictating new password rules, including shorter expiration dates. The applications run 24/7/365 but we have to file a ticket for changes and wait for somebody to get around to it. This means there's a window between the account changing and configurations changing.
On top of this, the applications are also poorly designed by H1Bs. One, configuration data is all over the place. Two, they can't separate concerns, so the same account that runs SQL Server is constantly authenticating to do different things (run services, remote I/O, etc). Three, there's no shutoff mechanism for the applications short of turning IIS and SQL off. Four, the same accounts are shared across multiple applications. Five, absolutely none of this is documented.
As you can imagine, it's tons of fun when the password gets changed right before lunch or close of business or when somebody's out or any time I'm not polling one of the seven different ticketing systems to see if anybody responded yet.
So, yeah, I can't really fault the per-server accounts. And with 300 constantly-expiring passwords to remember because we buy so much shovelware that either won't work with AD or the clowns can't configure it correctly, the password algorithm doesn't really faze me either. Stupid management won't push back on the H1Bs and won't consult anybody that knows anything, so this is the sort of stupidity that results.
Admin
If the server is off the network it won't bother answering any network traffic, pings included.
Admin
My current employer does exactly this for all domain accounts, with a simpler algorithm involving last name and first name's initial. Then, sysadmin read about ransomware and added 4 random digits (carefully written down in a public Excel document). Such passwords are often reused in internet accounts like Trello.
Admin
Why is local admin enabled on a domain server?
Admin
I had an employer ages ago that generated ordinary user names using the first 2 letters of the first name and first 6 letters of the last name. This gave one unfortunate DBA the username of "SUYOSHIT". I hope she is happily retired and free of that user name!
Admin
At one place I worked, it was the first letter of the first name and the first three letters of the last as part of the username. But it wasn't set in stone, or at least I didn't think it was set in stone, past all sensibility.
I found out how the secretary regarded the rule when a user came in that was named Charlotte Unterborn. The resulting username produced one of the top tier facepalms I've ever done in my life.
Admin
The server will not respond to ping, but even before that, ping will resolve the server name to the server IP.
Admin
Because you would use dynamic IP addresses on servers?
Admin
A bank that I use used to have the most retarded password requirement ever - not allowing duplicate characters anywhere in the password (this greatly reduces the possible number of permutations, making it very vulnerable to brute force hacking).
Fortunately, the password requirement was only enforced on the front-end, which allowed me to easily bypass it by modifying the JavaScript.
It's ironic how banks have among the worst IT security, when we're trusting them with so much personal information.
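To put a number on the "no duplicate characters" rule criticised above, here is an added example (not the commenter's code) that computes the password space with and without the rule for several lengths. The alphabet sizes 62 (digits plus both cases) and 10 (digits only) are assumptions chosen for illustration.

```python
from math import perm

# Added example, not from the post. Counts candidate passwords with and
# without a "every character must be distinct" rule (assumed alphabets:
# 62 = [0-9A-Za-z], 10 = digits only).


def unrestricted_space(alphabet_size: int, length: int) -> int:
    """Number of passwords of the given length when characters may repeat: k**n."""
    return alphabet_size ** length


def no_repeat_space(alphabet_size: int, length: int) -> int:
    """Number of passwords when every character must be distinct.

    This is the falling factorial k*(k-1)*...*(k-n+1). It is zero once the
    length exceeds the alphabet, so the rule also caps the usable length.
    """
    if length > alphabet_size:
        return 0
    return perm(alphabet_size, length)


def reduction_table(alphabet_size: int, lengths):
    """Return [(length, unrestricted, no_repeat, fraction_remaining), ...]."""
    rows = []
    for n in lengths:
        full = unrestricted_space(alphabet_size, n)
        restricted = no_repeat_space(alphabet_size, n)
        rows.append((n, full, restricted, restricted / full))
    return rows


if __name__ == "__main__":
    for k in (62, 10):
        for n, full, restricted, frac in reduction_table(k, (4, 8, 12, 16)):
            print(f"alphabet={k:2d} length={n:2d} "
                  f"{full:>24,d} {restricted:>24,d} remaining={frac:.3%}")
```

For an 8-character password over 62 symbols the rule leaves roughly 62% of the space, for a 10-digit numeric field about 0.04%, and anything longer than the alphabet cannot be chosen at all.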
Admin
Ahem.
Barry did write a script... he got it 99% working and then lost the will to live.
Admin
What part of "fell off the network" makes you think you'll be able to ping it? (And I'm including "the name is not in DNS any more" in that...)
Admin
Every so often you get a WTF that just makes you groan "Whyyyyyy....?"
Admin
Then you ping the hostname to find the new IP
Admin
Oh, you must be one of those lucky people who has their servers in the same building that they work in.
Point still stands about the per-server accounts though. The only WTF here is using the IP. Even that's not such a WTF if you do what we still do with printers and slap a label on the side with its hardcoded IP (and other pertinent details).
Admin
But why use a spreadsheet when DNS can store the correct password?
prd-app2-serv4 IN A 178.8.1.44
prd-app2-serv4 IN TXT "totally-secret-password=8010RDVAP"
Admin
sorry, the lines got merged after submit. I meant:
prd-app2-serv4 IN A 178.8.1.44
prd-app2-serv4 IN TXT "totally-secret-password=8010RDVAP"
Admin
And because I can't really be bothered to wait for moderation because cellphone...
"Oh, so you're lucky enough to have your servers still in the building where you work? That must be great.
Rest of the point still stands though. The IP is only a little bit of a WTF and really only if you use DHCP. But it wouldn't if you did like we still do with printers, slap a label on the side with pertinent information, including a fixed IP."
Admin
We had a T W Waterman who complained that his email address started with watatw@. There was no set policy, he was just a tw@ to the guy setting up his account.
Admin
If you slap a label on the side with an obfuscated password, why not obfuscate the password with rot13?
Admin
Putting the printer's name and IP on the side of the machine is not the same as putting the password there.
Admin
Our system generates first initial, partial last name, and incremented number if the account exists. One user got the username "COCKEND".
Did I mention I work for an elementary school?
Admin
I once wanted something like this because I occasionally get sent out to fix remotely located integrated Linux machines that for one reason or another weren't coming online, with nothing but a crowbar and a USB keyboard, usually with the wrong layout. By default the root password was 123, often secured only by the fact that you needed a screwdriver to lever a lid, cover or door open to get at a USB port.
I did ask someone to come up with a "wizard" scheme for the meantime until the legacy horror of the system could be sorted out (people were still doing things like manual install rather than kickstart), but not one as bad as the one in this article. The guy wasn't good with unspecific instructions, so it never happened. I ended up just making the passwords based on some arbitrary scheme for the meantime that I kept in the DB, the emergency workaround being to live boot a standard USB stick to override the root password (again, another security hole). After some time I eventually managed to hash out a halfway sane install process in between everything else, and they learnt/accepted that engineers only ever being armed with a USB keyboard and a butter knife to get into things wasn't such a good idea.
Admin
Ah yes, security through obscurity.
Also, even assuming that the "secret algorithm" doesn't get out, it's impossible to give different admins access to different servers because they'll be able to work out the password for any server.
Admin
Have you ever tried to change the password on a Vodafone Connect router? Here's the blurb from the password change screen:
The router requires you to reset the password on initial login, so I couldn't configure the router to gain Internet access until after I had logged in, which meant that I was limited to IE8 and Firefox 21. As it happens, you can change the password in Firefox 21, as long as you use the actual password requirements, which are 8 characters including at least one digit, one lower case letter and one upper case letter, but by the time I found that out I'd already downloaded the latest Firefox via a different source, so I'd effectively wasted hours trying to reset the password on it because my passwords were too complex.
Admin
LMAO this just made my day thanks.
Admin
Y'all do realize that all the vendor managed systems you've got have passwords at least this bad, and many of them have the same password as every other system installed by that vendor everywhere in the world? Avaya, HP, Verizon, Comcast, and your local printer maintenance shop aren't using unique and complex passwords - their techs use "Password1" and "Oct+123" or something like that and they use those passwords globally.
That time I had to crack a mission critical Avaya Mosaix dialer it seems I accidentally hacked every single one in the world... generally speaking, if the vendor won't let you have the root password, it's because that password is not unique. The vendor will say it is, maybe even believe it is, but it'll be a lie.
Admin
Oh, this reminded me of an older story... A company offered two services (telephone and internet, I think), BUT forced users to use the same password for both, WITHOUT TELLING THEM! They somehow set things up so changing the password for one would ALSO change the other, WITHOUT TELLING THE USER! But then things got worse when they changed the minimum length for ONE and made it longer than the MAXIMUM length for the other... making one of them completely inaccessible!