I'm surprised...
...they didn't use 12345!
Welcome back to PWNED, the column where we celebrate the people who’ve taught us how not to secure a server. If you’ve ever tied your own shoelaces together, then tripped over them, or attempted to dive into a swimming pool but hit your head on the diving board, we’ll be talking about your cyber equivalent. This week’s …
According to Shein, this change reduced unauthorized access attempts by a full 60 percent in a period of just three months.
75% of statistics are made up, and then there's meaningless drivel like this. Internal procedural changes don't have any bearing on the number of unauthorized access attempts made. If you were misquoted, contact the author; otherwise, you should probably resign and go to work for McDonald's as a cashier.
Thought it was 88.62% of all statistics. They are still one of Benjamin Disraeli's or Mark Twain's three classes: Lies, Damned Lies, and Statistics.
As a trained number wrangler (aka statistician) I can take any set of numbers, and with the correct sample and test, make it say anything you want.
True story: It recently came to my attention that there is a Spaceballs sequel on its way (disappointingly not actually subtitled The Search for More Money). I went to check for a release date, and saw 23 April. Went looking for UK release date, didn't see anything specifically UK; went to cinema sites, didn't see any listings of it for this week. Was starting to worry (for a few days even!) that it might not be getting a UK release. Finally went back to the original source, and this time, finally noticed where it says '2027' right after the '23 April' bit. Boy, was my face red!
Nonsense. NSA recommends using phrases. They are easy to communicate and remember, thus there's no motivation to pin them to a slack board.
With 170,000 English words in common use, correcthorsebatterystaple is one password out of 8.3521E20, and that's before considering spaces, punctuation and capitalisation.
It's much better than Vu+}?8wV?5TPy2cLBqc= which absolutely will be written on a post-it note and stuck to a screen, as well as be sent by email because you'll never be able to verbally communicate it.
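The comparison in the comment above (a four-word passphrase from a 170,000-word dictionary versus a 20-character random string) is easy to put in numbers. The block below is an added example, not code from the column or from any commenter; the dictionary size and word count come from the comment, while the 95-symbol printable-ASCII alphabet and the guessing rate are assumptions made for the illustration. It generalises the comment's single calculation to any dictionary size and word count, and also works out how many dictionary words it takes to match the random string's entropy.

```python
import math

# Figures taken from the comment above (constructed comparison, not from the column):
# a dictionary of 170,000 common English words, a four-word passphrase, and a
# 20-character string drawn uniformly from the 95 printable ASCII characters (assumed).
DICTIONARY_WORDS = 170_000
PRINTABLE_ASCII = 95


def passphrase_keyspace(dictionary_size, word_count):
    """Distinct passphrases when every word is picked uniformly at random from the dictionary."""
    return dictionary_size ** word_count


def random_string_keyspace(alphabet_size, length):
    """Distinct strings of the given length over an alphabet of alphabet_size symbols."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    """Guessing entropy in bits: an attacker needs on average half of 2**bits guesses."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second):
    """Wall-clock years to try every candidate at a fixed guessing rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def words_to_match(dictionary_size, target_bits):
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    phrase = passphrase_keyspace(DICTIONARY_WORDS, 4)        # correcthorsebatterystaple
    random20 = random_string_keyspace(PRINTABLE_ASCII, 20)   # Vu+}?8wV?5TPy2cLBqc=
    rate = 1e10  # assumed offline guessing rate against a fast, unsalted hash
    print(f"4-word passphrase : {phrase:.4e} candidates, {entropy_bits(phrase):.1f} bits, "
          f"{years_to_exhaust(phrase, rate):.1e} years at {rate:.0e} guesses/s")
    print(f"20-char random    : {random20:.4e} candidates, {entropy_bits(random20):.1f} bits")
    print("words needed to equal the random string:",
          words_to_match(DICTIONARY_WORDS, entropy_bits(random20)))
```

Run as a script it prints the 8.3521e20 figure from the comment (about 69.5 bits), shows that the random 20-character string is still roughly 131 bits, and reports that eight dictionary words would close that gap. The point for a defender is that both are far beyond any online guessing budget; only the offline rate against a weak hash makes the difference matter.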
You don't write it, send it, or verbally communicate it. You paste it in from your password manager program.
I've seen admin as null more than a few times.
I've seen large corporations with very expensive firewalls set to allow all inbound.
I've seen internet-connected machines missing patches for the last 5yr.
Really, I've been reading about the latest security measure that everyone should have in place, but we're still having to ask IT 'pros' not to do the most stupid things. Or to ask execs not to force IT pros to do stupid things.
I wonder when we're just going to accept humans are not secure and build the system around that? I doubt I'll ever see it and I'm 20yr from retiring.
It all boils down to the lack of engineering principles in technology, once again... Poorly qualified people who don't know what they don't know half of the time, no oversight, no need for CPD, no legal leg to stand on if a beancounter tries to overrule you, no certifying body to hold your feet to the flames if you screw up, and tech bros shovelling new flavours of shit in your general direction on a daily basis.
The stable door's still open, the horse has long bolted, and now corporations can make massive screw-ups that seriously affect people's lives, and at best get hit with a slap on the wrist level of fine, with no true individual accountability at either a technical or board level.
Having successfully managed to avoid any experience of the old flavours the idea that anyone is able to discern the existence of new flavours strikes me as rather… unsavoury err… perhaps unsanitary.
I am of course keeping my tongue firmly in cheek behind my own teeth and certainly not between anyone else's cheeks.
I just recalled that a decade or so ago, when the world (re)discovered the gut biome, some nutcase influencers and fellow travellers were swallowing shit smoothies in order to revitalise their gut flora. Stupidity is unbounded.
@Bebu sa Ware
Faecal transplants have been useful occasionally e.g.
"I wonder when we're just going to accept humans are not secure and built the system around that?"
Probably as soon as one of the people who say things like this explains how you can do that. The suggestion, if interpreted literally, means that you build a computer such that a person, no matter how stupid, cannot possibly do anything dangerous but can still do the things they need done. A person with a little experience of basically anything will notice this as the way that nothing works.
We can implement layer after layer of safeguards. We can make it possible for admins to limit what users can execute. We can implement detailed authentication mechanisms where everyone logs in to a separate account with multiple factors and the accounts are limited very specifically to the activities they are granted. None of that helps if the people who are supposed to set those requirements deliberately choose to not configure the former and create one account with all privileges within the latter. They still sometimes choose to do this because properly setting very granular roles for a user takes more time and causes delays when a user first finds another one they need but don't have, so the insecure option is the easier and faster one. If you can do it better, please do so. If you can tell us how to do it better, I'm eager to hear, but expect that I'm going to question the approach heavily because most suggestions along this line I've seen so far are simplistic and weak if they work at all.
I’m sure I have mentioned this before, but an ex-client of mine asked that we disable all Windows updates, because they sometimes broke their SAP installation. To be fair SAP can break if you look at it wrongly, but still. Despite telling them this is not a good policy (in fact I think I literally said to their head of IT that this is a fucking stupid idea); but they insisted, so....!
Now a little later, they decided to move to another IT support company, and that’s fine, no hard feelings, you win some and lose some. Two months later they were hit with a massive ransomware attack - using an exploit that had been mitigated six months before by a Windows update, which, of course, hadn’t been applied*
I found out afterwards from a friend that worked there, that the company was that close to going out of business. Anyhow being a nice person, I advised them what to do, and even helped with recovery - for a fee of course.
And then the legal threats started, how was this allowed to happen....etc? I did point out that at the time, we weren’t doing their IT support, and eventually dug out the old emails from them instructing us to do it, my replies telling them that this is not a good idea because it leaves you vulnerable, and their response from senior management saying ‘yes we know, but just do it’! Copies of which I sent to them, along with a final message of ‘fine, see you in Court’! Never heard anything further.
Although it shouldn’t be necessary, when a client is doing something and/or insisting on an action which you know is really fucking stupid, then CYA applies!
* Yes, yes, I promise you I know; stage the update rollout, test it with a small subset of users, get sign-off that the update has not broken anything, and then proceed with a wider roll-out. Which costs money and time, but is the only way to reduce issues and downtime.
Meanwhile, back in the real world.......
12345! (factorial) would have over 45 thousand digits
The calculator at https://www.calculatorsoup.com/calculators/discretemathematics/factorials.php didn't chicken out :)
Pretty safe - try entering that.
Oddly no one ever uses 1,2,3,4,5 or even counting from 0.
Even the evil of multiple uid==0 accounts with distinct passwords would be a lesser evil than sharing a single root password.
I think, although from ignorance, Windows always permitted Administrator privileges to be assigned to multiple user accounts.
"role-based access": Hell, yeah!
"credential rotation": I've never seen a logical explanation of why (other than after a potential credential exposure) this is done.
If you have a good, complex passPHRASE, the likelihood of that being brute-forced is the same as the likelihood of an equally-good passPHRASE being brute-forced. Or rainbow-tabled, or whatever.
There is no good reason to do this without at least some evidence of attempted intrusion (or access from "unlikely" networks).
And if you have a decent password along with a sane second factor (not sms) then it really should only be "attempted intrusion" which flags a cycle.
Rotation is annoying but there is some justification. Correct security paranoia is to assume that every password is compromised even if it hasn't been (ab)used yet. By changing them out you lessen the window of opportunity for any given password to cause problems. Of course, the quick "fix" for users is to keep the same password and add 1 to the number on the end.
Lateral random thought on the brute-force approach. Given that the usual password authentication method is that you type in the password and at some point it gets converted into a cryptographic hash which is then compared to the stored value, what happens if you happen to have managed to generate a 20-character random string that just happens to have a hash collision with "123456"? Apart from recommending purchase of a lottery ticket. Probably not likely with modern hash functions, but there is always the chance.
I do get what you are saying and I strongly suspect that all of us on here need no lectures on password security. But the issue is end users, the clients we deal with.
As a former colleague of mine used to say, many companies seem to have a motto of ‘give me convenience, or give me death’. My particular favourite are the companies that I have managed to persuade to enforce 2FA and longer (not necessarily complex) passwords. This tends to last about three days, until we are instructed to remove this requirement from the C-suite brigade as they are far too important, no sorry, busy to have to deal with this inconvenience. So who will the potential hackers target, will it be the CEO or the car-park attendant, whose account is forced to be MFA’d up the wazoo?
At least this gives an example, that we can quote when asked, ‘why should we....’, and provide the links to the story. Even though this company spent £$x,000 on tech, the thieves simply entered through the open window! It’s the same old story of companies trying to impose a tech solution on what is actually an HR one!
Outfit I used to work for (large UK government department, handling sensitive personal information) had a very locked down system: access to individual "customer" records only from nominated terminal in specified location & only to staff authorised to use said terminal. Repayments had additional layers added.
Then "efficiency" & "flexibility" took over. Now any staff, anywhere, can see anybody's record. And staff are now being sacked by the score for unauthorised accesses.
No. It becomes Pass#00$Word, Pass#01$Word, Pass#03$Word, as certain people require not merely changing passwords on a regular basis (every 90 days is one example I'm thinking of) but also require 'complexity', as in at least two capital letters, at least two symbols (which at the site I'm thinking of must be selected from an 'approved' list, limited to @, #, $, and *. I wish I were making this up.) and at least two numbers, and must be a minimum of 12 characters in length. I told the boys running the site that they were inviting passwords as noted above. They replied that they knew, that they use similar passwords, and that their hands are tied, this is a Directive From Above. Someone senior once read a short article on security and now has fixed ideas on the subject and cannot be moved.
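The policy in the comment above (minimum 12 characters, two capitals, two digits, two symbols from an approved list of @, #, $ and *, rotated every 90 days) is satisfied to the letter by Pass#00$Word, Pass#01$Word and so on. The block below is an added example, not code from the column or the commenter: it encodes that policy as written and then adds the check the policy lacks, comparing the new password against the old one so that "bump the counter" rotations are rejected. The skeleton comparison and the edit-distance threshold are constructed for this illustration.

```python
import re

# Policy as described in the comment above: minimum 12 characters, at least two capitals,
# two digits and two symbols drawn from the approved list "@#$*".
MIN_LENGTH = 12
APPROVED_SYMBOLS = set("@#$*")


def meets_complexity(password):
    """True when the password satisfies the letter of the policy above."""
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    symbols = sum(c in APPROVED_SYMBOLS for c in password)
    return len(password) >= MIN_LENGTH and upper >= 2 and digits >= 2 and symbols >= 2


def skeleton(password):
    """Lower-case the password and drop every digit run, so Pass#00$Word and
    Pass#01$Word collapse to the same shape (constructed heuristic)."""
    return re.sub(r"\d+", "", password).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character tweaks of the old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old, new, max_edits=2):
    """True when 'new' is the old password with its counter bumped or a couple of characters changed."""
    if new == old:
        return True
    if skeleton(new) == skeleton(old):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def accept_change(old, new):
    """Decision a change-password handler would make: complexity plus not-a-rotation."""
    return meets_complexity(new) and not is_trivial_rotation(old, new)


if __name__ == "__main__":
    # Constructed sample changes: the counter-bump pattern from the comment, and a genuine change.
    for old, new in [("Pass#00$Word", "Pass#01$Word"),
                     ("Pass#01$Word", "Pass#03$Word"),
                     ("Pass#00$Word", "Violet$Tea@42Mug")]:
        print(f"{old} -> {new}: complexity={meets_complexity(new)}, "
              f"rotation={is_trivial_rotation(old, new)}, accepted={accept_change(old, new)}")
```

A real deployment would run the same comparison against the user's last several passwords rather than only the previous one, and, per current NIST guidance, would check candidates against a breached-password list instead of relying on character-class rules at all; the example keeps the comment's policy so the shortcoming it describes is visible.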
Admins always have access to the hashes. If we can crack them, then so can a threat actor following a cybersecurity incident.
Many applications did and still do store unsalted, non-hardened hashes. Audit efforts on those scale basically without regard to total number.
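Two comments above make points that are easiest to see in code: that login compares a hash of what you typed against a stored value (so, as the "hash collision with 123456" comment says, any input with the same digest would be accepted), and that an unsalted, non-hardened store lets an audit test a candidate once for every account at the same time. The block below is an added example, not code from the column or any commenter; the credential store is constructed, the PBKDF2 iteration count is kept deliberately low so the demo runs quickly, and the audit-cost function simply counts hash computations rather than performing any guessing.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed credential store for the example: two accounts deliberately share a password.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correcthorsebatterystaple",
}
# Kept low so the demo runs quickly; a production store should use a far higher count.
ITERATIONS = 50_000


def unsalted_record(password):
    """The weak store the comment describes: one fast, unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns everything needed to verify later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_unsalted(candidate, record):
    """Login check: any input whose SHA-256 equals the stored digest is accepted,
    which is exactly why a hash collision (however unlikely) would authenticate."""
    return hmac.compare_digest(unsalted_record(candidate), record)


def verify_salted(candidate, record):
    """Same comparison, but the digest depends on the per-user salt and work factor."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


def shared_password_groups(unsalted_store):
    """Accounts whose stored unsalted digests are identical share a password; no guessing needed."""
    groups = defaultdict(list)
    for user, digest in unsalted_store.items():
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def hashes_per_candidate(account_count, salted):
    """Hash computations an audit spends to test one candidate against every account:
    one lookup for an unsalted store, one full derivation per account for a salted one."""
    return account_count if salted else 1


if __name__ == "__main__":
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate passwords visible in the unsalted store:", shared_password_groups(unsalted))
    print("alice and bob salted digests equal?", salted["alice"]["digest"] == salted["bob"]["digest"])
    print("hash computations to test one candidate, unsalted:", hashes_per_candidate(len(SAMPLE_USERS), False))
    print("hash computations to test one candidate, salted:  ", hashes_per_candidate(len(SAMPLE_USERS), True))
```

The unsalted store reveals that alice and bob share a password before anything is guessed, and checking a candidate against it costs one hash regardless of how many accounts there are; the salted store hides the duplicate and multiplies the work by the account count and the iteration count. That asymmetry is what the comment means by audit effort scaling "without regard to total number", and it applies equally to the admin auditing and to anyone who has taken a copy of the hashes.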