#1 Administrator

    Dumb passwords yet again

    Passwords have well known limitations and the number of passwords we need to deal with on a daily basis is already unmanageable for many people (password managers can help!), but still there is no excuse for the dumb choice of passwords illustrated here:

    http://krebsonsecurity.com/2013/12/h...umb-passwords/

    Those are passwords used to secure remote access to computers, but passwords used for other purposes are often like this, too.

    If you use a computer, a website, an email account or any other service relying on a password, that can be accessed by other people, please make sure you use safer passwords, for the sake of your computer and / or your data.
    Rui
    -------
    R4


#2 Silver Lounger mrjimphelps
    An organization can enforce password rules on their employees. That's the only way to avoid this sort of stupidity.

    Reminds me of TV police dramas -- everyone leaves their keys IN THE CAR!

    My company not only forces people to make good passwords, but we also force them to change them every month. We get lots of angry callers complaining about those rules, but at least we have good passwords.

#3 Administrator
    That makes complete sense, Jim, as this article can prove (and there are so many similar stories around the net). I think smaller businesses may have more difficulties, with no dedicated IT staff and probably less understanding of the risks involved.
    Rui
    -------
    R4

#4 Silver Lounger mrjimphelps
    Some people (even IT people) don't have a clue about this sort of thing. I can understand that in a small company, where they don't have a lot of resources; but most of the companies listed looked like large firms. They have no excuse.

#5 Administrator
    Quote Originally Posted by mrjimphelps:
        Some people (even IT people) don't have a clue about this sort of thing. I can understand that in a small company, where they don't have a lot of resources; but most of the companies listed looked like large firms. They have no excuse.
    I completely agree with you.
    Rui
    -------
    R4

#6 Silver Lounger mrjimphelps
    I'll tell you something else. After we set up security questions on users' accounts, we would sometimes get a call from a user who hadn't yet set up her security questions. IN THE BACKGROUND I COULD HEAR HER COWORKERS HELPING HER TO SET THEM UP!! Information Security shut that down after a few emails telling them that users were doing this.

    That is literally the same as giving everyone in your office the combination to your locker, the only difference being you could lose your job if someone else logs in as you and does unauthorized stuff on-line.

#7 Administrator
    Quote Originally Posted by mrjimphelps:
        I'll tell you something else. After we set up security questions on users' accounts, we would sometimes get a call from a user who hadn't yet set up her security questions. IN THE BACKGROUND I COULD HEAR HER COWORKERS HELPING HER TO SET THEM UP!! Information Security shut that down after a few emails telling them that users were doing this.

        That is literally the same as giving everyone in your office the combination to your locker, the only difference being you could lose your job if someone else logs in as you and does unauthorized stuff on-line.
    And it defeats the purpose of the security question (and passwords) anyway. It's very hard to instill the need for proper password and security handling procedures in some people. That's why social engineering attacks are so successful.
    Rui
    -------
    R4

#8 Platinum Lounger
    Forcing obscure passwords on users doesn't work in the real world because people are fallible. The best you can hope for is a reasonably secure password with 2 numbers that changes monthly and even that is too hard for many people.

    The most annoying thing I find is software developers who think that a 6 to 8 character password is all you will ever need and restrict your password choice accordingly. Then they compound the issue by not telling you what their arbitrary limit is and your reasonable 16 character password is not accepted.

    cheers, Paul

#9 Silver Lounger mrjimphelps
    We force our users to pick a password that is at least eight characters long, that has at least three unique characteristics (upper case, lower case, numbers, special characters), that doesn't match their name, and that they haven't used the past 14 times. And they must change it at most 35 days after the last password change.

    You have to force it, because otherwise not too many people will do it.

    It works in the real world if you make them do it, that is, if that's the only way they can log in.

#10 Platinum Lounger
    How many password reset calls does your hell desk get daily? Good old users, where would we be without them?

    cheers, Paul

#11 Silver Lounger mrjimphelps
    My estimates: Password resets and account locks account for about 80% of our calls. Some days we get 10, other days we get 100.

    A huge problem is that we require that they reset their password at most every 35 days. This causes several potential account locks:

    1. We allow them to use their mobile device (iPhone/iPad/android) and ActiveSync to do their corporate email. Since ActiveSync doesn't grab the new password automatically, lots of people start getting continually locked when they update their password, because they failed to then update it in their mobile device, or they failed to do it quickly enough (most mobile devices are set to check the email about once every minute, resulting in a lockout if they don't immediately update their password in their mobile device). In fact, some users have multiple mobile devices set to check their email, resulting in a much higher possibility of an account lock.

    2. Many users attach to the corporate wifi with their mobile device(s). When they change their password, if they don't also change it in EVERY such mobile device, they will get locked (and stay locked) as soon as they show up at work. (There have even been cases where a user loaned his iPad to a coworker. He was then unable to update the password on his iPad, because his coworker had it!)

    3. If the user logs on to a network-connected computer, then logs off, then goes to another computer, logs on, and changes his password, the first computer will lock his account after about an hour, and every hour after that, BECAUSE IT IS PINGING THE NETWORK WITH THE LAST USERNAME AND PASSWORD! EVEN THOUGH THEY LOGGED OFF! This is particularly a problem on Friday afternoon, when someone logs out, then logs in from home and changes his password. He will get locked out every hour, because no one is at work to turn off the offending PC.

    I am convinced (and have been since the Novell days) that Microsoft networking is largely client-centric rather than server-centric. That's why this sort of thing happens. It's too bad that when Microsoft was on the warpath, knocking off one major company after another, Novell responded so ineptly. If Novell had been smart and had stuck strictly with networking, we would have much better networking today.

    That's my rant for the day.
    Last edited by mrjimphelps; 2013-12-16 at 12:54.

#12 Platinum Lounger
    80% is just a disaster. Who is the clown driving policy that allows that to happen - it's not you I hope.
    If you are seeing PCs re-authenticating and locking out users then they haven't logged off, contrary to the user's assurances. I use the MS tool lockoutstatus.exe to find the DC that initiated the lock, then trawl the logs to find the offending machine. Recently it's been iThingys where the user attempted to connect to the secure wi-fi with their user/pass - never going to work, but it locks them out at random intervals.

    cheers, Paul
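The investigation Paul describes (find the DC that recorded the lockout, then find the machine that sent the bad password), as an added PowerShell example that is not part of any post in this thread. It reads the 4740 (account locked out) events from the PDC emulator's Security log, which is where every DC reports lockouts regardless of which DC rejected the passwords, and prints the caller computer for one account; it then lists the per-DC bad-password counters that lockoutstatus.exe displays. It assumes the ActiveDirectory PowerShell module, remote-read rights on the PDC emulator's Security log, and a domain-joined machine; the account name is a script parameter and `jdoe` below is a placeholder.

```powershell
# Added example (not from the thread): find which computer keeps locking an AD account.
# Assumes the ActiveDirectory module is installed and the caller can read the
# Security log on the PDC emulator remotely. Run as: .\Find-LockoutSource.ps1 -SamAccountName jdoe
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,
    [int]$Days = 1
)

Import-Module ActiveDirectory

# Lockouts are forwarded to the PDC emulator, so its Security log holds one
# 4740 event per lockout no matter which DC saw the failed attempts.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML. For 4740, TargetUserName is
    # the locked account and the "Caller Computer Name" shown in the message is
    # the machine that submitted the bad password.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    $caller = if ($e.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $caller
        ReportingDC    = $pdc
    }
}

"Lockouts for $SamAccountName in the last $Days day(s), from the PDC emulator $pdc"
$hits | Sort-Object Time | Format-Table -AutoSize

# Per-DC view of the same account: badPwdCount and LastBadPasswordAttempt are
# not replicated, so each DC is queried directly (this is what lockoutstatus.exe shows).
"Per-DC bad-password state"
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    [pscustomobject]@{
        DC                     = $dc
        LockedOut              = $u.LockedOut
        BadPwdCount            = $u.badPwdCount
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
    }
}
```

The caller computer in a 4740 event is the host that presented the credentials, not necessarily the device the user holds: for a phone syncing mail over ActiveSync it is the Exchange client-access server, and for wi-fi authenticated through NPS it is the RADIUS server, so the next step in those two cases is the IIS or NPS log on that server to see which device was using the stale password. When the caller is a workstation, the usual holders of an old password are a session that was never logged off (check with `query user`), a mapped drive or scheduled task running as the user, or a saved wi-fi or VPN profile.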

#13 Silver Lounger mrjimphelps
    I am 100% confident that PCs which the user has logged off of, but not powered down, and then no one else uses them, are locking user accounts if a user then logs on from another PC and then resets his password. It happens over and over. Information Security, who has a lot more tools and expertise on these matters, tell us that this is why the user is getting locked out in many cases. In most cases, we can see the PC name listed in our password management software.

    In fact, I've seen many cases where the PC that the user is logged onto is locking him out! I'm not making this up, and I've been in this business since DOS 3.2 (earlier than that, if you count the Atari-ST and mainframes). Somehow Windows has stored the old password and is pinging the network with it.

    Most people have drunk the Microsoft Kool-Aid, which is what I conclude when I read the various blog postings. But in the area of networking, Microsoft leaves a lot to be desired.

    You NEVER saw all of this in a Novell environment. Of course, in all fairness, I should point out that there weren't so many different devices trying to log onto your account in the past. But I guarantee you that if this were Novell networking, ALL network access would be centrally controlled and managed (i.e. server-centric), like it should be. Instead, we have this monstrosity known as Microsoft "networking", which is in fact nothing more than a bunch of clients all patched together.
    Last edited by mrjimphelps; 2013-12-17 at 14:47.

#14 Silver Lounger mrjimphelps
    Quote Originally Posted by Paul T:
        80% is just a disaster. Who is the clown driving policy that allows that to happen - it's not you I hope.
    As far as who is driving policy, we deal with lots of confidential medical information in my job, and so we are subject to HIPAA regulations. Hence, we must put in extra effort to secure the information. One of the ways we deal with it is to require password changes in no more than 35 days since the last password change. Another thing is to require a hard-to-crack password.

    In a well-designed networking environment, this would cause no problems. When the user reset his password, all authorized devices would be able to connect to the user's account with the new password, and the account wouldn't lock. Instead, in our client-centric monstrosity known as Microsoft "networking", whenever a user resets his password, even domain-connected computers which are logged off lock the user's account!! The user has to go to extraordinary lengths to prevent lockouts.

    One of the great tragedies in computing was the day that Novell didn't stick to networking, but instead bet the farm (almost a billion dollars) to try to compete with Microsoft on the desktop and in other areas. Microsoft ran right past them and took over the networking market; and today there is no more Novell.

    Well, I guess I could look at it as job security, because the monstrosity sure keeps us busy.
    Last edited by mrjimphelps; 2013-12-17 at 15:02.

#15 Silver Lounger mrjimphelps
    Quote Originally Posted by mrjimphelps:
        Most people have drunk the Microsoft Kool-Aid, which is what I conclude when I read the various blog postings. But in the area of networking, Microsoft leaves a lot to be desired.
    I apologize if I have offended anyone who is a fan of Microsoft. Microsoft has done a lot of good in computing, mainly in standardizing everything.

    But their networking offerings leave a lot to be desired, in my opinion. And even when their product is substandard, they always seem to have the ability to convince a lot of people that their way is the best way.
