yaymuffins0
43526
838
12
Oct 25, 2024 1:01 PM
yaymuffins0
43526
838
12
kusuriya
This is pretty for resets and not as risky as it seems provided there are compensating controls. I mean there are better ways but its not the worst way.
VodkaReindeer
My IT support: "write your AD password on this post-it so I can set up your new smartphone for you. You can't do it yourself because it's not secure"
PorneliusHubertII
I have to take a yearly cyber security course, on the account that hr gave me where the password was password on a computer where the login is the name of the department and the password is the login...
qyrriqat
Mine does the over-the-top cybersecurity training, too, and then upper management keeps sending out emails that trip over half the red flags we're supposed to watch out for and get upset when people ignore the emails because they look more like phishing than the phishing stuff presented in the training.
knotch2
Did they email you a temporary password? That is normal. Then it prompts you to create a new password. Or if it's for a training site that's normal too. No one wants to do your training for you.
cousteau
My cyber security training was like: "Don't just click on links, better copy-paste them into the browser to ensure they're legit (especially since the text can say https://good-site.com but the link actually be to super-shady-site.com), and also always send the URL as plain text rather than 'Click here' links", but then the company sent "Click here" links which also got obfuscated by the security proxy so that you couldn't read them. It's all a façade so they can blame you when something breaks.
Sevulturus
I keep getting messages at work that say things like, "your cyber security training is 786 days overdue." I report those as phishing. IT emails me, and says, "you need to actually do those." I report those as phishing. IT phones me and let's me know those are real links I need to follow. I say okay, and then don't do them. Seems like phishing to me.
I've never followed an outside link at work, and I never will.
o0Tektite0o
In Comic Sans font...
yaymuffins0
👌
JonWallace1985
How? APIs should even have access to the raw, it should be stored hashed and only compared against the hash of what you provided.
enderite
Wait.. I’ll read your meme in a sec. I have to let the phone scan my face 18 FUCKING TIMES before I can see my work email.
MidasTheAlchemist
This is fine if it's a random password with a short expiration and your account has little to no permissions and you are actively available to set the new password and provide confirmation that you changed it, so that if you didn't change it they can disable the account immediately and reset the password again.
numbonvalium
I think the biggest warning sign would be for companies to keep using emails when things like Slack/Signal/etc exist.
Raecracy123abc
I asked my IT to hard reset a machine because the password has been compromised, I changed it and forgot it without backup, they left it on my desk in my open open/semi public office with a sticky note on the cover with the password I was not to change---umm thanks
yaymuffins0
Classic!
Eldibs
The problem with a lot of modern cyber security is that it fails to understand a very basic rule - You cannot design your people around your systems, you have to design your systems around your people. For example, you cannot expect people to get a new password every six months that contains letters, numbers, and special characters while also not being similar to their old password. They're just gonna write it down.
TheseAreNotTheVotesYouAreLookingFor
It is bad practice to send passwords like this, but not the worst. Emails within the same mail host will be secure. Even mail between vendors can be secure with the right encrypted mail exchange between them. It should always be a password recovery situation so that you can immediately change the password again once you regain access.
yaymuffins0
Interesting, hadn't really considered that it was still within their own host. Still, seemed like bad for him
OnlyOneArman
All that is correct if it's a temporary password, but not if it's your ACTUAL OLD PASSWORD. Because that means the password was being stored as plain text on the server, which is a huge no no.
sadurdaynight
Last job I quit, I helped maintain the company's web portal. Few months after I quit I went in.. sure enough I could still log in. Emailed IT dir asking him to change the pwd, b/c we had other folks leave that knew the pwd. Anyone could go on there and deface the web-site. Current company I work for forces us to change pwds with an auto-keygen system that I can barely get any work done.
yaymuffins0
That's crazy. I've heard some horror stories of disgruntled employees with access
NewTitaniumCorvid
Would you prefer they email it hashed? Cleartext combined with policy to change at first use is common practice.
TychoTychoAlba
Yeah I'm almost thinking this is a test. My company sends out simulating phishing mails then tells us how many people clicked on them afterwards.
yaymuffins0
They should send me a temporary one and prompt me to make a new one, or send send me a link that just has me make a new one. Should never include plain text passwords in emails. It shouldn't even be saved on their system. When I used it to log in, it didn't prompt me to make a new password
StarshipSuperTrooper
My organization was doing some network work which kicked all the printers off the network. (Shit that's been in place for a decade. They sent an email asking me for all of my offices printer's passwords as I'm the only one who knows. I did my bullshit cyber training
SLCtechie
Emails you a temporary password when resetting your password or emailing you your actual password if you forgot it? If it’s the first, that’s fine as you need to know what the new temp password is. The later is way worse than just “plain text”. It also means they’re not hashing passwords on their end. Passwords should never be stored without hashing at the very least (salt and hash even better).
yaymuffins0
I clicked forgot password and they sent me my password is plain text. It was not a temporary password.
SLCtechie
Ooo that is so bad on so many levels.
cousteau
Hash AND salt should be a required standard when storing passwords. Like, everywhere. You shouldn't be allowed to host any service with any kind of personal information if you can't prove that your password system is up to the standards.
ClownishAntics
And for security reasons, everyone has the same password. One lock is easier to guard, right?
yaymuffins0
Exactly!
GOAE
You jest, but in some cases it actually can be in a sense. Password vaults for example are safer to guard than traditional shared passwords. If you generate random passwords for each account you set up, but they all exist within one vault, the vault can be way safer by comparison if it has a reasonably complex password that only exists in your head.
neo154
Right?
Billis75
My company sends us fake emails and if we don't report them as phishing, we have to do mandatory training. So now I just report all external emails as phishing. Your move, cyber.
yaymuffins0
Haha I would do the same. I'm sure their security team loves that
touhi2000
Picture or it didn’t happen.
ByThePowerOfSCIENCE
It's very common, and you're supposed to change it immediately and report if it doesn't work. It can also come pre-expired so you _have_ to change it after the first successful login.
Couchwarrior1337
Pics of your password or it didn't happen. We need to confirm you updated it!
Iwouldbenick
Hi there. I have worked in IT for around 12 years. This processes is not unusual if you are confident that the user will us it immediately as there is always the box checked for "User must change password upon first login". 99.9% of the time the tech uses the same temp password. Even better, if your PC is domain joined to Intune (Azure) then they are just giving you a temp password anyways.
yaymuffins0
This was not a temporary password, I clicked forgot password and rather than having me make a new one they just sent me my existing password. I used it and it did not prompt me to create a new one.
Senguie
My cybersecurity training explicitly said “changing passwords frequently and mandatory, is not a good idea. People don’t want the hassle and make easy passwords and just go +1 on the number”
This week I got the “you have to change your password again” fuckers never learn.
afterdarkart
I'm an InfoSec Analyst at my job, and before I came, we pushed a mandatory 60 day change. We're now trying to undo that because you're right. So now we've turned on a ban list of passwords you can't use. That and we have people get hired, change their IG / FB / X account to their work email, and mirror the passwords...and then the scam 'need to login' emails arrive...
VodkaReindeer
A bit silly to train users on what good password requirements are
Senguie
You would be surprised what most people use. It’s password1234
cousteau
Cybersecurity training ≠ company practice. 🙄
WhatTheFrench
I have been using a “temporary” password supplied by IT for the last 3 months because I had a nightmare SSO password reset issue that left me unable to do my job and took 3-4 IT calls to resolve, and the two people I spoke to gave me contradictory information on how to correctly reset it. I know the password I’m using is NOT secure, and I am not an idiot, but I can’t be the girl who has problems every time she changes a password, and that experience left me with zerooo faith in our IT help desk.
MissChickle
Easy passwords should not be an option. Don't companies pay for secure password management tools for their employees?
Snooj
Way loooooooooong ago I used to work for a dial-up Internet provider and the amount of people who would sign up with a password and VOLUNTARILY tell us it was easy to remember because it was their PIN for their debit card was too fuckin' high. One guy even told me it was the PIN for his alarm system on his house. He told me that. A stranger. While writing it on a piece of paper that also included his home address.
Harbltron
yaymuffins0
That's nuts!
TheGlow
They tried writing me up once because the IT room was propped open by a piece of cabling. Said its a security issue and I should never do that. I said I know, I would never do that, because the locking mechanism has not worked on this since we moved in 3 years ago. I removed the cord and showed them you can still just pull it open. And then shown emails to the Facilities team repeatedly for the first few months until I gave up.
yaymuffins0
Yeah, but they thought the cable was your fault!
TheGlow
Yes. Every now and then they try and pin something minor on me and my excuse is its infinitely worse. This exec is asking why his phone call dropped? Oh because the server rooms UPS failed and took out all of the switches. I'm surprised they didnt mention the whole floor had no internet or phones.
Pheehelm
cousteau
I recall someone mentioning they were developing a password manager named hunter2
NeverDownvoteMelBrooks
+1
kojitaru
An absolute classic. I feel like I need to do a bash reread now. And a note to those that look, it seems it went down earlier this year but there’s a static archive available
Mortbise
it's missing the part where you then issue a kill ghost command
FoamingToad
I used to love trawling through BASH. Has it updated in the last ten years or so?
jherazob
It died, I believe
cousteau
It closed last year or so :( (there's an archived version somewhere though)
cousteau
https://bash-org-archive.com/
FoamingToad
Thanks both. Thoth. Sic transit and all that jazz.
Snooj
Man, I wish I could say that I refuse to believe this is true, but I've met too many people.
XennialDad
Way back in the AOL Instant Messenger days, I would try to get into my friends AIM accounts by looking at their password recovery questions, and then finding ways to get that information from them. Once I was in their account, I would message their crushes as my friend, telling them I was madly in love with them and couldn't bring myself to tell them in person. It was awesome.
SirRuppOfFigs
My employer farms cyber security, including training, out. The provider then emails us, "on behalf of our employer" that we have online training, click here. The training link looks made up, and the sending email doesn't match the sender. This is the phishing they were warning about . An hour later, our in house IT is explaining how to undelete it, it was real. SMH
Higure
Yup. I got one of those just this week. I haven't pressed it yet, and I likely never will. Allegedly the first test question in the course is "Would you click a link in a mail?"
BinkiBinks
They trained us so well… If they need to reach me they can call me. “Oh, look! Unknown caller!”*ignore call*
TheseAreNotTheVotesYouAreLookingFor
Security savvy companies set up a function group email in their mail system for those outsourced companies to use preventing this problem. Then there is the execs that don’t which confirms why it was the right choice to outsource security.
Billis75
Yes, the cyber training links always come from external links after the "DO NOT TRUST ANY EXTERNAL LINKS" crap we get hammered on.
Kodan00
For me the best course of action is to just instantly delete every single email that I get that contains a link. If it was real, I will most likely get another email again. I have no idea how many legitimate emails I've deleted that needed something of me.
Raeilgunne
That happened to me at Toyota. Corporate IT security decided to make up their own domain, not @toyota.com, so everyone was deleting their e-mails. It took them 3 months to actually get all the management to force us to take their security test.
yaymuffins0
Haha wow, but sounds about right
oldguyexlurker
I got an email from "Dave" with an attachment. I had a client with a contact named "Dave" from whom I was expecting a file. I contacted "Dave" to confirm he had sent a file and he said he thought he had. So I opened the email. Got immediately notified by the IT team that I had failed a phishing test. Fuckin' Dave... Dave may still be there, I quit. Not over that in particular, but couldn't work in the whole environment at the company. Left after 6 mos. Told my boss, "No thanks. I'm done."
mikeatike
Dave's not here, man.
Tengenstein
I had one of those with links to "website" that needed your password to log in. I wondered if they'd sanitized their inputs. They had not. They do now.
Adamorweirforcatchingfish
The struggle is real LOL
plaidporcupine
A coworker fell for a fake phishing email sent by IT to test us. And when she received the email telling her she failed the test and needed to do remedial training, she asked me to come look at it because she thought it was fake. Amazing.
mikeatike
We use a 3rd party company that does somewhat plausible spear-finishg attacks pretending to be the CEO.
Jokes on them, I always delete his emails unread.
Badprenup
I once had a team member flag me to ask if an email was a phishing test. I glanced at it and confirmed it was so I said "Yeah that's a phishing test, do not click that link. Press this button up here to report it and pass the test (physically pointing at the 'report' button)".
Immediately they click the link and get remedial training scheduled. All I could do was walk away.
WaterUnderTheRocketAppliances
The phish test emails where I work all have a certain header from the 3rd party that gives them away, so I just made an outlook rule to delete them automatically.
ForlornHopeful
Ours use a link right at the bottom but I have Outlook flag it up so I can report it properly as they ding us if it's not reported
yoyo42
Ours has links with a different mique number so they know who clicked it. A lot of people run scripts that follow the link with every possible number so _everyone_ fails.
badexampleforagrownup
thats evil ...... and funny
mikeatike
IT: "Huh, why did every single failure come from the same PC? Oh well, everybody fails!"
yoyo42
Yeah, everybody. The CEO. The infosec guys. Everyone. And when the Devs work on things like DDoS protection with the associated test farms you can bet all those answers are not coming from one place...
rihani3
Resetting passwords so often that no one can keep remembering them. Been clearing up after my old boss retired, and he had passwords written with a Sharpie on the wall next to his PC...
williagr
noob, have to put it on a post-it and stick on the monitor
SinfulBasilisk
The standard now is actually to not have password changes at all! It's proven to be more insecure than requiring changes. Instead, there's a much bigger push to go passwordless completely! Using things like authenticator applications, or PIV hardware (badges, USB, etc.) to log in instead of a password at all.
PleaseRespectMyAsshole
Bitwarden for the win!
cousteau
This is what happens when you put stupid and annoying requirements on password policy.
gunnexx
Work in cyber security and whilst in an office its dumb, at home its not such a bad idea these days. With the amount of breaches and PW manager failures...
METROlD
Thats what password software is for.
zFUBARz
My company said I needed to do a password reset. I completed the process, did the change, then next week it randomly reverted to the previous password. So silly.
offroadguy56
My old boss kept passwords in an excel sheet with the cells blacked out to the same color as the text.
FlippedOut
We onboarded a client, every non user password in the company was the same 8 character lowercase password. Users had a 12 character, upperlower special requirement that needed to change every 30 days.
YummyBubb1es
I did this with one of our departments at work. I'm one of the cybersec guys lol. They had their password written down on a whiteboard. To show them how easy it was to read it, I grabbed a random associate, walked them down a walkway outside the office and had the associate read the password to the QA people through the window. New policy 10 minutes later and a very embarrassed manager
pyroshen
This sounds like an escape room concept
Euchre
At this point, password hashes are fairly easily breakable, just a question of how much time you want to wait for usable results - and that usually isn't long. Your password should just be hard enough to be one of the last broken, but be assured, it can and WILL be broken, if someone gets the hashed database. Not having the same password everywhere is key, and that means not the same hash - but not precisely not the same base password itself. P4$sw0rdEmail and P4$sw0rdBank are different hashes.
Euchre
The password shouldn't be the last line of defense, either - two factor authentication is the best mechanism we have now to give you more layers of defense. 2FA also isn't something a person can download and crack, but shifts the vulnerability to human discipline and social engineering. Don't give out that 2FA code to ANYONE, even if you think it's not for YOU.
Kittynomnoms
This is how I feel when websites require increasingly complicated/long passwords. All that does is encourage me to use the same password for everything and/or write it down.
gingen
I once worked for a company with an IT lady that was super good. She promoted pass phrases as common use with no constant password refreshes, requiring two factor on everything, but no two passwords alike on critical systems. She was so good. Very practical.
potatoispeople
Or requiring the password to be 8 characters. Not more than 8. 8.
ThomasTheWankEnglne
thats 90% of people over 40. half of our laptops have postits with passwords on them
bkcantthinkofanythingclever
FYI NIST updated the standard to no longer needing to change passwords. I’ll post the link when I find it
tclothingw
please do
vizeroy42
They did that quite a while ago... there are still many companies all over the world which insist on regular interval password changes
majortool
Use a password manager.
Euchre
Until that gets compromised. Two factor authentication involves enough physical separation and interaction that doesn't require relying on heaps of black boxed code, or changing single point of failure PINs and passwords so much people store them in extremely leaky ways.
majortool
Well for when 2FA is available, I always use it, including for my password manager, but passkeys are pretty much the new standard for 2FA, and I love it.
marsgoose
asdf123 > asdf124 > asdf125
cousteau
passw0rd! passw0rd@ passw0rd# passw0rd$ passw0rd%
madjo
Needs a capital letter and a special character. so Asdf123! > Asdf124! > Asdf125!
BluePlanet514
Thank you for my new password next time I need one.
Thornaxe
But then it’s not “technically” the IT departments fault when something goes wrong.
DavidBrooker
The NIST made the recommendation of frequent password changes, and everyone adopted it. When the NIST realized that this encouraged weak passwords, or weak password practices, they reversed that recommendation and said that they regretted the earlier advice... But those same people refused to adopt the updated protocol, for some reason.
SirenBrick
because if a manager reverses a previous decision, it means they are a bad manager and could lose promotion/raise/bonuses for it.
ThatNaysayer
In the process of rolling out fido2 org wide to lessen our password usage. Had some breaches that lead management to think we should change passwords monthly, luckily they listened when I brought up the NIST guidelines and walked them through the reasoning.
yaymuffins0
That sounds like a PITA
Strategicgnomer
No, a sharpie is a type of pen and can't be stuffed with spiced lamb and tzaziki.
rihani3
Many years ago back at Uni, they reset passwords every 3 or 4 months. They had a full time IT job that was just manually resetting passwords for people again once their login tokens timed out, because they forgot whatever crazy password they were forced to create last time.
ReaperCDN
Can't have more than two of the same letter of number in a row. Must use special characters. Can't use more than 4 letters or numbers in a row without changing to a special character. Must have at least 3 caps. Must have 2 special characters minimum. Has to be between 9 and 12 characters. Resets every 30 days.
ReaperCDN
The weird part is, this actually makes it easier to break since you've just restricted the number of possibilities greatly. Once you eliminate all those conditions, there's a lot less passwords in that 9-12 range that would fit the criteria.
sillyDad
To be fair, that's probably safer than sending them by email or storing them in digital format.
Frostedjakes
Passwords don't need to be so complex they're impossible to remember and with SSO, employees only need to remember a single password. There really is no reason for employees to store passwords at all, whether on paper or in a file.
Either way, sending passwords in plain text over email is inexcusable.
Lithens
Only if the facility has any kind of ok physical security
Frostedjakes
Even with exceptional physical security, it's surprisingly easy to gain access to a facility.
ThatShiftyMonkey
All of my work passwords are on a post next to my monitor. Blame corporate for making us change our increasingly complex passwords as often as our damn socks. If someone breaks in and suddenly has access to whatever, idgaf.
ThatShiftyMonkey
Hell, and most of it is access to shit that shouldn't really even need a password. Like password each location is Loc1230001 (7digit location#). But we also have to change passwords quarterly, but always in some rotation of Loc LOc LoC loC etc.
If it's stabdard enough that 1000s of employees know it, but we still need to guess 4 times to get the right one, it's not security, it's theatre. And it's locking something with zero access to anything that needs securing.
ThatShiftyMonkey
Just to inconvenience every employee 67 times a day. Just set an eternal 4digit pin and move on ffs.
But yeah, let's also tack on 2factor authentication, so a 6digit pin gets send to... who is assigned to this location again? Can you call Bob and get the pin that just pinged his phone? (further undermining good security practices)
Oh, Bob changed his phone number and now no one can get into this thing that shouldn't even be pw protected until HR updates his acct's phone# sometime Monday, maybe?
Mezinov
My current employers employee portal/payroll system requires the user do a password reset every 6 weeks. The password must contain a capital, a special character, a number, and be more than 8 characters but less than 16. It isn't listed as a requirement but there is also a similarity check against your 5 most recent passwords; no more than 4 characters can be in the same position between the new password you entered and your 5 most recent.
PleaseRespectMyAsshole
NIST recently updated best practice to passwords should not change unless an account has been compromised.
MarsIsNotTheRightDirectionForADysonSphere
How do they know about the same position? Do they keep the passwords in plaintext in the backend database?
NairouTryyshokk
This guy gets it. It's the worst system. They think more complex and random is good, when really you are training people to follow very specific patterns which make them easier to guess, not harder.
PorneliusHubertII
I usually use the last name of characters from whatever anime I am currently reading paired with a 5 digital segment of either pi or the fibanocci sequence.
SirenBrick
Same, which goes against most security experts advice. Overly frequent changes with complex rulesets just means more predictable passwords (hackers can use the rulesets to eliminate possibilities), it means hackers know anyone who has to have 30 passwords a year isn't going to choose strong ones after a while, and it forces more people to write them down to remember something they haven't used yet.
marsgoose
The only way they can know if more than 4 characters are the same is if they store them in plain text.
marsgoose
inb4 salt and hash every single character separately
ThatShiftyMonkey
Passw0rd!
w0rdPass!
PASSw0rD!
passW0RD!
!Passw0rd
!PAssw0rD
etc
Written as a list on a post-it next to their monitor with a line through previous ones.
bacross
My last job did this for handhelds/registers/email.. the cash office.. well it hadn't been changed in a decade
SirRichardOfHead
P4ssword!
4ssword!P
ssword!P4
sword!P4s
etc.
Fuck 'em
breadedfishstrip
I used to have a secure password for AD at work. Now we have two domains that each reset every 8 weeks and have similar reqs. 1/2
vegivamp
Microsoft is just about the worst IT company in the world, and even *they* have caught on by now that that is a terrible idea.
Current security guidelines (from competent people, ms just copied them) are that you don't ask prior to change their password unless there is reasonable cause to assume it may have been compromised - and at that point, 2fa still protected you.
breadedfishstrip
Many ended up finding a complex pw that works and then just adding a different increment on the end each time they reset. So safe now!
Affray
1)My wife's work does that, and she has to enter her password every time she uses the computer, which is every customer. So more often than
Affray
2)not the customer starts rifling off what they need immediately while my wife tries to remember which password is the right one. Then she
Affray
3)has to ask them to repeat themselves because she couldn't do anything until the password is entered, which makes everyone working there
Affray
4)look incompetent and starts every customer interaction off on the wrong foot. It's frustrating to watch companies implement things without
rihani3
Yeah.. That is just idiotic and bound to lead to people writing it down. Just get some robust multiple factor authentication instead... Also makes me wonder how sure they are storing all our previous passwords... Current place where I work seem to remember ALL previous passwords...
Alavar
I get they are important but the authentication are freaking annoying too. Especially since lately the portal i use for work logs me out after 15 mins of idle time.
theworldcouldbeflat
Sometimes the solution to reducing the costs of " online" security is to take the data that needs to be secure "offline". However that is rarely a recommended solution.
Frostedjakes
Multi factor authentication is not an alternative to strong passwords. Passwords expiring after 6 weeks may be a little extreme, but then again, everyone complains about security breaches but employees complain about having to remember a password.
keraos
The default for Windows policy is either 25 or 35 passwords remembered, I don't recall exactly. I've talked most of our clients into eliminating password expiration entirely. Much better to have no complexity but a 14 character minimum. Basic passphrase (e.g. squirrelmeatstew) is significantly more secure than an 8 character complex password.
Eldibs
correcthorsebatterystaple
ultradongle
There is an XKCD for everything.
keraos
elbowdeepinelbowdeepinahorse <-- very secure password