  • Locked thread
Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Mercurius posted:

Not all of us are in the US and are, in fact, used to some level of privacy on company equipment :).

But you should expect none and know precisely why.


Che Delilas
Nov 23, 2009
FREE TIBET WEED

go3 posted:

But you should expect none and know precisely why.

No thanks, I'll continue to hold companies to my standard which I explained above and is entirely reasonable. I also expect every manager I ever work for to treat me with respect and conduct themselves like adults working with another adult. People fail to live up to my expectations all the time, and there are consequences, but that doesn't change those expectations.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
We're finally making our users choose their own passwords. Complex passwords!

I send an email to 10 people at a time. "Your password is expiring, you need to choose your own. Here's a bunch of info you might want to read".


Holy loving GOD. The questions I'm getting are pretty bad.

"I just changed my password, and my old password is not working in $service"

But the best ones are the senior (old) staff who have clearly forgotten their new password but are blaming "The system" for screwing the process up. I have to nod and pretend like they might be onto something, so I walk back to my desk, have a sip of coffee and then return to their office and assure them that things are now 'synchronized' and voila, their password works now because they've had 5 minutes to think about it.

Still, the majority of users have been pretty good so far. I'm glad this is happening.

Bobulus
Jan 28, 2007

The users in the department have two different password systems set up (university-wide and department-wide) and it's kind of hilarious how differently they're managed:

University wide:
- No character type requirements
- Minimum 16-digit length
- Statement on password creation screen encouraging you to think up a sentence as a password

Department wide:
- Must contain upper case letters, lower case letters, numbers, and symbols. All.
- Cannot contain any dictionary words, even if they're inside of a longer text string.

Both have to be changed every six months. Guess which one users have an easier time remembering.

Swink
Apr 18, 2006
Left Side <--- Many Whelps

Bobulus posted:


- Statement on password creation screen encouraging you to think up a sentence as a password


Can you do this on a Windows domain? If so, how?

Neito
Feb 18, 2009

😌Finally, an avatar the describes my love of tech❤️‍💻, my love of anime💖🎎, and why I'll never see a real girl 🙆‍♀️naked😭.

Swink posted:

We're finally making our users choose their own passwords. Complex passwords!

I send an email to 10 people at a time. "Your password is expiring, you need to choose your own. Here's a bunch of info you might want to read".


Holy loving GOD. The questions I'm getting are pretty bad.

"I just changed my password, and my old password is not working in $service"

But the best ones are the senior (old) staff who have clearly forgotten their new password but are blaming "The system" for screwing the process up. I have to nod and pretend like they might be onto something, so I walk back to my desk, have a sip of coffee and then return to their office and assure them that things are now 'synchronized' and voila, their password works now because they've had 5 minutes to think about it.

Still, the majority of users have been pretty good so far. I'm glad this is happening.
One of my favorite things is that people don't understand the difference between two of the systems we use. We have Windows Domain SSO for most things (email, SharePoint intranet, student portal), but have Banner for a few others (student registration, financial stuff). The two systems are separate. They've always been separate. You could never have had the same password on both.

Weekly, we get people complaining that they changed their domain password, and trying to use that to log in to Banner.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
^ By the same token, every single one of our systems uses the same password as the domain. Yet we always get people asking "What's my app login?"

It's the same thing you use for literally everything. You don't have any others!

Bobulus
Jan 28, 2007

Swink posted:

Can you do this on a Windows domain? If so, how?

Sorry, it's a website in our case.

Daylen Drazzi
Mar 10, 2007

Why do I root for Notre Dame? Because I like pain, and disappointment, and anguish. Notre Dame Football has destroyed more dreams than the Irish Potato Famine, and that is the kind of suffering I can get behind.
Christ, I miss corporate passwords. I have ten network logins, plus a couple local administrator logins across five domains. Passwords must be a minimum of 16 characters in length, must have the usual complexity requirements, plus they cannot have more than two characters that are the same placed together. Passwords must be changed every 60 days, and AD remembers the last 20 passwords you've used. I try to keep mine relatively sane, but I've seen some other people who virtually write a freaking sentence when they enter theirs, with at least 40 or so characters. It's like watching someone make a Twitter post.

KillHour
Oct 28, 2007


I'm sitting here on vacation trying to remember my Cisco VPN password (that I rarely use). The worst part is that I have Keepass on this machine, but I didn't think to put it in there. :downs:

I guess I'm going to have to open a ticket tomorrow morning. :sigh:

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I'm glad our Cisco VPN password is synced to AD.

KoRMaK
Jul 31, 2012



Screenshare chat - why not? They're IT, they are trying to help, and they think they need to do some stuff on your pc (like get computer names, ips, start a service, etc) Point is, they know something you may not, so just get out of their way and let them fix the company property. Close the stuff you don't want them to see, and re-open it when they're done.

I get being against credit-checks and drug tests in some cases, but if a maintenance man wants to maintain company property then get out of the way. Resisting that is :psyduck:

Che Delilas
Nov 23, 2009
FREE TIBET WEED
E: Wrong thread.

Exit Strategy
Dec 10, 2010

by sebmojo
An idiot in Japan wants to know why his control panel is down. I check it. No panel, no port 80, no FTP, SSH, SCP, can't hit it with the Secure Login Server's relay setup. Doesn't ping. nmap -P0 shows nothing. Your server's dead, mang. I tell him that the entire box appears to be down.

He submits not one, but three more tickets. To all the divisions that aren't support.

DisMafugga
Apr 29, 2013

Mercurius posted:

Not all of us are in the US and are, in fact, used to some level of privacy on company equipment :).

:nsa: That being said you should still worry about the US watching what you're doing anyway. :nsa:

SolTerrasa
Sep 2, 2011

DisMafugga posted:

:nsa: That being said you should still worry about the US watching what you're doing anyway. :nsa:

That is a great smilie and I hate it. (Everyone else at Google also hates it)

fakeedit:
For those of you who don't know:



quote:

According to the Post, “Two engineers with close ties to Google exploded in profanity when they saw the drawing. ‘I hope you publish this,’ one of them said.”

Cast_No_Shadow
Jun 8, 2010

The Republic of Luna Equestria is a huge, socially progressive nation, notable for its punitive income tax rates. Its compassionate, cynical population of 714m are ruled with an iron fist by the dictatorship government, which ensures that no-one outside the party gets too rich.

Can someone explain to me why that picture is a thing? It looks to my untrained eye like an explanation of how anyone might set up a large public facing system? Unless the world's smuggest face is next to the ssl stuff suggesting they broke into that part? I'm no security guy, please help.

spankmeister
Jun 15, 2008






:nsa:

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
I have to remote into computers fairly often and I always try to call ahead, but if you submit a ticket and then don't pick up the phone when I call you back 2 minutes later, I'll pop in.
That said, if I see something unproductive in your browser, I don't give a gently caress as long as it's not something like bittorrent or porn. If you're checking your ESPN scores every 5 minutes, that's between you and your boss. If your boss is happy with your performance, then I encourage you to keep doing what you're doing. There's nothing in my job description that includes loving with people and taking away something that makes their lovely job slightly tolerable.


Rules For The Selection of Passwords

In order to increase the security of all company computing facilities, and to avoid the possibility of unauthorized use of these facilities, new rules are being put into effect concerning the selection of passwords. All users of computing facilities are instructed to change their passwords to conform to these rules immediately.

A password must be at least six characters long, and must not contain two occurrences of a character in a row, or a sequence of two or more characters from the alphabet in forward or reverse order. Example: HGQQXP is an invalid password. GFEDCB is an invalid password.
A password may not contain two or more letters in the same position as any previous password. Example: If a previous password was GKPWTZ, then NRPWHS would be invalid because PW occurs in the same position in both passwords.
A password may not contain the name of a month or an abbreviation for a month. Example: MARCHBC is an invalid password. VWMARBC is an invalid password.
A password may not contain the numeric representation of a month. Therefore, a password containing any number except zero is invalid. Example: WKBH3LG is invalid because it contains the numeric representation for the month of March.
A password may not contain any words from any language. Thus, a password may not contain the letters A, or I, or sequences such as AT, ME, or TO because these are all words.
A password may not contain sequences of two or more characters which are adjacent to each other on a keyboard in a horizontal, vertical, or diagonal direction. Example: QWERTY is an invalid password. GHNLWT is an invalid password because G and H are horizontally adjacent to each other. HUKWVM is an invalid password because H and U are diagonally adjacent to each other.
A password may not contain the name of a person, place, or thing. Example: JOHNBOY is an invalid password.

Because of the complexity of the password selection rules, there is actually only one password which passes all the tests. To make the selection of this password simpler for the user, it will be distributed to all supervisors. All users are instructed to obtain this password from his or her supervisor and begin using it immediately.

SolTerrasa
Sep 2, 2011

Cast_No_Shadow posted:

Can someone explain to me why that picture is a thing? It looks to my untrained eye like an explanation of how anyone might set up a large public facing system? Unless the world's smuggest face is next to the ssl stuff suggesting they broke into that part? I'm no security guy, please help.

The motherfuckers read our inter-datacenter traffic, which was not encrypted (now it is! Not cleartext anymore, fuckers). That's how they read your Gmail, they tapped our private fiber, spied on us sending it to ourselves. You're right, that's how anyone would set up a service, but we're huge and we've got all kinds of data they want. I mean, hell, our mission is to "organize the world's information and make it universally accessible and useful". We're important enough that they've got slides about us. Assholes stole it in a way we didn't even think would be possible, since it would be horribly illegal if they weren't a government with secret courts and secret laws.

Also, probably wouldn't be so mad if it weren't for the world's smuggest smugface.

SuccinctAndPunchy
Mar 29, 2013

People are supposed to get hurt by things. It's fucked up to not. It's not good for you.

Bobulus posted:

Department wide:
- Must contain upper case letters, lower case letters, numbers, and symbols. All.

This is the worst thing and anyone mandating such a policy deserves to have work grind to a halt as everyone forgets their password two times a day.

Bobulus posted:

- Cannot contain any dictionary words, even if they're inside of a longer text string.

This is complete madness. How do you fumble something as basic as passwords?

Che Delilas
Nov 23, 2009
FREE TIBET WEED

SuccinctAndPunchy posted:

This is complete madness. How do you fumble something as basic as passwords?

It's brilliant. If their password is 15 characters long but it contains a 10-letter dictionary word, a hacker can run a dictionary attack and lock that word in, and then he'll only have 5 characters left to brute force! Haven't you seen the movies?
:shepicide:

quote:

This is the worst thing and anyone mandating such a policy deserves to have work grind to a halt as everyone forgets their password two times a day.

I've had to deal with this one before and it just means you add 1! to the end of all your normal easy-to-remember passwords. It's asinine, but easy enough to get around. The embedded dictionary word rule though, there's just no basis in reality for that rule at all.

Che Delilas fucked around with this message at 09:18 on May 20, 2014

wintermuteCF
Dec 9, 2006

LIEK HAI2U!
While we're on the topic of passwords, I really really really hope the Stanford password policy gains popularity, as it's a breath of fresh air in an otherwise stagnant hellhole where people keep trying to increase password complexity through chartypes rather than more chars.

20 characters, all lowercase? 1.9928148895209409152340197376 × 10^28 combinations (about 4.239x10^28th if you include spaces)
8 characters, including lowercase and caps, numbers, and basic non-alphas? 4.3046721 × 10^15 combinations

Even if you use dictionary words, a password like "mint chocolate chip ice cream" is 29 characters, easy to remember, easy to type, but would take a computer a looooooong time to guess it.

Polio Vax Scene
Apr 5, 2009



That doesn't help much. Your password may as well be g z n y t.

I think this has been discussed before in this thread?

spankmeister
Jun 15, 2008






Manslaughter posted:

That doesn't help much. Your password may as well be g z n y t.

I think this has been discussed before in this thread?

Your example doesn't satisfy the requirements.

wintermuteCF
Dec 9, 2006

LIEK HAI2U!

Manslaughter posted:

That doesn't help much. Your password may as well be g z n y t.

I think this has been discussed before in this thread?

What part of 20 characters was unclear to you? Skim the drat article. The point is that password complexity is allowed to become simpler as you add more characters to your password. Only want to type 8 characters? Then you better have an upper and lower, number, and a non-alpha. Willing to have a 20+ character password? Well then by all means feel free to use all lowercase.

The point was to make it easier for you to type on a smartphone when you have to authenticate, so you don't have to shift or get to the non-alpha keys.
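An added example (not from the thread, and not Stanford's own code) of the length-tiered policy wintermuteCF is describing: the number of character classes a password must use drops as it gets longer, so a 20+ character all-lowercase passphrase passes while an 8 character password needs all four classes. The tier boundaries and the treatment of spaces as symbols are assumptions for illustration, not quoted from any published policy.

```python
# Added example, not from the thread or from Stanford: a length-tiered
# password policy of the kind wintermuteCF describes, where the number of
# character classes required drops as the password gets longer.  The tier
# boundaries below are assumed for illustration, not quoted from any policy.
from __future__ import annotations
import string

# (minimum length, character classes required), longest tier first.  Assumed.
TIERS = [
    (20, 1),  # 20+ characters: any one class, so all-lowercase is allowed
    (16, 2),  # 16-19 characters: two classes, e.g. mixed case
    (12, 3),  # 12-15 characters: three classes
    (8, 4),   # 8-11 characters: all four classes
]

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    # spaces count as symbols so a spaced passphrase is not penalised (assumption)
    "symbol": set(string.punctuation) | {" "},
}


def classes_used(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def required_classes(length: int) -> int | None:
    """Classes a password of this length must use, or None if it is too short."""
    for min_len, needed in TIERS:
        if length >= min_len:
            return needed
    return None


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under the tiered policy."""
    needed = required_classes(len(password))
    if needed is None:
        return False, "shorter than 8 characters"
    used = classes_used(password)
    if len(used) < needed:
        return False, (f"{len(password)} characters requires {needed} "
                       f"character classes, found {len(used)}: {sorted(used)}")
    return True, f"ok: {len(password)} characters using {sorted(used)}"


if __name__ == "__main__":
    # Constructed candidates covering each tier.
    for candidate in ["short", "trouble12", "Tr0ub4dor&3",
                      "mint chocolate chip ice cream", "mintchocolatechipicecream"]:
        print(repr(candidate), check_password(candidate))
```

The policy only enforces composition; it says nothing about whether a long lowercase string is a predictable phrase, which is the argument the later posts take up.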

peak debt
Mar 11, 2001
b& :(
Nap Ghost

wintermuteCF posted:

Even if you use dictionary words, a password like "mint chocolate chip ice cream" is 29 characters, easy to remember, easy to type, but would take a computer a looooooong time to guess it.

No, that password specifically won't.
The words in "mint chocolate chip ice cream" are not independent from each other. Once you guess one of those words, you can get the other four in probably less than 100 tries each. On top of it, none of these words is particularly unusual, they probably all belong to the top-3000 words, so the complexity of that passphrase is like 3000*100^4 or about as strong as a 6 letter truly random password.

If you want to use a passphrase like that it needs to be something like "marathon advocacy ibis constitution cream". Now that is a complexity of around 10000^5, or about 11 random letters.

peak debt fucked around with this message at 15:43 on May 20, 2014

Neito
Feb 18, 2009

😌Finally, an avatar the describes my love of tech❤️‍💻, my love of anime💖🎎, and why I'll never see a real girl 🙆‍♀️naked😭.

peak debt posted:

No, that password specifically won't.
The words in "mint chocolate chip ice cream" are not independent from each other. Once you guess one of those words, you can get the other four in probably less than 100 tries each. On top of it, none of these words is particularly unusual, they probably all belong to the top-3000 words, so the complexity of that passphrase is like 3000*100^4 or about as strong as a 6 letter truly random password.

If you want to use a passphrase like that it needs to be something like "marathon advocacy ibis constitution cream". Now that is a complexity of around 10000^5, or about 11 random letters.

How... How would it KNOW it has one of the words, though? It's not like password prompts pass back YOU GOT ONE OF FIVE WORDS RIGHT. KEEP GUESSING!. This isn't Mastermind, after all.

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



I do not get why those examples always include spaces. Seems like making word boundaries explicit would make dictionary attacks even more easy, while it does nothing to make the password easier to remember or enter.
edit: wait, per the post above (:doh:) it probably doesn't really matter.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Neito posted:

How... How would it KNOW it has one of the words, though? It's not like password prompts pass back YOU GOT ONE OF FIVE WORDS RIGHT. KEEP GUESSING!. This isn't Mastermind, after all.

Exactly, which is why the first word will take the 3000 truly random dictionary guesses to get right. Only the additional ones can use the shortlist.
That's why the complexity is 3000*100^4 instead of 100^5.

Flipperwaldt posted:

I do not get why those examples always include spaces. Seems like making word boundaries explicit would make dictionary attacks even more easy, while it does nothing to make the password easier to remember or enter.

Varying the spacing between the words won't add that much complexity though. If you randomly skip or replace the spaces between 4 words you add at most (low-single-digit)^4 possibilities.
That's analogous to the often used "replace random e with 3" strategy in passwords that doesn't work that well either.

peak debt fucked around with this message at 15:50 on May 20, 2014
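An added example (not from the thread) that puts wintermuteCF's and peak debt's arguments side by side in code: it estimates a passphrase's entropy under an independent-words model and under peak debt's correlated model (first word from a top list, each later word from a short list of likely followups), converts each to the length of a random all-lowercase password with the same entropy, and shows how little varying the separators adds. The dictionary sizes and the followup-list size are the thread's round numbers; the letter-equivalents are computed from the formulas rather than copied from the posts' rounding.

```python
# Added example, not from the thread: passphrase strength under the two
# models argued about above.  The independent model treats every word as a
# uniform draw from a dictionary; the correlated model follows peak debt's
# argument (first word from a top list, each later word from a short list of
# likely followups).  Dictionary sizes are the thread's round numbers.
import math

LETTER_BITS = math.log2(26)  # entropy of one truly random lowercase letter


def independent_words_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits when each word is chosen uniformly and independently."""
    return words * math.log2(dictionary_size)


def correlated_words_bits(first_choices: int, followup_choices: int, words: int) -> float:
    """Entropy when only the first word is a free dictionary draw and each
    following word comes from a short list of likely continuations."""
    return math.log2(first_choices) + (words - 1) * math.log2(followup_choices)


def spacing_variant_bits(words: int, choices_per_gap: int) -> float:
    """Extra entropy from varying the separator between words: at most
    choices_per_gap ** (words - 1) possibilities, i.e. very little."""
    return (words - 1) * math.log2(choices_per_gap)


def equivalent_random_letters(bits: float) -> float:
    """Length of an all-lowercase random password with the same entropy."""
    return bits / LETTER_BITS


def compare(phrase: str, dictionary_size: int, followup_choices: int = 100) -> dict:
    """Summarise a passphrase under both models.  The word count comes from
    the phrase itself; the model parameters are the caller's estimates."""
    words = len(phrase.split())
    independent = independent_words_bits(dictionary_size, words)
    correlated = correlated_words_bits(dictionary_size, followup_choices, words)
    return {
        "words": words,
        "independent_bits": round(independent, 1),
        "independent_letters": round(equivalent_random_letters(independent), 1),
        "correlated_bits": round(correlated, 1),
        "correlated_letters": round(equivalent_random_letters(correlated), 1),
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's two phrases and its round dictionary sizes.
    print(compare("mint chocolate chip ice cream", dictionary_size=3000))
    print(compare("marathon advocacy ibis constitution cream", dictionary_size=10000))
    print("separator tweaks across 5 words add at most", spacing_variant_bits(5, 2), "bits")
```

The gap between the two rows is the whole argument: five words that follow each other naturally are worth roughly eight random letters under the correlated model, while five independently chosen words from a 10,000-word list are worth about fourteen. Toggling the spaces between five words adds four bits at most.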

Collateral Damage
Jun 13, 2009

But you won't know you have a match until you have the entire string.

Neito
Feb 18, 2009

😌Finally, an avatar the describes my love of tech❤️‍💻, my love of anime💖🎎, and why I'll never see a real girl 🙆‍♀️naked😭.

peak debt posted:

Exactly, which is why the first word will take the 3000 truly random dictionary guesses to get right. Only the additional ones can use the shortlist.
That's why the complexity is 3000*100^4 instead of 100^5.

Let's say my password is "Mint Chocolate Chip Ice Cream".

If you try "Mint" as a password, it's not going to indicate that even part of that is right.

gently caress, even using unsalted hashes, there'd be no indication:

C:\Program Files\ConEmu> echo "mint" | md5sum
606e95ced8533ec24290a383ce4436dd *-
C:\Program Files\ConEmu> echo "mint chocolate chip ice cream" | md5sum
218b63304857e5f46ed91b305697ca20 *-

I'm confused as to how an attacker would get to know when to use this mythical "short list".

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Of course I won't start with "mint" on the first try. Maybe I'll grab "potato" first and go through all the varieties of "potato fries gravy ...".
But if I grab each of the 3000 top dictionary words, and then for each of those words try the 100 most likely followups, it will cost me the number of guesses I wrote above.

And the reason why I know to use this mythical short list is because like 90% of people immediately commit this terrible error when exposed to this password system.

Dravs
Mar 8, 2011

You've done well, kiddo.
Yeah? Well what if you put an exclamation mark on the end?! What would you do then, huh? Huh?!

OWNED!

DrAlexanderTobacco
Jun 11, 2012

Help me find my true dharma
my password is "obscurity"





get it

hah

Inspector_666
Oct 7, 2003

benny with the good hair

DrAlexanderTobacco posted:

my password is "obscurity"





get it

hah

I'm kind of shocked that no tech security start-up has named themselves Obscurity.

Flipperwaldt
Nov 11, 2011

Won't somebody think of the starving hamsters in China?



Inspector_666 posted:

I'm kind of shocked that no tech security start-up has named themselves Obscurity.
You wouldn't have heard of them.

BabyFur Denny
Mar 18, 2003

Neito posted:

Let's say my password is "Mint Chocolate Chip Ice Cream".

If you try "Mint" as a password, it's not going to indicate that even part of that is right.

gently caress, even using unsalted hashes, there'd be no indication:

C:\Program Files\ConEmu> echo "mint" | md5sum
606e95ced8533ec24290a383ce4436dd *-
C:\Program Files\ConEmu> echo "mint chocolate chip ice cream" | md5sum
218b63304857e5f46ed91b305697ca20 *-

I'm confused as to how an attacker would get to know when to use this mythical "short list".

I have a dictionary of commonly used phrases that I found on the internet and whose hashes I use to crack passwords. If my dictionary is large enough, I am sure that "mint chocolate chip ice cream" is going to be in there since it is not that uncommon. Same reason why "This is my great password" is not a great password.
Of course all those hashes are also computed with standard replacements and additions (@ instead a, 3 instead e, !1 at the end and so on)
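An added example (not from the thread) of the defender's side of what BabyFur Denny describes: at password-set time, undo the usual substitutions (@ for a, 3 for e, a trailing !1 and so on), collapse word separators, and reject the candidate if its plain form is a known phrase. The phrase list and the substitution table are constructed for the example; a deployment would load a large list of leaked phrases instead.

```python
# Added example, not from the thread: a defender-side check that rejects a
# candidate password whose "plain" form matches a known phrase, undoing the
# common substitutions BabyFur Denny lists (@ for a, 3 for e, a trailing !1).
# The phrase list is constructed here for illustration.
import itertools
import re

# Leet-style characters and the plain letters they commonly stand for.
# "1" is ambiguous (i or l), so both expansions are tried.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t",
    "1": "il", "!": "i",
}
MAX_EXPANSIONS = 64  # cap the ambiguous-expansion product so input cannot blow it up

# Constructed phrase list for the example.
KNOWN_PHRASES = [
    "mint chocolate chip ice cream",
    "this is my great password",
    "correct horse battery staple",
]


def normalize_candidates(password: str) -> set:
    """All plain-text forms the password could be a dressed-up version of."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop a trailing "!1", "2014", "!!"
    base = re.sub(r"[\s\-_.]", "", base)    # ignore word separators
    options = [SUBSTITUTIONS.get(ch, ch) for ch in base]
    candidates = set()
    for combo in itertools.islice(itertools.product(*options), MAX_EXPANSIONS):
        candidates.add("".join(combo))
    return candidates


# Normalise the phrase list once so comparisons are plain-form against plain-form.
BLOCKLIST = set().union(*(normalize_candidates(p) for p in KNOWN_PHRASES))


def is_blocklisted(password: str) -> bool:
    """True if any plain form of the password is a known phrase."""
    return not BLOCKLIST.isdisjoint(normalize_candidates(password))


if __name__ == "__main__":
    # Constructed candidates: two dressed-up known phrases and one unrelated passphrase.
    for candidate in ["M1nt Ch0c0l@te Chip Ice Cre@m!1", "ThisIsMyGreatPassword",
                      "marathon advocacy ibis constitution cream"]:
        print(repr(candidate), "blocked" if is_blocklisted(candidate) else "allowed")
```

The check runs at the moment the user picks the password, which is the one place the defender holds the plaintext; it says nothing about the stored hash, and it is deliberately conservative (a couple of ambiguous characters expand to a handful of candidates, never an unbounded search).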

Cast_No_Shadow
Jun 8, 2010

The Republic of Luna Equestria is a huge, socially progressive nation, notable for its punitive income tax rates. Its compassionate, cynical population of 714m are ruled with an iron fist by the dictatorship government, which ensures that no-one outside the party gets too rich.

So how good are the uncommon characters in passwords? Alt + 254 type things?

With how lovely your average user is at passwords you'd really think there would be more biometrics kicking around.


deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!

Cast_No_Shadow posted:

So how good are the uncommon characters in passwords? Alt + 254 type things?

With how lovely your average user is at passwords you'd really think there would be more biometrics kicking around.

You can't replace biometrics when they get compromised.
