 
  • Locked thread
JohnnyCanuck
May 28, 2004

Strong And/Or Free

deimos posted:

You can't replace biometrics when they get compromised.

...YET


FlapYoJacks
Feb 12, 2009
I like the way Linux does it. Failed password? Please wait 3 seconds before trying again. It makes brute force attempts impossible for the most part.

Gunjin
Apr 27, 2004

Om nom nom
Can you imagine the wailing and gnashing of teeth from a large portion of the population if they had to supply their fingerprints or retina scan or anything of that nature? Every person you hear bitch about the "gubberment" would flip their poo poo, the armchair libertarians, the far right wing nuts, the far left wing nuts, the illuminati nuts and on and on.

Also most fingerprint scanners I've encountered suck rear end; my kids' daycare has them and I had to get a bypass code, the drat thing would take 10-12 tries every time to read my finger.

A c E
Jun 18, 2007

Is this weird? Is this too weird? Do you need to sit down?

Gunjin posted:

Can you imagine the wailing and gnashing of teeth from a large portion of the population if they had to supply their fingerprints or retina scan or anything of that nature? Every person you hear bitch about the "gubberment" would flip their poo poo, the armchair libertarians, the far right wing nuts, the far left wing nuts, the illuminati nuts and on and on.

Also most fingerprint scanners I've encountered suck rear end; my kids' daycare has them and I had to get a bypass code, the drat thing would take 10-12 tries every time to read my finger.

We use one for our hourly employees, to track their hours. Most people use their ID/PIN because it won't read their finger print anymore. I'm sure it's partially because we likely bought the cheapest possible solution, but I still don't think they are that reliable.

It stopped reading my finger after I started indoor rock climbing again, as that wears away the grooves. After that, even when I wasn't climbing it still wouldn't read my print except the one week where I had a huge cut down my index finger.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!
The only biometrics I've seen that work reliably are those hand shape scanners, no muss, no fuss and they work most of the time.

wintermuteCF
Dec 9, 2006

LIEK HAI2U!

BabyFur Denny posted:

I have a dictionary of commonly used phrases that I found on the internet and whose hashes I use to crack passwords. If my dictionary is large enough, I am sure that "mint chocolate chip ice cream" is going to be in there since it is not that uncommon. Same reason why "This is my great password" is not a great password.
Of course all those hashes are also computed with standard replacements and additions (@ instead of a, 3 instead of e, !1 at the end, and so on).

The point that was being made is that "mint chocolate chip ice cream", when encrypted, is just 29 characters that for all you know are random. Even if you guessed "mint" was the first word, you don't know you got the first word right, because you still have 25 characters. As someone pointed out, this isn't a guessing game where someone is going to go "OKAY YOU GOT ME MINT IS THE FIRST WORD, WANNA KEEP GUESSING?"

Even so, you're correct to point out that that password is more vulnerable to a dictionary attack. A password like "correct horse battery staple" (as made famous from the XKCD comic) is more secure.

Entropic
Feb 21, 2007

patriarchy sucks
The thing with biometrics is that it still has to digitize the analog data of your thumbprint or iris pattern or whatever, and what happens if that data is stolen? You gonna change your fingerprint? Or they could just steal the analog data -- Look up fingerprint duplication, it's been shown that a lot of systems can be fooled by rubber casts of fingerprints made from prints lifted from a doorknob or whatever that can be produced for ridiculously cheap.

The advantage of biometrics is that it's basically a longer password that you don't have to remember, but it's not really "more secure" in any meaningful way.

jre
Sep 2, 2011

To the cloud ?



wintermuteCF posted:

The point that was being made is that "mint chocolate chip ice cream", when encrypted, is just 29 characters that for all you know are random. Even if you guessed "mint" was the first word, you don't know you got the first word right, because you still have 25 characters. As someone pointed out, this isn't a guessing game where someone is going to go "OKAY YOU GOT ME MINT IS THE FIRST WORD, WANNA KEEP GUESSING?"

Even so, you're correct to point out that that password is more vulnerable to a dictionary attack. A password like "correct horse battery staple" (as made famous from the XKCD comic) is more secure.

It's not more secure because it's based on chained dictionary words. Are you familiar with the bitcoin concept of brain wallets? Basically there was a system to create a cryptographic private key from phrases so that you would never have to write down the private key but could reconstruct it from a long phrase. Some enterprising genius was able to clean out lots of people by brute forcing billions of combinations of dictionary words then cleaning out the wallets as soon as anyone put money in them. It was trivial for this person to precompute the private keys using quote files, books, Wikipedia, etc.

DrAlexanderTobacco
Jun 11, 2012

Help me find my true dharma
Looking at Biometrics as passwords is a terrible, terrible idea. They should be seen as usernames if anything.

ZetsurinPower
Dec 14, 2003

I looooove leftovers!
....forwarded to our entire ~400 person IT dept distribution list from a VP:



From: dumbass
Sent: Tuesday, May 20, 2014 1:19 PM
To: IT&S All
Subject: FW: Document

I did not open this.

I assume it contains a virus and that others are also getting this message

******Forwarded phishing message******

wintermuteCF
Dec 9, 2006

LIEK HAI2U!

jre posted:

It's not more secure because it's based on chained dictionary words. Are you familiar with the bitcoin concept of brain wallets? Basically there was a system to create a cryptographic private key from phrases so that you would never have to write down the private key but could reconstruct it from a long phrase. Some enterprising genius was able to clean out lots of people by brute forcing billions of combinations of dictionary words then cleaning out the wallets as soon as anyone put money in them. It was trivial for this person to precompute the private keys using quote files, books, Wikipedia, etc.

Do you have a link or an article to something about this? I'd be very curious to read more about it.

odiv
Jan 12, 2003

Monday: user submits ticket by email, refuses to talk to us for a week because he's "Too busy", won't even schedule a time we can talk. Ticket closed.
Tuesday after long weekend: user submits ticket.

MisterOblivious
Mar 17, 2010

by sebmojo

wintermuteCF posted:

Even so, you're correct to point out that that password is more vulnerable to a dictionary attack. A password like "correct horse battery staple" (as made famous from the XKCD comic) is more secure.

No, they're not more secure. A combinator attack makes those passwords trivial to crack. A string of words out of the dictionary, while easy to remember, is not a secure password.

odiv
Jan 12, 2003

Especially when the password is literally "correct horse battery staple".

Yes, guy who just got his bitcoins stolen, you're very clever.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

Javid posted:

After having a tech demand to screen share to diagnose an issue on a piece of hardware that wasn't even attached to the system, I can sympathize with being resistant to it if they want it for every single thing.

I feel like the best course of action here would be to let them screen share, then ask what they expected to find. Maybe tell them you're waving the hard drive in front of the monitor.

I once remoted into my home computer while screen sharing with IT because I got tired of trying to convince them that the problem was with their system, and not my computer. I managed to convince him, for as weird as it must have been for him to watch.

nielsm
Jun 1, 2009



MisterOblivious posted:

No, they're not more secure. A combinator attack makes those passwords trivial to crack. A string of words out of the dictionary, while easy to remember, is not a secure password.

Except that you have to know the password has that form.
What if you stick a few random characters about in it too? A digit before or after some words. Adding some punctuation. Write a word backwards. Loads of variations that increase the number of combinations required to test, but all still assuming you know the form.

nitrogen
May 21, 2004

Oh, what's a 217°C difference between friends?
Diceware. That'll give you XKCD compliant long passwords in nonsensical, random pairing.
You can either do diceware manually or with a webapp.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Site manager at a satellite put in a ticket on behalf of a new user of hers, asking why the email credentials she was given don't work. New user isn't in the address book, so either access management messed something up or didn't create the account yet. Either way, put the ticket in their queue since it was out of my hands.

The ticket came back...

posted:

<site manager> does have an email account. Reset her password to "reading comprehension"

:argh:

DrAlexanderTobacco
Jun 11, 2012

Help me find my true dharma

hihifellow posted:

Site manager at a satellite put in a ticket on behalf of a new user of hers, asking why the email credentials she was given don't work. New user isn't in the address book, so either access management messed something up or didn't create the account yet. Either way, put the ticket in their queue since it was out of my hands.

The ticket came back...


:argh:

Jesus, the ball is completely in your court! On a scale of :downs: to :smug:, go all out.

Dick Trauma
Nov 30, 2007

God damn it, you've got to be kind.
One of our new VPs (we have many VPs) works out of HQ once a week. When I prepped his laptop I added the HQ copier near his office so he could print. He came to me this morning asking me if there was a copier he could print to. I wanted to say "Yes, the same one you used each time you've been here" but that would be snarky so instead I went to his PC and showed him the copier in his printers list. Even printed out a test sheet.

About an hour later I see him coming my way and he tells me I must have set him to the wrong copier because he printed something and it didn't come out. I walk over to the copier and his printout is sitting in the output tray.

:v:: "I didn't hear it print so I figured it didn't work."

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

loving hell.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Dick Trauma posted:

One of our new VPs (we have many VPs) works out of HQ once a week. When I prepped his laptop I added the HQ copier near his office so he could print. He came to me this morning asking me if there was a copier he could print to. I wanted to say "Yes, the same one you used each time you've been here" but that would be snarky so instead I went to his PC and showed him the copier in his printers list. Even printed out a test sheet.

About an hour later I see him coming my way and he tells me I must have set him to the wrong copier because he printed something and it didn't come out. I walk over to the copier and his printout is sitting in the output tray.

:v:: "I didn't hear it print so I figured it didn't work."

Welcome back to your pod.

angry armadillo
Jul 26, 2010

Dirty Frank posted:

You're in the UK?

Yes sir?

Edit: authentication chat - we are regularly pen tested by a variety of different companies and every time they report that although our complexity policy is good, it could be stronger.

I think it's because they usually try 'Password1' which is technically compliant but still a rubbish password. I don't think you can block common words via a Windows DC :(


As it happens we use biometrics quite extensively. I notice some concern about stealing the info; however, if you can encrypt the data, then it should be relatively useless to thieves.

Amusingly during our most recent pen test the consultants spent a notable amount of time trying to replicate their fingerprints using cello tape and... Wine gums! They failed!

angry armadillo fucked around with this message at 20:45 on May 20, 2014

baquerd
Jul 2, 2007

by FactsAreUseless
Not to keep up the password chat, but this is pretty loving simple. You combine the old and new approaches:

"uber cool password P34n^@A"

Nintendo Kid
Aug 4, 2011

by Smythe
If you know the system you're attacking allows very long password lengths, you can make sure your bruteforce attempts will include combinations of dictionary words with spaces before it switches over to iterating through aaaaaaaB and after running the first 2000 most common passwords in password database leaks.

If on the other hand you know the system caps at 16 characters you're not going to bother with sentences.

KoRMaK
Jul 31, 2012



Come up with your own cipher; never tell it to anyone.

What is the best you can do? Random SHA string or something?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

ratbert90 posted:

I like the way Linux does it. Failed password? Please wait 3 seconds before trying again. It makes brute force attempts impossible for the most part.

No it doesn't. The attack scenario is the attacker cracking a system you have an account on and stealing the password hashes. This allows them to crack as fast as they physically can.

This is another reason to use a password manager, and different passwords for every site; this way when dickbutts.com gets cracked, your epic pass phrase "L1ck My T@1n7" which was hashed with ROT13 won't betray your bank account.

This is without getting into interesting things like timing attacks where you can use minute but consistent delays in responses to slowly get the comparison value.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!

Volmarias posted:

This is without getting into interesting things like timing attacks where you can use minute but consistent delays in responses to slowly get the comparison value.

I love finding security software that uses the default language string comparison to compare hashes.

AlternateAccount
Apr 25, 2005
FYGM
Speaking of tickets, the new job at a Rather Large Company is sloppy as hell about internal ones. They sit for months untouched/unclosed. No one does anything as far as work notes, and one poor bastard just comes through and then calls/emails/OC's employees and asks DERP IS THIS RESOLVED/HAVE YOU BEEN CONTACTED and then closes the ticket if so.

Man, that's no good.

Neito
Feb 18, 2009

😌Finally, an avatar that describes my love of tech❤️‍💻, my love of anime💖🎎, and why I'll never see a real girl 🙆‍♀️naked😭.

KoRMaK posted:

Come up with your own cipher; never tell it to anyone.

What is the best you can do? Random SHA string or something?

cat horrifying_porn.avi | md5sum.

Lum
Aug 13, 2003

deimos posted:

You can't replace biometrics when they get compromised.



As for biometrics: at the one place I worked that used fingerprints, none of the readers could ever read mine. Yay eczema!

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

AlternateAccount posted:

Speaking of tickets, the new job at a Rather Large Company is sloppy as hell about internal ones. They sit for months untouched/unclosed. No one does anything as far as work notes, and one poor bastard just comes through and then calls/emails/OC's employees and asks DERP IS THIS RESOLVED/HAVE YOU BEEN CONTACTED and then closes the ticket if so.

Man, that's no good.

Ugh, that happens here. When I got hired we had a 6 year old ticket that basically said "Known issue...but we're not fixing it. You can't close the ticket till it's fixed though". Someone silently closed it one day and nobody noticed or cared.

We have hundreds of tickets where the work log is filled with "Requested update from X" going back for months/years.

We also have a problem where we have queues set up for departments that don't even have access to the ticketing system and aren't held responsible for their tickets. All we can do is e-mail them asking for an update and all they do is ignore us.

(We can't close tickets due to lack of communication so they get stuck in ticket limbo. We have 2k tickets open, the oldest one going back to 2011.)

dogstile
May 1, 2012

fucking clocks
how do they work?
What the hell? My place's oldest tickets are a couple months old and they're just developers' requests. If we literally can't fix something, it's closed.

dogstile fucked around with this message at 12:23 on May 21, 2014

guppy
Sep 21, 2004

sting like a byob
That's crazy. I make three efforts to contact people and if they can't be bothered to respond in that time I close the ticket.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

dogstile posted:

What the hell? My place's oldest tickets are a couple months old and they're just developers' requests. If we literally can't fix something, it's closed.

Unfortunately we can't do that. My department's queue is always kept empty, it's other departments that we have problems with.

It's not as bad as it used to be, going through tickets we only have 3 that aren't from 2014. One's a vendor bug that we're keeping open for tracking purposes, for example.

But yeah, this company has a huge problem with inter-departmental communication, and if someone's not held accountable for their queues and the issue is not customer facing, they really have no reason to address it.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

wintermuteCF posted:

The point that was being made is that "mint chocolate chip ice cream", when encrypted, is just 29 characters that for all you know are random. Even if you guessed "mint" was the first word, you don't know you got the first word right, because you still have 25 characters. As someone pointed out, this isn't a guessing game where someone is going to go "OKAY YOU GOT ME MINT IS THE FIRST WORD, WANNA KEEP GUESSING?"

Even so, you're correct to point out that that password is more vulnerable to a dictionary attack. A password like "correct horse battery staple" (as made famous from the XKCD comic) is more secure.

That example isn't secure at all. You can ask all the captains of industry that used exactly "correct horse battery staple" as their bitcoin password.

Collateral Damage
Jun 13, 2009

Renegret posted:

But yeah, this company has a huge problem with inter-departmental communication, and if someone's not held accountable for their queues and the issue is not customer facing, they really have no reason to address it.
Do you work for my customer? When we got a new ticketing system it was trumpeted that literally everyone would use it and the correct way to request help from another department would be to pass them the ticket. A year later only helpdesk and dba/sysadmin regularly use the system. Application support, network support, IT Security don't use it, and neither does any of the dozen or so application-specific support teams. All of them have their own creative ways of making themselves unreachable like "Email this and this address, put exactly this in the subject, then call this number which goes to voicemail and say that you sent the email."

There are still queues in the system for all departments though, so at least we can toss the ticket into limbo and not have it reflect negatively on our statistics when other departments don't call back for a week.

Our ticketing system also doesn't let us close tickets without a resolution. The only valid ticket statuses are "New" "Assigned" and "Resolved", so there's no way to get statistics over how many tickets actually get resolved and how many are "resolved" because the user didn't return. :suicide:

Oh, and we can't pause the SLA timer if we're waiting for a vendor or something either. Department printer broke? Prio 3 ticket with 48h SLA. The spare part we need is on backorder. Welp, that's an SLA breach warning.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

Collateral Damage posted:

Do you work for my customer? When we got a new ticketing system it was trumpeted that literally everyone would use it and the correct way to request help from another department would be to pass them the ticket. A year later only helpdesk and dba/sysadmin regularly use the system. Application support, network support, IT Security don't use it, and neither does any of the dozen or so application-specific support teams. All of them have their own creative ways of making themselves unreachable like "Email this and this address, put exactly this in the subject, then call this number which goes to voicemail and say that you sent the email."

There are still queues in the system for all departments though, so at least we can toss the ticket into limbo and not have it reflect negatively on our statistics when other departments don't call back for a week.

Our ticketing system also doesn't let us close tickets without a resolution. The only valid ticket statuses are "New" "Assigned" and "Resolved", so there's no way to get statistics over how many tickets actually get resolved and how many are "resolved" because the user didn't return. :suicide:

Oh, and we can't pause the SLA timer if we're waiting for a vendor or something either. Department printer broke? Prio 3 ticket with 48h SLA. The spare part we need is on backorder. Welp, that's an SLA breach warning.

Hah, that sounds pretty drat close. We can at least turn off the SLA timer since that only applies to any ticket marked as an outage, so I can switch it to a tracking ticket if it's sitting in limbo. The closest we can get to closing a ticket without resolution is "No Trouble Found" or "Issue Resolved/Pending RCA" but they're both not really accurate for that. The second one comes up in reporting too and I'll get hung by my balls for it.

We have the same deal with app support/IT/security as well, they use their own ticketing systems and ignore the main one they're supposed to be using. I take a guilty pleasure in closing out tickets as resolved with a six month repair time, marking it as an outage and charging it to them, then when they get pissed I just point at the work log where they ignored us for months. It always gets corrected but I'd like to think that I'm teaching them an important lesson in updating your god drat tickets (even though I know I'm not)

jre
Sep 2, 2011

To the cloud ?



nielsm posted:

Except that you have to know the password has that form.


Install Windows posted:

If you know the system you're attacking allows very long password lengths, you can make sure your bruteforce attempts will include combinations of dictionary words with spaces before it switches over to iterating through aaaaaaaB and after running the first 2000 most common passwords in password database leaks.

If on the other hand you know the system caps at 16 characters you're not going to bother with sentences.

Many people overestimate how strong these passwords are because they don't appreciate how trivial it has become to brute force combinations of dictionary words.

Hacker finds SQL injection in dickbutts.com which is still using md5 for passwords and steals all the hashes. Even if they are individually salted this does not significantly slow the attacker down.

Hashcat on this hardware

2x AMD HD 6990, 880 MHz GPU (clocked from 800), 1250 MHz RAM (stock)
Catalyst 12.1
Windows 7 x64

can bruteforce md5 at

MD5 23083.9 M/s
md5($pass.$salt) 23082.0 M/s

http://thepasswordproject.com/oclhashcat_benchmarking

That's 23 Billion passwords checked per second. If you were to use one of amazon's GPU compute nodes it would be even quicker.


Collateral Damage
Jun 13, 2009

If sites use md5 for password hashing that's a problem with the site, not with your password. If you md5 hash your passwords then NO password is secure because even 20 random letters and numbers can be brute forced in a couple of hours.

Use bcrypt or :frogout:
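Volmarias' stolen-hash scenario, deimos' "default string comparison on hashes" gripe and Collateral Damage's bcrypt advice, side by side as an added example that is not from the thread. The standard library's PBKDF2 stands in for bcrypt here so the code runs without a third-party package (an assumption; bcrypt itself is the thread's recommendation), and the `weak_*`/`strong_*` names and the record format are mine.

```python
import hashlib
import hmac
import os

# --- The dickbutts.com pattern: unsalted MD5 and a plain "==" compare ---

def weak_store(password):
    """Unsalted MD5: one stolen table cracks every user at ~23 GH/s, and
    identical passwords produce identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(password, stored_hex):
    """str == str stops at the first mismatching byte, so the response time
    depends on how much of the hash the candidate got right: the timing
    leak Volmarias describes."""
    return hashlib.md5(password.encode()).hexdigest() == stored_hex


# --- Hardened: per-user random salt, deliberately slow KDF, constant-time compare ---

KDF_ITERATIONS = 200_000   # tune so one verify costs a noticeable fraction of a second
SALT_BYTES = 16
DKLEN = 32


def _derive(password, salt, iterations):
    # PBKDF2-HMAC-SHA256 from the stdlib; bcrypt/scrypt/argon2 are the better
    # production choices and slot in at this one line.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DKLEN)


def strong_store(password, salt=None):
    """Record format (mine): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    Storing the parameters lets you raise the cost later without a flag day."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = _derive(password, salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def strong_verify(password, record):
    """Recompute from the stored salt and parameters, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False   # malformed record: refuse rather than crash
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("weak record:  ", weak_store(pw))
    print("strong record:", strong_store(pw))
    print("strong verify ok:", strong_verify(pw, strong_store(pw)))
```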
