evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug
Is it like they had in Sweden where you get basically a scratch lottery ticket with codes? Or in Norway, where you get a letter sent to your census registered address with pin codes in it?

Crowley
Mar 13, 2003

flosofl posted:

Is this code card electronic like an RSA or Entrust key or just a code that has to be entered?

Because if it's the latter, that's not two factor auth.

Like RSA, but with a cardboard list of keys


Example:
- Go to https://www.bank.dk/OnlineBank
- Type User/Pass
- Bank says "Enter the number at position 9835"
- You find 9835 on your card, and enter that.
- You're in.

Sample card:


Edit: You can buy a token if you prefer that. The cards are free.


evobatman posted:

Or in Norway, where you get a letter sent to your census registered address with pin codes in it?
Exactly this, and you automatically get a new one when you're down to 20 codes left.

Crowley fucked around with this message at 14:25 on Feb 9, 2015
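The cardboard-card login described above, worked through from the bank's side as an added example (not Crowley's bank's code or anything from the thread): the server picks a random unused position, compares the answer in constant time, burns the position, and flags the account for a fresh card once 20 codes are left, as the post says. The card size (100 codes), code length (6 digits) and all names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

CARD_SIZE = 100        # assumption: codes printed per card
CODE_DIGITS = 6        # assumption: digits per code
RENEW_THRESHOLD = 20   # from the post: a fresh card goes out at 20 codes left


@dataclass
class CodeCard:
    """One printed card: position label -> code, plus the positions already consumed."""
    codes: Dict[int, str]
    used: Set[int] = field(default_factory=set)

    @classmethod
    def issue(cls) -> "CodeCard":
        # Position labels are random four-digit numbers (the post shows
        # "position 9835"), so neither the next label nor its code is predictable.
        labels: Set[int] = set()
        while len(labels) < CARD_SIZE:
            labels.add(1000 + secrets.randbelow(9000))
        return cls({p: "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
                    for p in labels})

    def remaining(self) -> int:
        return len(self.codes) - len(self.used)


class BankServer:
    """Second-factor step only; the username/password check is assumed to have passed."""

    def __init__(self) -> None:
        self.cards: Dict[str, CodeCard] = {}
        self.pending: Dict[str, int] = {}   # user -> position currently being asked for

    def enrol(self, user: str) -> CodeCard:
        card = CodeCard.issue()
        self.cards[user] = card
        return card   # in practice the card is printed and posted to the registered address

    def challenge(self, user: str) -> int:
        """Pick an unused position at random and remember it for this login attempt."""
        card = self.cards[user]
        unused = [p for p in card.codes if p not in card.used]
        if not unused:
            raise RuntimeError("card exhausted; user must wait for the replacement")
        pos = secrets.choice(unused)
        self.pending[user] = pos
        return pos

    def verify(self, user: str, answer: str) -> Tuple[bool, bool]:
        """Return (login_ok, send_new_card).

        The position is consumed whether or not the answer was right (a design
        choice in this example): a wrong guess never gets a second try at the
        same code, and a code seen over someone's shoulder is dead after one use.
        """
        card = self.cards[user]
        pos = self.pending.pop(user, None)
        if pos is None:
            return False, False   # no outstanding challenge, nothing to verify
        card.used.add(pos)
        ok = hmac.compare_digest(card.codes[pos].encode(), answer.encode())
        return ok, card.remaining() <= RENEW_THRESHOLD
```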

Nerdrock
Jan 31, 2006

Crowley posted:

Like RSA, but with a cardboard list of keys


Example:
- Go to https://www.bank.dk/OnlineBank
- Type User/Pass
- Bank says "Enter the number at position 9835"
- You find 9835 on your card, and enter that.
- You're in.

Sample card:


Reminds me of the old "copy protection" on computer games in the early 90s.

Proteus Jones
Feb 28, 2013

ookiimarukochan posted:

It's 2 factor auth, it's just dumb 2 factor auth (it's what at least a few major Japanese banks use for their e-banking. SMBC at least, and I'm pretty sure Mizuho are the same)

We used to call that 1.5 factor since it's really "something you know" plus "something you know". Each factor is supposed to be something different. So an RSA key fob is something you know (PIN) and something you *have* (time shifting code generator). Biometric in conjunction with a password is something you know (password) and something you *are* (a unique physical attribute).

Proteus Jones
Feb 28, 2013

Crowley posted:

Like RSA, but with a cardboard list of keys


Example:
- Go to https://www.bank.dk/OnlineBank
- Type User/Pass
- Bank says "Enter the number at position 9835"
- You find 9835 on your card, and enter that.
- You're in.

Sample card:


Edit: You can buy a token if you prefer that. The cards are free.


Exactly this, and you automatically get a new one when you're down to 20 codes left.

That works. At least as far as it can when people scan the code matrix. Since you can't anticipate the challenge code, this falls under the "something you HAVE" part of 2 factor.

I was thinking more along the lines of something the size of the business card with "CODE: SUPERSECRETLOGONCODE" on it. I have seen those and always wonder what's the point?

EAT THE EGGS RICOLA
May 29, 2008

myron cope posted:

Since we're talking passwords, is there any obligation to tell a person their password sucks? This is a lady in benefits in HR and her password is super weak and also it's fairly obvious what her next password(s) will be. Normally I don't really care but she has basically all employee info.

We used to do a thing a few times a year where we would email everyone telling them that it was password breaking day, then try and crack all of their passwords. Anyone that didn't get their password found out within a couple hours got a gift card to a nice coffeeshop, everyone else was forced to reset their passwords.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

flosofl posted:

That works. At least as far as it can when people scan the code matrix. Since you can't anticipate the challenge code, this falls under the "something you HAVE" part of 2 factor.

I was thinking more along the lines of something the size of the business card with "CODE: SUPERSECRETLOGONCODE" on it. I have seen those and always wonder what's the point?
Those work pretty well as default root passwords for things like home routers, compared to defaults like admin:admin or root:[blank].

Javid
Oct 21, 2004

:jpmf:
Those places with 90 different passwords are why people pick simple passwords.

AAB
Nov 5, 2010

A fun way to have super secure passwords is to go the nuke code route and have 2 people know each half of the admin password. So person 1 would know "pass" and person 2 would know "word"

Reacean
Nov 29, 2004

In a previous help desk position (in a bank help desk) I once counted my total unique passwords at 87. This was mostly because they did not initially set up the teller/banker software with a central login, so each branch had its own for both sides. I pushed for years to simplify that, but it fell on deaf ears. While users didn't have nearly as many, even for a simple teller it was far more than a person can reasonably be expected to remember (somewhere close to 20, if they were a senior teller that covered nearby branches).

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I found out a few weeks ago that all the exec passwords here are their license plate numbers on their company SUVs.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy
"I don't know why this ticket was assigned to us two months ago. We were never notified that a ticket was sent over. I'm sending it back without investigating it."

I want to know what kind of hosed up world I work in where this is an acceptable update to a ticket. Whose dick is this group sucking so not only can they get away with not looking at their own ticket queues, but the group who assigns the ticket over is held responsible for not notifying them via phone or e-mail.

Nobody here understands the purpose of a ticket and it leads to some...very confusing workflows.

Feline Mind Meld
Jun 14, 2007

I'm pretty creeped out

Javid posted:

Those places with 90 different passwords are why people pick simple passwords.

God I wish I could just quote this over and over again. I tried to be good about the 10 or so passwords I have at work, but when you have a history of 30 passwords and 45 day changes and different special character requirements for each (including a mainframe system that can't use them at all), that discipline slips. I don't want to be the guy calling helpdesk for password resets all the time so they end up being easy for me to remember with minimal changes, and as close to being the same for each system as I possibly can make them. Anything too aberrant gets written down in my password hidey-hole.

Even then they're still alphanumeric gibberish, so I guess I'm ahead of the average user.

Gumball Gumption
Jan 7, 2012

Renegret posted:

"I don't know why this ticket was assigned to us two months ago. We were never notified that a ticket was sent over. I'm sending it back without investigating it."

I want to know what kind of hosed up world I work in where this is an acceptable update to a ticket. Whose dick is this group sucking so not only can they get away with not looking at their own ticket queues, but the group who assigns the ticket over is held responsible for not notifying them via phone or e-mail.

Nobody here understands the purpose of a ticket and it leads to some...very confusing workflows.

The other day I had a great conversation with one of the other groups.

"Hey, Jim Truds, your group needs to tell us when you assign us tickets. We don't have any way to see them unless you tell us."

"Don't you use the ticketing system? Open up Alert Monitor and it will show you all your tickets."

"We don't use that, you have to tell us when we get tickets."
:suicide:

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

jim truds posted:

The other day I had a great conversation with one of the other groups.

"Hey, Jim Truds, your group needs to tell us when you assign us tickets. We don't have any way to see them unless you tell us."

"Don't you use the ticketing system? Open up Alert Monitor and it will show you all your tickets."

"We don't use that, you have to tell us when we get tickets."
:suicide:

I even offered to write all the search macros for one group one day.

"Oh no, we don't need you do that, we know how to use Remedy"

Then why the gently caress are you calling me back asking for the ticket number I just called over 5 minutes ago because you forgot it? :suicide:

'Status' != "Closed" AND 'Assigned-to Group' = "My_Department"

Done, there ya go, that's all you need. Good job. You did it!

</rant>

huff...huff...huff...


edit: That same group just sent over 4 tickets to me that they opened themselves in December requesting they be closed because they're unable to reproduce the issue.

Nope. Have your ticket back, where I'm sure it'll sit for another two months before it gets kicked back to me again. Sure I can close them myself in under a minute, but it's the principle of the thing. I'm not a ticket secretary.

(I totally am a ticket secretary)

Renegret fucked around with this message at 16:50 on Feb 9, 2015

nitrogen
May 21, 2004

Oh, what's a 217°C difference between friends?

Javid posted:

Those places with 90 different passwords are why people pick simple passwords.

We have single sign on here, and it's great. I only have about eleven "single" sign-on passwords to remember.

psydude
Apr 1, 2008

Ransomware worm took our network by storm today and infected well over 1,000 machines. Good thing I'm in engineering and not incident handling!

psydude fucked around with this message at 19:04 on Feb 9, 2015

spankmeister
Jun 15, 2008

psydude posted:

Ransomware worm took our network by storm today and infected well over 1,000 machines. Good thing I'm in engineering and not incident handling!

It sucks but all it takes is reimaging and restoring backups. :sun:

You do have backups right?

Also, everybody should block exe's (and exe in zip) in emails goddamn.

m.hache
Dec 1, 2004

Fun Shoe

spankmeister posted:

It sucks but all it takes is reimaging and restoring backups. :sun:

You do have backups right?

Also, everybody should block exe's (and exe in zip) in emails goddamn.

So a few weeks ago I implemented a .zip block on emails (as well as other common file types). Last week I get a phone call because our email system isn't letting emails through.

Apparently reading the bounce-back message of ".zip files are not an accepted file type" is too hard for them.

I told my boss this has been implemented to prevent system breaches and vulnerabilities. I give it 1 month before she asks for me to revert it.

RFC2324
Jun 7, 2012

http 418

Eldercain posted:

Even then they're still alphanumeric gibberish, so I guess I'm ahead of the average user.

Didn't they find that those alphanumeric gibberish passwords are actually weaker than a simple multiword phrase, since they are equally hard for a machine to brute force, but the alphanumerics have a bigger flaw in human security (you write it down and put it somewhere)?

ookiimarukochan
Apr 4, 2011

m.hache posted:

I give it 1 month before she asks for me to revert it.

Plenty of companies I've worked with in the past do that - and so everyone sends encrypted files as 7z, or rar, or lzh, or - well, you get the idea.

m.hache
Dec 1, 2004

Fun Shoe

ookiimarukochan posted:

Plenty of companies I've worked with in the past do that - and so everyone sends encrypted files as 7z, or rar, or lzh, or - well, you get the idea.

I wouldn't care if they did that. I just hate having to modify our security settings because some dipshit on the far end doesn't understand that sending .zips is less likely to succeed.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy

RFC2324 posted:

Didn't they find that those alphanumeric gibberish passwords are actually weaker than a simple multiword phrase, since they are equally hard for a machine to brute force, but the alphanumerics have a bigger flaw in human security (you write it down and put it somewhere)?

The opposite, actually. I read an article on this before, I really wish I remembered where to find it. The short of it was that there are methods of brute forcing that have been developed that will attempt to use dictionary words and combinations of dictionary words since there's a higher chance that's what people will use. With gibberish, it has to get brute forced the old fashioned way.

This is assuming the crackers have access to the password hashes so they could attempt hundreds of passwords a second.

I've always been under the impression that password security is something that nobody will ever be able to agree on. My Security+ book said things about password security that I will disagree with until the day that I die.

e: not to mention that I'm more afraid of some schmuck across the Atlantic getting access to my passwords, rather than my coworker who sees it on a post it note and probably doesn't care. Not that I'm condoning the use of notebooks or post its either.

Renegret fucked around with this message at 19:46 on Feb 9, 2015

Fuschia tude
Dec 26, 2004

THUNDERDOME LOSER 2019

RFC2324 posted:

Didn't they find that those alphanumeric gibberish passwords are actually weaker than a simple multiword phrase, since they are equally hard for a machine to brute force, but the alphanumerics have a bigger flaw in human security (you write it down and put it somewhere)?

Actually aren't multiword passwords generally harder, because they're usually many characters longer and each character increase in length increases the brute-force time exponentially?

spankmeister
Jun 15, 2008

m.hache posted:

So a few weeks ago I implemented a .zip block on emails (as well as other common file types). Last week I get a phone call because our email system isn't letting emails through.

Apparently reading the bounce-back message of ".zip files are not an accepted file type" is too hard for them.

I told my boss this has been implemented to prevent system breaches and vulnerabilities. I give it 1 month before she asks for me to revert it.

Blocking zips is actually counterproductive because then people start to use alternative means for file transfer that you have even less control over. Your scanning solution should block executables, and also scan archives for them.
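An attachment check along the lines spankmeister describes, as an added example (not from the thread or any mail product): it blocks executable extensions, looks inside zip members for executable magic bytes instead of trusting the file name, descends into nested archives to a fixed depth, and flags encrypted members it cannot read. The sample archive, the limits and all names are constructed.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Magic bytes that identify executable content regardless of the file name.
EXEC_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable",
              b"#!": "script with interpreter line"}
ZIP_MAGIC = b"PK\x03\x04"
# Extensions blocked outright (a short constructed list; extend to taste).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
MAX_DEPTH = 2                        # assumption: how deep nested archives are opened
MAX_MEMBERS = 1000                   # assumption: crude zip-bomb guard
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: members above this are flagged, not read


def extension_of(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify_head(head: bytes) -> Optional[str]:
    for magic, desc in EXEC_MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Tuple[str, str]]:
    """Return (member path, reason) for every member that should stop the mail."""
    findings: List[Tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "claims to be a zip but is not")]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return [(prefix or "<archive>", f"more than {MAX_MEMBERS} members")]
        for info in infos:
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = extension_of(info.filename)
            if ext in EXEC_EXTENSIONS:
                findings.append((path, f"blocked extension {ext}"))
            elif info.flag_bits & 0x1:       # encrypted member: content cannot be inspected
                findings.append((path, "encrypted member, cannot be scanned"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to scan"))
            else:
                with zf.open(info) as fh:
                    head = fh.read(4)
                if head.startswith(ZIP_MAGIC):
                    if depth >= MAX_DEPTH:
                        findings.append((path, "nested archive beyond depth limit"))
                    else:
                        findings.extend(scan_zip(zf.read(info), depth + 1, path + "/"))
                else:
                    kind = classify_head(head)
                    if kind:
                        findings.append((path, f"{kind} disguised as {ext or 'no extension'}"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed data: a benign text file, a PE binary named .pdf, and a nested zip with an ELF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tool", b"\x7fELF\x02\x01\x01" + b"\x00" * 20)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"meeting at 3pm")
        z.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```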

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer

Renegret posted:

"I don't know why this ticket was assigned to us two months ago. We were never notified that a ticket was sent over. I'm sending it back without investigating it."

I want to know what kind of hosed up world I work in where this is an acceptable update to a ticket. Whose dick is this group sucking so not only can they get away with not looking at their own ticket queues, but the group who assigns the ticket over is held responsible for not notifying them via phone or e-mail.

Nobody here understands the purpose of a ticket and it leads to some...very confusing workflows.

One thing I love about my company is that, if this happened, I'd escalate the ticket to incident management and they'd inquire why they had an unassigned ticket sitting with them for 2 months, then force them to take care of it.

Because gently caress people who do this.

Garrand
Dec 28, 2012

Rhino, you did this to me!

Renegret posted:

The opposite, actually. I read an article on this before, I really wish I remembered where to find it. The short of it was that there are methods of brute forcing that have been developed that will attempt to use dictionary words and combinations of dictionary words since there's a higher chance that's what people will use. With gibberish, it has to get brute forced the old fashioned way.

This is assuming the crackers have access to the password hashes so they could attempt hundreds of passwords a second.

I've always been under the impression that password security is something that nobody will ever be able to agree on.

e: not to mention that I'm more afraid of some schmuck across the Atlantic getting access to my passwords, rather than my coworker who sees it on a post it note and probably doesn't care. Not that I'm condoning the use of notebooks or post its either.

I remember there was a big hoopla when that one XKCD comic came out a long time ago. Recently I was looking for some rebuttals on it but the only ones I found either made zero sense or, in 2 cases, were people trying to shill their own security storage programs. I'm also pretty certain that most people missed the point of the comic anyway.

Basically the idea is that there are more word variations than there are character variations, so a 4 word password that's easy to memorize is still harder to crack than someone using an 8 character jumble of letters that they have to reset their password every 2 weeks because they forgot / lose the post it note or whatever.

I guess ideally everybody would use encrypted password storage programs that allows people to use long and complex passwords and only have to memorize the one that gets them into it, but that doesn't seem particularly likely to happen anytime soon.

I'm not a security professional so please if anybody thinks I'm wrong feel free to tear me a new one.

nielsm
Jun 1, 2009

m.hache posted:

So a few weeks ago I implemented a .zip block on emails (as well as other common file types). Last week I get a phonecall because our email system isn't letting emails through.

Apparently reading the bounce-back message of ".zip files are not an accepted file type" is too hard for them.

People can't read bounce messages, and honestly I don't blame them.
The actual reason text tends to be buried 20 lines down surrounded by irrelevant technical details. Nobody who doesn't already speak SMTP will ever get that far without turning off and giving up.
It also doesn't help when the reason text can't be internationalized. Plenty of our users don't speak technical English.

spankmeister
Jun 15, 2008

Stanford knows what's up:

nielsm
Jun 1, 2009

And then you run into the issue of users spending two minutes logging in because they hunt and peck. Ten minutes logging in because they hunt and peck, get unsure whether they mistyped several times and decide to start over.


And then the weirdest issue we run in to constantly at my place: Users managing to place one or more space characters before or after their username, causing password errors that no reset will solve. Why.

Why does Windows even allow usernames with whitespace before or after? Why doesn't it just trim that off?

nielsm fucked around with this message at 20:10 on Feb 9, 2015

spankmeister
Jun 15, 2008

nielsm posted:

And then you run into the issue of users spending two minutes logging in because they hunt and peck.

their problem

KoRMaK
Jul 31, 2012

spankmeister posted:

their problem
they're problem

Feline Mind Meld
Jun 14, 2007

I'm pretty creeped out
We have some systems that have an upper bound on number of characters, so I really am stuck in the 8-10 character range. I'd love to use a pass phrase type thing but it's just not feasible.

That doesn't stop upper management from making us watch a bunch of "how to safely use the internet" videos every 2 months regardless of circumstance. I know it's probably a good idea, but do I really need to spend half an hour learning how to protect my non-existent kids from the dangers of the web? And how does turning a 30 character password into leetspeak make it "easy to remember"?

Why aren't we just using biometric SSO and maybe a security token already? Passwords rule my life but rank extremely low on stuff I give a poo poo about.

sloshmonger
Mar 21, 2013

Fuschia tude posted:

Actually aren't multiword passwords generally harder, because they're usually many characters longer and each character increase in length increases the brute-force time exponentially?

The argument against them is that if those words are "common", such as in the Oxford English Dictionary, Wikipedia for the relevant language or the dump of a previously hacked site, then that 4 word password is no better than a 4 character password.

This is obviously an exaggeration, but the claim is still interesting. They're probably stronger, but not as strong as a similar length random character password.

Eldercain posted:

We have some systems that have an upper bound on number of characters, so I really am stuck in the 8-10 character range. I'd love to use a pass phrase type thing but it's just not feasible.

Why aren't we just using biometric SSO and maybe a security token already? Passwords rule my life but rank extremely low on stuff I give a poo poo about.

These biometric systems still won't work on the systems you mention above since no company will willingly pay money to update them to work since the current setup already works just fine.

Feline Mind Meld
Jun 14, 2007

I'm pretty creeped out
It's just baffling that something like that could possibly cost more than all the lost man-hours that go into remembering passwords and then resetting them etc.

But then again that is why this thread exists, I suppose.

A ticket came in last week for a guy who couldn't figure out how to pay using our website. I go look up his transaction history, and literally 3 minutes after the ticket was put in (and maybe 30 minutes after his first logon) he has figured it out and made a payment. Going to venture that there isn't any code that needs to be fixed here :rolleye:

KoRMaK
Jul 31, 2012

Eldercain posted:

It's just baffling that something like that could possibly cost more than all the lost man-hours that go into remembering passwords and then resetting them etc.
Is anyone tracking those lost man-hours? That's step one.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

sloshmonger posted:

The argument against them is that if those words are "common", such as in the Oxford English Dictionary, Wikipedia for the relevant language or the dump of a previously hacked site, then that 4 word password is no better than a 4 character password.


It'd probably be best to describe it as a 4 character password where each character can be one of 10,000 options.

That's still 10 quadrillion.

Now, if you also encourage them to include just one special character, you're going to dramatically increase the complexity.

psydude
Apr 1, 2008

spankmeister posted:

It sucks but all it takes is reimaging and restoring backups. :sun:

You do have backups right?

Also, everybody should block exe's (and exe in zip) in emails goddamn.

I have no idea, I work in the SOC. That's infrastructure's realm. :smug:

Alliterate Addict
Jul 10, 2012

dreaming of that face again

it's bright and blue and shimmering

grinning wide and comforting me with its three warm and wild eyes

sloshmonger posted:

This is obviously an exaggeration, but the claim is still interesting. They're probably stronger, but not as strong as a similar length random character password.

The trick is they're only less-strong than a similar random-character password if the person attempting to crack it knows the rules by which the password was generated. If you can preemptively say "yes I know this password is 4 dictionary letters with spaces between them" then it cuts down on the possibilities, but even if you know that for sure and you know they're space-delimited and you know there's no intentional misspellings or substitutions, you have about 1.1x10^24 possibilities to work through. Assuming my math isn't terrible, that puts it on a security level somewhere between a 12- and 13-character fully-randomized password string.
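The keyspace arithmetic behind sloshmonger's, Dr. Arbitrary's and Alliterate Addict's figures, as an added example (not from the thread): 4 words from 10,000 gives 10^16 (10 quadrillion), 95 printable ASCII characters is assumed as the alphabet of a "fully randomized" password, and 1.1x10^24 lands between 12 and 13 such characters. The guess rate is Renegret's "hundreds a second", taken here as 500.

```python
import math

PRINTABLE_ASCII = 95   # assumption: alphabet of a "fully randomized" password


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `alphabet` choices."""
    return alphabet ** length


def bits(alphabet: int, length: int) -> float:
    """Same keyspace expressed as bits of entropy (assumes uniform random choice)."""
    return length * math.log2(alphabet)


def equivalent_random_length(space: float, alphabet: int = PRINTABLE_ASCII) -> float:
    """Length of a random password over `alphabet` with the same keyspace (fractional)."""
    return math.log(space) / math.log(alphabet)


def implied_dictionary_size(space: float, words: int) -> int:
    """Dictionary size a `words`-word passphrase must draw from to reach `space`."""
    return round(space ** (1.0 / words))


def time_to_exhaust(space: float, guesses_per_second: float) -> float:
    """Seconds for an attacker at the given rate to try every candidate."""
    return space / guesses_per_second


def report(words: int, dict_size: int, random_chars: int, rate: float) -> dict:
    """Side-by-side comparison of a passphrase and a random-character password.

    The passphrase numbers assume the attacker already knows the word count,
    the dictionary and the delimiter, i.e. the worst case Alliterate Addict describes.
    """
    phrase = keyspace(dict_size, words)
    rnd = keyspace(PRINTABLE_ASCII, random_chars)
    return {
        "phrase_keyspace": phrase,
        "phrase_bits": round(bits(dict_size, words), 1),
        "random_keyspace": rnd,
        "random_bits": round(bits(PRINTABLE_ASCII, random_chars), 1),
        "phrase_as_random_length": round(equivalent_random_length(phrase), 2),
        "phrase_years_at_rate": time_to_exhaust(phrase, rate) / (365 * 24 * 3600),
    }
```

With a 10,000-word list, 4 words (about 53.2 bits) is roughly an 8-character random password (about 52.6 bits); the passphrase only pulls clearly ahead with a bigger dictionary or more words, which is what Alliterate Addict's 1.1x10^24 (a dictionary of about a million words) shows.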

Bhodi
Dec 9, 2007

Oh, it's just a cat.
Pillbug
Realistically your password is going to be one of thousands in a stolen bunch and they'll go for low-hanging fruit, the 1 in 100 when they discover "password123" OR they were stored incorrectly and can be easily reversed directly into plain text, but these realities don't make good security policy.
