|
Martytoof posted:Are you adblocking anything? Just checked and mine is Gears Icon -> Security, and there I have "Password", "Security Questions", "Mobile PIN", "Customer Service PIN", "Security Key", and "Stay logged in bla bla"
|
#
?
Dec 3, 2016 17:20
|
|
|
|
| # ? May 12, 2024 19:56 |
|
|
Martytoof posted:Eh, Paypal's implementation could be better. You can still fall back to using your generic secret questions, plus I think SMS MFA is just stupid anyway when you could implement a TOTP solution but I guess it's better than nothing. I seem to recall something from a few years ago where you could order a synchronous token from them for a couple bucks. It appears they ditched that for the SMS OTP. I'm not a huge fan of it either, but it still makes sense to use than not.
|
|
#
?
Dec 3, 2016 19:30
|
|
|
Sorry that I'm late to the party with this one, butInternet Explorer posted:Sorry, I only store my hashed password database on an encrypted flash drive stuffed in my rectum that requires a specific sequence of hot peppers at random Scoville values to dislodge. Fart Knocking
|
|
#
?
Dec 4, 2016 02:22
|
|
|
Someone repost the bug bounty for PayPal's 2FA where the guy just completely bypassed it by editing the URL
|
|
#
?
Dec 4, 2016 07:25
|
|
|
Cup Runneth Over posted:Someone repost the bug bounty for PayPal's 2FA where the guy just completely bypassed it by editing the URL http://henryhoggard.co.uk/blog/Paypal-2FA-Bypass
|
|
#
?
Dec 4, 2016 09:18
|
|
|
Last I tried changing my PayPal password, I could not even paste a password into the textbox because they disabled paste...
|
|
#
?
Dec 4, 2016 09:46
|
|
|
EssOEss posted:Last I tried changing my PayPal password, I could not even paste a password into the textbox because they disabled paste... I remember working around this on I think it was battle.net by popping open the element inspector and doing $0.value = "password". Except my autogenerated password was like 20 characters and the max was 16. So they silently truncated it before storing it, which meant that my password didn't actually work.
|
|
#
?
Dec 4, 2016 10:16
|
|
|
vOv posted:I remember working around this on I think it was battle.net by popping open the element inspector and doing $0.value = "password". Except my autogenerated password was like 20 characters and the max was 16. So they silently truncated it before storing it, which meant that my password didn't actually work. This is what happened with me. It was up to me to work out why my newly generated ~40 character password wasn't working, before realising they'd truncated it to 20 characters. If you count the dots in the input box when pasting you can see that there are only 20 of them there, but really. If they can't even get decent length password entry working in a browser why should I trust them to send me a text message promptly to my phone when I'm out and about and see a good deal I want? Or if I feel that my account's become compromised and I need to log in and do something about it quickly? Why should I trust them not to gently caress that up? [facetious]What's the most secure 20 digit password?[/facetious]
|
|
#
?
Dec 4, 2016 11:14
|
|
|
apropos man posted:[facetious]What's the most secure 20 digit password?[/facetious]
|
|
#
?
Dec 4, 2016 11:32
|
|
|
apropos man posted:This is what happened with me. It was up to me to work out why my newly generated ~40 character password wasn't working, before realising they'd truncated it to 20 characters. If you count the dots in the input box when pasting you can see that there are only 20 of them there, but really. If they can't even get decent length password entry working in a browser why should I trust them to send me a text message promptly to my phone when I'm out and about and see a good deal I want? Or if I feel that my account's become compromised and I need to log in and do something about it quickly? Why should I trust them not to gently caress that up? The solution to a potentially weak password is .... to not enable 2 factor? Do you see the issue here? Also ~130 bits of entropy is enough to defend against an offline attack for as long as the Sun is going to shine for. No one wants your data that badly.
|
|
#
?
Dec 4, 2016 12:45
|
|
|
"Khablam" posted:
20 mb hard drive is all your are ever going to need.
|
|
#
?
Dec 4, 2016 16:07
|
|
|
Sickening posted:20 mb hard drive is all your are ever going to need. You're right. There is absolutely no possibility the allowed password length will increase over time.
|
|
#
?
Dec 4, 2016 16:14
|
|
|
mod saas posted:You're right. There is absolutely no possibility the allowed password length will increase over time. No, don't you see, once you set your password you can never change it. That kind of functionality would me MADNESS!!!
|
|
#
?
Dec 4, 2016 16:28
|
|
|
mod saas posted:You're right. There is absolutely no possibility the allowed password length will increase over time. RFC2324 posted:No, don't you see, once you set your password you can never change it. That kind of functionality would me MADNESS!!! Don't sperg out over even the lamest of jokes. 
|
|
#
?
Dec 4, 2016 17:00
|
|
|
Two-factor feels like a really marginal increase in security in many cases. An attacker sophisticated enough to get my password in spite of good password hygiene is probably sophisticated enough to phone in to customer service to turn off 2-factor, or to just port my phone number. The weakest points of the system are mostly outside of our control.
|
|
#
?
Dec 4, 2016 18:07
|
|
|
Sickening posted:Don't sperg out over even the lamest of jokes. 
|
|
#
?
Dec 4, 2016 18:11
|
|
|
Sickening posted:Don't sperg out over even the lamest of jokes. sorry that your venn diagram of jokes overlaps with both "things that aren't funny" and "things that aren't jokes"
|
|
#
?
Dec 4, 2016 19:31
|
|
|
DuckConference posted:Two-factor feels like a really marginal increase in security in many cases. An attacker sophisticated enough to get my password in spite of good password hygiene is probably sophisticated enough to phone in to customer service to turn off 2-factor, or to just port my phone number. The weakest points of the system are mostly outside of our control. It's not designed to stop the GRU from intercepting a SMS in transit to your phone. It's designed to stop people from using keylogged or cracked passwords paired with email addresses from automating access to your poo poo. Enterprise 2FA using poo poo like smart cards or machine certs is a lot harder to defeat without insider help. Of course, APTs who want it badly enough are starting to get around that, so the new thing is pairing it with attribute based access control to limit permissions far more than normal RBAC.
|
|
#
?
Dec 4, 2016 21:07
|
|
|
apropos man posted:[facetious]What's the most secure 20 digit password?[/facetious] In a previous job, the admin password for every production database was "productnamePR0DUCTNAME!". The '0' makes it secure, I guess.
|
|
#
?
Dec 5, 2016 08:16
|
|
|
I inherited a pretty sensitive and integral piece of equipment when I worked at a large bank. The password was "Q1w2E3r4Y7u8I9o0", which, after glancing at a keyboard is about as stupid as it looks.
|
|
#
?
Dec 5, 2016 11:46
|
|
|
The best password is the default Oracle one which they use on everything from the JRE keystore to StorageTek LTO tape libraries: changeme I've never seen it changed...
|
|
#
?
Dec 5, 2016 12:04
|
|
|
cheese-cube posted:The best password is the default Oracle one which they use on everything from the JRE keystore to StorageTek LTO tape libraries: changeme Doesn't dell use it too? I know it was the default for both Sun and Dell servers at one fortune 500 I have worked at, tho it may have been baked into the dell firmware update they ran before I got my hands on the hardware.
|
|
#
?
Dec 5, 2016 14:33
|
|
|
scott/tiger
|
|
#
?
Dec 5, 2016 14:44
|
|
|
DuckConference posted:Two-factor feels like a really marginal increase in security in many cases. An attacker sophisticated enough to get my password in spite of good password hygiene is probably sophisticated enough to phone in to customer service to turn off 2-factor, or to just port my phone number. The weakest points of the system are mostly outside of our control. And this is why you don't work in infosec (I hope).
|
|
#
?
Dec 5, 2016 16:22
|
|
|
Subjunctive posted:scott/tiger cisco/cisco
|
|
#
?
Dec 5, 2016 16:31
|
|
|
Inspector_666 posted:cisco/cisco U: admin P: Is always my favorite. Kind of a head-fake: "Ha, you keep trying all these 'default' passwords! Jokes on you, there IS no password for unfettered access!"
|
|
#
?
Dec 5, 2016 16:36
|
|
|
RFC2324 posted:Doesn't dell use it too? I know it was the default for both Sun and Dell servers at one fortune 500 I have worked at, tho it may have been baked into the dell firmware update they ran before I got my hands on the hardware. Never worked with Dell but maybe the commonality is JRE-based management thingos? Is there a default password constant in JRE which happens to be changeme? pr0zac posted:And this is why you don't work in infosec (I hope). Also 1000x this ^^^
|
|
#
?
Dec 5, 2016 17:10
|
|
|
root/calvin is my personal fave
|
|
#
?
Dec 5, 2016 17:12
|
|
|
CLAM DOWN posted:root/calvin is my personal fave This one was really convenient for me after a merger a few years ago.
|
|
#
?
Dec 5, 2016 18:33
|
|
|
pr0zac posted:And this is why you don't work in infosec (I hope). I don't, I was mostly speaking for myself personally rather than enterprise policy or something
|
|
#
?
Dec 5, 2016 20:47
|
|
|
DuckConference posted:I don't, I was mostly speaking for myself personally rather than enterprise policy or something And you're still wrong. 2 factor for individuals is good. Even as just a defense in depth against phishing alone makes it worthwhile.
|
|
#
?
Dec 5, 2016 22:41
|
|
|
2FA for individual personal accounts is an incredibly good idea and a good thing in general. It's stupid and irresponsible to suggest otherwise.
|
|
#
?
Dec 5, 2016 22:49
|
|
|
CLAM DOWN posted:2FA for individual personal accounts is an incredibly good idea and a good thing in general. It's stupid and irresponsible to suggest otherwise. CLAM DOWN made a good and accurate post.
|
|
#
?
Dec 6, 2016 02:18
|
|
|
psydude posted:CLAM DOWN made a good and accurate post. Not the first time, and god willing not the last.
|
|
#
?
Dec 6, 2016 02:19
|
|
|
ty babes
|
|
#
?
Dec 6, 2016 03:03
|
|
|
Trabisnikof posted:And you're still wrong. 2 factor for individuals is good. Sure it's good in general. I mean I have it turned on for gmail. But why deal with the hassle for, say, dropbox when all of my bank accounts are protected with only 6 digit passwords and have no option for anything better? "I got keylogged and all my money is gone, but thank god they didn't get some random spreadsheets."
|
|
#
?
Dec 6, 2016 07:27
|
|
|
DuckConference posted:Sure it's good in general. I mean I have it turned on for gmail. But why deal with the hassle for, say, dropbox when all of my bank accounts are protected with only 6 digit passwords and have no option for anything better? "I got keylogged and all my money is gone, but thank god they didn't get some random spreadsheets." Having access to someone's Dropbox seems like a good way to get a keylogger on their computer. edit: Also, move to a better bank.
|
|
#
?
Dec 6, 2016 08:02
|
|
|
DuckConference posted:Sure it's good in general. I mean I have it turned on for gmail. But why deal with the hassle for, say, dropbox when all of my bank accounts are protected with only 6 digit passwords and have no option for anything better? "I got keylogged and all my money is gone, but thank god they didn't get some random spreadsheets." Because my information is worth more than [temporary, reversible] access to my bank account. You can open new bank accounts, new credit cards, and find and gain access to other accounts of mine through simple "social engineering" by logging into my Dropbox and make my world difficult for the foreseeable future. I don't really give a poo poo if you've managed to brute force my 6 digit bank password that must be in all lowercase because the worse that will happen is I'm stuck on the phone for a bit while they reverse the charges/suspend my account/what have you. e: No I don't keep a txt file in my Dropbox called SOCIAL_SECURITY_NUMBER.txt or anything silly like that. But if you were willing to spend a modicum amount of time you could probably find out who my parents and sisters are from things in my Dropbox, my friends even, and there's probably enough information in there to figure out how to contact these people and impersonating someone else in my circle until you get the information you're looking for. Not that I'm famous or important or anything but that doesn't excuse the possibility. Boris Galerkin fucked around with this message at 08:38 on Dec 6, 2016 |
|
#
?
Dec 6, 2016 08:35
|
|
|
flosofl posted:I inherited a pretty sensitive and integral piece of equipment when I worked at a large bank. The password was "Q1w2E3r4Y7u8I9o0", which, after glancing at a keyboard is about as stupid as it looks. My last corporate job, I poo poo you not, had a default password of something even more stupid along the lines of ACME321 where Acme was just the company's one word name and the 321 is not hyperbole. I'm loving serious. You're a new hire? Here's your exchange account. Here's your ssh access to the compute nodes/servers. Here's your offsite VPN account. All ACM321. Need to send sensitive data to customers? Just zip it up and password protect it (ACME321 was also the default go to here). Hell it wasn't even just us that did this because one time I had to upload some files to a customer (a top tier defense contractor) who provided us a secure ftp account on their servers. Except they gave us a password of something like ACME321-CUSTOMER and we passed a loving post it note around the office with the ftp server and this password written on it. (On the other hand some companies we worked with did request we have our IT guys encrypt everything onto enterprise grade hard drives and physically mail those as opposed to sending data ~via the cloud~ so it wasn't all bad .)
|
|
#
?
Dec 6, 2016 08:49
|
|
|
|
| # ? May 12, 2024 19:56 |
|
|
DuckConference posted:Sure it's good in general. I mean I have it turned on for gmail. But why deal with the hassle for, say, dropbox when all of my bank accounts are protected with only 6 digit passwords and have no option for anything better? "I got keylogged and all my money is gone, but thank god they didn't get some random spreadsheets." So 2FA is garbage because your bank uses an antiquated system? 
|
|
#
?
Dec 6, 2016 15:55
|
|
