gently caress you password policy! if my old password was good enough, my new password + an extra character is good enough!

PASSWORD INVALID
This password is invalid for one of the following reasons:
- Passwords must not contain more than 4 repeating characters
- Passwords must not contain your User or Client ID.
- Passwords must not contain a matching String of 4 consecutive characters from the old password.
Mar 1, 2017 17:50
Polio Vax Scene posted:gently caress you password policy! if my old password was good enough, my new password + an extra character is good enough! How does that policy work unless the system saves the password somewhere? Or at the very least it's saved in a manner that can be de-encrypted, right?
Mar 1, 2017 17:52
I think it reads the current form, it has old password, new password, repeat new password inputs.
Mar 1, 2017 17:59
Polio Vax Scene posted:I think it reads the current form, it has old password, new password, repeat new password inputs. That would be my guess as well. It can validate that the old password you entered matches the one-way hashed password, and it has it in plain text because you just told the form what it was so it could validate it. Then you can do whatever you want with the plaintext password, which is a really elegant way of doing it, if true.
Mar 1, 2017 18:26
The most infuriating is when different departments at the same company all mandate different and incompatible password requirements. Special characters over here but not over there being the most common.
Mar 1, 2017 18:37
Polio Vax Scene posted:gently caress you password policy! if my old password was good enough, my new password + an extra character is good enough! Poor thing, you can't use hunter3.
Mar 1, 2017 18:48
Polio Vax Scene posted:I think it reads the current form, it has old password, new password, repeat new password inputs. D'oh didn't think of that.
Mar 1, 2017 19:33
Jerk McJerkface posted:How does that policy work unless the system saves the password somewhere? Or at the very least it's saved in a manner that can be de-encrypted, right? If their company is like my company, they do save all the passwords somewhere, regardless of how many times I tell them that's a terrible idea. We have to cycle our passwords every month. Each time I do it, I try setting it to the first password I ever used to see if they're still holding onto it. It's been about a year and a half and I still can't use my first password, meaning it's just sitting somewhere. I've tried explaining that cycling passwords that often isn't even very secure, considering most people are just going to do poo poo like 'password1, password2, password3', but the business people like being able to tell auditors 'our entire company cycles passwords every month!'
Mar 1, 2017 19:41
If you're trying to re-use an identical password, they're just hanging on to the old hash. If you change one letter on an ancient password and it still complains, then yeah, there's probably a security WTF going on in there somewhere.
Mar 1, 2017 19:44
xzzy posted:If you're trying to re-use an identical password, they're just hanging on to the old hash.
Mar 1, 2017 19:54
anthonypants posted:It is insanely simple to check the text of the "Enter your old password" field without hashing, which is the same method they use to check if your new password meets complexity requirements. I understand that, I read the thread. I'm talking about them checking against ancient passwords that are 2+ password changes into history.
Mar 1, 2017 19:55
Today I found out that an SQL server is reachable via the internet. Devs were more concerned about being able to access it at home than "if this server is compromised the company will no longer exist due to litigation".
Mar 1, 2017 19:56
Polio Vax Scene posted:Passwords must not contain a matching String of 4 consecutive characters from the old password. No wait, I don't concede this. Checking against the entire password via hashing makes sense, but how does matching against your encrypted password tell you consecutive characters but not the entire thing? I don't see how that works.
Mar 1, 2017 19:59
Jerk McJerkface posted:No wait, I don't concede this. Checking against the entire password via hashing makes sense, but how does matching against your encrypted password tell you consecutive characters but not the entire thing? I don't see how that works. You have to type your old password in plaintext, then your new one.
Mar 1, 2017 20:06
Jerk McJerkface posted:No wait, I don't concede this. Checking against the entire password via hashing makes sense, but how does matching against your encrypted password tell you consecutive characters but not the entire thing? I don't see how that works. Hash 4 consecutive characters of an n-length password for n-3 extra hashes to store, assuming this was done from the beginning of your passwords. ... or store the password reversibly. It's pretty dumb and dramatically reduces the complexity you have to solve (even when properly salted/peppered), but it's possible to do this for older passwords.

Volmarias fucked around with this message at 20:33 on Mar 1, 2017

Mar 1, 2017 20:30
You are all vastly over complicating this. Most require you to put your old password in when you change to a new one. That's how that type of validation is done.
Mar 1, 2017 20:36
bull3964 posted:You are all vastly over complicating this. Most require you to put your old password in when you change to a new one. That's how that type of validation is done.

Please change your password!
Enter current password:
Enter new password:
Re-enter new password:

Check the old one's hash to make sure you're actually authorized to make the change, then check the typed old one against the new one to determine how much they match. No storing reversible passwords or hash fuckery necessary.
Mar 1, 2017 20:38
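The mechanism the last few posts describe, written out as an added example (not code from the thread or from the vendor whose error message started it): the change-password handler verifies the typed current password against a one-way hash, and only then runs the three policy rules from the quoted error message against the plaintext the user just submitted, which exists only for the lifetime of this request. It also shows xzzy's point about exact reuse of older passwords, which needs nothing more than a list of retired salted hashes. Assumptions: PBKDF2-HMAC-SHA256 as the hash, "more than 4 repeating characters" read as a run of five or more identical characters in a row, and the `Account` class, user ID and passwords are all constructed for the example.

```python
"""Password-change policy check without reversible password storage.

Constructed example. The three rules mirror the quoted error message; the
"run of identical characters" reading of rule 1 is an assumption.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a one-way, salted PBKDF2 hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def shared_substring(old: str, new: str, n: int = 4) -> Optional[str]:
    """First n-character window of `new` that also appears in `old` (case-sensitive)."""
    grams = {old[i:i + n] for i in range(len(old) - n + 1)}
    for i in range(len(new) - n + 1):
        if new[i:i + n] in grams:
            return new[i:i + n]
    return None


def policy_violations(new_pw: str, old_pw: str, user_id: str, client_id: str = "") -> list:
    """Apply the three quoted rules. `old_pw` is the plaintext the user just typed."""
    reasons = []
    if longest_run(new_pw) > 4:
        reasons.append("more than 4 repeating characters")
    lowered = new_pw.lower()
    if any(ident and ident.lower() in lowered for ident in (user_id, client_id)):
        reasons.append("contains your user or client ID")
    match = shared_substring(old_pw, new_pw)
    if match is not None:
        reasons.append(f"shares 4 consecutive characters with the old password: {match!r}")
    return reasons


class Account:
    """Constructed user record: current (salt, digest) plus retired hashes."""

    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self.salt, self.digest = hash_password(password)
        self.history = []  # (salt, digest) of retired passwords; exact-match reuse only

    def change_password(self, old_pw: str, new_pw: str) -> tuple:
        # 1. Authorization: the caller must know the current password (hash compare).
        if not verify_password(old_pw, self.salt, self.digest):
            return False, ["current password incorrect"]
        # 2. Policy: substring/run/ID checks use the plaintext from this form submission only.
        reasons = policy_violations(new_pw, old_pw, self.user_id)
        # 3. History: exact reuse of an older password is caught by retired hashes alone;
        #    substring overlap with passwords two or more changes back cannot be, which is
        #    why a system that does that is holding something reversible.
        if any(verify_password(new_pw, s, d) for s, d in self.history):
            reasons.append("matches a previous password")
        if reasons:
            return False, reasons
        self.history.append((self.salt, self.digest))
        self.salt, self.digest = hash_password(new_pw)
        return True, []
```

The point of step 3 is the one the thread circles around: a rejection of `oldpassword1` right after `oldpassword` proves nothing, because the form handed the server both strings in plaintext; a rejection of a 4-character overlap with a password from a year ago is the real tell.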
I must be in the matrix because I'm seeing stuff repeat constantly.
Mar 1, 2017 20:41
you ate my cat posted:Please change your password! Yes? That's kinda what I said. It's trivial to check for substring overlap with the previous password if you are required to submit it as part of a change. Now, if it's matching against a substring of 2+ passwords ago, then something odd is up.
Mar 1, 2017 20:50
Sorry, I was agreeing with you, and I totally didn't make that clear at all.
Mar 1, 2017 21:41
Today, in no particular order: Quickbooks, TeamViewer, Apple ID.
Mar 1, 2017 21:44
I got blindsided and dragged into a meeting by several managers an hour ago. This is about scans from lovely other site that fucks everything up. The scans all have problems some are extremely dark others are blurry messes. I get asked why the scanner has been this bad for 2 months. This is the first I've heard of it and ask why they took until now and they assumed I was aware. No one there speaks English but I send an email out in English and CC the site contact trying to get some info on why no one has been notified so it can get translated to Spanish and maybe someone will run it through Google Translate (running it through Google Translate before sending it is seen as rude). No one knows where site contact is, but someone else gets an interesting scan. You can clearly see a keyboard under the paper. I ask for the scan files, yup they are using their cellphones it's in the metadata. The scanner is attached to a dedicated computer because it's not networked (this was purchased by the site and I was asked to help get it working). I remote into the computer, scanner looks connected, scan folder is empty, they delete stuff after they retrieve it because multiple files confuses them apparently. I'm just pissed no one notified me of a problem with the scanner, or that they have a perfectly working scanner and are too lazy to walk up to it and produce readable documents. I'll buy them a network scanner if that's what it takes they should have a network scanner anyway.
Mar 1, 2017 21:44
Condolences if you have to deal with Apple IDs at work.
Mar 1, 2017 21:44
MiniFoo posted:Today, in no particular order: Quickbooks, TeamViewer, Apple ID. What's wrong with TV?
Mar 1, 2017 22:11
Samizdata posted:What's wrong with TV? Among other things, the ability for users to update the clients to 12.x when we're still only licensed for 11.x, meaning we can't connect to them due to incompatibility between those versions. Yes, I know end-users shouldn't have the capability to update/install anything, but that's a separate piece of poo poo-that-pisses-me-off. Thanks Ants posted:Condolences if you have to deal with Apple IDs at work. One of our customers has a plethora of iPhones and iPads, and one of my predecessors decided that instead of using Apple MDM, he'd just have everyone sign into each device with the same. loving. Account. As stupid as that sounds, a couple years ago it wasn't a huge problem, but then Apple changed the way iCloud device syncing worked in regards to messages and phone calls and contacts and god DAMNIT it was a shitshow for a while.
Mar 1, 2017 22:42
MiniFoo posted:Among other things, the ability for users to update the clients to 12.x when we're still only licensed for 11.x, meaning we can't connect to them due to incompatibility between those versions. Yes, I know end-users shouldn't have the capability to update/install anything, but that's a separate piece of poo poo-that-pisses-me-off. Suck. Sorry about that. There should be a settings lockout for that.
Mar 1, 2017 22:50
MiniFoo posted:One of our customers has a plethora of iPhones and iPads, and one of my predecessors decided that instead of using Apple MDM, he'd just have everyone sign into each device with the same. loving. Account. As stupid as that sounds, a couple years ago it wasn't a huge problem, but then Apple changed the way iCloud device syncing worked in regards to messages and phone calls and contacts and god DAMNIT it was a shitshow for a while. This was me for a school district. Apple totally dicked me over multiple times w/r/t iPad management.
Mar 2, 2017 00:02
MiniFoo posted:Among other things, the ability for users to update the clients to 12.x when we're still only licensed for 11.x, meaning we can't connect to them due to incompatibility between those versions. Yes, I know end-users shouldn't have the capability to update/install anything, but that's a separate piece of poo poo-that-pisses-me-off. Can confirm, this has been an issue going back to at least TV8.
Mar 2, 2017 00:07
We use teamviewer host pushed out via GPO to avoid that. However we still have some external clients with no domain infrastructure where this can be an issue.
Mar 2, 2017 01:06
Varkk posted:We use teamviewer host pushed out via GPO to avoid that. However we still have some external clients with no domain infrastructure where this can be an issue. Why the gently caress would you use Team viewer? What a horrible secfuck waiting to happen.
Mar 2, 2017 04:43
ratbert90 posted:Why the gently caress would you use Team viewer? What a horrible secfuck waiting to happen. At an MSP, it's a relatively cheap way to use a simple program that even users can figure out. For a while we had a website where they could just download a one use one way client. Then internal systems put a new version of that up before help desk had a license for the new version.... we use Kaseya for the most part now. Probably more secure, and requires no intervention from the user for us to remote in. Except for a few clients that have a prompt on the remote computer asking for access that some users always hit no on, even though YOU ARE LITERALLY ON THE PHONE TELLING THEM YOU ARE REMOTING IN
Mar 2, 2017 05:14
MANime in the sheets posted:At an MSP, it's a relatively cheap way to use a simple program that even users can figure out. For a while we had a website where they could just download a one use one way client. Then internal systems put a new version of that up before help desk had a license for the new version.... we use Kaseya for the most part now. Probably more secure, and requires no intervention from the user for us to remote in. And if it was some rando request they'd hit yes on it.
Mar 2, 2017 05:41
MANime in the sheets posted:At an MSP, it's a relatively cheap way to use a simple program that even users can figure out. For a while we had a website where they could just download a one use one way client. Then internal systems put a new version of that up before help desk had a license for the new version.... we use Kaseya for the most part now. Probably more secure, and requires no intervention from the user for us to remote in. It's a relatively cheap way to get a bunch of data stolen. It's a god awful idea to pass your/a client's desktop over to a third party server. No way no how gigantic infosec fuckup.

FlapYoJacks fucked around with this message at 17:14 on Mar 2, 2017

Mar 2, 2017 06:10
We run the Kaseya servers in house
Mar 2, 2017 06:25
MANime in the sheets posted:At an MSP, it's a relatively cheap way to use a simple program that even users can figure out. For a while we had a website where they could just download a one use one way client. Then internal systems put a new version of that up before help desk had a license for the new version.... we use Kaseya for the most part now. Probably more secure, and requires no intervention from the user for us to remote in. Was there ever a resolution to the teamviewer hack?
Mar 2, 2017 07:25
It was a bunch of people using the same email address/pass combo for LinkedIn and teamviewer. Coupled with some malware bundling it for remote access on victims around the same time.
Mar 2, 2017 07:59
lampey posted:Was there ever a resolution to the teamviewer hack? No idea. Last I heard, TV was saying they were not hacked, that it was people reusing passwords and stuff. Though that was the time we sort of moved away from it and only use it as a backup now. Edit: ^^well there you go.
Mar 2, 2017 07:59
We use Teamviewer to support our clients, how the gently caress else am I gonna be able to have an end user start a program while on a call and get to their desktop? I give them a link to download our QS and they give me the ID, done.
Mar 2, 2017 08:43
SEKCobra posted:We use Teamviewer to support our clients, how the gently caress else am I gonna be able to have a end user start a program while on a call and get to their desktop? I give them a link to download our QS and they give me the ID, done.
Mar 2, 2017 09:53
anthonypants posted:The TeamViewer persistent service is different from the TeamViewer QuickSupport app. QuickSupport is what I was talking about.
Mar 2, 2017 11:17