Author Topic: Moron where I used to work  (Read 4661 times)

Offline peewee_RotA

  • Brobdingnagian Member
  • ***
  • Posts: 4152
  • Hi, I'm from the gov'ment and I'm here to help you
Moron where I used to work
« on: March 03, 2010, 05:40:34 AM »
At one of my previous jobs I used to do tech support. At one point the entire IT department was led into a meeting in small groups with a newly appointed VP of security. The purpose of the little meetings was to discuss password strength and how to best enforce it. This is all well and good, but the way that this stunning genius went about it is awe-inspiring.

His idea was to take a copy of the central Windows password file and brute force it to test the password strength of everyone in the company. He let this run for 2 days and then he created an Excel spreadsheet containing all of those passwords once they were determined and saved a time for how long it took. He then sent copies of any password containing offensive language to VPs and presidents of each department who sent out disciplinary letters to every employee that used offensive passwords. The Windows password file, the brute force application (most likely riddled with viruses), and the spreadsheet all existed on his own work laptop that he transported between home and work often. This laptop was secured behind a single Windows password which would have been contained on that spreadsheet.

...Then this information security savant had the nerve to argue with me when I corrected his action of limiting people to no longer using offensive terminology and for sending that information to people's bosses. He especially got snippy when I quoted some IS books from college that disagreed with him.

That one action was SOOOO bad that it was the sole reason I left that company for my next job. The kicker to all of this: that company was a Fortune 100 financial institution. We're talking about risking untold numbers of other people's money by doing something like that.

 :ubershock:


And they reprimanded people for having offensive passwords.  :lolsign:



*EDIT* I may have posted this before but it's one of those things that bothers me enough to risk a duplicate post.
« Last Edit: March 03, 2010, 05:45:22 AM by peewee_RotA »
GOTO ROTAMODS (rocketgib)
GOTO ROTAMAPS (fireworks)
HappyFriar- q2server.fuzzylogicinc.com
 Tune in to the Tastycast!!!!  http://dna.zeliepa.net

Offline [BTF]Sigma

  • Phenomenally Prodigious Member
  • **
  • Posts: 3059
Re: Moron where I used to work
« Reply #1 on: March 03, 2010, 07:10:32 AM »
Wow. Yup, passwords are passwords. Going ahead and sharing how long it took to crack it seems acceptable. Just means the individual needs to add some variety to characters. Sounds like a power tripper.

Offline peewee_RotA

  • Brobdingnagian Member
  • ***
  • Posts: 4152
  • Hi, I'm from the gov'ment and I'm here to help you
Re: Moron where I used to work
« Reply #2 on: March 03, 2010, 08:11:28 AM »
> Wow. Yup, passwords are passwords. Going ahead and sharing how long it took to crack it seems acceptable. Just means the individual needs to add some variety to characters. Sounds like a power tripper.

No, he actually shared the real passwords with people.

And not just people's accounts but passwords to generic services that run processes and have insane admin rights on critical machines.
« Last Edit: March 03, 2010, 08:13:54 AM by peewee_RotA »

Offline QwazyWabbit

  • Carpal Tunnel Member
  • ******
  • Posts: 1377
Re: Moron where I used to work
« Reply #3 on: March 03, 2010, 09:25:44 AM »
This inDUHvidual has no clue. Disclosing those passwords and keeping them in a spreadsheet was simply beyond stupid. That his superiors allowed it to happen and took no action proves they are pointy-haired boss material. He clearly could have expired those passwords and forced a change without a meeting but the power-trip meeting was a hey look-at-me thing. Sounds like he discovered LC4 or L0pht toys and decided he was a security expert.

Our company has a 90 day expire and complexity requirement. I lost count of the times people have locked themselves out or forgotten their new password. The IT response is to reset the password to "password", leaving the account vulnerable until the user gets around to logging back in, forcing a reset to yet another forgettable password.

Offline peewee_RotA

  • Brobdingnagian Member
  • ***
  • Posts: 4152
  • Hi, I'm from the gov'ment and I'm here to help you
Re: Moron where I used to work
« Reply #4 on: March 03, 2010, 10:10:02 AM »
> Our company has a 90 day expire and complexity requirement. I lost count of the times people have locked themselves out or forgotten their new password. The IT response is to reset the password to "password", leaving the account vulnerable until the user gets around to logging back in, forcing a reset to yet another forgettable password.

A different place that I worked addressed this once. We blocked "password", "password1", "nameofthecompany1" and things like that so it forced all of us to come up with better methods.

I used a clever method based on date and name. It was something like day, excluding month, the current second on the clock, and the first three letters of the first name. The first two numbers were both arbitrary but being only 4 digits, it is easy to communicate over a phone.

I even once started deriving passwords based on lucky numbers listed on fortune cookies. As long as your formula never ties to the client then it's not guessable. You could use your own address or birthdate and it is not a security risk, just so long as the number doesn't tie back to the client who will use it.
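An added example, not part of any post in this thread: a blocklist check of the kind described in Reply #4, paired with a random, phone-readable temporary password for helpdesk resets in place of the fixed "password" described in Reply #3. The company name `examplecorp`, the extra blocklist entries, the minimum length and all function names are assumptions.

```python
import re
import secrets

COMPANY = "examplecorp"  # hypothetical company name (placeholder)
# Constructed blocklist: the thread's examples plus two common reset defaults.
BANNED_ROOTS = {"password", "welcome", "changeme", COMPANY}
MIN_LENGTH = 10  # assumed policy value

# Undo common character substitutions before comparing against the blocklist.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# No 0/o or 1/l/i, so the value survives being read out over a phone.
PHONE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(candidate: str) -> str:
    """Lowercase, drop a trailing run of digits/symbols, then undo leet."""
    lowered = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # "password2010!" -> "password"
    return stripped.translate(LEET)


def is_acceptable(candidate: str) -> bool:
    """Reject short values and anything built around a banned root.

    This checks length and the blocklist only; it is not a strength meter.
    """
    if len(candidate) < MIN_LENGTH:
        return False
    core = normalize(candidate)
    return not any(root in core for root in BANNED_ROOTS)


def temp_password(groups: int = 3, size: int = 4) -> str:
    """Random reset password from the OS CSPRNG, e.g. 'k7mq-x3hd-pw9r'."""
    while True:
        parts = ("".join(secrets.choice(PHONE_ALPHABET) for _ in range(size))
                 for _ in range(groups))
        candidate = "-".join(parts)
        if is_acceptable(candidate):
            return candidate
```

Because the temporary value is unique per reset, an account that sits unclaimed after a lockout is not protected by a string every employee already knows.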

Offline [BTF]Jehar

  • Swanky Member
  • *****
  • Posts: 777
  • Gee Gee or Whatnot.
Re: Moron where I used to work
« Reply #5 on: March 03, 2010, 12:17:22 PM »
I'm starting to work at a local ISP, and this sometimes involves setting up wifi networks in clients' houses. I'm wary of generating a new auth key for each home network, as this could easily become messy to keep track of and make sure the client knows about it. I'm considering having keys based in part by the router, and also by the manufacturer of their main box, and the first letter of the street they are on. This'll make something that's easy for me to derive if the key is ever lost, but wardrivers will have a hell of a time figuring it out.
Tastyspleen ==Tastyspleen.tv==! All Quake, All the Time

Offline [BTF]Sigma

  • Phenomenally Prodigious Member
  • **
  • Posts: 3059
Re: Moron where I used to work
« Reply #6 on: March 03, 2010, 12:18:27 PM »
My fav was to take a verse in a song that you can remember and use the first letters of the words as your characters. Modify the characters by substituting a few symbols/numbers for the letters and you have yourself a relatively safe password.

Offline Slayer :D

  • Sr. Member
  • ****
  • Posts: 426
Re: Moron where I used to work
« Reply #7 on: March 04, 2010, 06:30:12 AM »
My passwords are like this one (and this is NOT one I use!!!):

f^s7L2(fAAg_72

And no, it does not have any meaning to me. It is just random.

Offline [BTF]Sigma

  • Phenomenally Prodigious Member
  • **
  • Posts: 3059
Re: Moron where I used to work
« Reply #8 on: March 04, 2010, 07:20:41 AM »
But I'm sure the choderider mentioned above would have reported it as vulgar language had it been.

Offline Slayer :D

  • Sr. Member
  • ****
  • Posts: 426
Re: Moron where I used to work
« Reply #9 on: March 04, 2010, 07:54:59 AM »
OH NO IT HAS "faag" IN IT!!! :dohdohdoh: :uhoh:

 
