Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
passwords are mostly harvested in 3 ways: [...] and from just plainly asking people for their passwords.

Simply asking for credentials works shockingly well. You need one bar of chocolade per password: https://orbilu.uni.lu/handle/10993/26214 (via https://www.heise.de/hintergrund/Passwort-gegen-Schokolade-3245447.html).

And it becomes much worse in an environment were people trust each other. Just today, a co-worker showed me a really old piece of paper with his/her current (Samba) Active Directory password, which would give me access to Windows, mails, calendar, vacation planner, and other systems. The account name is trivially firstname.lastname, so just handing out the password is sufficient to gain access. The password is really bad, it can be found in every dictionary, and just adds one non-alphanumeric character. To make things worse, we have just finished migrating our legacy Samba NT4 domain to Active Directory, including a mandatory password reset for all users. And people simply reuse their old, insecure passwords hidden under keyboards, desk pads, or in the top drawer. And the really, really worst part of that password: It was the default passwort for new accounts used for at least a decade.

I'm a developer, but one day every two weeks is reserved for admin work. I can get root/Administrator access on all machines, and so I could bypass all ACLs and Unix permissions. I would not need anyone's password to get access to all data. So handing out a personal password to me technically does not make things worse. But just the fact that co-workers hand out their password at all is wrong. I don't want to know their passwords, I don't want access to their data.

I would really like to hire a trustworthy friend to repeat the chocolade-for-password experiment at work. Followed by a mandatory password security training, after asking who has got a sweet present.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^5: Replacing crypt() for password login via a digest - looking for stronger alternative by afoken
in thread Replacing crypt() for password login via a digest - looking for stronger alternative by davebaker

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (3)
As of 2021-09-25 04:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?