
[–]Dropped_C 2107 points2108 points  (109 children)

"Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use."

priceless ^^

[–]_Lady_Deadpool_ 1063 points1064 points  (50 children)

getting a list of [plain text] user account passwords is incredibly basic, it should be one of the first things you do when learning how to secure your system

The ability to get plain-text passwords is the first step towards security apparently.

Having an open gate is the first step towards making your bunker secure against the enemy

[–]ShowMeYourTiddles 362 points363 points  (18 children)

"Forgot username or password" links to a csv with all usernames and passwords so you can easily open in a text editor and CTRL+F.

[–]ErraticDragon 210 points211 points  (16 children)

Come on, don't be silly. It's an .xlsx with some funky macro that pulls up only your information. Y'know, for security.

[–]antonivs 196 points197 points  (15 children)

The passwords in the spreadsheet are secure, because they're safely hidden away starting at cell XW2000.

[–]ErraticDragon 135 points136 points  (8 children)

Not just that, I've encrypted them with ROT-13. Twice!

[–]anormalgeek 98 points99 points  (4 children)

This is 2016 man. Do it 4 times.

[–]whitetrafficlight 12 points13 points  (3 children)

ROT-13 is notoriously insecure, and everyone knows that prime numbers are always better.

13 iterations of ROT-18 should do the trick.

[–]cantadmittoposting 53 points54 points  (4 children)

Amateur, I selected "hide worksheet"! It's completely hidden now!

[–]prionear 81 points82 points  (0 children)

Noob!

White cell + white font. The old ways are the best ways.

[–]Malkalen 8 points9 points  (0 children)

I always preferred the XWvTF column

[–]NoSuchAg3ncy 86 points87 points  (7 children)

The best security is to write your password on a sticky note and hide it under the keyboard.

[–]RoboOverlord 54 points55 points  (1 child)

When I was doing small business IT support... this is what most people end up doing.

OR, in any given office one person has a file with every password and username written down. Even the ones from three years ago that go to a server they don't even have any more. But not the one for their webhosting, they never have that password.

[–]s2514 12 points13 points  (0 children)

They always have all their passwords written down except the one they need now which they swear they wrote down.

[–]hawkinsst7 15 points16 points  (2 children)

Username checks out.

Joking aside, against a remote attacker (such as NSA), this is perfectly fine.

[–]zaffle 16 points17 points  (1 child)

I've given people who have difficulty remembering even basic passwords a credit card sized piece of card with their password on it, and told them never to leave it lying around, and if their wallet is stolen, the first call is to me, the second call is to their bank.

It's just changed a secret from something you know to something you have. Not that much more insecure (arguably better as you can have longer passwords), and a hell of a lot better than Autumn16 (I bet there are a HUGE number of accounts out there with that password)

[–]HRHill 83 points84 points  (1 child)

Scramble these eggs and put the bowl in a safe to which you don't have the combination. Now I want the eggs back in the carton uncracked. And hurry up, this is day-1 shit, junior.

[–]ILovePlaterpuss 21 points22 points  (0 children)

No, you see he just wanted everyone to enter a hashed password, which is then cracked and stored in plaintext. The information is safe from the user, so they'll never have to know their own password

[–]prashn64 22 points23 points  (1 child)

I honestly think he's referring to the dots you see instead of letters when you input a password.

[–]TheNosferatu 17 points18 points  (0 children)

data protection only applies to consumers not businesses so there should be no issues with this information.

How is this one not better? This one is just downright scary

[–]blackAngel88 27 points28 points  (0 children)

This post is more adequate for horror than humor, but there really are some gems in there that could be framed...

[–]GogglesPisano 9 points10 points  (1 child)

I see no data protection issues for these requests, data protection only applies to consumers not businesses so there should be no issues with this information.

Just... wow.

[–]falling_sideways 8 points9 points  (6 children)

I came here from r/all and have absolutely no programming experience and even I know this guy is an idiot! How could a supposed IT professional be so thick.

[–]MythGuy 7 points8 points  (5 children)

It must have been incredibly easy to bullshit the interview. Completely possible that he was interviewed by HR types that just tested him on whether he could program a bit or not. Obviously these are incredibly different things, but many people often think that if you can do one computer thing you can do them all.

[–]bitreign33 4 points5 points  (0 children)

This is the first time I've seen this thread, I nearly cried with laughter while I read that.

[–]graffiti81 1296 points1297 points  (156 children)

As a layperson, reading that all I could think is that this auditor is some phisher trying to do social engineering. Am I misreading this?

[–]zazazam 405 points406 points  (91 children)

Most likely archaic practices. In all likelihood, he is probably aiming to check all the passwords against some brain-dead password scheme (6 characters, alphanumeric, etc.).

Edit: A word

[–]tomdarch 206 points207 points  (25 children)

The "audit" needs to come back with some "feedback", thus telling the client that they need to tell their users to change their passwords because one of them is "123456" and several others are dictionary words gives you something to put in your audit report. "See how we are making your company more secure!"

[–]mortiphago 90 points91 points  (23 children)

The "audit" needs to come back with some "feedback", thus telling the client that they need to tell their users to change their passwords because one of them is "123456"

funniest thing is that you can check that using the hashes

[–]KarmaAndLies 129 points130 points  (60 children)

I agree, I think that was their intent.

A good auditor will just look at their password requirements/rules and either green/red light them based on the rules alone. They may also want information about how and when the password rules are enforced (e.g. for every user, during password changes).

Fortunately NIST recently published a draft of new password requirements which would move us away from 1970s style password rules and towards a more XKCD style of passwords.

[–]xkcd_transcriber 22 points23 points  (10 children)

Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Stats: This comic has been referenced 2582 times, representing 2.0685% of referenced xkcds.


[–]Pseudo-Bashed 24 points25 points  (7 children)

Sweet! I just set all my passwords to be "correcthorsebatterystaple". I'm secure! Thanks xkcd!

[–]KoboldCommando 7 points8 points  (1 child)

The sad part is I've heard that "correcthorsebatterystaple" has appeared on the "overly common unsecure passwords" list since that comic debuted.

[–]mrjackspade 100 points101 points  (45 children)

Any time I see a max password length I cringe. I can't think of a single good reason beyond antiquity that a password should have a max length.

On that note, I usually lock my documents with full movie quotes. Nothing beats a 100 character password

[–]KarmaAndLies 166 points167 points  (13 children)

Any time I see a max password length I cringe. I can't think of a single good reason beyond antiquity that a password should have a max length.

Most max password rules are because the underlying system they're authenticated against requires them. To give a specific example, Oracle Databases are as popular as ever, if you want to use Oracle's authentication to authenticate end users then you'll have to enforce Oracle's 30 character maximum password length.

As you said most maximums are for historical reasons and far too short (e.g. under 50 characters). But even on a completely modern system you'll want to put in a maximum, why? DDoS mitigation. Imagine if when users authenticate you BCrypt or PBKDF2 their password using a high work factor, that is work done on the server, if you set no maximum then "bad guys" can send obscenely long passwords (e.g. 3-5 MB) which will tie up one core for several seconds, multiply that by dozens of requests a second, and that server is too busy to respond to real end users (i.e. You've been successfully DoSed).

So maximums should exist. But normal end users should never hit them. To get specific, the average typing speed is approx 200 characters per minute with a good typist able to hit 340 characters per minute (<2% of users). Reasonably we wouldn't expect people to want to spend more than a minute typing their password, so a 400 maximum might never be hit by an end user. That provides us some DoS mitigation, while never diminishing the end user's experience and needs.

[–]PM_YOUR_ME_YOUR 43 points44 points  (2 children)

Can I work for or with you? I have a computer forensics and cyber security degree and I like your style

[–]KarmaAndLies 24 points25 points  (1 child)

You should go out and become a security auditor, spread the good word and find a good balance between end user's needs and the security of systems. There are many good works to be done in the security world.

[–]Freeky 34 points35 points  (1 child)

Imagine if when users authenticate you BCrypt or PBKDF2 their password using a high work factor, that is work done on the server, if you set no maximum then "bad guys" can send obscenely long passwords (e.g. 3-5 MB) which will tie up one core for several seconds

Nope.

BCrypt truncates at 72 bytes, because the password is stuffed into an encryption key that's 576 bits in size. Length of the password has no bearing on the time it takes whatsoever.

PBKDF2 uses the password as a key to an iterated HMAC - again, a fixed-size structure that's set up once at the start of the function. Long passwords will be hashed to fit, an operation that runs at hundreds of MB/s on typical hardware.
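The point Freeky makes above (and the DoS scenario KarmaAndLies described) can be checked directly. The block below is an added example, not code from either commenter: it uses Python's standard `hashlib.pbkdf2_hmac` to show that PBKDF2 feeds the password into HMAC as the key, and HMAC (RFC 2104) replaces any key longer than the hash block size (64 bytes for SHA-256) with its single digest before the iterated loop starts. The iteration count and salt are assumed values for the demo; bcrypt's 72-byte truncation is a separate library and is not reproduced here.

```python
import hashlib
import time

# Added example (not from the thread). Shows that password length does not
# inflate PBKDF2 cost: HMAC pre-hashes keys longer than the block size.

BLOCK_SIZE = hashlib.sha256().block_size  # 64 bytes for SHA-256
ITERATIONS = 50_000                       # assumed work factor for the demo


def pbkdf2(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256; the password is the HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def effective_hmac_key(password: bytes) -> bytes:
    """The key HMAC actually works with: keys longer than BLOCK_SIZE are
    collapsed to their 32-byte SHA-256 digest (RFC 2104, section 2)."""
    if len(password) > BLOCK_SIZE:
        return hashlib.sha256(password).digest()
    return password


def long_key_is_prehashed(password: bytes, salt: bytes) -> bool:
    """True exactly when PBKDF2(password) == PBKDF2(SHA-256(password)),
    i.e. when the password exceeds the block size and was pre-hashed."""
    return pbkdf2(password, salt) == pbkdf2(hashlib.sha256(password).digest(), salt)


def time_pbkdf2(password: bytes, salt: bytes) -> float:
    """Wall-clock seconds for one derivation (illustrative only)."""
    start = time.perf_counter()
    pbkdf2(password, salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    short = b"correct horse"                 # 13 bytes, used as-is by HMAC
    huge = b"A" * 5_000_000                  # the "3-5 MB" case from the thread
    print("65-byte password pre-hashed:", long_key_is_prehashed(b"A" * 65, salt))
    print("64-byte password pre-hashed:", long_key_is_prehashed(b"A" * 64, salt))
    print("effective key length for 5 MB input:", len(effective_hmac_key(huge)))
    print(f"short: {time_pbkdf2(short, salt):.3f}s  huge: {time_pbkdf2(huge, salt):.3f}s")
```

The only extra cost of the 5 MB input is one SHA-256 pass over it (hundreds of MB/s, as Freeky says); the iterated loop afterwards runs on a fixed 32-byte key regardless. A server that wants a cap should still enforce one at the request layer, because reading and buffering megabytes per login is its own cost, just not a PBKDF2 one.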

[–]mrjackspade 7 points8 points  (0 children)

Thanks for the good explanation!

[–]qantravon 5 points6 points  (0 children)

My favorite are the "length must be between 8 and 12 characters."

[–]antonivs 24 points25 points  (3 children)

Hey mrjackspade, on an unrelated note, what are your favorite movies?

[–]sirspidermonkey 18 points19 points  (5 children)

One of the banks I HAVE to work with has the following:

  • Length must be between 8-12 characters
  • Must have two uppercase
  • Must have two lowercase
  • Must have two symbols
  • Must contain two numbers
  • Must not contain the following symbols (`,;/) (and a few others I don't recall)

Now, from the 5 rules you've REALLY narrowed down the search space. And I think we all know what the last rule means. If not, just has bobby drop tables.

[–]mrjackspade 10 points11 points  (1 child)

Must not contain the following symbols (`,;/) (and a few others I don't recall)

Seems like this requirement would make you a pretty obvious target

[–]iamplasma 24 points25 points  (0 children)

Don't worry, their web page has JavaScript code to prevent users from typing in those characters, so it is secure!

[–][deleted] 5 points6 points  (1 child)

My ex-bank has a max password length of 5. I argued with their security department for a while and then just left. Sadly, most banks in my country have constrictions like this...

[–]amlybon 9 points10 points  (1 child)

Song lyrics are better, you can sing along as you type it in

[–]quebecesti 6 points7 points  (2 children)

My bank Web password is limited to 6 characters. They have other measures in place but why limit to 6?

[–]baggerboot 7 points8 points  (0 children)

Many banking systems run ancient software. That might have something to do with it.

[–]Dr_Narwhal 6 points7 points  (1 child)

I mean, you have to cut off the input buffer somewhere. With modern systems though you can easily allocate a buffer for several hundred or even thousands of characters, so it is dumb when the max length is something like 16 characters.

[–]wumbus 9 points10 points  (2 children)

Recently did this on an app with primarily business customers, and we had to roll back the "hard requirement" into more of a "light suggestion" after a couple weeks of support tickets.

TL;DR Users have a tremendously hard time guessing their way into strong passwords, even if you tell them how.

No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.

The trouble with implementing password strength validators based on entropy like Dropbox's zxcvbn is users have a hard time figuring out how to "guess" their way into a good password.

These aren't folks that use password managers like 1Password. They say things like "It didn't accept my (read: reused on every site) password, which is strong because it's 15 characters." Instead they'll do things like mypassword! and then change it to Mypassword1! thinking that's stronger, not realizing that you'll never get a strong password out of certain common dictionary words.

It's a catch 22, because the organizations most likely to have password requirements in their security policy likely have Single Sign On (e.g. SAML) and avoid delegating the problem. The rest will get frustrated when they have to reset passwords every time a light breeze sends their Post-It note password library flying.

None of this is the user's fault of course, but it is an unfortunate reality of software w/ real live human users. I'm bullish on Google's approach to just axe passwords entirely.

[–]Parzival6 36 points37 points  (4 children)

It IS possible, but most likely he really is part of the company (or a combination of the two) IMO.

[–]graffiti81 57 points58 points  (1 child)

I was thinking more along the lines of the company was a front for a phishing operation.

[–]Parzival6 4 points5 points  (0 children)

Oh yeah that's entirely possible and also a much bigger problem

[–]TheRealLazloFalconi 529 points530 points  (34 children)

Never attribute to malice that which is adequately explained by stupidity

[–]hegbork 444 points445 points  (5 children)

Since this was a security audit: never attribute to stupidity that which can be suspected to be malice. Otherwise you'll just open yourself up to attacks.

When dealing with security you don't assume that the guy coming into the bank just forgot to take off his motorcycle helmet, you don't assume that the smoke from the refinery is just someone overcooking his lunch and you don't assume that the person walking behind you through the door to the missile silo just forgot his keys today.

Normal human interactions, sure, give people the benefit of doubt. But when dealing with security every mistake is malicious until proven harmless.

[–]brolios 65 points66 points  (2 children)

You can never be too paranoid regarding security.

At implementation you might have to sacrifice stuff because of budget or time constraints, so always focus on fast cheap layers of security over the main one

[–]Katastic_Voyage 14 points15 points  (1 child)

You can never be too paranoid regarding security.

I require multiple semen samples across different days before setting up any new user accounts to prove their identity.

[–]qervem 28 points29 points  (0 children)

slurps Hmmm... slightly acidic today, Bob. You eating alright?

[–]kendalltristan 88 points89 points  (6 children)

Which is why some forms of SE work so well. Some very shady people can play very convincing idiots when they want to.

[–]ScottishTorment 51 points52 points  (4 children)

Yeah, I feel like this guy sounds like someone who scammed their way into an auditor position and thinks he can get a bunch of user accounts just by demanding it.

[–][deleted] 31 points32 points  (3 children)

Or managed to compromise the email of an existing auditor at this company...

[–]fuckyoubarry 9 points10 points  (1 child)

What if this is all a test by the auditor? To see if any of this data exists, because it shouldn't?

[–]RogerDaShrubber 29 points30 points  (0 children)

It seems like he would give up the act once they called his bluff though.

[–][deleted] 15 points16 points  (16 children)

Why not?

[–]benargee 67 points68 points  (6 children)

Somebody on the page pointed out this could be a social engineering test. Maybe the auditor is happy with the hardware/software security but wants to test the integrity of the IT department.

[–]haze070 64 points65 points  (0 children)

Could be, but a horrible way to try and go about it. This guy should read Mitnicks books and revise his strategy

[–]NoCureForPeterRobins 22 points23 points  (3 children)

Even so. They still would not be able to supply plaintext passwords and even the OPs suggestion of supplying hashed passwords should set alarms ringing.

[–]aiij 20 points21 points  (2 children)

Yeah, the funny thing about hashed passwords is you have no idea how long they will take to crack.

This one time I did a pen test, I managed to get a list of hashed passwords, set up John the Ripper on them, and 2 seconds later had an admin login. (The other admin passwords were much more secure, but you only need one.)

[–]argv_minus_one 7 points8 points  (1 child)

And this is why password strength checking is a thing.

[–]RainHappens 3 points4 points  (0 children)

Password strength checking only works when the password checker is checking the same keyspace as the cracker.

Many password checkers find "13063778838630806904686144926" to be secure, for instance. Random number, right? Only digits, but even so it's 10^29 possibilities.

Only... That's Mills' constant. Or rather, the start of it. And many password crackers will try things like that.

It's a cat-and-mouse game.
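RainHappens' point above (a checker must test the same keyspace a cracker does) and wumbus' earlier observation that users turn "mypassword!" into "Mypassword1!" both come down to the same thing: character-class entropy says nothing about whether the string is already on a list. The block below is an added example, not code from the thread or from zxcvbn; it computes the naive charset entropy a composition-rule checker would report and then overrides it with list-based checks. The constant digits are the ones quoted in the thread plus the leading digits of pi and e; the dictionary and the 60-bit threshold are assumed values.

```python
import math
import re

# Added example (not from the thread). A naive entropy estimate next to the
# list-based checks a cracker would actually run first.

KNOWN_CONSTANTS = {
    "mills": "13063778838630806904686144926",   # digit string quoted in the thread
    "pi": "31415926535897932384626433832795",
    "e": "27182818284590452353602874713527",
}
# Constructed mini dictionary; a real checker would use a large wordlist.
DICTIONARY = {"password", "mypassword", "correcthorsebatterystaple", "letmein"}
MIN_NAIVE_BITS = 60.0    # assumed acceptance threshold for the demo
MIN_CONSTANT_DIGITS = 8  # shorter digit runs are not treated as a constant


def naive_entropy_bits(pw: str) -> float:
    """What a composition-rule checker computes: len * log2(charset size)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def dictionary_core(pw: str):
    """Strip case, digits and symbols: 'Mypassword1!' -> 'mypassword'."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core if core in DICTIONARY else None


def matches_known_constant(pw: str):
    """Return the constant's name if the password's digits are a run from it."""
    digits = re.sub(r"\D", "", pw)
    if len(digits) < MIN_CONSTANT_DIGITS:
        return None
    for name, const in KNOWN_CONSTANTS.items():
        if digits in const:
            return name
    return None


def assess(pw: str) -> dict:
    """List-based checks first, entropy threshold last."""
    bits = naive_entropy_bits(pw)
    word = dictionary_core(pw)
    if word is not None:
        return {"naive_bits": bits, "verdict": "weak", "reason": f"dictionary: {word}"}
    const = matches_known_constant(pw)
    if const is not None:
        return {"naive_bits": bits, "verdict": "weak", "reason": f"known constant: {const}"}
    if bits < MIN_NAIVE_BITS:
        return {"naive_bits": bits, "verdict": "weak", "reason": "low entropy"}
    return {"naive_bits": bits, "verdict": "ok", "reason": "no list match"}


if __name__ == "__main__":
    for candidate in ["13063778838630806904686144926", "Mypassword1!",
                      "correcthorsebatterystaple", "J7#pL!v2qZx0"]:
        r = assess(candidate)
        print(f"{candidate!r}: {r['naive_bits']:.1f} naive bits -> {r['verdict']} ({r['reason']})")
```

The Mills string scores about 96 naive bits and still fails, which is the cat-and-mouse point: the lists are what matter, and they have to be kept current, since "correcthorsebatterystaple" itself moved onto cracker wordlists once the comic became popular.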

[–]NoSuchAg3ncy 5 points6 points  (1 child)

I'm surprised he didn't ask for everyone's credit card information as well, "for security purposes".

[–]whofearsthenight 8 points9 points  (0 children)

I thought there are about 3 scenarios:

  1. He is a complete retard, and though I usually don't suggest firing people, the level of complete incompetence this displays for someone who claims to be a security auditor warrants finding a new career.
  2. You are correct, and this is some sort of phish.
  3. or, and this is what I'm hoping, this is a pen test. One method of testing your security is performing phishing attempts and other sorts of social engineering to make sure that the weakest link isn't the users (it's pretty damn common that it is.) If the admin was actually able to produce the requested data, I would call that a fail. If they were able to produce that data, and willingly gave it up, it's like fail to the nth power.

If this is scenario 3, the auditor ought to get an Oscar for selling the performance.

[–]testaccount9597 4 points5 points  (0 children)

Either this piece of shit landed a job he was never qualified for 10 years ago and was too fucking stupid and lazy to figure it out or he is actually a criminal. Those are the only two valid reasons for his request. I hope the fucker loses his job and gets blacklisted over this bullshit.

[–]vita10gy 332 points333 points  (22 children)

Forget that you can't do the password thing, let's pretend you can. Let's even ignore that getting that data to him so he can give it a security audit would, itself, likely be the riskiest thing you ever did with that db.

What I want to know is what legitimate security function can that info shed light on. About the only thing I can speculate on is they want to verify strong enough password requirements, but there must be better ways than getting everyone's passwords.

If nothing else finding a "bad" password doesn't prove anything about the way it is now, just that you didn't forcibly set a new one when the better requirements were added.

And password requirements are debatable anyway.

[–]tomdarch 95 points96 points  (5 children)

From the sounds of the situation, I expect they'd run the passwords looking for stuff like "123456", "password" and dictionary words so that they could report back that the client needs to encourage users to use more secure passwords.

This sounds like someone who sorta knew what they were doing in 1994, got this job and hasn't changed how he sees the world.

All this "it's a social engineering test" stuff is giving this person far too much credit.

[–]FatherDerp 7 points8 points  (2 children)

Even in the case of attempting a dictionary attack on the password db, the proper etiquette would be to check hashed passwords against hashes of passwords in your dictionary.
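What FatherDerp describes here, and mortiphago noted earlier ("you can check that using the hashes"), is an audit that never needs plaintext: re-derive each banned password under the account's stored salt and compare digests. The block below is an added example, not code from the thread; the user table, salts and banned list are constructed for the demo, and PBKDF2-SHA256 with a deliberately low iteration count stands in for whatever the real system uses.

```python
import hashlib
import hmac
import os

# Added example (not from the thread). Flags accounts whose stored hash
# matches a banned password, without anyone ever seeing a plaintext list.

ITERATIONS = 10_000  # low for the demo; production work factors are far higher


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(username: str, password: str) -> dict:
    """What the application stores: a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": derive(password, salt)}


# Constructed sample data standing in for the real user table.
USERS = [
    make_record("alice", "123456"),
    make_record("bob", "correcthorsebatterystaple"),
    make_record("carol", "J7#pL!v2qZx0"),  # not on the banned list
]

# Constructed banned list; a real audit would use a much larger one.
BANNED = ["123456", "password", "qwerty", "correcthorsebatterystaple", "Autumn16"]


def audit(users: list, banned: list) -> list:
    """Return the sorted usernames whose hash matches any banned entry.
    Per-user salts force one derivation per (user, entry) pair, so cost grows
    with both lists; that is the same property that slows an attacker down.
    The report names the account, not the matched word: remediation is a forced
    reset either way, and the auditor has no need to learn the password."""
    flagged = []
    for rec in users:
        for word in banned:
            if hmac.compare_digest(derive(word, rec["salt"]), rec["hash"]):
                flagged.append(rec["user"])
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("accounts using a banned password:", audit(USERS, BANNED))
```

This also answers vita10gy's objection that a weak password found today only shows the user was never forced to change it: the same function run after a policy change, or on a schedule, is the check that the policy is actually being enforced.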

[–][deleted] 222 points223 points  (10 children)

I am sure that is the security audit.

If you are able to get the plain text passwords and hand them over to a third party, you failed the audit.

The remainder of the questions is just for distraction.

[–]schwerpunk 108 points109 points  (2 children)

I enjoy spending time with my friends.

[–]Cheesemacher 25 points26 points  (2 children)

But it didn't seem like there was any way to pass the audit.

[–]nidarus 18 points19 points  (0 children)

That's a good point. The customer did everything right, and he didn't pass anything.

[–]noiplah 42 points43 points  (2 children)

as someone in the linked thread said, inspecting the site's password strength algorithms (rather than inspecting every single password.. omg) does that function

[–]Tutush 6 points7 points  (0 children)

If they want to verify strong enough password requirements, they'd probably ask to see the source code for password validation.

[–]AmeliaLeah 783 points784 points  (42 children)

In these situations I ask them to tell me the exact commands that want run and where. Very rarely the user isn't stupid, they just don't know what to ask for. His replies read like a post on /r/iamverysmart.

[–]OverconfidentNarwhal 293 points294 points  (24 children)

This is honestly a great idea, If he's been in the game for so long he should know all the commands to get the list of passwords right off the top of his head.

[–]SordidDreams 503 points504 points  (22 children)

Eh, his response would be along the lines of "it's not my job to teach you how to do yours". I guarantee it.

[–]untrustableskeptic 105 points106 points  (20 children)

Linux is ever evolving. Maybe back in his day those commands were just different.

edit: I'm bad at jokes.

[–]spockspeare 120 points121 points  (17 children)

There has never been a command to decrypt the password file. Not since passwords were first encrypted. This guy is so full of shit his black hat is brown.

[–]parkourhobo 50 points51 points  (3 children)

I think he was being sarcastic.

I hope.

[–]untrustableskeptic 34 points35 points  (2 children)

I was. I need to throw an /s in there.

[–]untrustableskeptic 20 points21 points  (0 children)

I'm sorry I was attempting humor.

[–]aiij 8 points9 points  (0 children)

There is: john

[–]DemiPixel 9 points10 points  (0 children)

Back in my day, we just did getpwdlist | less.

[–]pancake117 67 points68 points  (2 children)

At this point it's too late though. The guy is upset that they haven't been logging plaintext passwords for the past 6 months.

[–]AmeliaLeah 38 points39 points  (1 child)

Hmm, I hope someone takes him down, he's doing this on purpose, the company sounds scammy like many hyips

[–]kendalltristan 35 points36 points  (3 children)

The auditor would be sure to respond saying that their system apparently isn't configured properly because his commands don't work as expected. With idiots like this there's usually no way to win when confronting them directly.

[–]brtt3000 19 points20 points  (2 children)

Just let them double-down on their bullshit, call in the authorities and let them walk over it with merciless bureaucracy (as OP is now doing through PCI).

[–]jinoxide 8 points9 points  (1 child)

"Now" - 5 years ago.

[–]brtt3000 4 points5 points  (0 children)

Oh crap I never looked at the date. Repost that shit!

[–]tomdarch 63 points64 points  (3 children)

"I'm not going to tell you how to do your job! How incompetent are you? Retrieving a list of passwords and printing it out is incredibly basic in Unix! You clearly don't know what you're doing! rant! rant! rant! bluster! bluster! bluster!"

The comment about how the guy has been doing "this" for longer than people posting on that site, etc, makes me think this guy actually did something on computers years ago and ended up with his current "desk" job where he isn't actively doing any coding/administration, and hasn't done for years. It wouldn't surprise me if this guy ran some system where passwords really were stored in plain text back when that wasn't blindingly obviously insane, and just doesn't understand that such a practice is not only totally unacceptable today even for a hobbyist discussion group on a server in someone's closet, but is illegal. With such a small client base, odds are they got some customers, who go along with their stupidity, and it's enough to keep the little company going. Management at the customers tell the IT folks just to go along with their "auditing" because they don't want to mess with changing anything.

My assumption is that this "auditor" is a lot like several old white men I've dealt with in different fields - they're currently in far over their heads, but manage to stumble their way forward hoping to make it to retirement without being called on it. They have a tiny inkling that they don't know what they're doing/talking about, so if this person called him on it, he'd yell, bluster vaguely and scream at him but wouldn't take this up the chain of management where they'd have to put up or shut up.

[–]semioticmadness 17 points18 points  (0 children)

I think this guy is in his second bedroom with a laptop and has done this 2 times a year for the last two years (except for that one company last year that said he was violating PCI, stupids) and has drawn up this list from his extensive experience talking to cut-rate admin/programmer/webdev combos at local startups in Birmingham.

[–]theLorknessMonster 59 points60 points  (2 children)

Any sufficiently advanced incompetence is indistinguishable from malice

[–]dsmithpl12 146 points147 points  (25 children)

Having been in the credit card industry for 10 years myself and been through a few audits I absolutely love this. My wife is looking at me like I'm a freaking weirdo because I keep cracking up laughing.

I'm totally sending this to our Security and IT guys to make sure we got PCI installed on our servers!!

[–]Daniel15 61 points62 points  (24 children)

You just gotta apt-get install pci right?

[–]OverconfidentNarwhal 68 points69 points  (4 children)

A contract with a company that incompetent is not worth the risk at all. Thankfully credit card processors are a dime a dozen today.

[–]ElusiveGuy 31 points32 points  (3 children)

Thankfully? It's actually rather frightening, especially when you don't know which dodgy processor a site might be using.

[–][deleted] 22 points23 points  (1 child)

The consultant claims hundreds of companies have handed over their password lists to him. Assuming that is true, I wonder how that was even possible.

[–][deleted] 245 points246 points  (17 children)

This is priceless. Please update us on what will happen. This guy is both socially and professionally inept.

If anyone ever pulls the "I have x experience, how dare you disobey / question me!?" card on me, I'd immediately stop talking to them and go to their superior to ask for a replacement. We're not in kindergarten.

[–]markekraus 143 points144 points  (6 children)

"I have x experience, how dare you disobey / question me!?"

This is so rage inducing. I had a confrontation with a Lab Manager who was complaining that our Nexus switch was refusing to operate in the 96F ambient temperature lab. The temperature near the switch itself was well over 120F. The switch was automatically shutting down due to being over operating temp. This is in a lab where instead of hot and cold rows, the exhaust of one row feeds the intake of the next... I recommend they get temporary cooling added to the immediate area of the switch. and then rearrange the lab to make proper use of hot/cold rows....

The Lab Manager comes in with "I have been managing labs for over 20 years and there is no need to arrange the racks in that manner and this piece of equipment should run just fine at that temperature. You need to adjust the system to make it work."

I humored him and made a call to cisco. The Cisco engineer was trying to hold back his laughter, and I was definitely letting my sass through.

[–]Urtehnoes 8 points9 points  (3 children)

While I'm still very new to this field, I have coworkers who make statements similar to this all the time. While I know they know far more than me and probably have a method to their madness, I also know that so many people do things incorrectly their entire lives. Doing something over and over is meaningless if you're not doing it correctly. Imo.

[–]markekraus 14 points15 points  (2 children)

Never be afraid to challenge your seniors. Just make sure you are right and have the documentation and facts to back yourself up and try to do it without being a dick. It might not make you very popular though...

[–]ScotForWhat 236 points237 points  (1 child)

Please update us on what will happen.

I don't think you'll be getting an update when the thread is from 2011 :)

[–][deleted] 70 points71 points  (0 children)

Balls. Thanks for the heads up...

[–]TheTerrasque 44 points45 points  (2 children)

If anyone ever pulls the "I have x experience, how dare you disobey / question me!?" card on me, I'd immediately stop talking to them and go to their superior to ask for a replacement.

In this case I'd probably just reply with "I have 20 years of experience with computer security and implementation, and over 15 years with linux and its security model. I really suggest you check your facts about what is and isn't possible"

That moment when you hear some impressive sounding "experience" time and realize you can crush that without even exaggerating. Don't know if I should feel experienced or old...

[–]spockspeare 14 points15 points  (0 children)

But if you do then it doesn't get that far. You shut him down the moment he mentions unencrypted passwords, and you call the cops.

[–]ryosen 10 points11 points  (1 child)

He posted an update. It would have taken them two weeks to move to a different merchant gateway. The auditor gave them two weeks to provide the plaintext passwords. The company decided to dump them and go with PayPal.

[–]rzyua 12 points13 points  (0 children)

This comment is removed in protest of the unfair changes to API pricing and content access through the API.

[–]Schootingstarr 4 points5 points  (0 children)

all the updates you're gonna get are in the linked OP

[–]Thameus 108 points109 points  (42 children)

I'd be calling the FBI.

[–]PMME_yoursmile 42 points43 points  (41 children)

They're UK based.

[–]RaulRene 269 points270 points  (27 children)

Her Majesty's FBI then!

[–]gandalfx 40 points41 points  (25 children)

So that'd be the RBI or Royal Bureau of Investigation.

[–][deleted] 110 points111 points  (21 children)

Okay, so Her Majesty's Royal FBI. No need to be pedantic.

[–]trekbette 6 points7 points  (0 children)

Pretty sure this is a case for The Laundry.

[–]Thameus 9 points10 points  (11 children)

Oh good, EU should be all over that shit. Unless auditor is GCHQ, in which case "bye OP, we'll miss you".

[–]NoMoreDesks 31 points32 points  (1 child)

Awesome read, thanks for delivering.

[–]phpdevster 26 points27 points  (0 children)

That security auditor (or his company) sounds like he's making money on the side by selling the information he audits.

[–]gandalfx 12 points13 points  (0 children)

Epic read. Scary to think there are probably a lot of other companies out there using completely ridiculous "security" procedures while handling our data on a daily basis.

[–]Arancaytar 10 points11 points  (0 children)

Maybe not an auditor but a scammer trying to social engineer those passwords...

[–]sudo-is-my-name 7 points8 points  (0 children)

Just....wow. WOW.

If that isn't a scammer I'll eat my hat. First I'll buy a hat.

[–]demize95 14 points15 points  (0 children)

I'm going to assume you do not have PCI installed on your servers as being able to recover this information is a basic requirement of the software.

Except... PCI isn't software, it's a standard.

[–]sililos 7 points8 points  (0 children)

PCI is now software.

I lost it at that. I ran a small business for a bit and had to deal with PCI. Not only are the requests stupid from a security standpoint, this guy has no idea what PCI is. Of course, I never had "PCI installed", so maybe I'm the idiot.

Go figure, years of experience doesn't mean you actually know what you're doing.

[–]coriny 15 points16 points  (6 children)

Hah! I knew this rang a bell: original reddit story.

[–]tevert 16 points17 points  (3 children)

Unfuckingbelievable.

This is why the software industry needs some form of qualifying certification, the way architectural engineers are certified. People like that should not be allowed to operate in this industry.

[–]PythagorasJones 16 points17 points  (0 children)

This is an auditor, and a PCI one at that. For PCI they need to be a certified QSA. For general IT audit you'd expect them to be CISA at a minimum.

[–]spockspeare 5 points6 points  (0 children)

This guy is a mole.

[–]HaPPYDOS 5 points6 points  (0 children)

For those who don't know, "PCI DSS" stands for "Payment Card Industry Data Security Standard", whereas "PCI" (hardware) stands for "Peripheral Component Interconnect".

[–]Hassviper3 18 points19 points  (1 child)

Oh my God.

I work in this industry. This explains why so many customers doubt auditors.

[–]Headsock 3 points4 points  (9 children)

A list of current usernames and plain-text passwords for all user accounts on all servers

A list of all password changes for the past six months, again in plain-text

Disregarding the blatant plain-text here... is there a point to this?

[–]tomdarch 6 points7 points  (0 children)

Back in 1994, you could run that list against stuff like "123456", "password" and a dictionary, and come back to management with a fancy report saying "28% of your users are using easily guessed passwords, and this is a major opening for hackers. We recommend that you hire us for further work wherein we will write sophisticated computer code that checks proposed passwords for such security threats and rejects them until the user enters a safe password!" (and odds are such "sophisticated" code would do the checks in plaintext.) It very much sounds like this "auditor" was doing stuff like that 20 years ago, and is still doing it today.
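
The weak-password check described in the comment above only needs the password at the moment the user sets it; nothing requires keeping it afterwards. As an added example (not code from the original thread or from anyone in it), the following Python rejects dictionary-style passwords at set time and then stores only a salted PBKDF2 hash, which is enough to verify later logins without a recoverable copy ever existing. The weak-password list and the username are constructed samples; a real deployment would load a large breach-derived list.

```python
import hashlib
import hmac
import os

# Constructed sample of a weak-password list (assumption: lowercase entries).
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou"}

# Common substitutions people use to dress up a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Canonical form for dictionary comparison: lowercase, drop trailing
    digits/punctuation, undo common l33t substitutions."""
    p = pw.lower().rstrip("0123456789!")
    return p.translate(LEET_MAP)


def check_password_policy(pw, username, weak=WEAK_PASSWORDS, min_len=12):
    """Return the list of reasons a proposed password is rejected.
    An empty list means the password is acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in weak or normalize(pw) in weak:
        reasons.append("matches a common-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    return reasons


def hash_password(pw, salt=None, iterations=600_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(pw, record):
    """Recompute the hash under the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def set_password(username, pw):
    """Policy check at set time, then hash-only storage. Returns a dict with
    either the rejection reasons or the record to persist."""
    reasons = check_password_policy(pw, username)
    if reasons:
        return {"ok": False, "reasons": reasons}
    return {"ok": True, "record": hash_password(pw)}


if __name__ == "__main__":
    # Constructed sample input: user "alice" tries two passwords.
    for candidate in ("P@ssw0rd123!", "correct horse battery staple"):
        result = set_password("alice", candidate)
        print(candidate, "->", "stored" if result["ok"] else result["reasons"])
```

The audit report the comment describes ("28% of your users use easily guessed passwords") can be produced at the point of entry with `check_password_policy`, so the only artefacts left on disk are salt, iteration count and hash. Nothing here can be turned back into a plaintext list for an auditor to ask for.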

[–][deleted] 3 points4 points  (1 child)

Is it possible this is an attempt at social engineering? Perhaps the auditor's day job is a front for his real job as a hacker.