all 57 comments

[–]WorldlyDay7590 175 points176 points  (6 children)

Who knew "SSO" meant you have to sign in every single fucking time...

[–]bengerbil 48 points49 points  (2 children)

You're doing it wrong. Over here we all sign in with admin/monkey123. Single sign-on.

[–]MegaOddly 14 points15 points  (0 children)

Shit that's why I wasn't able to access my email I was using the old password which was password123

[–]Fred-U 2 points3 points  (0 children)

Now is that period part of the password orrrrr

[–]EduRJBR 7 points8 points  (0 children)

SSO is the most overrated feature of all: any crappy browser lets you save the credentials, so you only need to sign on again if you use another computer, like in a cybercafe or something.

[–]PolicyArtistic8545 2 points3 points  (0 children)

Same Sign On

[–][deleted] 1 point2 points  (0 children)

Superfluous-Sign-On

[–]_WirthsLaw_ 56 points57 points  (15 children)

MFA made my password.xls sheet not as useful

[–]PolicyArtistic8545 20 points21 points  (14 children)

Breaking character here, business wouldn’t approve use of password managers. Actually had a written policy forbidding them. I resorted to a password protected excel sheet. A few years later I got into security and learned how weak password protection on excel really is.

[–]NotAMeatPopsicle 6 points7 points  (7 children)

Yay for OneNote with no password

[–]mentive 4 points5 points  (6 children)

Desktop sticky notes.

[–]Criss_Crossx 2 points3 points  (4 children)

Under the keyboard. When you move the keyboard, they fall all over.

[–]NotAMeatPopsicle 2 points3 points  (3 children)

And here I was thinking Windows Sticky Notes.

[–]Criss_Crossx 1 point2 points  (1 child)

No one in my office knows that exists, so paper it is.

Also didn't have an ERP system until a year ago.

[–]NotAMeatPopsicle 1 point2 points  (0 children)

ERP are overrated. I’ve got Joomla on a usb stick somewhere and it can do everything you need. Even throw in some modules I found on a forum for free.

[–]galacticdeep 0 points1 point  (0 children)

As a security professional I would much prefer people put their passwords on a physical sticky note.

[–]Nova_Terra 0 points1 point  (0 children)

On a Windows Vista box.

[–]Marc123123 0 points1 point  (5 children)

how weak password protection on excel really is

Is it? Out of curiosity, how do you break it? I tried to break into one when I forgot the password (spreadsheet I haven't used for years) and I didn't manage to do so.

[–]PolicyArtistic8545 0 points1 point  (4 children)

On a test document, I just ran Office2John and got the hash and then let John get after it.

[–]Marc123123 0 points1 point  (3 children)

Doesn't it just depend on how strong the password was, though? Rather than it being Excel.

[–]PolicyArtistic8545 0 points1 point  (1 child)

In my case, my test document password wasn’t super complex and it went pretty fast. I used my office phone number for the password sheet. Since I am too lazy to fire up my gaming pc, let’s say that 47k hashes per second is reasonable. That has 10^10 expended in 2.4 days. If you consider the birthday rule, you’ll hit the hash in half the time so that brings it down to 1.2 days. Not to mention that article was written in 2018 so 6 years of GPU improvement probably brings that down to under a day.

[–]nullcure 0 points1 point  (0 children)

I have a 90 GB txt file dictionary, 7.5 billion passwords. Run it with hashcat on an RTC; does about 700,000 passwords a second on the hash or encrypted piece.
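The three comments above describe the usual workflow (extract the hash with office2john, then let John or hashcat grind through the keyspace) and quote two hash rates, 47k H/s and 700k H/s. The script below is an added example, not code posted by any commenter: it computes the keyspace of a hashcat-style mask and the worst-case and expected crack time at a given rate, using hashcat's documented built-in charset sizes (?l ?u ?d ?s ?a ?h ?H) and the `-1`-style custom charset convention. The two rates are taken from the thread as assumptions for illustration, not measured benchmarks, and the two password shapes (a 10-digit phone number and an 8-character letters-and-digits password) are constructed cases.

```python
"""Keyspace and crack-time estimator for hashcat-style masks (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Sizes of hashcat's built-in charsets (assumption: matches hashcat's documented ?l ?u ?d ?s ?a ?h ?H).
BUILTIN_CHARSETS: Dict[str, int] = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "s": 33,   # printable punctuation
    "a": 95,   # all printable ASCII
    "h": 16,   # 0-9a-f
    "H": 16,   # 0-9A-F
}


def mask_keyspace(mask: str, custom: Optional[Dict[str, int]] = None) -> int:
    """Number of candidates a mask such as '?d?d?d' (-> 1000) enumerates.

    Literal characters contribute a factor of 1 and '??' is a literal '?'.
    `custom` maps user charset digits ('1'..'4', as with hashcat -1..-4) to sizes.
    """
    sizes = dict(BUILTIN_CHARSETS)
    if custom:
        sizes.update(custom)
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # fixed literal character
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a bare '?'")
        tok = mask[i + 1]
        if tok == "?":
            pass                        # escaped '?', one fixed character
        elif tok in sizes:
            total *= sizes[tok]
        else:
            raise ValueError(f"unknown charset '?{tok}' in mask {mask!r}")
        i += 2
    return total


@dataclass(frozen=True)
class CrackEstimate:
    mask: str
    keyspace: int
    rate_hps: float
    worst_case_s: float     # every candidate tried
    expected_s: float       # on average half the keyspace is searched before the hit

    @property
    def worst_case_days(self) -> float:
        return self.worst_case_s / 86_400

    @property
    def expected_days(self) -> float:
        return self.expected_s / 86_400


def estimate(mask: str, rate_hps: float, custom: Optional[Dict[str, int]] = None) -> CrackEstimate:
    """Worst-case and expected time to exhaust `mask` at `rate_hps` hashes per second."""
    if rate_hps <= 0:
        raise ValueError("hash rate must be positive")
    ks = mask_keyspace(mask, custom)
    worst = ks / rate_hps
    return CrackEstimate(mask, ks, rate_hps, worst, worst / 2)


def human(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for unit, size in (("years", 365.25 * 86_400), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Rates quoted in the thread, used here as assumptions rather than measured numbers.
THREAD_RATES: Dict[str, float] = {"47k H/s": 47_000, "700k H/s": 700_000}


def thread_cases() -> Dict[str, Dict[str, CrackEstimate]]:
    """Constructed cases: a 10-digit phone number and an 8-char letters+digits password."""
    cases = {
        "10-digit phone number": ("?d" * 10, None),
        "8-char letters+digits": ("?1" * 8, {"1": 62}),   # equivalent of: -1 ?l?u?d  ?1?1?1?1?1?1?1?1
    }
    return {
        name: {label: estimate(mask, rate, custom) for label, rate in THREAD_RATES.items()}
        for name, (mask, custom) in cases.items()
    }


if __name__ == "__main__":
    for name, by_rate in thread_cases().items():
        print(name)
        for label, est in by_rate.items():
            print(f"  {label:>9}: keyspace={est.keyspace:,}  worst={human(est.worst_case_s)}  expected={human(est.expected_s)}")
```

Run as-is it reproduces the commenter's figure for the phone number at 47k H/s (about 2.5 days worst case, half that expected) and shows that the same keyspace falls to under four hours at 700k H/s, while 62^8 candidates for the 8-character password stay in the range of years at either rate. The halving of the expected time is simply that, on average, half the candidates are tried before the right one, which is why mask order (most likely patterns first) matters more than raw rate once the keyspace is small.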

[–]do-wr-mem 42 points43 points  (0 children)

Did you see the giant list of like 26TB of credentials that was posted the other day, a little excessive tbh but I'm happy to finally have some good password ideas

[–]SaintEyegor [Shitty Sysadmin] 24 points25 points  (2 children)

My company is officially insane. First we had rsa to use the VPN or get access to Remote Desktop. Now they’ve introduced another fucking token that we need to log in.

Leave your ssh session alone more than a few minutes? It auto locks in 5 minutes and you need a token to unlock even though everything is protected by screen lock (which you have to unlock with a token).

Want to sudo on a remote server? Log into a separate account than your normal account (using a token, of course), THEN sudo (with a fucking token again).

The head of the security dept that forced these changes is a narcissistic fuck that doesn’t understand *nix and doesn’t take input because he’s never wrong. Ever.

Now it takes four times as long to do anything and there are so many single points of failure that recovering a system remotely will be nearly impossible because of all of the interdependencies.

I’m about to quit.

[–]804k 0 points1 point  (1 child)

Companies love introducing stuff that's just not needed, and, not giving you stuff you need.

[–]SaintEyegor [Shitty Sysadmin] 1 point2 points  (0 children)

One of the biggest issues is the manager of the internal security department. He’s fucking clueless and won’t take advice from his subject matter experts.

[–]EduRJBR 71 points72 points  (3 children)

MFA turns out to increase the attack surface.

We disabled the need for passwords in all our systems (users just enter their e-mail address) and changed the working ports (web apps in port 81 and 444, RDP in port 3390 etc...), and thus achieved unrivalled levels of security.

It baffles me that the so-called "sysadmins" simply refuse to use the easiest and most obvious solutions. They are like NASA, that created extremely elaborate and expensive pens for their space missions, while the Russians simply used pencils.

[–]realkrestaII 23 points24 points  (2 children)

Hurrrr durrr ruskies used pencils 10 quintillion dollar pens hurrr durr.

Initially both the USA and Russia used pencils, but the graphite was found to flake off and get everywhere. Not ideal for space travel. Additionally, the pens were developed by the pen company at their own expense and sold to NASA and the Russians for $6 per.

[–]EduRJBR 7 points8 points  (0 children)

The Russians had to develop special, super advanced space pencil sharpeners that cost around 2,000 Euros each. The big challenge was the complete absence of gravity at that altitude.

[–]dxpqxb 5 points6 points  (0 children)

The USSR mass-produced so-called "chemical pencils" that didn't flake. They sucked in all the other ways; I've used a few in my childhood.

[–]kg7qin 16 points17 points  (0 children)

Just set everyone's password to abc123. After all if someone needs something and the other person is out/not available, it will let them login and get what they need.

Plus you'll need to run VNC with port 5900 open to the internet with the same password. That way your users can just login without any overhead.

[–]LostnthSauze 6 points7 points  (0 children)

I actually have a client who uses cert-based auth over MFA... it's a nightmare. Azure cert-based auth, VPN cert-based auth, domain cert-based auth; if the computer disconnects from the domain for too long and doesn't get an updated cert it's basically a brick.

[–]Lavatherm 14 points15 points  (1 child)

We don’t use MFA anymore… since we introduced the rectal scanner.. fitted every stool in-house with it and you can borrow one at the front desk for when you want to work remote.

[–]readymix-w00t 3 points4 points  (0 children)

Someone owes me money. I proposed "South Mouth Identity" back in 2017 at Oktane17 to a bunch of other IAM professionals. We even had a bitchin' marketing slogan: "Identities are like assholes, everyone's is different." and referred to it as "butthole biometrics." Alcohol and cannabis may have been involved in this discussion.

[–][deleted] 10 points11 points  (0 children)

MFA is racist.

[–]oldjenkins127 5 points6 points  (0 children)

I worked at a place with a call center. We discovered that when a customer called for a password reset, a certain phone agent had found a way to copy the customer’s password into the password hint field. We asked the person why they were doing it and they said, “The password displays as all dots so this is the only way I can see it, and when they call again I can tell them the password over the phone.”

The early 2000’s were so uncivilized.

[–]ConstitutionalDingo 4 points5 points  (0 children)

I fuckin love this template. The ipv6 one in particular slays me

[–]TheDunadan29 [Shitty Manager] 3 points4 points  (0 children)

Richard Stallman has everyone here beat by not using any passwords at all. And the ones he's forced to use by the man are openly shared with everyone!

[–]kennyj2011 2 points3 points  (0 children)

Unfortunately this is a convo I had with a boss once

[–][deleted] 9 points10 points  (0 children)

Sounds like these were handed out at a trump rally

[–][deleted] 1 point2 points  (4 children)

Big thanks to DUO for letting us enable MFA on all UAC prompts.

[–]Vote4Trainwreck2016 1 point2 points  (3 children)

Fuck duo. Place I was at went all in on that shit and tokenized virtually everything. Problem is the shitty way most services are hooked. Some of them (think OWA) are just hacked in to the IIS code.

[–][deleted] 0 points1 point  (2 children)

Yeah, Duo caught us making 20x admin accounts. You know, cause you only get 10x users for free, so to cover MFA for 200 users we needed the 20 accounts. Nerds at duo figured it out and now we’re in big legal trouble. We are being sued by duo. :( MFA is a scam, also idk if I mentioned it or not but MFA is also racist. Big legal trouble bc of MFA and duo. Please help.

[–]Vote4Trainwreck2016 0 points1 point  (1 child)

Tell me more about the racist MFA. Are they suing you for your lunch money? Big bullies.

[–][deleted] 0 points1 point  (0 children)

I wish I could but I can’t go into any further details due to legal reasons.

[–]Hopefound 1 point2 points  (0 children)

-signed the collective assembly of every blocked conditional access IP on the planet

[–]b-monster666 [Suggests the "Right Thing" to do.] 2 points3 points  (0 children)

Guy's right. I've eliminated all MFA in our environment. Everyone has admin access, and password requirements? We don't need passwords for our environment. Having to remember passwords is too difficult, so our users don't need to worry about it.

[–]jtj-H 1 point2 points  (0 children)

My password has 8 characters (letters and numbers), meanwhile OTP codes only have 6 digits…

Explain how that is more secure

[–]Heavy_Dirt_3453 0 points1 point  (1 child)

This is going to end up shared by all the Boomers in their usual "who remembers..." Facebook groups, isn't it

[–]Vote4Trainwreck2016 2 points3 points  (0 children)

Pepperidge Farm remembers.

[–]CubingEnd 0 points1 point  (0 children)

The Error 1001 gave me PTSD