3 Ways to Lose a Secure Password

At the skankworks.net we’ve worked in a lot of places including banks and telecoms. We’ve seen with our own eyes the kind of passwords people use. Many of them – of you – still use easy-to-guess passwords or words from a dictionary. Even those who do make the effort to use a strong password are frequently undermined by faulty thinking elsewhere.

At work you are supposed to use secure passwords and IT system managers are supposed to enforce it. Many workplaces do enforce regular password changes and will lock accounts after a small number of failed logins. Unfortunately, these controls can themselves weaken security: every forced change or lockout-and-reset is one more place for the password to pass through in the clear. In this article we'll show you three ways your password can be revealed in the clear, and how each of them can be avoided.


In chat
People using chat at work tend to leave the chat window open. Some of them will attempt to log in to another system, forgetting that the chat window still has the focus, and type their password straight into it. Bingo, everybody on chat knows their password. What's the betting this person also uses the same password everywhere?

Root cause: These people have to look at the keyboard while they type.
Remedial Action: Typing lessons.


In the process list
Many users and system administrators choose to save time by scripting logins, both for user and application accounts. Badly-written scripts put the password on the command line (instead of reading it from an access-controlled file), where it sits in the process list for every user on the machine to read. Databases are notorious for this. A quick look at the process list whenever there's a database involved will frequently reveal all the passwords one will ever need. Should one be so inclined.

Root cause: Bad programming
Remedial Action: Retrain programmers
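To make the point concrete, here is an added example (ours, not code from the original post) that starts a stand-in "database client" with its password on the command line, reads that password back out of the process list the way any local user can, and shows the fix: the secret in a mode-0600 file with only the path in argv. It assumes Linux with /proc mounted the default way (no hidepid), uses `sh -c 'sleep 30; true'` in place of a real client so it runs offline, and the password value, flag names and file layout are constructed for the demo.

```python
"""Added example, not code from the original post: a password passed on the
command line is readable by every local user. Start a leaky client and a
safe one, inspect both via /proc, and scan the whole box for the secret.

Assumptions (all constructed for the demo): Linux with /proc in its default
mode (hidepid=0); `sh -c 'sleep 30; true'` stands in for a real database
client; DEMO_PASSWORD and the flag names are made up.
"""
import os
import subprocess
import tempfile

DEMO_PASSWORD = "Tr0ub4dor&3-demo"  # constructed, not a real credential


def _stand_in_client(extra_arg):
    # Stand-in for a long-running client. Two commands in the -c string stop
    # the shell from exec'ing `sleep` directly, which would replace the argv
    # we want to inspect. Output is discarded; the process only has to exist.
    return subprocess.Popen(
        ["sh", "-c", "sleep 30; true", "fake-db-client", extra_arg],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def start_leaky_client():
    """The badly written script: `client --password=SECRET`, secret in argv."""
    return _stand_in_client("--password=" + DEMO_PASSWORD)


def start_safe_client():
    """The fix: secret in a mode-0600 file, only the path on the command line
    (the `mysql --defaults-extra-file=...` idiom). Returns (process, path)."""
    fd, path = tempfile.mkstemp(prefix="dbcreds-")  # mkstemp creates it 0600
    with os.fdopen(fd, "w") as f:
        f.write("[client]\nuser=app\npassword=%s\n" % DEMO_PASSWORD)
    return _stand_in_client("--defaults-extra-file=" + path), path


def read_argv(pid):
    """argv of any process, exactly as /proc hands it to every local user
    (this is what `ps -eo pid,args` prints). None if the pid is gone."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            raw = f.read()
    except OSError:
        return None
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":  # argv is NUL-terminated
        parts.pop()
    return [a.decode("utf-8", "replace") for a in parts]


def suspicious_args(argv):
    """Heuristic flagging of inline passwords: `--password=VALUE` and the
    MySQL-style `-pVALUE`. A bare `-p` or `--password` means "prompt me" and
    is fine; `-pid`-style options will false-positive, so treat hits as leads."""
    hits = []
    for arg in argv:
        if arg.startswith("--password=") and len(arg) > len("--password="):
            hits.append(arg[len("--password="):])
        elif arg.startswith("-p") and len(arg) > 2:
            hits.append(arg[2:])
    return hits


def pids_exposing(secret):
    """Every pid on the box whose argv contains `secret` verbatim."""
    hits = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            argv = read_argv(int(name))
            if argv and any(secret in a for a in argv):
                hits.append(int(name))
    return hits


def audit_process_list():
    """(pid, flagged values) for every process whose argv looks like it
    carries a password, using the heuristic above."""
    findings = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            argv = read_argv(int(name))
            flagged = suspicious_args(argv) if argv else []
            if flagged:
                findings.append((int(name), flagged))
    return findings


if __name__ == "__main__":
    leaky = start_leaky_client()
    safe, cred_path = start_safe_client()
    try:
        print("leaky client argv:", read_argv(leaky.pid))
        print("safe client argv: ", read_argv(safe.pid))
        print("pids exposing the secret:", pids_exposing(DEMO_PASSWORD))
        print("heuristic audit:", audit_process_list())
    finally:
        leaky.kill()
        safe.kill()
        os.unlink(cred_path)
```

`/proc/PID/cmdline` is readable by every local user unless /proc is mounted with `hidepid=2`, and `ps -eo pid,args` shows the same data on any Unix. Moving the secret into an environment variable is only half a fix: `/proc/PID/environ` is limited to the process owner, but children inherit the environment and core dumps capture it. The credentials file has to be readable by the service account alone, and the client reads it without the password ever touching argv.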


Password Update
Most application developers now mask passwords sent over the network or written to logfiles. Alas, not because they have finally become security conscious, but because that's what they've been told to do: in regulated or secure environments password protection is part of the application's specification. Nevertheless, this does not prevent developers from finding novel and innovative new ways to introduce security holes you can drive buses through. With just a smidgen of administrative privileges we frequently find ourselves cringing as we bear witness to schoolboy howlers such as this:

[image: XML login message carrying the user's password in clear text]

Good work guys. You've got a user that actually knows what she's doing, who's chosen a really strong password, and you've bungled it. Even if she hasn't changed her password recently, if we can see this message then all we have to do is make three failed login attempts against her account ourselves, trigger the lockout, and we'll have her new password in a jiffy. Berks.

Root cause: You've hired cowboys
Remedial Action: Fire the hiring manager
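Since "mask the password before it's logged or displayed" is the one thing these developers were told to do, here is an added example (ours, not code from the original post or from the application pictured above) of a redaction filter that does it for XML login and reset messages, and fails closed when a message does not parse instead of dumping it raw. The sample messages, element names, the secret-name pattern and the mask are constructed for the demo; the real application's schema will need its own list.

```python
"""Added example, not code from the original post: redact password-bearing
fields from an XML login or reset message before it is logged or shown on an
admin screen. Messages, element names and mask are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Names treated as secrets wherever they appear as an element or attribute
# name. Case-insensitive substring match, so newPassword, passwd and pwd all
# hit. Widen this for the application's own schema rather than narrowing it.
SECRET_NAME = re.compile(r"password|passwd|pwd|secret|token", re.IGNORECASE)
MASK = "********"


def _local(name):
    """Strip an XML namespace: '{urn:x}password' -> 'password'."""
    return name.rsplit("}", 1)[-1]


def redact_xml(xml_text):
    """Return (redacted XML as a string, number of fields masked)."""
    root = ET.fromstring(xml_text)
    masked = 0
    for el in root.iter():
        # Element text, e.g. <newPassword>...</newPassword>
        if SECRET_NAME.search(_local(el.tag)) and el.text and el.text.strip():
            el.text = MASK
            masked += 1
        # Attributes, e.g. <login password="..."/>
        for attr in list(el.attrib):
            if SECRET_NAME.search(_local(attr)) and el.attrib[attr]:
                el.attrib[attr] = MASK
                masked += 1
    return ET.tostring(root, encoding="unicode"), masked


def safe_to_log(message):
    """Version of `message` fit for a logfile or admin console. Fails closed:
    a message that does not parse is withheld, not written out raw 'for
    debugging', because that is exactly when the secret would slip through."""
    try:
        redacted, _ = redact_xml(message)
        return redacted
    except ET.ParseError:
        return "<message withheld: %d bytes, not well-formed XML>" % len(message)


# Constructed samples of the two message shapes the post complains about.
SAMPLE_LOGIN = '<login user="alice" password="correct horse battery staple"/>'
SAMPLE_RESET = (
    '<passwordReset user="alice"><status>locked-out, reset</status>'
    '<newPassword>Tr0ub4dor&amp;3</newPassword></passwordReset>'
)

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN, SAMPLE_RESET, "<login user='alice' password='x'"):
        print(safe_to_log(sample))
```

Masking by field name is a backstop, not a cure: a secret smuggled into a generic `<value>` element sails straight through, and an administrator who can read the raw message queue still sees everything. The message in the screenshot should never have carried the password at all; the filter only stops it being copied into every log and console on the way.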


Feel free to cite these examples if you see similar things in your own place of employment. Your manager will probably tell you to keep quiet about it and not to tell anybody, like some managers have tried to do to us. If that’s the case, just remember that your diligence and your manager’s lack thereof means you should be their boss.

Posted in Антиработа (Anti-work), General IT.