  #1  
Old 11-13-2019, 11:17 AM
Llama Llogophile is offline
Guest
 
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,094

Our "security" is so good, nothing fucking works anymore


I've spent two hours today trying to do two things: Renew a security credential at work, and sign up for an online service provided by the USPS.

Denied. Neither works.

Here are the myriad problems I've had:

- Incorrect instructions posted on the web site
- Click on the link, it logs you out
- Having just signed up for an account, now we need to verify your identity by sending a code to your cell phone. Haha, no... Your phone number doesn't work for that, and we won't tell you why.
- Help desk person asks if I can send screenshots. Sure... The address they gave me bounced them back, possibly because their system thought it was spam.
- After setting new passwords (and struggling with all the nonsense: a capital letter, a number, a special fucking character and not more than two characters repeated consecutively), now there's a CAPTCHA to complete. When it fails, there's no way to tell if it was a problem with the password or the CAPTCHA.
- And to have any chance of any of this working, I have to disable all the security features on my browser, which I'm told are absolutely necessary to prevent viruses and hacking.

How have we let it get to this point? What I've attempted today was an onerous process at the least, and literally impossible at the worst. And I'm experiencing this crap more and more often. But here's what really bothers me. In my job, which is flying airplanes, I'm expected to be... perfect. I can't make any mistakes, even minor ones without filing a report of some kind (for which I need endless fucking login credentials, security questions and passwords too!).

I am so fed up with having precision demanded from me, and yet there's all this sloppiness and Catch-22s in web site coding and security.
  #2  
Old 11-13-2019, 11:30 AM
Czarcasm is offline
Champion Chili Chef
Charter Member
 
Join Date: Apr 1999
Location: Portland, OR
Posts: 63,117
There is no system more secure than one that is inaccessible.
  #3  
Old 11-13-2019, 11:43 AM
Joey P is offline
Charter Member
 
Join Date: Jun 1999
Location: Milwaukee, WI
Posts: 29,492
Quote:
Originally Posted by Czarcasm
There is no system more secure than one that is inaccessible.
I have to have my internal network and (externally hosted) website scanned once a month for PCI Compliance. For years, everything went smoothly, passed every scan and never gave it a second thought. Then a few years back, the people that do the scan (PCI Rapid Comply, I think) changed one of their requirements such that it's an automatic fail if they can't get past your firewall. Their reasoning is if they can't scan your network, they can't pass it.
The entire rest of the industry (end users) tried to explain that if they can't get past the firewall, then the network is safe, right?
Then, to 'help' us out, they gave us a list of IP addresses that the scan would originate from and the ports it would use. Perfect, we thought, we'll whitelist those IPs, open those ports or set up port forwards to watch for those IP/ports and send them to the parts of the network they need to see.
Nope, we're explicitly told we can't do any of that. So, last I checked, we're all sort of stuck trying to find a balance between blocking everything and letting their scanners in. I think a lot of people just found ways to whitelist them/what they need to do and just don't tell them.


And, on top of all that, if you fail, they'll give you reasons. For many of those reasons, you can dispute them and explain the issue and then you'll pass. Lather, rinse, repeat next month. I eventually learned that once I could write everything they need to know to successfully dispute something in one try, to save it so I can C&P it each month.
  #4  
Old 11-13-2019, 11:54 AM
Sailboat is offline
Guest
 
Join Date: Aug 2005
Posts: 12,026
I posted this little nonsense just the other day:

https://boards.straightdope.com/sdmb...3&postcount=65

For some reason, when the security people disabled our working reporting system, they didn't tell anyone. So for a while we wondered why no one was replying.
  #5  
Old 11-13-2019, 12:35 PM
Lightray is offline
Guest
 
Join Date: Oct 2005
Location: St. Louis MO
Posts: 6,044
I recently tried to arrange a Hold Mail with USPS, which I have done many times before. Denied. New security measures in place require you to register (i.e., give them your valuable data), and be verified. You can be verified via cell phone... but it wouldn't accept my cell# as acceptable for verification, and there was no available information to be found on why a cell# might be unacceptable.

As an alternative, you can request a code be mailed to you within 10 working days, with which you can set up your Hold Mail. Of course, I was out of town by the time it arrived, so that was a big help.

Couple weeks after I got the code in the mail, USPS sent me a helpful email because I'd used Hold Mail before, explaining that they were changing how it works. :eyeroll:
  #6  
Old 11-13-2019, 01:19 PM
slumtrimpet is online now
Guest
 
Join Date: Dec 2003
Location: Canukistan
Posts: 656
My husband is a physician. As such he needs to access patient records. The local nursing home instituted a new 'security' system for their inmates' medical records. Those records are available to the attending doctors, the nurses and the pharmacist. I suppose the inmates could break into the office and mess about but... really? So he does a drug review at this home every week. Last week he entered the wrong password on the authorization screen three times and was locked out until... whothefuckknows (until IT support from the new security company could physically drive down to reset the password - did I mention the nursing home is in southeast bumfuck?). So... no drug review. Too bad, so sad.

He is also on-call at the hospital for his (and a number of other patients in his on-call group) every couple of weeks. He used to have a beeper which morphed into an automated call to his cell phone over the years. Or if the call didn't go through, the switchboard would call the home phone and transfer the call to whomever. No problem. Call the hospital switchboard back or a direct line to the ER or the nurse's station and deal with whatever; med change for a patient, a new admission, request to call in a specialist... New system sends him a text. Whereupon he has to enter his password to access it. Yep, not him but one of his colleagues did the 'three times and you're out' thing while he was on-call. Locked out until he presented himself at the hospital with multiple forms of ID. Too bad, so sad for any calls from nurses or doctors until he did that.

Oh, and due to the whole 'southeast bumfuck' issue the cell service here sucks. So texts often can take hours to sometimes a day to arrive.
"you have 5 urgent messages from xyz123 - date/time: 6 hours ago"

Thank og it's secure though.
  #7  
Old 11-13-2019, 01:41 PM
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
Quote:
Originally Posted by Llama Llogophile
- Having just signed up for an account, now we need to verify your identity by sending a code to your cell phone. Haha, no... Your phone number doesn't work for that, and we won't tell you why.
One of my pet peeves is security systems that only work via a text sent to your cell phone. In Panama, cell phones have eight numbers instead of seven, so most US automatic systems don't seem to be able to dial them.

When I want to post a travel notice for my credit cards to my banks, most of them have an option to send a code to your email rather than your phone. One doesn't, and can't call my phone, so I always have to call them, which can take 20 minutes of going through phone trees and answering verbal security questions instead of literally 1 minute on the other sites. And once I was required to punch in my date of birth on Skype, but their system wouldn't accept it. I was told that I couldn't file a travel notice even though I was speaking directly to an agent. I'm actually not so much worried about the security risk of using my card overseas, but having my card blocked if I try to use it overseas, and then having to go through the same rigmarole to get it unblocked.

I used to be able to access my work email remotely, but now they've started requiring an authentication code sent to my phone. So I just ended up having all my mail forwarded to my Gmail account and never log into my work account at all.

It used to be simple to buy a new data package from my cell phone provider here in Panama. Then they started sending an authentication text message, which is good for maybe a minute or two. But it takes so long for them to send it and for me to key it in that it's usually expired before I can use it. Sometimes it's taken four or five tries before I get the code fast enough to use it.

Last edited by Colibri; 11-13-2019 at 01:42 PM.
  #8  
Old 11-13-2019, 02:09 PM
muldoonthief is offline
Member
 
Join Date: Jul 2003
Location: North of Boston
Posts: 11,171
At my last job, I would send weekly status reports to my boss via email. Suddenly he stopped receiving them - I was naming them "Myname_status_date.doc", and it turned out IT had added an anti-phishing filter that blocked any email with an attachment with the word "status" in the name. No email back to the sender, no notice to the recipient that an email had been blocked. Nothing to check sender address and let through emails that originated from within the company. I complained to IT, and their only suggestion was to not use the word "status". I wonder how many messages from vendors or customers were lost to this stupidity.

And I've decided that I refuse to work with any phone app which requires me to enter a password, but refuses to give me a way to actually see what I entered. Yes, password security is important, but please credit me with the intelligence to know if I'm in a place where I have to worry about shoulder surfing.
  #9  
Old 11-13-2019, 09:45 PM
Kobal2 is offline
Guest
 
Join Date: Mar 2008
Location: Paris, France
Posts: 19,111
Quote:
Originally Posted by Llama Llogophile
- After setting new passwords (and struggling with all the nonsense: a capital letter, a number, a special fucking character and not more than two characters repeated consecutively)
I can help there at least. Instead of thinking about a password, it's more helpful to think of a passphrase that is easy to remember (or hard to forget), such as 1953MarilynMonroewasdeadgorgeous! or 4:20Isweedo'clockeverywhere

Longer passwords are more difficult to brute force, so the length of a short phrase is better security, although of course it'll take a bit longer to type in, which might become annoying if you have to log in and out often. In case your security system has a max pwd length and your preferred passphrase doesn't fit, or if you simply don't want to type more than strictly necessary, you can use initial or final letters: 1953MMwdg! and 4:20Sdke are both relatively secure passwords that will at the very least resist any dictionary attack while still being much easier to remember than e.g. a random chain of letters and characters provided by a pwd generator, since you know the simple algo behind their generation.
  #10  
Old 11-13-2019, 10:09 PM
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
Quote:
Originally Posted by Kobal2
I can help there at least. Instead of thinking about a password, it's more helpful to think of a passphrase that is easy to remember (or hard to forget), such as 1953MarilynMonroewasdeadgorgeous! or 4:20Isweedo'clockeverywhere
I used to use hummingbird genera that started with the same letter as the website (with prefixes and suffixes that satisfied the other criteria), but pretty soon I ran out of genera for the more common letters.

Last edited by Colibri; 11-13-2019 at 10:10 PM.
  #11  
Old 11-13-2019, 10:11 PM
susan is offline
Guest
 
Join Date: Jul 2002
Location: Coastal USA
Posts: 9,671
Hit the same USPS problem today.
  #12  
Old 11-14-2019, 02:31 AM
gotpasswords is offline
Charter Member
 
Join Date: Mar 1999
Location: San Francisco area
Posts: 16,432
The post office seems to be quite enthusiastic about the new change to mail holding as they’ve emailed me three times about it so far. Fortunately, as a user of Informed Delivery (inbound logistics for your mailbox) I’m already vetted and registered.

As for all of these bone-headed security schemes, the dorks who concocted them have all forgotten that the foundational tenet of information security is something called the CIA Triad: Confidentiality - Integrity - Availability. By blocking proper users, they’re screwing up on availability. Deep-sixing emails with “status”? Insane. Although... I probably get ten emails a day with references to status, so that would lighten up my work a bit.
  #13  
Old 11-14-2019, 08:53 AM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,739
I’m IT support at my work. We’re a state government agency. At one point we started getting reports that file sharing sites were tripping our web filters. We have auditors and investigators and consultants that need to get documents from the public on a regular basis, sometimes huge documents. We can’t accept them via email because they often exceed the size limit.

I am spending a lot of time troubleshooting the issue, sending tickets to other parts of our agency including the security office. Finally after a few weeks the security office appears at one of our agency-wide IT meetings and informs us that they’ve intentionally blocked all cloud file sharing sites. Google Docs, Dropbox, you name it, it’s blocked. They hadn’t gotten around to telling us yet. Those shitheads. It wasn’t even anything written into our policies, they’d decided on their own to do that and cause massive work stoppages across the agency.

I tell people at work all the time that as IT support my job is to do all I can to ensure that you can do your job, and the security office’s job is to ensure you can’t. I’m quite vocal about that. They have no concept of anything outside their paranoid little bubble. I keep waiting for the day that I go to work and find that we have no internet connection because the outside world is too scary.

I recall one time that we got a report that a computer on one of our field office’s network was infected with some kind of malware that was sending info to a remote site. It was only connected for an hour or so. The computer’s name did not even come close to our naming conventions so it’s obvious to me that it wasn’t one of ours. We have a guest WiFi for the public to use so the computer was probably hooked up to it. The security office calls me up to grill me about what this machine is and where it came from. It had connected to our network briefly a few weeks prior. I told them that it wasn’t an agency machine and there is no way to know what it was and they’ll never know, plus it didn’t do damage, so why are they hunting it? Then they asked about a person in the office about an hour after it closed who was on security footage, they could only describe him as a male who walked across the lobby with dark clothes and light hair. I asked if I could see the footage to see for myself and they refused. So I told them that was generic enough to describe me. It took them days to drop it.

Seriously, I don’t know how my agency functions at all with people in security who are probably insane.
  #14  
Old 11-14-2019, 09:42 AM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,571
Quote:
Originally Posted by Joey P
I have to have my internal network and (externally hosted) website scanned once a month for PCI Compliance. For years, everything went smoothly, passed every scan and never gave it a second thought. Then a few years back, the people that do the scan (PCI Rapid Comply, I think) changed one of their requirements such that it's an automatic fail if they can't get past your firewall. Their reasoning is if they can't scan your network, they can't pass it.
The entire rest of the industry (end users) tried to explain that if they can't get past the firewall, then the network is safe, right?
Then, to 'help' us out, they gave us a list of IP addresses that the scan would originate from and the ports it would use. Perfect, we thought, we'll whitelist those IPs, open those ports or set up port forwards to watch for those IP/ports and send them to the parts of the network they need to see.
Nope, we're explicitly told we can't do any of that. So, last I checked, we're all sort of stuck trying to find a balance between blocking everything and letting their scanners in. I think a lot of people just found ways to whitelist them/what they need to do and just don't tell them.


And, on top of all that, if you fail, they'll give you reasons. For many of those reasons, you can dispute them and explain the issue and then you'll pass. Lather, rinse, repeat next month. I eventually learned that once I could write everything they need to know to successfully dispute something in one try, to save it so I can C&P it each month.
Why keep using the same company? And who "explicitly told" you that you can't whitelist the scanning IPs?

Also, all these stories confirm that cybersecurity jobs will never be going away. That's good for me!
  #15  
Old 11-14-2019, 10:09 AM
septimus is offline
Guest
 
Join Date: Dec 2009
Location: The Land of Smiles
Posts: 20,137
I support this Pitting! Especially annoying is that some of the most stringent password/captcha stuff is for entries of little value, e.g. to join a free library. Some captcha images are impossible — only a computer might guess them! Others are easy, but fail inexplicably. On occasion I've failed 8 consecutive captchas before giving up.

Just two days ago I needed a password for some worthless account. I used one of my standard passwords: lower-case AND upper-case AND digit AND special symbol AND 12 characters long. It was rejected as too easy to guess! (Well yeah, I made it very easy to remember.)

Quote:
Originally Posted by Colibri
One of my pet peeves is security systems that only work via a text sent to your cell phone. In Panama, cell phones have eight numbers instead of seven, so most US automatic systems don't seem to be able to dial them.
Fortunately I've had no trouble getting text codes from 3 or 4 U.S. sites. Thailand cell-phone numbers are 9* digits (11 counting the country code). [* 10 digits counting leading 0]

Quote:
Originally Posted by muldoonthief
... I was naming them "Myname_status_date.doc", and it turned out IT had added an anti-phishing filter that blocked any email with an attachment with the word "status" in the name....
I remember reading about a "specialist" who was losing email. Filters caught it as "spe CIALIS t"

Last edited by septimus; 11-14-2019 at 10:12 AM.
  #16  
Old 11-14-2019, 10:19 AM
Pork Rind is offline
Charter Member
 
Join Date: Jan 2001
Location: Santa Barbara
Posts: 2,648
Quote:
Originally Posted by septimus
I remember reading about a "specialist" who was losing email. Filters caught it as "spe CIALIS t"
Ah, the good ol' Scunthorpe Problem. How is that still an issue 23 years later?
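The "status" attachment filter in post #8 and the "spe CIALIS t" case above are the same defect: a gateway matching substrings anywhere in a name, with no sender check and no feedback to anyone. The following is an added illustration, not code from the thread or from any of the products mentioned; the domain names, the sample messages and the "authenticated" field (standing in for the gateway's SPF/DKIM/DMARC verdict) are all constructed.

```python
import re

INTERNAL_DOMAIN = "corp.example"        # assumed: the company's own mail domain
BLOCKED_TERMS = ["status", "cialis"]    # the two terms the thread mentions

# Constructed sample messages, not taken from the thread. "authenticated" stands in
# for the gateway's SPF/DKIM/DMARC result, because a bare From header can be spoofed.
SAMPLE_MESSAGES = [
    {"id": "weekly-report", "from": "alice@corp.example", "authenticated": True,
     "attachment": "Alice_status_2019-11-13.doc"},
    {"id": "vendor-specialist", "from": "vendor@partner.example", "authenticated": True,
     "attachment": "Specialist_report.pdf"},
    {"id": "spoofed-internal", "from": "bob@corp.example", "authenticated": False,
     "attachment": "Quarterly_Status_Update.docx"},
    {"id": "pharma-spam", "from": "spammer@evil.example", "authenticated": False,
     "attachment": "cheap_cialis_offer.html"},
    {"id": "account-phish", "from": "mallory@evil.example", "authenticated": True,
     "attachment": "Your account status.html"},
]


def naive_filter(msg):
    """The thread's filter: an attachment name containing a blocked term anywhere
    is dropped. Returns True when the message would be blocked. No sender check,
    no word boundaries, and the caller gets no reason to report back."""
    name = msg["attachment"].lower()
    return any(term in name for term in BLOCKED_TERMS)


# Whole-token match: the term may not be glued to letters on either side, so
# "specialist" no longer matches "cialis" while "cheap_cialis_offer" still does.
_TOKEN_PATTERNS = {
    term: re.compile(r"(?<![a-z])" + re.escape(term) + r"(?![a-z])")
    for term in BLOCKED_TERMS
}


def hardened_filter(msg):
    """Returns (action, reason) with action "deliver" or "block".
    1. Mail from an *authenticated* internal sender skips the keyword check; a
       spoofed internal From with a failed authentication result does not.
    2. Terms must match as whole tokens (fixes the "specialist" false positive).
    3. Every block carries a reason, so the gateway can bounce or notify
       instead of silently losing the message."""
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if msg.get("authenticated") and sender_domain == INTERNAL_DOMAIN:
        return ("deliver", "authenticated internal sender")
    name = msg["attachment"].lower()
    for term, pattern in _TOKEN_PATTERNS.items():
        if pattern.search(name):
            return ("block", f"attachment name contains blocked term {term!r}")
    return ("deliver", "no blocked terms in attachment name")


def compare(messages):
    """Map message id -> (blocked by naive filter?, hardened action)."""
    return {m["id"]: (naive_filter(m), hardened_filter(m)[0]) for m in messages}


if __name__ == "__main__":
    for mid, (naive_blocked, action) in compare(SAMPLE_MESSAGES).items():
        naive = "block" if naive_blocked else "deliver"
        print(f"{mid:18} naive={naive:7} hardened={action}")
```

The weekly report and the vendor's "Specialist" file both get through the hardened version, while the spoofed internal sender still goes through the keyword check because its authentication result failed.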
  #17  
Old 11-14-2019, 11:08 AM
Tatterdemalion is offline
Member
 
Join Date: Apr 2009
Posts: 655
Quote:
Originally Posted by septimus
I support this Pitting! Especially annoying is that some of the most stringent password/captcha stuff is for entries of little value, e.g. to join a free library. Some captcha images are impossible — only a computer might guess them! Others are easy, but fail inexplicably. On occasion I've failed 8 consecutive captchas before giving up.
Don't you just hate it when you fail a Turing test?
  #18  
Old 11-14-2019, 11:34 AM
Broomstick is online now
Charter Member
 
Join Date: Mar 2001
Location: NW Indiana
Posts: 29,261
This isn't entirely new - back in the 1990's when the company I worked at was using the internet more and more the IT department put a porn filter on the web browser/e-mail/etc.

The problem? My department was medical research doing a project on breast cancer. Yep, EVERYTHING blocked. Howls from the researchers. Management meetings.

The IT department's answer? "Can't you use words other than "breast" and "mammary"?"

Uh, no, not really, not when you're searching for information on breast cancer in the published literature where literally all the titles and keywords were things like "breast" and "mammary".

Eventually something was sorted out so our department, at least, could search on terms like "breast" (and other "naughty" body parts).

But I suspect it's only gotten worse.

Last edited by Broomstick; 11-14-2019 at 11:34 AM.
  #19  
Old 11-14-2019, 11:44 AM
Hermitian is offline
Guest
 
Join Date: Jan 2004
Posts: 2,630
Quote:
Originally Posted by Kobal2
I can help there at least. Instead of thinking about a password, it's more helpful to think of a passphrase that is easy to remember (or hard to forget), such as 1953MarilynMonroewasdeadgorgeous! or 4:20Isweedo'clockeverywhere

Longer passwords are more difficult to brute force so the length of a short phrase is better security although of course it'll take a bit longer to type in which might become annoying if you have to log in and out often. In case your security system has a max pwd length and your preferred passphrase doesn't fit, or if you simply don't want to type more than strictly necessary you can use initial or final letters : 1953MMwdg! and 4:20Sdke are both relatively secure passwords that will at the very least resist any dictionary attack while still being much easier to remember than e.g. a random chain of letters and characters provided by a pwd generator, since you know the simple algo behind their generation.
But doesn't just about every system lock you out after about 5 tries anyway? So why is brute-forcing even a concern?

On another topic, I was once singing into a government system and one of the requirements was that your password had to be EXACTLY 12 characters. I can sort of understand a minimum, but making an exact requirement seems counterproductive. At least the hacker knows what length he needs to guess!
  #20  
Old 11-14-2019, 12:36 PM
Czarcasm is offline
Champion Chili Chef
Charter Member
 
Join Date: Apr 1999
Location: Portland, OR
Posts: 63,117
Quote:
Originally Posted by Hermitian
On another topic, I was once singing into a government system and one of the requirements was that your password had to be EXACTLY 12 characters.
...and on-key, to boot!
  #21  
Old 11-14-2019, 01:01 PM
Kobal2 is offline
Guest
 
Join Date: Mar 2008
Location: Paris, France
Posts: 19,111
Quote:
Originally Posted by Hermitian
But doesn't just about every system lock you out after about 5 tries anyway? So why is brute-forcing even a concern?
I'm not super versed in cybersec or password breaking methods, but from what I understand many automated methods are based on attempting millions of log ins in parallel at the exact same time, thus pre-empting the "consecutive tries" locks.

Quote:
On another topic, I was once singing into a government system and one of the requirements was that your password had to be EXACTLY 12 characters. I can sort of understand a minimum, but making an exact requirement seems counterproductive. At least the hacker knows what length he needs to guess!
Yeah, that doesn't intuitively feel very helpful. Can actual experts weigh in? Manson, you seemed to indicate that was your line of work?
  #22  
Old 11-14-2019, 01:17 PM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,571
Quote:
Originally Posted by Hermitian
On another topic, I was once singing into a government system and one of the requirements was that your password had to be EXACTLY 12 characters.
I love singing passwords! My favorite is 1877kars4kids

Quote:
Originally Posted by Kobal2
Yeah, that doesn't intuitively feel very helpful. Can actual experts weigh in? Manson, you seemed to indicate that was your line of work?
My guess is the person reading the requirements during development screwed up, or the person making the policy screwed up.

However, thinking about it, I seem to remember some time in my past that a password had to be exactly 8 characters, but I'm racking my brain as to the reason - there was an actual reason, I just can't remember. It might have been because the app was old, and only had storage for 8 character passwords, and later bolted-on security policy required AT LEAST an 8 character password which only left 8 character passwords as valid. Perhaps the 12 character case was similar.
  #23  
Old 11-14-2019, 01:36 PM
Kobal2 is offline
Guest
 
Join Date: Mar 2008
Location: Paris, France
Posts: 19,111
Quote:
Originally Posted by manson1972
I love singing passwords! My favorite is 1877kars4kids
Well that doesn't seem right, it doesn't have capitals or special chars.

#END totally_missing_the_joke();

ETA : also, earworm now. I'll hurt you IRL.

Last edited by Kobal2; 11-14-2019 at 01:40 PM.
  #24  
Old 11-14-2019, 02:06 PM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,739
Quote:
Originally Posted by manson1972
I love singing passwords! My favorite is 1877kars4kids
Damn you manson1972.
  #25  
Old 11-14-2019, 02:43 PM
Kobal2 is offline
Guest
 
Join Date: Mar 2008
Location: Paris, France
Posts: 19,111
(A propos of nothing, I just realized my preferred method was essentially a reverse-mnemonic. Instead of coming up with a memorable phrase/acronym to help remind yourself of various amounts of arcane information, you're creating arcane information out of a memorable phrase. Neat, huh?
Y'all carry on.)
  #26  
Old 11-14-2019, 03:23 PM
susan is offline
Guest
 
Join Date: Jul 2002
Location: Coastal USA
Posts: 9,671
Quote:
Originally Posted by Broomstick
This isn't entirely new - back in the 1990's when the company I worked at was using the internet more and more the IT department put a porn filter on the web browser/e-mail/etc.

The problem? My department was medical research doing a project on breast cancer. Yep, EVERYTHING blocked. Howls from the researchers. Management meetings.

The IT department's answer? "Can't you use words other than "breast" and "mammary"?"

Uh, no, not really, not when you're searching for information on breast cancer in the published literature where literally all the titles and keywords were things like "breast" and "mammary".

Eventually something was sorted out so our department, at least, could search on terms like "breast" (and other "naughty" body parts).

But I suspect it's only gotten worse.
Indeed. In that era, I was a university coordinator for lesbian, bisexual, gay and transgender students. The university's internet settings blocked "lesbian," "bisexual," and "transgender."
  #27  
Old 11-14-2019, 04:05 PM
Miller is offline
Sith Mod
Moderator
 
Join Date: Dec 2000
Location: Bear Flag Republic
Posts: 44,630
At work, we use a lot of off-the-shelf, 3rd party software. A lot of this software doesn't have great documentation, so our devs often have to go to message boards to get answers to problems they run into during implementation. Often, this is explicitly how you're supposed to get software support for this sort of thing.

So, naturally, our security team decided to block posting to any sort of message board, because someone might post proprietary software code, or accidentally reveal details of an upcoming project. Which made it virtually impossible to get support for a lot of these projects, unless you were lucky enough to find someone on a forum who asked exactly the same question you wanted to ask. After about a month of this, security was convinced to allow a whitelist to allow certain devs to post on message boards again, but only those that really, really needed it.

About two months later, the whitelist included very nearly every person in the company, and they finally junked the rule altogether.
  #28  
Old 11-14-2019, 04:18 PM
Shodan is offline
Charter Member
 
Join Date: Jul 2000
Location: Milky Way Galaxy
Posts: 40,193
One of my first jobs in IT was writing an algorithm to prevent people from using obscene words in their passwords. Pro tip: "what the hell difference does it make" is not a question a very junior programmer should ask. Neither is "where do I store the table of obscene words so nobody will see it and be offended".

On a related note, my phone wasn't working, and nobody could call me because it didn't ring, but went straight to voice mail. I IM'ed the helpless desk. Their first question was "what is your call back number?" And they couldn't accept my cell number because it had to be a company-owned device.

A company I worked at used to send out mass voice mails that the phone system was down.

My favorite is still the web address we were supposed to go to if the Internet wasn't working.

Regards,
Shodan
  #29  
Old 11-14-2019, 05:13 PM
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
Quote:
Originally Posted by Shodan
One of my first jobs in IT was writing an algorithm to prevent people from using obscene words in their passwords. Pro tip: "what the hell difference does it make" is not a question a very junior programmer should ask.
I imagine it was because a lot of passwords were variants on "fuckyouitdept123." (I admit to having created passwords like that on particularly intrusive websites.)
  #30  
Old 11-14-2019, 05:19 PM
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
I'm surprised no one has referenced Mordac, the Preventer of Information Services.
  #31  
Old 11-14-2019, 05:25 PM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,739
Quote:
Originally Posted by Colibri
I imagine it was because a lot of passwords were variants on "fuckyouitdept123." (I admit to having created passwords like that on particularly intrusive websites.)
At one job we had a timekeeping system that ran on a platform called “Penta”. (I assume, given how evil the software was, the developers worshipped Satan and it was short for “Pentagram”.) We required a password for that horrid system that was overly restrictive and I hated the software so much that every password was “Pentasux” with a number afterward.

Anyway, who gives a shit what’s in a password? Proper security protocols would have you never sharing your password with anyone else in the organization anyway. Who are you going to offend, the domain controller? As long as it meets complexity requirements does it matter if the password is “J3sus!$L0v3” or “Ibl0wG0@t$”?
  #32  
Old 11-14-2019, 05:26 PM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,739
Quote:
Originally Posted by Colibri
I'm surprised no one has referenced Mordac, the Preventer of Information Services.
Haha, I had that exact same strip on my wall at my first IT support job back in the early 2000s. Especially because my boss would wear suspenders like that.
  #33  
Old 11-14-2019, 06:13 PM
susan is offline
Guest
 
Join Date: Jul 2002
Location: Coastal USA
Posts: 9,671
Quote:
Ibl0wG0@t$
Jeez, now I need a new password
  #34  
Old 11-16-2019, 03:09 AM
Die Capacitrix's Avatar
Die Capacitrix is offline
Guest
 
Join Date: May 2019
Location: Switzerland
Posts: 160
Realized that my U.S. Global Entry is getting old, so I looked up how long it should last. 5 years, and it's possible to renew it up to one year before it expires. As of this month, I am 4.5 years from the date I got the green light. So I go to the site. Nope, original Global Entry identification is no longer valid. I have to create a new one. And even though my U.S. Passport has only fields for Name and First Name, which is how I order plane tickets, Global Entry has fields for First, Middle and Last.

I create the new account. Seems they changed something else. The expiration date is even later and now tied to my birthday, even though the original date of validity is nowhere near my birthday. So now my husband's Global Entry and mine are not renewed on the same date, since our birthdays are not the same. At least they are the same year.

We did have a system that did not recognize an initial 0 (zero) in the password. So anyone who changed their password to include an initial zero could never log in again.

And we also had a system with an interesting feature. People would set their password to password12 and the system would accept it. But when they input the password, it got truncated to password before being sent to the system. They could never log in again.
  #35  
Old 11-16-2019, 04:21 AM
Nava is offline
Member
 
Join Date: Nov 2004
Location: Hey! I'm located! WOOOOW!
Posts: 43,046
Quote:
Originally Posted by Die Capacitrix View Post
And we also had a system with an interesting feature. People would set their password to password12 and the system would accept it. But when they input the password, it got truncated to password before being sent to the system. They could never log in again.
I've had that problem with sites that required me to enter my full name in order to reset my password.

In the immortal words of my dad: "no, my name is not too long. Your field is too short."
__________________
Some people knew how to kill a conversation. Cura, on the other hand, could make it wish it had never been born.
  #36  
Old 11-16-2019, 04:42 AM
Broomstick's Avatar
Broomstick is online now
Charter Member
 
Join Date: Mar 2001
Location: NW Indiana
Posts: 29,261
I've had problems with sites that require a middle name or initial in the name field. I don't have one. You can see the problem.
  #37  
Old 11-16-2019, 05:35 AM
Aspidistra is offline
Member
 
Join Date: Feb 2001
Location: Melbourne, Australia
Posts: 5,730
Quote:
Originally Posted by Colibri View Post
I imagine it was because a lot of passwords were variants on "fuckyouitdept123." (I admit to having created passwords like that on particularly intrusive websites.)
If the IT department can tell that your password is fuckyouitdept123, then they deserve every letter of it
__________________
Science created the modern world. Politics is doing its best to destroy it.
  #38  
Old 11-17-2019, 12:50 AM
DummyGladHands is offline
Guest
 
Join Date: Dec 2010
Posts: 2,191
Quote:
Originally Posted by Nava View Post
I've had that problem with sites that required me to enter my full name in order to reset my password.

In the immortal words of my dad: "no, my name is not too long. Your field is too short."
I am so terribly sorry my Dad's middle name does not have enough characters. Please suggest a solution. Assholes.
  #39  
Old 11-17-2019, 01:09 AM
Colibri's Avatar
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
Some years ago I had a job that required me to register as an official US government contractor.

Although I'm an individual, I had to register as if I were a small business, and answer 35 pages worth of forms. Although I am the only "employee," and am basically just a science writer, I had to answer questions regarding my policy on disposing of nuclear waste, and on equal opportunity hiring. Since I reside overseas, I had to obtain an ID number from NATO.

After a couple of years, they informed me my registration had expired, and I had to renew my registration. However, I had registered under my name without my middle initial, while I had obtained my NATO number using my middle initial. Although I tried repeatedly to reconcile the registrations, and called the help center, it proved utterly impossible to renew my registration. Fortunately I haven't had any new government contracts. In the event I do, I'm sure I'll be better off starting all over rather than trying to renew my former one.
  #40  
Old 11-17-2019, 09:30 AM
Bayaker is offline
Guest
 
Join Date: Dec 2016
Location: A town on Galveston Bay
Posts: 4,271
Quote:
Originally Posted by Lightray View Post
I recently tried to arrange a Hold Mail with USPS, which I have done many times before. Denied. New security measures in place require you to register (i.e., give them your valuable data), and be verified. You can be verified via cell phone... but it wouldn't accept my cell# as acceptable for verification, and there was no available information to be found on why a cell# might be unacceptable.

As an alternative, you can request a code be mailed to you within 10 working days, with which you can set up your Hold Mail. Of course, I was out of town by the time it arrived, so that was a big help.

Couple weeks after I got the code in the mail, USPS sent me a helpful email because I'd used Hold Mail before, explaining that they were changing how it works. :eyeroll:
The same thing happened to me about a week ago. An additional tidbit is that on the registration screen "phone number" is a required field, but below that is a box for "cell (maybe it was mobile) number" which is not a required field. I didn't fill that out because my cell is turned off most of the time and I don't want the USPS calling it anyway. I got to the Hold Mail screen and was informed about the necessity of my cell number for "verification", and had to go back and update my profile to include it. Of course then my cell number was unacceptable to them for no given reason. Apart from getting a letter in ten days (I was going out of town in three days) the only other option is that I do it in person at the Post Office. I suppose there has been a problem with evildoers who have someone else's mail held for shits and giggles while they twirl their mustache, otherwise they wouldn't require all this crap, right?

Off I go to the Post Office. The nice lady at the counter gives me a short form, which I fill out while we chat pleasantly about the weather and my upcoming fishing trip. I hand her back the form and go on my way.

No ID or any "verification" was requested, much less required. Aaargh!
  #41  
Old 11-17-2019, 10:54 AM
Eva Luna is offline
Charter Member
 
Join Date: Oct 2001
Location: Chicago-ish, IL
Posts: 10,841
Quote:
Originally Posted by Broomstick View Post
This isn't entirely new - back in the 1990's when the company I worked at was using the internet more and more the IT department put a porn filter on the web browser/e-mail/etc.

The problem? My department was medical research doing a project on breast cancer. Yep, EVERYTHING blocked. Howls from the researchers. Management meetings.

The IT department's answer? "Can't you use words other than "breast" and "mammary"?"

Uh, no, not really, not when you're searching for information on breast cancer in the published literature where literally all the titles and keywords were things like "breast" and "mammary".

Eventually something was sorted out so our department, at least, could search on terms like "breast" (and other "naughty" body parts).

But I suspect it's only gotten worse.
Years ago, when I was working in-house in a large financial services corporation, I was working on a green card application for a lovely Chinese woman whose last name was Dong. One day I tried to send an email to outside counsel about her case, and got a sternly worded auto-response that I had violated the company's profanity policy, and that action would be taken up to and including termination. When I realized what had happened, I called the help desk and told them they had tweaked their filters a bit too hard - it was her name, for chrissakes! They were laughing and told me that there was a Thai woman whose name included the letters "porn" who was unable to get any email at all, among other things.

Then, since my function was part of the employment law department, I marched down the hall to my boss' boss, who was married to a Chinese woman (my immediate boss was on maternity leave, and this issue would have been more his department anyway) and told him what had just happened in case IT contacted him to inform him of my horrible policy violation. We both had a good laugh about it.

Last edited by Eva Luna; 11-17-2019 at 10:55 AM.
  #42  
Old 11-17-2019, 11:27 AM
MEBuckner's Avatar
MEBuckner is offline
Charter Member
 
Join Date: Aug 2000
Location: Atlanta, Georgia, USA
Posts: 12,223
Quote:
Originally Posted by Colibri View Post
Although I am the only "employee," and am basically just a science writer, I had to answer questions regarding my policy on disposing of nuclear waste, and on equal opportunity hiring.
So, what is your policy on disposing of nuclear waste?
  #43  
Old 11-17-2019, 12:13 PM
susan's Avatar
susan is offline
Guest
 
Join Date: Jul 2002
Location: Coastal USA
Posts: 9,671
I've also been to my post office to fill out a slip of cardstock. They say that there is a glitch and no one can get authorized on line right now. Oh, how we laughed.
  #44  
Old 11-17-2019, 01:26 PM
Folacin is offline
Guest
 
Join Date: Oct 2008
Location: North of the River
Posts: 3,698
Quote:
Originally Posted by Bayaker View Post
Off I go to the Post Office. The nice lady at the counter gives me a short form, which I fill out while we chat pleasantly about the weather and my upcoming fishing trip. I hand her back the form and go on my way.

No ID or any "verification" was requested, much less required. Aaargh!
Not that the hoops aren't ridiculous (if they even worked), but if I'm a hacker looking for laughs, I could presumably fairly easily code up something to randomly put a hold on the mail for an entire city if there aren't at least some checks on the online form.

Doing it in person would be a tad more difficult.
  #45  
Old 11-17-2019, 01:38 PM
Colibri's Avatar
Colibri is online now
SD Curator of Critters
Moderator
 
Join Date: Oct 2000
Location: Panama
Posts: 43,586
Quote:
Originally Posted by MEBuckner View Post
So, what is your policy on disposing of nuclear waste?
Put it in the dumpster next door and run like hell before anyone sees me.

As much as I might be in favor of diversity in the workplace, unfortunately at the moment my staff consists of a single white male (me).
  #46  
Old 11-17-2019, 03:02 PM
LurkMeister is offline
Charter Member
 
Join Date: Mar 2002
Location: Central NC
Posts: 4,684
Quote:
Originally Posted by Bayaker View Post
The same thing happened to me about a week ago. An additional tidbit is that on the registration screen "phone number" is a required field, but below that is a box for "cell(maybe it was mobile) number" which is not a required field. I didn't fill that out because my cell is turned off most of the time and don't want the USPS calling it anyway. I got to the Hold Mail screen and was informed about the necessity of my cell number for "verification", and had to go back and update my profile to include it. Of course then my cell number was unacceptable to them for no given reason. Apart from getting a letter in ten days (I was going out of town in three days) the only other option is that I do it in person at the Post Office. I suppose there has been a problem with evildoers who have someone else's mail held for shits and giggles while they twirl their mustache, otherwise they wouldn't require all this crap, right?

Off I go to the Post Office. The nice lady at the counter gives me a short form, which I fill out while we chat pleasantly about the weather and my upcoming fishing trip. I hand her back the form and go on my way.

No ID or any "verification" was requested, much less required. Aaargh!
I recently went through the same thing, except that somewhere I found a phone number that allowed me to register the hold request just by going through an automated phone tree. At the end of the call I was given a confirmation number. Just to double-check I then went to the USPS website and called up the hold request to verify it. Good thing I did, because they had the wrong date delivery was supposed to resume. They also had my name (which I had been required to give during the phone call) as something like "baba wawa". I had also requested that they mail me a registration number, which I got three days later and was able to post to my account before I left.
  #47  
Old 11-18-2019, 11:24 AM
Pleonast's Avatar
Pleonast is offline
Charter Member
 
Join Date: Aug 1999
Location: Los 'Kamala'ngeles
Posts: 7,326
I've seen plenty of security "successes".

1. Login client A and login client B clipping the inputted password to different lengths. Passwords should never be clipped at any length a person is likely to type anyway (because it reduces the number of possible passwords), but at least do it consistently.

2. Password restrictions on the characters typed like: after three lower-case letters you have to have a number or upper-case letter. Which greatly reduces the possible number of passwords.

3. System-wide lock-outs. If a username is tried and fails to log in after five tries, that user cannot log in anywhere on the network for 30 minutes. That got fixed quickly when pranksters (it wasn't me!) repeatedly failed to log in with the CEO's username, thereby locking the CEO out of everything. Multiple times.

4. Requiring files to be encrypted to each user and with an admin master keyfile, but then encrypting the master keyfile. No one noticed until a user forgot their password and the admin couldn't reset with the master key, because they needed the unencrypted master key to do it. Analogous to locking yourself out of the car. Fortunately they had also added some Microsoft OS key (which brings up more questions) into the encryption, so after a day or so on the phone with MS support, they were able to get things unlocked.

Quote:
Originally Posted by Hermitian View Post
But doesn't just about every system lock you out after about 5 tries anyway? So why is brute-forcing even a concern?
Brute forcing is a concern because of this attack: someone gets access to the system and manages to copy the password table to their own system. The passwords should be salted and hashed, so the table doesn't immediately help the attackers. But, they can then try the most common passwords against each entry in the table at their own leisure. This is why anything that reduces the possible number of passwords is a security flaw.
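The keyspace reductions Pleonast lists (rule 1, clipping; rule 2, the "three lowercase then a digit or capital" rule) and the clipped "password12" case from Die Capacitrix's post, worked through as an added example; this is not code from the thread, and the 62-symbol character set, the function names and the clip lengths are my own assumptions.

```python
import math

# Constructed, simplified character set: lowercase, uppercase, digits (62 symbols).
LOWER, UPPER, DIGITS = 26, 26, 10
ALPHABET = LOWER + UPPER + DIGITS


def count_unrestricted(length, alphabet=ALPHABET):
    """Number of passwords of exactly `length` characters with no composition rule."""
    return alphabet ** length


def count_no_long_lower_runs(length, max_run=3, lower=LOWER, other=UPPER + DIGITS):
    """Pleonast's rule 2: after `max_run` lowercase letters the next character must
    be a digit or uppercase letter, i.e. no run of more than `max_run` lowercase
    letters anywhere. Counted by dynamic programming over the trailing-run length."""
    # state[r] = number of strings built so far that end in exactly r lowercase letters
    state = [1] + [0] * max_run
    for _ in range(length):
        nxt = [0] * (max_run + 1)
        for r, n in enumerate(state):
            if n == 0:
                continue
            nxt[0] += n * other            # digit/uppercase: the run resets to 0
            if r < max_run:
                nxt[r + 1] += n * lower    # lowercase: the run grows, while allowed
        state = nxt
    return sum(state)


def bits_lost_to_rule(length, max_run=3):
    """Entropy (bits) the composition rule removes from a uniformly chosen password."""
    return math.log2(count_unrestricted(length) / count_no_long_lower_runs(length, max_run))


def effective_bits_after_clipping(typed_length, clip_length, alphabet=ALPHABET):
    """Pleonast's rule 1: a client that silently clips the password to `clip_length`
    characters makes everything typed past that point irrelevant to a guesser."""
    return min(typed_length, clip_length) * math.log2(alphabet)


def clipped_login_succeeds(password, enrol_clip, login_clip):
    """Die Capacitrix's case: enrolment stored the full password, the login client
    clipped it. Two clients clipping at different lengths lock such users out."""
    return password[:enrol_clip] == password[:login_clip]


if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        print(f"length {n:2d}: rule 2 removes {bits_lost_to_rule(n):5.2f} bits")
    print(f"12 chars clipped to 8: {effective_bits_after_clipping(12, 8):.1f} bits "
          f"of the {effective_bits_after_clipping(12, 12):.1f} typed")
    print("password12 enrolled unclipped, login clips to 8 ->",
          clipped_login_succeeds("password12", 64, 8))
```

The bit counts assume a uniformly random password, so they are an upper bound on what the rules cost; against the offline guessing Pleonast describes, every bit removed is a proportional cut in the attacker's work.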
  #48  
Old 11-18-2019, 11:55 AM
Kobal2's Avatar
Kobal2 is offline
Guest
 
Join Date: Mar 2008
Location: Paris, France
Posts: 19,111
Quote:
Originally Posted by Colibri View Post
As much as I might be in favor of diversity in the workplace, unfortunately at the moment my staff consists of a single white male (me).
If I were you, I'd report my manager to HR. And unionize to fight against discriminatory hiring practices. And then fire myself for spreading that dangerous union talk.
  #49  
Old 11-18-2019, 01:18 PM
Rysto is online now
Guest
 
Join Date: Jun 2002
Posts: 7,207
Then sue yourself for labour law violations and you'll be rich!
  #50  
Old 11-18-2019, 02:50 PM
Atamasama's Avatar
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,739
Quote:
Originally Posted by Bayaker View Post
I suppose there has been a problem with evildoers who have someone else's mail held for shits and giggles while they twirl their mustache, otherwise they wouldn't require all this crap, right?

Off I go to the Post Office. The nice lady at the counter gives me a short form, which I fill out while we chat pleasantly about the weather and my upcoming fishing trip. I hand her back the form and go on my way.

No ID or any "verification" was requested, much less required. Aaargh!
Since you weren’t twirling your mustache in the post office they knew you were okay.