Our "security" is so good, nothing fucking works anymore

Years ago, when I was working in-house in a large financial services corporation, I was working on a green card application for a lovely Chinese woman whose last name was Dong. One day I tried to send an email to outside counsel about her case, and got a sternly worded auto-response that I had violated the company’s profanity policy, and that action would be taken up to and including termination. When I realized what had happened, I called the help desk and told them they had tweaked their filters a bit too hard - it was her name, for chrissakes! They were laughing and told me that there was a Thai woman whose name included the letters “porn” who was unable to get any email at all, among other things.

Then, since my function was part of the employment law department, I marched down the hall to my boss’ boss, who was married to a Chinese woman (my immediate boss was on maternity leave, and this issue would have been more his department anyway) and told him what had just happened in case IT contacted him to inform him of my horrible policy violation. We both had a good laugh about it.

So, what is your policy on disposing of nuclear waste?

I’ve also been to my post office to fill out a slip of cardstock. They say that there is a glitch and no one can get authorized on line right now. Oh, how we laughed.

Not that the hoops aren’t ridiculous (if they even worked), but if I’m a hacker looking for laughs, I could presumably fairly easily code up something to randomly put a hold on the mail for an entire city if there aren’t at least some checks on the online form.

Doing it in person would be a tad more difficult.

Put it in dumpster next door and run like hell before anyone sees me.

As much as I might be in favor of diversity in the workplace, unfortunately at the moment my staff consists of a single white male (me).

I recently went through the same thing, except that somewhere I found a phone number that allowed me to register the hold request just by going through an automated phone tree. At the end of the call I was given a confirmation number. Just to double-check I then went to the USPS website and called up the hold request to verify it. Good thing I did, because they had the wrong date delivery was supposed to resume. They also had my name (which I had been required to give during the phone call) as something like “baba wawa”. I had also requested that they mail me a registration number, which I got three days later and was able to post to my account before I left.

I’ve seen plenty of security “successes”.

  1. Log-in client A and log-in client B clipping the inputted password to different lengths. Passwords should never be clipped at any length a person is likely to type anyway (because it reduces the number of possible passwords), but at least do it consistently.

  2. Password restrictions on the characters typed like: after three lower-case letters you have to have a number or upper-case letter. Which greatly reduces the possible number of passwords.

  3. System-wide lock-outs. If a username is tried and fails to log-in after five tries, that user cannot log-in anywhere on the network for 30 minutes. That got fixed quickly when pranksters (it wasn’t me!) repeatedly failed to log in with the CEO’s username, thereby locking the CEO out of everything. Multiple times.

  4. Requiring files to be encrypted to each user and with an admin master keyfile, but then encrypting the master keyfile. No one noticed until a user forgot their password and the admin couldn’t reset with the master key, because they needed the unencrypted master key to do it. Analogous to locking yourself out of the car. Fortunately they had also added some Microsoft OS key (which brings up more questions) into the encryption, so after a day or so on the phone with MS support, they were able to get things unlocked.

Brute forcing is a concern because of this attack: someone gets access to the system and manages to copy the password table to their own system. The passwords should be salted and hashed, so the table doesn’t immediately help the attackers. But, they can then try the most common passwords against each entry in the table at their own leisure. This is why anything that reduces the possible number of passwords is a security flaw.

If I were you, I’d report my manager to HR. And unionize to fight against discriminatory hiring practices. And then fire myself for spreading that dangerous union talk.

Then sue yourself for labour law violations and you’ll be rich!

Since you weren’t twirling your mustache in the post office they knew you were okay.

A few months ago I got locked out of all systems at work including my email. The IT “Help” Desk kept insisting they had to send me a password reset email and that it was the only way to reset my password. :smack: They were very insistent that it was impossible to reset it any other way. To be fair he did offer to send it to my personal email; which is blocked on company computers, we have no wifi for ordinary employees, and data service in our building sucks. Eventually I had to escalate 2 management levels to get it resolved. And our parent company is a global technology company to boot.

Sounds like there may have been an old mainframe in there somewhere. Until just a couple of years ago, our mainframes running CA Top Secret would cheerfully ignore the ninth and any further characters typed into the password field at login. You couldn’t create a password longer than eight characters, but if your password was password you could enter passwordsarethetoolofthedevilandadda#anda7forthehellofit and you’d get in. That’s been fixed and users can use anything from 6 to 128 characters.
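The clipping failures described in the posts above (two log-in clients truncating at different lengths, and a login that ignores everything past the eighth character), reproduced as an added example that is not part of any poster's message. The function names, the PBKDF2 parameters and the sample password `correcthorsebattery` are assumptions for illustration; the 6 to 128 bounds and the long `password...` string are the ones quoted in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000        # demo value, kept low so the example runs quickly
MIN_LEN, MAX_LEN = 6, 128  # bounds quoted in the thread for the fixed system


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password, clip=None):
    """Store a salted hash. `clip` models a client that silently truncates."""
    salt = os.urandom(16)
    return salt, _derive(password[:clip], salt)


def verify(record, attempt, clip=None):
    salt, stored = record
    return hmac.compare_digest(stored, _derive(attempt[:clip], salt))


def enroll_strict(password):
    """Hardened form: refuse out-of-range input instead of truncating it."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    return enroll(password)


def verify_strict(record, attempt):
    return MIN_LEN <= len(attempt) <= MAX_LEN and verify(record, attempt)


def demo():
    long_attempt = "passwordsarethetoolofthedevilandadda#anda7forthehellofit"
    clipped = enroll("password", clip=8)           # system that keeps 8 chars
    mixed = enroll("correcthorsebattery", clip=8)  # password set via client A
    strict = enroll_strict("password")
    return {
        "clip8_accepts_any_suffix": verify(clipped, long_attempt, clip=8),
        "client_b_rejects_real_password":
            not verify(mixed, "correcthorsebattery", clip=12),
        "client_a_accepts_8_char_prefix": verify(mixed, "correcth", clip=8),
        "strict_rejects_suffix": not verify_strict(strict, long_attempt),
        "strict_accepts_exact": verify_strict(strict, "password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With clipping, only the first eight characters ever reach the hash, so a longer password adds nothing against an offline guess of the stored table; the strict variant rejects over-length input outright so every typed character counts.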

Hey, I’ve got another one.

Got assigned an online course for company training. I’ve used this system before but can’t find my credentials. I get on the site and the only way to recover a password is if you already know your user name. I call them up, they readily acknowledge that I am, in fact me, because I can spell my complex last name, and I know the email and phone number associated with the account.

But… no. They won’t give me my user name, which would enable me to reset my password. Because “security”. I have to contact some damn administrator at my company. We are truly living in Terry Gilliam’s Brazil.

What’s really laughable about this is the training and tests I’m supposed to do are very industry specific and esoteric information. They even give you the answers as part of the course! What am I going to do, hire a 15-year old Asian kid to take it for me like it’s the SAT? This is absurd.

I don’t understand this one. They shouldn’t just give you your username over the phone. And you have to call someone to get it? So what? It’s for your own protection.

Security is not there for your convenience. It’s for your protection. Read some of Mitnick’s books about what he could accomplish simply because people told him stuff over the phone.

As I said in the last paragraph of my post, it’s more because the stakes are so low that I find this ridiculous.

But even so, the information I gave them (on the phone because there was no other method provided) should pretty well establish my identity. Counting the email address, I gave them about 5 factors of authentication. My own protection? Maybe in theory. But in actuality here’s what was accomplished today - they prevented an authentic user from accessing the system legitimately.

Sometimes that happens. Perhaps the system also prevented 25 malicious users from accessing the system illegitimately?

I’m curious though, did you give them all your 5 factors of authentication before or after they told you that you had to call someone else to get your username?

I seriously doubt that, again because this is a very esoteric undertaking with not very much at stake. There would be no reason to hack it. The only thing I can imagine their precautions would guard against would be someone else logging in as me to take the tests for me. But if I were going to do that, I’d just give my credentials to that person. Or, if physically present, log in and let them have at it.

More to the overall point though, when we design security systems that are meant to thwart the .0000whatever percentage of people with nefarious intentions and inconvenience the vast majority of people who aren’t up to no good… well, that’s bad. I grant you, sometimes it’s necessary when the stakes are high. But even then, we see things go awry (hello TSA!) and have good reason to question how we do things.

I see a lot of creep on this, both online and in the physical world and I’m getting a bit fed up. Hence the title of this thread. I’m not up to no good, never have been, never will be and I’m tired of being thwarted from doing what I need to do by security that is poorly designed, overly aggressive and sometimes of questionable necessity in the first place.

I spoke with two people and gave them both some information to identify myself. They seemed about to help, then put me on hold, came back and said no.

Seems to me to only inconvenience those who forget their username, and don’t know the policy on who to call to get it. Clear instructions on what to do to get your username should be on the web site. If they are not, that’s not security’s fault.

Those two people wasted your time because they didn’t know the policy. Again, not security’s fault.

I did science for a Federal agency. I worked on a campus with several federal buildings. The building next to mine was a different branch of our agency, but we collaborated a lot. Also, this campus was a loong way from Washington DC.

We had a project that required the regular transfer of many many GB back and forth (but a high-speed network was still faster than carrying a hard drive back and forth). Unfortunately, the two agency branches had their own separate IT security divisions headquartered in DC. So the setup meant every byte had to go from our campus to DC, be inspected by one branch’s security outbound, go to the other branch in DC, be inspected inbound, then sent back to the other building on our campus. This was incredibly slow AND kept breaking/timing out. After many many tickets and lots of head-scratching, and many many refusals from national IT to bypass, someone in DC (and I got this in writing) said: there’s no policy we can find against just running a stealth cable between buildings and treating one computer in building A as if it was located in building B. So that’s what we did.

When was this?