Sep 18, 2019 7:38 AM
stone30
704394
3064
73
password
access_control
user
iso27001
no_limits
SaltyInternetPirate
I find this relevant, because I've been configuring a server (mostly compiling stuff) for the past two days. It's all abandonware on it.
DJudy
Assholes will get through anything.
cujo67
brianterrel
You want Shadow IT? This is how you get Shadow IT.
Raecracy123abc
As a data scientist my arch nemeses are network security people. For all you assholes out there, from the bottom of my heart, FU <3
chrisawhitmore
I'm currently using a home device tethered through my phone to work because my employers didn't consider 'getting anything done' a priority.
activedirectory
HerrBisch
I have no idea what the video is meant to illustrate, but I enjoyed watching it nonetheless.
gilliamv
AStupidWeeb
Shit, we should just use cats to illustrate everything.
jelladelta
So if you have a small pussy you can break into the internet? Cool!
karateninjazombie
SO MUCH YES! THIS is why I left the IT admin world after about 7 years. That and it's a thankless job with shit pay
limeburner
What’s a DLP?
flash71491
C h O n K y B o I
TrowelAndError
That’s one heckin’ chonk!
Chloesaurus
Got a pet gate to keep my cat out of a room. He knocked it over. I secured it. MFW he jumped over it...
Hotyr
This is EA's DRM isn't it?
puppyflips
HelplessRomantic
Maru is too patient ;)
Novuake
OH god this speaks to me.
Magus25
Do security people realize the harsher the security the more likely people will look for exploits, to make it usable again?
TheFastpaws
We just had an email compromised this morning sending out the usual click this crap.
bkcantthinkofanythingclever
I work at an MSP and we've had a couple of clients get their emails hacked and forwarded to someone else with bank info, etc. 1/2
bkcantthinkofanythingclever
yeah, those hackers got some money out of it, bunch of bitches
PhillFan
goflyblind
tonchandailvert
this user is getting tired of your shit
serepta
I’m not sure what this is about but my computer guru husband will explain it to me. Really funny tho!
imnotyourmum
I couldn't give you more than one upvote so I upvoted all comments.
madrush
*cries in IT*
michealangleo
Are you saying these policies aren't effective or that users will try to work around them?
Sciema
Yes
swedishpancakeswithlingonberries
No matter what checks you put in place, a user will always try to find a shortcut to get around them.
Bystandr
The authors' point is eventually it will cause the user to abandon the platform entirely, like I did to fucking Pinterest just for making me login.
SomeGrayFox
"Stop using Netflix, we're trying to gain trusted status with our new parent company." -IT Manager Circa 2012
Xedi22
We had similar at one point. Except we had to point out that many of the services they had issue with were our customers (including porn) ...we in sales & support needed to access, some that we had in house. After Corp HR/Legal's heads exploded...we all got new consent forms. :)
MyNameIsJesusAndIStealHubcapsFromCars
Stronger security makes it more difficult for the user to use the intended services. If you go too far the user will try to circumvent it.
Ferrumkit
Not gonna lie ... when we integrated an active token system it helped a ton.
Xedi22
I don’t mind these as long as I can keep my yubikey for it...
Ferrumkit
That's the worst part, it's great but requires people to not be idiots, a timed lockout helps but ultimately tokens rely on the user to secure them.
Xedi22
Yeah. We basically require they be kept on your keychain. (I know one guy that has it on a USB extension taped underneath his desk though.) ...but eventually that will go away because of the people who don't remove them when they leave for the day...
zorban99
Our cyber-environment is dangerous. It's too easy to defeat necessary security measures by using unsecured devices.
AydenBeeson
Not if it's carefully designed to prevent those devices getting to anything secure without going through something that adds protection
AreYouSuggestingThatCoconutsMigrate
Ya’ll should give Darknet Diaries a listen. Cracking podcast about IT security, social engineering and how stupid people are.
ImOPsMom
Any defense mechanism can be defeated given enough time and expertise. It's about slowing things down in order to detect and stop the action
NoYolo4Jesus
Exactly, make it time-consuming and/or expensive to compromise.
HowAboutTheBSharps
Not like that they aren't!
OldManDjohn
He is saying that cats are liquids
necroticon
Cats do not abide by the laws of physics, okay?
BigFatBobbie
I am glad someone has the courage to stand up and speak out about the real issues.
Numb3rThr33
You take that back!
[deleted]
[deleted]
Xedi22
Even worse, some very good employees eventually "give up" when their job becomes too annoying to just do, and become a clock puncher...
DonnaNobleInTheLibrary
Also, having four services the user needs to log into, which check that you don't use the same password for all. What's single-sign-on?
[deleted]
[deleted]
boevis
.... i do.
NotAgainRichard
Year? You mean 85 days.
Ferrumkit
85 days? I think you mean 60 days with lockout of the last 16 passwords used and minimum of special characters and numerals, nlt 16 characters long
ForcedToRegisterForPorn
That’s the policy at my work. Everyone just increments a number in the password, but it’s still a pain in the ass. I’m up to 45 now.
mouseasw
Here I am, a chump generating a new random password with LastPass every 90 days and then forcing myself to memorize it.
instanoodles
Set strong password requirements and you will probably find the passwords written on sticky notes stuck to monitors across the office.
PedanticGonkDroid
If you set "strong" password requirements, yes. The more stuff I have to include in my password, the easier it gets to crack. Let me do whatever I want and I'll have a 40-character string of nonsense that I don't need to write down.
Xedi22
This...max password lengths are super frustrating.
AknottheMangalore
They are effective until you use a home device improperly.
DestRoyals89
Both
bound4doom
Some actually make your environment even less secure. Most security people don't think in large scale computing and put pieces together. My favorite one where I work is we log every user name, success or failure. Good. We set policy where computers don't store user names. Most people screw up and type their password into the username field, hit enter, it fails, they realize it and log in with their user name. We now have a log of passwords followed by successful logins of user names. These policies by themselves: good. Combined: bad. More security = less sometimes.
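A defender-side check for the failure mode bound4doom describes, written as an added example that is not from the thread: it flags a failed login whose "username" is not a known account and is followed within seconds by a successful login of a known account from the same host, then redacts that field before the event is stored. The log layout, the known-user set and the 30-second window are assumptions.

```python
"""Detect and redact probable password-in-username-field failures in auth logs.

Added example (not from the thread): a failed login whose 'username' is
actually a password typed into the wrong field, followed seconds later by a
successful login from the same host. Log format, known-user list and the
30-second window are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Set

WINDOW_SECONDS = 30  # assumed: how soon a success must follow the failure


@dataclass
class AuthEvent:
    ts: int          # seconds since epoch (constructed sample values)
    host: str        # workstation the attempt came from
    username: str    # whatever the client sent in the username field
    success: bool


def redact_misfiled_passwords(events: List[AuthEvent], known_users: Set[str]) -> List[AuthEvent]:
    """Return a copy of the log where the username of any failed attempt that
    looks like a misfiled password is replaced with a fixed marker.

    Heuristic: the failed 'username' is not a known account, and the same host
    logs in successfully as a known account within WINDOW_SECONDS. The event
    is kept (the failure is still worth counting) but the secret is dropped.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    out = []
    for i, ev in enumerate(ordered):
        if ev.success or ev.username in known_users:
            out.append(ev)
            continue
        leaked = False
        for later in ordered[i + 1:]:
            if later.ts - ev.ts > WINDOW_SECONDS:
                break  # events are time-ordered, nothing later can match
            if later.host == ev.host and later.success and later.username in known_users:
                leaked = True
                break
        out.append(replace(ev, username="<redacted-possible-password>") if leaked else ev)
    return out


# Constructed sample log: alice types her password into the username box, then logs in.
SAMPLE = [
    AuthEvent(100, "ws-12", "Hunter2!2019", False),   # constructed, not a real credential
    AuthEvent(104, "ws-12", "alice", True),
    AuthEvent(200, "ws-40", "bob", False),            # ordinary wrong password by a known user
    AuthEvent(300, "ws-77", "nosuchuser", False),     # unknown name, no follow-up success
]
KNOWN = {"alice", "bob"}

if __name__ == "__main__":
    for e in redact_misfiled_passwords(SAMPLE, KNOWN):
        print(e.ts, e.host, e.username, "OK" if e.success else "FAIL")
```

Only the first event is rewritten; a plain wrong password by a known user and an unknown name with no follow-up success are left untouched, so the failure count stays accurate.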
Larandar
True
FoxyEllie
I've personally always hated password requirements, such as "must have a symbol". That kind of stuff actually *reduces* the possibilities!
strcmdman
It's the ones with the super arbitrary requirements, or that lock you out and don't tell you, looking at you Apple.
DnDInsanity
It reduces the number of possible passwords to a still insanely large number while eliminating dictionary attacks.
Ferrumkit
Just to hammer the point: https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Ferrumkit
I would say simple attempt/timed lock-out has largely derailed true brute-force methods but they aren't something to be ignored.
Telruin
People are lazy though. So I suspect it made passwords overall more varied.
BewaretheDevineTaco
It does not reduce the possibilities of the passwords you create, and when done right it makes your pw stronger.
DonnaNobleInTheLibrary
Only if you use a password manager. My aunt's mail password for example is , because she can remember that.
scribethemad
Only makes it stronger against brute force attacks, complexity is irrelevant against phished and stolen passwords though, which seems to be one of the larger problems these days.
BewaretheDevineTaco
That is true, but most stolen passwords are stolen as a hash and not as plain text. This means that complexity does make a difference.
scribethemad
That's not how math works.
DonnaNobleInTheLibrary
If you *have to* put a symbol in, most people will have it either at the beginning or the end. So for a first run, only look for them there. Similar with numbers, they'll either be at the end or as leetspeak-replacement in a word.
scribethemad
Sure, the usage is pretty predictable, but you still have to account for those possibilities, password and passw0rd and p@ssword, that does increase the possibilities you have to try, even if not by a ton, I'm only pointing out it's not a reduction, I am very familiar with >
Contundo
It sort of does. If there are too many rules passwords get predictable.
scribethemad
Sure, people tend to use them really predictably, but simply speaking of possibilities just adding a single digit at the end means trying every combination you would have tried all over again with 0 through 9, assuming a brute force. It multiplies the number of possibilities by 10. Sure a brute force is likely going to start with dictionary first so a simple word + 1 digit is worthless
Bunhyung
+1 for Maru
tugboatcaptain
I love Maru so much
jdasler
...that.....?
kizthewiz
It's honestly the most normal looking, but recognisable, cat in my life
shesblindingmewithscience
onepinksheep
Is that Hana when she was still a kitten?
xRAINxOFxBLOODx
Yes : )
mormacil
Ah yes rotating passwords, gotta love having 3 sets of routinely changing passwords. No way people are gonna use incremental changes.
pleaseconsiderthatImightbejoking
This is the shit that turns Grandma'sOatmealRaisinCookies into Password!2019.
therdin
Img4r12. Time to change password... img4r13
malachitekell
1qaz2wsx
gamesthatiplay
No way spyware from ads here on cat websites can ever collect your password as you type it.
mormacil
Why would I be entering my password to login to my system while I'm logged into the system to check on cat memes?
gamesthatiplay
It's not this password they harvest. They want your other passwords. Some people keep 10 - 100 browsers open and key loggers can sit in ads.
Staddi
That's why MS is dropping the password expiration policies. At work our passwords are viable for 1 1/2 years. Otherwise it's just insecure
BunnyBooBear69
Yeah, but that's if it's combined with other features, like 15 characters and 2FA.
Staddi
And 2FA should always be active tbh if it's a business / critical system, and that's often the case.
Staddi
15 characters is not really a problem, I remember my 14-character password easily. Not even a dictionary word and it has symbols/numbers.