IT Horror Stories: Password Security

Passwords are great until you realize that they introduce a human element into your cryptographic or authorization scheme. I’m serious, no matter how secure is your system, some genius user will find out a way to totally wreck it on day one. Before you say anything, let me assure you I do not have photographic memory and I do not expect people to use 64 character non-alphanumeric, random pass phrases. I know how this whole password thing works for most people.

Most of us can remember around 5 or 6 passwords at a time. Some people use more, some use less. We tend to reuse these passwords between different services, often tacking some numbers or characters at the end or in the middle somewhere. And that’s ok in most cases. As long as those passwords are not straight dictionary words, this scheme works. It’s not perfect but it is serviceable. What I wanted to share today are some more colorful password related stories.

Lock out after 25 failed attempts

Once upon a time, I was doing my time in the IT purgatory. Wait, actually it might have been hell. I’m not sure anymore. Which one is the one where you are tormented by idiotic questions all they long? I was in that one. I don’t really remember the details (I blocked them out) but at some point someone decided to implement more better SECURITAR on the company laptops. The idea was that having full disk encryption on these machines is nice and all, but it sort of defeats the purpose when half of users have set their password to be the name of their dog or first born child and then never, ever change it. We can tell them to change it every 30 days, but they won’t until we force them. So idea which I think originated somewhere in the upper echelons of the institution, was to do exactly that. Force them to change passwords. Oh, and make the logins more hack proof because someones 16 year old nephew said he could totally brute force into one of our laptops. So we changed our policies to require people to change their passwords every 30 days, and added a rule that would lock out the user if he failed 25 consecutive login within 5 minutes.

I mean, everyone has like 5-6 passwords they use, with some variations. Plus most of them are hunt-and-peck typists, and as we discovered only the members of the IT caste actually know that you can switch between username and password field using tab and then hit enter. Most of our users mouse the fuck out of the log in form like it was fucking Farmville. So if someone is averaging more than 5 attempts per minute for 5 minutes straight then its’ probably that asshole nephew showing his uncle his 1337 hax and we should lock him out.

So we push out the policy to the users, and forget about it for about a month. Exactly 31 days from when we pushed the button, I walk into work (late) only to see that everyone’s faces are white with sheer dread. Every phone in the IT office is ringing on all the possible lines, and everyone is crashing. Apparently around 30 remote users changed their password the other day, forgot about it, and then locked themselves out of the computer via that magical 25 in 5 rule. Don’t ask me how or why it happened, but they did it. One after the other, all the accounts were being locked out. And it’s not like we didn’t test this, or that there was some bug that caused it. Most people didn’t have a problem with the new policy.

After that, the new security rule was to gently remind users to change their passwords at least once every 6 moths via email, and never ever lock anyone out no matter what they do. Yaaay security!

Master Password

One day I’m sitting in my cube, chewing on my cardboard flavored lunch special from the cafeteria, extruding condensed hatred and contempt for the world out of every pore and imagining that I’m somewhere else. Suddenly a recent hire appears in my cubicle and demands that I reset the password on his computer. I look at him then glance at my food, and then back at him again hoping that maybe I can non-verbally communicate that he needs to fuck off while I eat. He doesn’t get it. I try to explain that there is a button for that, but he says he looked all morning, and could not find it. I could probably say something or just ignore this guy, but he has fierce determination in his eyes and I can tell he is not going to give up easily. Resetting a password should be quick and easy. I can get him off my neck, and still have plenty of time left in my lunch hour to wallow in my misery, hate life and all that good stuff. So I tell him to lead on, and we embark on a colorful quest back to his cubicle which is conveniently located in a fucking different hemisphere somewhere.

After waling for what seemed like days, I sit at his desk and point to a large button that says “change password”. Quest completed. Zero experience points awarded. Fuck everything that lives, I’m ready to go home.

“It wasn’t there before” – he explains quite seriously, suggesting it’s probably some bug in our shitty software. Of course it wasn’t there. We hide buttons from our users all the time. We also put proximity detectors in all their computers so that they don’t break or do weird stuff, and show all the missing buttons when an IT person is present. Yep – we are crafty and mischievous bunch.

The guy proceeds to hand me a crumpled up sticky note. “Change it to that” he orders authoritatively. The note has a common female name followed by a two digit number, which I assume belongs to his wife, daughter, underage mistress or perhaps a dog. It’s not a good password, but whatever. I have cardboard flavored sandwich with my name on on the other end of the building – I don’t give a fuck at this point. I change it for him, shake his hand and try to get away as fast as possible. The guy seems pleased so he quips:

“Now, I trust you buddy! That password is like they key to my life. I use it for everything. So don’t go snooping in my bank account or nothing… Har har har… *unwanted shoulder pat*”

That very moment was when the rational part of me committed ritual suicide, and died. Apparently the guy just changed passwords for all his work accounts (save the one I helped him with) to the same one that he uses for his Yahoo, Ebay, his bank account and everything else. You know – the password he is going to be typing into every phishing form on the internet.

I’m not sure what happened next. I am pretty sure an evil which appeared and turned me into a newt. I got better though.

WPA Password

Here is a word of advice: don’t tell anyone you work in IT. In fact don’t tell anyone you work with computers. Or near computers for that matter. I am serious about this. I think there is some sort of memetic wetware virus going around that hacks people’s language centers. When you say “I worked in IT once” the infected hear “I provide free tech support to everyone who asks”. It is quite disturbing.

I tried lying about my profession but people see through it right away. I guess it’s the lack of exposure to the sun, bags under the eyes and caffeine addiction that tips them off. Needless to say I get wrapped up into these “Free Tech Support” scenarios all the time though. One of the biggest requests next to disinfecting machines from their meticulously collected spyware is networking. This is slightly unrelated rant, but most people don’t know how to fucking work a router. They treat it like some arcane boxes full of evil magic that must be coaxed by a specialist. IT person is good, but if they can get a programmer they usually feel better. Cause, you know – programming is like configuring things, but better.

So a router-less acquittance of mine tasks me with setting up wireless network for them. Free of charge of course. And naturally, the implicit part of the deal is that I take personal responsibility for anything going wrong with any computer that anyone brings into their house. Cause you know, I set up their wireless so if shit breaks, it is automatically my fault and I better fucking fix it. I really love how these deals turn out. Don’t you?

To make a long story short, I help them buy a router, dig out their dusty cable modem from the gigantic tangle of cables underneath their “computer desk”. It takes me about half an hour to actually get to the router, because it has been encased by a network of cabling so dense, it almost has it’s own gravity pull. Once I dig it out, I connect the router, power it up and go: “tada!”

Then of course I get a stupid, stupid idea to introduce them to WPA. So I set it all up and ask a simple question: what do you want your pass phrase to be. The answer? “Can we make it the same as SSID?”

Sigh… No.

“Oh, how about 67 Poopersmacker Street – you know, like the address here?”

Facepalm.jpg

“Ok, let’s put Joe – that’s my youngest one’s name”

How do you explain to a proud parent that a 3 letter name is not fucking good enough. Not to mention that the kid runs around the yard like a maniac, so the neighbors and any passers by hear his name being yelled out every 3 seconds on any given day. We go back and forward like this for half an hour, at which point I give up and settle on using the cats name plus someones’ date of birth. I wrap everything up, say my goodbyes and as I’m walking out the door I hear the couple I just helped have this exchange:

Her: “So what’s the password again?”
Him: “I told him to use Fluffy1234″
Her: “Oh, good. That’s what I use for my email, facebook and pretty much everything else”
Him: “Yeah me too…”

Shit! That’s the same combination I have on my luggage! Fuck my life.

TLDR

Passwords suck because people will always find a way to make them as insecure as possible.

ITT

Post your own password related horror stories in the comments. We had some great stories in the previous IT horror thread so I’m counting on you guys to deliver again. Don’t let me down.

This entry was posted in Uncategorized. Bookmark the permalink.



9 Responses to IT Horror Stories: Password Security

  1. k00pa FINLAND Mozilla Firefox Windows Terminalist says:

    Some people just don’t know what is a password and why it is needed….

    Reply  |  Quote
  2. lol luke! One of my friends linked to this article on IRC before I even got to see it in my feed reader. I was like “HEY I KNOW THAT GUY! HES A FRIEND OF MINE!… HE HELPS FIX MY TECH PROBLEMS ;) ;) ;) ”

    This is funny as heck. Funny because its true. I always enjoyed going to school and the teachers had their passwords on sticky notes on the monitor.

    Reply  |  Quote
  3. MrJones GERMANY Mozilla Firefox Linux says:

    I use qwertz and asdasd for accounts that are needless (newspapers etc) and some better stuff for mail and bank account. (like 1ha7eN3rd58500 ;))

    Heres a little tip for you: NEVER ask them any questions, just take the router manual or a piece of paper and write down the password and them tell them, “this is your new password. There is no way you can change it, so keep this one! If you lose it all your data will be lost”

    Ps: This ones exactly like your post!!!
    http://theoatmeal.com/comics/computers

    Reply  |  Quote
  4. Victoria UKRAINE Mozilla Firefox Windows says:

    Once upon a time I spent 7 horrible months of my life working at the IT department of a bank. I was the youngest member, two other guys were my bosses and they had that pattern for employee passwords that you type in a meaningful word in Russian only using English keyboard layout. We had a huge poster saying something like ‘If your password doesn’t match check your keyboard layout and Capslock BEFORE calling for IT help’ but it didn’t work.

    But the story is not about those stupid users who couldn’t keep their Capslock at bay. The story is about one of my bosses, an actual IT guy with CS Master’s, Java programmer and ‘The head of bank informational security’. One day he came to work and realised his ICQ didn’t work, the password was wrong. He tried retrieving the password to email, didn’t work, he sadly created a new account and scanned his computer for trojans with negative results. He spent 3 days finding some of his ICQ contacts building the list back. 3 days later… guess what… his ICQ stopped working again. Ouch! He was furious – he checked for keyboard spies, malware, viruses – nothing. He got another account and it stayed intact. It all was a mistery.

    After getting the hell out of that bank I kept contact with some of teller girls. One of them (she got fired before I left) told me a story. She was very angry with that boss of mine – he was very rude to her, talked behind her back calling her names and never did things she asked – like setting up new templates in old DOS-like banking system we had. So, after she got fired she told about all that her husband who was a programmer also. And about the password pattern (see above). He went to ICQ site and tried the first password he came up with. It matched. He killed the contact list, changed the email and the password and left. Each consequent day he and his wife checked ICQ for the same user they hacked. They found the new account 3 days after. And they tried to log in using the same data. It let them in. They destroyed the account info again and kept waiting for that user to pop up again. When he did, they tried the old password. FINALLY, it didn’t work. They stopped at that. What is the funniest part? The password was that IT boss’ first name and last name in Russian using the English layout.

    Reply  |  Quote
  5. The biggest thing to keep from having to be tech support for all your acquaintances is to deny knowing anything about Windows. This even works for networks. People that use Macs have few problems and people that run Linux are smart enough to fix it themselves. The best thing I ever did was buy my parents a Mac Mini. I had questions the first few weeks, right up to the point when I introduced them the the Apple Store Genius bar.

    When it comes to password resetting, I am quite the BOFH. I let them squirm for at least a day. When their manager comes to my desk, I prompty reset it while showing the fact that it was the user’s fault for being a dumb enough to forget it to begin with. This is usually accomplished by saying something like, “Man, he can’t remember his password here but has no problem logging into his Facebook account every day at work”.

    Reply  |  Quote
  6. Luke Maciak UNITED STATES Mozilla Firefox Windows Terminalist says:

    @ Travis McCrea:

    That happened to me before too. Someone sends me a link and I’m like – hey, I know this person! :)

    Also, sticky notes for passwords are just so cliche. I mean it’s 2010 – ie. the future. People should stick RSA tokens to their monitors now since in the future two factor authentication finally catches on… Oh wait… Never mind.

    @ MrJones:

    Yeah, I tried that. It ends up with them leaving panicked messages in my voice mail at 3am on Sunday night. It goes like this.

    “Ummmm… Luke…. I know it’s late but I forgot the password. I had it on that sticky note but I can’t find it. Do you think you could reset it remotely or something? Like today? I have a big report I have to finish before 8am on Monday. So… I mean, I’m not going to sleep so maybe you can stop by if you get this… I really, really need to get this thing out on time. So call me back. Like today. Hold on, I’ll try your house phone…”

    Oh, and the Oatmeal comics are awesome. There is one for every occasion.

    @ Victoria:

    I wonder if he figured out that someone guessed his password or simply forgot it and created a new one. I’d bet he forgot it. :)

    @ Craig A. Betts:

    Does that really work for you? Because most people I know think that “Software Engineer” stands for “Master of all devices electronic and mechanical”. People asked me to help them set up their audio systems, help them plug in their kids xbox to the TV (cause, you know – it can’t possibly be as easy to hook it up as it is to hook up a DVD, help people fix an electrical outlet, replace a battery in their phone, program their DVR and million other things. Usually people don’t believe me when I say that I know no more than they do about half of these things.

    The only difference is that I seem to have some common sense, and I can sometimes follow the pictures in the manual (reading it is usually out of question since half the time it is google translated from Chinese into Korean before someone runs it through babblefish to produce the English text).

    Reply  |  Quote
  7. Aaron UNITED STATES Mozilla Firefox Windows says:

    I work in the IT department of a certain university, and before a few months ago, there were no restrictions on passwords for the domain, now it’s draconian, has to be alphanumeric with special keys, cannot form a real word, yada yada yada. Before this, a professor dropped off their laptop with me because it was infected with viruses. Awesome. As he walked out of my cubicle I asked him what his password was. “My password? What do you need that for?” he asked. I said, “To log into your computer and work on it.” Now sure, I could have cracked the password or used my own domain, but I didn’t give a damn. So the professor leans over, and very quietly whispers “It’s poop.” He wasn’t kidding.

    Reply  |  Quote
  8. @ Luke Maciak:It works as long as you stick to your guns. I am quite persistent in stating that I am a UNIX admin. Yeah, I work on Windows a lot at work but I refuse to let that become the norm on my time.

    Reply  |  Quote
  9. Luke Maciak UNITED STATES Mozilla Firefox Linux Terminalist says:

    @ Aaron:

    LOL! That is actually quite priceless.

    @ Craig A. Betts:

    I shall remember that for the future. To bad it doesn’t work with pre-existing relationships. Most of the people who ask me for free support already know I can “fix things”.

    Reply  |  Quote

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>