Yep, the whole idea of a password should be thrown out the window. It should be called a passphrase. Cracking as well as brute forcing are terribly difficult if you just make the password longer.
The most secure networks I have dealt with involved a multilayer password protection setup. It was a lab where some super secret stuff was going on and only a few people had access to it. The entire building was sectioned off by key fob scanners. A user would swipe into certain areas to get physical access to certain rooms and labs. When they logged into the PC, their credentials were authenticated not only to the domain controller, but also to the key fob database, which linked swipes, location, and usernames together. This way, someone from the outside trying to access a PC as a lab tech that never swiped into the building would get denied. The theory was: if someone was never physically swiping into the lab, why would they be logging in with that username?
Just a small part of what went on but THAT is password security.
That’s a hell of a setup
One of the reasons why I really like it (aside from that it’s very secure) is that it’s easy on the user. Swiping to get in is easy, and most times expected.
There is a datacenter with similar security: you use RFID fobs to unlock racks. They also hang sensors from the ceiling to detect the location of the RFID fobs on the people in the datacenter lol
It’s always about layers of security
Normally places that don’t want remote access just air gap the two networks
Ya it was pretty awesome. Users were already required to each swipe in and out of doors. You enter a room/lab/section, you were already swiping yourself in and out even if you walked in with a group. As soon as you swiped, the database was updated, and that was tied to the network and user access control. Swipe out and the system knew you were gone. Also protected against people leaving their account logged in.
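The swipe-correlated login check described in the posts above, written out as an added Python example (not code from the thread or from the lab it describes): the usernames, workstation names, zones and badge events are all constructed for illustration, and the domain-controller result is passed in as a plain boolean.

```python
# Added example: a login-time check that consults a badge-swipe log,
# as the poster describes. All names and log lines are constructed.
from datetime import datetime, timedelta

# Constructed badge events: (timestamp, username, zone, direction)
BADGE_LOG = [
    ("2024-05-01T08:02:00", "alice", "lab-3", "in"),
    ("2024-05-01T08:05:00", "bob",   "lab-3", "in"),
    ("2024-05-01T11:30:00", "bob",   "lab-3", "out"),
]

# Which badge zone each workstation physically sits in (constructed).
WORKSTATION_ZONE = {"lab3-ws01": "lab-3", "lab3-ws02": "lab-3"}


def last_badge_event(user, zone, before):
    """Most recent swipe by `user` in `zone` at or before `before`."""
    events = [(datetime.fromisoformat(ts), direction)
              for ts, u, z, direction in BADGE_LOG
              if u == user and z == zone
              and datetime.fromisoformat(ts) <= before]
    return max(events, default=None)


def physical_presence_ok(user, workstation, when,
                         max_age=timedelta(hours=12)):
    """True only if the user's latest swipe in the workstation's zone is an
    'in' event that is not stale. Unknown workstations fail closed, and a
    swipe-out (the 'system knew you were gone' case) revokes access."""
    zone = WORKSTATION_ZONE.get(workstation)
    if zone is None:
        return False
    event = last_badge_event(user, zone, when)
    if event is None:
        return False
    swiped_at, direction = event
    return direction == "in" and when - swiped_at <= max_age


def authorize_login(user, workstation, when, domain_ok):
    """Both the domain controller AND the badge database must agree."""
    return domain_ok and physical_presence_ok(user, workstation, when)
```

Because the check only ever tightens the domain controller's answer, a missing or stale swipe record denies the login rather than granting it.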
I always crack up at people who have servers or network equipment and ask “Well, what if the user plugs a cable into it, what info can they get?” or “Can I access the device from its serial port and only have to use one password?”. LOCK YOUR DAMN DOORS IDIOT!
Sadly, at some large institutions COUGHUNIVERSITIESCOUGH it’s WAY too easy to get physical access to a device on the network. Hell, sometimes it’s as easy as walking in and plugging a device into a jack with DHCP or just hijacking a workstation. Workstations with USB booting enabled can be a quick in. Super easy to either boot an OS from it, or just use a boot disc to hack the Admin password. Linux boxes are stupid easy if there isn’t a GRUB password.
Haha ya. I have done consulting for companies and just talked to users, and within 30 seconds they give me their workstation, go to get coffee, and will even give me a post-it note with their password on it without my even asking. Gotta educate your users, limit the general population, and secure the equipment you deem critical. A router or server in a remote building that is just a proxy for something simple doesn’t need its own locking rack, but your school’s student databases may not want to be in a room the part-time maintenance guy has access to.
Sadly, there are places where sensitive devices are in switch closets where it’s questionable who has the keys to it.
It’s just the nature of the beast. People who don’t know what they are doing just stand these servers up wherever they feel like it and nobody even knows it’s there, let alone physically and remotely vulnerable.
Unfortunately it’s not always the decision of the IT department to lay out things that way. Budgets, CIOs, VPs all come into play when architecting (<-not a word? huh…) a network. ESPECIALLY if you are understaffed…ask me how I know :).
Oh trust me, I know all about it
actually? it isn’t.
Anyway, you’re more likely for some careless 'tard barge to let someone in like in the RSA scenario than to have someone crack your MEGA PASSWORD, so why bother remembering something retarded when anything better than “password1234” is going to make your account more secure than 90% of them out there?
I can count the people with DoD clearances on this site on one hand.
The number of people however that have ridiculously complex passwords far exceeds that, which was my point. Most people have retardedly long passwords for their gmail account so their girlfriend doesn’t figure out they are into a CP ring, which, while a good secret to protect, is moderately worthless. The likelihood that any single account is going to be the victim of a brute force attack I’d also say is relatively low (but that’s just a guess).
Protip: Nope.
The other thing is, last I checked, we didn’t live in the movie hackers.
Gaining access to my email address is hardly going to allow you to take over my company.
Sorry, not quoting that mess. Remembering a 3 word phrase that you type 20-30 times per day isn’t difficult.
As a system administrator working now in the realm of security, my opinions are understandably different. However, I think if you’ve seen things from my perspective, your opinions might be more aligned with mine.
Well I’m one of them, and regardless my gmail password is decently long and I use Google’s 2 factor authentication :lol:
Nothing worse than bitching about security and getting pwned
Well that’s kinda like saying, why bother with a WEP/WPA key on my router…the chances of someone hacking YOUR WiFi and stealing all your travel information, blah blah blah is slim. Why bother locking your car, if someone can just smash the window.
A number of very real possibilities.
You may use the same password structure
You may email funny things to people at work, which could be exploited to send attacks
Banking info?
Facebook info? possible links to coworker info
Send an email back to you based on similar emails in your inbox and gain access to your PC, where you might VPN into work or log in to corp email etc
And you guys think I have too much time on my hands.
Ya, people now have the same passwords for things. A single email account can get a user’s general password. Typically, the non-DoD-clearance user has the same password for a lot of accounts and you can work from there to really cause problems for the user. Lots of places, their email/AD/VPN passwords are all the same, so you can gain access to the network and start attacking internal things pretty easily from the outside.
I hope no one hacks my NYSpeed account…
I’m working on getting access to a poorly secured traffic signal control system…
Then I will have full access to all other databases used for national security and I can blow stuff up with my PC.
(Maybe I’ll disguise myself as a state trooper from Alabama)
You security noobs clearly do not understand how the worlds databases are interconnected.
Are you serious? Clearly I know more than you. They are connected by tubes!!!
Biometrics FTW! Err, wait… :tinfoilhat: