Passwords



bel.plews
5th November 2007, 12:27 PM
Can anyone outline why generic passwords for access to servers are BAD NEWS ... :mad:

MrJesseRoss
5th November 2007, 12:28 PM
Because people can guess them way too easily, or use programs to guess for them that will crack them in one pass of a dictionary?

bel.plews
5th November 2007, 12:32 PM
Need a reason to tell boss why his idea is a bad idea,
to strip everyone of their own passwords and put one password in for all?

... even if the server is behind a firewall and connected to the net!

MrJesseRoss
5th November 2007, 12:37 PM
How about 'If someone gains access to one guy's computer, they gain access to your private files'?

I'm sure your boss has some dirt in there that he doesn't want people to find. If he knows someone might get in, well, he might change his mind. :)

Disko
5th November 2007, 12:38 PM
Link him to this forum. Explain to him that there's a chap here called 'Disko' who will start a random word generator on trying to access said share starting tomorrow.

Thank him for making internet goblins' jobs easier. :)

bel.plews
5th November 2007, 12:47 PM
I keep smacking my head ... when he mentions he wants it changed!

no server is an island

Lutze
5th November 2007, 12:51 PM
Simple answer is - it's extremely unprofessional. If the server holds any private files or customer records, you are duty bound to make it secure and, most importantly, accountable.

Having everyone using the same password to a server means that you can't tell who accessed it to give away all the info.

MrJesseRoss
5th November 2007, 12:53 PM
I keep smacking my head ... when he mentions he wants it changed!

no server is an island

You're smacking the wrong head. ;)

decryption
5th November 2007, 12:54 PM
Brute force/dictionary attacks - no matter how tight your plugging of vulnerabilities is, how locked down your firewall is or what OS you are using - anyone can get in via brute force.

Only one or two people should have administrator access to the server anyways - as long as that one is complicated and will not be forgotten, it should be fine.

Lutze
5th November 2007, 12:57 PM
It actually sounds to me like the "boss" is paranoid about something - or maybe the I.T. dept. is about to get the bullet and he needs to be able to hand over to someone else?? ^-^

kim jong il
5th November 2007, 01:07 PM
Need a reason to tell boss why his idea is a bad idea,
to strip everyone of their own passwords and put one password in for all?

... even if the server is behind a firewall and connected to the net!

I'd like to suggest you just tell him it is idiotic but I'll try to be more constructive. How about: can you imagine how much damage just one disgruntled employee could do in that kind of environment?

Silver
5th November 2007, 01:15 PM
Actually, I think the bigger problem in this instance is everyone having the same password. That's fine if the data is unimportant, but if you need traceability, then everyone needs their own username/password.

That's the easiest way to work out whether employee 7 is responsible for deleting all references to customer 342. Especially with remote access, where you'd otherwise have to go through ISPs to work out who owns which IP address. It also makes it easier to track leaks.
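An added illustration of Silver's traceability point (example code, not from the thread): two constructed audit logs, one for a shared server account and one for per-user accounts, and a check of whether a deletion can be pinned on a single person. The log format, account names and the account-to-holder mapping are assumptions.

```python
# Added example, not from the forum thread: why a shared server password
# destroys accountability. Everything below is constructed sample data.
from collections import namedtuple

Event = namedtuple("Event", "timestamp account action target")

# Constructed audit log for the boss's plan: one account, everyone uses it.
SHARED_LOG = """\
2007-11-05T09:12:03 shared-admin login -
2007-11-05T09:14:41 shared-admin delete customer-342
"""

# Constructed audit log with individual accounts.
PER_USER_LOG = """\
2007-11-05T10:02:17 employee7 login -
2007-11-05T10:05:09 employee7 delete customer-342
"""

# Who knows each account's password (assumed). With a shared account,
# every holder is an equally plausible actor for any entry it produces.
ACCOUNT_HOLDERS = {
    "shared-admin": {"employee1", "employee2", "employee7", "boss"},
    "employee7": {"employee7"},
}


def parse_log(text):
    """Parse 'timestamp account action target' lines into Event tuples."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def suspects(events, action, target):
    """Return the set of people who could have performed (action, target).

    Each matching entry names an account; the suspect set is the union of
    everyone holding that account's password. A per-user account narrows
    this to one person, a shared account widens it to all holders.
    """
    people = set()
    for ev in events:
        if ev.action == action and ev.target == target:
            people |= ACCOUNT_HOLDERS.get(ev.account, {ev.account})
    return people


def attributable(events, action, target):
    """True only when exactly one person could have done it."""
    return len(suspects(events, action, target)) == 1
```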

bel.plews
5th November 2007, 01:34 PM
It actually sounds to me like the "boss" is paranoid about something - or maybe the I.T. dept. is about to get the bullet and he needs to be able to hand over to someone else?? ^-^

I am the IT dept. - I ain't getting any bullet! LOL

enzoweb
5th November 2007, 01:40 PM
Do a Google for "password best practices", "it security best practices" etc. and show him how many articles mention poor password choices / security as one of, if not the, most common ways hackers get in. Also mention the fact that most breaches of security or malicious activity are performed by staff (LEAP database anyone?).

I work in IT and refuse to use other people's login ids or passwords wherever possible - I (mostly) know what I'm doing, but if someone stuffs up with a shared id/password it's easy to get accused. With my own id I can prove it wasn't me, or they can prove it was (even if it wasn't, if I gave my user/pass to someone it's my responsibility).

Currawong
5th November 2007, 02:03 PM
99.999% of intrusion attempts on the internet nowadays are against known exploits. Generic passwords are a known exploit. These intrusion attempts are merely to break into systems to use them to send spam. I'm sure your company's reputation with customers would be fantastic if you couldn't send them email because your network had been blacklisted as a spam sender.

bel.plews
5th November 2007, 02:11 PM
Do a Google for "password best practices", "it security best practices" etc. and show him how many articles mention poor password choices / security as one of, if not the, most common ways hackers get in. Also mention the fact that most breaches of security or malicious activity are performed by staff (LEAP database anyone?).

I work in IT and refuse to use other people's login ids or passwords wherever possible - I (mostly) know what I'm doing, but if someone stuffs up with a shared id/password it's easy to get accused. With my own id I can prove it wasn't me, or they can prove it was (even if it wasn't, if I gave my user/pass to someone it's my responsibility).

thanks ... that's great ammo!!! :D