|
Shame Boy posted:but their "security guy" said it was fine, so it's fine! security guy aka the ceo's nephew
|
#
?
Apr 24, 2019 16:53
|
|
|
|
| # ? Apr 16, 2024 21:52 |
|
|
Shame Boy posted:that reminds me, we once had a customer that demanded the ability to log in (over the network!) using just their badges and no password or anything else. no problem, they must be smart card badges and we can just use PKI right? That's fine, just implement Two-Factor Authentication on top of it. Give everyone a second badge with a password barcode, problem solved.
|
|
#
?
Apr 24, 2019 17:38
|
|
|
"but our guy said it was fine" well i've got root and i've never heard of your guy so tell him i said he needs to be quiet
|
|
#
?
Apr 24, 2019 18:21
|
|
|
Looks like someone hosed up. LOL
|
|
#
?
Apr 24, 2019 18:25
|
|
|
In a similar vein we had some eval company freak out because we flagged like all their admin accounts and service accounts having PASSWORD_NOT_REQD being set (and a bunch of them not having passwords) as an issue. he couldn't show our product to his boss cause it definitely is not an issue and we're dumb and stupid for thinking it is!!! It was something about smart cards. "best practices" was thrown around a bunch. Either its the same company or this is a more popular way of solving login/lockout problems than I thought.
|
|
#
?
Apr 25, 2019 10:54
|
|
|
power botton posted:In a similar vein we had some eval company freak out because we flagged like all their admin accounts and service accounts having PASSWORD_NOT_REQD being set (and a bunch of them not having passwords) as an issue.
|
|
#
?
Apr 25, 2019 12:33
|
|
|
yeah if the password was not only not required but not allowed and you could only use (actual) smart cards that's fine, if it was just not required that's... different i doubt it's the same company because the system in question isn't using active directory and was a custom thing they had patched into the particular (cash register!  ) software they were usingbut it's fine because if you tried to log in manually (in the UI, not in the actual network endpoints they made of course) it would require the password, the only way to log in without the password was to scan your barcode and it's not like just anyone can generate a barcode right? i bet it requires some special machine or, you know, take a picture of the manager wearing their ID on a lanyard with the barcode prominently displayed and just zoom in on the barcode and hold your phone up to the scanner god the more i think about it the stupider it gets
|
|
#
?
Apr 25, 2019 14:43
|
|
|
pos software is aptly named
|
|
#
?
Apr 25, 2019 14:46
|
|
|
You're Operating System is a Point Of Sale
|
|
#
?
Apr 25, 2019 15:58
|
|
|
Shame Boy posted:yeah if the password was not only not required but not allowed and you could only use (actual) smart cards that's fine, if it was just not required that's... different
|
|
#
?
Apr 25, 2019 16:59
|
|
|
Jabor posted:pos software is aptly named pos my terminal
|
|
#
?
Apr 25, 2019 22:56
|
|
|
pos my neg balance
|
|
#
?
Apr 26, 2019 06:58
|
|
|
Farmer Crack-rear end posted:pos my terminal VD100
|
|
#
?
Apr 26, 2019 08:04
|
|
|
"why are you asking me for my username and password to logon instead of using SSO, that's bad security practice as it's training people to enter credentials into random sites when prompted by a link they get emailed" "it's an oracle product it does not support SSO" really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up? bonus points: the email says "please click this link and logon as there is an invoice awaiting payment". no standard branding/formatting at all, not even a name of recipient or detail on what the invoice is and the link is a garbled mess pointing to a server instance with no internal cname. it's like they're trying to train people to get phished.
|
|
#
?
Apr 26, 2019 10:05
|
|
|
I had one guy laugh at me for failing to configure LDAP login on some enterprise app once and when I asked him how he did it at his he sent me the config but, logically, omitted the password jokes lol his ldap server supported anonymous binds and the app couldn't handle using a password for binding which is why his worked and mine didn't
|
|
#
?
Apr 26, 2019 11:07
|
|
|
Powerful Two-Hander posted:really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up? either is equally likely
|
|
#
?
Apr 26, 2019 11:11
|
|
|
Powerful Two-Hander posted:
I once had the privilege of briefly administering oracle identity manager and i wanted to promptly kill myself afterwards. This was 10 years ago so I'm sure it's improved since then 
|
|
#
?
Apr 26, 2019 13:01
|
|
|
Boiled Water posted:either is equally likely or it costs extra, or better yet changes how you have to license the thing so every SSO user requires a seat, or something like that, because oracle
|
|
#
?
Apr 26, 2019 14:57
|
|
|
doesnt every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax’s spine cash
|
|
#
?
Apr 26, 2019 15:06
|
|
|
geonetix posted:doesnt every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax’s spine cash I'd tell you about how they're trying to be hip and cool and cloudy and embrace open source but I'd probably get sued for that too ¯\_(ツ)_/¯
|
|
#
?
Apr 26, 2019 16:44
|
|
|
I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap?
|
|
#
?
Apr 26, 2019 19:41
|
|
|
yeah just call support and ask to have your password reset
|
|
#
?
Apr 26, 2019 21:59
|
|
|
just open mysql workbench and change the password on the db
|
|
#
?
Apr 26, 2019 22:01
|
|
|
ewiley posted:I once had the privilege of briefly administering oracle identity manager and i wanted to promptly kill myself afterwards. This was 10 years ago so I'm sure it's improved since then the copyright tag on the app says "2017" but I'm gonna assume the deployment is at least 5 years older than that
|
|
#
?
Apr 26, 2019 22:47
|
|
|
Celexi posted:just open mysql workbench and change the password on the db Krankenstyle posted:yeah just call support and ask to have your password reset lol, thanks assholes. I was mistaking OWASP with IASME. I don't work in infosec, but I like to size up what is generally recommended against what people actually end up doing.
|
|
#
?
Apr 26, 2019 23:07
|
|
|
CmdrRiker posted:I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap? 4) auditing enabled and actually looked at for whatever your password manager is, ideally notifications whenever someone accesses a high-value password 5) RBAC obviously 6) automation driven from the password system to update all the poo poo if you need to change the password for whatever reason 7) systems do not use passwords directly but reference a password layer w/ the only access to the layer secured by an actually good mechanism like PKI (and RBAC so the systems only access the passwords they need) take a look at Vault, it's not as simple as they present it as in terms of building it in a secure and reliable way but it gives you an idea.
|
|
#
?
Apr 26, 2019 23:22
|
|
|
CmdrRiker posted:I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap? If it's for shared That is to say, if people are already used to regularly looking up a shared password, and if the password changing won't significantly disrupt normal operations, then frequently changing the password would be a great option. This way, if the password were to be leaked, it would hopefully already be changed before a malicious party could use it, and if people are used to just looking up the password, then it changing won't be such an inconvenience that people do dumb things that otherwise reduce security.
|
|
#
?
Apr 27, 2019 07:42
|
|
|
changing the password regularly (e.g. daily) is also a good way to make people actually look it up in the appropriate system every time, instead of writing it on a post-it or something
|
|
#
?
Apr 27, 2019 07:47
|
|
|
Jabor posted:changing the password regularly (e.g. daily) is also a good way to make people actually look it up in the appropriate system every time, instead of writing it on a post-it or something just get one of those old flip calendars and write the password for that day on each page, ez
|
|
#
?
Apr 27, 2019 13:17
|
|
|
abigserve posted:take a look at Vault, it's not as simple as they present it as in terms of building it in a secure and reliable way but it gives you an idea. seconding Vault (assuming you mean HashiCorp Vault and not one of the other n solutions named Vault). if you're in a legacy environment it's going to be an uphill battle getting it integrated with your processes and convincing your end-users to use it but imo it's worth it. being able to do JIT access and auth with expiring credentials is pretty sw8 and mitigates a lot of risks. ofc it's only as good as its configuration. if the root token is just being handed out willy-nilly then any possible benefits will be nixed. the same goes if you don't implement a good schema for storing secrets and configuring policies. edit: oh and there's also the unseal requirements which may not be acceptable. whenever the Vault instance comes back up you have to manually unseal it. if you follow best-practice you generate 5 shards and distribute them to 5 people. unsealing requires 3 of the 5 shards so if you need to be able to handle it outside of business hours then you'll need to wake-up 3 people. there are ways to avoid this with HA using Consul but still a cold-start would require manual intervention to become operational. Pile Of Garbage fucked around with this message at 13:31 on Apr 27, 2019 |
|
#
?
Apr 27, 2019 13:26
|
|
|
lmfao https://twitter.com/realJamesClick/status/1121995264649072640
|
|
#
?
Apr 27, 2019 14:54
|
|
|
Powerful Two-Hander posted:just get one of those old flip calendars and write the password for that day on each page, ez toilet paper with a new password on each square. brb, filing a patent for one time roll cryptography
|
|
#
?
Apr 27, 2019 15:22
|
|
|
Midjack posted:toilet paper with a new password on each square. OTTP
|
|
#
?
Apr 27, 2019 15:32
|
|
|
Midjack posted:toilet paper with a new password on each square. book cipher passwords.
|
|
#
?
Apr 27, 2019 15:46
|
|
|
microsoft assport
|
|
#
?
Apr 27, 2019 15:48
|
|
|
nazi punks gently caress off
|
|
#
?
Apr 27, 2019 16:02
|
|
|
i like the guy in the comments who's adamant that there is no purpose whatsoever in code signing without an always-on internet connection. because obviously if you can't have a perfect way to revoke your certificate if the private key is ever compromised then you may as well just throw up your hands and give up completely, there is definitely no useful point in between these extremes
|
|
#
?
Apr 27, 2019 16:13
|
|
|
haveblue posted:microsoft assport My rear end is my passport, wipe me
|
|
#
?
Apr 27, 2019 16:19
|
|
|
Soricidus posted:i like the guy in the comments who's adamant that there is no purpose whatsoever in code signing without an always-on internet connection. because obviously if you can't have a perfect way to revoke your certificate if the private key is ever compromised then you may as well just throw up your hands and give up completely, there is definitely no useful point in between these extremes theres a weird subset of "security" people who just absolutely hate code signing/message signing for some reason. its totally bizarre.
|
|
#
?
Apr 27, 2019 17:37
|
|
|
|
| # ? Apr 16, 2024 21:52 |
|
|
Midjack posted:toilet paper with a new password on each square. #2 factor auth
|
|
#
?
Apr 27, 2019 18:10
|
|
