Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
graph
Nov 22, 2006

aaag peanuts



Shame Boy posted:

but their "security guy" said it was fine, so it's fine!

security guy aka the ceo's nephew

Adbot
ADBOT LOVES YOU

pseudorandom
Jun 16, 2010





Yam Slacker

Shame Boy posted:

that reminds me, we once had a customer that demanded the ability to log in (over the network!) using just their badges and no password or anything else. no problem, they must be smart card badges and we can just use PKI right?

lol no, they're laminated cardstock from a laser printer with a barcode on them, and the barcode encodes the username and nothing else. they'd been using these for years and couldn't understand why we had such a problem with the whole thing. :thumbsup:


That's fine, just implement Two-Factor Authentication on top of it. Give everyone a second badge with a password barcode, problem solved.

flakeloaf
Feb 26, 2003

Still better than android clock



"but our guy said it was fine"

well i've got root and i've never heard of your guy so tell him i said he needs to be quiet

SuppressdPuberty93
Nov 11, 2013


Looks like someone hosed up. LOL

power botton
Nov 2, 2011



In a similar vein we had some eval company freak out because we flagged like all their admin accounts and service accounts having PASSWORD_NOT_REQD being set (and a bunch of them not having passwords) as an issue.

he couldn't show our product to his boss cause it definitely is not an issue and we're dumb and stupid for thinking it is!!!

It was something about smart cards. "best practices" was thrown around a bunch. Either its the same company or this is a more popular way of solving login/lockout problems than I thought.

mystes
May 31, 2006



power botton posted:

In a similar vein we had some eval company freak out because we flagged like all their admin accounts and service accounts having PASSWORD_NOT_REQD being set (and a bunch of them not having passwords) as an issue.

he couldn't show our product to his boss cause it definitely is not an issue and we're dumb and stupid for thinking it is!!!

It was something about smart cards. "best practices" was thrown around a bunch. Either its the same company or this is a more popular way of solving login/lockout problems than I thought.
I don't know how these active directory settings work specifically, but if you're saying the accounts were set to require smartcard authentication for login but no password, that seems a bit different from trying to use a barcode of the username for authentication.

Shame Boy
Mar 2, 2010

THE HORROR
THE HORROR





yeah if the password was not only not required but not allowed and you could only use (actual) smart cards that's fine, if it was just not required that's... different

i doubt it's the same company because the system in question isn't using active directory and was a custom thing they had patched into the particular (cash register! :stonk:) software they were using

but it's fine because if you tried to log in manually (in the UI, not in the actual network endpoints they made of course) it would require the password, the only way to log in without the password was to scan your barcode and it's not like just anyone can generate a barcode right? i bet it requires some special machine

or, you know, take a picture of the manager wearing their ID on a lanyard with the barcode prominently displayed and just zoom in on the barcode and hold your phone up to the scanner

god the more i think about it the stupider it gets

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

pos software is aptly named

Volmarias
Dec 31, 2002

I'm sure I'll think of something.

You're Operating System is a Point Of Sale

Wiggly Wayne DDS
Sep 11, 2010





Shame Boy posted:

yeah if the password was not only not required but not allowed and you could only use (actual) smart cards that's fine, if it was just not required that's... different

i doubt it's the same company because the system in question isn't using active directory and was a custom thing they had patched into the particular (cash register! :stonk:) software they were using

but it's fine because if you tried to log in manually (in the UI, not in the actual network endpoints they made of course) it would require the password, the only way to log in without the password was to scan your barcode and it's not like just anyone can generate a barcode right? i bet it requires some special machine

or, you know, take a picture of the manager wearing their ID on a lanyard with the barcode prominently displayed and just zoom in on the barcode and hold your phone up to the scanner

god the more i think about it the stupider it gets
that's why you have a barcode on the front and back for 2fa

Farmer Crack-Ass
Jan 2, 2001

~this is me posting irl~


Jabor posted:

pos software is aptly named

pos my terminal

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER


pos my neg balance

abigserve
Sep 13, 2009

this is a better avatar than what I had before



VD100

Powerful Two-Hander
Mar 9, 2004

Mods please change my name to "Tooter Skeleton" TIA.



"why are you asking me for my username and password to logon instead of using SSO, that's bad security practice as it's training people to enter credentials into random sites when prompted by a link they get emailed"

"it's an oracle product it does not support SSO"

really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up?


bonus points: the email says "please click this link and logon as there is an invoice awaiting payment". no standard branding/formatting at all, not even a name of recipient or detail on what the invoice is and the link is a garbled mess pointing to a server instance with no internal cname. it's like they're trying to train people to get phished.

abigserve
Sep 13, 2009

this is a better avatar than what I had before


I had one guy laugh at me for failing to configure LDAP login on some enterprise app once and when I asked him how he did it at his he sent me the config but, logically, omitted the password

jokes lol his ldap server supported anonymous binds and the app couldn't handle using a password for binding which is why his worked and mine didn't

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER


Powerful Two-Hander posted:

really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up?

either is equally likely

ewiley
Jul 9, 2003

More trash for the trash fire

Powerful Two-Hander posted:


really? really? i mean oracle are awful but they don't support any SSO in tyool 2019? or is it more likely that you just don't know how to set it up?


I once had the privilege of briefly administering oracle identity manager and i wanted to promptly kill myself afterwards. This was 10 years ago so I'm sure it's improved since then :rolleyes:

Shame Boy
Mar 2, 2010

THE HORROR
THE HORROR





Boiled Water posted:

either is equally likely

or it costs extra, or better yet changes how you have to license the thing so every SSO user requires a seat, or something like that, because oracle

geonetix
Mar 6, 2011




doesnt every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax’s spine cash

Winkle-Daddy
Mar 10, 2007


geonetix posted:

doesnt every Oracle agreement disallow any posts or comparison about their products? be careful before their army of lawyers take all of lowtax’s spine cash

I'd tell you about how they're trying to be hip and cool and cloudy and embrace open source but I'd probably get sued for that too ¯\_(ツ)_/¯

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap?

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang




yeah just call support and ask to have your password reset

Celexi
Nov 25, 2006

tehehe



just open mysql workbench and change the password on the db

Powerful Two-Hander
Mar 9, 2004

Mods please change my name to "Tooter Skeleton" TIA.



ewiley posted:

I once had the privilege of briefly administering oracle identity manager and i wanted to promptly kill myself afterwards. This was 10 years ago so I'm sure it's improved since then :rolleyes:

the copyright tag on the app says "2017" but I'm gonna assume the deployment is at least 5 years older than that

CmdrRiker
Apr 8, 2016

You dismally untalented little creep!

Celexi posted:

just open mysql workbench and change the password on the db

Krankenstyle posted:

yeah just call support and ask to have your password reset

lol, thanks assholes. I was mistaking OWASP with IASME. I don't work in infosec, but I like to size up what is generally recommended against what people actually end up doing.

abigserve
Sep 13, 2009

this is a better avatar than what I had before


CmdrRiker posted:

I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap?

4) auditing enabled and actually looked at for whatever your password manager is, ideally notifications whenever someone accesses a high-value password
5) RBAC obviously
6) automation driven from the password system to update all the poo poo if you need to change the password for whatever reason
7) systems do not use passwords directly but reference a password layer w/ the only access to the layer secured by an actually good mechanism like PKI (and RBAC so the systems only access the passwords they need)

take a look at Vault, it's not as simple as they present it as in terms of building it in a secure and reliable way but it gives you an idea.

pseudorandom
Jun 16, 2010





Yam Slacker

CmdrRiker posted:

I've never been satisfied with organization password management at any place I've worked. The more intuitive rules are 1) secure storage 2) limited access and 3) backups and documented escalation practices when it needs to be changed or revoked immediately. It's easier for applications and services, but I'm not sure about "application user accounts" that belong to a 3rd party service and are used by many individuals. (Used by many individuals.. another red flag, I know.) Is there any OWASP best practices on this crap?


If it's for shared free for 1 user but paid for multi-user account, and the account doesn't have long term sessions (read: people need to copy and paste a password every day or so already), then I'd say the best option would be any decent, shared, password manager, with regularly changed (eg: monthly) passwords.

That is to say, if people are already used to regularly looking up a shared password, and if the password changing won't significantly disrupt normal operations, then frequently changing the password would be a great option. This way, if the password were to be leaked, it would hopefully already be changed before a malicious party could use it, and if people are used to just looking up the password, then it changing won't be such an inconvenience that people do dumb things that otherwise reduce security.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

changing the password regularly (e.g. daily) is also a good way to make people actually look it up in the appropriate system every time, instead of writing it on a post-it or something

Powerful Two-Hander
Mar 9, 2004

Mods please change my name to "Tooter Skeleton" TIA.



Jabor posted:

changing the password regularly (e.g. daily) is also a good way to make people actually look it up in the appropriate system every time, instead of writing it on a post-it or something

just get one of those old flip calendars and write the password for that day on each page, ez

Pile Of Garbage
May 28, 2007





abigserve posted:

take a look at Vault, it's not as simple as they present it as in terms of building it in a secure and reliable way but it gives you an idea.

seconding Vault (assuming you mean HashiCorp Vault and not one of the other n solutions named Vault). if you're in a legacy environment it's going to be an uphill battle getting it integrated with your processes and convincing your end-users to use it but imo it's worth it. being able to do JIT access and auth with expiring credentials is pretty sw8 and mitigates a lot of risks.

ofc it's only as good as its configuration. if the root token is just being handed out willy-nilly then any possible benefits will be nixed. the same goes if you don't implement a good schema for storing secrets and configuring policies.

edit: oh and there's also the unseal requirements which may not be acceptable. whenever the Vault instance comes back up you have to manually unseal it. if you follow best-practice you generate 5 shards and distribute them to 5 people. unsealing requires 3 of the 5 shards so if you need to be able to handle it outside of business hours then you'll need to wake-up 3 people. there are ways to avoid this with HA using Consul but still a cold-start would require manual intervention to become operational.

Pile Of Garbage fucked around with this message at 12:31 on Apr 27, 2019

Jewel
May 2, 2009



lmfao https://twitter.com/realJamesClick/status/1121995264649072640

Midjack
Dec 24, 2007





Powerful Two-Hander posted:

just get one of those old flip calendars and write the password for that day on each page, ez

toilet paper with a new password on each square.

brb, filing a patent for one time roll cryptography

Proteus Jones
Feb 28, 2013





Midjack posted:

toilet paper with a new password on each square.

brb, filing a patent for one time roll cryptography

OTTP

Brute Squad
Dec 20, 2006

Laughter is the sun that drives winter from the human race



Midjack posted:

toilet paper with a new password on each square.

brb, filing a patent for one time roll cryptography

book cipher passwords.

haveblue
Aug 15, 2005




Toilet Rascal

microsoft assport

jeffery
Jan 1, 2013


nazi punks gently caress off

Soricidus
Oct 20, 2010
freedom-hating statist shill


i like the guy in the comments who's adamant that there is no purpose whatsoever in code signing without an always-on internet connection. because obviously if you can't have a perfect way to revoke your certificate if the private key is ever compromised then you may as well just throw up your hands and give up completely, there is definitely no useful point in between these extremes

Volmarias
Dec 31, 2002

I'm sure I'll think of something.

haveblue posted:

microsoft assport

My rear end is my passport, wipe me

Shaggar
Apr 26, 2006


Nap Ghost

Soricidus posted:

i like the guy in the comments who's adamant that there is no purpose whatsoever in code signing without an always-on internet connection. because obviously if you can't have a perfect way to revoke your certificate if the private key is ever compromised then you may as well just throw up your hands and give up completely, there is definitely no useful point in between these extremes

theres a weird subset of "security" people who just absolutely hate code signing/message signing for some reason. its totally bizarre.

Adbot
ADBOT LOVES YOU

motoh
Oct 16, 2012

The clack of a light autocannon going off is just how you know everything's alright.

Midjack posted:

toilet paper with a new password on each square.

brb, filing a patent for one time roll cryptography

#2 factor auth

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply