Discussion (17 Comments)

mikestew, about 2 hours ago
“Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.”

Capitalize that “w”, and you’ve got a password that will pass most PWD policies. Why do they think it was “winter2023!” to begin with? In 90 days when the PWD expires, well, it will be spring of the next year, so…

The better idea is to require passwords with some real entropy, and get rid of expiring passwords. It’s not 1999 anymore.

James_K, 11 minutes ago
Letting users pick their own passwords has always been a mistake. If passwords are needed, the system should choose them.

NopIdoN, 2 minutes ago
just directly give them a post-it for their monitor

Xeoncross, about 2 hours ago
1. Open a web browser and do a search

2. Read until you find a sentence that you like.

3. Use it as your password

raffraffraff, about 1 hour ago
How about mixing up band names? Take the end of "Florence and the machine" and mix it with the start of "Rage against the machine" and you now have the totally unguessable "Rage sharing the machine". It's a different machine see?! Nobody would know that!

ChrisRR, about 1 hour ago
I like the last line of your comment

My password is now password

daredoes, 18 minutes ago
Should have been "use it as your password"

hnthrow10282910, about 1 hour ago
Hacked

glitchc, about 1 hour ago
Not enough numbers or special characters usually.

lukan, 23 minutes ago
Use one specific special character/number as word separator.

chopin, 43 minutes ago
I loathe two things in password requirements: special characters and not allowing spaces. C'mon, it's 2026. Require 20 characters and call it a day.
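As an added illustration of the point mikestew and chopin are making (this is not code from the thread or from the article it discusses): a hypothetical classic complexity policy placed beside a hypothetical length-first policy. Both rule sets, the season+year pattern check, and the sample passwords are assumptions constructed for this example.

```python
import re
import string

# Both policies below are hypothetical, written for this example only.
LEGACY_MIN_LEN = 8    # classic "8 chars + complexity" rule set
MODERN_MIN_LEN = 20   # length-first rule set, in the spirit of the thread

# Season followed by a 4-digit year, e.g. "Winter2023" or "spring-2024".
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\W*(19|20)\d{2}", re.IGNORECASE)


def legacy_policy(pw: str) -> list[str]:
    """Violations under a classic complexity policy (empty list means accepted)."""
    problems = []
    if len(pw) < LEGACY_MIN_LEN:
        problems.append("too short")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def modern_policy(pw: str) -> list[str]:
    """Violations under a length-first policy: long, spaces allowed, no symbol rule,
    but predictable season+year constructions are rejected outright."""
    problems = []
    if len(pw) < MODERN_MIN_LEN:
        problems.append("too short")
    if SEASON_YEAR.search(pw):
        problems.append("season+year pattern")
    return problems


def compare(pw: str) -> dict[str, list[str]]:
    """Run both policies so the two rule sets can be contrasted side by side."""
    return {"legacy": legacy_policy(pw), "modern": modern_policy(pw)}


if __name__ == "__main__":
    # Constructed sample passwords: the thread's example, its one-letter "fix",
    # and a long passphrase with spaces.
    for candidate in ["winter2023!", "Winter2023!", "rage sharing the machine"]:
        print(f"{candidate!r}: {compare(candidate)}")
```

Capitalizing the "w" is enough to satisfy the complexity rules, while the 24-character passphrase fails them on three counts and passes the length-first policy; that inversion is the thread's complaint in miniature.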

samrus, about 1 hour ago
I swear if the ghouls running things had a bit more decency and allowed people to actually access and control their passkeys then that would be the future, everyone would adopt it. The experience is so nice with key pair exchange for SSH. It's just that there I have the security of knowing exactly where my secret is and how I can manage it, it's just a file and I can move it like a file.

Nobody wants the risk of getting locked out because of Apple and Google's walled garden bullshit.

mannyv, 18 minutes ago
Maintenance employees are the weakest link. They aren't paid much and don't believe anything is important.

Be nice to them and they'll be nice to you back.

lima, about 1 hour ago
“The company also should have restricted network access to the port in the conference room so that an unknown device like a Raspberry Pi could not make an Ethernet connection from that spot”

Bad take - the actual problem is that there was a trusted network in the first place. This kind of network access control is trivial to bypass, and trusted devices can get compromised.

Symbiote, 18 minutes ago
It's not my field, but at least at my work the network can somehow tell the difference between an authorized user and not. It is not simply using the MAC address.

A guest device connected to the ethernet port in the conference room has the same access as a device connected to the guest wifi, a staff laptop has its usual access.

z3ugma, about 1 hour ago
What always gets me about these red team attacks is the same thing that gets me about internal phishing test emails.

My company sent an internal phishing test last week. Several people immediately reported it to a cybersecurity engineer, posted about it in Slack, saying they were surprised that such a sophisticated phishing attack was happening.

I too was surprised - Google is usually much better about catching these kinds of things in the GMail filter before they get through. Oh well, sometimes one slips through. Reported it and moved on.

Come to learn that the only reason it made it through is because we let it through _on purpose_.

By analogy to these red team attacks: _theoretically_ someone could rent a car, pose as an employee, and set up a Raspberry Pi in the network.

But who would go to all that trouble?

Theoretically, someone could craft a perfect phishing attack, but who would go to all that trouble? Spray-and-pray, low-precision, high-surface-area attacks are the ones I end up reading about.

The only reason this attack vector was open is because the red team stood to gain a massive benefit from succeeding in the attack. What real-world actor would go to the trouble and stand to benefit as much?