  1. #1
    DF Jedi Argyll's Avatar

    Default Passwords on work PC

    I work for a local authority. I received an email last week from our IT department. They informed us that some of us were using really obvious passwords relating to our local authority, i.e. Glasgow1 etc., and asked us to change them.

    It made me wonder how they knew this?

    I understand perfectly well that they have the right to monitor our incoming and outgoing traffic but I thought they would use their own admin passwords to access our accounts. I wasn't aware they can see our passwords. I thought our passwords were strictly confidential and only known to each individual.

    I ask myself if they know our passwords then surely this is a breach of security in itself.
    I understand and accept that some people hold opinions that are different to my own. Living in a free and democratic society, I fully embrace and respect their right to be wrong.

  2. #2
    DF Super Moderator Teajunkie's Avatar

    Default Re: Passwords on work PC

    Well it’s their data and their machines you’re accessing.
    I would assume it’s more of a work computer, so they are more than entitled to monitor users and passwords.
    If it was, say, a laptop you use for your own home computer as well as a work computer, agreed between the two parties, then that would be different.

    It’s a government machine so I would also assume you are not allowed to use this machine for personal reasons, e.g. eBay or Ann Summers butt plug shopping sprees.
    Instagram and twitter @mrteajunkie.

  3. #3
    DF Jedi Argyll's Avatar

    Default Re: Passwords on work PC

    Ok so here's a scenario for you.

    I've accessed something dodgy at work. IT finds out. The police are called and I'm arrested. I'm also suspended from work.

    My defence is that it wasn't me as I'm not the only person who has access to my PC and other unknown people have access to my password.

    Case closed!

  4. #4
    DF Super Moderator Teajunkie's Avatar

    Default Re: Passwords on work PC

    Quote (originally posted by Argyll):
        Ok so here's a scenario for you.

        I've accessed something dodgy at work. IT finds out. The police are called and I'm arrested. I'm also suspended from work.

    Then you deserve whatever comes your way!
    If it’s dodgy enough for police to be called and you have already admitted it, it’s your own fault.

  5. #5
    DF Jedi Argyll's Avatar

    Default Re: Passwords on work PC

    It was a scenario. I haven't done anything.

    My point is, should they have access to your passwords when they can access your network traffic without it, using their administrator password? The fact they also have your password makes it difficult to take any action against the employee, I would have thought.

  6. #6
    DF Super Moderator Teajunkie's Avatar

    Default Re: Passwords on work PC

    I know fella I was winding you up.
    Have you asked the IT why they have your password?

  7. #7
    DF PlaYa grrrd's Avatar

    Default Re: Passwords on work PC

    Is it possible that the system matches it against known easy passwords - like when you try to set a password and it doesn't meet the requirements? Maybe the system is able to perform that retrospectively against a known list of simple passwords - almost an internal brute force attempt against a library they created themselves.
    Maybe it was highlighted via a pen test that they had arranged.

    Security speaking, I doubt they have access to a list of usernames and passwords in plain text - I would guess there would be major GDPR implications if they did.

  8. #8
    DF Jedi Argyll's Avatar

    Default Re: Passwords on work PC

    I don't know how these things work hence why I asked.

    The GDPR thing did cross my mind but when I asked IT the question if they had access to our passwords they've gone quiet.

  9. #9
    DF Jedi Argyll's Avatar

    Default Re: Passwords on work PC

    Quote (originally posted by Teajunkie):
        I know fella I was winding you up.
        Have you asked the IT why they have your password?

    Yes but they've gone quiet

  10. #10
    DF Super Moderator
    evilsatan's Avatar

    Default Re: Passwords on work PC

    How do you set your passwords? I may be wrong but I don't think it is possible to reveal users' passwords once set. If you press CTRL+ALT+DEL and change your password from there, I can't see how they would uncover it. They may be aware of a user who has a poor password and sent the message based on that?


  11. #11
    DF Jedi DavidF's Avatar

    Default Re: Passwords on work PC

    It might be that it has come to their attention through some employee having their password cracked. It could be that they did a sample test to see if users were using the password "password" or "pass" lol. Then they just send a diplomatic company-wide email reminding everyone to use decent passwords. Although the days of passwords being any sort of good defence against hackers are way gone. 2FA and the like should be the 1st step in ensuring a secure user laptop etc. Passwords are not much good when a hacker just downloads the company database and has everyone's passwords including admin lol.

  12. #12
    DF Super Moderator BertRoot's Avatar

    Default Re: Passwords on work PC

    There are tons of ways of storing passwords and users within organisations. LDAP, AD, etc. You can use tools such as John the Ripper to unhash password databases and check, but in reality I would be surprised if they weren't really just trying it on and seeing who they spook into changing to something that fits with whatever their policy is. Also smells of lazy admins who can't be arsed enforcing this via Group Policy or other means.


  13. #13
    DF PiMP Copex's Avatar

    Default Re: Passwords on work PC

    They cannot see the password, but what they can do is audit the password hashes :-) The basics are: they create a long list of easy passwords, hash them and then compare the hashes against users' password hashes.... ezy :-)

    Passwords stored in Active Directory are hashed – meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as, you guessed it, a “hash”. Hashes are of fixed size so passwords of different lengths will have the same number of characters, and are designed to be a one-way encryption, so that once they are coded, no one should be able to break that code (theoretically).
    stolen from [Only registered and activated users can see links. ]

  14. #14
    DF Super Moderator piggzy's Avatar

    Default Re: Passwords on work PC

    Tell them if they are storing your passwords unencrypted, or the encryption is so piss poor they can easily unhash them, that your password isn't the issue, their security is.

  15. #15
    DF Jedi Argyll's Avatar

    Default Re: Passwords on work PC

    This is the email sent. I have amended certain words and phrases so as not to identify anyone. Just to be clear, this has nothing to do with Glasgow Council. I've just used their name as an example but the wording of the email is correct.

    Dear All

    We are now in preparation for our annual independent IT health check in the run up to applying for our PSN accreditation for 2019.

    An issue raised in the health check last year was the use of insecure passwords including the use of the word Glasgow or an obfuscation of Glasgow like Glasgow10 or Glasg0w used in passwords.

    We’ve advised all users twice since last to December to ensure they use strong passwords however a recent audit has revealed that significant numbers of staff are still not doing this.

    We therefore need to be more prescriptive and our intention is to advise staff that we will be forcing resets of passwords for anyone who has a password that is obvious.

    We will carry out a further audit following this – and if the number of weak passwords don’t reduce significantly then we will lock network accounts and force anyone with a weak password to contact the Service Desk to have their account unlocked.

    If we don’t address this issue then it’s possible that we may not gain our PSN accreditation this year, or our PSN accreditation may be delayed.

    Can you remind all your staff of the advice we have issued previously and indeed make sure you have appropriate passwords yourself.


    How else can they know anyone's password?

  16. #16
    DF Jedi ss30's Avatar

    Default Re: Passwords on work PC

    If they know your passwords, change it to something really offensive or derogatory to the I.T. department and see if they get in touch with you.

    Thanks to ss30

    4me2 (22nd June 2019) 


  17. #17
    DF Jedi satzzz's Avatar

    Default Re: Passwords on work PC

    Quote (originally posted by ss30):
        If they know your passwords change it to something really offensive or derogatory to the I.T department and see if they get in touch with you

    Was about to suggest the same. Great minds.......

    Sent from my Philips Diga via BT Cellnet
    Just use enough water to cover your vegetables,the same goes for when you're having a bath....

    Thanks to satzzz

    4me2 (22nd June 2019) 


  18. #18
    DF PiMP Copex's Avatar

    Default Re: Passwords on work PC

    Quote (originally posted by ss30):
        If they know your passwords change it to something really offensive or derogatory to the I.T department and see if they get in touch with you

    Totally pointless, they cannot see your password!!!!

  19. #19
    DF Jedi c0axial's Avatar

    Default Re: Passwords on work PC

    Maybe running a Vulnerability Assessment Tool on your OS Build or ?

  20. #20
    DF Jedi reverend's Avatar

    Default Re: Passwords on work PC

    It'll just have been a password audit against AD - a lot of companies do these nowadays (all should).

    As has been mentioned the passwords aren't stored in plain text, everything is hashed. You take a list of basic passwords which you think users may be using, add that onto something like the Rockyou wordlist and then see which users have passwords which match by generating the hashes for the passwords in your list then comparing those against all users in AD.

    I've done this in many companies now and it's surprising how many people use stupidly simple passwords which are low hanging fruit when someone is trying to hack in.

    2 Thanks given to reverend

    Argyll (20th June 2019), evilsatan (16th June 2019) 
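
Added example (not part of any post above, and not the IT department's actual tooling): a sketch of the hash-comparison audit described in posts #13 and #20, including the "Glasgow10" / "Glasg0w" style obfuscations named in the email. Unsalted SHA-256 stands in for the directory's real hash function, and the account names, passwords, substitution table and word lists are all constructed for illustration.

```python
import hashlib
from itertools import product

# Assumed substitutions and suffixes; each pool starts with the letter itself.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s5$"}
SUFFIXES = ["", "1", "10", "123", "2019", "!"]

def hash_password(password):
    # Stand-in: unsalted SHA-256 (assumption), not the hash a real directory uses.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def variants(word):
    """Yield obfuscations of word: character swaps, capitalisation, suffixes."""
    pools = [LEET.get(c, c) for c in word.lower()]
    for chars in product(*pools):
        stem = "".join(chars)
        for base in (stem, stem.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix

def audit(hash_by_user, base_words, common_passwords):
    """Return accounts whose stored hash equals the hash of a weak candidate."""
    candidates = set(common_passwords)
    for word in base_words:
        candidates.update(variants(word))
    weak_hashes = {hash_password(p) for p in candidates}
    return sorted(u for u, stored in hash_by_user.items() if stored in weak_hashes)

def reused(hash_by_user):
    """Unsalted hashes are equal for equal passwords: group accounts sharing one."""
    groups = {}
    for user, stored in hash_by_user.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed export: account name -> stored hash (no plaintext is stored).
SAMPLE = {
    "alice": hash_password("Glasgow1"),
    "bob": hash_password("Glasg0w"),
    "carol": hash_password("xK9#mQ2vLp!7rT"),
    "dave": hash_password("password"),
    "erin": hash_password("Glasgow1"),
}

if __name__ == "__main__":
    print("weak:", audit(SAMPLE, ["glasgow"], ["password", "letmein"]))
    print("shared:", reused(SAMPLE))
```

A match tells the auditor that the account's password is one of the candidates on the list; an account that does not match reveals nothing about its password.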

