Making a point to office manager about username/passwords


Post by CharlesStaal on Fri Jun 07, 2013 8:52 am

Hey all, I'm wondering if anyone can refer me to any paper that outlines the negative effects and security concerns about usernames on a Win XP network having static/non-changing passwords that the office manager sets, and he has a paper list of all the usernames/passwords. He won't really listen to me because the "top IT guy he uses" says to do it that way. I'm telling him it's a big security hole and that the passwords he sets are easily crackable. So does anyone have literature on this subject? I told him the passwords should never be stored anywhere and that they should be dynamic, with mandatory changes every 3 weeks or so.


Re: Making a point to office manager about username/passwords

Post by hellow533 on Fri Jun 07, 2013 10:21 am

So you're on a Windows XP network, everybody has usernames and passwords, and he has a list of them being the office manager? Tell him to put them in a safe, I don't see a problem. If you are worried about security, tell him not to use software that was outdated a decade ago.
“Teach me how to hack!”
"What, like, with an axe?"


Re: Making a point to office manager about username/passwords

Post by CharlesStaal on Fri Jun 07, 2013 10:39 am

hellow533 wrote: So you're on a Windows XP network, everybody has usernames and passwords, and he has a list of them being the office manager? Tell him to put them in a safe, I don't see a problem. If you are worried about security, tell him not to use software that was outdated a decade ago.

Yes, Windows XP network, yes I know it's deprecated lol. And in my opinion no one, not even the managers, should have the actual password to other accounts. There are administrative tools built into Windows that will allow him to get into accounts if need be. Also, you don't agree that passwords should not be set by a different person, and not be able to be changed?


Re: Making a point to office manager about username/passwords

Post by -Ninjex- on Fri Jun 07, 2013 11:03 am

Windows XP, that's a hazard in itself, and I wouldn't be surprised if the network has not already been compromised. If he wants to store those passwords somewhere, tell him to place it on a USB drive that is heavily encrypted. Also, as a side note, heavy encryption is illegal in some countries, so please check before telling him so.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.


Re: Making a point to office manager about username/passwords

Post by CharlesStaal on Fri Jun 07, 2013 11:43 am

-Ninjex- wrote: Windows XP, that's a hazard in itself, and I wouldn't be surprised if the network has not already been compromised. If he wants to store those passwords somewhere, tell him to place it on a USB drive that is heavily encrypted. Also, as a side note, heavy encryption is illegal in some countries, so please check before telling him so.

I live in the US of A, so encryption is legal. He has it in a plaintext file as well as printed out by his desk. He doesn't take any of my concerns seriously at all.


Re: Making a point to office manager about username/passwords

Post by hellow533 on Fri Jun 07, 2013 11:51 am

CharlesStaal wrote:
-Ninjex- wrote: Windows XP, that's a hazard in itself, and I wouldn't be surprised if the network has not already been compromised. If he wants to store those passwords somewhere, tell him to place it on a USB drive that is heavily encrypted. Also, as a side note, heavy encryption is illegal in some countries, so please check before telling him so.

I live in the US of A, so encryption is legal. He has it in a plaintext file as well as printed out by his desk. He doesn't take any of my concerns seriously at all.

It depends on what you're able to do with those accounts. Access to emails and banking information? Alright, let's keep them in a safe or on an encrypted flash drive.

Accounts that have access to go to the same predetermined websites all other accounts can, with no valuable information? Sorry bud, no reason to bother.


Re: Making a point to office manager about username/passwords

Post by -Ninjex- on Fri Jun 07, 2013 1:33 pm

hellow533 wrote: It depends on what you're able to do with those accounts. Access to emails and banking information? Alright, let's keep them in a safe or on an encrypted flash drive.

Accounts that have access to go to the same predetermined websites all other accounts can, with no valuable information? Sorry bud, no reason to bother.


I have to disagree here, because of the simple fact that any user could log into the network as any other user to attack the network. The blame would look like that of another employee.


Re: Making a point to office manager about username/passwords

Post by CharlesStaal on Fri Jun 07, 2013 1:46 pm

-Ninjex- wrote:
hellow533 wrote: It depends on what you're able to do with those accounts. Access to emails and banking information? Alright, let's keep them in a safe or on an encrypted flash drive.

Accounts that have access to go to the same predetermined websites all other accounts can, with no valuable information? Sorry bud, no reason to bother.


I have to disagree here, because of the simple fact that any user could log into the network as any other user to attack the network. The blame would look like that of another employee.

Thank you, exactly my point. Not only that, though, but if someone were to gain remote access with a "useless" account, they can still use a local exploit after that to increase credentials to administrative, so it's important to lock up everything as tight as possible using good habits in every dimension of the network and user experience.


Re: Making a point to office manager about username/passwords

Post by limdis on Fri Jun 07, 2013 3:19 pm

If the network is loaded up to SP3 and configured properly, it can be a pretty secure setup to use. There is a reason it's still used in many larger networks today, such as for businesses and schools. Think of network security like a lock. Locks don't keep thieves out, they keep honest people honest. A printed-out sheet of passwords is fine as long as it's locked up and secured. No piece of paper has ever been hacked into. Now, the issue here is not having to renew passwords. The problem isn't having them cracked, it's user complacency. Sooner or later one of those accounts' login credentials will be shared. Once access is gained, it is really only a matter of time before something serious happens. However, and I hate to say it like this mate, but unless you are in a position in which your word on network security is credible, there isn't a lot you can do. Nor should it be of huge concern to you. You've done the right thing by bringing it up. Do some additional research if you like, but don't lose your job over it trying to pentest the network to prove a point.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


