Tell HN: IT guy at my company just did what?
So I got locked out of my account twice today at the aerospace company where I work. I presume someone was entering incorrect passwords for me and I don't think it was me. First time, IT guy said ok "answer these three personal security questions you set and I'll unlock your account". I answered them, account unlocked, good to go.
The second time I called, the same guy answered and said "oh... I think I remember you from a few hours ago. No need to answer any of your security questions, I think I remember them." AND THEN HE SAID THE ANSWERS BACK TO ME OVER THE PHONE. I was dumbfounded. Had to come here to get reactions.
29 comments
[ 3.7 ms ] story [ 82.8 ms ] threadThe whole reason you even have a password is to authenticate to my systems. If I can’t be trusted with it we’ve got bigger problems.
And also I think you were not the first calling with that specific issue and likely it was not external attack - related but rather internal system failure related that he was aware of.
And then they start dealing with people. Many of whom have trouble finding the "enter" key on the keyboard.
And so the IT folks invariably fall into the habit of going the route that's 10x easier and 98% safe.
Security questions are a vector for privacy breaches and much less effective than the above.
I always say, "NO! Don't tell me your password, just type it in."
edit: for clarity's sake; NO, we were not still using Netware in 2007.
My home internet provider recently changed up the IP ranges they have us connected on. I instantly recognized it as being the same subnet that the computers at my high school used to be on 25 years ago. And sure enough, whois confirms that the range is still controlled by the school district.
I.e., pretend every other machine is out on the open internet.
There are new ssh options to keep closer control of credentials.
If they remember you had an issue, they usually watch out for you within some X amount of time period so if there is a follow-up its short and sweet, not drawn out, its all about doing the least amount of effort for the most amount of work.
If you've ever seen the IT crowd, I'm talking mimeograph here.
I used to do random characters, but have switch to a string of random dictionary words. Still not perfect (since "a string of random words" could potentially be accepted as a valid answer), but I feel like having it be human-readable makes it less prone to that kind of fuzzing.
"Three. Like one-two-three." -> they hear "tree" or "123"
"'D'. Like Able Baker Charlie Delta." -> they hear anything ending in "ee", or "abelbakercharlydelta"
And so on, ad nauseum.