Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and Dropbox. In some of these cases they were storing passwords unencrypted, so that once someone captures the data, they know your actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook), it opens your account to be compromised on multiple systems. This is made worse when more sensitive logins, for bank accounts or your work e-mail, use the same password you used on Facebook.

One common technique used by web developers, and programmers in general, is to NOT store your actual password but rather a hashed version of it. Hashing is a form of one-way transformation: once a value has been hashed it cannot be reversed back out (hence the "one way" part). A hash function is also specifically designed so that it is infeasible to find two inputs which produce the same output. In fact, even a single character difference results in a radically different output. So hashing is often used so that nobody, not even the database, needs to know your real password. All the site does when you enter your password at login is run it through the same hashing algorithm and then check that the output matches what is stored in the database for your password.

To make this more secure, many web developers will also add "salt" to the hashing process. That is, they add some extra information to your input before it is hashed. The benefit of this is that, as long as the salt is kept secret, it makes it significantly more difficult for your actual password to be discovered.

What brings this to mind was something I encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click "forgot password" they will e-mail you a new password or a link to create a new password. However, in this case, they e-mailed me my password. What this illustrates to me is that they don't actually hash their passwords, and don't likely encrypt them either. With this, I can know, for certain, that it is possible for someone at that company (or someone with malicious intent) to access my passwords. This is very concerning.

In the day that we live in, it is very important that we ask our vendors to be using more secure methods for storing our passwords. If they can tell us what our passwords are, this is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid reusing the same passwords online, and ensure that you are changing them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change the password at every place where you used it.


Offline NT Password & Registry Editor

What is it?

  • This is a utility to reset the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista/Win7 etc. system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk, CD or another system.
  • It will detect and offer to unlock locked or disabled user accounts.
  • There is also a registry editor and other registry utilities that work under Linux/Unix and can be used for things other than password editing.


Technology Policies/User Passwords

It is the general policy that the IT staff does not need to know individual user passwords and will make every effort to ensure that we do not keep this information. As a result, whenever we need access to a user's account, we will generally choose one of two options:

  1. Have the user (if available) enter in their password; or
  2. Change their password on the server, and when completed, set the password to “require change on reboot”.

It is important that after a user's password has been reset, the following process be followed to notify them of their new password:

  • Leave a note (preferably typewritten) explaining that work has been completed on their system and that they should check their voicemail for their new password.
  • On their voicemail, leave them their password (repeated slowly, twice) and inform them that they will be prompted to change it when they next log on. Additionally, if they have questions, they should contact the office.

Recovery procedure to recover from a lost Password or User Name for an APC UPS


1. Select a serial port at the computer to be used for a terminal-emulation connection with the Management Card.

2. Disable any service that currently uses the selected serial port, such as PowerChute plus or UNIX Respond.

3. Disconnect any cable from the selected serial port and connect the smart-signaling cable (940-0024) that came with the Management Card to the selected serial port and to the serial port on the UPS or chassis.
Note: If the computer uses smart-signaling PowerChute plus, omit Step 3: A smart-signaling cable (940-0024 or 940-1524) is already installed.

4. Run a terminal program (such as HyperTerminal).

5. Configure the serial port for 2400 bps, 8 data bits, no parity, 1 stop bit, and no flow control, and save the changes.

6. Press ENTER to display the User Name prompt (you may need to press ENTER two or three times).

7. Press the reset button on the Management Card.
(This will reboot the card but will not reboot the UPS.)
***For cards with the most recent firmware (2.5.0 or higher), you will need to press the reset button an additional time.
Once the status light on the card starts flashing rapidly between orange and green, press the reset button again.
You will see the light on the card go off for roughly 30-45 seconds. Once the light comes on, proceed to step 8.***

8. Press ENTER to redisplay the User Name prompt.

9. Use apc for both the User Name and Password to log in.
Note: If you take longer than 30 seconds to log in, you will need to repeat Step 6 through Step 8.

10. Select System from the Control Console menu.

11. Select User Manager from the System menu.

12. Select Administrator from the User Manager menu, and follow the on-screen instructions to change the User Name
and Password settings to the new values.
***Please note that the password is limited to 10 characters or fewer.***

13. Escape out to the main menu.

14. Log out (4) to save the changes.

15. If necessary, reconnect any cable disconnected from the computer’s serial port in Step 3.

16. Restart any service disabled in Step 2.

Microsoft Strong Passwords

Just a reminder about passwords for clients where we have enabled “Passwords must meet complexity requirements”. I received a call today from another tech needing help, and here are the specific criteria:

When this setting is enabled user passwords will have the following requirements:

• The password is at least six characters long.

• The password contains characters from three of the following five categories: English uppercase characters (A-Z); English lowercase characters (a-z); base 10 digits (0-9); non-alphanumeric characters (for example: !, $, #, or %); Unicode characters.

• The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long then this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound-signs and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Since the second token is only one character long it would be ignored. Therefore, this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. All of these checks are case insensitive.

In this specific instance, the problem was that the user was trying to use part of their name in their password.
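To make the three rules above concrete, here is an added example (not from the original post or from Microsoft) that checks a candidate password the same way: minimum length, three of five character categories, and the account-name and full-name token rules, including the "Erin M. Hagens" tokenization. Treating "Unicode characters" as any non-ASCII character is an assumption of this example.

```python
import re

# Delimiters the post lists for splitting the full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, pound signs and tabs.
NAME_DELIMITERS = r"[,.\-_ #\t]+"


def has_three_categories(password: str) -> bool:
    """True when at least three of the five character categories are present."""
    upper = any("A" <= c <= "Z" for c in password)
    lower = any("a" <= c <= "z" for c in password)
    digit = any("0" <= c <= "9" for c in password)
    symbol = any(c.isascii() and not c.isalnum() for c in password)
    # Assumption: the "Unicode characters" category means any non-ASCII character.
    unicode_ = any(not c.isascii() for c in password)
    return sum([upper, lower, digit, symbol, unicode_]) >= 3


def name_tokens(full_name: str) -> list:
    """Split the full name on the delimiters and keep tokens of 3+ characters."""
    return [t for t in re.split(NAME_DELIMITERS, full_name) if len(t) >= 3]


def check_complexity(password: str, account_name: str, full_name: str) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not has_three_categories(password):
        problems.append("fewer than three character categories")
    lowered = password.lower()  # all name checks are case insensitive
    # The account-name check is skipped for names shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains name token '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample user matching the example in the post.
    user, full = "ehagens", "Erin M. Hagens"
    print(name_tokens(full))                              # tokens of 3+ characters
    print(check_complexity("Hagens2024!", user, full))    # rejected: name token
    print(check_complexity("Tr0ub4dor&3", user, full))    # accepted
```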

Checking for strength:


Wyse terminal running VNC

The majority of Wyse Thin Clients run a version of VNC to permit remote administrators to interact with the otherwise thin operating system. This is important since traditional remote control tools such as RDP, or a remote access tool such as Kaseya or N-able, cannot install an agent on them.

You can perform a "shadow" operation while using the Wyse Device Manager (WDM); however, the underlying access is VNC. All you need to know is the IP address and password. The following are the default passwords. Obviously, changing these should be on your priority list:

  • 1 Series terminals (WTOS/Blazer): password or Password
  • 3 Series terminals (Windows CE): password or Password
  • 5 Series terminals (Linux): winterm, password or Password
  • 8 Series terminals (Windows NTe): Administrator
  • 9 Series terminals (Windows XPe): Wyse
