Classicmotorcycling
Development Team Leader
Australia
2084 Posts
Posted - 12 December 2002 : 15:20:36
I currently work in one of the largest banks in Australia, in their IT area doing the eCommerce Platform Development, whereas before I was in the eCommerce support area for over 3 years. There was no way we were ever able to get passwords to users' accounts, and it should stay that way. All passwords are encrypted and it would take more time than I would like to imagine cracking them, and by then the user should have changed their password.
We had ways to go into accounts for testing purposes, but this would be recorded. So when we needed to test something, we would just check our own accounts. There was no need to have a password via that way. They now require full documentation as to why you are going into the account (even if it is yours), and what you did when you did go into it via the Customer Service Operators function, or you lose your job.
There are ways around it, but you need to code correctly and there is no need to have others' passwords. The admin can do their work without the need to have passwords to other accounts.
Cheers, David Greening
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 12 December 2002 : 17:39:30
NAB?
Kiwihosting.Net - The Forum Hosting Specialists
2b3
Starting Member
5 Posts
Posted - 12 December 2002 : 21:08:13
Hey, I would guess that the admin password was sniffed at some stage, because someone used it across the internet whilst someone was packet filtering.
For example: if I have a hub in my office (not a switch) and I load some packet filtering software, then I can watch all traffic going in and out of all PCs connected to the hub. If a password is transmitted unencrypted (not https), then I could capture that password. If someone placed in between the admin client browser and the web server sniffed the network at the right time, then they could get the password.
Another thing is brute force. How many password attempts are allowed before lockout, or another measure to stop the attempted crack? I'm asking: can I write a script to test 1 billion different logins for admin and sit there and let it happen?
I would love to know if anyone has written a mod to log all attempts at login.
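The lockout and attempt logging 2b3 asks about, as an added example that is not part of this thread or of Snitz Forums' own code. It is written in Python rather than the forum's ASP, and the threshold, sliding window and lockout length are assumed values; the caller supplies the result of its own password check.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


class LoginGuard:
    """Count failed logins per account inside a sliding window, lock the
    account once the threshold is hit, and record every attempt (success,
    failure, or rejected-while-locked) so the admin can review them."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures   # assumed policy values
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time the lock expires
        self.audit_log = []      # one dict per attempt, oldest first

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account, password_ok, source_ip, now=None):
        """Record one login attempt and return its outcome string."""
        now = now or datetime.now(timezone.utc)
        if self.is_locked(account, now):
            # Refuse without consulting the password while locked, so a
            # guessing script learns nothing during the lockout.
            outcome = "rejected-locked"
        elif password_ok:
            outcome = "success"
            self._failures.pop(account, None)
        else:
            outcome = "failure"
            recent = self._failures.setdefault(account, deque())
            recent.append(now)
            while recent and now - recent[0] > self.window:
                recent.popleft()          # drop failures outside the window
            if len(recent) >= self.max_failures:
                self._locked_until[account] = now + self.lockout
                outcome = "failure-locked"
        self.audit_log.append({"time": now.isoformat(), "account": account,
                               "ip": source_ip, "outcome": outcome})
        return outcome
```

The audit_log is what a "log all attempts" mod would write to the database: a burst of failures from one address against the admin account is visible there even if the lock never triggers.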
OneWayMule
Dev. Team Member & Support Moderator
Austria
4969 Posts
snaayk
Senior Member
USA
1061 Posts
Posted - 14 December 2002 : 15:53:23
I know I'm a bit late in the argument, but one of the things to consider is the following: although it is said that you should have unique passwords for all logins, in the real world that is not usually the case. So, imagine, if anyone were able to get a password for a particular account, it is possible that they may have your password for any number of accounts that require logins. I usually have a super-secretive password (lots of numerics, alphas, symbols) and a not-so-important one for normal logins. For example, any time I created an account at a Snitz forum prior to encryption, I always used a different password, because I knew that the admin, a person I don't know, could look at the db and see my password.
In my experience, no department ever knows your password. They can only reset it. And in the case of banks, usually they cannot reset it over the phone; they must mail you a new computer-generated one.