Comments on: Why I don’t scan networks with my own credentials
https://dfarq.homeip.net/why-i-dont-scan-networks-with-my-own-credentials/
David L. Farquhar on technology old and new, computer security, and more
Wed, 04 Mar 2015 12:58:00 +0000

By: Dave Farquhar
https://dfarq.homeip.net/why-i-dont-scan-networks-with-my-own-credentials/#comment-41651
Wed, 04 Mar 2015 12:58:00 +0000

Scanning passwords to see which ones are weak and easy to guess is fairly common practice–it’s especially fun when the red team pen tester finds one of the AD admins is using “12345678”–but that’s very different from having HR review them. If they don’t want obscenities in passwords, there are technical means to block them (the Department of Defense does) without HR being able to see them.

Nobody should be able to see them.

Then there are the people who e-mail me their passwords from time to time. Yes, someone did that a week or two ago. That’s another matter entirely…

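The comment above says a banned-word rule can be enforced by the system itself without anyone reading the password, and that weak passwords can still be found by scanning. The following sketch is an added example, not code from the post or its commenters, and the word lists, user names and function names in it are constructed for illustration. It shows the policy check running only at the moment a password is set, the store keeping nothing but a salted PBKDF2 hash, and an audit that flags accounts whose hash matches a short guessable-password list without revealing anyone else's password.

```python
"""
Added example (not from the original post or its comments): a minimal
password-handling sketch. A banned-word policy is enforced at set-time,
only a salted hash is ever stored, and a weak-password audit works by
hashing guesses rather than by reading passwords. All names, word lists
and sample users below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed policy lists (placeholders; a real deployment would use a
# much larger breached-password corpus).
BANNED_WORDS = {"damn", "crap"}                  # refused at set-time
WEAK_LIST = ["123456", "12345678", "password", "qwerty", "letmein"]

PBKDF2_ROUNDS = 50_000   # kept low so the example runs quickly


def policy_violation(candidate: str) -> Optional[str]:
    """Return a reason if the candidate breaks policy, else None.
    Runs only when the user sets the password; the plaintext is never
    logged, stored or shown to a human."""
    low = candidate.lower()
    if len(candidate) < 12:
        return "too short"
    for word in BANNED_WORDS:
        if word in low:
            return "contains a banned word"
    if low in (w.lower() for w in WEAK_LIST):
        return "on the weak-password list"
    return None


def hash_password(candidate: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def set_password(store: dict, user: str, candidate: str) -> bool:
    """Enforce policy, then persist only the salted hash."""
    if policy_violation(candidate):
        return False
    store[user] = hash_password(candidate)
    return True


def verify(store: dict, user: str, candidate: str) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    salt, digest = store[user]
    _, attempt = hash_password(candidate, salt)
    return hmac.compare_digest(attempt, digest)


def audit_weak(store: dict, wordlist=WEAK_LIST) -> list:
    """The scanner's view: hash each wordlist entry with each user's salt
    and report users whose stored digest matches. The auditor learns that
    an account uses a guessable password, not the password of anyone who
    is not on the list."""
    hits = []
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            _, d = hash_password(guess, salt)
            if hmac.compare_digest(d, digest):
                hits.append(user)
                break
    return hits


def demo() -> dict:
    """Exercise the policy, the store and the audit on constructed users."""
    store = {}
    results = {
        "banned_rejected": not set_password(store, "brig", "Damn-Good-Password1"),
        "weak_rejected": not set_password(store, "admin", "12345678"),
        "ok_accepted": set_password(store, "alice", "correct horse battery"),
    }
    # Simulate a legacy account that chose a guessable password before the
    # policy existed, by storing its hash directly.
    store["legacy_admin"] = hash_password("12345678")
    results["audit"] = audit_weak(store)
    results["login_ok"] = verify(store, "alice", "correct horse battery")
    results["login_bad"] = verify(store, "alice", "wrong")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the check happens: the obscenity rule fires inside `set_password`, while the plaintext exists only in memory for that one call, and the audit in `audit_weak` needs nothing but the stored salt and digest. Neither step gives a human a list of passwords to read.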
By: Brig C. McCoy
https://dfarq.homeip.net/why-i-dont-scan-networks-with-my-own-credentials/#comment-41643
Tue, 03 Mar 2015 14:30:02 +0000

On similar lines, when working for a large multi-national conglomerate a few years ago, we were given access to an online training system. I set my password to a default password that I use for systems I don’t care about. A couple of weeks later, I get a rocket from HR about using obscenities in my passwords! We then had a long conversation about how inappropriate it was that HR could see my password. I left a few months later. The company has since “ceased North American operations”. 🙂
