this post was submitted on 09 Jul 2023
1348 points (98.9% liked)

Ask Lemmy

27258 readers
1523 users here now

A Fediverse community for open-ended, thought provoking questions


Rules: (interactive)


1) Be nice and; have funDoxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them


2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?


3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.


4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected]. NSFW comments should be restricted to posts tagged [NSFW].


5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.


6) No US Politics.
Please don't post about current US Politics. If you need to do this, try [email protected] or [email protected]


Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija


Logo design credit goes to: tubbadu


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 74 points 1 year ago* (last edited 1 year ago) (7 children)

The building, used by several hundred employees, had a security systems with 4-digit codes. I've been part of group of people who liked to work late times, and the building would lock at midnight -- the box by the door would start beeping and you would need to unlock it within a minute or so, or "proper alarm" would ensue.

However, to unlock the alarm you did not need your card -- all you needed to do was to enter any valid code. Guess what was the chance that, say, 1234 was someone's valid code? Yes.

We've been all using some poor guy's code 1234, and after several years, when he left the company we just guessed some other obvious code (4321) and kept using that.

By the way, after entering the code to the box by the door, it would shortly display name of the person whom the code "belonged" to. One of our colleagues took it as a personal secret project to slowly go through all 10000 possible codes and collect the names of the people, just for the kick of it.

(By the way, I don't work for that company anymore, and more importantly, the company does not use that building anymore, so don't get any ideas! ๐Ÿ™ƒ )

[โ€“] [email protected] 19 points 1 year ago

Speaking about security codes, a little story about a tiny hotel I've been in.

When we arrived, there was no reception, the agreement was that once we arrived we would call the receptionist/owner. So we did, and turned out the rooms were prepared in advance, and they would just need to give us code to unlock the main door, code to unlock our room door and some basic instructions -- all of that could be done over the phone. Fine.

So they gave us the code, it was, say, 1234, and our room was 33. So we opened the main door -- worked fine, went to the lobby and tried to open our room. The code 1234 did not work. So we called back and after some checking they apologized and told us that the correct code was--you guessed it---1233.

Luckily there was also a proper metal key in the room--only one though (we were a group of 6), so if we wanted to actually protect our valuables we had to share the metal key.

(Overall, the hotel was great, and all, the owners were nice, all was fine -- it's just that they were apparently not exactly security nerds... ๐Ÿค“ )

[โ€“] [email protected] 12 points 1 year ago (1 children)

One of our colleagues took it as a personal secret project to slowly go through all 1000 possible codes and collect the names of the people, just for the kick of it.

Just an FYI it's 10,000 codes, not 1,000. 0000-9999

[โ€“] [email protected] 6 points 1 year ago (2 children)

Was it possible for multiple people to have the same code?

[โ€“] [email protected] 13 points 1 year ago

It was not. I vaguely recall that during my onboarding (which was long before I needed to use the code) I was asked to pick a code and I needed several attempts.

Funny that If it was possible, codes like 1234 would still be almost guaranteed to be valid, but because the code needed to be unique, there were far more valid codes, which made the guess even easier.

Plus when trying to pick my own code during onboarding I could note all the failed attempts as also valid codes.

So much fun! :D

[โ€“] WardenDrew 6 points 1 year ago (1 children)

Having worked on a system like this, typically no. DMP systems for example, require every user's 4 digit pin number to be unique.

[โ€“] [email protected] 3 points 1 year ago (1 children)

Doesn't that make the numeric code their username? There is no 'password' here.

[โ€“] WardenDrew 3 points 1 year ago

Sure in theory, but in the UI for these systems it is always called a PIN number or a Passcode.

[โ€“] [email protected] 4 points 1 year ago (2 children)

I have worked for several companies with door codes and they're always easy to guess. Like 1-2-3-4 or 2-4-6-8. And they only change if someone gets fired.

[โ€“] [email protected] 7 points 1 year ago

The door codes at the hospital I worked at was 1 2 3, until they got in trouble for people walking in.

They changed it to 2 1 3

[โ€“] [email protected] 4 points 1 year ago

Some really cheap locks don't even require a specific order, just the correct 4 digits in any combination.

[โ€“] [email protected] 4 points 1 year ago

That's what you get when your key space is too small for the problem you're trying to solve.

I remember a Defcon talk I saw on YouTube where the guy said "remember everything is either broken or using default credentials"

[โ€“] [email protected] 2 points 1 year ago

"Man, this guy just be pretty dedicated if he's coming in to work at all hours of the day and night."