[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Inquisitor77

Theoretically there isn't really an issue with using spaces in passwords. The password string is being hashed, and the input for the hashing function accepts spaces just fine. A space is a character that is represented by bytes. Therefore it can be hashed. The issue in the past has been one of technical limitations, but assuming a modern implementation with modern standards, there are no technical issues with supporting spaces anymore.

However, I will say that in today's world the primary reason you may not want to support spaces in a password is because of user error. If someone tries to copy/paste a password, for example, they may add an inadvertent space or carriage return to the beginning or end of the string. From a user experience perspective, the easiest way to address this is to trim any inputs or to prevent such characters from being used in the password input field.

It's also worth noting that given password managers have to support the widest possible range of password implementations, it makes sense for them to have a default configuration which does not support spaces. (However, a password manager you are paying for which doesn't let you toggle that functionality is probably not worth paying for.) Similarly, many password managers default to a generator configuration which forces a lowercase, uppercase, number, and symbol, but also allow corresponding toggles when you do want them included.

Honestly it's an argument that is really only relevant to pedants. If you want a space in your password and the system in question supports it, then great. If not, then don't use one. Either way the inclusion or exclusion in the vast majority of cases, particularly the ones relevant to you and your personal security, is equivalent to the relevance of a single grain of sand in the beach. And if you are a system administrator looking to implement standards, then per above the real question you need to be asking yourself is one of user experience and how that impacts user/system security.

furlion

Inquisitor77 wrote: »

Theoretically there isn't really an issue with using spaces in passwords. The password string is being hashed, and the input for the hashing function accepts spaces just fine. A space is a character that is represented by bytes. Therefore it can be hashed. The issue in the past has been one of technical limitations, but assuming a modern implementation with modern standards, there are no technical issues with supporting spaces anymore.

However, I will say that in today's world the primary reason you may not want to support spaces in a password is because of user error. If someone tries to copy/paste a password, for example, they may add an inadvertent space or carriage return to the beginning or end of the string. From a user experience perspective, the easiest way to address this is to trim any inputs or to prevent such characters from being used in the password input field.

It's also worth noting that given password managers have to support the widest possible range of password implementations, it makes sense for them to have a default configuration which does not support spaces. (However, a password manager you are paying for which doesn't let you toggle that functionality is probably not worth paying for.) Similarly, many password managers default to a generator configuration which forces a lowercase, uppercase, number, and symbol, but also allow corresponding toggles when you do want them included.

Honestly it's an argument that is really only relevant to pedants. If you want a space in your password and the system in question supports it, then great. If not, then don't use one. Either way the inclusion or exclusion in the vast majority of cases, particularly the ones relevant to you and your personal security, is equivalent to the relevance of a single grain of sand in the beach. And if you are a system administrator looking to implement standards, then per above the real question you need to be asking yourself is one of user experience and how that impacts user/system security.

That is a great response and i appreciate you taking the time to write it up. I use KeePass which does indeed have a toggle for spaces and other lesser used characters. I knew about hashing and salting which is why i couldn't really think of a good reason not to allow them, but your explanation about the potential user error put that into perspective. Using spaces might make a password more secure if i was trying to memorize it but given that my average password length is at least 12 characters, unless forced to use fewer, and stored in my vault, it is probably moot in actual practice.

Inquisitor77

Glad you found it helpful!

syndalis

another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

DisruptedCapitalist

The problem I've been having with pass phrases is that it's still hard to remember them when I need to have a unique one for every website. Generally I try to limit them for stuff that I really need to keep secure but still need to have memorized but inevitably it's still too many and I forget which one I used for this website.

Mr_Rose

That’s why you have one passphrase – the master key to your password generator.

Drovek

syndalis wrote: »

another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

You can still have that passphrase but without spaces.

It's far more likely these days to run into "maximum 14 characters!" types of limits for some Lorb forsaken reason.

Shadowfire

Drovek wrote: »

syndalis wrote: »

another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

You can still have that passphrase but without spaces.

It's far more likely these days to run into "maximum 14 characters!" types of limits for some Lorb forsaken reason.

Those sites with tight limits on character usage are trying to avoid a visit from Little Bobby Tables, change my mind.

LD50

So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

Mugsley

LD50 wrote: »

So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

It has always been this way, unfortunately. The Authenticator app does add a layer of security.

Echo

LD50 wrote: »

So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

Oh, does it still silently cap the password length too? :rotate:

TetraNitroCubane

The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

this is fine dot png

nexuscrawler

TetraNitroCubane wrote: »

The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

this is fine dot png

Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

LD50

nexuscrawler wrote: »

TetraNitroCubane wrote: »

The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

this is fine dot png

Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

I wonder if they're even using azure for their MFA configuration.

Shadowfire

nexuscrawler wrote: »

TetraNitroCubane wrote: »

The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

this is fine dot png

Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

They used to support voice lines for MFA but got rid of it without telling anyone. I've had a few clients who lost access to their Microsoft accounts because the 2fa was linked to a landline phone so it couldn't send texts to the phone.

Frem

So, laptop fingerprint readers have a special encrypted protocol they’re supposed to use to communicate authentication information with Windows. It prevents an attacker from trivially spoofing the fingerprint reader. But using the encrypted protocol isn’t mandatory for some reason. So vendors aren’t turning it on. Vendors like Microsoft.

https://arstechnica.com/gadgets/2023/11/researchers-beat-windows-hello-fingerprint-sensors-with-raspberry-pi-and-linux/

Carpy

The dell attack portion of the write up is pretty interesting https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/

Shadowfire

Yep, gotta love that clear text communication!

Mr_Rose

Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

SiliconStew

Mr_Rose wrote: »

Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

nexuscrawler

SiliconStew wrote: »

Mr_Rose wrote: »

Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

SiliconStew

nexuscrawler wrote: »

SiliconStew wrote: »

Mr_Rose wrote: »

Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

Yes it is. But as a general rule if an attacker has physical access to your machine it will be compromised.

schuss

nexuscrawler wrote: »

SiliconStew wrote: »

Mr_Rose wrote: »

Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

Anytime someone has physical access to a machine, it's just a matter of time until they're able to access the data. More security = longer time period and more complexity. This is why many organizations are switching to more zero trust frameworks with less data sitting on the edge (IE on the laptop), as in that scenario you've scored yourself a sweet laptop but no data or intrusion channels as it's flagged as invalid to access the network/accounts once reported stolen.

nexuscrawler

There's still a significant difference between a unsecured thumbprint scanner and someone taking the time to crack full disk encryption.

Donnicton

Speaking of Microsoft, there are reports of the HP Smart App automatically installing on computers that access the Windows Store whether or not the computer is an HP.

https://www.techspot.com/news/101024-hp-smart-app-mysteriously-appears-non-hp-windows.html

Reports of the HP Smart app appearing in the new apps section of the Windows Start menu have been popping up on Reddit. "Checking the event log for the Microsoft Store shows that it installed earlier today, but I definitely did request or initiate it because I do not have any devices from HP," wrote one user. "No HP printers or other devices have been connected to my computer or network, ever."

The HP Smart app allows users to manage HP printers and is usually installed on HP PCs. It's certainly not supposed to appear on PCs that aren't connected to an HP device such as a printer.

While only some users are finding the app has mysteriously appeared, it seems to be automatically installing on all versions of Windows that use the Microsoft Store. Windows Latest reports that it auto-installed on a Lenovo Legion laptop running Windows 10 and on a virtual machine running Windows 11 using a different Microsoft account. Again, this was despite neither system ever being connected to an HP product.

Microsoft has confirmed that it is aware of the reports of these automatic installations of the HP Smart app and will share more details soon. It's speculated that this could be an error linked to the Windows Update feature, though we won't know for certain until Microsoft confirms what's going on.

The good news is that uninstalling the HP Smart app is as simple as removing any other application from Windows – this is still an official piece of software and not something shady. Nevertheless, it's another annoyance for users and has been worrying those who feared the app's appearance was related to a sinister event.

Mugsley

HP pulling more HP bullshit

LD50

Yeah, it showed up on my custom rig, and I don't have any HP printers.

Donnicton

lmao so they figured out why it was happening.

https://www.xda-developers.com/windows-update-bug-renaming-printers-m101-m106/

A few days ago, we spotted that the HP Smart App was being installed on people's PCs without their consent. Even worse, the app would reappear if users tried to uninstall it or clean-installed Windows. Now, the cause has finally been identified: a recent Windows 10 and 11 update is renaming everyone's printers to "HP LaserJet M101-M106" regardless of what model it actually is.

As reported on Windows Latest, the latest update for Windows 10 and 11 seems to think that people's printers are an HP LaserJet model, regardless of their actual brand. It's believed that the bug appeared after HP pushed its latest metadata to Windows Update, but something went awry in the code and caused other printers to be labeled as HP LaserJet printers.

This explains why the HP Smart App has been sneaking onto people's computers without their consent. A key part of Windows Update is keeping third-party drivers and devices updated, including downloading any apps that the devices depend on. After the printer metadata incorrectly identified everyone's printers as HP LaserJet printers, Windows installed all the software needed for an HP printer to work smoothly, including the HP Smart App.

Fortunately, the bug only affects the metadata for the printer. While the printer may show up with a different name on your system, you should still be able to send print jobs to it. Microsoft has since removed the fault metadata from Windows Update, so anyone performing a clean install from now on should get their original printer's name back and stop the HP Smart App from re-downloading.

If you're not keen on performing a clean install just to reset a printer's name, Microsoft should be releasing an update in the future that corrects this problem.

SiliconStew

Changing the model metadata on the built in Microsoft print to PDF printer explains why it was showing up on systems without any real printers installed, including clean installs.

Phoenix-D

CVEs for SSH? Oh this has the potential to be real chaos inducing

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

Fortunately it's a little limited (required a man in the middle attack) but yeah that's not great

DisruptedCapitalist

Mitm attacks are just the sort of thing governments can do...

Trajan45

Have any of the password managers makers added a 'phrase' option for their password generators? Sometimes I still have to type in manually and it might be nice if they could auto generate something like PlaceSymbolObjectSymbolColorNumber.

Inquisitor77

Trajan45 wrote: »

Have any of the password managers makers added a 'phrase' option for their password generators? Sometimes I still have to type in manually and it might be nice if they could auto generate something like PlaceSymbolObjectSymbolColorNumber.

1Password has a setting called "Memorable Password" that is similar.

Unknown

This content has been removed.

Tomanta

Bitwarden has one too, but every time I try to use it the site I'm creating a password for says "lol, no, try these obscure rules. Also use a symbol but not these symbols we picked at random".

TetraNitroCubane

Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.

A security auditor for our servers has demanded the following within two weeks:

• A list of current usernames and plain-text passwords for all user accounts on all servers
• A list of all password changes for the past six months, again in plain-text
• A list of "every file added to the server from remote devices" in the past six months
• The public and private keys of any SSH keys
• An email sent to him every time a user changes their password, containing the plain text password

Wow. Wow.

Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

DisruptedCapitalist

Also shows why its so hard to get a job in security. Companies don't want to spend the money on prevention, so instead they shell out the big bucks to elite disaster response firms every few years whenever they get caught with their pants down

EDIT: can I also say I'm glad I put a freeze on my credit. There were at least five separate companies that notified me of breaches last year and I just got a notice from fucking Mr. Cooper yesterday that they fucked up too. (I haven't even had a loan with them in years but of course they still keep all my data just waiting to get stolen. Fuckers.)

TetraNitroCubane

DisruptedCapitalist wrote: »

Also shows why its so hard to get a job in security. Companies don't want to spend the money on prevention, so instead they shell out the big bucks to elite disaster response firms every few years whenever they get caught with their pants down

For sure.

It's been said before, but security is every company's lowest priority - until it very suddenly becomes their highest priority.

BlazeFire

TetraNitroCubane wrote: »

Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.

A security auditor for our servers has demanded the following within two weeks:

• A list of current usernames and plain-text passwords for all user accounts on all servers
• A list of all password changes for the past six months, again in plain-text
• A list of "every file added to the server from remote devices" in the past six months
• The public and private keys of any SSH keys
• An email sent to him every time a user changes their password, containing the plain text password

Wow. Wow.

Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

Today but 12 years ago, based on the date?

Naphtali

BlazeFire wrote: »

TetraNitroCubane wrote: »

Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.

A security auditor for our servers has demanded the following within two weeks:

• A list of current usernames and plain-text passwords for all user accounts on all servers
• A list of all password changes for the past six months, again in plain-text
• A list of "every file added to the server from remote devices" in the past six months
• The public and private keys of any SSH keys
• An email sent to him every time a user changes their password, containing the plain text password

Wow. Wow.

Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

Today but 12 years ago, based on the date?

uh yeah, dude was talking about running red hat 5 servers. this is oooold