@gjacobse said in Windows 11 Remove PIN and Only Use Password Instructions:

@scottalanmiller

I may have an account I have forgotten about
But I continue to use local only. I believe they call it an “Offline Account”

On my personal Windows laptop, I use my Microsoft account (MFA'd). It makes things all around that way more convenient for me. To avoid passwords, and because I want that separated, I use Windows Hello (fingerprint or PIN). Then BitLocker (TPM 2.0+), and of course the BitLocker Startup PIN.

On my personal Linux laptop, basically the same thing as above, but SW level encryption.
I'm looking forward to trying Ubuntu's TPM-backed Full Disk Encryption soon! I haven't had time yet.

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

You gotta teach good culture

Good Luck

Sometimes people have to be inconvenienced for security

Don't disagree - but can't stop doing business either.

Managing all these exceptions is an operational nightmare that will create a load of technical debt.

No lie - and no argument there. But resetting the expiry date/time doesn't seem all that different than resetting any password. few clicks and poof.

I can understand your point, but some responsibility for security must fall on the user. Management of course has to buy in on this and/or give full control of IT policies to a CISO/IT manager/generalist (depending on size of business).

Again - no disagreement. Barring this - being able to set a date for the password to expire that isn't to far out of policy seems better and more ideal than some of the options.

I like this too, especially since I've had that graphic (the one they reference on their site) on the wall in our Lab for many years!

@JaredBusch said in Make Simple User Passwords:

@scottalanmiller said in Make Simple User Passwords:

Ever need to make passwords for users and, let's face it, in the real world a lot of customers demand some pretty silly simply passwords. Using password generators often results in passwords that customers will not (and maybe cannot) use. A ridiculous situation, obviously, but it is reality. Passwords are simply difficult to often pass on to someone.

When generating temporary passwords, having something super strong is rarely very important. But avoiding something too hard to be used is needed. But just making up something non-random or even non-unique is really bad.

What's a compromise?

https://www.dinopass.com/

Yup, here is reality. Sometimes children's tools just make more sense when, well, you can draw your own conclusions.

I use CHBS
http://correcthorsebatterystaple.net/

1335539d-360c-48f7-83a1-3e3a03adbf45-image.png

@wrx7m said in PowerShell - Off-boarding Script:

@dafyre said in PowerShell - Off-boarding Script:

@wrx7m said in PowerShell - Off-boarding Script:

@dafyre I think I found where you got it - https://www.powershelladmin.com/wiki/Powershell_prompt_for_password_convert_securestring_to_plain_text

Anyway, I am not sure where, in my script, I should place that function.

You'd put the actual function at the top of your script, and then just

$myPassword=convertFrom-SecureToPlain -securepassword $MySecurePassword

Wherever you need the password in plain text form.

Thanks. It mostly works. The only problem is that it isn't actually using the password I specify at the top. It is somehow generating its own and then writing it at the end. I put in

write-host "Plain Text Says: $plainText"

and it shows the password that I typed in for the secure variable at the beginning, followed by the one that it generated.

Plain Text Says: $#@%4#@177 Jof91348

Works fine for me here.... Check and make sure you don't have an extra write-host or anything somewhere.

4a0db1d0-785c-4771-9ad2-9cec6cb0434a-image.png

@Dashrender said in WebAuthn now a standard:

@stacksofplates said in WebAuthn now a standard:

@Dashrender said in WebAuthn now a standard:

@stacksofplates said in WebAuthn now a standard:

@scottalanmiller said in WebAuthn now a standard:

@Dashrender said in WebAuthn now a standard:

but how do you use a YubiKey on your phone?

Screenshot from 2019-03-05 10-05-44.png

That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.

So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?

Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.

I've never used a YubiKey - I assumed the private code inside the YubiKey was there and no where else.

It depends on the type of authentication.

So this has been changed in their newest release 2.0.0.25 (not sure if it's publically available), and while the credentials are no longer in plain-text there are a few things you lose the ability to do.

Namely to tell if any given used is logged into a device, and secondly to sign in/out as a user on any given device.

I've provided my feedback to Yealink and hope to hear back soon. Neither of the above 2 issues are deal breakers, as the bigger goal is to be able to set configuration options, screensavers, time servers etc and have the user deal with the login.

Especially since the "Web Sign in" functionality is so simple, there is little reason to need the ability to sign in for a user.

Changed, though I already had login verification setup so no way someone else would get in easily.
0_1525401327754_d65c3f50-c905-47c5-b2b5-903e8bb692f5-image.png

Lenovo... giving you the finger.

@emad-r said in Reset MySQL password on Fedora 26:

@dashrender

Correct, without doing any thing. And this was the first time for 2 things:

Autogen password password password.

back in the day, you install you get blank pass, and use mysql_secure_installation

You still do. No idea what you did

@dbeato said in AD User Tool: Bulk AD User:

@Dashrender Then, he needs to force it with Powershell no just a GUI....

Agreed.

@coliver said in GE Power Grid Relays Found with Hard Coded Password and Breached Encryption:

One of the many reasons we need to work to modernize our electrical system.

Or, you know, use competent contractors for the components.

@JaredBusch said in Microsoft Ditches Passwords to Return to One Factor Authentication:

@Reid-Cooper said in Microsoft Ditches Passwords to Return to One Factor Authentication:

@matteo-nunziati said in Microsoft Ditches Passwords to Return to One Factor Authentication:

people at microsoft
alt text

I think that that picture makes it harder to find confidence in the products 🙂

Just the sad state of fashion in the late 70's

The hair styles are the worst part.

Real solution... Stop using outlook and push to OWA.

OH - sigh!

Yeah yeah - fine.

UBTN is username cap sensitive...

yeah I was thinking that was the major draw back.

And systems like Paypal or banking - those allowing a simple email reset just bug me.

@scottalanmiller said:

Stickie notes.

pzv5j7l.jpg

@Jason said in Centralized password manager:

@JaredBusch said in Centralized password manager:

@dafyre said in Centralized password manager:

@JaredBusch said in Centralized password manager:

@fuznutz04 said in Centralized password manager:

@JaredBusch What do you use?

I have been using LastPass since 2007 or so.

The standard $12 subscription lets you share a folder. So I made a
"Company" folder with subfolders for each client. and shared the Company folder out.

For a small consultancy like ours, it works well.

$12 per month, or per year?

Also... how did you handle the LastPass breach?

Per year, and I changed my password. Nothing else needed. I do not have 2FA enabled because I feel getting a text or something to the same damned device I am logging in on defeats the purpose of 2FA. My current LastPass password is a phrase about 30 characters long or so. I have lastpass set to log out automatically when my browsers close, etc.

You can use google authenticator.

That's what I use. I do have it turned off for my phone tho, no point in having the device you get the code from require a code. Don't really use the phone version except to lookup passwords when I'm away from one of my normal computers/browsers.

@Nic said:

And if you have to, at the very least wipe the machine and start from scratch with your own image.

Now, that used to work. 🙂 Now it does not.

LUKS will work great for that. We used it in big finance to deal with stuff like government bank account details.