
Brute forcing weak passwords? Someone is doing something horribly wrong here on several levels. At the very least anything online of any importance should have rate limits if not locking for repeated password attempts. For servers themselves allowing password logins is inexcusably bad.
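As an added illustration of the rate-limit-or-lock advice above (this is example code, not anything from the thread or from the vendor discussed), the following failed-login throttle tracks failures per account inside a sliding window and applies a lockout whose length doubles on each repeat. The thresholds are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Illustrative thresholds (assumptions, not values from the thread).
MAX_FAILURES = 5        # failures allowed inside the window before lockout
WINDOW_SECONDS = 300    # sliding window in which failures are counted
BASE_LOCKOUT = 60       # first lockout length in seconds; doubles each time


class LoginThrottle:
    """Per-account failed-attempt counter with exponential lockout.

    Caveat: per-account lockout lets anyone who knows a username lock that
    user out on purpose, so production systems usually pair it with a
    per-source limit and alerting rather than relying on it alone.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(list)    # account -> recent failure times
        self.locked_until = {}               # account -> lockout expiry time
        self.lockout_count = defaultdict(int)  # account -> lockouts so far

    def _prune(self, account, now):
        # Drop failures that fell out of the sliding window.
        cutoff = now - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]

    def allowed(self, account):
        """Return (allowed, seconds_remaining); call before checking a password."""
        now = self.clock()
        until = self.locked_until.get(account, 0)
        if now < until:
            return False, until - now
        return True, 0

    def record_failure(self, account):
        """Call after a wrong password; locks the account at the threshold."""
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            n = self.lockout_count[account]
            self.locked_until[account] = now + BASE_LOCKOUT * (2 ** n)
            self.lockout_count[account] = n + 1
            self.failures[account].clear()

    def record_success(self, account):
        """A successful login clears the account's failure and lockout state."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
        self.lockout_count.pop(account, None)
```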

It is considered a bit overzealous by most but I believe that passwords should have been done away with a long time ago in favor of cryptographic keypair logins - we have already found that the "2FA" used in practice, like emails and cellphone text messages, is not an adequate replacement. I'm aware there are other problems with storing your keys and loss but I believe that is a better approach for anything that needs security. I wish I could get my bank accounts to use key based logins.

Could be to avoid liability?

> Why were you hacked

> Weak passwords

> What are you going to do about it

> We've forced all systems and employees to regenerate passwords and service keys

Now let's try this again without an honest answer

> How were you hacked

> No idea

> What are you going to do? Are you still vulnerable?

> No idea. We'll have to do an extensive audit. No one knows how long this will take. There's not even an inventory of systems or data flow

> Could they have installed backdoors

> No idea

Same tactic as what's used on Twitter accounts.

And same as I said previously: If the bad actors can brute force weak passwords, the company itself should be able to do it too and force those with weak passwords to update them.

Interestingly enough, Citrix ShareFile forced password resets for everyone in January.

I suspect some places still only use passwords for server logins because they can simply use Active Directory for user management and then have servers use AD/LDAP for credential checking.

I think businesses with critical infrastructure should use hardware keys (e.g. YubiKeys) to provide at least one of the factors needed to log in to a server. Using a YubiKey as an authentication key for SSH is not that difficult and I do it for my own hobby stuff.

For web based stuff one can now use WebAuthn to provide key based authentication (in addition to whatever other factors one would like). This requires the enterprise to run up-to-date browsers however.

> This requires the enterprise to run up-to-date browsers however.

Why is this so hard?!? I agree with you, but this sentence rang so true it was sad. I've been forced to work with/around unbelievably out-of-date browsers in order to install current firmware updates on systems at almost every place I've worked.

Because large corporations have teams in charge of users' desktops that still assume this is the 90s, and most users are idiots. Also, there are a ton of bad internal web applications targeting outdated browsers.

Totally agree. My guess — and it’s obviously nothing more than that — is that they don’t fully know yet, but it might seem better and easier to solve than the alternative that there’s very little organizations in this position can ever actually do to prevent sophisticated attacks.

The fact they were unaware of the breach until the FBI told them says much. It's not that easy to exfiltrate 6TB of data unnoticed if you have any IDS (automated or just manual) in place.

Having an IDS in place means jack shit if you don’t have skilled personnel managing it.

Depressingly often, these things are installed as part of a box ticking exercise to pass an audit or meet another form of compliance. However, they never get set up right from the outset, or the security professionals who were there leave and never get replaced.

In this case, if they’re talking about infrastructure available on the public internet with password only authentication then I’d wager any skilled professionals they may or may not have had, had already left. Because no security minded engineer would have okayed that practice. Which means even if they did have an IDS, I’m highly doubtful that would have been managed properly either.

Citrix's secure document delivery product, ShareFile, sent emails to all its document recipients forcing a password reset with stricter requirements in January.

We aren't getting the whole story from Citrix.
