Hacker News new | ask | show | jobs
by bpchaps 2525 days ago
At my last job, I wrote a little tool to download hipchat chat logs and scrape them for anything that looks like a password. There were tons!! I raised it to the CTO/CIO, and while they sounded interested in it, they never enacted any policies, etc, to prevent the sort of password sharing that anyone can apparently easily take advantage of.

In fact, the CIO asked me to send him a spreadsheet of when/where passwords were shared -- and then never did anything with it, despite the file essentially being a password map of the infrastructure. When I asked him if he deleted it, he told me he couldn't because the company's lawyers wouldn't allow him to. Lol.

It's insane out there.
2 comments
tnorthcutt 2525 days ago
What did you use for "looks like a password"?
link
bpchaps 2525 days ago
I use a python library called 'passwordmeter' to check the password 'strength' of tokens. If the token's password strength is high, it's either going to be a password, a hash, a key, or perl (half joking). It's then just a matter of ignoring the false positives - about 95% - but that's not as time consuming as it sounds considering the reward.

The precursor to the hipchat scraper: https://github.com/red-bin/password_finder

link
tnorthcutt 2525 days ago
Cool, thanks!
link
bmurphy1976 2525 days ago
The correct answer is routine password rotation, but of course that's stupidly hard to do.
link
eeeeeeeeeeeee 2525 days ago
I don’t agree with that. Regular password rotation increases the opportunity for phishing attacks because people become used to sleep walking through it. And users are generally just adding one or two characters to the password anyway.

Instead, that energy is better spent on requiring strong passwords and people using password managers and two-factor.

link
pmh 2525 days ago
Password rotation in this context is for the infrastructure, not normal user accounts.

There are other options for securing/managing infrastructure access (e.g. PKI, Hashicorp Vault), but if you're using passwords, it's a good idea to rotate them if only to encourage good practices around automation.

link
bmurphy1976 2524 days ago
I'm not referring to user accounts, I'm referring to password management for things such as database and/or internal APIs.
link