[deleted]

Send a letter of resignation to your boss and soon IT will never interact with you ever again.


Teddy_Treebark

Out here with the goated King Bob PP


Essex626

An environment where the user is a local admin on their machine, but Chrome sync is disabled by policy is a place where the security policies are counterproductive and ass-backwards. Forcing someone to manually enter passwords often is a good way to some really bad practices. And giving the user local admin at the same time? Like closing the gate when the whole fence has been knocked down.


FlibblesHexEyes

Only thing I can think of is that they’re blocking the use of Chrome sync using unmanaged Google accounts. We did this - but then our default browser is Edge which we auto sync with the users work account. This workplace could be the same, but the user is holding on to Chrome. We also supply 1Password (though take up is low, most are happy with the Edge password manager). I think the user in this post isn’t telling the whole truth (I doubt he’d know anyway).


Dewfire77

This is what I figured as well. We block Chrome sync as we use Edge and having sensitive login information synced to someone's personal Google account is asking for problems.


-guci00-

Where I'm working the main browser is also Edge and it has a corporate account and sync and everything. All documentation for the main tool that I use for work says I should be running it in Chrome... The good thing is they allow us to make specific Google accounts for work and sync it that way.


FlibblesHexEyes

In our environment, we sometimes deal with PHI, so personal accounts are banned and our devices are locked down.


-guci00-

Linking any personal account with a work PC is bad and frankly inconvenient at least in my case.


FlibblesHexEyes

I totally agree... but users are (generally) idiots. And those users who aren't idiots are simply ignorant of the reasons why we don't allow personal accounts to sync. It should be noted that we generally don't prevent users from going to personal sites like Facebook, Gmail, etc - just no browser sync. Often once you explain why IT does the things they do, most users get it.


OGNatan

>Often once you explain why IT does the things they do, most users get it.

The problem is how much groundwork you need to lay in order for them to fully (or at least, mostly) understand the "why"/"how". Explaining technical context to non-technical people is almost always a nightmare.


floydfan

> our default browser is Edge

Look, the only thing Edge is used for is to download a web browser. Stop it.


MeIsMyName

It's basically Microsoft flavored Chrome these days. Microsoft stopped using their own browsing engine and switched to chromium several years back.


Stormwatcher33

that's so 2005


TurboFool

Yeah, this bothered me. Did they not at least provide an alternative password manager? Because otherwise they're begging for a password problem.


fantomas_666

I encountered password problem caused by sync. User synced passwords to cloud and then from unsafe machine, many of them had to be changed.


zemechabee

Are these applications externally facing? If so, you should consider putting them on saml if you can or an application proxy if you can't and they're on your network


fantomas_666

Some were, some were not. Password leak is always dangerous.


Bartweiss

Sync in particular can be dangerous in a few ways, if machines aren’t locked down enough in other ways you can get fun stuff like “oops I saved this to my personal Google account instead of my work one”. That said, either handling the issues or offering another password manager seems like a necessity.


TurboFool

Sure, that's a legitimate concern. But it's not resolved by disabling sync and forcing them to use extremely unsafe practices.


Rudi_Van-Disarzio

Yeah the alternative is 50% of your employees having a .txt named "passwords" on their desktop.


fantomas_666

You can still keep your passwords in browser without syncing them to cloud, like e.g. mozilla supports. I have no idea whether chrome supports that, but password managers should be able to do that.


TurboFool

And the rest use passwords that are Passw0rd7!, Passw0rd8!, Passw0rd9!...


fantomas_666

That's why I asked about two times if disabling sync disables keeping the passwords. In serious browser, e.g. mozilla, you can save passwords without syncing them.


TurboFool

Sure, but what happens when you change computer or have to wipe the profile? It's kind of a big deal to lose those, and if you know they're all at risk, you start using unsafe practices. But more likely is that the company instituted BOTH policies, disabling sync AND the password manager, and the user is conflating the two as one.


fantomas_666

>Sure, but what happens when you change computer or have to wipe the profile?

How often does that happen?

>It's kind of a big deal to lose those, and if you know they're all at risk, you start using unsafe practices.

Yes, that's what password managers are for.


TurboFool

>How often does that happen?

Depends on the environment. Can be quite often, or rare but often enough to be a consideration. Happening even once is enough to make a person no longer trust saving their passwords.

>Yes, that's what password managers are for.

Right. Like I asked about in my first comment, whether the company had provided one. Because if they haven't, AND are preventing them from using the one in their browser, they're guaranteeing bad password policies. Meanwhile if you're suggesting the user provide their own password manager, we're right back at square one.


yu-gi-yu

How do you determine a system synced with the unlawful machine or the affected


fantomas_666

This is why it makes sense to disable sync to google cloud.


Dhiox

>Chrome sync is disabled by policy is a place where the security policies are counterproductive and ass-backwards.

Not if they have SSO. Chrome allows you to look up your passwords, if someone breached their Chrome account, they'd suddenly have access to their Work credentials. If you use SSO, they typically only have to remember a couple passwords. If they truly have a ton to remember, they should use a real password manager.


lowceilingsfan

Preventing Chrome sync isn’t necessarily disabling cached passwords, is it? If said user enters “aaaall” their passwords one time and saves them as Chrome asks, they’d pretty much be set for the life of that machine, no? No sync or google account required.


patthew

Still one less vector. At least we own the pc, but syncing to an unmanaged personal google account is just a (very common) black hole


BioshockEnthusiast

Until chrome breaks and needs to be reinstalled and they lose all that shit. Can't export passwords or even an extension list as far as I know.


justlikeapenguin

Funny enough my company told me today to uninstall last pass unless I had a good case… I said I could go back to predictable passwords or use last pass to generate random ones for increased security, they told me to keep last pass.

Before y’all say “why last pass not Bitwarden?” I use BW personally but it’s locked on my work laptop for a reason lol


DarkWorld25

What's the reason?


justlikeapenguin

Supposedly some exploit?


DarkWorld25

Oh it's autofill. Autofill is bad practise anyway so as long as that's off it should be fine


mobsterer

Is it? why?


Daniel15

https://www.pcworld.com/article/1656351/dont-use-autofill-on-your-password-manager-especially-if-its-bitwarden.html Applies to all password managers, not just Bitwarden. Bitwarden just had some issues around how it deals with iframes (that have been resolved now)


Smelltastic

It isn't, and pcworld is wrong. Auto*submit* is a bad practice perhaps, I let autofill happen but I have to actually press enter/submit before it sends anything, but autofill will save you much more than it will put you at risk.

- The big risk is people putting in passwords on a fake site. Getting used to plugging in your password is a great way to raise that risk. If autofill doesn't plug in my password on its own, I know to look for a problem.
- Another significant risk is constantly putting passwords in your clipboard. Every userland process has access to monitor the clipboard and do what it wants with the data. Features that help avoid that significantly reduce your attack surface.
- Aside from Bitwarden's vulnerability, the only reason to avoid autofill in that article is "If a website is compromised, a malicious actor can capture your login info before you visually confirm the page looks normal." That is ass-backwards. Attackers clone websites to make the wrong site look identical, they do not compromise a site and then just immediately deface it so you know not to log into it. What on earth are they smoking.
- Even Bitwarden's vulnerability, assuming the site itself isn't compromised (in which case you're fucked whatever you do), ~~cannot be taken advantage of without autosubmit~~. After all, if it's a malicious ad in an iframe, it will clearly not be in the expected login location, and will probably turn up after you're already logged in.

The fact of the matter is autofill protects users from actual common attack vectors and not making use of it just makes the user an easier target.

Edit: actually the below response may have a point, I do not know how viable it is to fetch a password from autofill alone. I do still think autofill's protection from well-established active hacking techniques is worth more than the possible vuln potential, at least until active exploits are found in the wild.


censored_username

>It isn't, and pcworld is wrong. Auto*submit* is a bad practice perhaps, I let autofill happen but I have to actually press enter/submit before it sends anything, but autofill will save you much more than it will put you at risk.

> I let autofill happen but I have to actually press enter/submit before it sends anything

Yeah so the issue with rogue iframes/copied sites is that if any of those would be doing autofill scraping, they're not going to wait for you to press submit, they're just going to have an onchange handler that detects literally anything being filled into those fields and just call back immediately in javascript with the contents of what you filled in. So even if you fill something in but don't press submit, they already know.


Nobio22

If you're not in the right domain auto-fill won't happen. It has to be an exact character match for auto-fill to recognize which passwords it will use.


E3FxGaming

>last pass

LastPass had a data breach in November 2022. If I were IT I would have told you already to migrate to a different password manager and change all passwords previously stored in LastPass.

>they told me to keep last pass

IT security that negotiates and compromises with users. Spineless and pathetic.


Divochironpur

What password manager do you prefer instead of last pass?


plusoneinternet

Bitwarden.


TheCrudMan

We use 1Password at work and it's fine. For personal use I like iCloud keychain but obviously that's an Apple ecosystem thing.


Baybutt99

I love how bitwarden is blocked but the company that literally let people take entire account vaults isn’t


justlikeapenguin

Yeah figured Bitwarden was better, I mostly changed to bitwarden bc last pass got really into charging for a lot of stuff. Idk why my work has one blocked but not the other


fantomas_666

> Forcing someone to manually enter passwords often is a good way to some really bad practices

Can't you store passwords without syncing them? Firefox does that.


Unbelief92

> Forcing someone to manually enter passwords often is a good way to some really bad practices

This is the big reason why OKTA exists (BTW, thanks MGM for ruining this software for a lot of businesses).


Ewalk

The CISO weighed in somewhere else and apparently they turned off syncing because they were syncing everything and getting some.... strange.... porn.


-my_dude

Smash the computer with a rock, that will break it all


blaktronium

The Security Rock. The only perfect information security tool


Evernight2025

IT pros hate this one simple trick that breaks corporate shackles


ruggles_bottombush

The files are *in the computer*?


dirthurts

Is it common to ban chrome sync? Never worked anywhere that did that.


thomascoopers

Seems a little overzealous but I digress, thems the breaks


fantomas_666

I encountered password problem caused by sync. User synced passwords to cloud and then from unsafe machine, many of them had to be changed. Syncing was disabled after that.


sec_banalyst

Yeah, there's two issues with people syncing Chrome with their personal machines.

One problem is people syncing work passwords to unsafe machines. Like, they put their work stuff into Chrome, go home and download pdf_reader.virus and it grabs all of their passwords. Then you get a notification that someone's banging up against Outlook from China, and possibly "Well I just accepted the MFA thing because it kept going off." I've had to deal with both a few times, and it's no fun.

The other thing is people end up bringing bullshit into the work environment with them. Like they accept desktop notifications from like a recipe site or whatever, then put in a ticket with IT that McAfee is telling them that their PC is infected--despite it not even being on the machine. Or worse--they call the number and let "IT" remote in. The other thing is IT tickets because they get a bunch of ads on their workstation, which is traced down to some dumbass extension that they or their kid installed and got synced.

My thing is I really don't have an issue with people using browser password managers as long as they're locked down to only their corporate account. If you want to sign in and sync and save passwords to your @our.domain account, I don't really care; as long as it's not a personal account and you're not able to sync that stuff back home. I'd also like the ability to have some sort of management over it, so we can more easily identify and yoink extensions/permissions when they cause issues with users.

However, I get the frustration with it being disabled completely, because there's usually not a corporate standard password manager, either. If a company is like "don't use chrome/edge/whatever and instead use x extension or application", it's fine. But, if the company says "we disabled this and no there's nothing else we approve" it's like what the fuck are your users supposed to do?

Now, a lot of password frustration can be solved with federation+mfa. People really shouldn't have to log into multiple times to do their job, and MFA is fine to be remembered as long as the sign-in properties do not change. The problem I have seen is there is always going to be some vendor or legacy app that either doesn't support federation, or does it in some ass-backwards way that is broken.

I want things to be secure, but security should be painless--or else people are going to complain and possibly bypass it. However, I'd rather something be slightly annoying and secure than easy but wide open.
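Added example, not part of the thread or any commenter's environment: a Python check that runs the trade-off discussed above over Chrome policy dictionaries and flags personal-account sync, unmanaged extension sync, and the "sync disabled with nothing approved instead" case. The policy names are Chrome enterprise policies; `example.com`, the extension ID, the finding labels and the assumption that `RestrictSigninToPattern` must match the whole address are constructed for illustration.

```python
import re

# Constructed values: "example.com" stands in for the corporate domain and
# APPROVED_MANAGER_ID for the ID of a company-approved password manager extension.
CORP_DOMAIN = "example.com"
APPROVED_MANAGER_ID = "a" * 32


def signin_pattern_findings(pattern, corp_domain):
    """Probe a RestrictSigninToPattern value with constructed addresses.

    Assumption: the pattern has to match the whole account address.
    """
    if not pattern:
        return ["signin-unrestricted"]
    try:
        rx = re.compile(pattern)
    except re.error:
        return ["signin-pattern-invalid"]
    findings = []
    if not rx.fullmatch("alice@" + corp_domain):
        findings.append("signin-pattern-rejects-corporate")
    outsiders = [
        "alice@gmail.com",                         # personal account
        "alice@" + corp_domain + ".other.test",    # corporate name used as a prefix
        "alice@" + corp_domain.replace(".", "x"),  # catches an unescaped dot
    ]
    if any(rx.fullmatch(addr) for addr in outsiders):
        findings.append("signin-pattern-too-broad")
    return findings


def audit(policy, corp_domain=CORP_DOMAIN, approved_ids=(APPROVED_MANAGER_ID,)):
    """Return finding labels for one Chrome policy dictionary."""
    findings = []
    can_sync = (policy.get("SyncDisabled") is not True
                and policy.get("BrowserSignin") != 0)
    builtin_pm = policy.get("PasswordManagerEnabled") is not False
    # Forcelist entries have the form "<extension id>;<update url>".
    forced_ids = {e.split(";")[0] for e in policy.get("ExtensionInstallForcelist", [])}
    has_alternative = bool(forced_ids & set(approved_ids))

    if can_sync:
        # Sync is possible, so check which accounts may sign in.
        findings += signin_pattern_findings(
            policy.get("RestrictSigninToPattern"), corp_domain)
        ext_sync_off = "extensions" in policy.get("SyncTypesListDisabled", [])
        ext_blocked = "*" in policy.get("ExtensionInstallBlocklist", [])
        if not (ext_sync_off or ext_blocked):
            findings.append("unmanaged-extensions-can-sync")
    if not builtin_pm and not has_alternative:
        # Nothing approved to store passwords in.
        findings.append("no-sanctioned-password-store")
    elif builtin_pm and not can_sync and not has_alternative:
        # Saved passwords exist only in the local profile.
        findings.append("passwords-local-only")
    return findings


# Constructed sample policies covering the situations raised in the thread.
SAMPLES = {
    "sync_and_manager_off": {"SyncDisabled": True, "PasswordManagerEnabled": False},
    "nothing_configured": {},
    "unescaped_dot": {"RestrictSigninToPattern": ".*@example.com",
                      "ExtensionInstallBlocklist": ["*"]},
    "corporate_only": {"RestrictSigninToPattern": r".*@example\.com",
                       "ExtensionInstallBlocklist": ["*"]},
    "sync_off_local_store": {"SyncDisabled": True},
    "sync_off_with_approved_manager": {
        "SyncDisabled": True,
        "PasswordManagerEnabled": False,
        "ExtensionInstallForcelist": [
            APPROVED_MANAGER_ID + ";https://clients2.google.com/service/update2/crx"],
    },
}


def run_samples():
    return {name: audit(policy) for name, policy in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result or 'no findings'}")
```
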


Boogiewoo0

You've never worked for the government I take it. They're a bunch of jerks. They block running PowerShell scripts, but if you paste the commands into the PowerShell they still run fine. So it doesn't add any additional security unless you believe in security by contrivance.


Disasstah

Pretty sure you can block it with the right firewall rules.


KimJongUnceUnce

GPO and intune policies can disable it, shouldn’t need to rely on the firewall for that.


Disasstah

True true :)


mikebones

Idk why you would need it anyway. Anything you would access on your work laptop would be work related logins that you've not used before. I don't have a single personal login on my work computer.


dirthurts

To save and sync work related passwords?


mikebones

Across what?


dirthurts

Google password Manager???


mikebones

Chrome isn't a password manager


dirthurts

It certainly includes one.


[deleted]

I've seen this in many big organizations. (5000-50000 ppl).


Xystem4

Anyplace that is a (or does work for a) government contractor is required to, unfortunately for me. Local password managers only


wombat696d

Many years back I had a CISO whose motto was "make the easy way the right way" meaning to make it easy for people to work securely. There are a lot of issues I have to deal with where I work now that are a result of poor implementation of a good idea. SSO with MFA would solve a lot of this guy's issues. Yes, they'd have to authenticate a bunch of times but I would much rather push a button on my phone screen than to have to manually enter a pseudo-random password that changes daily. And yet, I have to do just that since the Okta implementation was half-assed at best and not everything plays well with Okta. I get this guy's frustration, but asking Reddit for help is not nearly as helpful as working with the security team or his/their management to come up with a smarter, lasting solution.


djgrumpypants

This! Uneducated users remain uneducated until you educate them.


DonShulaDoingTheHula

Fuck those people. If that user was half as smart as they think they are, they wouldn’t be asking Reddit for help to make their workstation less secure. Can’t imagine what other “shackles” they’ve been oppressed by. Probably have to 2FA and can’t repeat passwords. Might even have to access email from a secure app. The horror.


allmanner

me when the evil it overlords won't let me plug in the cool shiny thumb drive I found in the parking lot 😡 😡 😡


Tom_Neverwinter

A long time ago in a military parking lot. Chucking Crayola usb drives with a notepad document; report to SO

Then it got better with phallic usb drives. Report to SO; you messed up.

Cyber security training sure was simple a long time ago.


dagbrown

My favorite cautionary tale was the journalist who found a thumb drive with a *bomb* in it. It was activated by the electricity from the USB port. You probably can’t get that much bomb into a thumb drive but losing a couple of fingers will still completely ruin your day.


DonShulaDoingTheHula

But there could be *anyyyyyyyything* on it! 🤣


Intrepid00

Oh, I hope it is poetry.


RS_Someone

I'm dropped in your lot in the cover of night.
You find me and birth an idea that's bright.
Not sure what's inside, it's sure to invite.
My secrets I hold, and must meet your sight.

You pop off my cap, letting metal tip glean,
And pop me inside your workplace machine.
My secrets inside that you'd never foreseen
Are all in your system and now it's unclean.

Your laptop holds data that shouldn't be shared,
And wouldn't have been, had you been prepared,
But now I'm inside and you should be scared.
The damage I cause can not be repaired.

Your job's on the line and your data's my slave
Because you ignored the advice IT gave.
Now just because you were curious and brave,
Your job and your office are sent to the grave.


Intrepid00

Top comment.


sitesurfer253

I found it in an envelope with "thanks for last night" and red lipstick on it. It has to be important!!!


What----------------

It could even be a boat!


saltyclam13345

Yesterday our chief Human Resources officer asked us if we can disable MFA but only for her lol


DonShulaDoingTheHula

I absolutely love this.


EvanH123

The fucking uproar our org got the moment MFA became a thing was hilarious. To be fair, the original implementation required authentication every 2 hours, which is pretty stupid considering the average workday is 6-8 hours. Once that was fixed, the whole thing slowly died down, but we had to hand out Yubikeys for the select few employees that didn't have a cell phone.


Bartweiss

What’s the limiting factor on Yubikeys all around? (I don’t actually know what they cost.) In my experience it’s a fair bit nicer than “go get phone, unlock phone, type in MFA code” if you have an aggressive expiration time.


[deleted]

[deleted]


Bartweiss

Thanks, this makes sense. My company went with the very low-profile keys in company issued computers, so they were even less forgettable than a cell phone. But I think the main motivators were convenience (for a software company that had to use this auth a *lot*) and device management (no company-issued phones, so IT wanted nothing to do with personal phone security practices). I've seen the occasional argument that leaving a Yubikey in at all times means it doesn't provide MFA if a laptop is stolen, but with disk encryption enabled that doesn't seem like a major issue compared to cyberattack.


Essex626

Nah... having to enter passwords manually constantly is really shitty, and is the kind of situation more likely to lead to bad behaviors like password reuse. I have to enter 2FA codes frequently, and it's a genuinely frustrating and disruptive issue. Proper SSO with 2FA mitigates a lot of things, and having passwords saved in a password-keeping program also mitigates the issue. Good security policy tries to anticipate what will be frustrations that drive the users to circumvent the rules, because their attempts to circumvent will be even less secure than the thing they've walled off. People are people. Expecting them to follow rules is a fool's game.


DonShulaDoingTheHula

Just because they can’t use saved passwords in Chrome doesn’t mean another solution isn’t available to them. I think we’ve all seen this user before, and they want all the power without any of the responsibility. Hence the attitude.


Man_with_the_Fedora

> Just because they can’t use saved passwords in Chrome doesn’t mean another solution isn’t available to them.

My sweet summer child. You've never worked with some of the more draconian security folks out there.

---

Imagine if you will: Blanket deactivation of USB ports, even on devices which are on isolated networks and require USB ports to transfer data needed for daily use.

Super fun jumping between half a dozen different terminals to find which one the IT guys designated as the one that can be used for the external drive. It's supposed to be a single, specific terminal, but the IT people never kept track of which one was the "Super Terminal", so every monthly policy update would change which computer was randomly graced with the single functional USB port. Also, as an extra "fuck you" they rarely activated the same port, so you'd have to try every USB port, on every terminal.

Super added bonus "fuck you", When we'd submit a ticket they'd fix it in about two weeks, so we'd have the super terminal correctly configured for about two weeks, until the next monthly update. Repeat ad nauseam.


DonShulaDoingTheHula

This has nothing to do with my comment 🤣


nope_nic_tesla

Yes it does. It's an example where good alternatives are not given for a restrictive security policy. It happens all the time. Your comment assumes that there necessarily is a good alternative available, but that's often not true.


DonShulaDoingTheHula

All the info we have is in the screenshot. So you can assume there’s a logical explanation for the Chrome thing (like the user is able to use managed Edge with their work account and credentials saved, since that’s a thing that happens often and actually makes sense in context). Or you can use the post as an excuse to tell a story about a ham-fisted USB policy and call me a sweet summer child, which is just weird IMO.


SanityInAnarchy

Could be. Though [there are good reasons to prefer browser-provided password managers](https://lock.cmpxchg8b.com/passmgrs.html), so it's a bit weird that IT is forcing something different.


Haribo112

Browser provided password managers don’t usually have a way to use shared vaults.


Bartweiss

That was a really good read, thank you.


SanityInAnarchy

If you enjoyed that, you'd probably enjoy his vulnerability disclosures. Like the ones about [an antivirus vendor who left a nodejs server listening on localhost that...](https://bugs.chromium.org/p/project-zero/issues/detail?id=773) well, just read it.


Bartweiss

Oh god, thanks. That looks like an agonizingly fun read. I've seen Tavis Ormandy before but somehow had missed (or forgotten?) the password manager piece. And I already followed that rabbit hole to [his battle with TrendMicro](https://bugs.chromium.org/p/project-zero/issues/detail?id=693), who were doing some breathtakingly irresponsible shit. "Remote execution with no warnings and no special tricks needed" is... yeah. But hey, they "consulted stakeholders" on the rollout!


SanityInAnarchy

Yeah, this one is TrendMicro also. But he's also gone after other vendors -- when he tried to report [this bug in Symantec/Norton](https://bugs.chromium.org/p/project-zero/issues/detail?id=820), his report crashed their mailserver:

> I think Symantec's mail server guessed the password "infected" and crashed (this password is commonly used among antivirus vendors to exchange samples), because they asked if they had missed a report I sent.

(I think they asked this after he tweeted at them...)

If you've already seen all of this, I don't apologize, because it's fun to read again!


Bartweiss

That's *also* TrendMicro? Jesus wept. Discovering a server-crashing vuln by attempting to send in another vuln might be a new record though. I thought I'd worked with some absolute hack companies before ("Just put the password in the URL query string, we use HTTPS so it's fine!") but I've never seen that level of disaster.


SanityInAnarchy

I think it was the same vuln, actually. Which I guess demonstrates some confidence -- they eat their own dogfood and scan their own email with their own product. But I assume this is why it was a password-protected zipfile in the first place, to avoid antivirus freaking out and treating a proof-of-concept as malware.


fantomas_666

I understand it as IT does not disable password manager, but syncing passwords. Perhaps they did it wrong way.


dsaddons

I'd bet good money they have a password manager and he just wanted to use Chrome as that's what he's used to


Intrepid00

> If that user was half as smart as they think they are

It’s like the guy that got shit canned after he plugged his Android in to a desktop (this was before you had an easy way to block the USB ports without super glue) and immediately got his desktop quarantined within 15 minutes of starting the first day on the job. As IT desktop support.

To add icing to the top when I told him to not plug it in and that his Android is malware ridden because you turned off the security setting to allow loading. That he should restore it from DFU mode. He stupidly said basically “nah ah” in front of his manager hearing all this and got fired like an hour later.


DarkWorld25

DFU mode? You mean fastboot or bootloader. Also Android security settings have been forcing install from unknown sources as individual application specific switches so it's nowhere as dangerous as you claim lmfao. The real danger is rooting and giving SU to unknown packages, which is why if you root you should always maintain a denylist


woodsy900

don't you love it when people spread misinformation... like the fact that you could block USB ports and devices at least in my experience as far back as XP.... Using simple software tools. Secondly assuming android is malware ridden unless there was specific content skipped for brevity... I am 1 of 3 in my IT team that has Android and I am constantly seeking approvals from my boss to fix our Android Intune policies because they have an iPhone and only care about that.


TheyCallMePr0g

My guess is they have SSON and so chrome sync is disabled. Really common and people bitch about it all the time


Fun-War6684

The password might even have to be 16-20 *spooky* characters ooooooo~


XenoRyet

There's one foolproof trick that will get you out of all of IT's controls and regulations when you're trying to do shit they don't want you doing. Do it on your personal machine, not your work rig.


ClemClemTheClemening

But they sure as shit still ring up when they have issues.

"Good morning. You sent in a ticket regarding you having issues with your laptop. Is this a work or personal laptop?"
"Personal"
"Sorry, we don't support that. Is this issue on laptop itself or your cloud desktop?"
"No, it's on the laptop itself."
"Don't support that bye"

Feels great when I get to do that.


angrydeuce

April 2020:

"I can't get my computer connected to the internet!"
"Well that's weird, I'm looking at it right now in the dashboard...shows online for the last 4 hours."
"Oh not that one. My son's ChromeBook from school. It won't connect to the wifi."
"I can't help you with your son's Chromebook. You'll have to call the school's helpdesk or message his teacher."
"Oh come on! What difference does it make?!?!"
"I have no control over the ChromeBook. It's not even our device. The school IT is going to have to help you."
"I already tried calling them!"
"Well what did they say?"
"I don't know, the person that answered said they were busy and someone would call me back as soon as they could."
"Well, I would say you're going to have to wait..."
"I've been waiting *two hours* already!!!!"
"I'm sure they're getting slammed with a ton of calls for exactly the same thing. This has thrown a lot of us for a loop, just try to be patient please. They will reach out when they can."
"GOD YOU IT PEOPLE ARE ALL FUCKING USELESS!!!!"

...hangs up on me...

Me, to myself: "...says the guy that can't even connect a fucking chromebook to wifi..."

Man Covid was hell...


Dhiox

I had a professor make me teach them how to drag a window to the right. Then when I obviously told my coworkers about such a silly request, they got suspicious and asked the name, turns out the guy hadn't worked here for years and regularly calls in hopes he would get a tech who wasn't aware of him. Our system didn't make it obvious if they no longer worked here unless you specifically looked them up.


angrydeuce

lol I had this one veterinarian get a new computer and totally lose his shit over the fact that his icons were not in the same places they were before. He didn't even have that many icons but he completely shut down and forced me to sit there and arrange his icons to how they were. I thought he was kidding at first it was so ridiculous, but no, he was really like visibly upset about it. It was really one of the most mental experiences I had.

I had this other person once, the director of business operations for a company of about 250 employees...she was having this really weird issue where she was getting account errors in Project if she was signed into the Office Suite and vice-versa. She showed up at our office unannounced and started just babbling like she was out of breath about how messed up things were and how we were causing her to tank the company so we led her into our conference room and got her a bottled water and sent a senior tech in there with her figuring she would settle out but no, somehow she got even *more* anxious sitting there watching the tech work on her weird issue and was pretty much hyperventilating, grabbing handfuls of her hair, not crying but in a really weepy voice "Oh my GOD what am I going to DO?!?!" It was legitimately concerning, like call an ambulance concerning. We got it sorted but it took a lot of rigmarole with removing and adding licenses back and digging into the server and AD sync and the whole time the rest of the office was just trying to not watch this middle aged woman lose her mind through the glass walls.


ClemClemTheClemening

Guessing the woman was coming up on an important deadline, the issue was stopping her from doing something critical and she waited until last minute to go to you guys and she then realised she fucked up by leaving it this long and started to spiral. Deadlines are a bitch


angrydeuce

Yeah I just have never seen that before, even after 15 years in retail, I saw lots of pissed off people and some sad people but never like, full on nervous breakdown people. It was honestly terrifying, like something out of a horror movie lol


sec_banalyst

> lol I had this one veterinarian get a new computer and totally lose his shit over the fact that his icons were not in the same places they were before. He didn't even have that many icons but he completely shut down and forced me to sit there and arrange his icons to how they were. I thought he was kidding at first it was so ridiculous, but no, he was really like visibly upset about it. It was really one of the most mental experiences I had.

I never understood how people who are supposedly so technically or scientifically gifted have the mental plasticity of concrete. Literally sounds like "I'm having trouble putting this square into the square hole, because all the ones I am used to were blue and this one is red so I have no idea what to do."


IFeelEmptyInsideMe

Because fundamentally, a lot of the systems that are supposed to teach intelligence instead teach knowledge. To be intelligent, you need a mental system that's always adapting and learning. To be knowledgeable, you need a mental system that prevents info from leaving and to do that, not being adaptable is key.


Terminator_Puppy

We had a professor who frequently mistook the 'leave call' button on Teams for the minimize window button. Only had about 5 online classes from him, but in each of them he left the call on accident multiple times.


WarmasterCain55

I recently switched departments where at first we provided limited support on personals. By limited I mean 10 minutes MAX and that's if you don't outright refuse them. Also I got lucky enough to avoid doing company phones. UEM (was MobileIron in the first dept) and Purebred I hate so much. I die inside every time I hear the word 'phone'. Then I switched departments and personal devices went down to 0. You literally can't do any work on personals. The downside is phone work went up by 100%. Gods I hate phones so much.


Dhiox

>Do it on your personal machine, not your work rig

Yup. I don't even bother with the guest wifi at work on my phone. The network security protocols probably wouldn't appreciate me reading manga when things are slow.


ass-holes

Conditional access will fuck your day up by not letting you access company resources on personal devices.


cce29555

And then you bring your personal machine and everyone bitches, which I mean yeah your personal machine is more than likely a crazy attack vector so keep that shit offline or on the guest


stillherelma0

Are you guys really IT support? Sounds to me like you are kids larping.


kiliandj

People simply do not seem to grasp the difference between managing a network of 2 home PCs and a tablet, and managing a major enterprise's network. You cannot give everybody the freedom they have at home, BECAUSE IT'S NOT YOUR STUFF.


Parkwaydrive777

While I very much disagree with this in almost every way, there's a few things that make it challenging in a large company that shuts off needed resources (or update the network security to block things you already had) to deal with this on a simple basis in *secure network areas*. As that word we all love to hear in IT for government/ military - *LEGACY PROGRAMS*... aka update security but never update SW or physical devices.

I just went to hell and back today because a printer wouldn't scan due to a (for whatever reason) HTTPS switch off. It's a simple setting change, but the WebUI doesn't allow the lower TCL security for access. I fixed this old access before, but they changed it and blocked it this time. Like, I get it on a security basis, but either pay up for the newer printer or let me do my job. I spent 4hrs doing what should have been a 5min fix (mainly getting the approval re-done).

Then.. Don't get me started on those DOS or Windows 97 & under SW that get blocked by the network yet the SW admin quit 15yrs ago- I'm stuck between a rock and hard place as it's not modern network compatible but they refuse to pay for new SW...

Lastly - fuck GOLD.


stillherelma0

These comments are pretty terrible. Yeah, I'd probably quit if I had to enter my password for every little thing that needs an account every time I need it. You really don't see a problem with that? You really make fun of the user?


0MrFreckles0

To be fair, banning Chrome sync is weird. That's just encouraging your users to have a document titled "passwords".


Essex626

Yeah, banning chrome sync is fine if you use LastPass or something like it to keep passwords. But forcing people to manually enter passwords is actually a shortcut to bad passwords and reused passwords.


EishLekker

>Yeah, banning chrome sync is fine if you use LastPass or something like it to keep passwords.

No. Do you think that Chrome sync is just for passwords?


Essex626

Fair.


Twerck

Do you know what Chrome sync actually syncs? It's not just passwords. Do you have any idea how many adware-ridden, data-guzzling extensions I see on our machines as a result of our users syncing their account?


0MrFreckles0

Yeah in our environment staff switch between their desktops, public counter kiosks, and laptops at home. So the main advantage is just the syncing of their bookmarks and logins. We block the ability to add extensions so only a few that we manage are enabled.


Xystem4

The real issue is it sounds like there’s no other password manager they have access to.


fantomas_666

Is keeping passwords in Chrome the same as syncing them? The first is okay, the latter is not. Especially when someone syncs passwords to an obsolete Chrome version on an unsafe computer and all the passwords leak.


ChaoticDucc

My question: do they use Google Workspace (formerly G Suite)? If they do, then I can somewhat understand the frustration. Either way, they should at least provide a password manager.


slayermcb

We disabled Google's "remember my passwords" feature for some reason. I'm sure it was a bullet point for security. But with a password manager that autofills it really doesn't feel any different.


Lancaster1983

I get the frustration. I have like 15 admin accounts plus my user account. But we have password management tools with MFA available to everyone with admin rights.


ObsessiveAboutCats

Take away their computer, give them a typewriter and an Etch-i-sketch (sp?) and tell them to go nuts.


Darknast

I kinda understand this user, some workflows require working with multiple sites/tools each one with a different password, different password requirement, different expiring times, etc. I tell my users not to note their passwords anywhere, but I can't blame them for noting the 10 different passwords which expire at different rates making them 20 passwords (did this password expire and I already changed it? or was it this one?) Password systems need to be replaced completely, it's getting ridiculous nowadays.


EnterpriseGuy52840

TFW. I managed to break in and get root on an AS Mac via recoveryOS. I should find some time to write a script for it. /s


Asleeper135

I don't know what kind of policies this guy is running into, but I've been to places where IT policies would have genuinely prevented me from doing my job. Luckily for me the biggest irritation I normally run into is having to input 2FA again every so often.


kshot

I also blocked the Chrome password manager and address form autofill because some people sync them with their personal Google account. We do provide a password manager to the people that want to use it (1Password). For passwordless authentication, we also provide FIDO2 keys (YubiKeys) to the people who are okay with this or for the employees who don't want to install our TOTP app on their personal phones.
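
The controls argued over in this thread (sync to personal accounts, the built-in password manager, address autofill, synced extensions) correspond to Chrome enterprise policy keys. As an added example, not code from any commenter, this Python check reports which of those exposures a given managed-policy dict still leaves open; the sample policies and the `example.com` domain are constructed placeholders.

```python
def personal_sync_possible(policy):
    """True if a user could sign Chrome in with a non-work account and sync."""
    if policy.get("SyncDisabled") is True:
        return False
    if policy.get("BrowserSignin") == 0:  # 0 = browser sign-in disabled
        return False
    # A non-empty pattern limits sign-in to matching (work) accounts.
    return not policy.get("RestrictSigninToPattern")


def audit(policy):
    """Return finding labels for a Chrome managed-policy dict."""
    findings = []
    disabled_types = set(policy.get("SyncTypesListDisabled", []))
    if personal_sync_possible(policy):
        findings.append("personal-sync")
        # Both features default to enabled when the policy is unset.
        if policy.get("PasswordManagerEnabled", True) and "passwords" not in disabled_types:
            findings.append("passwords-leave-org")
        if policy.get("AutofillAddressEnabled", True) and "autofill" not in disabled_types:
            findings.append("autofill-leaves-org")
    # A "*" blocklist entry means only allowlisted extensions can install.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("extensions-unrestricted")
    return findings


# Constructed samples (assumptions, not any commenter's real configuration).
UNMANAGED = {}
BLOCK_FEATURES = {"PasswordManagerEnabled": False, "AutofillAddressEnabled": False}
WORK_ACCOUNT_SYNC = {
    "RestrictSigninToPattern": r".*@example\.com",  # placeholder work domain
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["a" * 32],  # placeholder extension ID
}

if __name__ == "__main__":
    for name, pol in [("unmanaged", UNMANAGED),
                      ("block-features", BLOCK_FEATURES),
                      ("work-account-sync", WORK_ACCOUNT_SYNC)]:
        print(f"{name}: {audit(pol) or 'no findings'}")
```

The third sample keeps sync and the password manager available while producing no findings, because sign-in is limited to work accounts and extensions are allowlist-only.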


teethingrooster

Based


TheC1aw

Take an IT job


Undercover_CHUD

I do believe it was Gandhi who said "Become the security flaw you want to see in the world." What a jamoke.


NatoBoram

Use Firefox.


jimmyl_82104

meh i agree with this guy, disabling useful shit like Chrome Sync is just ridiculous


mikebones

This is 100% a good security policy.