THWACK Monthly Mission - October 2019

Free account?  Are you talking about mission shortcut?

From yesterday's and today's hint (Product Blog: Introducing Solarwinds Idnetity Monitor), you will find a link to sign up for free.

knucklebusted​, the information has been obtained on from the web from public sources and private hacking databases. Solarwinds is not making any previously private data available. They are letting us know about personal data that is no longer private. You can sign-up for the free account in the hint announcing SIM, and check it out. When I did, I added my personal e-mail account. I needed to login to my personal e-mail and verify my ownership of the account before it displayed the information in SIM. This means that you can not put someone else's e-mail address in there to get their passwords (unless they unwittingly verify the verification e-mail for you, LOL).

Some of the same info is on haveibeepwned.com -- but not as much info, and not as good a representation of the information.

Regards.

As someone with chronic hypertension that gets exacerbated by work stress (amongst other things), it may not be in your best interests to effectively skew your results... Nothing wrong with the doctors knowing what's representative.

Password reuse is the mirror problem of password reset policies that require users to create long, complicated passwords on multiple unconnected systems with different password creation rules, and which have to be significantly changed every X weeks or months, and therefore inevitably end up on Post-it notes on the user's desk.  It has become impossible to remember all the passwords I need to do my job, and that doesn't include the myriad passwords I have for my personal accounts.

I know there are software packages that promise to remember them for you, but then what happens if one of them is compromised?  Every account you have is out there in one fell swoop.

On the other hand they usually double what you tell them anyway.  I was once asked how many units of alcohol I drank per week.  I told the truth and the doc nearly fell of her chair.  I didn't think it was that much but she had assumed I was lying and doubled it.  If I really did drink that much I'd probably fall off MY chair.

I did exactly the same thing - and got a red X as well!

I can't deny your logic, Simeon.  You're making good sense to me, too.  I make a specific point of noting the lower BP readings when I'm at annual checkups, and report why I suspect they're better when I've not improved my diet or added more exercise to my week.  The doctors/nurses aren't making their decisions in a vacuum--at least not in my case.

Historically they have been less likely to record my blood pressure when it's high at the beginning of the appointment due to my rushing to get there on time.  They actually suggest arriving early so a person isn't stressed by the simple act of getting to the appointment on time.  Which is what I've been doing, and enjoying the better results.

When the reading is high at an exam they read it a second time later in the exam.  If it's still high they read it again at the end of the exam, giving a person more time to calm down.  They record the lower of the three readings.  Thu they avoid artificially high readings caused by short-term travel stress.

Ideally they'd also find a way to measure BP randomly during the day when I'm at my cube/desk working on network projects & challenges.  And then also when I'm in meetings, or discussing progress with my supervisor.  And taking information from all of those settings and making decisions about what my actual real-time and long-term BP is, for better diagnostics.

While we're at it, it probably would be interesting to also generate unobtrusive and random BP monitoring while a person is driving, stuck in traffic, interacting with spouse or children or parents or siblings or in-laws.  And also taking readings during the holiday season.  And during exercise and after sitting in a cube staring at screens for a few hours.

I don't know how that could happen today, but I've read Futurists predicting that people will have two-way wifi-like communication equipment (micro-chips) installed inside their bodies within the next fifteen years.  The assumption is we'd be able to think "Call Fred's brain" or "call the police" or "Receive Fred's brain call to my brain" and then we'd be able to carry on a two-way conversation.  I sort of doubt that.  Folks also dream/hope  that they'd be able to watch videos inside their own heads anywhere they have wireless reception.  I rather hope that's not a possibility ever.

But such an implant MIGHT be able to send medical information anytime, anywhere, including BP. 

I bet we'd all be amazed at the results.

It seems the answer to your question focuses on restricted access to a password manager.  For example, my organization provides password management apps to all of us, but requires us to store them in the network instead of on PC's or laptops or smartphones.  Access to my own, or my team's, password database is restricted by source address, AD account, and requires MFA.  All we need remember is one password and to have our cell phone; it gives us access to however many passwords / accounts we choose to store.

It's not as convenient as having only one password for everything (or using post-it notes), but it's reliable and highly available, and secure enough to pass PCI and HIPAA audits.

I watch videos inside my head now.  No wait, that's daydreaming.     

By now I should know to read the comments first. Got Q3 wrong.

Ya.. the correct answer box is my favorite...

I read the comments and still got Q3 wrong.

I agree with rschroeder​'s statement. And to add to this for those that are unaware, many of the password vaults that are web based can be used for free if intended for personal use. These services do all the work for you, even generating desired length and complexity of passwords so you don't have to come up with your own. When you update a password, it even throws it in your vault if you have the add-on enabled in chrome. Easy peazy.

I have over 100 password between work and personal. Without these vaults I would be lost. I do not have to have a password that is the same for any of them. 🙂

LastPass and Keeper Security are a few that work really well.

Having a hard time making out what the screenshots show in today's hint. The resolution is very low.

Same.  I'm waiting for some discussion on this one.....or more coffee.

Agreed, hints are hopelessly out of focus even on a 27" monitor and enlarged.

That's a relief.  I thought my eyesight had finally gone.

I work for a company that employs a lot of folks who are not computer savvy.  They know enough to do their job and not much else, nor do they WANT to know much else.  We recently implemented a password policy that looks something like this:

1. Minimum password length: 16 characters

2. No more than three (3) repeating characters

3. Must contain 3 of the following:

    A. Upper-case Letters

    B. Lower-case Letters

    C. Base-10 Numbers (0-9)

    D. Special characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

4. Password age: 6 months

There are a few other quirks but you get the gist.  So, how do folks who don't like computers to begin with deal with said policy?  well, there's nothing that says that you can't use simple phrases (and spaces, for that matter), so you get things like:

Idontlikemondays2019

or

1967Chevycamarosrule!

Again, you get the picture.  And yes, Joe, in the field, I see sticky notes, labels, all sort of things with passwords on them.

To dovetail onto the password manager discussion, I've been using PasswdSafe for almost 20 years now and it's been amazing.  I still have things in there from the early 21st century (that reminds me, probably should clean it out one of these decades!) but it's easy to use, can make suggestions for strong ciphers and you can set it to follow your organization's password security policy.  The one that the company has available is LastPass, and I've seen that a lot lately.  have not tried it but I hear it's decent.  I'm just old and set and my ways, that's all.. 😄

We use LastPass in the IT department as somewhere that isn't an Excel spreadsheet to store the multitude of passwords for the thousands of systems and devices we look after.  It's OK for that and is accessible externally with 2FA authentication which is useful if we are off site and need to retrieve a password.  It also generates really complex passwords which are useful for service accounts.  We are looking to move away from this and implement a Privilaged Access Management solution.  We are currently evaluating.  CyberArk and Thycotic are leading contenders at present.  We are also implementing Okta Single Sign On for the users.  They just have to remember one password, Okta does the rest.  If they are in any of our sites worldwide they just sign on as normal.  Off site they get 2FA as part of the sign on.  Stressful times.

Actually, in today's (10/14) case, I found that the verb(atim)iage on the hint page is sufficient for answering the question.  Did not even look at the screenshots.

The only issue I had was whether they were looking for the "All of the above" answer.  Always get a bit nervous when that appears.

Thanks!  I always want to look at screenshots since I've been burned in the past.

I know that this is going to be 74 or later, but it just goes to show that you never know from whence inspiration will come...

It's time once again ladies and gentlemens, boys and girls, Damen und Herren, Mister and Misses America and all the ships at sea, for another...

EARWORM ALERT!

Now, you're probably saying to yourself "Alex, have you lost your bloody mind?  What could the number '73' possibly have to do with music?"  Ah, listen to the great words of The Blues Image on this very esoteric ditty from the '70s:

The Blues Image - Ride Captain Ride - YouTube

Happy Birthday to me! Don't overthink it.

Here's to hoping I win this week's prize hehehe

Q6 14th Oct

That was nerve wrecking. Is it? Isn't it? This one? or That one? or was it All of them?

I see now that chayden18 said "Don't over-think it". Ooops - too late.

This is great feedback, thanks ebradford​. Similarly found some of my credentials floating around there, in plaintext...

My thoughts exactly!

oh yea I am sending this to all the people named Dave that I know. 

Congrats jdawger765​ - learning makes this valuable, winning makes it fun!

When I worked in Vermont there was a series of radio commercials with the ending tag line of "Don't be a Dave." The Dave in the office never heard the end of it. I just sent the image to the team leader up there to show in their next meeting.

Just a heads-up for Week 2 Q.9 - read the hint answers carefully to match up with the correct answers in the question. It would be easy to scan the alphabetical list and miss an answer.

I nearly did, but double-check saved the day.

Oh that is Cheating!

Writting SQL Server Audit on the question and Microsoft SQL Server Audit on the page

Oh no fair!

Should have read the comments before i answered, big red X for me today

Fell for it, I hate these damn trick questions.

I should have read the comments first.  I rushed it and got a big red X.

Got me as well...

They got me today too.  These "gotcha" questions are so annoying because they're based on technicalities that have no value whatsoever.  I learned nothing about the SW tools and features in the question, only that I need to pay closer attention to get the thwack points.  Woe is me. 

I concur with the above comments. It is almost cheating to give an alphabetical list and then have the question worded differently. I don't like missing an answer on a technicality.

Yeah that was just cheap, I get that we should have read a little better. But that's unfortunate overall.

wow. got the curve when expecting the fastball.

So, is MS SQL more specific than generic SQL for the context of the question. My gut says SQL is NOT MS SQL in the same way that all rectangles are not necessarily squares.

Filthy stuff.

Same, I want a reset. The question says SQL but they only added MS SQL. I'm sure that connector doesn't work with MySQL, PostgreSQL, etc

Note to self: read the comments first, and SQL starts with an M.

Today's question seemed so easy.  Nope!

Wow, glad I read these blog comments! Thanks!!!

Normally I agree with the mistakes I get, and think the questions aren't a problem.  But todays is just wrong.

SQL Server Audit is not the same as Microsoft SQL Server Audit.

SQL Server Audit means it could be used on any system that supports SQL of different flavors.  PostgreSQL, SQLite, MySQL and Microsoft SQL server.  Just to mention a few.