this post was submitted on 07 Sep 2023
305 points (97.8% liked)

Tales from Tech Support

933 readers
1 users here now

founded 1 year ago
MODERATORS
 
all 32 comments
sorted by: hot top controversial new old
[–] [email protected] 117 points 1 year ago (1 children)

Got it,

Username: eauditor

Password: I emailed you

[–] [email protected] 55 points 1 year ago (1 children)

Weird. It's just showing up as ******** for me

[–] [email protected] 39 points 1 year ago (1 children)
[–] surewhynotlem 15 points 1 year ago

Oh Internet. You never change.

[–] hark 46 points 1 year ago (2 children)

The skill of removing as much ambiguity as possible is valuable. This includes ambiguity derived from loopy brain. Prepare to still be amazed by wild interpretations, but minimize what you can. One tip is to reduce message complexity and clearly separate concepts (in this case, the greeting and the actual instructions).

[–] vladmech 29 points 1 year ago (2 children)

I get that, and I've had a reminder of an old failing at explicit communication to end users on my desk for 5+ years to help keep me grounded, but come on... In what interpretation other than Yoda giving instructions would an English as their first language user think 'hey hey!' was the username I was providing? It's out of frame, but the previous three sets of IMs I've sent this user started with hey hey! hey hey! and hello hello! so it's not like this was even a one off weird greeting for them (I should probably mix it up a bit more but what can you do)

[–] hark 20 points 1 year ago (2 children)

That's another useful tip: never underestimate user stupidity.

[–] [email protected] 12 points 1 year ago

I had to screen share with a user yesterday because he couldn't find the print button on the print dialogue.

It was right there. When I remoted onto his computer his cursor was about four pixels away from it. It even said "Print".

No idea how he managed to mess that up.

[–] vladmech 4 points 1 year ago

Haha that’s very true, yeah

[–] Someology 10 points 1 year ago

It is almost as if OP was expecting their customer to have attended elementary school or something.

[–] _bug0ut 36 points 1 year ago* (last edited 1 year ago) (1 children)

An auditor with this level of scrutiny and attention to detail? Say it ain't so.

[–] vladmech 17 points 1 year ago (1 children)

Sadly this was an internal coworker who requested the auditor’s access…

[–] _bug0ut 4 points 1 year ago

Oof, i can relate to that.

What's really sad here, though, is that it was so easy and effortless to assume it was the auditor himself lmao

[–] SpaceNoodle 15 points 1 year ago (2 children)

Ah yes, email, the most secure channel possible

[–] vladmech 16 points 1 year ago (1 children)

Super fair, but it’s at least across two channels for a 3 day login with very limited permissions, not something I’m worried about in this situation.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (3 children)

Actually it is not. 1:1 and group chats in Teams are stored in each participants mailbox. Ignore this if you're using exchange server or other onprem or cloud solution for email than exchange online :^)

https://learn.microsoft.com/en-us/purview/ediscovery-teams-workflow#where-teams-content-is-stored

Also both are stored in clear text due to compliance reasons.

While SMS is rather insecure protocol, it's still generally the best way of delivering a new password to users as long as the username is delivered in a different way. This is mainly because it's one of the only methods generally available that is completely separate from your other communication methods besides calling (but try delivering password via call haha)

Also the SMS should not contain any context to which system it is meant for, this info should be delivered together with the username. It's sometimes rather easy to guess a username (such as first.lastname or shortened) but gets harder when you need to guess the system as well.

Of course even better way would be to not deliver password at all and let the user reset their passed themselves if there's a system in place for it. SSPR if you're in m365. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

Edit: not sorry for rant these are very interesting topics I love to talk about.

Edit2: formatting + more rant about sms

[–] [email protected] 2 points 1 year ago (1 children)

I've heard of SSBL; Single Sign on Before Log on, but I've never heard of SSPR what's that one do?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Self-Service Password Reset. You can use MFA to verify your identity to reset a password and those MFA methods can be predefined by admins.

So you can allow user to reset their initial passwords using SMS OTP and some another factor such as location (approved public IP ranges at offices for example)

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

I have to admit I have not implemented or even seen SSPR configured for initial password before, but this talk actually made me want investigate it further. Lab project for the weekend!

[–] [email protected] 1 points 1 year ago

Ok, but could you imagine trying to get this user to get a password from SMS? They'd probably get a text from their friend at the same time and not understand.

"I tried every variation of 'miss you ttys' for the password, but nothing is working!"

(Hopefully obvious it's just joking)

[–] SpaceNoodle 1 points 1 year ago

That was a very educational rant, thank you!

[–] Delta_44 4 points 1 year ago

Microsoft Teams 😂

[–] [email protected] 10 points 1 year ago (1 children)

Every day, I grow more convinced that the average person should never be anywhere near a computer.

[–] [email protected] 4 points 1 year ago

I am in the middle of a CRM migration and I feel like I'm having the "emails are IN the computer?!?!" conversation every hour

[–] LowtierComputer 4 points 1 year ago

You work with Yoda?

[–] vvvvv 3 points 1 year ago* (last edited 1 year ago)

Users following instructions:

[–] IrrerPolterer 3 points 1 year ago

The fuck, you emailed a password oO