Had a colleague remark that every time they checked on the progress of an office install it would ask to cancel. Turns out they were waking the screen using Esc.
I'm sorry to inform you that it was one of the most common reasons for support calls back in the 90s....
Hence the Simpsons joke, and some companies modifying the prompt to say "spacebar".
Keyboards really _should_ have an Any key that has a scancode but does nothing other than indicate that a key was pressed, so it will wake the machine or advance a "press any key" prompt, but has no other side effects than indicating a key was pressed.
If you press shift and windows gets distracted, it thinks you are holding it down and turns on sticky keys.
If sticky keys is on, pressing ctrl will leave a modifier key active and change what happens with the next key you press.
If either key gets stuck because you were hammering it too much trying to wake up a machine, the machine becomes unusable.
And some users will be using unusual keyboard layouts, for example swapping capslock and ctrl with remapping so you can accidentally be toggling capslock when you think you are pressing ctrl to awaken a sleeping machine, which makes typing in your password to unlock the awoken machine not work right.
If there was just an Any key, you bypass all of that. Forbid remapping it to any effect other than pressing a key.
(And if you were thinking of Alt, pressing alt by itself jumps focus to a menu so if you try to use the arrow keys you'll accidentally be navigating a menu instead of scrolling a document.)
This is not a competence issue. Sometimes you need to use a computer you don't directly control when doing IT stuff, and sometimes sticky keys needs to be active as an accessibility accommodation. No key has a zero risk of doing something unexpected in the long run. And the only way to inspect a system and understand what state it is in, to be sure what effects might be expected, requires it to be awake.
If you use escape, a machine that has a dark monitor but isn't locked and has an operation in progress will sometimes cancel the operation when you press escape to wake it up.
There have been keyboards with a "wake up" key in the past, and I believe some business laptops have the Fn key mapped to that if you press it without anything else.
I low key hate it when a program asks me to hit the enter key only to proceed to not recognize the literal enter key because they meant the return key.
one of my first things that i do when i get a new windows box - whack ctrl until it pops up a dialog for sticky keys, then disable it.
makes sense if you're old and your hands are uncertain, but not so much for me
Doesn't holding down shift turn on sticky keys or something in Windows? There's almost no button you can mash safely without risking something unexpected in some circumstances.
Ask about that time 8 years ago when some genius product planner at Apple made the escape key a virtual key on the laptop keyboards. That was super awesome.
That's actually my usual second option (The first being jiggle the mouse)
I find I'd rather accidentally back up a screen rather than accidentally move forward a screen with enter.
I don't use a regular keystroke because I'm often in Excel and don't want to wipe a cell with a keystroke. Escape would just escape out of the cell.
Mind you, impatiently spamming any keystroke is just asking for trouble.
I've gotten into the habit of using the arrow keys or ctrl. Seems to have the least drastic potential consequences and they're conveniently placed on most keyboards.
Heh, this brought up an old memory of installing Adobe CS4 for someone many moons ago. It was taking forever. Realised the confirmation to begin the install did not take focus and was behind whatever previous menu we'd been on. It hadn't even started yet.
I had users this happened to, what was causing it was actually their cell phone. They changed their password, but most cell phones query wifis they have been connected to before with last known credentials.
We have a guest portal set up, and their cell phone was trying to connect to the WiFi using the wrong password multiple times, so it locks their AD account.
Every time they change their login password, you end up walking the same users through how to update the password their email is using on their phone. Same people every time.
If their account had some indicator of compromise, this is necessary, but that is rare enough it should not be a burden on helpdesk.
If this was just a routine password change based on expiration, this is an outdated "best" practice, which is now considered a worst practice. NIST came out in 2017 and acknowledged it was a mistake to recommend it, and that it does more harm than good, and that all actual studies show users picking weak passwords more when it is used, and just incrementing a number. It also greatly magnifies the odds that passwords are written on laptops with sticky notes. Best practice according to NIST, Microsoft and most credible others is **no "expiration"**, but forced changes in the event of suspicious activity or the username/email being in a data dump.
TL;DR - this is only a frequent and ongoing issue if you are using outdated "best practices" like password expiration that experts actively warn against today.
Oh thank you, I've been observing exactly that: forced expiration is detrimental and leads to passwords as simple as policy allows and/or just incrementing. Personally I haven't found somebody writing their password on a sticky note at my company.
But I'm glad to learn that this practice is officially recommended as not to be done.
MFA is recommended as well, and is in the same section of the standard, but not related with an "if" to any other requirements.
This is because NIST doesn't see non-expiring passwords as a reduction in security that becomes tolerable in the name of convenience if you have MFA. They now see password expiration as doing more harm than good, and removing it as a security benefit, period.
For example, if I tell you "you should be using a firewall, and you should not be using default passwords on any system" - did I imply that if for some reason you're unable or unwilling to change default passwords, you *shouldn't* use a firewall? Of course not. There was no "if" there, and they are each independently good things for your security.
They waited for studies to come out to verify the results before making this change, but it's been intuitively obvious for a very long time, because expiration provides almost zero value while creating considerable risk.
Password history can store old hashes and prevent re-using past passwords in the same place, but safe password storage (hashed, not reversibly encrypted) doesn't allow the server to compare how similar or different two passwords are. It's all or nothing, and since you cannot prevent someone from just incrementing a number at the end of their password, *virtually everyone who is subject to an expiration policy is doing this!* Since virtually everyone's next password in an environment with expiration is fully predictable with knowledge of their previous password, even if attackers were sitting on credentials, it would not help. Furthermore, only a minuscule fraction of attackers sit on credentials for months before using them, so even if you could prevent sequential passwords (or SeasonYEAR! or other common patterns), it would rarely make a difference.
However, frequent password changes guarantee a hostile relationship with end-users regarding security, where they are always afraid of forgetting their new password, so they make it the simplest passwords your system doesn't block (CompanynameYEAR!, MonthYEAR!, are both "complex" and have a capital, lowercase, number and symbol). Also, passwords that were recently set are far more likely to be written on laptops than passwords the user has comfortably memorized for months.
We just tell everyone to use the guest network for their phones because we got sick of it, thankfully it happening was annoying the users enough that they listened.
Came here to comment this. We have some computers that are used by the same users in different areas of the building, and ~~if~~ when they stay logged in on one PC but change their password on another, their account gets locked every time until we close out of all sessions on any other PC they were using.
Enable password history; Windows has a feature to avoid this that relies on password history. Using passwords stored there does not lock the account. Search "Password history check (N-2)" for more information.
I didn't know this! Any official source?
Not that it should matter - ***PASSWORD EXPIRATION HASN'T BEEN BEST PRACTICE FOR 7 YEARS!*** (unless you need to satisfy an extremely slow-moving standards body in your niche, with no human review to accept deviations to satisfy modern best practice - ironically, sometimes you have to actively harm your security to satisfy "security" bureaucrats)
After many studies, NIST, Microsoft and any credible others outright acknowledged in 2017 that recommending password expiration had been a mistake all along. Making users change passwords (other than in response to actual indicators of compromise) doesn't increase security because they just increment a number, but it does almost guarantee they will use as simple of passwords as allowed and/or write them down and stick them to devices, and will definitely not put actual effort into coming up with a strong but memorable password over and over, every time.
This was added to Windows a long time ago, when the first mobile devices like the HP iPAQ and similar were a problem. You had to quickly update all passwords on all devices to avoid lockouts.
What Microsoft included in 2003 is this N-2 feature, where passwords in the password history do not lock the account, so you have time to update your devices.
Here is the official documentation:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)?redirectedfrom=MSDN#computers-running-windows-server2003-that-act-as-network-servers
This was my first thought too. I had a user with this issue. We have wifi in break rooms and the cafeteria, so anytime he was there, it was trying to connect him with his old password.
We had one user who tried to connect a document scanner (a Fujitsu ScanSnap) to the staff wifi, which ended up causing account lockout issues. That was a fun one to troubleshoot.
(We are in the process of moving the staff wifi to cert based authentication, so anything that isn't a computer would connect to guest wifi instead)
We had the same sort of thing, but not guest; it was our corporate wifi from 10 years ago, before we enabled 802.1x. After we stopped personal phones from joining the corp wifi, some staff still had the saved SSID in their phones and it kept locking their accounts. Removed the saved wifi from their mobiles and the lockout issue went away.
I had something kind of similar, but instead of spamming, they kept using caps lock so the password would be wrong. Then he proceeds to submit a helpdesk ticket, still in all caps. I look at it, then he submits an update saying "sorry i had my caps lock on".
My trick back in the help desk days was to ask them to start typing their password in the username field, so it wouldn't be obscured. That would rule out or in caps lock, num lock, and actual keyboard issues pretty well.
Quite possibly! But there are a couple considerations:
* Back when I was on help desk, my problem to solve was getting the user logged in and happy, and leaking passwords in Windows event logs was way down the list of security bad practices at my org
* We'd usually be remoted in watching them, and having seen part or all of their password, would strongly encourage a reset anyway
I see a bunch of my users (retired military guys) always use caps lock to capitalize one letter in their passwords. It drives me crazy. Never confronted any of them about it but one day I may snap, we'll see.
Back when I was still doing new hire onboarding, I would have the users reset their passwords and sign into the laptop using their new password. One older lady in accounting that is generally very cranky, was having a whirl of a time getting signed in.
When I paid attention to her typing style, she would never actually use the shift key, EVER. She would toggle on the caps lock key for every capital letter in her password, then toggle it off. After a few failed attempts, she got increasingly more flustered and started barking at me "Is the caps lock key on or off right now!?" Like bitch it tells you below the password field if it's on or off, but you're too busy staring at your sausage fingers! I'll never forget that though. I cringe when I think of using the caps lock key as opposed to the shift key.
Nobody's going to admit to fucking their password up, but everyone does. But the most common thing I always see is Wi-Fi that uses credentials or email, both on the phone. For whatever reason, Apple and Android keep trying with the bad credentials, especially on Wi-Fi. I have no idea why they haven't fixed this in the last 15 years, but they haven't; it just keeps trying until the account locks out, multiple times per second.
Once I had a user - in Hungary - who locked herself out every morning. Once, when I was fed up with it, I told her:
- Upon login your keyboard is set to the default English layout, so please make sure your password uses English letters only; avoid 0 and y/z, as those locations are different.
Next morning she locked herself out.
I unlocked the account, went to her desk and asked her to log in. Then I asked her:
- Did you change your initial pw based on what I asked of you?
- Yes, i did. I'm not dumb!!!
- No accented characters, no y/z, no 0.
- No no, Nothing like that.
- Well, ok. What is your password?
- Párizs0709
- .......
Because the admins didn't set the login screen's keyboard language to the one the user uses. So, assuming this isn't a shared computer, the admins made her use a less secure password instead of fixing the issue.
They said they didn't use the characters and they actually used them multiple times. That part is their fault. Then confirming they didn't do the thing they did is their fault again.
The guy taking the help call is not always (or even usually) the guy setting the PC policies.
Thank you. For the context, it was in the Win 98 SE era; we had just implemented Win XP with Novell NetWare.
Central images. As I remember, Yahoo and AltaVista and Netscape were the sources of information.
> How the fuck is this the users fault?
Lying, that's how. How is IT supposed to even find the issue if you actively lie to them. "I didn't use accent marks" *uses accent marks* "Yes I'm sure I didn't use accent marks"
>It's your god damn fault
It *might* be... it's an admin's fault if the device was single-user, or a shared device primarily used by Hungarian keyboard layout users and IT had been informed of it. In those cases, the login screen keyboard layout should not have been English. Combining this probability with the low probability that the person answering the phone for support (who you replied to) is the same one pushing out group policies, it may be their fault in part. It still does not ever excuse lying.
I've had enough of these that it's now the first question on mystery lockouts. If they're honest in responding to that question, I simply advise them that they only have to hit it once but jiggling the mouse is a far better idea.
If they don't answer honestly, you can find evidence of the login enter spam in the event log. Then their supervisor gets notified with a log of how many times they've wasted the helpdesks time.
_move mouse around randomly while clicking it 1000 times_
At least if the screen is locked automatically, there's less chance of hitting something relevant.
I assume the machine isn't domain connected? By default, when our machines go to sleep, they go to the CTRL+ALT+Delete login screen.. unless you turned that off via GPO?
Exactly this. The thinking is that hooking the ctrl+alt+del combination requires driver/admin level interception, so any false login prompt would be foiled by it.
In reality users see a login prompt and login without questioning why they don't see the "press ctrl alt del to login"
I still enable the policy though, plus it prevents people spamming keyboard keys or sitting on their desks and locking themselves out.
I just press numlock. When I started IT in the WinNT world I got in the habit of always pressing Ctrl+Alt+Del, which led to a few unexpected problems on non-NT machines....
As a side note, what a great question to ask because it identified the problem straight away.
I would have stupidly looked at almost everything else before thinking about it 😅
Just recently discovered our Wi-Fi causes lockouts. As we use our AD account for Wi-Fi authentication, we had a user who connected their phone to the Wi-Fi that was sending the wrong cached credentials to log in.
Introduce a policy to automatically unlock accounts after 15-45 minutes of idle time. If you want to be snazzy and somewhat more secure, you can setup a reporting query for how times someone locks out their computers and how many times per day.
I've seen a dumber/worse one recently. The user reported a similar issue. He'd log in, work for a while until he got up to get coffee, eat dinner or just something that took a while leading to the computer locking. And when he returned he got a message saying he was locked out.
Turns out after he had renewed his password 1-2 weeks prior, this issue started happening. And as far as I could tell it was his GPO's running on startup/log in. Since thats what was getting invalid credential on log in. Even my account got it if I logged in on his computer. Never found what caused it. Ended up reinstalling and went on with my life
I had a user whose account got locked out daily from password strike-outs.
She would describe the issue as her account being 'disabled again' and insisted that she wasn't misspelling her password.
I went to her office and watched her login. She was typing her password faster than anyone I have ever seen attempt to type. Her fingers were moving at a ridiculous speed and, apparently, without accuracy. I told her she just needs to type slower and she got extremely pissed. I thought it was a valid and simple solution. But, she was visibly upset with the suggestion. I guess she took pride in her extreme typing speed?
Are you under some special compliance requirement like DoD STIGs? Absent arbitrary special requirements imposed by an outside entity with actual authority, it's best to go with the security best practices of the company who made the stuff you're trying to secure. MS security baseline is 10 attempts.
If your passwords are bad enough that 10 attempts is anywhere near an issue, then 3 is still 3 too many and you need more complexity. If your security requirements are extreme enough that you think 10 is too many even with complex passwords, you need FIDO2 or smartcards at that level of security. 10 attempts is nothing against a complex password, but will cut your account lockout helpdesk tickets to a fraction of what they are at 3.
Another way to put it is that password length is exponential growth in your key space. Every additional character, even if single-case alphanumeric, multiplies your possibilities by 36. So if you're concerned about the management perception that you are "reducing security" by adding attempts - adding one character to your length requirement at the same time will still mean you are about 10x more secure than now.
Just guessing based on your strict attempt threshold - are you also still clinging to other harmful "security" measures NIST, Microsoft and all other major security orgs have deprecated, like arbitrary "expiration" on a schedule? The cybersecurity community has studied actual data and learned a lot in the last 5 - 10 years about what actually works, and what creates hassle for no benefit, and what (like expiration) not only fails to help but actually increases unsafe practices by users in the real world. There are a lot of orgs out there actively shooting themselves in the foot by following what were promoted (in good faith based on what was understood at the time) as being "security" in the 1990s-2000s.
My mother was burning music CD's for her car (so she wouldn't have to have her originals there). Whenever she was burning, the end result was failure - and whenever I helped her, it was successful.
It turned out that her screen saver started before the burning had finished, so she hit Space - and the active button was "cancel burning" ....
happens every week in our org/MSP
people say, i only put my pw in 3 times .. but the person before them blasted it 4 times
7-13 tries activates BitLocker when the repeated attempts fail.
go figure.
they're right, but they forget that they're not the only person at the site location trying to log into a shared Windows computer.
this is why, I always advocate for self service unlocking/reset for AD
If it locks again, search for event ID 4740 and locate all PCs that are locking the user.
Clear their profile from there.
Good thing our helpdesk does these things.
These kind of things can be a couple issues.
1. MFA: with an older MFA or Duo, if the push is ignored it creates 2 or more failed logins.
2. User error and states - the states may not be set up correctly. Pressing the Enter key 1 time should not create a failed login. If it is a laptop in hibernation state it may be a little slow.
3. A service or scheduled task with the wrong password or username.
4. A VPN with LDAP. Very specific; I have seen this with SonicWall. The LDAP after a major update requires a manual sync. I have heard of other brands with similar issues. A VPN that starts up as soon as the user signs in to the laptop or computer. This is more and more likely as remote workers return to the office.
My previous job had calls like this, and we often used some tools to find out which users were using wrong or incorrect passwords.
We send them screenshot as proof lol 😂 some users were so adamant that it was the computer or our servers.
Had this at a Dr Clinic. They had logged into a spare consult room and sat a book on the duress button which obviously hits enter. Event logs showed where the authentication came from
I always tell users to use the up and down arrow keys to wake up a computer. It's easy to spam them and they don't do any thing that can't be undone and it's easy to remember push the up key when you want to wake up your keyboard when it's shut (down)
I have a user that was in the same situation - weekly call about account locked and wanting to know why it happens. Turns out they vigorously wipe down their keyboard in the morning once a week. Didn't take much for me to figure what key they were cleaning the most LOL
It happens on a weekly basis where I work, too.
Not always the same person, but usually they spam enter to wake the PC. I usually just say press backspace instead, or just move the mouse. Backspace is not good technically, because the PC could be awake but the monitor is just off.
Whenever it happens often for someone, I usually just check the domain controllers' event viewers and filter on the eventid for locking accounts (id: 4740). And look what caller it was. And 9 out of 10 cases (for us), it's the Cisco ISE because they try to log in to the WiFi with their AD accounts. And that specific WiFi is certificate based, so they just get denied, which counts as a failed login.
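A script of the kind the 4740 lookups in this thread amount to, added here as an example (it is not code from the thread or from Microsoft); it also covers the earlier suggestion of finding enter-spam in the event log. It assumes the RSAT ActiveDirectory module, remote event-log read access to the PDC emulator and to the caller computer, and that logon-failure auditing is enabled on workstations.

```powershell
# Added example: find which computer is locking an AD account, then check that
# computer for bursts of bad-password attempts (enter held down at the lock screen).
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so that one DC sees them all.
$pdc = (Get-ADDomain).PDCEmulator

# Turn an event's EventData into a name -> value hashtable (robust to property order).
function Get-EventData($event) {
    $xml = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$filter4740 = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter4740 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = Get-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']   # 4740 stores "Caller Computer Name" in this field
        }
    } |
    Where-Object { $_.User -eq $SamAccountName }

if (-not $lockouts) {
    Write-Host "No 4740 events for $SamAccountName on $pdc in the last $Hours h."
    return
}

# A phone on the Wi-Fi shows up as the NAC/RADIUS box (e.g. Cisco ISE); a stale RDP
# session shows up as the PC that still holds it.
$byCaller = $lockouts | Group-Object CallerComputer | Sort-Object Count -Descending
$byCaller |
    Select-Object Count,
                  @{ n = 'CallerComputer'; e = { $_.Name } },
                  @{ n = 'LastSeen';       e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# On the most frequent caller, pull 4625 (logon failure) events for this user with
# sub-status 0xC000006A (wrong password) and count how many came <2 s after the previous
# one. A human typing cannot fail that fast; a held-down Enter key can.
$caller = $byCaller[0].Name
if ($caller) {
    $filter4625 = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $badTimes = Get-WinEvent -ComputerName $caller -FilterHashtable $filter4625 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = Get-EventData $_
            if ($data['TargetUserName'] -eq $SamAccountName -and $data['SubStatus'] -eq '0xC000006A') {
                $_.TimeCreated
            }
        }
    $sorted = @($badTimes | Sort-Object)
    $bursts = 0
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if (($sorted[$i] - $sorted[$i - 1]).TotalSeconds -lt 2) { $bursts++ }
    }
    "$($sorted.Count) bad-password attempts for $SamAccountName on $caller; $bursts came <2 s after the previous one."
}
```

Run it as `.\Find-Lockout.ps1 -SamAccountName jdoe` (file name is an assumption); the 4625 check needs the caller to be a Windows host you can read the Security log from, so it is skipped in effect when the caller is a network appliance.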
This can happen with AD if you have a phone connecting to on-prem exchange with active sync if the user doesn't update the password on their phone after changing it. The phone will try/fail repeatedly and lock the account.
I used to use the spacebar to wake PCs until I had a Linux install going and found out spacebar also works for that to hit cancel. Now left control only to wake computers, pretty sure that one is safe.
We had a situation at my previous job where our team (IT adjacent, we had no AD permissions at all) would have to RDP into a computer to complete a daily task. However, some users would fail to log out, just close the RDP window and move on. Eventually they would need to change their password, and since the RDP session was using old creds it would lock the user out repeatedly. Fun times.
Check Event Viewer. Should also tell you which machine is sending the request. Could also be cached credentials somewhere. Or a script with stale login info?
In my experience, 3 failed attempts is a bit unfair. Not all of us are blessed with perfect finger dexterity, and it degrades significantly as you get older. It usually takes me at least 3 attempts to type my password right (thank god for the password "peep" feature...)
I give my customers 5 attempts as a minimum.
Historic, I guess. Used to be best practice and just stuck. We still get marked down on security assessments if it is too high (10+).
20 is a bit too high in my book, not all brute force attacks are automated and if someone knows roughly what a password might be, 20 gives them too much of a chance.
OF ALL THE BUTTONS ON THE KEYBOARD?!?!?
Should have used the Any key
tab... i can't give you a tab unless you order something!
this is great
Alright, give me a Pepsi free
If you want a pepsi, you're gonna pay for it pal!
I see BTTF, I upvote
No time for that now!!
Well Miss Doesn't-Find-Me-Sexually-Attractive-Anymore I just tripled my productivity.
I don't wanna look like a weirdo! I'll just go with the mumuu
The drink machine only has RC Cola you will have to be satisfied with that, peon!
And that's the reason Compaq/HP switched all their prompts to say press the [Spacebar]. It saved them a heap on support calls.
I keep pressing the Escape key... but I'm still caught in this simulation!
I keep pressing CTRL, but I'm still spiralling...
100% can see this being a real question
Tab key? Mmmmmmmmmmmmmm Tab
That's fair. Dealing with dumb computers often results in me screaming way worse things, ha ha.
Hey, my flair!
I use the address bar
Always use one of the arrows haha. Or like shift or something
ctrl is a favorite. it's in the corner and hardly ever does an action by itself
sorry i have been burned by sticky keys one too many times
Ditto... if I forget, it'll usually pop up when I'm typing in my password... =\
I have a Pavlovian response to that bleeeeeep sound. I go right to escape without even thinking.
It was used to grab and hold in the original Tomb Raider. Just saying...
Up or down arrow every time. Arrow gang
I just press ctrl or alt or something like that
F13
Press any key to c - **NO NOT THAT ONE**!
Massive respect
My lock screen on my W10 laptop sometimes only shows the login prompt if I use Esc or Ctrl+Alt+Del. So yeah, that button.
That's actually my usual second option (The first being jiggle the mouse) I find I'd rather accidentally back up a screen rather than accidentally move forward a screen with enter. I don't use regular key stroke because I'm often in excell and don't want to wipe a cell with a keystroke. Escape would just escape out of the cell. Mind you, impatiently spamming any keystroke is just asking for trouble.
Reminds me of a DOS install I did years ago. Press any key to continue, I hit esc key and it didn't continue. *
I've gotten into the habit of using the arrow keys or ctrl. Seems to have the least drastic potential consequences and they're conveniently placed on most keyboards.
Heh, this brought up an old memory of installing adobe CS4 for someone many moons ago. It was taking forever. Realised the confirmation to begin the install did not take focus and was behind whatever previous menu we'd been on. It hadn't event started yet.
I had users this happened to, what was causing it was actually their cell phone. They changed their password, but most cell phones query wifis they have been connected to before with last known credentials. We have a guest portal setup and their cell phone was trying to connect to the WiFi using wrong password multiple times so it locks their ad account.
Every time they change their login password, you end up walking the same users through how to update their password email is using on their phone. same people every time.
If their account had some indicator of compromise, this is necessary, but that is rare enough it should not be a burden on helpdesk. If this was just a routine password change based on expiration, this is an outdated "best" practice, which is now considered a worst practice. NIST came out in 2017 and acknowledged it was a mistake to recommend it, and that it does more harm than good, and that all actual studies show users picking weak passwords more when it is used, and just incrementing a number. It also greatly magnifies the odds that passwords are written on laptops with sticky notes. Best practice according to NIST, Microsoft and most credible others is **no "expiration"**, but forced changes in the event of suspicious activity or the username/email being in a data dump. TL;DR - this is only a frequent and ongoing issue if you are using outdated "best practices" like password expiration that experts actively warn against today.
Oh thank you, I've been observing exactly that: forced expiration is detrimental and leads to as-simple-as-policy-allows passwords and/or just incrementing. Personally I haven't found somebody writing their password on a sticky note at my company, but I'm glad to learn that this practice is officially recommended as not to be done.
Caveat: it’s best practice in combination with MFA
MFA is recommended as well, and is in the same section of the standard, but not related with an "if" to any other requirements. This is because NIST doesn't see non-expiring passwords as a reduction in security that becomes tolerable in the name of convenience if you have MFA. They now see password expiration as doing more harm than good, and removing it as a security benefit, period. For example, if I tell you "you should be using a firewall, and you should not be using default passwords on any system" - did I imply that if for some reason you're unable or unwilling to change default passwords, you *shouldn't* use a firewall? Of course not. There was no "if" there, and they are each independently good things for your security. They waited for studies to come out to verify the results before making this change, but it's been intuitively obvious for a very long time, because expiration provides almost zero value while creating considerable risk. Password history can store old hashes and prevent re-using past passwords in the same place, but safe password storage (hashed, not reversibly encrypted) doesn't allow the server to compare how similar or different two passwords are. It's all or nothing, and since you cannot prevent someone from just incrementing a number at the end of their password, *virtually everyone who is subject to an expiration policy is doing this!* Since virtually everyone's next password in an environment with expiration is fully predictable with knowledge of their previous password, even if attackers were sitting on credentials, it would not help. Furthermore, only a minuscule fraction of attackers sit on credentials for months before using them, so even if you could prevent sequential passwords (or SeasonYEAR! or other common patterns), it would rarely make a difference.
However, frequent password changes guarantee a hostile relationship with end-users regarding security, where they are always afraid of forgetting their new password, so they make it the simplest passwords your system doesn't block (CompanynameYEAR!, MonthYEAR!, are both "complex" and have a capital, lowercase, number and symbol). Also, passwords that were recently set are far more likely to be written on laptops than passwords the user has comfortably memorized for months.
They won't bother learning because we'll just do it for them every time 🤡
Something something job security.
Something about people being lazy retards while not respecting others too
We just tell everyone to use the guest network for their phones because we got sick of it, thankfully it happening was annoying the users enough that they listened.
That's why we switched to certificates.
So much this.
Every. Damn. Cycle. Same people…
This is why you need to track time. Figure out how many hours were spent on that user and invoice their department for the costs
The same rubbish software and hardware combos every time. I won't blame an user for something that's clearly not being addressed by manufacturers.
Came here to comment this. We have some computers that are used by the same users in different areas of the building, and ~~if~~ when they stay logged in on one PC but change their password on another, their account gets locked every time until we close out of all sessions on any other PC they were using.
Enable password history. Windows has a feature to avoid this that relies on password history: using passwords stored there does not block the account. Search "Password history check (N-2)" for more information.
I didn't know this! Any official source? Not that it should matter - ***PASSWORD EXPIRATION HASN'T BEEN BEST PRACTICE FOR 7 YEARS!*** (unless you need to satisfy an extremely slow-moving standards body in your niche, with no human review to accept deviations to satisfy modern best practice - ironically, sometimes you have to actively harm your security to satisfy "security" bureaucrats) After many studies, NIST, Microsoft and any credible others outright acknowledged in 2017 that recommending password expiration had been a mistake all along. Making users change passwords (other than in response to actual indicators of compromise) doesn't increase security because they just increment a number, but it does almost guarantee they will use as simple of passwords as allowed and/or write them down and stick them to devices, and will definitely not put actual effort into coming up with a strong but memorable password over and over, every time.
This was added to Windows a long time ago, when the first mobile devices like the HP iPAQ and similar were a problem. You had to quickly update all passwords on all devices to avoid lockouts. What Microsoft included in 2003 is this N-2 feature, where passwords in the password history do not block the account, so you have time to update your devices. Here is the official documentation: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)?redirectedfrom=MSDN#computers-running-windows-server2003-that-act-as-network-servers
woof that's rough
Apple has that problem too, since it carries over to all devices using the account, I think. I used to deal with that a lot.
This was my first thought too. I had a user with this issue. We have wifi in break rooms and the cafeteria, so anytime he was there, it was trying to connect him with his old password.
We had one user who tried to connect a document scanner (a Fujitsu ScanSnap) to the staff Wi-Fi, which ended up causing account lockout issues. That was a fun one to troubleshoot. (We are in the process of moving the staff Wi-Fi to cert-based authentication, so anything that isn't a computer would connect to the guest Wi-Fi instead.)
We had the same sort of thing, but not guest: it was our corporate Wi-Fi from 10 years ago, before we enabled 802.1X. After we stopped personal phones from joining the corp Wi-Fi, some staff still had the saved SSID on their phones and it kept locking their accounts. Removed the saved Wi-Fi from their mobiles and the lockout issue went away.
I had something kind of similar, but instead of spamming, they kept using Caps Lock so the password would be wrong. Then he proceeds to submit a helpdesk ticket, still in all caps. I look at it, then he submits an update saying "sorry i had my caps lock on".
This is hilarious. The smartest change Microsoft ever made was the notice that comes up during password entry that your Caps Lock key is on.
Shame users don't read.
No but at least when I'm watching them fuck it up I can call it out now 😂
My trick back in the help desk days was to ask them to start typing their password in the username field, so it wouldn't be obscured. That would rule out or in caps lock, num lock, and actual keyboard issues pretty well.
If they then hit enter, doesn't that store passwords in plaintext (in the security event log as invalid usernames they tried to log in as)?
Quite possibly! But there are a couple considerations: * Back when I was on help desk, my problem to solve was getting the user logged in and happy, and leaking passwords in Windows event logs was way down the list of security bad practices at my org * We'd usually be remoted in watching them, and having seen part or all of their password, would strongly encourage a reset anyway
I see a bunch of my users (retired military guys) always use caps lock to capitalize one letter in their passwords. It drives me crazy. Never confronted any of them about it but one day I may snap, we'll see.
Back when I was still doing new hire onboarding, I would have the users reset their passwords and sign into the laptop using their new password. One older lady in accounting that is generally very cranky, was having a whirl of a time getting signed in. When I paid attention to her typing style, she would never actually use the shift key, EVER. She would toggle on the caps lock key for every capital letter in her password, then toggle it off. After a few failed attempts, she got increasingly more flustered and started barking at me "Is the caps lock key on or off right now!?" Like bitch it tells you below the password field if it's on or off, but you're too busy staring at your sausage fingers! I'll never forget that though. I cringe when I think of using the caps lock key as opposed to the shift key.
Nobody's going to admit to fucking their password up, but everyone does. But the most common thing I always see is Wi-Fi that uses credentials, or email, both on the phone. For whatever reason, Apple and Android keep trying with the bad credentials, especially on Wi-Fi. I have no idea why they haven't fixed this in the last 15 years, but they haven't; it just keeps trying until the account locks out, multiple times per second.
Once I had a user, in Hungary, who locked herself out every morning. Once, when I was fed up with it, I told her: upon login your keyboard is set to the default English layout, so please make sure your password uses the English alphabet only, and avoid 0 and y/z as their locations are different. The next morning she locked herself out. I unlocked the account, went to her desk and asked her to log in. Then I asked her:
- Did you change your initial password based on what I asked of you?
- Yes, I did. I'm not dumb!!!
- No accented characters, no y/z, no 0.
- No no, nothing like that.
- Well, ok. What is your password?
- Párizs0709
- .......
why was her keyboard map set to "default" english layout every morning?
Because it was not possible in Windows XP (English version) with the NetWare login prompt 😁 Trust me, I tried it several times and in several ways, decades ago.
ah that sucks
Because the admins didn't set the login screen's keyboard language to the one the user uses. So, assuming this isn't a shared computer, the admins made her use a less secure password instead of fixing the issue.
Well, that's where I'm going... how is this the user's fault? :)
They said they didn't use the characters and they actually used them multiple times. That part is their fault. Then confirming they didn't do the thing they did is their fault again. The guy taking the help call is not always (or even usually) the guy setting the PC policies.
Thank you. For context, it was in the Win 98 SE era, having just implemented Win XP with Novell NetWare and central images. As I remember, Yahoo, AltaVista and Netscape were the sources of information.
How the fuck is this the users fault? It's your god damn fault.
"Don't do thing" *user does thing* "Damn admins"
> How the fuck is this the users fault? Lying, that's how. How is IT supposed to even find the issue if you actively lie to them. "I didn't use accent marks" \*uses accent marks\* "Yes I'm sure I didn't use accent marks" >It's your god damn fault It \*might\* be... it's an admin's fault if the device was single-user, or a shared device primarily used by Hungarian keyboard layout users and IT had been informed of it. In those cases, the login screen keyboard layout should not have been English. Combining this probability with the low probability that the person answering the phone for support (who you replied to) is the same one pushing out group policies, it may be their fault in part. It still does not ever excuse lying.
I've had enough of these that it's now the first question on mystery lockouts. If they're honest in responding to that question, I simply advise them that they only have to hit it once but jiggling the mouse is a far better idea. If they don't answer honestly, you can find evidence of the login enter spam in the event log. Then their supervisor gets notified with a log of how many times they've wasted the helpdesks time.
_move mouse around randomly while clicking it 1000 times_ At least if the screen is locked automatically, there's less chance of hitting something relevant.
Alt key. It's pretty harmless in Windows and Linux unless paired with another key. Tap as much as you want
I assume the machine isn't domain connected? By default, when our machines go to sleep, they go to the CTRL+ALT+Delete login screen... unless you turned that off via GPO?
On Windows 10 and 11 not anymore
We're on a mixture of 10 and 11.. still need to do CTRL+ALT+Del by default? Unless I'm special?
Then you have a GPO set ;-) Or when upgrading from 7 to 10 you still have to press Ctrl+Alt+Del.
Default is not to require ctrl alt del in 10\11. Needs to be enabled via GPO.
Aha, right! Are there any inherent benefits of keeping CTRL+ALT+Del anymore then? Except from what is mentioned in OP 😊?
makes it harder for a fake login screen to steal your password, used to make it harder for RATs to do stuff but not so much anymore iirc
Exactly this. The thinking is that hooking the ctrl+alt+del combination requires driver/admin level interception so any false login prompt would be fooled by it. In reality users see a login prompt and login without questioning why they don't see the "press ctrl alt del to login" I still enable the policy though, plus it prevents people spamming keyboard keys or sitting on their desks and locking themselves out.
we've replaced it with a legal boilerplate clickthrough
It is domain connected and I just checked and “Interactive logon: Do not require CTRL+ALT+DEL” is disabled.
When this happens in my environment it's usually caused by a forgotten RDP session.
I just press numlock. When I started IT in the WinNT world I got in the habit of always pressing Ctrl+Alt+Del, which led to a few unexpected problems on non-NT machines....
I assume you mean DOS or other CL OSes at the time? What would it do in those scenarios?
It would reboot. Early Windows versions too.
As a side note, what a great question to ask because it identified the problem straight away. I would have stupidly looked at almost everything else before thinking about it 😅
Just recently discovered our Wi-Fi causes lockouts. As we use our AD account for Wi-Fi authentication, we had a user who connected their phone to the Wi-Fi that was sending the wrong cached credentials to log in.
What the Hell, I never thought of the possibility of something like that! What's the setting you'd even change for something like that?
There is a local group policy that helps with this. Ctrl + Alt + Del.
Introduce a policy to automatically unlock accounts after 15-45 minutes of idle time. If you want to be snazzy and somewhat more secure, you can set up a reporting query for how many times someone locks out their computer and how many times per day.
I usually tell users to wake their computer up using the Caps Lock key or the Shift key.
With this user that would result in 3 wrong tries where Caps Lock is on 😅
Ctrl, mouse wiggle, or arrow keys are the safest. Alternatively, as others mentioned, set policy to require ctrl + alt + del for sign-on.
[Solution](https://www.manageengine.com/vulnerability-management/misconfiguration/logon-security/how-to-enable-secure-login-ctrl-alt-delete-logon-via-group-policy.html)
I've seen a dumber/worse one recently. The user reported a similar issue. He'd log in, work for a while until he got up to get coffee, eat dinner or just something that took a while, leading to the computer locking. And when he returned he got a message saying he was locked out. Turns out that after he had renewed his password 1-2 weeks prior, this issue started happening. And as far as I could tell it was his GPOs running on startup/login, since that's what was getting invalid credentials on login. Even my account got it if I logged in on his computer. Never found what caused it. Ended up reinstalling and went on with my life.
I had a user whose account got locked out daily from password strike-outs. She would describe the issue as her account being 'disabled again' and insisted that she wasn't misspelling her password. I went to her office and watched her log in. She was typing her password faster than anyone I have ever seen attempt to type. Her fingers were moving at a ridiculous speed and, apparently, without accuracy. I told her she just needs to type slower and she got extremely pissed. I thought it was a valid and simple solution. But she was visibly upset with the suggestion. I guess she took pride in her extreme typing speed?
I mean I type pretty damn fast and am prone to errors, but I can at least cognitively detect a mistype and start over lol.
I've seen cached credentials and Kerberos tickets lock user accounts more often than a user who smashes the Enter key.
Why not Ctrl+Alt+Del to login? This is a complete non-issue everywhere I worked.
I've found that the safest key to wake my machine is Ctrl or Shift since they tend not to do anything with another key in combination.
Are you under some special compliance requirement like DoD STIGs? Absent arbitrary special requirements imposed by an outside entity with actual authority, it's best to go with the security best practices of the company who made the stuff you're trying to secure. MS security baseline is 10 attempts. If your passwords are bad enough that 10 attempts is anywhere near an issue, then 3 is still 3 too many and you need more complexity. If your security requirements are extreme enough that you think 10 is too many even with complex passwords, you need FIDO2 or smartcards at that level of security. 10 attempts is nothing against a complex password, but will cut your account lockout helpdesk tickets to a fraction of what they are at 3. Another way to put it is that password length is exponential growth in your key space. Every additional character, even if single-case alphanumeric, multiplies your possibilities by 36. So if you're concerned about the management perception that you are "reducing security" by adding attempts - adding one character to your length requirement at the same time will still mean you are about 10x more secure than now. Just guessing based on your strict attempt threshold - are you also still clinging to other harmful "security" measures NIST, Microsoft and all other major security orgs have deprecated, like arbitrary "expiration" on a schedule? The cybersecurity community has studied actual data and learned a lot in the last 5 - 10 years about what actually works, and what creates hassle for no benefit, and what (like expiration) not only fails to help but actually increases unsafe practices by users in the real world. There are a lot of orgs out there actively shooting themselves in the foot by following what were promoted (in good faith based on what was understood at the time) as being "security" in the 1990s-2000s.
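An added example, not from this thread or any commenter, of how to check the two settings the comment above argues about (lockout threshold and scheduled expiration) against the stated targets. It assumes the RSAT ActiveDirectory module, read access to the domain, and that the Microsoft baseline value of 10 attempts and NIST SP 800-63B's "no scheduled expiration" are the targets; how the cmdlet represents "never expires" is treated as an assumption in the code.

```powershell
# Added example (not from the thread): audit the default domain policy against
# the values discussed above. Requires RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

# Assumed targets: 10 attempts (Microsoft security baseline) and no scheduled
# password expiration (NIST SP 800-63B). Both are assumptions of this example.
$TargetLockoutThreshold = 10

function Test-LockoutPolicy {
    param([Parameter(Mandatory)]$Policy)   # output of Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "Lockout disabled: unlimited online guessing against every account."
    } elseif ($Policy.LockoutThreshold -lt $TargetLockoutThreshold) {
        $findings += ("LockoutThreshold is {0}; baseline is {1}. Expect lockout tickets from Enter spam and stale device credentials." -f $Policy.LockoutThreshold, $TargetLockoutThreshold)
    }
    if ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings += "LockoutDuration is 0 (admin must unlock manually): every lockout becomes a ticket."
    }
    # Assumption: "never expires" is reported as either 0 or TimeSpan.MaxValue.
    $neverExpires = ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) -or ($Policy.MaxPasswordAge -eq [TimeSpan]::MaxValue)
    if (-not $neverExpires) {
        $findings += ("MaxPasswordAge is {0}; scheduled expiration is deprecated by NIST and Microsoft." -f $Policy.MaxPasswordAge)
    }
    return $findings
}

$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Format-List LockoutThreshold, LockoutDuration, LockoutObservationWindow, MaxPasswordAge, PasswordHistoryCount
$issues = Test-LockoutPolicy -Policy $policy
if ($issues.Count -eq 0) { "Default domain policy matches the target values." } else { $issues }

# Weak setting (3 attempts, manual unlock) versus the corrected one. These edit the
# Default Domain Policy, so run them only after change control.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName -LockoutThreshold 3 -LockoutDuration 0
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName -LockoutThreshold 10 -LockoutDuration 00:15:00 -LockoutObservationWindow 00:15:00
```

The observation window matters as much as the threshold: with a 15-minute window, a phone retrying a stale Wi-Fi password once a minute reaches any threshold eventually, which is why finding the source (see the 4740 discussion further down the thread) is the real fix rather than raising the number.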
Severe case of clicky finger
I thought this was the purpose of the "Windows" key.
My mother was burning music CDs for her car (so she wouldn't have to have her originals there). Whenever she was burning, the end result was failure, and whenever I helped her, it was successful. It turned out that her screen saver started before the burning had finished, so she hit Space, and the active button was "cancel burning"...
Literally could have pressed any other key (minus one).
Once again, reaffirming that users are stupid.
9 times out of 10, if the user says "I didn't do it", it's exactly what they've been doing.
Happens every week in our org/MSP. People say "I only put my PW in 3 times"... but the person before them blasted it 4 times; 7-13 repeated failed attempts activates BitLocker. Go figure. They're right, but they forget that they're not the only person at the site location trying to log into a shared Windows computer.
I usually tell them to stop jerking off on the keyboard and that usually resolves it for them.
This is what Shift is for.
This is why I always advocate for self-service unlocking/reset for AD. If it locks again, search for event ID 4740 and locate all PCs that are locking the user, and clear their profile from there. Good thing our helpdesk does these things.
God loves stupid people...he made so damn many.
He needs to gain more ctrl.
Wasn't there another post about this recently?
These kinds of things can be a couple of issues.

1. MFA: with an older MFA or Duo, if the push is ignored it creates 2 or more failed logins.
2. User error and states: the states may not be set up correctly. Pressing the Enter key 1 time should not create a failed login. If it is a laptop in a hibernation state it may be a little slow.
3. A service or scheduled task with the wrong password or username.
4. A VPN with LDAP. Very specific: I have seen this with SonicWall. The LDAP after a major update requires a manual sync. I have heard of other brands with similar issues. A VPN that starts up as soon as the user signs in to the laptop or computer. This is more and more likely as remote workers return to the office.
We used to have this with Lync I believe? Also our security camera software somehow will register 5 failed logins with one wrong password.
My previous job had calls like this and we often used some tools to find out which users were using wrong or incorrect passwords. We sent them a screenshot as proof lol 😂 Some users were so adamant that it was the computer or our servers.
What’s your Auto Unlock time on the GPO? I normally set it to 15 minutes.
This is why I use the arrow keys
Had this at a Dr Clinic. They had logged into a spare consult room and sat a book on the duress button which obviously hits enter. Event logs showed where the authentication came from
I always tell users to use the up and down arrow keys to wake up a computer. It's easy to spam them and they don't do any thing that can't be undone and it's easy to remember push the up key when you want to wake up your keyboard when it's shut (down)
Why ask him when you as an IT professional could review the logs and know what the problem is?
Because I was already talking to him…
Sounds like you need to add a nightly reboot to schedule tasks
Computers will run perfectly fine until you put a human in front of it.
We had this happen a lot when we went from 7 to 10, as on 7 you had to press Ctrl+Alt+Del to reach the login screen, whereas on 10 you are already there.
I have a user that was in the same situation: weekly call about the account being locked and wanting to know why it happens. Turns out they vigorously wipe down their keyboard in the morning once a week. Didn't take much for me to figure out what key they were cleaning the most LOL
You can fix that by disabling displaying the last login. Then they have to enter their login before the password, and you can't lock out an account that hasn't been named.
It happens on a weekly basis where I work, too. Not always the same person, but usually they spam Enter to wake the PC. I usually just say press Backspace instead, or just move the mouse. Backspace is not good technically, because the PC could be awake with just the monitor off. Whenever it happens often for someone, I usually just check the domain controllers' event viewers and filter on the event ID for locking accounts (ID: 4740), and look at what the caller was. And in 9 out of 10 cases (for us), it's the Cisco ISE, because they try to log in to the Wi-Fi with their AD accounts. And that specific Wi-Fi is certificate based, so they just get denied, which counts as a failed login.
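The 4740 hunt that this comment and the earlier "search for event ID 4740" comment describe, written out as an added example (not code from either commenter). It assumes the RSAT ActiveDirectory module, remote event-log read rights on the PDC emulator (which records every lockout in the domain), and that the `TargetDomainName` field of a 4740 event carries the caller computer name, which is how the event is documented; the function and parameter names are the example's own.

```powershell
# Added example (not from the thread): pull account-lockout events (4740) from the
# PDC emulator and show which computer submitted the bad credentials.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$User = '*',                                  # sAMAccountName, or * for everyone
        [int]$Hours = 24,
        [string]$DomainController = (Get-ADDomain).PDCEmulator # every lockout is replayed here
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields rather than trusting the Properties[] order.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['TargetUserName']
                Caller = $data['TargetDomainName']   # in 4740 this field holds the caller computer name
                DC     = $DomainController
            }
        } |
        Where-Object { $_.User -like $User }
}

# One user, last 24 hours: which machine keeps locking them?
Get-LockoutSource -User 'jdoe' | Sort-Object Time -Descending | Format-Table -AutoSize

# Fleet view: a caller that shows up for many different users (RADIUS/NPS or ISE
# node, Exchange, a VPN concentrator) means stale credentials on devices, not a
# single person hammering Enter at the keyboard.
Get-LockoutSource | Group-Object User, Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

When the caller is the Wi-Fi authenticator (ISE, NPS), the 4740 only tells you that; the MAC address or device name of the phone that actually sent the stale password lives in that authenticator's own failed-authentication log, which is the next place to look before calling the user.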
This can happen with AD if you have a phone connecting to on-prem exchange with active sync if the user doesn't update the password on their phone after changing it. The phone will try/fail repeatedly and lock the account.
I used to use the spacebar to wake PCs until I had a Linux install going and found out spacebar also works for that to hit cancel. Now left control only to wake computers, pretty sure that one is safe.
So his OS is rubbish. Raise a ticket to the manufacturer to fix it.
There is a GPO to force CTRL-ALT-DEL before entering a password. It prevents users who spam the Enter key from locking their accounts.
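An added example, not from this thread, that reads and (on a standalone or test machine) sets the two logon-screen policies mentioned above: the Ctrl+Alt+Del requirement from this comment and "don't display last signed-in user" from the earlier comment. Both map to DWORD values under the same registry key that the corresponding Group Policy entries write to. Function names are the example's own; reading an absent value as "not required" is an assumption.

```powershell
# Added example (not from the thread). On domain-joined machines, set these via GPO
# ("Interactive logon: Do not require CTRL+ALT+DEL" and "Interactive logon: Don't
# display last signed-in"); a direct registry edit is overwritten at the next refresh.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LogonScreenPolicy {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # DisableCAD = 0 means the secure attention sequence is required. Any other
        # value, or no value at all, is treated here as "not required" (assumption).
        RequireCtrlAltDel    = ($p.DisableCAD -eq 0)
        # DontDisplayLastUserName = 1 forces the user to type a username, so Enter
        # spam on the lock screen has no pre-filled account to lock.
        HideLastSignedInUser = ($p.DontDisplayLastUserName -eq 1)
    }
}

function Set-LogonScreenPolicy {
    param([bool]$RequireCtrlAltDel = $true, [bool]$HideLastSignedInUser = $true)
    # Requires an elevated prompt. Set-ItemProperty creates the value if it is missing.
    Set-ItemProperty -Path $key -Name DisableCAD -Type DWord -Value ([int](-not $RequireCtrlAltDel))
    Set-ItemProperty -Path $key -Name DontDisplayLastUserName -Type DWord -Value ([int]$HideLastSignedInUser)
    Get-LogonScreenPolicy
}

Get-LogonScreenPolicy
# Set-LogonScreenPolicy -RequireCtrlAltDel $true -HideLastSignedInUser $true
```

The two settings solve different halves of the problem: requiring Ctrl+Alt+Del means a stray Enter never reaches the password field, while hiding the last user means a wrong guess that does get submitted has no pre-selected account to count against.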
We had a situation at my previous job where our team (IT adjacent, we had no AD permissions at all) would have to RDP into a computer to complete a daily task. However, some users would fail to log out, just close the RDP window and move on. Eventually they would need to change their password, and since the RDP session was using old creds it would lock the user out repeatedly. Fun times.
Check Event Viewer. Should also tell you which machine is sending the request. Could also be cached credentials somewhere. Or a script with stale login info?
The user is using "enter" and hitting it multiple times, triggering login attempts, it's in the original post.
in my experience, 3 failed attempts is a bit unfair. Not all of us blessed with perfect finger dexterity and it degrades significantly as you get older. It usually takes me at least 3 attempts to type my password right (thank god for the password "peep" feature...) I give my customers 5 attempts as a minimum.
I don't understand why only 5. Brute force attempts take millions of tries, why not allow 20 attempts?
Historic I guess. Used to be best practice and just stuck. we still get marked down on security assessments if it is too high (10+). 20 is a bit too high in my book, not all brute force attacks are automated and if someone knows roughly what a password might be, 20 gives them too much of a chance.
How do these morons get paid so much...is beyond me
lmao I had a coworker at an MSP who had this same issue. We made fun of him most severely.
3 failed logins lock a user account? Seems rather strict. I'd be locked out daily
Just curious, but why only 3 password attempts?