462 points JumpCrisscross | 24 comments
1. sirnonw No.45078160
Funny how there is a post-it with a password glued to the screen of the computer in the lede image, now in plain sight for thousands of readers.
replies(8): >>45078197, >>45078255, >>45078281, >>45078369, >>45078562, >>45078571, >>45078637, >>45082736
2. ashton314 No.45078197
Looks like there's a year at the end; might be to facilitate suckurity requirements such as yearly password rotation.
replies(1): >>45078362
3. No.45078255
4. ronsor No.45078362
Some places do 3 months! It's amazing
replies(3): >>45078494, >>45079442, >>45079964
5. downrightmike No.45078369
My guess: Ccjacs 2004

Odds are it hasn't been updated for 20+ years

6. mystraline No.45078494{3}
PasswordAugust2025!
7. IncRnd No.45078562
I think this is Ccjaas2004. I'm not 100% sure on the letters, but the year is easy to see. Hopefully, they've changed their password sometime in the past 21 years.
replies(5): >>45078616, >>45078633, >>45078710, >>45078974, >>45079568
8. alephnerd No.45078571
@Dang can you please delete this comment

OP might not be wrong, but let's at least follow SOP for disclosing security failures (30 days pre-disclosure)

replies(1): >>45079258
9. No.45078616
10. jchw No.45078633
That's true. Now it is most likely Ccjaas2025.
replies(1): >>45078806
11. idiotsecant No.45078637
You'd be surprised (or probably not) how much incredibly critical infrastructure has one ancient lynchpin PC doing some weird essential thing with a post-it note password like NameOfCompanyYear! where it's clear based on the year that the password hasn't been reset in a quarter century
12. pmontra No.45078710
That's CCJ who married AAS in 2004. The password is still the same. But what's the username and what's the service?
replies(1): >>45078813
13. IncRnd No.45078806{3}
I think you're correct. They probably use it as the password "format" and haven't updated the post-it in order to trick anyone trying to steal the password! What could go wrong?
14. IncRnd No.45078813{3}
Everybody logs in with the same username into the only app. It's a kiosk computer without a surviving vendor to support it.
15. netsharc No.45078974
The image URL contains a parameter for size in pixel, and it's modifiable...
16. tomhow No.45079258
We don't delete things unless the poster asks us to, and really I doubt this comment is creating any more risk than the picture itself on the WSJ.
replies(1): >>45079472
17. Izkata No.45079442{3}
I keep a list of every time I change one of my work passwords with the date it would have expired, and it seems to fluctuate between 2.5 and 3.5 months with little consistency. Some of us used to have it locked so we didn't need to keep changing it, but they reenabled it some time ago and we got confirmation it was for some sort of external security requirements.
18. alephnerd No.45079472{3}
Fair enough!
19. Retr0id No.45079568
It's ok, comes back clean on https://haveibeenpwned.com/Passwords, probably a few more years of life left in it!
replies(1): >>45081723
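For readers who have not looked at how the Pwned Passwords check above actually works: the lookup is a k-anonymity range query, so the client sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally. The example below is added here and is not code from any commenter or from Have I Been Pwned; it hashes a password, splits the hash, and matches the suffix against a response in the same `SUFFIX:COUNT` line format the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint returns. The "breach corpus" and the range responses are constructed inline so nothing leaves the machine; the `fetch_range` parameter is an assumed hook where a real HTTP fetch would plug in.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample breach corpus (password -> times seen). Not real data.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password123": 123456,
    "Summer2025!": 42,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the range API compares against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_index() -> Dict[str, str]:
    """Group the constructed corpus by 5-hex-char prefix and render each
    group as the API would: one '<35-hex-suffix>:<count>' line per hash."""
    groups: Dict[str, List[str]] = {}
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        groups.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    # Constructed filler suffix so every range response holds more than one
    # line, as real responses do; this is not a hash of anything.
    for prefix in groups:
        groups[prefix].append("0" * 35 + ":1")
    return {prefix: "\r\n".join(lines) for prefix, lines in groups.items()}


FAKE_INDEX = build_fake_range_index()


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; returns the constructed response text."""
    return FAKE_INDEX.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appears in the (simulated) corpus.

    Only the 5-character prefix is handed to fetch_range; the 35-character
    suffix never leaves this function, which is the k-anonymity property.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.partition(":")
        if sep and candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for pw in ("password123", "Summer2025!", "a-constructed-unseen-passphrase"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

Swapping `fake_fetch_range` for a function that performs the real GET (and sets a User-Agent, which the live service requires) is the only change needed to run this against the real API; the matching logic stays local, which is the whole point of the range design.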
20. bongodongobob No.45079964{3}
That was best practice until maybe 10 years ago. Point the people in charge of that to the NIST standards.
replies(1): >>45081664
21. hdgvhicv No.45081664{4}
I hear cyber insurance companies (ransomware cover etc) still require outdated standards.
replies(1): >>45086587
22. austinjp No.45081723{3}
Ah thanks for that. I've been meaning to change my password for a while, looks like this is a strong choice then.
23. conorcleary No.45082736
Sorta how those Fox Raw livestreams on YouTube Live consistently show the inner workings of room-to-room shuffles and background whispers INSIDE the White House for the entire online world to dissect; it's definitely a security flaw but maybe not considered so by either Fox or the admin.
24. bongodongobob No.45086587{5}
People think cyber insurance requirements are hard rules, but they aren't. For the most part, you just need to show effort as it's completely impossible to be 100% compliant with all standards. For example, if you weren't rotating passwords but had proper MFA on your accounts, you're fine. Hell they even have conflicting standards sometimes. I've been through this multiple times when I worked at an MSP. For the most part, leadership just pushes to meet those standards to cya, which makes sense, but as long as you don't demonstrate gross negligence, they'll pay out.