back to article Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Welcome back to On Call, a special corner of The Register where readers can share tales of their cries for help and the deaf ears on which they fall. Today's yarn, which includes a non-Linux-based solution to Active Directory woes, comes from a reader we shall call "Clive", who was struck with a run of bad luck at the hands of …

  1. TonyJ Silver badge

    Ahhh passwords...

    My brother-in-law worked at the same company as I had.

    Literally 10 years after I'd left, the Domain Admininistrator password was the same. And weirdly as I type this, I remember it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ahhh passwords...

      > And weirdly as I type this, I remember it.

      Password1 is really easy to remember, that is why I use it for everything. ;)

      1. Anonymous Coward Silver badge
        Holmes

        Re: Ahhh passwords...

        Unfortunately Password1 doen't meet many complexity requirements. That's why I use P@ssword1 instead

        1. Tigra 07 Silver badge
          Coffee/keyboard

          Re: Ahhh passwords...

          Unfortunately P@ssword1 doesn't meet my password length requirements. That's why i use P@ssword123 instead

          1. DougS Silver badge

            Re: Ahhh passwords...

            I've used a lot of <my favorite password>1234 type passwords at places where they need to changed often. They usually require it be different by several characters, so then 1234 becomes 2345 and so on, and I've never had a contract long enough to be on 6789 and find out if it will let me use 1234 again.

            1. PerlyKing Bronze badge
              WTF?

              Re: Ahhh passwords...

              One place I worked had password management which detected whether or not a password was too similar to a previous one. Not identical, similar. The only way I can think of making that work is to store the passwords in plain text somewhere....

              1. big_D Silver badge

                Re: Ahhh passwords...

                Plaintext or encrypted. Hashing, as you rightly surmise wouldn't work.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Ahhh passwords...

                  It depends on the hashing algorithm. There are non-cryptographic hashes, too.

              2. xeroks

                Re: Ahhh passwords...

                They *could* have taken your password and applied maybe some kind of a standardisation algorithm to it. Maybe lowercasing it, and/or removing numbers and nonalpha chars, then saving the hash of that? (obviously they'd store the hash of your actual password too.)

                But they probably didn't.

              3. This post has been deleted by its author

                1. Daedalus Silver badge

                  Re: Ahhh passwords...

                  But they would have to know the original password to do that. If the password is encrypted at source, they cannot know that. The only way they could know it is to store the password in plain text somewhere.

                  1. Remy Redert

                    Re: Ahhh passwords...

                    No, you take the new password which hasn't been hashed and the original forgotten yet and compute a whole bunch of likely variations and run those against the hashed old password. If any of them match, the new password is too similar to the old one.

                    If you don't get any matches, create the hashed password and get rid of the plaintext.

                  2. tiggity Silver badge

                    Re: Ahhh passwords...

                    If you want to be scared, try lots of online banking where they ask for specific numbered characters from your PIN and password

                    e.g. digits 1 and 3 of PIN, characters 3, 6 and 7 of password

                    Which, would either mean plain text password storage

                    Or (not much better) password is encrypted but in a format that can be easily decrypted to some degree (and so IMHO just security theatre, )

                    Which is why other half does online banking and I avoid it.

                    1. Kiwi Silver badge

                      Re: Ahhh passwords...

                      If you want to be scared, try lots of online banking where they ask for specific numbered characters from your PIN and password

                      Kiwibank does it a little better.

                      First, you have your user number and long password/pass phrase (the number is NOT your account number). Then you get a system where a couple of characters have to be entered from your security questions. The nice thing is you can set your own questions OR choose the normal suggested ones (the latter being the sort of thing many people spaff all over social media - mum's maiden name, first school etc etc - keep trying to get through to dimwits that those are NOT security, same as a gubbermint department that I often deal with that, for 'security reasons', I have to speak my ID code into their system rather than typing numbers.. In a public place, anyone with a recorder (not like anyone has voice recorders in their pocket today...) has my details. Of course, in all likelihood their voice match system does a poor job anyway.. And I later have to give DOB etc also over voice.

                      But anyway.. Yes I see your point that the 'security questions' or 'select which number of your pin/pass' could have them stored in clear text, and I suspect the way you describe it the password field would give any shoulder-surfer the length of your password. They could keep an encrypted system that stores individual characters and total length (the latter having to be clear but the former shouldn't)..

                      I wonder... [buggers off, checks things, contact's banks site team and leaves a few suggestions] Ok, you can use numbers with Kiwibank but they only show the relevant part of the keyboard, IE if you only use letters you only see letters. Dunno how they handle allowed spaces (will try sometime maybe). Have suggested a few changes including always having the full character set displayed, otherwise a shoulder surfer could get insights you might not want them having. Damn, forgot to mention the default security questions are commonly on people's farcebork profiles, or known by family (eg mom's maiden name). Ok, so I deliberately used ones my family would know, but not outsiders, but that's beside the point...

                    2. Michael Wojcik Silver badge

                      Re: Ahhh passwords...

                      There are other problems with these "partial password" schemes. They're really not a good idea.

                    3. Anonymous Coward
                      Anonymous Coward

                      Re: Ahhh passwords...

                      Yup, I emailed Santander to point out the idiocy of asking for the xth, yth and zth character as I now had to write down the password rather than simply typing the whole thing from memory.

                      (it's now stored in KeePass in its 'expanded' form, so I just need to remember the passphrase for that)

                      What? use your app... the one that remembers everything and just needs a gummy bear to unlock!

                2. baud

                  Re: Ahhh passwords...

                  that's what Facebook do:

                  https://security.stackexchange.com/a/53483/

                  See this answer, with comment from a FB engineer.

              4. Anonymous Coward
                Anonymous Coward

                Re: Ahhh passwords...

                That is why there is sticky adhesive on the backs of sticky notes... and of course, why there is flat space on the under side of keyboards!!!

                1. Dave314159ggggdffsdds

                  Re: Ahhh passwords...

                  Stickynotes aren't an urban myth, but anywhere that doesn't have hotdesking, 8/10 passwords are guessable within three tries based on the desk furniture so it doesn't make much difference. Once you have physical access, you have access. Engineer the users, fiddle with the hardware, or just ask nicely. Hacking is for people too far from their target to do things properly.

              5. JimboSmith Silver badge

                Re: Ahhh passwords...

                A prog in the pre email days used by a few people at an ex employers was password protected. It was an in house prog giving you access to a company directory which included home phone numbers. The person that had written it obviously thought of security. Users were not allowed to keep the same password and were forced to change it every so often. Sadly he'd set it up to require changing after x* number of logins. One user exceeded this after two days. People wouldn't keep it open though and exceeded the login limit very quickly. A revised version was released quite quickly which used a date rather than number of logins.

                *I think it was 60.

              6. the spectacularly refined chap

                Re: Ahhh passwords...

                One place I worked had password management which detected whether or not a password was too similar to a previous one. Not identical, similar. The only way I can think of making that work is to store the passwords in plain text somewhere....

                It can be done without plain text storage, you can learn a lot by playing with what they will accept. When I've seen that in the past the underlying logic hashed the first and second halves of the password separately, rejecting the new password if either half matches. That catches e.g. Password1 -> Password2 but fails on Password1 -> 1Password.

          2. rcp27

            Re: Ahhh passwords...

            place I work cottoned on to -1, -2, -3 suffix incrementation, and added a rule that the final character could not be a number. I had to break out of routine and switch to -a -b -c suffixes instead.

            1. Robert Moore
              Pint

              Re: Ahhh passwords...

              Just put the number at the beginning.

              1P@ssword

              2P@ssword

              3P@ssword

              These will never be guessed. :)

          3. AZump
            IT Angle

            Re: Ahhh passwords...

            Sadly, this is the password used to secure IT and Staff systems at my College.

        2. Anonymous Coward
          Anonymous Coward

          Re: Ahhh passwords...

          It works in most places, but yes there are some places where I need to use a higher security password containing a symbol... I wasn't going to tell you which symbol I add to the end... for security reasons?

          1. Anonymous Coward
            Anonymous Coward

            Re: Ahhh passwords...

            >It works in most places, but yes there are some places where I need to use a higher security password containing a symbol... I wasn't going to tell you which symbol I add to the end... for security reasons?

            My password contains the "@" symbol, which was great until the latest Windows 10 FR release reset my keyboard mapping from ENG-UK to ENG-US and I didn't notice. Took me a good couple of hours with the helpdesk to sort that one out!

            1. Captain Scarlet Silver badge
              Mushroom

              Re: Ahhh passwords...

              Alt and Shift is a bloody stupid shortcut, always catches me out at the logon screen and last month whilst logged in.

              Every time I realise to late ENG appearing in the taskbar and then having to make the phone call to Helldesk to get unlocked.

            2. Manolo
              Flame

              Re: Ahhh passwords...

              Hah! I don't need no steenkin Windows 10 update for that! The Windows boxen at work do that spontaneously by themselves without an update.

              1. doublelayer Silver badge

                Re: Ahhh passwords...

                This can happen on Mac OS and Linux as well. I remember the occasion rather painfully when I had been working on an important recording (an audio project requiring a lot of editing and long-running operations) when I waited a bit too long and my machine locked. Only then did I realize that A) I had been writing notes on this project in Spanish, B) I was still set to the Spanish keyboard layout, C) my login window did not have a method to change the keyboard layout, and D) my password contained characters that were on the English keyboard but not the Spanish keyboard. Fun times, having to think about forcing a shutdown knowing that a lot of my work which I hadn't yet saved was going to be lost. It's fun when we first learn that saving should be done as often as possible and somewhat less fun when we forget to even though we've learned we should.

                1. JulieM Silver badge

                  Re: Ahhh passwords...

                  But at least with a Mac or Linux machine, you can usually ssh in from somewhere else and then find a way to fix things.

                2. ShadowDragon8685

                  Re: Ahhh passwords...

                  And this is why paranoid autosaves should be a thing. "Oh, the user has typed something? Let me save that, along with the last 2,000 other things they did, so they can undo/redo to their heart's content."

                  1. Kiwi Silver badge
                    Paris Hilton

                    Re: Ahhh passwords...

                    And this is why paranoid autosaves should be a thing. "Oh, the user has typed something? Let me save that, along with the last 2,000 other things they did, so they can undo/redo to their heart's content."

                    That can sometimes be a very bad thing in it's own right.

                    Client's kid thought they'd make the computer faster by a 'factory reset'. Mom and Dad's tax documents and other stuff were there and not backed up. They brought it to me to do a recovery, and I ran a basic tool (possible "GetDataBack" - nice tool to have!).

                    The problem is, there were a lot of documents recovered, and no obvious way to tell which was the latest. Autosaves every 5 minutes or less, meaning a new copy, where they might have the document open pretty much all day every day..... They were a bit upset that I didn't just recover the latest ones.

                    I tried to explain how much was there and how much time would be involved, and suggested they could pay me to NOT work on any one else's machine for a few days to trawl through it all, OR they could give me some information that'd narrow it down (like a very recent cheque or other transaction).. But being clients - very much like another word that is just missing the E - (CLINTS - if you connect the dots...), well... I should've handled that better but I was all out of quicklime :(

                    HP's easy 'factory reset' and people's inability to read and comprehend stuff like "THIS WILL DELETE ALL OF YOUR DATA" gave me a lot of work at times.

          2. WonkoTheSane Silver badge
            Trollface

            Re: Ahhh passwords...

            The "middle finger" emoji?

            1. Glen 1 Bronze badge

              Re: Ahhh passwords...

              I do wonder how many places accept unicode in the password field. Certainly would make brute forcing less probable.

              1. Kiwi Silver badge
                Black Helicopters

                Re: Ahhh passwords...

                I do wonder how many places accept unicode in the password field. Certainly would make brute forcing less probable.

                I'd love to see a couple of things...

                The ability to use numeric keypad and surrounding keys as separate to the other number keys. Left or right shift use being different codes could also be nice - of course I don't think USB keyboards do the same scan codes like the older ones did do they? Never looked.

                And a separate login with the same username but different passwords. I've been in a could of places where that could be useful for various things, including being able to have higher/lower level accounts but use the same everything else (same desktop, same browser/email profiles etc).

                Years back the alarm company that fitted out a friend's home gave them a main code as well as a "duress code" in case someone forced them to disarm. It wasn't appreciated by the sales person (aka "installer") when I asked if the duress code can be changed, and when I was told 'no' I pointed out that all of us in the room, if we were so inclined, could force someone to disarm and point out if we saw that code entered (think it was "1 3 9 7") we'd know what it was and do whatever threatened harm... But I did always like the idea of a 'duress password' and as most home computer OSs list the user accounts on screen and it'd often be obvious which belonged to who - having a 'duress' password that opened a different or similar-but-crippled profile (faked an internet fault or...) would be useful... Even if it does eventually risk coming under the same knowledge of it's existence I mentioned above.

      2. Olivier2553 Silver badge

        Re: Ahhh passwords...

        Woah! You are very unsecure. You know you should use correcthorsebatterystaple. I use it everywhere now that I know about it and I am very secure.

        1. Fruit and Nutcase Silver badge
          Coat

          Re: Ahhh passwords...

          Shirley... horsebarnstabledoorclose

          1. GnuTzu Silver badge

            Re: Ahhh passwords...

            If that's an Airplane reference, than surely somebody should respond "don't call me Shirley."

            1. Glen 1 Bronze badge

              Re: Ahhh passwords...

              Yes they should, and don't call me Shirley

            2. lesession

              Re: Ahhh passwords...

              Not Airplane (Looks like I picked the wrong day to give up correcting references) but XKCD ...

              https://www.xkcd.com/936/

              1. A.P. Veening Silver badge

                Re: Ahhh passwords...

                Whooosh!

        2. Dave314159ggggdffsdds

          Re: Ahhh passwords...

          I use ******** most places.

      3. red floyd

        Re: Ahhh passwords...

        Are you sure it wasn't 12345?

        1. Jayce and the Wheeled Chairs
          Coat

          Re: Ahhh passwords...

          That's amazing I have the same combination on my luggage

          1. J. Cook Silver badge

            Re: Ahhh passwords...

            Was waiting for the Spaceballs reference, was not disappointed. A+++ would upvote again..

      4. Efer Brick

        Re: Ahhh passwords...

        what's the password recovery hint? "Rhymes with assword"?

        1. TSM
          Trollface

          Re: Ahhh passwords...

          At home, on the kids' computers, I use the same password on each for my account (which is the only admin account on their machines).

          The password hint for my account on computer A is "Same as on computer B" and the password hint for my account on computer B is "Same as on computer A".

    2. big_D Silver badge

      Re: Ahhh passwords...

      I started work at one company, as their first IT Manager. Until that point, they had had external contractors running their IT. This was a company with a couple of hundred employee, working on 3 sites.

      When I started, the first thing to do, was to change the administrator password - but the accountant didn't want that, because all the wanna-be admins wouldn't then be able to log on! Then there was the user passwords. The consultant had set everybody's passwords to "12345" and they couldn't change them "for ease of support."

      I then checked around the server configurations and the first thing I spotted was, that all of these user accounts with password 12345 also had Exchange mail, with OWA exposed and mobile device access open... So anybody, anywhere in the world, with the email address of an employee of the firm could log onto the web portal and give the password 12345 and they were in...

      A hectic morning of going through all accounts and disabling OWA and mobile access and setting the "change password at logon" flag... Followed by wailing and gnashing of teeth and a stern word from the CEO for "disrupting" his business...

      Curiously, the company went into receivership shortly thereafter...

      1. Hey Nonny Nonny Mouse

        Re: Ahhh passwords...

        I've mentioned it here before, an estate agency where the MD and accounts direct refused to allow me to set password complexity and re-use rules, they had two passwords each and rotated them.

        Idiots, they also went the same way, after they took over the business they managed to take a thriving city letting agency and drive it into the ground, after 2 years of their 'management' it was sold off for around a hundredth of the amount they got it for.

      2. JimboSmith Silver badge

        Re: Ahhh passwords...

        One company who we used for a software prog had very lax password rule. It could be just one character if you wanted but not blank. Another security hole was that your password was used to access the program. Then once in you could access any of the databases in the correct folder. So you could purloin a database from a rival company and access it from your copy of the program. I pointed this out and was told it would be hard to replicate in the real world.

        Conversely the code to authenticate and license the damn thing was about twenty characters. It required reading your code down the phone to the lady at head office.She'd input that into her machine and give you a code to input (this was at the dawn of the internet). All this had to be done quite quickly as your machine would generate a new code every minute or two. If that happened you had to start again. Painful wasn't the word for it.

        1. J.G.Harston Silver badge

          Re: Ahhh passwords...

          That rings a (forboding) bell. Wise Old Accounting Software? Or Flying Reptile Scribing Software?

        2. Rol Silver badge

          Re: Ahhh passwords...

          ".....so you see Mr Smith, anyone could have accessed our systems and changed or deleted anything"

          "Oh, I never had any idea things were so bad. Excellent work. Excellent work Steve"

          ....

          "Hi Monty."

          "Yes"

          "That new IT manager. He's gotta go"

          "Why what's the problem?"

          "He's only gone and smashed up our escape helicopter"

          "Eh?"

          "The plausible deniability thingy, that it wasn't us that wiped the servers just before the cops turned up"

          "How?"

          "He's implemented a proper password and login system. No way could we hide behind a lax security system. We need him gone. Your dimwitted nephew back, and password1234 reinstated across the entire company"

          "I'm on it!"

      3. Mark 85 Silver badge

        Re: Ahhh passwords...

        Followed by wailing and gnashing of teeth and a stern word from the CEO for "disrupting" his business...

        Curiously, the company went into receivership shortly thereafter...

        I'm surprised that they didn't blame you for going out of business. The old saying "a scapegoat must be found" applies.

        1. shedied

          Re: Ahhh passwords...

          They just didn't stick around long enough to have that blamestorming meeting

      4. herman Silver badge

        Re: Ahhh passwords...

        'receivership' - Obviously it was all your fault, since people could not get their work done.

    3. Anonymous Coward
      Anonymous Coward

      Re: Ahhh passwords...

      I had set up a network (WinNT) some years ago, did all the documentation etc then left.

      Came back several years later, but at a lower level - wasn't allowed access to the network. Until it went wrong, "AC can you have a look at it?" and gave me the folder with the details.

      Errr.... that's my handwriting!!!!

      1. big_D Silver badge
        Angel

        Re: Ahhh passwords...

        When I left one of my jobs, my replacement Skyped me a couple of months later, thanking me for the thorough documentation I had produced...

    4. ColinPa

      Re: Ahhh passwords...

      I went on site to a major Asian bank who had a performance problem with a >huge< application on z/OS that was going live in 4 weeks.

      The standard password was "qw", every one had admin access to everything, and the code taking up 80% of the CPU was the "printf" function.

      Being an Asian country you have to be aware of loss of face.

      I raised my concerns that they were not ready to go live, and was told to keep my head down, the battle was between the bank and the implementor - both sides knew there problems, and both sides blamed each other. If I had raised a concern, they would have blamed me for every thing!

      1. Alan Brown Silver badge

        Re: Ahhh passwords...

        "If I had raised a concern, they would have blamed me for every thing!"

        At that point I'd have not touched anything and found a good reason to not be there - reason being that the blamestorming was about to kick off.

    5. Anonymous Coward
      Anonymous Coward

      Re: Ahhh passwords...

      Last place I worked at never changed any of the passwords for the whole duration I was there... but I'm told they changed all of them the day I left

    6. swm Bronze badge

      Re: Ahhh passwords...

      At Xerox we hat ALTO computers. There was one person who zealously guarded his password. We took great delight in annoying him by writing his password on his screen every time he changed it. There were several ways to get the password.

    7. pirxhh

      Re: Ahhh passwords...

      I once had a project for a major hosting provider, which involved forest admin access. This was way more than I really needed for the actual project, but it got the job done with late-night support calls.

      When the project was finished, I handed over the documentation and asked for my account to be terminated or disabled.

      It turned out that so large a client had strict processes to follow, which meant that half a year later, my account was still live. I actually had to threaten them I'd write to corporate compliance to get the access revoked.

    8. david 12 Bronze badge

      Re: Ahhh passwords...

      One of my friends married an admin/helpdesk type who's secret super power was remembering passwords: <type type type> -- 'hey how did you know the password?' <type type type> You told me the password. When I was here 3 years ago'

      1. Kiwi Silver badge
        Pint

        Re: Ahhh passwords...

        One of my friends married an admin/helpdesk type who's secret super power was remembering passwords: <type type type> -- 'hey how did you know the password?' <type type type> You told me the password. When I was here 3 years ago'

        I have that same ability.

        I won't call it a gift. I'll call it a burden.

        Do you know how much of a pain it is to remember people's passwords from 5 years ago? To find out they still work? And, when you still know their password, to get those 'special looks' reserved only for certain classes of person - looks that do not convey feelings of trust or security in your abilities?

        There is so much in this industry I wish I could forget. Passwords are up there with photo screen savers... (When you get clients who use those.. Who are nudists.. And when you realise (very quickly) that most nudists are older and much much heavier people... Then you'll know why I dread other people's screen savers... There are things you cannot unsee...)

        --> I shall be ordering mindbleach by the truckload tonight. This is the closest icon we have!

  2. Dave K Silver badge

    With glorious security such as that, no wonder the company was in trouble!

    Note: Not saying they'd folded due to crap security, but it does give you great insight into at least one complete muppet that they'd hired. If the dev was that crap at security arrangements, you wonder what else he's probably crap at as well...

    1. Pascal Monett Silver badge

      Seems that he was too busy to do security.

      And by putting his passwords into his source code, he also demonstrates how disorganized he was, which probably made him all the more busy.

      1. LDS Silver badge

        The problem wasn't the developer only - you may ask why he had domain admin credentials (local admin may be needed, for debugging and other stuff), and why PC didn't automatically lock after some time.

        1. }{amis}{ Silver badge
          Holmes

          you may ask why he had domain admin credentials

          If you are dev in an smb a lot of the time you are both development and support at the same time, there are no excuses for hardcoding passwords though.

          Personally with stuff like that a new account is created with minimal permissions for the code in question and the details dumped into the password database this takes me about 5 minutes to do.

          1. Anonymous Coward
            Anonymous Coward

            Re: you may ask why he had domain admin credentials

            There are plenty of excuses for passwords in code as I keep finding out at my current job (hence AC) whenever I question it.

          2. SImon Hobson Silver badge

            Re: you may ask why he had domain admin credentials

            At a previous job, the web devs needed to change the way they built sites that needed to send mail - which was most of them. Until a few years ago it was simple to setup a basic SMTP service configured to forward everything to the main mail server (using authentication). Apparently at some point the SMTP service was removed, so the site code had to send mail directly.

            So for the first site that needed this new approach, I generated them a suitable account which they promptly coded into the site code. Before long I realised that they'd then gone on and re-used the same credentials for every site - rather than, as I'd told them to do, getting me to give them different credentials for each site (allowing per-site sent mail quota's/rate limits). I was really tempted to find an excuse to need to change the password on that multiply used account :D

            1. Kiwi Silver badge
              Angel

              Re: you may ask why he had domain admin credentials

              So for the first site that needed this new approach, I generated them a suitable account which they promptly coded into the site code.

              I was really tempted to find an excuse to need to change the password on that multiply used account

              One or two apparent 'spam' messages from any of them would've worked well I'm sure but one question - did you clearly document the need for different credentials/clearly note your offer? I know some people can sometimes put these things too deep inside a huge pile of notes/waffle that no one is ever going to sit through, and they get lost in the noise (not that I'd have ever done something like that, honest! ---> )

              If I had done, I'd have had some fun :)

              1. SImon Hobson Silver badge

                Re: you may ask why he had domain admin credentials

                Well the need for different credentials per site was certainly stated - but not in writing as nothing else was either. To say their processed were "informal" would be a bit of an understatement. Change control, design process, source control ? Yeah, I think some of them had heard of them - the ones that now work where their skills are appreciated.

      2. Alex Walsh

        Reminds me of Chris, our IT manager 10 or 15 years ago. He spent most of his time in the office playing WoW, and any time someone had the temerity to ask why he wasn't doing IT stuff instead, he waspishly told them that he was managing the systems so well, it didn't need constant firefighting or troubleshooting, freeing him up to play games.

        1. Anonymous Coward
          Anonymous Coward

          I've automated myself out of a job before. My last job, I'd reduced the daily workload so much, they didn't bother replacing me, and just kept on one person.

          I've done similar in my current job, replacing 50-something individually managed machines with puppet, so now I have time to read elReg proactively research upcoming technologies.

    2. Jonathon Green

      Yes, it is a bit half assed. If an IT manager (or anyone else for that matter) referred to me as a code monkey (to my face or otherwise) I’d have come up with a much more imaginative, effective, and reliable way of putting him/her in his/her place than just leaving my login credentials around. At the very least I’d be arranging for them to be broadcast on a skiddie IRC channel rather than just leaving them visible in the office...

      1. jake Silver badge

        So instead of "getting back at them" by leaving your own credentials around, you'd arrange to broadcast your own credentials on a skiddy IRC channel? Now THAT is some incredibly logical thinking. You sound an awful lot like a typical code monkey to me ...

        1. Jonathon Green

          It is absolutely logical thinking. If you treat people in an unprofessional manner then you shouldn’t be surprised if/when they start to behave in an unprofessional manner too.

          Since there’s no fucking way I’d ever work for a company where anybody behaved disrespectfully towards me (and when it turned out I had been suckered into a company where such attitudes were common I was back out the door faster than you could say “probationary periods work both ways”) the situation has never arisen...

  3. phy445

    Low quality coding

    I had to write some quick and dirty, single use (after debugging), code that needed login credentials recently – I couldn't bring myself to hardwire in said credentials. You have to wonder what other corners were cut and whether poor quality code contributed to the downfall of the company...

    1. Olivier2553 Silver badge

      Re: Low quality coding

      People, management, often have the wrong idea that it is important to get something working, that security is not important and can easily be added after.

      It is ignoring the fact that one has no more free time after than he had at the beginning of the project, so security concerns are always delayed. And also that adding security after is way more complicated than envisioning security from the get go. If some cutting corners choices had been made, the very architecture of the project has to be changed, with all the risks associated and because of the risk, security is not been implemented.

      1. SImon Hobson Silver badge

        Re: Low quality coding

        At a previous job, we had a few incidents where customer sites (some of them online shopping, some of them business processes) were compromised. The devs, or at least, the ones calling the shots*, really didn't understand security.

        Eventually the managed to hire someone who did understand security - he lasted longer than I expected before he got fed up and left. He is now doing "quite well". Why was he fed up ? Obvious really, they were still writing insecure sites and then expecting him to bolt on security as an afterthought - and ignoring his "suggestions" that security is something you have to build in from the start. AFAIK they are still building "dodgy" sites.

        * I have to say, there were a couple of the devs (it was a small team) who did actually understand these things - they've also left for places where their skills are appreciated.

    2. Anonymous Coward
      Anonymous Coward

      Re: Low quality coding

      In my somewhat recent experience it is a two-way street.

      My team was frustrated because we felt we never were allotted the necessary time to close some rather glaring security holes.

      After GDPR was in the news we re-raised the issue, and finally explained, in detail, potential consequences and told them how much time we needed.

      At that point it was easy to get a go-ahead for what became a very fat patch. (more or less: "This hole causes X to happen, and when it does, then Y will have to pay a big fine")

      For us it is painful to speak to management. When we struggled with the DBMS our predecessors had chosen, we got nowhere until we finally spelled it out for management: "You want big customers? You give us big DBMS. Ugh."

      I find it difficult to explain such obvious things to manglement. After I had kids I imagine I have to explain things to my three year old and then everything flows easier between manglement and me.

      1. Olivier2553 Silver badge

        Re: Low quality coding

        You mean your manglement is about as stupid as a 3yo (not that three years old are stupid, but they have a limited understanding of the world).

        I am glad I work in education and research, people usually listen when they are told something they don't know, because they know they cannot know everything.

        1. Doctor Syntax Silver badge

          Re: Low quality coding

          "people usually listen when they are told something they don't know, because they know they cannot know everything."

          You obviously never had to deal with people who know they know everything.

        2. not.known@this.address

          Re: Low quality coding

          <quote> I am glad I work in education and research, people usually listen when they are told something they don't know, because they know they cannot know everything. </quote>

          This explains why my nephew and his wife, both recent college graduates, seem to believe they know everything - they have finished their education therefore they MUST know everything !! It's a shame that some establishments seem to foster the idea that, once you graduate, they will have taught you everything you need to know. After all, it's not like the 200+ *years* of real-world experience possessed by their various uncles, aunts and grandparents could compare to the 6 years of college between them, is it?

          (Actually it's far worse than that - they may have started college three years ago, but I think they averaged about 3 days a week between them of actual class time, "personal study" and whatever they call the college equivalent of homework... so about 8 months actual 'learning' between them... 4 months each. And that's probably being generous!)

          1. Rol Silver badge

            Re: Low quality coding

            I think the crux of a good education that you can bank on, lies not in the depth of understanding, but the confidence with which you hold yourself.

            Many bright students came out of polytechnics lacking the confidence to lord it over the distinctly average minds that tumbled out of universities into senior posts.

            Although polys are no more, the UK still has an annoying educational hierarchy that elevates some quite unworthy individuals into prominent positions, because they truly believe it is their birthright.

            Meritocracy my arse.

            1. Terry 6 Silver badge

              Re: Low quality coding

              Yeah, confidence sells. An over-confident applicant will always get a job over a sensibly cautious one.

              And an Old Etonian..........

          2. swm Bronze badge

            Re: Low quality coding

            We had a job applicant who was asked (on a form), "What are your plans for more education?" He answered, "I don't think this question is appropriate for a Ph.D." We trashed the application immediately.

            1. JJKing Silver badge

              Re: Low quality coding

              I don't think this question is appropriate for a Ph.D.

              If he was a newly frocked PhD then his answer was totally appropriate. Have you any idea of what is required to gain a PhD?

              1. Tom 7 Silver badge

                Re: Low quality coding

                JJ - quite a lot of work goes into getting a Ph.D. I used to have to read about a dozen dissertations a year when I was in chip design. And implement them!

              2. MadDrFrank

                Re: Low quality coding

                A PhD is intended to be an apprenticeship in research. In other words, it is a simple piece of supervised research just to demonstrate you might eventually have the capacity to work independently.

                Most serious bodies granting professional qualifications insist on CPD (Continuous Professional Development) as a condition for retaining registered professional status.

                I have a PhD and, before retirement, held a professional qualification. I have always been acutely aware that attainment of either is the start of one's serious education.

                1. Terry 6 Silver badge

                  Re: Low quality coding

                  I was thinking this. I don't have many postgrad qualifications ( a few certificates and diplomas as required) because that wasn't the learning that I needed in any part of my work. I didn't even bother to do the dissertation in some of the courses I took- I'd got what I needed in the studying.

                  But for 40 years I never, not from day 1, stopped looking for more training and study. There's always something to get better at or some new aspect to discover.

                  Over the decades there's been education management ( twice, the first one was useful- but no certificate the second was a pile of shit, but with a required bit of paper.) various educational computing courses ( though I was providing thee before I'd taken any myself- when I started they didn't exist). And continuously in my teaching roles.

                2. tiggity Silver badge

                  Re: Low quality coding

                  A lot of people are doing "later in life" PhD these days, I know a few who, having taken early retirement, are pursuing research that their employment never allowed them the time to do (plenty of quite "practical" subjects where teaching does not always demand a PhD (but does require various business / commercial experience) so plenty of staff teaching at uni level without a PhD).

                  1. ICPurvis47 Bronze badge
                    Headmaster

                    Re: PhD

                    When I was nearing the end of my MSc. I was invited by my University Tutor to take a PhD. as he knew of a perfect project for me. I went with him to visit a well known Nuclear Engineering company to investigate their problem and take back with us a representative sample of their data. I spent the last three months of the term polishing my MSc. thesis and at the same time, developing a FORTRAN three dimensional finite element analysis program to run on our Elliot 1603 computer (mid seventies). In early July we went back to show them what progress I had made, and they said that they were satisfied that I had identified the problem, and that their own engineers would take it from there. I had given them the entire solution, including the 3D FE program, and that was that. I never got to do the research, nor did I get either payment or the actual Doctorate. I spent that summer fitting tyres at a well known tyre company, before getting a 'real' job on the drawing board at a local engineering company.

            2. rskurat

              Re: Low quality coding

              He appears not to understand the distinction between education and credential.

        3. Stevie Silver badge

          in education and research, people usually listen when they are told something they don't know

          Two words: "Climate Change"

        4. swm Bronze badge

          Re: Low quality coding

          My 3-year old granddaughter never forgets anything. She is very smart (I'm not prejudiced or anything). I'll bet I could teach her to be a code monkey if I could hold her interest.

          1. Alan Brown Silver badge

            Re: Low quality coding

            3 years olds are like a sponge - they willingly soak up every piece of information you throw in their direction and want more.

            Treating management like 3 year olds is an unkind comparison to 3 year olds (Seagull management in any case)

            Seagull managers don't WANT new information and they certainly don't want more after you've given them the bare essentials they didn't want, but did need.

  4. Admiral Grace Hopper

    It's the same the whole world over

    After a 10 year foray into Windows development I took a short engagement supporting systems I'd worked on some five years before I left. Jokingly I asked, "Is the root password still 'XXXXXX123'?". Of course it was.

    1. disgruntled yank Silver badge

      Re: It's the same the whole world over

      Back in the 1990s, I worked for a government contractor, and was talking to a government techie about a new shiny system from another agency. He spoke of a conversation with someone he'd worked with years before, who had been explaining the wonders of that agency's new system that would allow an authorized user to log in from anywhere with an internet connection. The guy I knew said, Is your password still [whatever it had been]? There was silence on the line for a minute or two.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's the same the whole world over

        I'm reminded of a story I heard years ago. A family bought a house in a gated community. They enjoyed the extra feeling of security knowing that only residents could come in. Some time later, they ordered a pizza and asked for it to be delivered. The pizza guy asked "Is your gate code still xxxx?"

        1. Anonymous Coward
          Anonymous Coward

          Re: It's the same the whole world over

          I will always make exceptions for the pizza guy - they are always trustworthy!

          1. Kiwi Silver badge
            Happy

            Re: It's the same the whole world over

            I will always make exceptions for the pizza guy - they are always trustworthy!

            Doesn't matter a damn if they're trustworthy or not. They have Pizza! I'll give you my bosses credentials for a slice!

            --> Round like a pizza, yellow like the cheese on a pizza, and makes me smile like a pizza!

    2. Anonymous Coward
      Anonymous Coward

      Re: It's the same the whole world over

      When I was managing the Xerox DTP system for a large electrical manufacturer, I needed access to some of the higher functions that weren't usually available in order to fix a problem on one workstation. I applied for and was granted a Temporary password, that would only be valid for that day, and used it to solve the problem I was encountering. Some months later I was in on a Saturday morning, when the old problem reared its head again, but on a different workstation. No telephone helldesk at weekends, so I fiddled about a bit until I came up with a solution. I disconnected the Thick Ethernet cable, thus isolating the workstation from the server, set the date back to the date on which I had been granted temporary access, fixed the problem, reset the correct date, and reconnected to the server. Over the next three years, while I was in that position, I must have used that trick several times on every one of the workstations.

    3. Kiwi Silver badge
      Coat

      Re: It's the same the whole world over

      "Is the root password still 'XXXXXX123'?". Of course it was.

      Well, a couple of my machines still have the same root password I set on them some 15 years ago... It's even written on a note on the case.

      (I'm sure the fact they haven't been powered on for at least 13 years doesn't matter :) )

      1. Mark Solaris

        Re: It's the same the whole world over

        I think you'll find your CR2032 BIOS battery is cactus, and your machine boot loops. Ask me how I know.

        1. Kiwi Silver badge

          Re: It's the same the whole world over

          I think you'll find your CR2032 BIOS battery is cactus, and your machine boot loops. Ask me how I know.

          The bios settings that matter would be written on the note on the case, but they don't actually matter. With luck I wrote down the date it was last started, although that probably doesn't matter (but I have the option of setting it to that date or the day after before it boots - assuming the RTC has stopped)

          IIRC the mobo is one that'd moan about the date/time being out before trying to boot (or throw a CMOS checksum error), and I'd hopefully have the presence of mind to look at things closely first.

          Someone else I know recently lost a bit of legacy kit because an old FDD drive gave up the smoke, somehow taking the mobo with it (and maybe the PSU - I don't have a tester/sacrificial mobo to hand) - I'd get rid of as much hardware as I can, perhaps image the drive (if it spins), and give the machine a decent clean or at least good inspection before firing it up. I hope. Otherwise, maybe a spider got in and maybe it's carcass is somewhere sensitive and maybe when I turn it on there's a pop and a smell and no more whirring sounds... (I sometimes love "I told ya so!" when suggested he remove any hardware he doesn't need! At least now there's some more old crap destined for the recyclers, where it damned well should be !)

  5. Terry 6 Silver badge

    what other corners were cut

    If corners were cut in those sections you can assume with reason that there was snipping at vertices elsewhere too.

  6. Anonymous Coward Silver badge
    Paris Hilton

    Something smells here

    Why look for the dev's credentials and then log in as them elsewhere rather than firing up the AD panel from the dev's computer? That way you don't even need to know their credentials.

    1. Anonymous Coward
      Anonymous Coward

      Re: Something smells here

      Maybe the Windows Administrator tools weren't installed on the Dev machine, maybe there was IP address restriction on access to the AD, maybe he enjoyed working at his old desk better, maybe his seat was more comfortable than the Dev's seat, maybe the administrator was still sat up by his PC waiting for him, maybe there was a better view from the window of his seat....

      Does it matter, the Dev's credentials were in the code, he didn't need to use the Dev's machine?

  7. Anonymous Coward
    Anonymous Coward

    Unfortunately all too often where I work I come across the attitude that security “isn’t my job”, I get that from Developers, testers, project leads and even management. The attitude is the business risk of not getting feature X out the door is higher than the risk of not paying attention to either security within the software or security within the organisations own environment. So it ends up the security and IT teams are trying their hardest to keep things secure with toddlers trying to actively destroy and progress made! So when the breach comes, I’m going to smile, a lot.

    1. RobinCM

      This is why security needs to be made a legal requirement. Or at least something which is routinely required to be tested for.

      If that software product was instead a car, and it drove fine , and they'd just implemented some kind of fancy ai feature, but the car got zero in the euro ncap, or couldn't pass an MOT, few people would buy it.

      Things like cyber essentials being required are a step in the right direction.

      1. Alan Brown Silver badge

        "This is why security needs to be made a legal requirement"

        GDPR laws and insurance companies refusing to pay out in cases where security was lax have that effect.

        The memo is finally starting to trickle up to management. Personal liabilities would help.

    2. Chairman of the Bored Silver badge

      "security isn't my job" attitude

      ...I understand what you mean, and it's a good point. The rub is that in many large orgs - particularly government in my experience - your sensible position morphs into a management mantra that "Security is Everyones' Job"

      What does that mean in practice? When the inevitable problems occur, the set {everyone} is searched until some poor bastard without any political clout or protection is identified, "investigated", and eliminated.

      In environments like that I will use weasel words such as, 'While I employed best known practices, I'm a hardware guy. For the security angle you need to consult with Joe Blow...' It's a long sentence, but it must cover my entire arse.

    3. Terry 6 Silver badge

      My experience, working between users and devs, has been that security and ease of use are both way down the priority train behind getting in the features that the top brass want to see (often for no sensible reason) and then getting the product out. Result, complex insecure systems that users will simplify if they can, and avoid if they can't. Which can be anything from the post-it note p/w to a complete non-use of the poxy software.

    4. Anonymous Coward
      Anonymous Coward

      IT security and management mandated that all Windows machines were to have BitLocker encryption implemented on the hard drives...

      I found a bunch of laptops helpfully dymo labelled with 'BitLocker nnnnnnnn'!

      (I pointed out they all had a list of 'handy numbers', phone nos and acct nos, on the wall... pick a number, any number... just don't write it down on the machine!!!)

  8. sitta_europea Bronze badge

    I have some interesting tidbits for Oncall. One of them is even about The Register.

    But I can't relate them, because Google rejects all the mail I send to The Register with

    "The account [sender email address] is disabled."

    Of course I've never had an account [sender email address] with Google, so that might, er, account for it.

    1. David Given
      Trollface

      Are square brackets even _valid_ in email addresses?

      1. Vincent Ballard

        Yes, but the local-part has to be quoted.

  9. chuBb.

    Ahhh the longevity developer

    Yet to work any where where the title of senior dev didnt mean anything more than longevity, generally they have been the worst culprits of poor sec practices and due to longevity are trusted by higher ups, generally just leave them to hang them selves unless its something totally arse backwards. Worst one i have encountered was a walking disaster of apathy and a teflon like attitude to responsibility, doing stuff like dir browsing enabled on a webserver with a share mounted to it of sensitive docs, like you know customer lists and account details, the look on the CEO's face when all the companies "secrets" were browseable was a nasty shock for him, the longevity dev at that place had some explaining to do after that one, his excuse was basically it "wouldnt be found" (server logs said otherwise), it made his job easier when he was working from home because he didnt like the vpn software (because it forced all traffic via the companies gateway/net filter and blocked his torrent access), he got to keep his title but the trust the higherups put in his technical chops was forever gone, he left 6 months later when the jnr dev brought up equally stupid coding practices to do with passwords, turning open relay on the smtp service because he thought the code was inellegant to do smtp auth and unfiltered file uploads to a folder where he had set execute permissions on because chmod 777 was the only way to make his arse backwards code work (it wasnt he just couldnt grasp that the folder was owned by root and his code executed under a different user account that wasnt root)

    After the senior left they scrapped that title and replaced with lead, small name change but one where people actually took some responsibility on with the title...

    1. Vincent Ballard

      Re: Ahhh the longevity developer

      In my very first job, "senior dev" meant projected longevity. I stepped straight out of university into the senior dev post with a 2.5 year contract: the junior devs started on the same day, with something like 3 month contracts, as they were doing a summer job between the second and third year of uni. Since I was the one who would have to maintain their code after they left, I had the deciding vote in disagreements over design.

  10. Will Godfrey Silver badge
    Happy

    Karma is a beautiful thing

    I always like to hear of times when the 'victim' becomes the winner.

  11. a pressbutton

    Passwords with long lives

    ... in my experience, some database passwords have not been changed since the mid 90s

    1. Adrian Midgley 1

      Re: Passwords with long lives

      In my experience some database passwords have not been changed.

  12. K Silver badge

    When my previous long-term employer went TITSUP....

    I got kept on by the liquidation administrators... I made more out of them in 3 weeks, than I did normally in 6 months... In addition, they willingly sold me some of the company assets - half a dozen nearly-new Dell Precision laptops (top spec) for £100 each.

    Whilst I was grateful for the ludicrous low price, it also disgusted me - I'd been with the company since the start, as the IT Manager, I knew the value of all the assets, and the liquidators were selling them at 10-15% of their actual resell value, even second hand, those Dell Precision laptops were worth > £1000 each.. and this was money that was meant to settle what was due to employees and creditors!

    1. Neal L

      Re: When my previous long-term employer went TITSUP....

      So you sold the laptops and got some remuneration for those wronged?

  13. Mk4

    Everyone is the administrator now!

    I did a short stint at a car maker about 20 years ago (the one shortly to leave Swindon...) where the IT director had directed that no-one was to have administrator rights given to their normal user account as this was insecure, which to be fair is quite correct. However, there were about 100 developers working there. It was really not practical (time, people and knowledge all being in short supply) to think that these devs would be able to provide the list of granular rights and permissions they needed for every project, and anyway the necessary rights and permissions changed fairly frequently.

    The IT director said that the devs should submit their request for whatever they wanted to do to the IT support team and they would do what needed to be done. Asking a bunch of basic IT support bods to do developery things just made messes and the overall problem was then even worse as these messes had to be cleaned up. The devs were under massive pressure all the time to release working things and the upshot of this situation was that in the end about 100% of the developers knew the domain admin UID and password. This ensured that all changes on all systems were totally untraceable to whomever had actually made them. Something I pointed out and advised that it would be better to give the devs local admin rights on all servers, then at least we could track those changes against individuals and the devs couldn't bugger up the AD. Did they pay any attention? No, of course not. They changed the domain admin password, which fixed the problem for possibly a whole hour.

    What a nightmare that place was. They also used a Windows PC to do a nightly FTP transfer from a mainframe in the Netherlands, and the downloaded files would periodically and unpredictably be unusable. This mystery had been around for ages before I was asked to take a look and quickly found that they did not know that an EBCDIC to ASCII conversion was taking place during the transfer and even more quickly found that the default conversion in the FTP client was not quite right.

  14. Drew Scriver

    Good ol' gov security. Of the people, by the people, and for the people.

    Back in the 90s I had a summer job as a mail carrier in a European country. We had to do a final sort of the mail at the distribution center (centre) before we loaded everything on our bicycles for delivery. As one might expect, the distribution center had some security, complete with coded door locks. Very fancy for those days. Of course, everyone used the same code, but at least the code lock looked impressive.

    About six months after this summer job I suffered the agony of a flat tire (tyre) on my bicycle. Of course this was the one time I didn't have my repair kit on me and it was after 6 so all the stores were closed.

    Nearing desperation (I had a 1.5 hour bike ride home ahead of me - much longer if I had to walk) I realized (realised) that I was very close to said postal facility. Which, of course, had ample repair kits since all their carriers rode bikes to delivery the mail. I rang the door bell, but this being after hours and all nobody answered.

    The fancy code lock beckoned...

    Nah - probably not a good idea.

    I rang the bell again, with the same result.

    The fancy code lock winked at me...

    Nah - not a good idea. Besides, they would surely have changed the code after giving it to a bunch of snot-nosed students that summer.

    The fancy code lock begged me, pleaded with me, assured me all would be well.

    Considering my plight, I agreed with the fancy code lock and punched in the code I still remembered from my hated summer job.

    I was awarded with a satisfying click and the door swung open...

    PS

    Yes, there was still someone in the building who found me and demanded to know how I got in. And no, he had no idea where the repair kits were kept. And yes, he was happy to walk with me to the manager's office where I showed him in which cabinet the kits were kept. Did I need help fixing my flat? Nah - I'll manage. Thanks, though.

    1. A.P. Veening Silver badge

      Re: Good ol' gov security. Of the people, by the people, and for the people.

      How long did that discussion with the code lock take? Two or three tenths of a second?

      1. Drew Scriver

        Re: Good ol' gov security. Of the people, by the people, and for the people.

        Less. There was an immediate understanding ;-)

  15. Chozo
    Pirate

    Bad habits == hours of fun

    Throughout the eighties and well past Y2K there was an industry wide bad habit of setting the engineers override pin code on all commercial intruder & fire alarms the same as the last 4-6 digits of the installation company's phone number. This doesn't sound too bad till you realise that often the company name and contact number is stuck to the box... Go on push the buttons, you know you want to

  16. Stevie Silver badge

    Bah!

    I worked a contract in a place that printed high security documents. I had to pass through half a dozen security locks, each a booth made of strong wire chainlink-ish stuff with a closed circuit camera to give me a good going over as I progressed nearer and nearer the programming suite (a co-incidence; the computer was not the reason for the security, the piles of printed paper were).

    Once there I could step into the machine room, which was housed in a wooden shed attached to the rest of the building.

    Said shed had a six-inch hole in the outer wall through which the carpark could be clearly seen. Hole gnawed by computer-curious vermin was the best guess.

    A mainframe computer in an open-air conditioned environment was unique in my experience to date.

    But a high security area which could be entered by snapping bits off a wall e.g. by grabbing the edges of said hole and pulling really hard was a pisser.

    Ah, the good old days.

    1. Lilolefrostback

      Re: Bah!

      It's always amusing to see security for tech firms set up by non-technical types.

      Years ago, I landed a job with a tech company in Texas (no names). Not knowing anyone in Texas, I figured I spend some evenings roaming around doing some photography. I didn't want to leave my (film) camera in a HOT car, so I asked the head of security (retired police chief) if I could bring it into the building. No. Could I leave it at the security desk? No. Ah well.

      Now, the interesting bit is that I could bring in a briefcase or backpack and it would never be searched. Never. So I could sneak in a camera. Or I could just print documents out and lug them home. Or I could fax the documents (no PIN needed) anywhere in the world.

      Yes a camera could be used to steal valuable IP. But it would be the least efficient method at my disposal. SMH.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        On the other hand...

        Worked at a site with guns, gates, and guards. Unfortunately the guards' jurisdiction ends at the gate, but at least their eyesight doesn't. Upon observing an individual carefully photographing the gate area, they called local law enforcement. LE couldn't arrest the individual (what's the actual crime?) but did their level best to discourage security tourism

        Good to go? Not yet.

        Both the police department and employer sued for "racial profiling". Some times you cannot win.

  17. Anonymous Coward
    Anonymous Coward

    Passwords changed - almost

    Many moons ago, I was asked to take on the IT management role of a small business. Their system a file and mail server for ~20 NT4 desktops had been set up by an IT professional from one of the parent organisations, but then the ongoing responsibilities were passed to the office manager. This IT malarkey was relatively new to her so she was sent on a week long introductory course. Six months later she left and I was asked to take over (being one of the staff engineers providing the actual, non-IT, services to clients). She’d passed over the admin login details before leaving and I set about diving in to see how the system was set up. I had a fair idea as I’d been pally with the guy who set it up and he’d given me the admin login details when he left (as a backup, just in case management lost their copy).

    I saw that the office manager had reset the password when she took over (as her training course drummed this in as one of the first duties when taking over a system). However, the training hadn’t pointed out that server backup software also needed the password updated. A quick look at the backup log showed error messages regarding no access authorisation. For six months, the daily and weekly backup tapes that had been religiously run and securely stored were almost blank. Luckily, there’d not been a need to restore anything in that time, but my first task was to ensure we had three good backup sets. A few months later, the Exchange server fell over (another story) and I was glad I had backups.

  18. Shady

    Password hygiene

    I worked for a small biz where network admin was everybody's responsibility. After a couple of backup woes, they made one of the developers assume full responsibility of the network.

    A month later, sick of fielding password resets, he enforced everyone having the same password - the name of the company.

    I went back there as a contractor, some ten years after I'd left - and my username and password, with full rights, logged me in at the first attempt.

    How they're still in business I'll never know.

  19. Anonymous Coward
    Anonymous Coward

    Password-related horror

    At a prior employer, I was responsible for applications running on quite a few servers (not responsible for the servers themselves, just the applications on them), so I had password access to them. Being paranoid, my AD password is long (> 30 characters; yes, I'm nuts). One day, I was logging into a particular server and mistyped my password. Muscle memory being what it is, I couldn't stop my fingers from finishing the password and hitting enter. To my surprise, I was logged in. Confused, as I was sure I had mistyped the password, I logged out and then logged in again, deliberately mistyping the password. And was logged in. With a bit of experimenting, I found that as long as the first N characters were correct, the rest of the characters did not matter.

    I called the admin who was responsible for the servers themselves. Turns out, one of our servers ran a very old version of its OS and for some reason could not be upgraded, but it could not handle passwords of more than N characters. So rather than single it out, AD passwords had been universally compromised so that only the first N characters (and N was frighteningly small) were relevant.

    Posting anonymously to protect the guilty.

    1. Robert Carnegie Silver badge

      Re: Password-related horror

      This sentence has about one bit of randomness per key stroke. Memorable, ish, but you may as well be typing a binary number.

      For me: alphanumeric with 1 initial capital - but all symbol values are random. Abcdefgh12 - or for a rare system that insists on a symbol, Abcdefgh12! (These aren't the random ones.) To avoid other stupid password filters (parse that carefully), I may exclude repeated letters and all vowels. Because they do.

      Long long long ago, I tried and failed to set a UNIX password to "moscow". That's because SCO UNIX banned passwords containing string "SCO".

      1. A.P. Veening Silver badge

        Re: Password-related horror

        Long long long ago, I tried and failed to set a UNIX password to "moscow". That's because SCO UNIX banned passwords containing string "SCO".

        You should have used "Moskova", would have passed with the additional benefit of it being a correct transliteration of Cyrillic.

        1. Rich 11 Silver badge

          Re: Password-related horror

          a correct transliteration of Cyrillic.

          It isn't. You'd need to drop the second O to correctly transliterate Mockba.

          1. A.P. Veening Silver badge

            Re: Password-related horror

            Thanks, I did it from memory and Russian isn't in my personal top ten of most fluent languages.

  20. Do Not Fold Spindle Mutilate
    Devil

    Password must be politally correct

    When I was hired a god id had the password 'god', without quotes of course. So after a couple of months the password had to be changed and since there was no minimum length another new hire changed the password to 'allah'. A bunch of Evangelist Christians complained verbally. I replied that I would change things and what I actually changed was the title of the standards 'Bible' to 'Policy and Procedures.'

    1. Rich 11 Silver badge

      Re: Password must be politally correct

      A bunch of Evangelist Christians complained

      Complaining is in their job title.

      1. GloomyTrousers

        Re: Password must be politally correct

        > Complaining is in their job title.

        And, counting the downvotes, I see there's three of them (currently) who have been here.

  21. Anonymous Coward
    Anonymous Coward

    angry but trying to be honest and nice

    anonymous for the obvious reasons.

    Years ago the place I worked for was stuck with a vendor's crappy software, one of those long term contracts. I had already reverse-engineered several features of the thing as it was a mess, when I found their main developer's credentials en clair, just like that, in the middle of a goulash of code.

    I immediately ran to my supervisor, as, in the previous months, I had developed quite an adversarial relationship with that bloke and his box, who refused to see any sense, something my supervisor knew about and was starting to get concerned.

    What I wanted was to make sure that he knew that I knew that he knew, etc., that if something happened to the guy on the other end, as he rightfully deserved and it was when rather than if, I had nothing to do with. Supe wasn't overly impressed, but could see some of the twisted logic involved.

    I moved out of such temptation a few months later, and been happier since.

    Wouldn't be surprised that that developer's outfit is gone - I mean, they probably got infected and wiped out at least twice before folding, but I really don't care, and wont't

    Oh what a saint, right?

  22. ShortLegs

    15 years and still active

    Not so much a network password, but my DDI deskphone number, and voicemail, is /still/ active at a telco I left 15 years ago (and has been taken bought out twice over).... I wonder if the seedbox attached to the network in a POP is still there!

    1. swm Bronze badge

      Re: 15 years and still active

      My email still works from a company I haven't paid for at least 15 years.

  23. J27 Bronze badge

    I can confirm that the top-level code monkeys at my employer have domain admin privileges. I know because I'm one of them. It's primarily done because the IT people have no idea how to fix problems with production application servers and databases. Actually, come to think of it our IT people don't actually have access to our production servers. That's weird right? I'm pretty sure that's not normal.

  24. John Tserkezis

    When hacking passwords is the only way.

    Way back about a thousand years ago, our network admin pissed off for a week of something or other, and left an entire department unable to log onto their accounts, due to his Netware 3 admin screwup.

    Since he was the only one with the server passwords, my boss brought it to me to fix it. I informed him without the passwords, I can't do it. The resulting look on his face prompted me to say "if you kinday look the "other way", and give me the keys to the server room, I can "fix" it in several minutes, and said this was the only way, as long as he was happy to look that other way of course.

    Turns out he wasn't keen on that, and instead told the entire department to go home for a week instead.

  25. dnicholas Bronze badge

    Core concept

    My old boss (I was a sysadmin and general IT slave) forgot his new and fancy password and was trying for half a day before fessing up to me. He told me several permutations of what he thought it was while I nonchalantly typed away and I just said "yeah it's the first one with an exclamation mark on the end" as I changed it in AD.

    He was sure I knew all the passwords and was very concerned that I might have been logging in as him and looking at his "photo albums". I did not explain how the file server worked

  26. Thomassmart

    College passwords

    My college used to give all new students a default password at the start of the year with a requirement to change it on first login. The default password was always "Welcome" followed by the year. Login was an incrementing 5 digit student number. Fairly trivial task to then check through this year's series of student numbers to see which ones hadn't logged in yet and use this account to upload a bunch of cracked software, movies, etc to the school network drive, allegedly.

    1. Anonymous Coward
      Anonymous Coward

      Re: College passwords

      Our uni computer dept admin had a text file of every students account with birthdays and default passwords in his home directory, and that was world browseable. We happily used that list to get extra time on systems, or increase our online storage quota. You'd be amazed how many business studies students never signed into the central systems so we essentially had unlimited resources all year long.

      The most ironic part was the admin was on printer desk duty the day we printed out the 300 pages of that list. It took a lot not to flinch when he happily took the reams of paper out of the stack and handed it to us at the pickup desk. One glance at the contents would have made for a somewhat strained conversation.

      1. A.P. Veening Silver badge

        Re: College passwords

        It is a pretty safe bet he knew exactly what you were doing and kept a good eye on it to prevent real problems, but otherwise just let you play.

      2. Roopee
        Headmaster

        Re: College passwords

        A ream is 500 pages so your printout was just 60% of a single ream, not "reams"!

        1. Anonymous Coward
          Anonymous Coward

          Re: College passwords

          Surely that depends on how big you print it?

  27. VikiAi Silver badge
    Facepalm

    I know the BIOS password on the work machines because I worked in the IT section 10 years ago.

    Doesn't do me much good, however, as the last two machines delivered on my desk (3-year refresh cycle) the install-monkey (I can call them that because that was me 10 years ago) had forgotten to set it anyway - I only know because I had to pop in on both machines to disable USB/CD boot as coming back to the machine after hitting the power button and going to get my morning snack while it boots, to find an any-key prompt because of a (non-bootable) USB stick left in the machine is a minor annoyance. !!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019