back to article Sysadmin tells user CSI-style password guessing never w– wait WTF?! It's 'PASSWORD1'!

Can you feel it? The weekend's just over the horizon, so it's time for On-Call, The Register's Friday column in which we share readers' tales of literally incredible jobs that produced improbable feats of sysadminnery. This week, meet “Ron” who told us he used to work for a government agency and sent us a story about how, on “ …

  1. Pascal Monett Silver badge

    "They looked for the password on the CD . . ."

    Dear God. Look, I understand that it was a Friday evening but come on, if you send a password-protected file and the password in the same package, it really totally defeats the purpose of the password.

    The last time I had to send protected data I arranged with the recipient to send said data via email, and the password via SMS. Might not be a perfect solution, but it fits the purpose. I'm sure most people would do the same.

    Of course, the password I chose was a tad more complex - which means that, had the data been sent by me, this story would have ended quite differently.

    1. David 132 Silver badge
      Pint

      Re: "They looked for the password on the CD . . ."

      You forget, this is government we're talking about. Crapita were almost certainly involved.

      Getting them to encrypt the data at all was a minor miracle; sending the password separately (or encrypting the data with the recipient's public key) would never ever have occurred to them.

      It's Friday, and I find myself explaining the meaning of the term "POETS day" to my American colleagues once again --->

      1. mr_souter_Working

        Re: "They looked for the password on the CD . . ."

        the certificate wasn't encrypted - it merely required a password to install it

        Totally bog standard, and when you generate that type of certificate you MUST enter a password - admittedly the password can be a single character, but you do have to provide one......

        I think it's a miracle that it was as complex as PASSWORD1 - I would have assumed password1 as a first guess, or even just 1. Of course, there are no limits on the number of times you can guess the password, so it does make it kind of pointless.

        1. Phil W

          Re: "They looked for the password on the CD . . ."

          Yeah, my biggest criticism of the password being PASSWORD1 would be the 1.

          This password was clearly there because the certificate export process required it, not because security concerns mandated it.

          Given that it would have been better to go with "password" "Password" or "PASSWORD" so that it was easier to guess in circumstances like this.

          Given that this certificate was sent on a CD, probably by courier or recorded mail, no extra security was required, if by some chance it didn't make it to the recipient the certificate could be revoked.

          It's up to the recipient to physically secure the CD i.e. lock it in a safe.

          Security is important to get right, where it is needed, but also important to remove and/or simplify where it isn't.

          1. PassingStrange

            Re: "They looked for the password on the CD . . ."

            It's quite possible that the actual password was simply "PASSWORD". I've worked with more than one system where anything typed beyond the maximum password length was ignored.

        2. Anonymous Coward
          Anonymous Coward

          Re: "They looked for the password on the CD . . ."

          "Totally bog standard, and when you generate that type of certificate you MUST enter a password - admittedly the password can be a single character, but you do have to provide one......"

          No you don't *have* to specify a password. Needing a password means that the certificate is encrypted and that can be removed or not even added in the first place. The -nodes in this command avoids encryption and generates a self signed certificate

          $ openssl req -x509 -new -out cert.crt -keyout cert.key -nodes -days 365

          I suspect that the implementation you use enforces passwords.

          1. really_adf

            Re: "They looked for the password on the CD . . ."

            Needing a password means that the certificate is encrypted and that can be removed or not even added in the first place. The -nodes in this command avoids encryption and generates a self signed certificate

            $ openssl req -x509 -new -out cert.crt -keyout cert.key -nodes -days 365

            No, it avoids encryption of the private key (cert.key). This will show you the certificate with requiring any password, even after doing the above without -nodes:

            $ openssl x509 -noout -text -in cert.crt

            Certificates do not contain sensitive data and so do not need encryption. Just ask (for instance) any HTTPS server, it'll happily send you its certificate.

            Private keys are sensitive, of course. Some file formats, eg PKCS#12, include both certificate(s) and private key(s). In PKCS#12 files, the private key(s) are encrypted, and the file itself has a checksum that uses a password to allow validation of the file's integrity. But IIRC the certificate(s) are still not encrypted in this case.

      2. jake Silver badge

        Re: "They looked for the password on the CD . . ."

        David 123, take it from a Yank: POETS day is well known here.

        1. David 132 Silver badge

          Re: "They looked for the password on the CD . . ."

          @jake: not consistently, it seems! In this corner of Oregon I get blank stares. The funniest was a colleague of mine who tracked me down the following Monday and regaled me with how he'd told his son the meaning of the term, and his son had found it hilarious even though Dad couldn't remember what the P, the E or the T stood for...

        2. Mark York 3 Silver badge
          Coat

          Re: "They looked for the password on the CD . . ."

          Scheduling in Canada......

          OK so I'll do your deployment on Friday afternoon, by the time it's finished you'll be able to celebrate Poets Day, but I guess I'll now have to explain what Poets Day is (again)!

          Don't you come that with me, I know perfectly well what Poets Day is (Shes dropped into a thick Bristol accent) & from the sound of your voice, your not too far removed from where I grew up.

      3. Chris Tierney

        Re: "They looked for the password on the CD . . ."

        @David123 I suspect your perfect Thumbs up score on this comment will end around 12:30pm BST

    2. My-Handle

      Re: "They looked for the password on the CD . . ."

      While I agree with the principle outlined here and would endeavour to follow it myself, real life has taught me otherwise.

      Need to log in to a user's workstation? The password is 1: Under the keyboard, 2: On a post-it stuck to the monitor or, if you're very lucky, written on a notepad in the top drawer under the desk. Number 4, the desired situation of "the user remembering the password" very rarely happens unless somehow enforced.

      I have only once received a password-protected file, a pdf via email, and the password was written in the same email. That's probably a little better than the password for a CD being written on said disc (in that the pdf and the email are separable), but only just.

      1. jake Silver badge

        Re: "They looked for the password on the CD . . ."

        I once found a comprehensive list of login/password pairs written in sharpie on the underside of the leaves of a faux ficus in the office of the secretary of a VP. They included complete access to the corporate mainframes (including R&D). Quite a few people got reamed, and I'm absolutely certain that Amdahl's internal security culture was much better by the time Fujitsu bought them ...

        1. Doctor Syntax Silver badge

          Re: "They looked for the password on the CD . . ."

          "I once found a comprehensive list of login/password pairs written in sharpie on the underside of the leaves of a faux ficus"

          Why were you looking there?

          1. jake Silver badge

            Re: "They looked for the password on the CD . . ."

            I was an consultant doing a security audit. I have no idea why I looked, other than the fact that the fake tree was at arm's length from the secretary's keyboard. I found many other security problems, but that particular one was the worst overall.

          2. Rustbucket

            Re: "They looked for the password on the CD . . ."

            Because they weren't pasted under the keyboard where you'd normally expect them to be.

          3. Alan Brown Silver badge

            Re: "They looked for the password on the CD . . ."

            "Why were you looking there?"

            If your job includes making sure security is managed, you look for such things - including under the keyboard/back of the monitor/in-out trays/top drawer (which is slightly excusable if it can be and is habitually left locked) or on the inside cover of a book on the nearest reachable shelf (usually the one that looks the most handled, surprise surprise)

            Our standard policy is to lock all the accounts and replace the postit or whatever with one that says "Come and see security. NOW"

        2. anothercynic Silver badge

          Re: "They looked for the password on the CD . . ."

          @jake, that's actually impressive... using the leaves of a faux ficus as password list... That they gave full access to the company mainframe is... unfortunate. But the use of the plant shows some thought process. ;-)

      2. HandleAlreadyTaken

        Re: "They looked for the password on the CD . . ."

        >Need to log in to a user's workstation? The password is 1: Under the keyboard, 2: On a post-it stuck to the monitor or, if you're very lucky, written on a notepad in the top drawer under the desk.

        And this can be fine, if you understand your security threat; if your attacker has physical access to your office, you have bigger problems. Passwords under keyboards can't be read by hackers in Russia or China, which are in most cases the bigger risk.

        Add the fact that many companies with bad understanding of security require passwords to be at least 75 characters long, contain mixed case letters, digits, and at least two wingdings, and be changed every full moon and you can't reasonably expect users to memorize them.

        1. Alan Brown Silver badge

          Re: "They looked for the password on the CD . . ."

          "if your attacker has physical access to your office, you have bigger problems. "

          When was the last time you vetted your cleaning contractor's staff?

    3. Lee D Silver badge

      Re: "They looked for the password on the CD . . ."

      Teacher's Pensions will happily send out certificates without passwords, by unencrypted email, to anyone who happens to work at a school.

      If you make a fuss about not being able to install it on more than one computer, they include the private key in the certificate too, so you can export it and move it around multiple computers.

      But then, those certs are client certs used to authenticate to their website which itselfs score an F- on the Qualsys SSL Labs tests and has done for years. Literally everything from SSL1 to vulnerability to everything under the sun. Nobody seems to notice or care.

      P.S. They charge something ludicrous like £80 for each person you need a certificate for, and for re-issues etc.

      1. IrishFella

        Re: "They looked for the password on the CD . . ."

        I thought you were joking, good God how do they get away with this - https://www.ssllabs.com/ssltest/analyze.html?d=www.teacherspensions.co.uk

        1. Lee D Silver badge

          Re: "They looked for the password on the CD . . ."

          @IrishFella:

          Wow... for four years, they've been F-.

          Oh... hold on... that's their website front-page. The ACTUAL submission website is:

          https://www.ssllabs.com/ssltest/analyze.html?d=tp-online.co.uk&latest

          I thought they'd come up too far in the world! Though they have improved, it's still the WORST site I've ever seen officially.

          Not like they handle MILLIONS OF POUNDS of people's ultra-secure pensions, or anything. Or things like List 99 barred teaching staff lists... Oh... hold on...

          1. Throatwobbler Mangrove

            Re: "They looked for the password on the CD . . ."

            I thought List 99 didn't exist since whenever the Criminal Records Bureau was introduced?

            Also; why would the pension fund have a copy of it in the first place?

        2. Alistair
          Windows

          Re: "They looked for the password on the CD . . ."

          "good God how do they get away with this"

          It is a pension fund. The lousy security is there so that the pension fund managers can claim that they were raided by "hackers" when it is found to be bereft of funds, and just before they resign and disappear to a small south pacific islands.

      2. Nick Kew

        Re: "They looked for the password on the CD . . ."

        Teacher's Pensions ...

        Why should anyone there care if they get defrauded? It's public-sector, so the taxpayer will pick up the tab.

        I expect they periodically get some bright young thing proposing to fix it. Lesson in life - and not rocking the boat - when they get shown the door.

    4. alain williams Silver badge

      Re: "They looked for the password on the CD . . ."

      Some 8 years ago I opened a bank account with Santander, they did not understand security:

      * they sent the username for on-line banking in a clear text email; the password was in another email sent 1/2 second later.

      * we went in, took all the documents needed to open a bank account (passport, etc); they took a copy; a month later ''we have lost them, please scan and send the images by email". (I refused to do so)

      * I complained that important, security related documents were lost. They assured me that they were quite safe: but were unable to explain how they knew so since they did not know where they were.

      And so it went on. The account has been closed for many years, final statement showing a NIL balance - but every 6 months I get a letter telling me that there are a couple of quid there (I have checked - there is not).

      Muppets

      1. Anonymous Coward
        Anonymous Coward

        Re: "They looked for the password on the CD . . ."

        Had this with TSB after the de-merger from Lloyds.

        Went in and filled all the forms and gave them all the documents to copy.

        Got nothing back for 2 weeks so went in to ask; and got told they had sent it to the wrong department by mistake.

        Had 2nd set of documents made.

        2 weeks later and nothing, so in we go again; oh sorry, we made a mistake and accidentally shredded them.

        Set no. 3 is duly produced, and again we wait.......

        2 weeks later, sorry, we have no record of your application; would you like to make one??

        Oh PISS OFF!!!!

        1. Anonymous Coward
          Anonymous Coward

          Id verification

          I needed to prove my id and was told scanned copies of documents sere nog acceptable and I needed verified copies. Drove 7 miles to the nearest post office. Had a fight with the counter cler who had never heard of the device. Paid £7.50 for her to stamp and sign each copy.What now I asked.Oh just scan and send them too us was the reply. I felt so much better knowing they took security so seriously and were not just ticking boxes

        2. Alan Brown Silver badge

          Re: "They looked for the password on the CD . . ."

          "Had this with TSB "

          Rule one: Always get everything in writing. If you can't get it in writing, RECORD the meeting/call (because they will if there's anything in it they can use against you, or will mysteriously lose the recording if it's something you can use against them)

      2. peter 45

        Re: "They looked for the password on the CD . . ."

        Santander...Muppets? Tell me is is not so.

        All ID information gone missing a couple of weeks after giving it to them? So when exactly that happened to me and they told me that it had never happened before, they were lying? Who knew?

        How about answering the security question of 'whats your address' and to be told I got it wrong. Then finding out they had mixed up my old address and new address. Then being blamed for giving them the wrong information when they were the ones who copied the (correct) address from the utility bill.

        Finally finding a piece of paper containing another customers account details and address attached to the back of a bunch of photocopying they gave me.

        Santander. Only found in the same sentence with 'Security' and 'Data Protection' with the word 'fuckwits' appended.

        1. anothercynic Silver badge

          Re: "They looked for the password on the CD . . ."

          Call them by their old name, please... Abbey. Abbey bloody National.

      3. ssharwood

        Re: "They looked for the password on the CD . . ."

        I recently opened a bank account and was told - by a teller who could see my password in plaintext - that my password was too long and complex. She suggested I pick a simpler password intsead to avoid forgetting my properly complex password. This is why we can't have nice things.

        1. Alan Brown Silver badge

          Re: "They looked for the password on the CD . . ."

          "....told - by a teller who could see my password in plaintext"

          PLEASE name and shame that bank.

    5. Naselus

      Re: "They looked for the password on the CD . . ."

      "if you send a password-protected file and the password in the same package, it really totally defeats the purpose of the password."

      Unlike using the word 'Password' as the password, because that's totally in keeping with Best Practice.

    6. Alfred

      Re: "They looked for the password on the CD . . ."

      It does, but sometimes (maybe not in this case) there's no reason at all for the data to be password protected; there's simply a blanket demand that all data be password protected.

      I sent someone a list of suppliers I'd cut and paste from the internet. Policy was that all data being sent out had to be password protected. Duly zipped it in a password protected zipfile, named "thePasswordIsBeans", with "password = beans" written on the CD.

      Policy obeyed, data protected to the level required.

    7. TheRealRon

      Re: "They looked for the password on the CD . . ."

      I am pretty sure that the password had been sent in a separate letter as good practice would dictate, but we never found it. If only they hadn't chosen such a numpty password it would have been almost competent behaviour from <unnamed outsourced provider>.

  2. T. F. M. Reader

    Movie stuff

    The story seems unfinished. Did the hero get the girl in the end?

    1. Anonymous Coward
      Anonymous Coward

      Re: Movie stuff

      Paid and Layed? You don't; expect much from a Friday :D

      1. CrazyOldCatMan Silver badge

        Re: Movie stuff

        Paid and Layed

        No - she turned him down for not being able to spell..

    2. TheRealRon

      Re: Movie stuff

      I did not get the girl. But I did get paid on time which pleased my wife.

  3. defiler

    I'm unintentionally awesome at work regularly

    At least on a weekly basis. It's a shame that managers, users, basically anybody outside the thin seam of experienced techies ever realises. Until I've left, I suppose...

    1. Rich 11

      Re: I'm unintentionally awesome at work regularly

      "You don't know what you've got 'til it's gone"

    2. mr_souter_Working

      Re: I'm unintentionally awesome at work regularly

      wouldn't count on anyone realising after you leave either - I left my previous job just over a year ago, and only the techs that I worked with (and still ask for my advice on the odd occasion) realise how much work I did.

      1. defiler

        Re: I'm unintentionally awesome at work regularly

        Ach - I bumped into an old boss who'd bumped me. Long, bitter story...

        He did volunteer, though, that since I was away everything kept breaking. People had problems with all sorts of things. All because I wasn't there spinning the right plates at the right times. They had no idea how much of what I did in that place.

        1. Doctor Syntax Silver badge

          Re: I'm unintentionally awesome at work regularly

          "I bumped into an old boss who'd bumped me."

          Sometimes it works the other way round. In this case the boss was actually a client of the company I'd been working up to about 9 months previously. The conversation more or less went "Would you like to come and work for us?". The subsequent interview was more or less "Do you still want the job?". They knew how many plates I'd been spinning.

  4. Anonymous Coward
    Anonymous Coward

    That password is surprisingly similar to the local admin password a certain large company that sets up thin client cloud boxes uses for local admin and leaves in the unattended setup file on the c: drive.

    Incompetence is everywhere...

  5. big_D Silver badge

    One employer

    I worked for had used an external agency to run their support, before I took over the admin role. The agency had reset every employees password to 123456 and set it to "user can't change password". This was so that they could perform "remote support" for the users on their PCs (E.g. setting up network printers, configuring their accounts and copying their settings to new PCs etc.).

    Cleverly, the Exchange accounts all had OWA and ActiveSync activated, so that employees could access their accounts from their smartphones or any web browser...

    The first day was spent locking access to OWA and ActiveSync to all employees without a company phone and forcing those with a phone to change their passwords immediately. The rest of the employees were then informed that the policy had been changed and that they would need to come up with a new password the next morning, when they arrived for work. That caused quite a kerfuffle.

  6. Anonymous Coward
    Anonymous Coward

    I had a boss that kept forgetting his password.

    We'd reset it, he would put in a new one, correctly confirm it, then forget the damned thing the very next attempt. He wanted to use a password manager he found on the internet but corporate policy made that impossible. He kept getting frustrated at forgetting & we kept getting frustrated at having to reset. Then one day the failed attempts & reset requests stopped, he got happy, & we got concerned. Remote into his machine to figure out WTF was going on. We found a "Passwords.Txt" file on his desktop. He had resorted to copy & pasting in the new password into the file, so he could C&P it back when needed. On the one hand we were happy not to have him asking for a reset request every (and I do mean *EVERY* day) but on the other hand it was a serious NoNo. Thankfully someone more senior than I got to explain matters to him, but then it fell on my lowly peon's shoulders to figure out a way to fix it. I ended up asking him if he could remember something from his past that wasn't common knowledge. He thought for a moment, nodded, & changed his password to that memory. It seemed to work for he only required a reminder rather than a reset to get him logged in once again. I later found out that the memory he had used to trigger said password was the name of his first girlfriend. He remembered her rather fondly for very Friday reasons. All his reminder phrase needed to be was "Go visit your girlfriend." Grin, tappity, & Bob's yer uncle.

    1. JimC

      Re: something from his past that wasn't common knowledge

      When desperate I used to suggest "OK, look out of the window, what can you see".

      I don't *think* anyone ever typed in "RedFordFocus"...

      1. Phil O'Sophical Silver badge

        Re: something from his past that wasn't common knowledge

        I don't *think* anyone ever typed in "RedFordFocus"...

        We had a sysadmin who used that method for new users' first-time passwords. People would get new accounts with initial passwords of "BigRedBus" or "PoliceCar"

        1. Stevie

          Re: something from his past that wasn't common knowledge

          "Window?WhoTheFlockHasAWindowFFS?"

          1. CrazyOldCatMan Silver badge

            Re: something from his past that wasn't common knowledge

            "Window?WhoTheFlockHasAWindowFFS?"

            Not every company I've worked for as put the techies somewhere without natural light and away from normal people.

            Just most of them.

            1. Anonymous Coward
              Anonymous Coward

              Re: something from his past that wasn't common knowledge

              My second to last job was in just such a broom cupboard. Two us squashed into a room that wad smaller than the office toilets. Or the server room.

              So just after getting used to it being cramped we got a new manager in... then they added a door out onto our warehouse. So it was now even more cramped and used as a shortcut. Though it did mean I'd occasionally work in the warehouse just to get some breathing room.

    2. Lilolefrostback

      Re: I had a boss that kept forgetting his password.

      For people with that poor a memory, put the password on a business card and stick it in your wallet.

      Most people do a decent job of protecting their wallet. Anything in said wallet will be protected as well.

    3. G.Y.

      Re: I had a boss that kept forgetting his password.

      Dialog re: bluetooth

      me: use the 'phone # of the girl that would have been your girl firiend if only she had said yes

      Turner Whitted (yes, him!): 722...

      Me: hey that's a Seattle 'phone #!

      Turner: I didn't specify the area code ...

      This was the home 'phone of young Kathy Pappas, who is now (&has been for a while) Kathy Whitted.

  7. Anonymous Coward
    Anonymous Coward

    A certain non-technical individual standing within brick throwing distance of me keeps all his passwords to everything on an unencrypted file on his iPhone.

  8. Anonymous Coward
    Anonymous Coward

    Conficker

    Circa 2011, Conficker all over my network, ficking things. Microsoft advise is to enable password complexity (duh).

    Response from the CAB: We can't do that, because managers aren't able to use complex passwords. In other words, people who have a driving licence and are able to vote in elections are nevertheless too stupid to come up with a word and stick a couple of digits and a percent sign on the end.

    1. defiler

      Re: Conficker

      Just for shits and giggles, Password123 meets the Active Directory password complexity requirements. It's not all that complex...

      1. John Riddoch

        Re: Conficker

        For a lot of my POC stuff (mainly on VMs on my laptop) where I don't care about security but can't be bothered fixing the complexity rules, I use "Passw0rd" which meets the necessary complexity requirements. "Password1" will generally get past most rulesets as well.

    2. Anonymous Coward
      Anonymous Coward

      Re: Conficker

      Microsoft's password complexity rules on my dev account are so extreme I have no chance at all of remembering them. In a good month it takes just a few attempts to find words I've never used before and guess what rule I've broken inserting numbers and non alpha chars. Bonus points if I remember it lies about the current rules if you use Firefox.

      So every month my pinboard gets another new password written on it just above the monitor. I think they secretly hate security.

      1. Anonymous Coward
        Anonymous Coward

        I worked at a place where the AD admin wrote the (previous) password policy

        I spent several days (a half day at a time) figuring out passwords that complied with them and not having them accepted. I'd work through the rules, work out the combinations, write them down, enter them and try a few times in case I'd mis-keyed. Helpdesk would help by setting the password to the day of the week and I'd live with that for the rest of the day then change on login the next day, with same result.

        It took several goes and my talking to my boss (IT Director) to get the admin responsible to look at the problem and say (not an admission) that of course he didn't apply the rules he'd written, he just left the default settings. I rewrote the password policy. I've no idea if they're applied.

        He's still working there. I'm not.

    3. phuzz Silver badge
      Happy

      Re: Conficker

      Something along the lines of Password123 is my go-to "I need an initial password to give to the user before they change it" password.

      Which of course means it's used as the sole password all over the place. I drove past my old employers recently, and while they've moved offices since I worked for them, it's still the password for their guest wifi.

      (Actual password changed to preserve some of my anonymity)

      1. Anonymous Coward
        Anonymous Coward

        Re: Conficker

        Recently went back to the boozer which was next door to the company I used to work for. Whilst there and waiting for a mate to turn up I watched updates finish on my phone. It is supposed to update over wifi only not celluar and was doing so because it had connected to the company wifi The password was very easy to guess and before leaving I said they should change it to prevent unauthorised access. Obviously following best practice they hadn't bothered and had just left it.

      2. Alan Brown Silver badge

        Re: Conficker

        > "I need an initial password to give to the user before they change it" password.

        Only acceptable if you ALSO set "force password change at next login"

        Personally, I do that every time I have to set a new pass for a user, even with some randomness in it.

        It means they can't blame me for the non-secure password they _do_ choose.

  9. Mystic Megabyte
    Happy

    rtfm

    I used to keep unimportant passwords in a file called README.TXT on the assumption that nobody is ever going to read it.

    1. Nick Kew

      Re: rtfm

      I used to keep unimportant passwords in a file called README.TXT on the assumption that nobody is ever going to read it.

      :-)

      My practice has kind-of evolved over the decades, from a few passwords barely better than PASSWORD1 to many passwords I have to keep in a special directory called passwords. All my stuff there, from unimportant things like my login at El Reg, to others like my bank, stockbroker, and HMRC.

      Lots of files there you really couldn't mistake if you were looking. Like, for instance, "theregister.gpg".

      1. ROC

        Re: rtfm - password logging

        I usually make up the password in an email draft that is not normally sent. Note that is on a local POP3 account, so no IMAP replication, and not sent unless it is a convenience account (such as discussion fora like this one).

        That is for private use nowadays since I retired a couple years ago. When I was working, I would put it in my phone's "Notes" section for my own contact info in some cases, or a post-it that I kept around my desk at home as I worked from there 90% of the time my last 10 years or so. Considering how many post-it scraps littered up my home "work" desk with my random filing system of paper piles, it was fairly safe in obscurity mode as it was scruffy looking with no mention of which password it was...

  10. wolfetone Silver badge

    " I allowed my altruism to win over my cynicism, took off my jacket and sat down to help.”"

    Yeah this used to happen to me when a good looking person was struggling with an IT problem and I offered to help, in the attempt to wow them with my technical prowess.

    Never worked though.

    1. Andy Taylor

      ALWAYS, ALWAYS ALWAYS assist with any issue that affects your salary getting paid on time.

      1. big_D Silver badge
        Pint

        I worked on a contract at a naval dockyard and filled in the vetting paperwork, but I was a last minute addition to the team rolling out the new personnel and payroll system.

        If the vetting isn't complete, you get 3 daily passes and that's it...

        On the fourth day, I turned up at the gate and the security guard didn't want to let me in. I pointed out that my vetting was being processed, but I had to come on site. That didn't impress him.

        Then I informed him, that I was working on the new payroll system and if I didn't come on site, his bank account would be suspiciously empty at the end of the month... I got a 3 month temporary pass.

        1. JimC

          There was a time when I had to rush down to the local Police HQ every now and then to help out with problems with the folks who did the overtime payments. I sort of wanted to get stopped on route but it never happened:

          Cop: What's the hurry

          Me: problem with the overtime payments at **** ****

          at this point I imagined a high speed escort!

        2. matchbx
          Holmes

          I spent 6 years in the Navy, 3 groups of people you don't piss off...

          The folks who process payroll, the folks that process mail....

          or anyone in Medical.... your shot records might go missing....

          1. Roger Varley

            I would add to that list;

            The Tea Ladies

            The Canteen Staff

            (back in the days when they existed)

            1. big_D Silver badge

              Ah, Plessey canteens. They were great.

              I also worked at GEC/Plessey Telecoms in Coventry. The managers could take guests to the on-site company Golf Club for lunch. Great food, silver service. The manager I was visiting was upset one day, when I said I would grab a sandwich in town, because I had to go to the bank, he thought about letting me go to the bank on company time, so that he could get his free lunch.

      2. CrazyOldCatMan Silver badge

        ALWAYS, ALWAYS ALWAYS assist with any issue that affects your salary getting paid on time.

        Three departments to *never* annoy: HR[1], Finance[2] and IT[3]. Because they *will* get their revenge.

        [1] Fancy getting paid the right amount this month?

        [2] Fancy being able to buy $STUFF?

        [3] Fancy being able to log in this week?

        1. J. Cook Silver badge

          I usually add the facilities and security groups to that list, the former because they keep the roof from falling on my head (most of the time) and the latter because they'll bend some of the more petty rules for you when you are nice to them. :D

          1. big_D Silver badge

            Exactly J. Cook. I am always nice to the security guards and / or receptionist when I go somewhere new. They know their way around, they can help you out and they know the short cuts to get you what you need.

            If you rub them up the wrong way or are snooty to them when you first come on site, you will find your time there very difficult.

    2. Steve the Cynic

      You need an entirely different sort of prowess if you're looking to wow non-IT staff.

  11. Oengus
    Pint

    Favourite

    If I have to put a password on a file that really doesn't need the password but some numpty insists I password protect the file I like to use something like "What password" or "There is no password"...

    When the user asks what the password is I look at them blankly and repeat the password. It takes some of them ages to realise that I am telling them the password. Some will argue for ages that there is a password and don't get the joke... I just keep repeating the password.

    1. Andy Taylor

      Re: Favourite

      My favourite is blank as in "The password is blank".

      1. Alister

        Re: Favourite

        The password is "secret" was always a good one as well...

        1. Mike 16

          password is secret

          Happened to me. Bought some surplus industrial-control systems (Idris. Ask grandpa). Had to call the vendor to get the root password. yep.

    2. Phil O'Sophical Silver badge

      Re: Favourite

      Who's on first base...

      (Youngsters may need to Google it)

      1. David 132 Silver badge
        Thumb Up

        Re: Favourite

        Who's on first base... (Youngsters may need to Google it)

        As always, there's an SMBC comic to subvert that one.

    3. Daedalus

      Re: Favourite

      It all depends who's on first....

      Or what's on second.

    4. Midnight

      Re: Favourite

      There are quite a few low-security systems around me where the password is "I already told you that."

    5. Anonymous Coward
      Anonymous Coward

      Re: Favourite

      Or set the password to something like - Idontknow

      "What's the password?"

      "I don't know"

  12. Christoph
    Mushroom

    Not a patch on the time Richard Feynman took only a couple of guesses to open the set of safes containing a complete copy of all the data for the Manhattan Project.

    He put a note in one of them saying "Guess Who" and locked them again.

    1. Midnight

      ...Followed by Feynman becoming quite unpopular with the secretaries and personal assistants due to a directive from On High that if he has spent any time at all in their offices, they needed to immediately change the combination of the filing cabinet and safe.

    2. Daedalus

      Feynman's Rule

      Actually what he did was put "Wise Guy" in one, "Same Guy" in the second, and "Feynman" in a third. The hapless victim opened "Same Guy" first and declared "It's the Same Guy! The one who's been trying to get into Area X!" (actually the result of a lot of false alarms by dozy guards). He then opened "Wise Guy" and panicked all over again. Finally he opened the last one and hugged his tormentor out of relief.

  13. Doctor Syntax Silver badge

    A client for whom I used to do occasional work got so pissed off with the support from a package vendor* that he cracked the licensing file in order to not have to keep paying their "maintenance" charges. On the basis that I really wanted to keep my distance from that I didn't pay too much attention to how he did it - I think it was simply a matter of resetting some text every few months or updating some date related number.

    *He had my sympathy. One gem was that I ended up having to edit the Informix sysindexes table to bring it into line with the actual indexes their C-ISAM S/W had created.

    1. Anonymous Coward
      Anonymous Coward

      I have had to crack fully licensed software with dongle protection several times just so it actually becomes usable.

      Either it's old and the dongle is lost/broken, the check simply doesn't work on some computers, or it needs to work on thin clients without USB ports.

  14. Zippy's Sausage Factory
    Facepalm

    Movie hacking is based on the idea that people are idiots.

    Turns out that in the real world, people are idiots.

    Who knew?

    1. I ain't Spartacus Gold badge

      That's often how Bletchley Park did it.

      One of the breakthroughs (on the Lorenz code I think) was because some radio operator had mistyped one word in a signal. So with identical machine settings he re-sent the entire message with just that one letter corrected.

      This gave them a message that started identically and then diverged - giving lots of lovely clues on how it worked.

      1. Alan Brookland

        That was the work of Bill Tutte on the reverse engineering of Lorenz. Boggles the mind how they worked that one out.

        https://www.codesandciphers.org.uk/lorenz/fish.htm

        1. I ain't Spartacus Gold badge

          As I was typing it I was thinking, "and how the hell does that help exactly?" All it means is that you've now got two incomprehensible gobbets of letters, instead of one. So you've actually made the job harder as you've now got more work...

          It helped them to spot mathematical patterns, of course. Which would be no bloody use to me, being a bear of very little brain.

          What's even more astounding is that they had an Enigma machine to play with, smuggled out of Poland, and then later got some from captured subs. Whereas they never got a physical Lorenz machine, and had to work everything out from just the signals they saw.

          Damned clever chaps!

      2. Andy Taylor

        Lorenz break

        The actual story is the radio operator broke several rules. First by sending the wheel settings in clear text at the start of the message (HQIBPEXEZMUG), second by resetting back to the same starting position to re-send the message that hadn't been received, third by abbreviating words (the second message was almost 500 letters shorter than the first).

        These two messages directly led to the breaking of the Lorenz cipher and the building of the world's first electronic computer.

      3. Maty

        I recall listening in despair on the radio as some numpty of a reserve officer - in a combat zone - gave his unit's map location in clear. Then realizing his error, he gave the same map location again, in code.

  15. 9Rune5

    Simple statistics

    Not to brag, but guessing the right password is just a matter of simple statistics really.

    "In the fragile reality of Discworld, and with the gods who like to play games, a million-to-one chance succeeds nine times out of ten."

    (Why is the "Discworld" icon missing?)

  16. Lloyd

    Pft, amateurs

    Ours are Password123

    1. I ain't Spartacus Gold badge

      Re: Pft, amateurs

      I know someone who changed one of their accounts to:

      Username: password

      Password: admin

      Which is actually surprisingly hard to enter, as your hands just automatically try to type them in the other way round, whatever your brain tells them to do.

      1. Trollslayer

        Re: Pft, amateurs

        That is a brilliant idea!

  17. Field Commander A9

    Just try to set a password to VMware's Photon OS

    I challange you to come up with a password accpeted by that OS without you needing to write it down.

  18. Anonymous Coward
    Joke

    My default password is "密码", if numbers are required it is "密码123"

    1. Anonymous Coward
      Anonymous Coward

      Ooh you are awful ! But I like you.

  19. Mike 16

    So many memories

    1) An employer had pretty much every Windows machine in one (literally globe-spanning) domain, with a password consisting of the company name and some numbers in an easily recognized sequence (because best practices require changing it periodically...) "network neighborhood" took several minutes to populate.

    2) Another employer had a handy feature for any Windows user who occasionally had to log into the Unix systems. Complete with a drop-down menu of all the usernames, and no password needed (Because SSH is secure, right?). "Who do you want to be today?"

    3) Offices with windows (The real sort)? Not me. At yet another employer, those went to the folks who made the concept drawings (literally, on paper) for presentations of upcoming products. On the ground floor, next to public parking, drawing boards facing out for the best natural light.

  20. Kevin McMurtrie Silver badge

    Ops

    I've worked at several places where critical network passwords were a big deal. They came from secure generators, they were long, and they were not allowed to be stored in digital form. Only a select few people could ever touch one. Hours were spent changing them if there was the slightest suspicion of one being compromised.

    That meant that you walked over to the desk of one of the select few, opened the top drawer, and grabbed the Post-It Notes. Threatening to read one aloud was all the power you needed.

  21. eJ2095

    Bit late i know

    We normally get the users laptop passwords / bitlocker keys cellotaped to the laptop..

    We then have to tell them not to do this and why but goes in one ear out the other

  22. This post has been deleted by its author

  23. arctic_haze
    Facepalm

    How stupid is this?

    I am a customer of a bank which is so stupid it makes the clients choose a password for telephone communications with them and then when calling you trying to sell you some financial products (every time from a different number), they ask you for the password.

    Our civilization is on the verge of collapse.

    1. My-Handle

      Re: How stupid is this?

      I would be sorely tempted to give them a different password every time they call, and I can get quite inventive with random passwords.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like