This is one of the greatest inventions. Ever. Really.
Some people are so lame I'm ashamed of sharing the planet with them. The story is about people working from home and logging in to a secure gateway giving them full access to the company intranet. The system administration is outsourced, and all users get a new username/password combo for the gateway:
"Each user name was first initial and last name," fish reports. "Each password was initials and phone number. For example, user John Smith at phone extension x1234 would have a user name of jsmith and a password js1234. Users were not allowed to change their password from the official one."
Fish is dumbfounded — anyone who knows the system and has access to the company phone directory can now log in through every employee's gateway account.
Life is too good for consultants building that sort of system. Too bad security "mistakes" of that magnitude aren't lethal to the kind of — supposedly — security professionals building it.
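The scheme in the quote fails because every password can be computed from the phone directory. As an added example (not part of the original post or of the gateway's code), here is a check that a provisioning or password-change hook could run to reject passwords made up only of a user's directory attributes; the record field names and the separator list are assumptions.

```python
import re

def directory_tokens(record):
    """Lowercased strings anyone can read off the phone directory entry."""
    first, last = record["first"].lower(), record["last"].lower()
    ext = re.sub(r"\D", "", record["extension"])   # "x1234" -> "1234"
    candidates = {first, last, first[:1], last[:1],
                  first[:1] + last[:1],            # initials, e.g. "js"
                  first[:1] + last,                # gateway user name, e.g. "jsmith"
                  ext}
    return {t for t in candidates if t}

def is_directory_derivable(password, record):
    """True when the password is nothing but directory tokens glued together,
    ignoring case and the separators space . _ -"""
    pw = re.sub(r"[\s._-]", "", password.lower())
    tokens = directory_tokens(record)
    # reachable[i]: pw[:i] can be written as a concatenation of tokens
    reachable = [True] + [False] * len(pw)
    for end in range(1, len(pw) + 1):
        reachable[end] = any(
            reachable[end - len(t)] and pw.endswith(t, 0, end)
            for t in tokens if len(t) <= end)
    return reachable[len(pw)]

if __name__ == "__main__":
    # Constructed record, using the example from the quote above.
    john = {"first": "John", "last": "Smith", "extension": "x1234"}
    for candidate in ["js1234", "JSmith-1234", "1234.smith", "Tr0ub4dor&3"]:
        verdict = "reject" if is_directory_derivable(candidate, john) else "pass"
        print(f"{candidate!r}: {verdict}")
```

A password that passes this check can still be weak (`js1234!` passes), so it complements length and breached-password checks rather than replacing them.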