Free Republic

Using the Password 'admin123' Wasn't as Bad as Sharing it on Slack
The Register | Thu 23 Apr 2026

Posted on 04/24/2026 3:09:37 PM PDT by nickcarraway

Keeping it simple for the developers can lead to very complex headaches later

PWNED Welcome back to PWNED, the column where we celebrate the people who’ve taught us how not to secure a server. If you’ve ever tied your own shoelaces together, then tripped over them, or attempted to dive into a swimming pool but hit your head on the diving board, we’ll be talking about your cyber equivalent.

This week’s connected kerfuffle comes courtesy of Gregory Shein, founder and CEO of software development firm Nomadic Soft. One of his clients made the fateful decision to prioritize convenience over security, leading to some serious data loss.

The client in question wanted to “keep things simple” for their team, so they used the same administrative password for both staging and production environments. That password was the hard-to-guess combination of “admin123.”

According to NordPass, which makes password management software and maintains a list of the 200 most common passwords, “admin123” is the 10th most popular password in the world. “Admin” by itself takes the second spot, while “123456” leads the pack. So if they were looking for high security, they came to the wrong place.

To make matters even worse, the company pinned the password in a Slack channel, just so that everyone who needed it would find it easily. Even if the password were “Vu+}?8wV?5TPy2cLBqc=,” this would have been a bad idea.

A few months after the client first shared the password around, a former contractor logged in to do some “testing.” But instead of benchmarking the software, they ended up triggering a full data wipe. Whoops!

According to Shein, the client had spent more than $30,000 on security tools. So we’ll guess they were surprised to find out that they’d lost their data in this fashion.

“In SaaS, the biggest threat is rarely technical,” Shein told us. “It is human laziness disguised as efficiency.”

It’s pretty easy to see what we can learn from Shein’s client’s mistake. Don’t share passwords between environments or among users. Make sure that everyone has only the access they need and cut off users who no longer need the access (like a former contractor).

At Nomadic Soft, they’ve introduced forced credential rotation with role-based access. According to Shein, this change reduced unauthorized access attempts by a full 60 percent in a period of just three months. I would also suggest that organizations implement multi-factor authentication and replace passwords with passkeys where their systems support them.

“Most teams chase advanced security while ignoring the obvious gaps right in front of them,” Shein said.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request.


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: darwinawards; gregoryshein; nomadicsoft; passwords; security; slack; software


1 posted on 04/24/2026 3:09:37 PM PDT by nickcarraway

To: nickcarraway

Hey, that’s the same code as I have on my luggage!

</Spaceballs>

CC


2 posted on 04/24/2026 3:11:56 PM PDT by Celtic Conservative (Heghlu'meH QaQ jajvam!)

To: nickcarraway

The admins where I work use “Changeme3456”. Security geniuses they are.


3 posted on 04/24/2026 3:19:58 PM PDT by Seruzawa ("The political left is the Garden of Eden of incompetence." -Marx the Smarter (Groucho.))

To: nickcarraway

My password is “password”.


4 posted on 04/24/2026 3:22:55 PM PDT by BipolarBob (Call my personal secretary, Jennie, at 867-5309.)

To: nickcarraway

I am much more sophisticated, I use Admin321.

For the really important stuff I use RELIGIONOFPEACE, no-one will ever think of that.


5 posted on 04/24/2026 3:29:52 PM PDT by PTBAA

To: nickcarraway

The list:

https://nordpass.com/most-common-passwords-list/


6 posted on 04/24/2026 3:32:33 PM PDT by Rio

To: nickcarraway

Does this mean I have to change “abc123” after ten years of use?


7 posted on 04/24/2026 3:36:36 PM PDT by ProtectOurFreedom ( )

To: nickcarraway

I had a college roommate who was a linguistics major. He created a fake language for role-playing games that is basically a substitution code for English. He created it intending to make simple words as unpronounceable as possible for comic effect. I kept a copy of that code and create passwords using a D&D spoof language.


8 posted on 04/24/2026 4:10:41 PM PDT by Fai Mao

To: nickcarraway
Even if the password were “Vu+}?8wV?5TPy2cLBqc=,” this would have been a bad idea.

That's my password! What are the odds!

9 posted on 04/24/2026 4:13:48 PM PDT by Lazamataz (The quickest and easiest way to untold riches is to be elected to national office.)

To: nickcarraway

“Supposedly”, using three or 4 easily remembered but unconnected words is supposed to be the most secure- and something about using numbers symbols and whatnot is not secure because hacker algorithms or something figure them out easier- so something like duckfrogflowerballoon is sposed to be secure-


10 posted on 04/24/2026 4:13:59 PM PDT by Bob434 (NYWAYS)

To: nickcarraway

yeah that sucks, I know firsthand

In my test environment (not production) and in which no machines were domain joined.

there was a shared password so that it was easy to do anything.

Everyone had lives that were made easy.

One day some Dev evangelist, who will remain anonymous mostly because I forget who it was (and some of you might know him), published a code sample on how to do something cool with web pages and included this password in his code sample, mostly 'cause he just did a cut and paste code sample which was using this password to connect to the SQL database.

As soon as it leaked to the entire world people noticed and started emailing the dev, and it was a whole clusterfsck -f -y

actually it was worse than that for reasons I cannot even talk about.

We were able to purge it from the internet mostly immediately and had Google purge it from its cache


11 posted on 04/24/2026 4:29:51 PM PDT by algore ( )

To: nickcarraway
I got stories. I’ve seen it all. The Lords of Stupidity are alive and well on this topic. If you can imagine it, it’s been done by someone. Passwords are the bane of my existence.

To make peace with the chaos, I condone thoughtful, unique words and/or phrases only known by the owner.

If you’re ever curious about whether a password has been compromised at some point, there are several places that hold billions of records from known prior breaches and can tell instantly if that password is vulnerable. Not sure if it violates board rules to link to that stuff. Look around the web. Some nerdy stuff for tonight.

12 posted on 04/24/2026 4:33:00 PM PDT by paulcissa (The left hates you and wants you dead.)
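
Added example, not part of the thread or the Register article: a sketch of the k-anonymity range lookup that breach-password services such as Have I Been Pwned's Pwned Passwords use for the kind of check post 12 mentions, where only the first five hex characters of the password's SHA-1 hash leave the client. The corpus, its counts, and the names `fake_range_server`, `query` and `SEEN_BY_SERVER` are constructed for illustration, and nothing here touches the network.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen.
# The counts are made up for this example.
SAMPLE_BREACH_COUNTS = {
    "admin123": 1200, "123456": 9000, "admin": 5000,
    "password": 8000, "abc123": 3000, "passw0rd": 700,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(counts):
    """Server side: bucket full SHA-1 hashes by their first 5 hex chars."""
    index = defaultdict(list)
    for pw, n in counts.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{n}")   # "SUFFIX:COUNT" lines
    return index

def fake_range_server(index, prefix: str) -> str:
    """Stand-in for the remote range endpoint; it only ever sees 5 hex chars."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return "\n".join(index.get(prefix.upper(), []))

def breach_count(password: str, query) -> int:
    """Client side: send the prefix, match the 35-char suffix locally.

    Returns how often the password appears in the corpus (0 = not found).
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

INDEX = build_range_index(SAMPLE_BREACH_COUNTS)
SEEN_BY_SERVER = []   # records everything that actually leaves the client

def query(prefix: str) -> str:
    SEEN_BY_SERVER.append(prefix)
    return fake_range_server(INDEX, prefix)

if __name__ == "__main__":
    for pw in ("admin123", "passw0rd", "duckfrogflowerballoon"):
        print(pw, breach_count(pw, query))
```

A count of 0 only means the password is absent from the corpus queried; it says nothing about whether the password is shared, pinned in a chat channel, or still held by someone who has left.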

To: nickcarraway

13 posted on 04/24/2026 4:48:27 PM PDT by dfwgator ("I am Charlie Kirk!")

To: BipolarBob
My password is “password”.

Diabolical.

14 posted on 04/24/2026 5:20:42 PM PDT by TangoLimaSierra (⭐⭐To the Left, the Truth is Right Wing Violence⭐⭐)

To: nickcarraway

I use passw0rd. Pretty clever, eh?


15 posted on 04/24/2026 6:21:27 PM PDT by citizen (A transgender male competing against women may be male, but he's no man.)

To: All

We’re not supposed to keep these secret, are we?


16 posted on 04/24/2026 6:24:33 PM PDT by citizen (A transgender male competing against women may be male, but he's no man.)

To: nickcarraway

https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/276304

Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

Article ID: 276304

Article Last Modified on 1/29/2007

APPLIES TO

Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Service Pack 1

This article was previously published under Q276304

SYMPTOMS

If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message:

Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes.

Note that the number of required characters changes from 17,145 to 18,770 with the installation of SP1.

NOTE: This is not a common case; it occurs only when you configure Windows 2000 to authenticate against an MIT Kerberos domain.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

Date         Time     Version         Size      File name
03/08/2001   06:43p   5.0.2195.3351   331,536   Msgina.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

I remember when this was an issue at MIT


17 posted on 04/24/2026 6:30:37 PM PDT by algore ( )

To: TangoLimaSierra

You just have to out think them.


18 posted on 04/24/2026 6:42:13 PM PDT by BipolarBob (Call my personal secretary, Jennie, at 867-5309.)

To: nickcarraway

EVERYONE knows you use a capital “A”


19 posted on 04/24/2026 7:53:20 PM PDT by Organic Panic

To: algore
We were able to purge it from the internet mostly immediately and had Google purge it from its cache

BTW, is that the sort of thing "CrowdStrike" does for the Dems when they need to erase evidence, say of assassinations and other nefarious criminal collaborations? The Dems always seem to be writing big checks to CrowdStrike right after such events.

20 posted on 04/24/2026 8:07:19 PM PDT by Tellurian (Any cleverness from a DemonicRat is quickly invested in deception. Ds are world class deceivers.)

