Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Unspoken Taboo - The Never Expiring Password

Posted by CowboyNeal on from the silent-threats dept.

anon writes "Every security savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no-one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third party service providers will all have access to these passwords."

4 of 537 comments (clear)

  1. Re:guilty by ATeamMrT · · Score: 5, Interesting
    how many of us computer-savvy are guilty of doing this for our login accounts, web banking, Email, etc? I know i am.

    I am not a cracker or hacker. But I know a guy who uses password trading websites for porn. According to him, once you get a password for one porn website, that same password will work for others. According to him, these porn members use the same password for all sites they subscribe to.

    Once companies start losing money to crackers/hackers, then they will start issuing more complex security.

  2. Re:guilty by Anonymous+Crowhead · · Score: 5, Interesting

    I used to work for a free adult hosting site. We stored the passwords in plain text in a database. One day, just for the hell of it, I pulled out the top ten passwords. They accounted for something like 40-45% of the passwords for more than 250,000 accounts.

  3. Why is it "best practice"? by raehl · · Score: 4, Interesting

    If the new way is so good, how come the world wasn't going to hell before? Did Enron and Worldcom go bust because the passwords wern't changed? Or did they go bust because our government coddles corporate criminals - in the cases suits stealing money is even illegal in the first place.

    I can understand mandating a security protocol for systems that protect information subject to privacy. But if I have a company, and the only thing on my computers is my company's design information, my company should be able to choose the appropriate level of security for our business.

    Why is a password that a user has committed to memory that never changes worse than a password that changes every three months that a user has to write down?

    --
    paintball
  4. Re:guilty by AdamWill · · Score: 4, Interesting

    Mine's a completely random 12-character string. My passwords for every other website (and other password-protected things) I use are also (different) random 12-character strings. They're all stored in my password storage app (gpass), which is protected by one extremely strong password I spent five minutes memorising (and will change next month). This whole thing only took about two hours to set up, and it's certainly worth it in terms of peace of mind.