Do I look like Lord Helmet to you?

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Do I look like Lord Helmet to you?

Post by The Conservative » Tue Aug 06, 2019 4:38 pm

Seriously, do people not take passwords seriously?

I've been doing IT since 1996, and I've got some stories that people think are memes only... they aren't. In many cases they really happened to us.

Anywho, here is my story.

Here I am taking in a laptop because it is having issues with Outlook (nothing new in my environment). The engineers constantly try to fix things; well, let's just say Bethesda has a better record of successfully patching anything.

I try the standard: check AD to make sure they aren't locked out, go through the keychains and delete, then add back, etc... to no avail.

I need to test a few things in the admin side to see if it's a user issue or a computer wide issue (OS, etc), so I ask for their login password because well, I don't want to keep them here, since they have a meeting to go to.

The user gives me their password. Test1234&
I've also had people tell me:
  • Today1234
  • Yesterday1234
  • Monday1234 (And every day of the week otherwise noted)
  • August1234 (Or any other month)
  • Password1234
These people are DEVELOPERS, and DATABASE ENGINEERS! WTF people!

They are getting paid normally close to or more than I am, and they have a password my son can crack and he's 4...

We don't give them these passwords, we give them a temporary password which is made by a random password generator... These people make their passwords this...

I give them a booklet upon the welcome aboard from IT, and it specifically says what to do and what not to do, and the one thing it says not to do is to use any password that is easily guessed.

I really am too old for this crap.
#NotOneRedCent
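The passwords listed in this post share one shape: a common base word (a test word, "today", a weekday, a month) followed by a sequential digit run and maybe a symbol. That shape is easy to reject at password-change time. The Python below is an added example, not code from the thread or from the poster's organization; the 12-character minimum, the 4-digit run threshold and the base-word list are assumed policy values, and the sample passwords are the ones quoted in the thread.

```python
"""Weak-password pattern check (added example, not from the forum thread).

Rejects a password when it is built from a banned base word (test, password,
today, a weekday or a month name) or carries a sequential digit run such as
1234. MIN_LENGTH and SEQ_RUN are assumed policy values, not the poster's rules.
"""
import calendar
import re

MIN_LENGTH = 12   # assumed minimum length
SEQ_RUN = 4       # assumed length of a digit run worth flagging

# Base words quoted in the post, plus every weekday and month name/abbreviation
# (calendar gives English names under the default locale).
BANNED_WORDS = {"password", "test", "today", "yesterday", "tomorrow",
                "welcome", "admin", "letmein"}
BANNED_WORDS |= {d.lower() for d in calendar.day_name}
BANNED_WORDS |= {d.lower() for d in calendar.day_abbr}
BANNED_WORDS |= {m.lower() for m in calendar.month_name if m}
BANNED_WORDS |= {m.lower() for m in calendar.month_abbr if m}


def has_digit_run(password: str, run: int = SEQ_RUN) -> bool:
    """True if any digit substring holds `run` consecutive ascending,
    descending or identical digits (1234, 4321, 1111)."""
    for digits in re.findall(r"\d+", password):
        for i in range(len(digits) - run + 1):
            window = [int(c) for c in digits[i:i + run]]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Each alphabetic run is a candidate base word; case is ignored, so
    # PASSWORD, Password and password are all caught.
    for word in re.findall(r"[A-Za-z]+", password):
        if word.lower() in BANNED_WORDS:
            reasons.append(f"contains banned word '{word.lower()}'")
    if has_digit_run(password):
        reasons.append(f"contains a run of {SEQ_RUN} sequential or repeated digits")
    return reasons


def is_acceptable(password: str) -> bool:
    return not check_password(password)


# Constructed sample set: the passwords quoted in the thread plus one long
# phrase that a pattern check alone cannot fault.
SAMPLES = [
    "Test1234&", "Today1234", "Yesterday1234", "Monday1234", "August1234",
    "Password1234", "PASSWORD", "ITDidn'tCutRealEngineeringCoursework123",
]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdict = "ok  " if is_acceptable(pw) else "WEAK"
        print(verdict, pw, "; ".join(check_password(pw)))
```

A check like this belongs in the password-change path (or in a blocklist fed to the directory's password filter), not only in the onboarding booklet: the booklet says "nothing easily guessed", the check says what that means and refuses it.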

Speaker to Animals
Posts: 38685
Joined: Wed Nov 30, 2016 5:59 pm

Re: Do I look like Lord Helmet to you?

Post by Speaker to Animals » Tue Aug 06, 2019 4:40 pm

ITDidn'tCutRealEngineeringCoursework123

That's the best password right there.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Do I look like Lord Helmet to you?

Post by The Conservative » Tue Aug 06, 2019 4:49 pm

Speaker to Animals wrote:
Tue Aug 06, 2019 4:40 pm
ITDidn'tCutRealEngineeringCoursework123

That's the best password right there.
Yeah, and you need to realize I am their boss, ultimately. Director of Infrastructure/IT. They fall under my purview.

Each time I find out they use these passwords, I give them a verbal. If I find out they don't change it, I write them up, and if the third time, they get walking papers...

I don't hire them, but I sure as hell fire them... I hire people as managers who are smarter than me, because I know my limitations, and I know how to hire people who will fill in the gaps where I lack.

If these people don't follow security protocols that are not only common sense, which they should know by the time they graduate college general security. If they don't, but risk the biometric and personal data of our clients, and they lied on their resume, or came from India. (or both)
#NotOneRedCent

Speaker to Animals
Posts: 38685
Joined: Wed Nov 30, 2016 5:59 pm

Re: Do I look like Lord Helmet to you?

Post by Speaker to Animals » Tue Aug 06, 2019 4:56 pm

They are not legit developers, then.

IT is beneath engineering in every way.

But funny passwords that piss off IT is a perennial game we play. Don't get too upset.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Do I look like Lord Helmet to you?

Post by The Conservative » Tue Aug 06, 2019 5:21 pm

Speaker to Animals wrote:
Tue Aug 06, 2019 4:56 pm
They are not legit developers, then.

IT is beneath engineering in every way.

But funny passwords that piss off IT is a perennial game we play. Don't get too upset.
Infrastructure is not underneath engineering. Hence why I am a director of both.

And when you deal with terabytes of biometric data you better believe security is important.

Anyway, better password F/k@rD.
#NotOneRedCent

SuburbanFarmer
Posts: 25071
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Do I look like Lord Helmet to you?

Post by SuburbanFarmer » Sat Aug 10, 2019 12:33 pm

Our new warehouse management software has a SQL server backend. Sold as a package product.

That product uses the sa (sysadmin) account for all of its functionality. This is a login that’s not even supposed to be used by humans, or anything outside of the internal database functions.
This was not mentioned to anyone. Ever.

So being the simple fool that I am, one of my first actions was to change the sa password on the server. Which immediately shut down all warehouse functions. Clearly this was my fault for not anticipating their stupidity.

Also, their entire codebase is full of NOLOCK hints - meaning that it just reads ‘whatever’s available’ at that time. Not necessarily the correct data in a table.

Great times.
SJWs are a natural consequence of corporatism.

Formerly GrumpyCatFace

https://youtu.be/CYbT8-rSqo0
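Both problems in this post are findable before they bite: a packaged product that authenticates as `sa` shows up in its connection strings, and NOLOCK hints show up in its T-SQL. The Python below is an added example, not code from the thread or from any warehouse product; the file names and contents are constructed samples, and the "User ID"/"UID" keywords are the login keys that SqlClient and ODBC connection strings accept.

```python
"""Static audit for two SQL Server anti-patterns (added example, not from
the thread or from any vendor's product):

1. application connection strings that authenticate as the `sa` login;
2. T-SQL that uses the NOLOCK (READUNCOMMITTED) hint, which returns rows
   other transactions have written but not yet committed.

Inputs are constructed sample files held in a dict so the script runs offline.
"""
import re

# SqlClient and ODBC accept both "User ID" and "UID" as the login keyword;
# the value must be exactly "sa" (so "User ID=sales" does not match).
SA_LOGIN_RE = re.compile(r"\b(?:User\s*ID|UID)\s*=\s*sa\s*(?:;|$)", re.IGNORECASE)

# Matches WITH (NOLOCK), WITH (NOLOCK, INDEX(...)) and the synonym hint.
NOLOCK_RE = re.compile(r"\bNOLOCK\b|\bREADUNCOMMITTED\b", re.IGNORECASE)


def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, finding) tuples for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SA_LOGIN_RE.search(line):
            findings.append((name, lineno, "connects as sa"))
        if NOLOCK_RE.search(line):
            findings.append((name, lineno, "NOLOCK/READUNCOMMITTED hint"))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan every (name -> contents) pair and concatenate the findings."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def summarize(findings: list[tuple[str, int, str]]) -> dict[str, int]:
    """Count findings per category, e.g. for a CI gate or a vendor ticket."""
    counts: dict[str, int] = {}
    for _, _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample files (hypothetical product, hypothetical server names).
SAMPLE_FILES = {
    "app.config": (
        '<add name="wms" connectionString="Server=WMS01;Database=Warehouse;'
        'User ID=sa;Password=REDACTED" />\n'
        '<add name="reports" connectionString="Server=WMS01;Database=Warehouse;'
        'User ID=wms_app;Password=REDACTED" />\n'
    ),
    "PickList.sql": (
        "SELECT OrderId, Bin FROM dbo.PickList WITH (NOLOCK)\n"
        "WHERE Status = 'open';\n"
    ),
    "Inventory.sql": (
        "SELECT SKU, Qty FROM dbo.Inventory\n"
        "WHERE Qty < 0;\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, finding in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {finding}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The fix for the first finding is a dedicated login for the product with only the database roles it needs, and, before rotating the `sa` password, a look at `sys.dm_exec_sessions` (its `login_name` column) to see which hosts and programs are still signing in as `sa`. For the second, SQL Server's READ_COMMITTED_SNAPSHOT database option gives readers non-blocking reads of committed data, which is what NOLOCK is usually reached for without the dirty reads.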

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Do I look like Lord Helmet to you?

Post by The Conservative » Sat Aug 10, 2019 12:41 pm

SuburbanFarmer wrote:
Sat Aug 10, 2019 12:33 pm
Our new warehouse management software has a SQL server backend. Sold as a package product.

That product uses the sa (sysadmin) account for all of its functionality. This is a login that’s not even supposed to be used by humans, or anything outside of the internal database functions.
This was not mentioned to anyone. Ever.

So being the simple fool that I am, one of my first actions was to change the sa password on the server. Which immediately shut down all warehouse functions. Clearly this was my fault for not anticipating their stupidity.

Also, their entire codebase is full of NOLOCK hints - meaning that it just reads ‘whatever’s available’ at that time. Not necessarily the correct data in a table.

Great times.
It usually says in the documentation and the initial setup not to use the sysadmin password as the overall password.
#NotOneRedCent

C-Mag
Posts: 28065
Joined: Tue Nov 29, 2016 10:48 pm

Re: Do I look like Lord Helmet to you?

Post by C-Mag » Sat Aug 10, 2019 12:43 pm

The Conservative wrote:
Tue Aug 06, 2019 4:49 pm
Speaker to Animals wrote:
Tue Aug 06, 2019 4:40 pm
ITDidn'tCutRealEngineeringCoursework123

That's the best password right there.
Yeah, and you need to realize I am their boss, ultimately. Director of Infrastructure/IT. They fall under my purview.

If this shit is a continuing problem.

It may be a failure of Leadership.
PLATA O PLOMO
Don't fear authority, Fear Obedience

Speaker to Animals
Posts: 38685
Joined: Wed Nov 30, 2016 5:59 pm

Re: Do I look like Lord Helmet to you?

Post by Speaker to Animals » Sat Aug 10, 2019 1:17 pm

The trick to the uncrackable password is to type password in all caps.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Do I look like Lord Helmet to you?

Post by The Conservative » Sat Aug 10, 2019 1:55 pm

C-Mag wrote:
Sat Aug 10, 2019 12:43 pm
The Conservative wrote:
Tue Aug 06, 2019 4:49 pm
Speaker to Animals wrote:
Tue Aug 06, 2019 4:40 pm
ITDidn'tCutRealEngineeringCoursework123

That's the best password right there.
Yeah, and you need to realize I am their boss, ultimately. Director of Infrastructure/IT. They fall under my purview.

If this shit is a continuing problem.

It may be a failure of Leadership.
That's the point... and now I am aware of it, I took care of it. I've demanded a review of all security protocols and password implementations.

I also stated that passwords need to follow specific criteria, and in this case it is not something to be taken lightly. Those who failed the initial review are now on a written warning, and will be let go if this happens again.

The IT department was reviewed and corrected as well. I had to let two people go because before I showed up they were known to bend rules. I also caught several things on their computer that shouldn't have been there.

I hate letting people go, but I run a fair, but tight ship, and there is no excuse for lax security, especially when personal information we collect is at risk.

I'm in the process of reviewing the entire infrastructure design and finding a few bothersome trends that I will have to fix, or get the departments to fix if I think they are competent enough to do so. I did it at my old job, and it looks like I may have to do it here too.

The engineering department has run rampant as well, and boy they hated being reined in, but I will not allow programmers to be the weak spot.
#NotOneRedCent