Comment by jeffbee
8 days ago
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.
Most people are not qualified to handle computer security, is what I learned from that.
When I started my job in 2000, I introduced my fellow (emeritus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.
I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.
Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.
It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.
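The two hunts described in this comment, `ps -ef | grep sqlplus` and `git grep password`, generalize into a small credential scanner. The following is an added example, not code from the commenter or from any project: its patterns (assignment-style `password=`, Oracle `user/pass@service` connect strings, and `scheme://user:pass@host` URLs), its placeholder filter and its sample lines are all constructed for illustration, and the flagging of notorious defaults such as "admin" is meant to catch exactly the training-video case above.

```python
"""Credential hunter in the spirit of `git grep password` and
`ps -ef | grep sqlplus`. Added example; patterns and sample input are
constructed for illustration, not taken from any real code base."""
import os
import re
from dataclasses import dataclass

# Each pattern has a named group "value" holding the candidate secret.
PATTERNS = [
    # key=value / key: value assignments, e.g. DB_PASSWORD = "hunter2"
    # (deliberately broad, like `git grep password`; expect some noise)
    ("assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token)\w*\s*[:=]>?\s*['\"]?(?P<value>[^\s'\"]+)")),
    # Oracle-style connect strings on a command line: sqlplus [-opts] user/pass@service
    ("connect-string",
     re.compile(r"\bsqlplus\b(?:\s+-\S+)*\s+\w+/(?P<value>\S+?)@\w+")),
    # URLs carrying userinfo: scheme://user:pass@host
    ("url-userinfo",
     re.compile(r"\b\w+://[^\s:/@]+:(?P<value>[^\s@/]+)@")),
]

# Notorious defaults (the "admin"/"admin" case) are flagged separately.
DEFAULT_VALUES = {"admin", "password", "root", "123456", "changeme"}


def is_placeholder(value: str) -> bool:
    """True for template markers and redactions that are not real secrets."""
    v = value.lower()
    return (v.startswith(("${", "%", "<")) or v.endswith(("}", ">"))
            or v in {"xxx", "*****", "redacted", "none", "null"})


@dataclass
class Finding:
    kind: str        # which pattern fired
    source: str      # file path or "<memory>"
    lineno: int      # 1-based line number
    value: str       # the candidate secret
    is_default: bool # value is a well-known default credential


def scan_lines(lines, source="<memory>"):
    """Run every pattern over every line; return findings in line order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group("value")
                if is_placeholder(value):
                    continue
                findings.append(Finding(kind, source, lineno, value,
                                        value.lower() in DEFAULT_VALUES))
    return findings


def scan_tree(root, skip_dirs=(".git", "node_modules"), max_bytes=1_000_000):
    """Walk a checkout and scan every readable text file, skipping VCS internals."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_lines(fh.read().splitlines(), path))
            except OSError:
                continue
    return findings


# Constructed sample input: what a config file or a `ps -ef` line might contain.
SAMPLE = """\
# constructed lines, not taken from any real system
DB_USER = "app"
DB_PASSWORD = "hunter2"
admin_password: admin
api_token = ${API_TOKEN}
cmd = "sqlplus -s scott/tiger@orcl @nightly.sql"
DATABASE_URL=postgres://app:s3cr3t@db.internal:5432/app
password = ""
""".splitlines()

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE)
    for f in hits:
        tag = " (DEFAULT CREDENTIAL)" if f.is_default else ""
        print(f"{f.source}:{f.lineno}: {f.kind}: {f.value!r}{tag}")
```

Run it with a checkout path as the only argument to scan a repository, or with no arguments to scan the constructed sample, which yields four findings (`hunter2`, `admin` flagged as a default, `tiger` from the sqlplus command line, and `s3cr3t` from the URL) while the templated `${API_TOKEN}` and the empty password are ignored. The assignment pattern is intentionally as coarse as a grep; a real deployment would layer a secret-scanning tool with an allowlist on top of it rather than tuning these regexes forever.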