Sharing isn’t caring if it’s an admin password: Pwned • The Register

PWNED Welcome back to PWNED, the column where we celebrate the people who’ve taught us how not to secure a server. If you’ve ever tied your own shoelaces together, then tripped over them, or attempted to dive into a swimming pool but hit your head on the diving board, we’ll be talking about your cyber equivalent.

This week’s connected kerfuffle comes courtesy of Gregory Shein, founder and CEO of software development firm Nomadic Soft. One of his clients made the fateful decision to prioritize convenience over security, leading to some serious data loss.

The client in question wanted to “keep things simple” for their team, so they used the same administrative password for both staging and production environments. That password was the hard-to-guess combination of “admin123.”

According to NordPass, which makes password management software and maintains a list of the 200 most common passwords, “admin123” is the 10th most popular password in the world. “Admin” by itself takes the second spot, while “123456” leads the pack. So if they were looking for high security, they came to the wrong place.

To make matters even worse, the company pinned the password in a Slack channel, just so that everyone who needed it would find it easily. Even if the password were “Vu+}?8wV?5TPy2cLBqc=,” this would have been a bad idea.

A few months after the client first shared the password around, a former contractor logged in to do some “testing.” But instead of benchmarking the software, they ended up triggering a full data wipe. Whoops!

According to Shein, the client had spent more than $30,000 on security tools. So we’ll guess they were surprised to find out that they’d lost their data in this fashion.

“In SaaS, the biggest threat is rarely technical,” Shein told us. “It is human laziness disguised as efficiency.”

It’s pretty easy to see what we can learn from Shein’s client’s mistake. Don’t share passwords between environments or among users. Make sure that everyone has only the access they need and cut off users who no longer need the access (like a former contractor).

At Nomadic Soft, they’ve introduced forced credential rotation with role-based access. According to Shein, this change reduced unauthorized access attempts by a full 60 percent in a period of just three months. I would also suggest that organizations implement multi-factor authentication and replace passwords with passkeys where their systems support them.
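The lessons in the two paragraphs above (no shared admin credentials across environments or people, no common passwords, rotate privileged credentials, and revoke access when a contractor's engagement ends) can be turned into a routine access review. The script below is an added illustration written for this column, not code from Nomadic Soft, The Register, or NordPass; the account inventory, the three-entry common-password list, the 90-day rotation window and the audit date are all constructed assumptions.

```python
"""Offline access-review helper that flags the failure modes the column
describes: common passwords, one credential shared across environments or
users, overdue rotation, and accounts still active after a contractor's
end date.

Added example, not from the original article. All data is constructed.
"""
import hashlib
from datetime import date, timedelta

# Constructed: a tiny stand-in for a common-password list. The real
# NordPass list is far longer; these are the three the column names.
COMMON_PASSWORDS = {"123456", "admin", "admin123"}

# Assumption: privileged credentials are rotated at least quarterly.
ROTATION_WINDOW = timedelta(days=90)

# Constructed audit date so the sample runs deterministically.
AUDIT_DATE = date(2025, 6, 1)


def fingerprint(secret: str) -> str:
    """Short, stable fingerprint used only to spot the same secret appearing
    in more than one place within this report. SHA-256 is fine for an
    offline audit script; it is not a password hash for an auth system."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def sample_inventory(today: date) -> list:
    """Constructed inventory shaped like a secrets/IAM export."""
    return [
        {"env": "staging", "user": "admin", "secret": "admin123",
         "last_rotated": today - timedelta(days=200), "active": True},
        {"env": "production", "user": "admin", "secret": "admin123",
         "last_rotated": today - timedelta(days=200), "active": True},
        {"env": "production", "user": "contractor-01",
         "secret": "kN4!pz9Qw#Lr2sVb",  # constructed, unique
         "last_rotated": today - timedelta(days=30), "active": True,
         "contract_end": today - timedelta(days=60)},
        {"env": "staging", "user": "dev-02",
         "secret": "T8m$vHq3Xe!2cYpL",  # constructed, unique
         "last_rotated": today - timedelta(days=10), "active": True},
    ]


def review(accounts: list, today: date) -> list:
    """Return (env, user, finding) tuples for every policy violation."""
    findings = []
    holders_by_fp = {}  # fingerprint -> [(env, user), ...]
    for acct in accounts:
        env, user, secret = acct["env"], acct["user"], acct["secret"]
        if secret.lower() in COMMON_PASSWORDS:
            findings.append((env, user, "common-password"))
        holders_by_fp.setdefault(fingerprint(secret), []).append((env, user))
        if today - acct["last_rotated"] > ROTATION_WINDOW:
            findings.append((env, user, "rotation-overdue"))
        end = acct.get("contract_end")
        if end is not None and end < today and acct["active"]:
            findings.append((env, user, "access-after-contract-end"))
    # A secret is "shared" if the same fingerprint belongs to more than one
    # (environment, user) pair, whether across environments or across people.
    for holders in holders_by_fp.values():
        if len(holders) > 1:
            for env, user in holders:
                findings.append((env, user, "credential-shared"))
    return findings


if __name__ == "__main__":
    for env, user, finding in review(sample_inventory(AUDIT_DATE), AUDIT_DATE):
        print(f"{env:<11} {user:<14} {finding}")
```

Run against the constructed inventory, both `admin` accounts are flagged three times (common password, overdue rotation, shared credential), the former contractor is flagged for access after the contract end date, and the developer account with a unique, recently rotated secret produces no findings. In a real deployment the inventory would come from the identity provider or secrets manager export rather than a hard-coded list.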

“Most teams chase advanced security while ignoring the obvious gaps right in front of them,” Shein said.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity available upon request. ®
