Company Continually Demands Password, Tech Support Says No, Wild Revelation Ensues

Advertisement
  • 01
    Font - r/talesfromtechsupport + Join u/Gingrpenguin • 1d 1 We need you to tell us our current password. No not reset tell us. We must have that exact password. Medium For backstory i worked for a small tech company. Our largest client was a national franchise so effectively a group of small businesses. Each site was its own franchise but some sites were in their own groups. A few years prior HO had a very basic software and alot of franchises had their own. When we came on the scene these system
  • 02
    Font - When we first rolled out we were fairly immature company and lacked alot of best pratice guidelines, including how passwords are assigned. (new passwords were all the same (think "changeme") and users should change this but at that time we didnt have any enforcement of that. One unassuming Tuesday our tech support team receives a request to retrive a password. We explain they can reset it automatically but thats not what they want. They want us to tell them their password. Our tech guy ex
  • 03
    Font - 10 minutes later we get a call from the users manager, turns out they use the account for lots of users, not all present and that it had previously been saved on all their browsers. We explain that whilst that sucks, theres f all we can do and besides, each user should have their own account. The convo got a bit heated but the call ends and thats that, or so we think. Around lunchtime we get a call from one of the senior guys at HO, who asks us the exact same thing. Were obviously annoyed
  • 04
    Font - They dont actually use our software but a series of their own, both developed in house and bought and stitched together. Their only use for us is to transfer data from HO into their own systems and vice versa. The users with access only use it for more manual tasks and one specifc customer query. The account in question is used by 8 different applications and its details are hardcoded into the calls. Their only developer is off on a 5 week gaunt in the aussie outback and is completely unr
  • 05
    Font - As he scrolls we notice something. Alot of the entries look identical (we werent salting them?) including the account in question. Thats when it dawns on us. They never changed the password from the default. A quick login attempt validates this and we give our conclusion to the client and to HO. HO also gets an (absolutely deserved) earful about security and ensuring their sites follow policies from our ceo who is not happy half his company has been dealing with this bullshit for the best
  • 06
    Font - In some ways its an utter miracle noone got into their systems. That same password had been sent to tens of thousands of users on our first rollout before we changed the process (randomly generated single use password) You only needed the email address to get in and that was literally sitename@companyname.com How that lasted 2 years i shall never know... 4 1.4k 3 Q 178 ↑, Share

Tags

Scroll Down For The Next Article