[quote post=”2548″]I remember a few years ago having to do maintenance work in a couple of servers for a major phone company. Root pasword for both servers was “changeme”. [/quote]

LOL! Well, at least it was not “password” I guess.

Same here, Luke.
Login name is user id. It is not printed on id card, but is used as cn on ldap server, and as uid for most listings (class list, grades, and so on). And password by default is date of birth ddmmyyyy. Can we consider it more secure for using four digit year? :-)

I remember a few years ago having to do maintenance work in a couple of servers for a major phone company. Root pasword for both servers was “changeme”.

Funny but my school works in a very similar way. We have this thing called NetID – which is a single login that works for all school services. You use it for the email, for Blackboard, for the online storage, student downloads – hell, you even use it to register your laptop on the wifi network.

How do you change your password? You type in your student id # (which is printed on your student id card) and your 6 digit numeric pin #. The pin is by default set to your date of birth (mmddyy). Yay for security.

Also, some of the school services do not use SSL which means your password is sent in plain text part of the time. :P

I was forced to change my password at work a week or so ago and ran into a bit of “fun.” It took me a LONG time to come up with something acceptable, because I kept triggering various problems. qpRY!@12 failed because “@” is not allowed. fiancmpa!1 did not work, because it contains my first name (even though it stood for “f***, I am not changing my password again”). QW1!qw1! failed because of repetition. tisfrIHTC$$5 failed for not meeting all of the rules in the first eight characters (letter, number, special character). Eventually I got one that passed and of course instantly forgot it. It’s a lot like meeting 50 people and being expected to remember their names; I came up with dozens and dozens of passwords and eventually they stopped being significant.

When I had to log in again several hours later, I couldn’t quite remember my password. I tried many variations on what I thought was my most recent theme but could not figure it out (so, how does forcing a user to reset his/her password every few months make the site more secure if you allow infinite tries to guess the password?). I opted to go with the forgotten password process. The link sent me to the exact same form (well, an uglier version), so I had to click another forgotten password link and then my security questions came up.

“What was your first elementary school?” or something like that was one of the few that showed. Great, was it “blahblah,” “blahblah elementary,” “blahblah elementary school,” or…? So I ended up learning that you can lock your account by guessing at these questions, but not the actual password…

I was curious to see how they would handle a password reset over the phone (can’t exactly just tell anyone what the new password is for an account, shouldn’t really use email to send it since that isn’t secure and those poor souls who actually use the campus email system instead of forwarding it would not even be able to access their email anyway. etc.). The lady asked for my username and then unlocked the account. Then she let me know about this other “secret” method of logging in where you type a keyword instead of your username. That takes you to a screen where you enter the username and your PIN, which is used for another system. It was mildly funny, because the pin is a restricted field of just a few numbers… and I have only had to change my pin one time in the three years I’ve been there…