Chocolate for passwords

This is pretty funny. I picked up on the story from Bruce Schneier’s Security Blog, which I read a lot. Anyway, here is a link to the real article.
This, I think, is a hilarious statement. First, I don’t think anyone actually gave away their password. Who wouldn’t think to just give them a fake one right away? “Oh, all you want is my password and I can have a piece of chocolate? Oh, OK, it’s 1234567, THANKS!!!” Of course, I’m sure that someone gave their password out; to some people the security of their data just doesn’t matter. It’s not tangible, therefore it’s worthless, right? Even less so if it’s the data of their large corporation/company that maybe they don’t feel personally responsible for.
That’s why a good security person knows that the weakest link is always within (and sometimes yourself).
When I was at school I had set up a little website that was a parody of Facebook for a class, and it turned out to be more of a lesson in security than anything else. I provided a form for people to fill out basic information: email address, password for logging in, name, etc. Then this info was saved in a MySQL DB that wasn’t secured/encrypted at all beyond having a separate username/password for the application (i.e. my app wasn’t writing/checking the DB as root). Anyway, the lesson came as the site took off in popularity and people outside the small class I was in started signing up to use it. Then I finally noticed that I had neglected to set any sort of encryption on the passwords being saved into my DB; basically I could read every single password saved there in beautiful plaintext. Now I know this is seriously bad form. I was so terrified after I saw all those passwords that I trashed the whole database and took down the site. But I was a sophomore in college, so that’s where I should make my mistakes, right?
Anyway, I learned an important lesson that day: anyone who has access to your data can do whatever they like with it. Even if they save your password encrypted, there is a way for some administrator somewhere with high enough security access to probably read that password and maybe even copy it. So the moral of the story? DON’T HAVE THE SAME PASSWORD FOR EVERYTHING. And for the love of jeebus, CHANGE IT EVERY ONCE IN A WHILE.
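As an added illustration (not code from the original post), here is the plaintext signup table from the story beside a salted, slow-hashed version of the same table, so you can see what a DB admin reads in each case. It uses an in-memory SQLite table and sample accounts I constructed, so it runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the signup database in the story.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
db.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def signup_plaintext(email: str, password: str) -> None:
    """The mistake from the post: the password column holds the raw password."""
    db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))


def signup_hashed(email: str, password: str) -> None:
    """Store only a per-user random salt and a slow one-way digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, digest))


def login_hashed(email: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    row = db.execute("SELECT salt, digest FROM users_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def dump_table(table: str) -> list:
    """What someone with read access to the DB (the admin in the story) actually sees."""
    assert table in {"users_plain", "users_hashed"}  # never interpolate untrusted names
    return db.execute(f"SELECT * FROM {table}").fetchall()


if __name__ == "__main__":
    signup_plaintext("alice@example.com", "hunter2")  # constructed sample account
    signup_hashed("alice@example.com", "hunter2")
    print(dump_table("users_plain"))   # the password is right there in plaintext
    print(dump_table("users_hashed"))  # only salt + digest, the password is not recoverable
    print(login_hashed("alice@example.com", "hunter2"))  # True
```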
