A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers.
Off the top of my head, every company I have ever seen does this in some shape or form. I am always the one saying don’t do it, but usually I don’t have a big enough hammer to get person X to be forced to NOT do this.
I have written about this topic before… http://blog.joeware.net/2005/05/08/10/
I wonder how many other companies around the world are in the same bad spot as the company mentioned above and they just don’t realize it.
These bad IDs are easy to find… Download oldcmp and run a report with the following command:
oldcmp -report -users -age 365 -sh -realage -h test.loc -format csv
Then chop the non-CSV portion from the top of the file, pull the rest into Excel, and look at what you have out there. Very likely you will find service/app/generic IDs that have been sitting there set as non-expiring and haven’t had a password change in years…
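The same report, as an added example that is not part of the original post and does not use oldcmp: it pulls the enabled, password-never-expires accounts with a server-side LDAP filter via the Microsoft ActiveDirectory module, keeps those whose password is older than the cutoff (or was never set), and writes a CSV you can open directly. The domain controller name and output path are placeholders.

```powershell
# Added example (not from the original post): list enabled AD accounts whose
# password never expires and has not been changed in over $MaxPasswordAgeDays.
# $Server is a placeholder; substitute a DC in your own domain.
param(
    [string]$Server = 'dc01.example.local',
    [int]$MaxPasswordAgeDays = 365,
    [string]$OutFile = '.\stale-nonexpiring.csv'
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Server-side filter using the LDAP_MATCHING_RULE_BIT_AND rule on userAccountControl:
#   0x10000 (65536) = DONT_EXPIRE_PASSWD   (password never expires)
#   0x2     (2)     = ACCOUNTDISABLE       (exclude disabled accounts)
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$props = 'PasswordLastSet', 'LastLogonDate', 'Description', 'servicePrincipalName', 'whenCreated'

$stale = @(Get-ADUser -Server $Server -LDAPFilter $ldapFilter -Properties $props |
    # PasswordLastSet is $null when pwdLastSet is 0 (never set / must change at next logon);
    # treat that as stale too, since it is not an age the policy can act on.
    Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName,
                  DistinguishedName,
                  @{ Name = 'PasswordLastSet'
                     Expression = { if ($_.PasswordLastSet) { $_.PasswordLastSet } else { 'never' } } },
                  @{ Name = 'PasswordAgeDays'
                     Expression = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 } } },
                  LastLogonDate,
                  # An SPN strongly suggests a service account, which is where these IDs usually hide.
                  @{ Name = 'HasSPN'; Expression = { ($_.servicePrincipalName).Count -gt 0 } },
                  whenCreated,
                  Description)

$stale | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host ("{0} enabled non-expiring account(s) with a password older than {1} days written to {2}" -f `
    $stale.Count, $MaxPasswordAgeDays, $OutFile)
```

Run it from a host with RSAT installed and read rights to the domain. The rows with HasSPN set are the ones to chase first: they are the shared service/app passwords the article above is about, and each one needs an owner, a rotation, and ideally a move to a managed service account so the password stops being something people pass around.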
joe