Some users w/d on’t learn.

We all know that you should have good secure passwords and you can enforce this in Active Directory, but it is the other applications on the network that might raise a concern.
I got a helpdesk ticket saying that the password for a Peachtree database was not the normal one….the password that was the same as the company name! After trying password, no password I then discovered that a google search for Peachtree password removers comes up with tons of hits but no free ones. The shareware ones were about 60 bucks for a corporate licence but about $30 for personal use. However, one of them would demonstrate that it could actually break the password by revealing the first two characters of the password. I thought this might give me and the user a clue as to what the password could be. When the first two characters were revealed to be 12 it didn’t take the user long to realise what the password was and they got it on the first attempt.
Sometimes it is really hard to demonstrate the reasons that passwords should be used and you would have thought that the importance of security and a good password for company financial data would be recognised…
I wonder what will happen if at the next Board meeting I do a demonstration of insecurity with LIVE data…..


  1. Jonathan

    Reminds me of the time I had to get into the MIS (computer systems) Director’s computer at one place I worked, which was at the parent company offices in another state, while he was on vacation. His computer name and username were(like every other logon in the company except mine, my coworker’s, and a handful of machines named by purpose) his first name and the first initial of his last name.

    Nobody was in the office at the time, and I needed project files to continue what I was supposed to be working on, so just on a hunch I tried….the username as the password. And got in. Most every other computer in the company also had the same setup of username/password/computer name being identical.

    That’s not to mention the SQL server with no password that included, among other things, the entire personnel database with names, addresses, phone numbers, social security numbers, and photographs.

Comments are closed.