by katzgrau
2780 days ago
It seems school district security practices are pretty atrocious universally. In my junior year of high school, a buddy and I realized that all passwords for our district were 6-digit numbers. We didn't have to be mad geniuses to realize how easy that would be to crack. And sure enough, there was a webmail login form on the district's front page that apparently didn't involve a nonce or security token. So we whipped up a Visual Basic app (because that's all we knew) and cracked a teacher's password in two days. Once we were in, we eventually found access to the district website server and found the admin password for the entire district (it was a big district) sitting in plaintext on the school website server. We were smart enough never to do anything malicious or even questionable, apart from getting there in the first place. And we kept it a secret for years. But the amount of sensitive info we had access to was unreal. That same password was used for every major system (school lunches, grading, etc.). And what's crazier is that about ten years later I bumped into somebody at a bar who was on the IT staff for that district. He was stunned to hear the story, and even worse, that the same password was still being used.