by jamps 1429 days ago
> A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group

A hardcoded password... are these guys for real?


It would not at all shock me to learn that the hardcoded password is in response to Australia's insane anti-encryption bill [0]. Pretty much everything it demands is insane. Like blocking notification of any senior personnel, allowing them to force a more junior member to carry out the will of the government or the entire business suffers the consequences.

[0] https://www.theguardian.com/australia-news/2020/jul/09/austr...

There's a reason some people call it shitlassian
"If Cisco does it, we can also do it".
You think this is uncommon?

Gitlab had the same issue just a few months ago.

Gitlab had hardcoded passwords...? Excuse me?
I think the fact that it's so weak (disabled1system1user6708) and that it was part of the default.properties adds insult to injury.
I understand the hard coding is bad, but what makes that a weak password?
One anecdote that might be relevant is that on Bitwarden, when I go to generate a new password, I can let my password be 64 characters long, have symbols, uppercase, lowercase, etc. I can even make it generate a key phrase.

In comparison to that, disabled1system1user6708 seems pretty weak.

Using Kaspersky's password checker at https://password.kaspersky.com we can easily check the brute-forceability of any given string.

Using this method we can see that this password (disabled1system1user6708) would take over 10,000 centuries to brute force.

That seems relatively secure to me.
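An added example (editor's code, not from the thread) that makes the strength argument in this comment concrete: it puts the character-class estimate a generic checker reports beside a token-based estimate that prices dictionary words as single guesses, and beside an "effective" figure that treats a hardcoded credential (the value quoted in this thread, which the advisory says the attacker knows) as having no guessing cost at all. The word-list size and the second entry in the known-credential set are assumptions, not figures from the page.

```python
import math
import re

# Assumed size of an attacker's word list (a constructed figure, not from the page).
WORDLIST_SIZE = 100_000

# Constructed set of credentials known to be hardcoded/published. The first entry is
# the value quoted in the thread; the second is an invented placeholder.
KNOWN_HARDCODED = {"disabled1system1user6708", "EXAMPLE-placeholder-default"}


def charset_size(s: str) -> int:
    """Size of the smallest character class set that covers every character in s."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", s):
        size += 33  # printable ASCII punctuation
    return size


def naive_bits(pw: str) -> float:
    """Character-class estimate: length * log2(charset), what a generic meter reports."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def token_bits(pw: str) -> float:
    """Split into word runs and digit/symbol runs; a word of 3+ letters costs one
    word-list guess, every other run costs per-character class entropy."""
    bits = 0.0
    for tok in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+", pw):
        if tok.isalpha() and len(tok) >= 3:
            bits += math.log2(WORDLIST_SIZE)
        else:
            bits += len(tok) * math.log2(charset_size(tok))
    return bits


def effective_bits(pw: str) -> float:
    """A published or hardcoded credential has zero guessing cost whatever its shape;
    otherwise take the more pessimistic of the two estimates."""
    if pw in KNOWN_HARDCODED:
        return 0.0
    return min(naive_bits(pw), token_bits(pw))
```

For disabled1system1user6708 the character-class estimate is about 124 bits, the word-aware estimate about 70 bits, and the effective figure 0 because the value is already public.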