Reply to post: Stupid password policy

We bet your firm doesn't stick to half of these 10 top IT admin tips

dr john

Stupid password policy

Students at a college where I lectured all got a computer account. They used their name or badge ID and a password to log in. To make it easy to pass this on to hundreds of new students during week one, all had the same initial password - the legendary changeme! They were told to change it whenever they logged in without changing it. Now almost everyone did this, and they got email reminders during the first week or two as well. So initially all your data was mine as well, until you set a new password. Risky? Yes, but most got the message. And they had little or no data to worry about at this stage, apart from emails being sent in their name of course.

BUT

They were also told that at regular intervals they must change their password, the commonest interval being during the second-last week of the last term of the academic year. It used to be the end of every term at one point, but that caused too many problems.

And if they didn't change it during the second-last week? Their password was reset to...

Yes, back to changeme - ALL your data, assignments and emails are now my data, assignments and emails!!! A quick delete of a folder by a nasty student taking advantage of this could result in someone they didn't like failing a course!

This was before I took computing courses, and so when I suggested that this was a very risky thing to do, the IT people told me to go away and leave the qualified people to get on with their work.

I kid you not.

Needless to say I often had panicking students coming to my office as they couldn't log in to get their final assignments printed - their "friends" had logged in and changed the password.

Often these passwords would remain as changeme until the new term started.
