Reply to post: Password-related horror

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Anonymous Coward

Password-related horror

At a prior employer, I was responsible for applications running on quite a few servers (not responsible for the servers themselves, just the applications on them), so I had password access to them. Being paranoid, I keep my AD password long (> 30 characters; yes, I'm nuts). One day, I was logging into a particular server and mistyped my password. Muscle memory being what it is, I couldn't stop my fingers from finishing the password and hitting enter. To my surprise, I was logged in. Confused, as I was sure I had mistyped the password, I logged out and then logged in again, deliberately mistyping the password. And was logged in. With a bit of experimenting, I found that as long as the first N characters were correct, the rest of the characters did not matter.

I called the admin who was responsible for the servers themselves. Turns out, one of our servers ran a very old version of its OS and for some reason could not be upgraded, but it could not handle passwords of more than N characters. So rather than single it out, AD passwords had been universally compromised so that only the first N characters (and N was frighteningly small) were relevant.

Posting anonymously to protect the guilty.
