https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50478#M3444 <P>I think this is a prime example of when a company need to be fined!</P><P>&nbsp;</P><P>There are so many other ways, how about an IAM access token?</P><P>&nbsp;</P><P>With a lot of the cloud environments the developers don't even know or have access to the passwords because it handled automatically on the back end.</P><P>&nbsp;</P><P>John-</P> Sat, 09 Apr 2022 14:43:44 GMT JKWiniger 2022-04-09T14:43:44Z https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50439#M3440 <P>Hi All</P><P>&nbsp;</P><P>Did they bypass the change management process or was it someone who called themselves a cybersecurity professional?&nbsp;&nbsp;</P><P>&nbsp;</P><P><A href="https://www.bleepingcomputer.com/news/security/critical-gitlab-vulnerability-lets-attackers-take-over-accounts/" target="_blank">https://www.bleepingcomputer.com/news/security/critical-gitlab-vulnerability-lets-attackers-take-over-accounts/</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Mon, 09 Oct 2023 10:09:03 GMT https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50439#M3440 Caute_cautim 2023-10-09T10:09:03Z https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50471#M3441 <P>I have worked in environments where some folks do hardcode passwords into application, regardless of the warnings, begging, wringing of hands, etc.&nbsp; They believe they know better and that THEY WILL NEVER be a target.</P><P>&nbsp;</P><P>It is unfortunate that this happens throughout IT/OT/ICS, etc.</P><P>&nbsp;</P><P>When found by auditors, there is always a promise to change but as soon as the auditors are out of ear shot.....guess what it happens again and they hard code the password once again.</P><P>&nbsp;</P><P>Would love to hear how others have handled this in the past</P><P>&nbsp;</P><P>d</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 09 Apr 2022 04:33:50 GMT https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50471#M3441 dcontesti 2022-04-09T04:33:50Z https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50478#M3444 <P>I think this is a prime example of when a company need to be fined!</P><P>&nbsp;</P><P>There are so many other ways, how about an IAM access token?</P><P>&nbsp;</P><P>With a lot of the cloud environments the developers don't even know or have access to the passwords because it handled automatically on the back end.</P><P>&nbsp;</P><P>John-</P> Sat, 09 Apr 2022 14:43:44 GMT https://community.isc2.org/t5/Tech-Talk/Who-in-their-right-minds-would-set-hardcoded-passwords/m-p/50478#M3444 JKWiniger 2022-04-09T14:43:44Z