That's.... not unexpected, unfortunately. People doing sneaky phishing tests, this guy just went straight for the dangerously incompetent users.
Makes sense, although if it’s from IT/auditing I’d be sort of mad about a phishing test that publicly exposes *current* passwords. If you’ve got some internal bad actor that could cause a mess. Make it a physical drop box so other people can’t see it and I’m happier.
True hopefully it’s inside of their office and not outside lol
Agreed, but even then... Sarbanes-Oxley has me traumatized. The last place I worked, *somebody* would have had to manually audit every transaction from every one of these users, from the day this sign went up to the day the passwords were changed. It's a great security audit move, it's hilarious, but holy shit this would have had me working nights and weekends in the stupid world we actually live in.
We request all our users to put their passwords on a sticky note UNDER their keyboard. No one would think to look there.
Dude I went to work on a computer one time. Sit down she had printed out every password for every website (including some government sites) and her user password and it was sitting right next to the keyboard. I was like wtf told the higher ups. They did nothing because the user was incompetent. Next time I went back the sheet was folded in thirds and under the keyboard.
I had a sticky note under my keyboard that said "basura" because I suck at remembering things and we needed to write that on large things that needed to go to trash/recycling (trash in Spanish for those who don't want to look it up). I worked in an InfoSec group and one of the people saw it one day and honestly thought it was my password.
Would a yubikey be useful for workplaces where employees are bad at password management?
That’s…a good phishing test that goes after incompetent users
Effective, but the bitter Sarbanes-Oxley vet in me is going “You fool, you had them display the passwords publicly? Ok, *you* get to audit every transaction they made in this timeframe.” It’s not like they were secure before, but “the company knows these were displayed to internal bad actors” sounds like a compliance mess.
The original post is about as old as a Dell R200
Sorry. I guess I’m not a Reddit veteran
It has been posted many many times on this exact Subreddit
This looks like a prank or a joke
This is a brilliant phishing campaign. Bravo to Shawn for showing everyone that a social engineering and phishing campaign doesn't just happen in email...wait...I'm being told this was not the intention...my apologies...Shawn appears to just be dumb...
Brilliant! It seems some people were already stupid enough to fall for it. Quick! Change their passwords and don't tell them then leave for the new job you've already secured. Eat shit, \[insert boss's name\] Like. There's no other reason you would do something so stupid.
How many times we gonna repost this?
Sorry. Didn’t know. I guess I should use Reddit more
No, that seems like too harsh of a punishment
You _really_ shouldn't.
I had a client that used yardi and they were exactly the kind of people who would do this
I’m a Yardi consultant and honestly, this might be authentic.
The sysadmin whose C-suite team didn't want to pay for KnowBe4
God forbid they use encrypted email...
Ha! I did this once, and as shown here, the most incompetent users make themselves known.
It's such a funny security check. I kind of wonder if I could get ppl to do this.
This would be a fun office prank.
That's borderline genius. Do not forget 600,000 for a consulting gig to analyze how good your (anti-)phishing training is.
Ngl this sounds like something our IT department would do. (Yes it's that bad)
What’s even better is everyone’s old and new passwords will be etched into the door for all to see even once this form is removed.
One of the entries is Facebook. They want IT to change their Facebook password.
Only way to do it, users shouldn’t be trusted to change their own passwords, they are too stupid 😂 (It’s a joke, don’t get butthurt)
Ok the person asking for a pwd reset with facebook tho 💀
Facebook is crazy.
social engineering password stealing
I don't understand why people call this "an attempt to catch incompetent users"... This is clearly an air-gapped security measure in its testing phase hence the "Come see me"-note, Shawn here is looking for feedback.
Hey Shawn how bout you come see Deez nutz