“Before I broke into the IT racket,” Scott Simons writes, “I was a front-line Customer Service Rep. At the time, the procedure for logging into our service management system was a bit puzzling.”

“Like many organizations, your User ID was assigned by the company, but you had to choose your own password. But instead of having a screen to do that, you had to fill out a Password Request Form and fax it corporate headquarters. And then things got strange.

“There was a 50/50 chance that corporate would reject your password. There was no rhyme or reason, such as not having enough numeric characters, or anything like that. It was just a simple notice, sent back via fax: Your password was not created. Please choose a different password.

“Actually, their rejection messages weren’t always so simple. I decided to change my password one day to something more secure – two mixed-case passwords with numbers and special characters – but IT rejected it because they couldn’t read my handwriting. I typed out my secure password and then refaxed it. They responded that they changed my password... but not to what I picked: they just randomly chose some word, like frequency. Evidently they were tired of dealing with me.

 

“And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past: instead of a invalid credentials message, I found myself logged in as a completely different user.

“A little testing (at other people’s workstations, just in case) confirmed my incredible suspicion: the User ID field on the login screen was a dummy. The login script looked only at the password field, comparing it to the list of passwords; if it matched, you were logged in as the user who owned that password, regardless of what User ID you had entered into the screen. The reason that passwords were sometimes rejected was simply that each user had to have a unique password for this ‘security’ scheme to work.

“I guess you could call it could call it fake one-factor authentication? Or half-factor authentication?

“After playing around a bit more, it was really easy to find some poorly-thought out passwords that belonged to users with much more powerful system permissions than mine. I believe one of them was a sales manager in Boston, who was apparently fond of kittens.

“I never chose to wreak any havoc with this knowledge – or even share this crazy scheme with my coworkers – but I’m glad I can finally tell someone about it today.