BDSM, LGBTQ+, and sugar dating apps have been found exposing users’ private images, with some of them even leaking photos shared in private messages.
BDSM, LGBTQ+, and sugar dating apps have been found exposing users’ private images, with some of them even leaking photos shared in private messages.
I had a test engineer demand an admin password be admin/admin in production. I said absolutely not and had one of my team members change it to a 64-character password generated in a password manager. Dumbass immediately logs in and changes it to admin again. We found out when part of the pipeline broke.
So, we generated another new one, and he immediately changed it back to admin again. We were waiting for it the second time and immediately called him out on the next stand-up. He said he needs it to be admin so he doesn’t have to change his scripts. picard_facepalm.jpg
How is he not fired? Incompetence and ignorance is one thing, but when you combine it with effectively insubordination… well, you better be right. And he is not.
Firmly agree, I don’t believe he should have had access to change these password in the first place unless I’m misunderstanding their definition of test engineer, but if OP had the authority and permission to change the password in the first place, and that person deliberately changed it back to the insecure route again, management would be involved and there would some sort of reprimandment because that’s past ignorance, that’s negligence
It was an admin account to do regression testing for the admin interface and functions before prod releases.
I had my guys enable/disable the account during the testing pipeline so people can’t login anymore.
Why would you have regression on prod? Or why would you care what the password is on staging environments?
We have our lower environments (where all testing happens) on a VPN completely separated from prod, and testing engineers only ever touch those lower environments. Our Ops team manages all admin prod accounts, and those are completely separate from lower environment accounts.
So I guess I’m struggling to understand the issue here. Surely you could keep a crappy password for pre-prod testing? We even create a copy of prod as needed and change the admin accounts if there’s something prod-specific.
He was a subcontractor, so technically, he’s not our employee.
I bubbled it up the chain on our side, and it hasn’t happened since.
my main question in this is, why does a test engineer have the credentials to change an admin password in production. Like I get that he needs to test things but I doubt he needs access to changing profile/account settings
He had to do admin functionality regression tests before prod releases to make sure nothing broke.
The system uses SSO for logins for everything else.
He is a subcontractor who was using scripts for all his projects. I told him he really needs to use env vars for creds.