11 comments

[ 2.7 ms ] story [ 32.8 ms ] thread
> A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group

A hardcoded password... are these guys for real?

"If Cisco does it, we can also do it".
There's a reason some people call it shitlassian
I think the fact it's so weak (disabled1system1user6708) and it was part of the default.properties adds insult to injury.
I understand the hard coding is bad, but what makes that a weak password?
one anecdote that might be relevant is that on bitwarden when I go to generate a new password, I can let my password be 64 characters long, have symbols, uppercase, lowercase etc. I can even make it generate a key phrase

in comparison to that, disabled1system1user6708 seems pretty weak

Using kaspersky's password checker at https://password.kaspersky.com we can easily check the brute-foecability of any given string.

Using this method we can see that this password (disabled1system1user6708) would take over 10,000 centuries to brute force

That seems relatively secure to me

It would not at all shock me to learn that the hardcoded password is in response to Australia's insane anti-encryption bill [0]. Pretty much everything it demands is insane. Like blocking notification of any senior personnel, allowing them to force a more junior member to carry out the will of the government or the entire business suffers the consequences.

[0] https://www.theguardian.com/australia-news/2020/jul/09/austr...