To make it easier, we've published the password on front of our magazine...

Diabetes they can manage. Passwords? Not so well…

What's the point of a password, if it's published on the front cover of a magazine?

It seems a reasonable question, and I can't blame GP Thinus van Rensburg asking it on Twitter when a copy of Diabetes Management felt into his lap.

Magazine password

The password grants users access to the "complete, searchable archive of all Health Publishing Australia medical journals."

Okay, it's probably not the most sensitive information in the world as it's an archive of medical magazine articles. But you do have to wonder why they bothered to have a password at all if they're going to make it so public?

And just to prove the point about the err... pointlessness of the archive having a password, just visit the website and try to visit the archive.

Hpa password

Do you see what I see?

Let's zoom in it a bit more...

Hpa password 2

Still can't quite read it? I'll zoom in for the benefit of those of us in our forties...

Hpa password zoom

Yup. The magazine's online archive has (alongside its password form) a sample cover of Diabetes Management - complete with its ever-so-helpful reminder of what the right username and password is.

Hat-tip: @tvren and @isecguy.

Tags:

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

9 Responses

  1. Jim

    October 18, 2016 at 6:20 am #

    Even better, you can reset the password for the hpa account so nobody can access the website!

    • Anonymous in reply to Jim.

      October 18, 2016 at 9:11 am #

      No you cannot – only if you manage to intercept the password reset email that goes to the email account associated to the user 'hpa'.

    • coyote in reply to Jim.

      October 23, 2016 at 1:21 am #

      It's especially better for ankle-biters who think they're cleverer than others when in fact they're showing the exact opposite (as well as many other things)…

  2. Campbell

    October 18, 2016 at 10:02 am #

    The key question would be, how much access does that ID give to the person using it? If it is just read access, then it is an old practice since the 70s of giving "free" access or a free copy of/to [name product] so that you get to pay for the full access under your personal ID, or in the 70s case, phone this number, say the password/code for a freebie. Seems more like a internet age version of the freebie on the cover ( anyone remember the old copies of 45's on a thin piece of plastic, shaped square but stamped circular, plays on a 45/33 and a third player).

  3. Colin

    October 18, 2016 at 12:26 pm #

    This has been used as a method to stop certain search engines being able to list the library content in their search results. Old method, but works.

  4. Aaron

    October 18, 2016 at 2:17 pm #

    A username/password combination also makes it significantly more challenging to scrape the website for data…granted, they could ratchet this up a few notches by simply adding a ReCaptcha.

  5. Ian

    October 19, 2016 at 5:53 am #

    I have noticed that since your article was published, they appear to have taken the archive offline. Albeit by simply deleting the DNS record for the server.

    • Thomas in reply to Ian.

      October 21, 2016 at 10:41 am #

      All still online :) I've just had a read through.

  6. coyote

    October 23, 2016 at 1:19 am #

    I get the point but limiting access to medical research/literature is only harmful so on the whole I don't see this as a problem.

Leave a Reply