One industry expert shows just how badly you suck at online security

Security is a mixed bag. where we once were limited to bad security practices of writing passwords on post-it notes, some have taken this same mentality online, as Troy Hunt points out.

Troy Hunt, Microsoft Regional Director and MVP for developer security, was prompted to tell a few stories after seeing this tweet:

Your password is not unique. pic.twitter.com/ga4GwxtzrQ

— Lars Klint (@larsklint) April 16, 2017

Obviously this is a joke — from Reddit, natch. But it’s not that far off from some real security practices.

Hunt shared some doozies, including how anyone can log into your Betfair account just by knowing your email address (public information) and your date of birth (not exactly hard to find):

Another site has a rather obvious security question:

This is one of the worst security questions I’ve seen. pic.twitter.com/iBm3kdaFDc

— Marie Huynh (@mariehuynh) October 9, 2014

Some make it even more obvious:

Uhh.. Seriously? Wow. This is a whole new level of stupid. @troyhunt pic.twitter.com/4F3MCocusw

— James Allman-Talbot (@JAllmanTalbot) March 16, 2015

I had to try one or two of the sites after he mentioned them, just to see if it was really that bad.

I can confirm that Strawberry is exactly as he describes. When you visit the beauty website, you have the option of selecting “Express Checkout,” where all you have to do is enter your email address and payment info to get things sent to you. Passwords aren’t required.

I’m not exactly a black hat extraordinaire, but even I could figure out how to charge tons of Biosilk hair product to some random person’s email address with that kind of security.