I once worked at a company that had several interesting practices:
- It took over 3 months before IT could get me the access to the various file servers I needed to do my job. Apparently they didn't believe in setting access policies by groups, only on a per user account basis.
- We had numerous processes that depended on old PCs that for some reason could not be made to work on different systems. We had to do a major data import to our Sybase servers from Paradox. Only one system was capable of completing the import about 70% of the time. Every other machine might succeed 10% of the time. Without this data $1000s in billing could not be completed.
- We had tons of scripts scattered across multiple fileservers that were used by various processes that accessed the database with all of our billing information (including credit card data), which included hard coded passwords. All were using the same account. I found copies of these scripts on 'all employees' shares as well as more restricted areas.
- The password used by this well published account was very insecure. 8 characters, all the same. I won't say which character.
The biggest sin I committed was that I gave up and quit pushing to get sane policies in place. I got tired of pissing people off and getting nowhere, the money was good, and the work was easy--so I just let it slide while I tried to make sure that the new stuff that I worked on was sane.