In what is perhaps the most brilliant act of malicious compliance I have ever witnessed…
Early in my career I bullied my way into a de facto tech lead position on a small software team in a pretty big organization.
The most powerful and vocal of our users used our software passively as a kind of combination dashboard and news aggregator. They had lots of passwords to lots of systems, and they did not want another one for ours. They made this very clear - not one more goddamned password.
This system was not on the internet, and installing outside software was strictly forbidden. H:\passwords.txt was the closest thing anyone had to a password manager. OAuth, SAML and LDAP were either not invented or not accessible. One intrepid developer did figure out how to make NTLM authentication work, mostly out of spite, but we could never get it to work reliably. Oh, we also didn’t have internet access, so we were limited to what we knew, which wasn’t much.
In what is perhaps the most brilliant act of malicious compliance I have ever witnessed, our Functional Manager ascertained that while the customers had firmly established a “no-password” requirement, they had not established ANY sort of authentication or authorization requirement.
Therefore, we simply removed the password from the system. Our authentication was now on the honor system.
Notably, we had a “security guy” in the organization, but he viewed his job as a mechanical one - scan software, check a box. He was too stupid or incompetent to intervene, so I’m guessing he still works there.
Remarkably, nobody called this bluff. Everyone knew it was stupid and risky; the unspoken agreement was to not talk about it, because it was a great convenience.
The next generation of software engineers were justifiably horrified and promptly re-introduced a password scheme, pissing off the users, causing a further loss of political clout and the end of our application’s glory days.