At a previous Fortune 500 company I worked at a few years ago, you could reset your password simply by calling the helpdesk and knowing your username and your manager's name.
I contacted the security team about this on my last day basically telling them to get their act together as this is the lowest hanging fruit for a hacker to take advantage of.
The CSO, a woman, wanted to know how a bad actor would be able to figure out the company's usernames. I told her usernames are trivial and easy to ask for over the phone, and I could easily find out who someone's manager was by going onto LinkedIn. People know not to give out passwords, but usernames? Fucking idiot.
They still don't have a decent system implemented.