For passwords: default values are


Post by rakhirhif8963 »

A) Lack of understanding of security terminology in general, not to mention specific knowledge and solutions applied.

As a rule, developers associate security at best with the following things: access control and logging, password protection and, less often, connection protection at the HTTPS level (using encryption mechanisms that are available out of the box by default). That is, formally they will use security methods that in fact remain formal, "for show", without taking into account the requirements and nuances:

— For passwords: default values are usually used, and the length, strength, frequency of change, non-repeatability, and number of attempts are not additionally configured. Quite often, these parameters cannot be further configured, since they were not included in the scope of the software development task, which leads to the need to rewrite the code.

— Regarding access management and logging: in the best case, the user groups or roles and the access objects that should be available in the software were described to the developers. In the worst case, the developers themselves “divided” the sections and objects into those necessary for users and those necessary for administrators. In the first case, we get a system that can be flexibly configured, but it requires spending a significant amount of time on setting up and coordinating rights. In the second case, we get a formal access control system. In addition, developers need to understand what information needs to be logged and in what volume. However, they are often not provided with this information, which leads either to insufficient detail in the logs for analyzing incidents or understanding what is happening in the software, or to excessive storage of logs and large volumes of information, which imposes significant restrictions on the ability to store information for the required period of time (for example, one to three years) or creates a need to purchase additional information storage. With excessive recording of information, additional problems arise with the speed of incident analysis and the speed of finding the necessary information. Redundancy may also require additional funding for staff expansion or for purchasing SIEM systems with unique information processing rules, or lead to risks associated with information being out of date. At the same time, too much time is spent on analyzing and processing information.
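The password parameters the post lists (length, strength, frequency of change, non-repeatability, number of attempts), held as configuration rather than fixed in code. This is an added example, not part of the original post; the class and function names, default values and sample passwords are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """The five parameters from the post, as configuration (values are assumptions)."""
    min_length: int = 12     # length
    min_classes: int = 3     # strength: lower/upper/digit/other classes required
    max_age_days: int = 90   # frequency of change; 0 disables expiry
    history_size: int = 5    # non-repeatability: last N passwords are rejected
    max_attempts: int = 5    # failed logins before lockout

def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _classes(password: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)

def change_violations(policy, password, history):
    """history: list of (salt, digest), newest last. Returns violated rule names."""
    found = []
    if len(password) < policy.min_length:
        found.append("length")
    if _classes(password) < policy.min_classes:
        found.append("strength")
    recent = history[-policy.history_size:] if policy.history_size else []
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in recent):
        found.append("reuse")
    return found

def must_change(policy, age_days):
    return policy.max_age_days > 0 and age_days >= policy.max_age_days

def locked_out(policy, failed_attempts):
    return failed_attempts >= policy.max_attempts

# Constructed sample data: one stored previous password and two deployments
# that differ only in configuration, not in code.
SALT = b"constructed-salt"
HISTORY = [(SALT, _digest("Winter-Harbor-42", SALT))]
DEFAULT = PasswordPolicy()
STRICT = PasswordPolicy(min_length=16, min_classes=4, max_age_days=0, max_attempts=3)
```
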