To make it easier, we’ve published the password on front of our magazine…

Diabetes they can manage. Passwords? Not so well…

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

What’s the point of a password, if it’s published on the front cover of a magazine?

It seems a reasonable question, and I can’t blame GP Thinus van Rensburg asking it on Twitter when a copy of Diabetes Management felt into his lap.

Magazine password

The password grants users access to the “complete, searchable archive of all Health Publishing Australia medical journals.”

Sign up to our free newsletter.
Security news, advice, and tips.

Okay, it’s probably not the most sensitive information in the world as it’s an archive of medical magazine articles. But you do have to wonder why they bothered to have a password at all if they’re going to make it so public?

And just to prove the point about the err… pointlessness of the archive having a password, just visit the website and try to visit the archive.

Hpa password

Do you see what I see?

Let’s zoom in it a bit more…

Hpa password 2

Still can’t quite read it? I’ll zoom in for the benefit of those of us in our forties…

Hpa password zoom

Yup. The magazine’s online archive has (alongside its password form) a sample cover of Diabetes Management – complete with its ever-so-helpful reminder of what the right username and password is.

Hat-tip: @tvren and @isecguy.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “To make it easier, we’ve published the password on front of our magazine…”

  1. Jim

    Even better, you can reset the password for the hpa account so nobody can access the website!

    1. Anonymous · in reply to Jim

      No you cannot – only if you manage to intercept the password reset email that goes to the email account associated to the user 'hpa'.

    2. coyote · in reply to Jim

      It's especially better for ankle-biters who think they're cleverer than others when in fact they're showing the exact opposite (as well as many other things)…

  2. Campbell

    The key question would be, how much access does that ID give to the person using it? If it is just read access, then it is an old practice since the 70s of giving "free" access or a free copy of/to [name product] so that you get to pay for the full access under your personal ID, or in the 70s case, phone this number, say the password/code for a freebie. Seems more like a internet age version of the freebie on the cover ( anyone remember the old copies of 45's on a thin piece of plastic, shaped square but stamped circular, plays on a 45/33 and a third player).

  3. Colin

    This has been used as a method to stop certain search engines being able to list the library content in their search results. Old method, but works.

  4. Aaron

    A username/password combination also makes it significantly more challenging to scrape the website for data…granted, they could ratchet this up a few notches by simply adding a ReCaptcha.

  5. Ian

    I have noticed that since your article was published, they appear to have taken the archive offline. Albeit by simply deleting the DNS record for the server.

    1. Thomas · in reply to Ian

      All still online :) I've just had a read through.

  6. coyote

    I get the point but limiting access to medical research/literature is only harmful so on the whole I don't see this as a problem.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.