Security is a mixed bag. where we once were bound to bad aegis practices of autograph passwords on post-it notes, some have taken this same mentality online, as Troy Hunt points out.

Troy Hunt, Microsoft Regional Director and MVP for developer security, was prompted to tell a few stories after seeing this tweet:

Obviously this is a joke — from Reddit, natch. But it’s not that far off from some real aegis practices.

Hunt shared some doozies, including how anyone can log into your Betfair annual just by alive your email abode (public information) and your date of birth (not absolutely hard to find):

Another site has a rather accessible aegis question:

Some make it even more obvious:

I had to try one or two of the sites after he mentioned them, just to see if it was really that bad.

I can affirm that Strawberry is absolutely as he describes. When you visit the beauty website, you have the option of selecting “Express Checkout,” where all you have to do is enter your email abode and acquittal info to get things sent to you. Passwords aren’t required.

I’m not absolutely a black hat extraordinaire, but even I could figure out how to charge tons of Biosilk hair artefact to some random person’s email abode with that kind of security.

Read next: Slack decidedly reduces your affairs of a abode leash