Once, while doing an internal network vulnerability assessment, I asked the customer's security officer: "What is this Oracle server"?
"The one with all the default passwords?"
"Yep".
"Oh, it has been installed by a vendor. The vendor said that if we change any of the passwords, it will void our warranty. The legal are dealing with it now".
Unbelievable.
