
From the looks of the screenshots in the article, it's possible they are using MongoDB (JSON format, $oid field). Old versions had insecure defaults [0].

I'm currently in India, in the finance field, and I think it could happen to my company (passwords on post-its, computers left with unlocked sessions, some servers accessible to any employee - or anyone inside the office actually...). Security is sometimes tough to advocate, and raising awareness is easier said than done.

[0] https://news.ycombinator.com/item?id=13374715
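The insecure defaults the comment points at (mongod listening on every interface with authorization switched off) can be checked mechanically once the config is parsed. The following is an added example, not code from the thread or from MongoDB: it assumes a YAML-style mongod.conf (MongoDB 2.6 and later) has already been loaded into a dict, for instance with PyYAML, and both sample configs below are constructed for illustration.

```python
"""Audit a parsed mongod.conf for the two settings behind the exposed-database
incidents: binding to all interfaces and running without authorization.

Added example, not part of the original thread. Assumes the YAML-form config
(MongoDB 2.6+) is already loaded into a dict; the sample configs are constructed.
"""

# Addresses that mean "every interface".
INSECURE_BIND = {"0.0.0.0", "::", "*"}


def audit_mongod(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    net = config.get("net") or {}
    security = config.get("security") or {}

    # Assumption: a missing bindIp is treated like the historical
    # all-interfaces default rather than like a modern localhost default.
    bind_ip = str(net.get("bindIp", "0.0.0.0"))
    addrs = {a.strip() for a in bind_ip.split(",")}
    if net.get("bindIpAll") or addrs & INSECURE_BIND:
        findings.append(f"net.bindIp exposes mongod on every interface ({bind_ip})")

    # Authorization is off unless it is explicitly enabled.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client can read and write")

    return findings


# Constructed sample: a config that relies on the old defaults.
EXPOSED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}

# Constructed sample: the hardened counterpart (loopback plus one internal
# address, which is an assumed deployment, and authorization enabled).
HARDENED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod(cfg) or ["ok"])
```

An empty config (the case of a mongod started with no config file at all) produces both findings, which is the point: the safe state has to be configured in, it is not the fallback.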



Honestly, this could happen at any company, for all the same reasons - in my experience, any workplace that isn't actually, or at least run as if it were, military is rife with subpar physical security.

And I can't claim not to be part of the problem - I'm forever wandering off to get coffee without locking my screen, holding doors for people I kinda think I might recognise... every security sin you can name, I'm guilty of it at some point. And so are you. Yes, you. No, probably not you, Mr. Schneier.


I have an amusing anecdote about the military and password security. I worked with some folks on a base once and everyone used the same keyboard pattern such that if I knew the first character of a password, I knew the whole password. This pattern was openly shared as a way to "remember" otherwise impossible-to-remember complex passwords.

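A shared keyboard pattern of the kind described in the comment above is a keyboard walk: each character is a physical neighbour of the previous one, so the password satisfies complexity rules while being guessable from its first key. The following detector is an added example, not code from the thread; it assumes a US QWERTY layout treated as an aligned grid (real rows are staggered, so this slightly over-approximates adjacency), an assumed 80% threshold, and constructed sample passwords.

```python
"""Flag passwords that are walks across adjacent keys on a US QWERTY layout.

Added example, not part of the original thread. The layout table, the aligned
grid model and the 80% threshold are assumptions; sample passwords are constructed.
"""

ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _build_positions():
    """Map every character (shifted or not) to the (row, column) of its key."""
    pos = {}
    for r, (row, shifted) in enumerate(zip(ROWS, SHIFTED)):
        for c, (ch, sh) in enumerate(zip(row, shifted)):
            pos[ch] = (r, c)
            pos[sh] = (r, c)
    return pos


POS = _build_positions()


def adjacent(a, b):
    """True if a and b are the same key or neighbours, diagonals included.
    Repeats count as adjacent because they are just as predictable."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_ratio(password):
    """Fraction of consecutive character pairs that are adjacent keys."""
    if len(password) < 2:
        return 0.0
    steps = list(zip(password, password[1:]))
    return sum(adjacent(a, b) for a, b in steps) / len(steps)


def is_keyboard_walk(password, threshold=0.8):
    """Assumed rule: at least four characters and >= 80% adjacent steps."""
    return len(password) >= 4 and walk_ratio(password) >= threshold


def flag_walks(passwords):
    """Return the subset of passwords that look like keyboard walks."""
    return [p for p in passwords if is_keyboard_walk(p)]


# Constructed samples: the first three are classic walks that pass most
# complexity checks; the last two are not walks.
SAMPLE_PASSWORDS = ["1qaz2wsx", "!QAZxsw2", "qwertyuiop", "Tr0ub4dor&3", "correcthorse"]

if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(f"{p:12s} walk_ratio={walk_ratio(p):.2f} flagged={is_keyboard_walk(p)}")
```

Because shifted and unshifted characters map to the same key, "!QAZxsw2" scores the same as "1qazxsw2": mixing case and symbols along a walk adds nothing against an attacker who enumerates walks, which is exactly why the shared pattern in the anecdote was worthless as a secret.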

So do I. Worked at a contractor hosting multiple sensitive/classified document repositories for one of the service branches. One of their attorneys' passwords expired for the document review platform. So this highly qualified, TS/SCI-cleared person accessing sensitive data emailed a bunch of our IT support and PMO distribution lists - basically an unknown number of anonymous third-party personnel - with an angry request to "reset [my] password back to [pass1234]! Right now!"

One thing I learned is that, with the exception of those directly concerned with the firing of weapons in anger, most military personnel don't give a hoot about operational security, and they HATED our IT department who did.


What about the nuclear launch codes being all set to 0000000? https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-...



