The problem with trying to convince someone that your security model is dangerous is that, unless you work in something obvious like banking, any scenario you throw out as an example leaves you sounding like Cassandra. Worse, as people question why this extra level of security might be needed, you might feel compelled to start throwing out half-baked worst-case scenarios. If there’s no obvious, immediate payoff to breaking into your system, people’s first reaction is to say “So they get a password they shouldn’t. Then what?”
It doesn’t matter whether someone can think of a scenario. That you didn’t consider a malicious application of your system or network is no deterrent to those who will. One mistake people make with security is to assume that the limit of their own imagination bears any relation to their exposure to actual threats. This is especially perilous when your own faulty assumptions put the people paying you for your expertise at risk.
This is not cause to go overboard, but simply to be sensible. Opting for a clearly flawed security model because you don’t think someone has any reason to break it is folly. In most cases anonymous FTP is no danger if the right fences are put around it, but that doesn’t stop many hosting providers from refusing to offer it. They don’t do this because someone gaining access through anonymous FTP is likely, but because the worst case scenario is an unacceptable risk to them. What is the worst case scenario? Something worse than the worst thing you considered.
Requiring insane, impossible-to-remember passwords is not what I’m talking about. How about something simple like sending a user name and password through clear-text e-mail, but not allowing your users to change either? Or assuming your third-party providers have a security policy that’s as tight as your own, and leaving yourself vulnerable if you’re wrong? Or not having a thorough and up-to-date audit of what any given permission actually opens up across your systems, figuring that users will only open the things they’re supposed to?
If people sending you a check are relying on you to be stable and secure, don’t allow arrogance to convince you that the things you haven’t thought of are unimportant. Don’t allow yourself to believe that you are not important or big enough for someone to bother breaking down the door. You’ll always make mistakes and you’ll always miss something. Do yourself, and your users, the favor of at least checking both the doors and the windows before you go to sleep. One way or another, your security prowess is irrelevant in the face of human stupidity and malice. Crackers aren’t relying on your imagination when deciding what to do with your system. There’s always a bigger fish.