Bad Password Allowed Swedish Watergate 248
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
Honestly unsurprising (Score:5, Insightful)
In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.
Re:End user password selection (Score:5, Insightful)
Re:End user password selection (Score:3, Insightful)
Re:End user password selection (Score:5, Insightful)
Re:Honestly unsurprising (Score:5, Insightful)
This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.
Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits and make a proposal. It doesn't have to be extensive. I just has to have the information needed to make a decision.
Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe it in, you need to make a more convincing case.
It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.
*sigh*, of course. (Score:3, Insightful)
I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on password, numerical addendums to dictionary words, just plain dictonary words ("nochance" was popular at one place I frequented).. Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.
You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.
Re:Keyboard Patterning - at least it makes them th (Score:3, Insightful)
If the account requires an adminstrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that isn't guessable in three attempts will do fine.
If the argument is that a strong password is harder to determine after the attacker has a dump of your password repository, how did the attacker get a dump of your password repository in the first place? That's like putting bars over your windows and leaving the front door open.
Re:Authoritarian mentality vs Education (Score:3, Insightful)
"Please try to keep your password complex. Yes, I know the system allows you to set it to your puppy's name every other month, but don't, mmkay?"
When it comes down to it, IT works for the company, and like everyone else, is charged with protecting the company's interests. Where the users insist on against the company's policy, I would hope that IT is willing to do their job.A question for you: Why is the security guard at the front door so "adversarial"? Insisting on asking for ID before letting you into the building after hours. Must be his ego, right?