Bad Password Allowed Swedish Watergate

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göteborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "

  • by mendaliv ( 898932 ) on Wednesday September 06, 2006 @11:27AM (#16052602)
    They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.

    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.
  • by Zadaz ( 950521 ) on Wednesday September 06, 2006 @11:38AM (#16052704)
    And I'm sure a vast increase in post-it notes with cryptic characters stuck on monitors and backs of keyboards.
  • by baadger ( 764884 ) on Wednesday September 06, 2006 @11:48AM (#16052797)
    I'd like to know why you can view user passwords in plaintext anyway....
  • by Score Whore ( 32328 ) on Wednesday September 06, 2006 @12:00PM (#16052917)
    I worked as a contractor for the Air Force for a while. They had a really strong policy in place on the Windows domain with the appropriate DLLs that would disallow "weak" passwords. Weak passwords being anything less than six letters; must have three of: upper case, lower case, numbers, symbols; must be substantially different from previous passwords; must not include words in it. Except that their dictionary includes two- and three-letter words. So you could have a password such as '1xIf%at$3' and it would be invalid since it has two two-letter words, 'if' and 'at'. When deciding to implement draconian enforcement of your policies, make sure your enforcement processes aren't stupid.
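As an added example (not code from the thread or from the Air Force system the comment describes), here is a password-policy checker implementing the rule set listed above, with the dictionary rule written twice: the naive substring match that rejects '1xIf%at$3' for containing 'if' and 'at', and a corrected match that ignores words below a minimum length and only looks inside alphabetic runs. The thresholds (6 characters, 3 of 4 classes, edit distance 3), the word list and the user names are assumptions for illustration.

```python
"""Password-policy checker: added example, not the thread's or the Air Force's code.
Thresholds and the word list are illustrative assumptions."""
import re
import string
from typing import Callable, Iterable, List, Sequence

# Constructed sample dictionary; a real deployment loads a full word list.
DICTIONARY = {"if", "at", "the", "cat", "password", "secret", "sigge"}


def char_classes(pw: str) -> int:
    """Number of character classes present: upper, lower, digit, symbol."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for the 'substantially different from previous' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dictionary_hits_naive(pw: str, words: Iterable[str] = DICTIONARY) -> List[str]:
    """The flawed rule from the comment: any dictionary word found anywhere as a substring."""
    lowered = pw.lower()
    return sorted(w for w in words if w in lowered)


def dictionary_hits_fixed(pw: str, words: Iterable[str] = DICTIONARY,
                          min_len: int = 4) -> List[str]:
    """Skip words shorter than min_len and only match inside alphabetic runs,
    so '1xIf%at$3' is no longer penalised for 'if' and 'at'."""
    runs = re.findall(r"[a-z]+", pw.lower())
    return sorted(w for w in words
                  if len(w) >= min_len and any(w in run for run in runs))


def check_password(pw: str, username: str, history: Sequence[str] = (),
                   hits_fn: Callable[[str], List[str]] = dictionary_hits_fixed,
                   min_distance: int = 3) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 character classes")
    if pw.lower() == username.lower():  # the 'sigge'/'sigge' case from the story
        problems.append("password equals username")
    hits = hits_fn(pw)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    for old in history:
        if levenshtein(old.lower(), pw.lower()) < min_distance:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw, user in [("1xIf%at$3", "alice"), ("sigge", "sigge"), ("Password!9", "bob")]:
        print(f"{pw!r} naive: {check_password(pw, user, hits_fn=dictionary_hits_naive)}")
        print(f"{pw!r} fixed: {check_password(pw, user)}")
```

The naive variant reports '1xIf%at$3' as containing 'at' and 'if' while the fixed variant accepts it; both still reject 'sigge' as the password for user 'sigge' on four separate rules, which is the failure the story is about.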
  • by hazem ( 472289 ) on Wednesday September 06, 2006 @12:07PM (#16052971) Journal
    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

    This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.

    Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits, and make a proposal. It doesn't have to be extensive. It just has to have the information needed to make a decision.

    Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe in it, you need to make a more convincing case.

    It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.
  • *sigh*, of course.
    by SocialEngineer ( 673690 ) on Wednesday September 06, 2006 @12:47PM (#16053357)

    I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on "password", numerical addendums to dictionary words, just plain dictionary words ("nochance" was popular at one place I frequented)... Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.

    You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to... ugh.

  • by Chazmyrr ( 145612 ) on Wednesday September 06, 2006 @01:54PM (#16053853)
    The fact that you can brute force an account at all is not an indicator that strong passwords are needed. It is an indication that you need to disable an account after a number of unsuccessful attempts. The determining factor for how strong the password needs to be is whether the account is disabled for a few minutes or requires an administrator to unlock it.

    If the account requires an administrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that isn't guessable in three attempts will do fine.

    If the argument is that a strong password is harder to determine after the attacker has a dump of your password repository, how did the attacker get a dump of your password repository in the first place? That's like putting bars over your windows and leaving the front door open.
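The guess budget the comment above is arguing about can be computed rather than asserted. The following is an added example (not code from the thread): a toy login service with a failed-attempt lockout, and a simulation of an online guessing attacker who waits out temporary lockouts and gives up on one that needs an administrator. The one-guess-per-second rate, the three-failure threshold, the 15-minute lockout and the word list are assumptions for illustration; the account store holds plaintext only to keep the example short, where a real one holds salted hashes.

```python
"""Lockout policy versus online guessing: added example, not the thread's code.
Rates, thresholds and the word list are illustrative assumptions."""
import hmac
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 3              # failures that trigger a lockout
    lockout_seconds: float = 900.0  # 0 means locked until an administrator unlocks
    reset_window: float = 900.0     # failures older than this are forgotten


@dataclass
class Account:
    password: str                   # plaintext only for the example; store a salted hash
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # math.inf = needs admin unlock


class LoginService:
    def __init__(self, policy: LockoutPolicy, accounts: Dict[str, Account]):
        self.policy = policy
        self.accounts = accounts

    def attempt(self, user: str, password: str, now: float) -> str:
        """'ok', 'wrong', 'locked_out' (this failure triggered the lock) or
        'refused' (already locked; the guess was not evaluated)."""
        acct = self.accounts[user]
        if acct.locked_until is not None and now < acct.locked_until:
            return "refused"
        acct.failures = [t for t in acct.failures if now - t < self.policy.reset_window]
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures.clear()
            acct.locked_until = None
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) < self.policy.threshold:
            return "wrong"
        acct.failures.clear()
        if self.policy.lockout_seconds == 0:
            acct.locked_until = math.inf          # stays locked until admin_unlock()
        else:
            acct.locked_until = now + self.policy.lockout_seconds
        return "locked_out"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user].locked_until = None
        self.accounts[user].failures.clear()


def simulate_online_guessing(policy: LockoutPolicy, target_password: str,
                             wordlist: Sequence[str], horizon: float = 86400.0,
                             seconds_per_guess: float = 1.0) -> Tuple[int, bool]:
    """Attacker tries the wordlist in order, waits out temporary lockouts and
    stops on a permanent one. Returns (guesses evaluated, password found)."""
    svc = LoginService(policy, {"victim": Account(target_password)})
    acct = svc.accounts["victim"]
    now, i, guesses = 0.0, 0, 0
    while i < len(wordlist) and now < horizon:
        result = svc.attempt("victim", wordlist[i], now)
        if result == "refused":
            if acct.locked_until == math.inf:
                break                             # needs an admin; attacker is stuck
            now = acct.locked_until               # wait for the lockout to expire
            continue
        guesses += 1
        i += 1
        if result == "ok":
            return guesses, True
        now += seconds_per_guess
    return guesses, False


# Constructed word list: 1000 misses followed by the password from the story.
WORDLIST = [f"guess{n}" for n in range(1000)] + ["sigge"]

if __name__ == "__main__":
    for name, policy in [("temporary 15-minute lockout", LockoutPolicy()),
                         ("admin unlock after 3 failures", LockoutPolicy(lockout_seconds=0)),
                         ("no lockout", LockoutPolicy(threshold=10**9))]:
        print(name, simulate_online_guessing(policy, "sigge", WORDLIST))
```

With a 15-minute lockout after three failures the attacker gets 288 guesses per day, with an admin-unlock policy only three, and with no lockout the attacker walks the whole list and finds 'sigge'. The simulation says nothing about the offline case the comment dismisses: once the repository is dumped, the lockout is irrelevant and only the hashing and the password's strength remain.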
  • by Ykant ( 318168 ) on Wednesday September 06, 2006 @04:30PM (#16055034)
    Why does IT want to wield password policy like a club? [...] The obvious solution is to do some simple training for the employees.
    And when simple training doesn't work, you just end up beating people over the head anyway. What sense would it make to teach someone corporate policy and then not enforce it?

    "Please try to keep your password complex. Yes, I know the system allows you to set it to your puppy's name every other month, but don't, mmkay?"

    Users are often unhappy with their interaction with corporate IT already. Why be so adversarial?
    When it comes down to it, IT works for the company, and like everyone else, is charged with protecting the company's interests. Where the users insist on going against the company's policy, I would hope that IT is willing to do their job.

    A question for you: Why is the security guard at the front door so "adversarial"? Insisting on asking for ID before letting you into the building after hours. Must be his ego, right?
