Bad Password Allowed Swedish Watergate 248

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the use of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göteborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
  • Password? (Score:5, Interesting)

    by madshot ( 621087 ) on Wednesday September 06, 2006 @11:29AM (#16052619) Homepage Journal
    Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem? Sounds like they need to hire a new IT director with a sense of security. If that IT director allows passwords like that, he probably also is running a firewall hosted on a Windows XP Pro machine with ICS and no service packs or hot fixes. All of the internal IP addresses are 192.168.x.x because of ICS, so I'm sure the server is .1. Heck, the director might have even turned on Remote Desktop Administration on the box so he could manage it from home without a VPN, and the administrator account's password on that box is either blank, password, or god. Well, best of luck to their director or whomever is in charge of their computer network.
  • by lillgud ( 951277 ) on Wednesday September 06, 2006 @11:32AM (#16052635) Homepage
    From TFA:
    Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter.

    Translation:
    He doesn't think he's been careless with his login info.

    Hasn't anyone explained to him yet how stupid and careless this was?
  • by w33t ( 978574 ) on Wednesday September 06, 2006 @11:36AM (#16052679) Homepage
    You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.

    Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.

    While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.

    For example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.

    Does anyone know if brute-force methods take into account keyboard patterning?

    By the way, 1al02sk93dj8 is not my account's password - so don't even think about trying it! ;)
  • by edmudama ( 155475 ) on Wednesday September 06, 2006 @11:42AM (#16052743)
    I wonder how common it is for a user to have something like "1al02sk93dj8" written on a post-it on their monitor, when in fact all they have to remember about their password is that the 'sk' in the middle is really a 'RD', making their real password "1a102RD93dj8".

    This would (I imagine) wind up being significantly more secure to outside attacks (those who can't see the postit) while still being moderately secure to inside attacks (joe shmo trying to login on his console)....

    thoughts?
  • by RaigetheFury ( 1000827 ) on Wednesday September 06, 2006 @11:52AM (#16052843)
    A good solid password will have at least 7 alphanumeric characters and at least 1 non-alphanumeric. For example, don2006 is a shitty password. However, don2006$ is not. The problem you will encounter is that a basic user needs to be able to remember this password and will typically use it in more places than they should. This is impossible to manage, so the best solution is to find hard-to-crack requirements that are easy to remember. don2006$ is a reasonable password for a normal user. More advanced users who have responsibilities over more sensitive data will also be able to remember more complex passwords, or they can learn.
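    As an added example (not code from Slashdot or from any commenter), the Python checker below applies the rule stated just above (at least 7 alphanumeric characters plus at least one non-alphanumeric), rejects the username-equals-password case from the story, and answers the earlier question about keyboard patterning in the simplest way an auditing tool could: it scores what fraction of consecutive characters sit on adjacent keys of a constructed QWERTY grid. The layout, the 50% walk threshold, the year-suffix warning and the sample credentials are all assumptions made for this example.

```python
"""Password-policy checker for the weaknesses discussed in this thread.

Added example; not code from Slashdot or any commenter.
Assumptions: US QWERTY layout with row stagger ignored, a minimum of 7
alphanumeric characters, and a 50% adjacent-key threshold for a "walk".
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed QWERTY grid: (row, column) of each key.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def keyboard_walk_ratio(password: str) -> float:
    """Fraction of consecutive character pairs that are the same key or
    adjacent keys on the grid (e.g. 'qwerty' -> 1.0). Punctuation is not on
    the grid, so a move to or from it never counts as adjacent."""
    chars = password.lower()
    pairs = list(zip(chars, chars[1:]))
    if not pairs:
        return 0.0
    adjacent = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / len(pairs)


@dataclass
class Verdict:
    failures: List[str] = field(default_factory=list)  # hard policy violations
    warnings: List[str] = field(default_factory=list)  # weak but still allowed

    @property
    def ok(self) -> bool:
        return not self.failures


def check_password(username: str, password: str,
                   min_alnum: int = 7, walk_threshold: float = 0.5) -> Verdict:
    """Apply the thread's rules to one credential pair and report findings."""
    v = Verdict()
    pw, user = password.lower(), username.lower()
    if pw == user:  # the "sigge"/"sigge" case from the story
        v.failures.append("password is identical to the username")
    elif len(user) >= 3 and user in pw:
        v.failures.append("password contains the username")
    if sum(ch.isalnum() for ch in password) < min_alnum:
        v.failures.append(f"fewer than {min_alnum} alphanumeric characters")
    if all(ch.isalnum() for ch in password):
        v.failures.append("no non-alphanumeric character")
    ratio = keyboard_walk_ratio(password)
    if ratio >= walk_threshold:
        v.failures.append(f"keyboard walk ({ratio:.0%} adjacent-key moves)")
    if re.search(r"(19|20)\d\d\W*$", password):
        v.warnings.append("ends in a year, a common guessable suffix")
    return v


if __name__ == "__main__":
    # Constructed sample credentials for demonstration; not real accounts.
    samples = [("sigge", "sigge"), ("dsmith", "don2006"), ("dsmith", "don2006$"),
               ("dsmith", "1qaz2wsx!"), ("dsmith", "wdydw@yeaf")]
    for user, pw in samples:
        verdict = check_password(user, pw)
        status = "OK  " if verdict.ok else "FAIL"
        print(f"{status} {user}/{pw}: {verdict.failures + verdict.warnings}")
```

    The adjacency test only recognises straight walks such as "1qaz2wsx"; a password like "1al02sk93dj8" that alternates hand positions scores low and would need a richer pattern model. Treating a trailing year as a warning rather than a failure keeps the checker consistent with the rule above while still surfacing the most common suffix people reach for.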
  • by tygerstripes ( 832644 ) on Wednesday September 06, 2006 @11:54AM (#16052860)
    Can't remember where I read it (prolly /.), but there was an article that gave a very convincing argument to the effect that changing your password every month is totally without benefit. It's a common rule-of-thumb kind of practice that has been handed down from admin to admin for years, probably from early Unix days, and doesn't have any useful purpose anymore.

    Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).

    Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.

  • Anyone else use the post-it-on-the-monitor as a booby trap? If anyone uses the post-it password on my monitor it sets off a series of security cascades that culminates with me getting a picture of them on my phone.

    One day I hope to catch someone other than a janitor trying to surf porn. =P
  • by hswerdfe ( 569925 ) <`slashdot.org' ` ... .swerdfeger.com'> on Wednesday September 06, 2006 @12:29PM (#16053192) Homepage Journal
    Ahh, yes, More Secure.
    One system I log into at work requires "strong passwords"
    ie
      * has to be very different from your last 10 passwords
      * has to have special chars
      * has to change your password every 2 months.

    The problem is I log in to this system every 6 weeks.
    So every time I need to log in I
      1. Call the IT desk
      2. Ask them to reset my password
      3. They Email me my password.
      4. I login

    When the password is reset there is no identification of me.
    They simply assume that access to my work email is valid enough.

    By increasing the level of security they have effectively reduced the level of security to that of a separate system (company email).

    BTW: company email policy is change every 6 months, incremental is allowed.

    Question:
    How many requests for password resets do you get with your system?
    What method of password distribution do you use?
    What method of verification do you use on resetting a password?

  • Bait (Score:4, Interesting)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Wednesday September 06, 2006 @12:38PM (#16053262) Homepage Journal
    Many of us Swedes think this was a planned event where the login was "leaked" to the opposition on purpose. The Swedish Social Democrats would probably stop at nothing to keep in power. The person who did the break-in (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and a local Social Democrat Youth member in the same circuit as the journalist (Fredrik Sjöshult) who blew the whistle. The fact that this happened just hours after the leading party (from the polls) had its turn on national TV is too much for it to be a coincidence.

    Ugly indeed and not very democratic.

    Its like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings....oh, wait..
  • Re:Random Passwords (Score:3, Interesting)

    by boingo82 ( 932244 ) on Wednesday September 06, 2006 @01:10PM (#16053531) Homepage
    I prefer song lyrics as an endless source of good passwords. For example, suppose I like the Foo Fighters. I'll choose a song I like, say, Monkey Wrench, and choose a line, say "what do you do when all your enemies are friends?" and then get "wdydw@yeaf" for a password. If I DO have to leave a sticky on my monitor for a week after the change, it might say "monkey wrench", or "all this time to make amends" which is the preceding line. Generally enough to remind ME but not enough for Joe Average to bother guessing what it is.

    Bonus, every time I type my password my favorite line from whatever song runs through my head.

  • by hdw ( 564237 ) on Wednesday September 06, 2006 @01:14PM (#16053556)
    Erh, unauthorized access has never been legal.

    An unlocked or even missing door doesn't save you from that.

    A web page with "Click here for access to internal information (don't click if you're not authorized)." is enough to bring criminal charges for unauthorized access.

    There are other things that are more questionable.

    If I'm handed a link that bypasses security (and the message) then it can be hard to state that I've committed anything illegal, ie someone has to prove that I knew that I wasn't authorized.

    But bad security by itself isn't, hasn't ever been and will never be an excuse. // hdw
  • by hdw ( 564237 ) on Wednesday September 06, 2006 @05:32PM (#16055462)
    Well actually been there and no.

    The normal reaction from j.random management is "erh? what? sounds good but how should it be written?"

    Then it's your problem to provide them with the needed template.
    And it has to be understood, as in "if j random luser can gain access to your account he or she can make you look like a fool and cause severe media damage to our organisation".

    Or, "a single idiot downloading a funky screensaver can kill our entire internal network for days".

    An IT security policy must come from management, not from IT.
    But IT must be able to monitor it.

    And j.random idiot breaking the policy must be hanged in public, no matter who he or she is.

    The best publicity that the policy of my current company had was when our local security manager (not just IT) received a public dressing-down for letting his teenage daughter install Sims on his company laptop.

    We lost most of Europe for 24 hours because a little lady in finance at one office had a local connection to her bank. Which happened to be over a j.random ISP link, and her computer was infected, spreading to 40.000+ computers in 16+ countries in 4 hours ...

    Sure we should divide internal LANs with firewalls, but we also have to cooperate over the LAN borders.

    It can't be solved with software or hardware, it can only be solved with policies and public hangings. // hdw
