Bad Password Allowed Swedish Watergate
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the use of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göteborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
Password? (Score:5, Interesting)
Stig-Olof "Sigge" Fribergs (Score:2, Interesting)
Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter.
Translation: He doesn't think he's been careless with his login info.
Hasn't anyone explained to him yet how stupid and careless this was?
Keyboard Patterning - at least it makes them think (Score:5, Interesting)
Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.
While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.
For example, 1al02sk93dj8. I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.
Does anyone know if brute-force methods take into account keyboard patterning?
By the way, 1al02sk93dj8 is not my account's password, so don't even think about trying it!
Re:Keyboard Patterning - at least it makes them th (Score:3, Interesting)
This would (I imagine) wind up being significantly more secure against outside attacks (those who can't see the Post-it) while still being moderately secure against inside attacks (Joe Schmoe trying to log in on his console)...
thoughts?
Solid Password examples (Score:2, Interesting)
Re:End user password selection (Score:5, Interesting)
Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).
Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.
Re:Keyboard Patterning - at least it makes them th (Score:5, Interesting)
One day I hope to catch someone other than a janitor trying to surf porn. =P
Re:End user password selection (Score:4, Interesting)
One system I log into at work requires "strong passwords",
i.e.
* has to be very different from your last 10 passwords
* has to have special chars
* has to change your password every 2 months.
The problem is I log in to this system every 6 weeks.
So every! time I need to log in, I
1. Call the IT desk
2. Ask them to reset my password
3. They email me my password.
4. I log in
When the password is reset there is no identification of me.
They simply assume that access to my work email is valid enough.
By increasing the level of security they have effectively reduced the level of security to that of a separate system (company email).
BTW: company email policy is change every 6 months, incremental is allowed.
Questions:
How many requests for password resets do you get with your system?
What method of password distribution do you use?
What method of verification do you use on resetting a password?
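A policy-side check for the two weak-password patterns this thread keeps returning to, keyboard walks (the "Keyboard Patterning" comment) and incremented-counter passwords (the "End user password selection" comments and the "very different from your last 10 passwords" rule above). This is an added example, not code from any poster; the US QWERTY row layout, the adjacency model, and the length, walk and similarity thresholds are assumptions.

```python
import string
from difflib import SequenceMatcher

# US QWERTY rows (assumed layout); a key is "adjacent" to the keys beside it
# and to the three keys above/below it, which covers walks like qwerty or 1qaz.
_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
_POS = {ch: (r, i) for r, row in enumerate(_ROWS) for i, ch in enumerate(row)}

def _adjacent(a, b):
    if a not in _POS or b not in _POS or a == b:
        return False
    (ra, ia), (rb, ib) = _POS[a], _POS[b]
    return abs(ra - rb) <= 1 and abs(ia - ib) <= 1

def longest_keyboard_walk(pw):
    """Length of the longest run of physically adjacent keys in pw."""
    pw = pw.lower()
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        best = max(best, run)
    return best

def too_similar(new, old, max_ratio=0.8):
    """True if new is old with a bumped counter (winter07 -> winter08) or a tiny edit."""
    stem_new, stem_old = new.rstrip(string.digits), old.rstrip(string.digits)
    if stem_new and stem_new == stem_old:
        return True
    return SequenceMatcher(None, new, old).ratio() >= max_ratio

def check_password(new, history=(), min_len=12, max_walk=4):
    """Return the list of policy failures for a candidate password (empty = accepted).

    history holds earlier passwords in cleartext only for this demo; a real system
    can compare only against the current password the user typed to authorize
    the change, since older ones exist only as salted hashes.
    """
    problems = []
    if len(new) < min_len:
        problems.append("too short")
    if longest_keyboard_walk(new) > max_walk:
        problems.append("keyboard walk")
    if any(too_similar(new, old) for old in history):
        problems.append("too similar to a previous password")
    return problems

if __name__ == "__main__":
    for pw, hist in [("qwertyuiop12", ()), ("winter08", ("winter07",)),
                     ("1al02sk93dj8", ())]:
        print(pw, longest_keyboard_walk(pw), check_password(pw, hist))
```

Note that the thread's own 1al02sk93dj8 scores a walk length of 1: an alternating-hand pattern never touches adjacent keys, so this check alone would accept it.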
Bait (Score:4, Interesting)
Ugly indeed and not very democratic.
It's like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the voting....oh, wait..
Re:Random Passwords (Score:3, Interesting)
Bonus, every time I type my password my favorite line from whatever song runs through my head.
Re:Ohhhh... I hope the ruling party is the culprit (Score:3, Interesting)
An unlocked or even missing door doesn't save you from that.
A web page with "Click here for access to internal information (don't click if you're not authorized)." is enough to bring criminal charges for unauthorized access.
There are other things that are more questionable.
If I'm handed a link that bypasses security (and the message) then it can be hard to state that I've committed anything illegal, i.e. someone has to prove that I knew that I wasn't authorized.
But bad security by itself isn't, hasn't ever been and will never be an excuse.
Re:Honestly unsurprising (Score:3, Interesting)
The normal reaction from j.random management is "erh? what? sounds good but how should it be written?"
Then it's your problem to provide them with the needed template.
And it has to be understood, as in "if j.random luser can gain access to your account he or she can make you look like a fool and cause severe media damage to our organisation".
Or, "a single idiot downloading a funky screensaver can kill our entire internal network for days".
An IT security policy must come from management, not from IT.
But IT must be able to monitor it.
And j.random idiot breaking the policy must be hanged in public, no matter who he or she is.
The best publicity that the policy of my current company had was when our local security manager (not just IT) received a public dressing-down for letting his teenage daughter install The Sims on his company laptop.
We lost most of Europe for 24 hours because a little lady in finance at one office had a local connection to her bank. Which happened to be over a j.random ISP link, and her computer was infected, spreading to 40,000+ computers in 16+ countries in 4 hours.
Sure we should divide internal LANs with firewalls, but we also have to cooperate over the LAN borders.
It can't be solved with software or hardware, it can only be solved with policies and public hangings.