Bad Password Allowed Swedish Watergate
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the use of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
That's a big problem in a lot of businesses.
Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".
I would have thought a snotty-nosed 11-year-old would regard that password as not-so-hard-to-crack. Oh well, nothing to see here, move on please...
I've got the same password on my briefcase!
Let's not forget the user who actually had a decent password.
uid: schef
pwd: mmborkburdyhurdymurdy
Those who believe the Internet is private,
find their privates are on the Internet.
There are at least three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office uses an unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: the password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).
c++;
The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge"
My next password is going to be Göterborgs-Posten.
Try cracking that.
They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.
In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.
This is all too common in many places. At one company I worked for, about.. 1/3 to 1/2 of the users used some form of their name and an incrementing number. I freaked out one who was *-18 by asking him.. "so, you've been here a year and a half?" He had no idea how I did the math on that one.
Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.
{} ------ When I think of a good sig, I'll put it here
President Nixon: iam!acrook
President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
President Bush I: anybodybutmysons
President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
President Bush II: 12345
President Quayle I: potatoe
Don't blame me for that last one. My password was "colbertstewart2012".
Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem? Sounds like they need to hire a new IT director with a sense of security. If that IT director allows passwords like that, he is probably also running a firewall hosted on a Windows XP Pro machine with ICS and no service packs or hotfixes. All of the internal IP addresses are 192.168.x.x because of ICS, so I'm sure the server is .1.
Heck, the director might even have turned on Remote Desktop Administration on the box so he could manage it from home without a VPN, and the administrator account's password on that box is either blank, password, or god.
Well, best of luck to their director or whomever is in charge of their computer network.
Obama = Socialism.
This is non-news. What happened was a member of the Social Democrats' youth section _gave_ a username and password to a former member in the Liberal Party (which is not liberal at all, BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (September 17th) they use this "news" to spread some primitive form of political FUD about the opposition.
Run crack weekly on your password repository. Lock any accounts cracked. Create a web page where people can generate strong passwords, don't expect them to think them up. Have single sign on/login to reduce the numbers of passwords to remember.
From TFA:
He himself doesn't think he has handled his login details carelessly.
Translation:
He doesn't think he's been careless with his login info.
Hasn't anyone explained to him yet how stupid and careless this was?
The same guys aspire for the rulership of our country!
"Never EVER mess with a jumper you don't know about, even if it's labeled 'sex and free beer'." - Dave Haynie
You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.
;)
Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.
While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.
For example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.
Does anyone know if brute-force methods take into account keyboard patterning?
By the way, 1al02sk93dj8 is not my account's password - so don't even think about trying it!
My Computer Music Tutorial Videos
This is a good opportunity to outline a few tips for strong passwords. For example, I use my username twice and the number of states as my password.
... obviously has top of the line security!
The password could've been "password" (which used to be the default email password for one company). Back in the days of Windows NT, "hockey" was a popular password at several different companies (not sure why). Of course, "yousuck" was also a common password for a lot of Windows 95 systems at another company.
I wonder how common it is for a user to have something like "1al02sk93dj8" written on a postit on their monitor, when in fact all they have to remember about their password is that the 'sk' in the middle is really a 'RD' making their real password "1a102RD93dj8"
This would (I imagine) wind up being significantly more secure to outside attacks (those who can't see the postit) while still being moderately secure to inside attacks (joe shmo trying to login on his console)....
thoughts?
More data, damnit!
Ö, ä, ü etc are not a good idea in passwords when logging in remotely.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
You know what a bigger problem is? Posting an article that's not in English. Here's a brief article from the Inquirer, but in English at least.
Yes, Swedish passwords are weak. We Danes have known this for many years; it is inevitable given that the average number of syllables per word in Swedish is 1.22 (scientific studies have shown it!).
"sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.
(NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)
Blearf. Blearf, I say.
From what I understand (having trouble understanding the layman's terms of daily tabloids) it was also a completely open wifi network.
Just to be "picky", Göterborgs-Posten should read "Göteborgsposten", after the Swedish town Göteborg.
A good solid password will have at least 7 alpha-numeric characters and at least 1 non alpha-numeric. For example don2006 is a shitty password. However don2006$ is not. The problem you will encounter is a basic user needs to be able to remember this password and will typically use it in more places than they should. This is impossible to manage so the best solution is to find hard to crack requirements that are easy to remember. don2006$ is a reasonable password for a normal user. More advanced users who have responsibilities over more sensitive data will also be able to remember more complex passwords or they can learn.
- What's the opposite to firewall? - Watergate
dictionary attack.
I remember readily available dictionaries containing only what you'd expect to see in an off-the-shelf dictionary 15-20 years ago; then slowly they added Star Trek references, then all sci-fi/film/book references.
The dictionaries are being updated with actual passwords, so the chance of coming across your example and deviations of it is not as low as you think.
Failing that, brute forcing 8 characters is getting easier as CPU time becomes cheaper.
ERR 411[Max number of witty sigs reached]
> Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".
Like "Superman" for Lois Lane!
Signed,
A Slashdot Reader
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Duh
Anyone else use the post-it-on-the-monitor as a booby trap? If anyone uses the post-it password on my monitor it sets off a series of security cascades that culminates with me getting a picture of them on my phone.
One day I hope to catch someone other than a janitor trying to surf porn. =P
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
One of our users wrote passwords on the monitor using permanent marker. That way they never got lost when he changed location.
mine is 12345. Nobody would ever guess that one. It's a password only an idiot would put on his luggage.
I think that's a great idea
My Computer Music Tutorial Videos
https://www.grc.com/passwords.htm
I like setting up the requirements as such:
3 numbers
3 special !@#$%^&*()
5 LeTtErs
thus
Is$7Rm@A9$0
crack that and you have my respect
and my attention
....it's a media reference, right? If not, then I just laughed for no reason at all.
...hell, it's been so long since I've seen it, they might have stopped at four, for all I know.
--"The password is 1 2 3 4 5"
--"I've got the same password on my briefcase!"
Something like the strategy used by one of the characters in Tom Clancy's Executive Orders (and probably used by real spy operations, but I can't find data on that anywhere). The character in question has to give someone his phone number without actually writing his phone number down, so he wrote a number 1 digit off from his and put a dot over the number to add 1 to.
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
Captain: You know what you doing.
Captain: Move 'sigge'.
Captain: For great justice.
Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images of the Swedish Chef singing AYB.
I8-D
Has anyone with access to lots of passwords ever done a statistical analysis on them? I imagine some words would come up fairly often, just because people aren't so different from each other.
We might soon see a law stating that it ain't hacking if the security is too weak to be considered security. Ahhh, the good ol' days shall return!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If you believe the people on battle.net (especially Diablo 2), they get "hacked" by other users.
However, after talking a bit with them, you find out that:
1. they gave away their password for some unknown reason (and the "hacker" simply logged in and changed their password)
2. they installed maphack or some other shit (which can also include some other things, i.e. a keylogger)
3. they used a weak password (such as, oh, I dunno.... "password" <g>)
This, my friend, can give a bad name to ANY operating system (or program, system or whatever)... "I'm using Linux but I still get hacked, it's as bad as Windows."
but your sense of humor is lacking.
I prefer the "u" in honour as it seems to be missing these days.
I keep a handful of 6-sided dice in my desk drawer. 2 dice give 36 possibilities (26 letters, 10 numbers), or 1 password character. I tend to use the maximum allowable password length. Aside from having to remember a random string of letters and numbers, this would seem to be the most secure way of generating new passwords.
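As an added example (not code from any poster here), this Python script implements the two-dice scheme from the comment above: each pair of d6 rolls is mapped to one of 36 symbols (26 letters + 10 digits), and the entropy of the resulting password is computed so it can be compared with a guessable word like "sigge". The CSPRNG-backed `roll_password` is an assumed stand-in for physical dice.

```python
import math
import secrets

# 36 symbols: 26 lowercase letters followed by 10 digits, one per dice outcome.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def roll_to_char(d1: int, d2: int) -> str:
    """Map one pair of d6 rolls (each 1..6) to a single password character.

    Outcome index = (d1 - 1) * 6 + (d2 - 1), so the 36 ordered pairs map
    one-to-one onto the 36 symbols and every symbol is equally likely.
    """
    if not (1 <= d1 <= 6 and 1 <= d2 <= 6):
        raise ValueError("dice values must be between 1 and 6")
    return ALPHABET[(d1 - 1) * 6 + (d2 - 1)]


def password_from_rolls(rolls) -> str:
    """Turn a sequence of (d1, d2) pairs, e.g. read off real dice, into a password."""
    return "".join(roll_to_char(a, b) for a, b in rolls)


def roll_password(length: int) -> str:
    """Simulate the dice with the OS CSPRNG; same uniform distribution as real dice."""
    rolls = [(secrets.randbelow(6) + 1, secrets.randbelow(6) + 1) for _ in range(length)]
    return password_from_rolls(rolls)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Constructed example rolls: (1,1) -> 'a', (6,6) -> '9'
    print(password_from_rolls([(1, 1), (3, 4), (6, 6)]))
    pw = roll_password(12)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    # A 5-letter lowercase word from a wordlist is nowhere near 5 * log2(26) bits;
    # a wordlist of 100k entries is only ~16.6 bits.
    print(f"{entropy_bits(12):.1f} bits vs {math.log2(100_000):.1f} bits for a dictionary word")
```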
Many of us Swedes think this was a planned event where the login was "leaked" to the opposition on purpose. The Swedish Social Democrats would probably stop at nothing to keep in power. The person who did the break-in (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and a local Social Democrat Youth member in the same circuit as the journalist (Fredrik Sjöshult) who blew the whistle. The fact that this happened just hours after the leading party (from the polls) had its turn on the national TV is too much for it to be a coincidence.
Ugly indeed and not very democratic.
It's like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings....oh, wait..
HTTP/1.1 400
They could have avoided this bad password mess! http://www.psynch.com/
Why does IT want to wield password policy like a club? Are their egos so ... (nevermind)
The obvious solution is to do some simple training for the employees. I've read many effective approaches on /. which can be taught in 10-15 minutes. This can be incorporated into new employee orientation or annual Data Privacy updates.
Users are often unhappy with their interaction with corporate IT already. Why be so adversarial?
....then release Sigge for great justice!
This story is a moving target; there's new information almost every hour and what was "true" this morning is no longer true. That applies to this /.-story too:
Security firm Sentor (for some reason I associate it with badly drawn superheroes), which did the initial investigation, has found that out of four accounts used at the office, three have been used for unauthorised access. The fourth account used a secure VPN connection, while the other three were unencrypted. The office also used an unencrypted wireless connection.
Easy to crack or not, maybe the "password" used wasn't the weak link in this case. But as I said, nothing is certain at this time. And it doesn't get better with journalists running around (ab)using words they don't understand; I don't think I've ever heard someone confuse "concrete wall" with "firewall" before.
I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on password, numerical addenda to dictionary words, just plain dictionary words ("nochance" was popular at one place I frequented).. Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.
You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.
"Better to be vulgar than non-existent" -Bev Henson
Neither English nor Swedish is my mother tongue.
Everything began in Skövde [Swedish city]
In the eye of the storm is social democrat Stig-Olof Friberg. His password was the key to the FP-scandal: [FP = Folkpartiet, the "cracker party"]
"I'm enraged. Tough election tactics are ok, but they must be fair".
"In what school can you learn computer hacking that you're so good at?" - the question's asked by a longhaired boy in the class at Rudebeck school in Tidaholm, where the youth movements hold an infoday.
Johanna Nylander of the FP youth movement, LuF replies quickly, as if she'd waited for the question: "In my FP schoolworld you learn both that cracking is illegal, and to get passwords that can't be broken in 3 seconds. And that computer security is important", she adds with sharpness in her voice.
Actually Johanna Nylander wasn't supposed to visit Tidaholm today. LuF should have been represented by the now retired local guy Nicklas Lagerlöf. When the half-hour long party information is over and the hotel- and restaurant school class leave, Johanna Nylander repeats her view of the intrusion: "All politicians should take a course in how to get a working password".
So it is the fault of the Social Democrats themselves that LuF got the passwords? "I don't think Niklas knew that what he did was criminal, she says, and clarifies that she will not comment any further".
It's not a fun day to be a LuF member from Skaraborg.
About 10 miles away, outside the social democratic party district office in Skövde, Stig-Olof Friberg is standing in the September heat. He's enraged. According to him it's beyond any doubt that Niklas Lagerlöf and Per Jodenius should have known that data intrusion is illegal, no matter how the password was obtained.
"It's like stealing my car key and then driving off in my car," he says.
He doesn't think he handled his login carelessly.
"But of course, knowing the result we should have handled security better".
Now the Skövde social democrats want to leave the scandal behind and bring the election campaign into order, Stig-Olof Friberg thinks.
"Worst of it all is that this increases disenchantment with politicians. It's an attack on democracy".
--- The rest in a moment ---
Any sufficiently advanced libertarian utopia is indistinguishable from government.
I think I understand what happened. What doesn't make sense to me is how and when the responsibility shifted from the unauthorized accessor to the user with the lame password.
Yes, I understand that there are inherent security responsibilities. Like, if I don't lock my house, car, etc., my insurance company won't pay if they can prove same.
Where and when did we start blaming the victim, though? Maybe I missed the update, but I'm still operating under the impression that a crime is the fault (subset of "responsibility") of the perpetrator.
Yes, yes, this example is complex, since it's possible that the person who accessed the system without authorization may have been given the trial uname/passwd combination. It's still his/her responsibility for having logged in illicitly, whether over wire or wi-fi.
Given the Watergate analogy, it was the GOP who was responsible; they broke in. Sure, the security guards who actually saw the clues and *still* blew it were part of the problem, but there wouldn't have been a problem (or crime) if the burglars had decided to have coffee and doughnuts instead.
This is distinct, in my opinion, from the responsibility of firms who acquire private information for their own business purposes. Those concerns do, indeed, have a profound responsibility to protect that data. This case is about a private organization whose own data was raided. Yes, they could have done better. It is provable that they *should* have done better. It is not their fault for not having done better; it is the fault (and therefore the responsibility) of the cracker.
"Press to test."
(click)
"Release to detonate."
Who couldn't figure out what the hell this article was about from the summary? Go editors Go!
Is that the technical term?
"Worst of it all is that this increases disenchantment with politicians. It's an attack on democracy".
The evening sun throws long shadows over the pink facade of the FP in the center of Skövde. It's half past five, and the atmosphere in the office is relaxed, despite the circumstances. A quickly called meeting with the [local?] workgroup is just about to begin as Göteborg-Posten [article is in this paper] tells the news that Niki Westerberg has been charged[?] with a crime.
Christer Winbäck (MP) takes a deep breath and a quick step backwards, towards the wall with the cutouts from the last few days papers. The colour leaves his face, and the smalltalk about the hairdo sticks in the throat.
"That's really complete news to me", he says after a bit of silence. "I'm shocked, is that really true?"
Suddenly the meeting must start in a hurry. Christer Winbäck assures that he knew nothing about the intrusion before Sunday. And that he didn't think it was a matter of anything but the temerity of a few election-fevered youths.
"I truly do regret what has now come out. It was the last thing we needed".
Johnny Foglander, [some youth movement title] is late for the evenings meeting and has managed to be better updated than his colleagues.
"Everything feels really sad. We've been loaded for the final sprint, and then this happens".
"Are you ashamed of your party?"
"No, not of the party. But of the persons that acted unfortunately. This is a wake up call for LuF [the youth movement]. You should start considering what methods are used. What seems innocent at first can become really serious."
Any sufficiently advanced libertarian utopia is indistinguishable from government.
First, it's not unlikely this will damage the social democrats, as they tend to get a lot of votes from people who otherwise wouldn't vote at all. Those people might just as well stay home because of this. Second, They could've planned it a lot better if it was a setup -- like waiting a few more days and bringing the whole thing closer to the election. Third, they reported it to the police earlier the same day they went public with it, and they didn't close the abused accounts until somewhere that same week.
What you're doing is just throwing around (up to now) highly ungrounded speculations. It might be true, but it doesn't seem very likely from what we actually know.
And in the end, if what you're saying IS true, giving your password to someone is stupid, and in this case both evil and undemocratic. On the other hand, using that password to your advantage in an election is all of the above AND punishable with up to two years in prison. See the difference?
Erh, unauthorized access has never been legal.
// hdw
An unlocked or even missing door doesn't save you from that.
A web page with "Click here for access to internal information (don't click if you're not authorized)." is enough to bring criminal charges for unauthorized access.
There are other things that are more questionable.
If I'm handed a link that bypasses security (and the message) then it can be hard to state that I've committed anything illegal, i.e. someone has to prove that I knew that I wasn't authorized.
But bad security by itself isn't, hasn't ever been and will never be an excuse.
Executive Pope (small) Kallisti Engineering
That is a terribly weak password.
From Glorious...
"Oh. Password protected. Billion possible chances."
"Er..."
"Jeff."
"Hey!"
"How did you know it would be Jeff?"
"I knew there'd be a back door."
In films, the guy who made the software has always left a back door,
so he could get back in when he wanted and look at all the missiles and go, "Ooh".
And put one on his head.
"And the guy who made the software was called Jeff Jeffety Jeff, born on the first of Jeff, Nineteen-Jeffety-Jeff."
"So I put in Jeff and hey."
Works great at nightclubs with girls you don't like too (without the dot).
Master, teach me.
Hail Eris, full of mischief...
E pluribus sanguinem
How about this. People should use good passwords. Do I get informative too? =P
Actually it is.
You don't secure your WiFi network and someone uses it. No hacking, because it is quite possible that you deliberately keep it open. You allow anonymous FTP access to your server. Not illegal to use it, same reason.
Might be different in less free countries, but here, that's the law. Unless it does require you to bypass some kind of security mechanism (though the law does not specify just what actually IS a security mechanism. Is user: "anonymous" pass:(yourmailaddress) already a security mechanism? If not, is the default password for a WiFi router one?), it's fair game.
Of course, what happened in Sweden was illegal. Thus the "hope" that it falls back on the ruling party, which in turn just might pass a law that it ain't hacking if all you gotta do is try the "dumbest" UN/PASS combinations.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The security of any authentication system is the product of many factors. A "tight" [unbypassable] system facing brute-force has two main factors: the strength of the pw and the cost of bad guesses. ATM PINs can be very weak because the cost of bad guesses is high -- eaten card.
More along these lines should be done for computer systems so security doesn't rest on strong secrets. Increasing the cost of bad guesses is a matter of ingenuity: progressively slower response, IP banning before going to the detested acct lockout. To be sure, these are subject to DoS, but so is everything else. Always a balance.
The fact that you can brute force an account at all is not an indicator that strong passwords are needed. It is an indication that you need to disable an account after a number of unsuccessful attempts. The determining factor for how strong the password needs to be is whether the account is disabled for a few minutes or requires an administrator to unlock it.
If the account requires an administrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that isn't guessable in three attempts will do fine.
If the argument is that a strong password is harder to determine after the attacker has a dump of your password repository, how did the attacker get a dump of your password repository in the first place? That's like putting bars over your windows and leaving the front door open.
I know that in a former company, the IT department had a very hard time making the suits use strong passwords. We solved it when we were doing some research to upgrade the banking system we used to verify credit cards. There were some published standards that needed to be supported if the bank was to continue to verify credit cards for us.
What we told the suits was that if an audit was performed and a bad password was found, the credit card company could simply stop authorizing credit cards. (While this was published this way, what we didn't tell the suits was that normally the company is given a period of time to fix the problem if it fails the audit.) Since we were taking a lot of money over the Internet, the suits got paranoid and told us to implement the strongest possible security policy. We put one together, got the suits to sign off on it, entered it into the employee handbook and gave training classes on how to have strong passwords. (The suits made these classes mandatory for all employees.)
All you need to do is let them know how it could hurt them financially to not have a strong password policy and they will require the very policy you want. Knarfling
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
Ah true.
// hdw
Connecting to a beaconing, unprotected WLAN and using it to surf the net makes it very hard to prove that it was unauthorized access.
I have that problem with one of my son's computers; it prefers to connect to the unprotected gateway in the apartment below instead of the one it should, which is painful when they want to play LAN games.
But using such a connection to scan the internal network for logins and passwords is illegal.
It's hard to say that you just happened to park your car outside an opposing party's office and happened to connect to their WiFi and happened to scan their network for logins and passwords.
And no, it's the, at least currently, ruling party who is 'victim', with moronic passwords and wlan security.
Executive Pope (small) Kallisti Engineering
There are many ways to strong passwords that are very easy to remember and very hard to crack. Often, you can even write down a reminder that will remind you of the password, but make no sense whatsoever to anyone else. I will give you an example that I use all the time only as an example. ( I do not use this specific password anywhere.)
First of all, I pick a phrase that I like and will remember but may not make sense to anyone else. In one of my favorite books there is a phrase I have modified to read, "The significant owls hoots twice in the night." I take the first letter of each word to get:
Tsohtitn
With a little obfuscation I get:
T$0h2!tn
Now I have a strong password that includes upper and lower case letters, numbers and special characters. I can even write down on a sticky, "Sig owl" to remind me of the phrase. Unless anyone else knows the book I am talking about, or the phrase I use, the reminder is completely useless.
Phrases from favorite songs, books, family sayings or even company specific phrases are very good for this type of password encryption. I knew one person who even used phrases from nursery rhymes. (figuring out which phrase was used at the time and which method of obfuscation he used was what made the passwords hard to guess.)
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
One day we needed to order a part and the part-ordering guy had disappeared (as usual).
His terminal was locked.
I sat down, looked at the picture of the puppy he and his wife had adopted a few weeks earlier, and entered the puppy's name when prompted for a password - in lower case of course.
Voila. Access granted. Part ordered. The mission was saved.
Yes, I changed his password.
No, I didn't tell him.
What?
I always use the word "gullible" as my password. It's not in the dictionary.
I think you hit the nail on this one. I wish I had mod points right now. There is way too much effort going on trying to get people to use obscure passwords. The simple fact is that limiting the number of possible login tries would basically render any brute-force attack unusable, which is why we have to have complex passwords in the first place. If you see more than ten attempts, you can be pretty sure it is a brute-force attack. It could be the user him/herself trying to remember the password or it could be a malicious user. Anyway, it is a brute-force attack, and should be denied. This would be so much easier than getting everyone to use "good" passwords. I still don't get why people think it is a-okay to allow hundreds or thousands of login attempts per minute... It's not like the valid user would even type that fast.
I demand the Cone of Silence!
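As an added example (not code from any poster), here is a small Python login throttle that implements the "cost of bad guesses" idea raised in two comments above: progressively slower responses per account and per source address, followed by a lockout that expires on its own instead of needing an administrator. The account names, the address and the timeline are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class _Counter:
    failures: int = 0        # consecutive failures since last success or lockout
    not_before: float = 0.0  # earliest time a further attempt is accepted (progressive delay)
    locked_until: float = 0.0  # temporary lockout expiry; 0 means not locked


class LoginThrottle:
    """Track failures per account and per source; both must be clear for an attempt to proceed."""

    def __init__(self, max_failures=10, lockout_seconds=900.0, base_delay=1.0, max_delay=60.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._by_account = {}
        self._by_source = {}

    def _counters(self, account, source):
        return (("account", self._by_account.setdefault(account, _Counter())),
                ("source", self._by_source.setdefault(source, _Counter())))

    def check(self, account, source, now):
        """Return (allowed, reason) before the password is even looked at."""
        for label, c in self._counters(account, source):
            if now < c.locked_until:
                return False, f"{label} locked"
            if now < c.not_before:
                return False, f"{label} slowed down"
        return True, "ok"

    def record_failure(self, account, source, now):
        for _, c in self._counters(account, source):
            c.failures += 1
            # Delay doubles with each failure: 1s, 2s, 4s, ... capped at max_delay.
            c.not_before = now + min(self.base_delay * 2 ** (c.failures - 1), self.max_delay)
            if c.failures >= self.max_failures:
                c.locked_until = now + self.lockout_seconds
                c.failures = 0  # lockout clears itself; no administrator needed

    def record_success(self, account, source):
        self._by_account.pop(account, None)
        self._by_source.pop(source, None)


def attempt(throttle, account, source, password_ok, now):
    """One login attempt; returns a short outcome string for the scenario below."""
    allowed, reason = throttle.check(account, source, now)
    if not allowed:
        return reason
    if password_ok:
        throttle.record_success(account, source)
        return "login"
    throttle.record_failure(account, source, now)
    return "wrong password"


def run_scenario(events, max_failures=5, lockout_seconds=600.0):
    """Replay (time, account, source, password_ok) events and collect the outcomes."""
    throttle = LoginThrottle(max_failures=max_failures, lockout_seconds=lockout_seconds)
    return [attempt(throttle, acct, src, ok, now) for now, acct, src, ok in events]


# Constructed timeline: a guesser works through the 'sigge' account from one address,
# then a second user ('schef') tries from the same and from a different address.
ATTACKER = "203.0.113.5"
SCENARIO = [
    (0.0, "sigge", ATTACKER, False),   # first wrong guess -> must wait 1s
    (0.5, "sigge", ATTACKER, False),   # too soon -> rejected without checking the password
    (1.0, "sigge", ATTACKER, False),   # wait 2s
    (3.0, "sigge", ATTACKER, False),   # wait 4s
    (7.0, "sigge", ATTACKER, False),   # wait 8s
    (15.0, "sigge", ATTACKER, False),  # fifth failure -> account and source locked for 600s
    (16.0, "sigge", ATTACKER, True),   # even the right password is refused while locked
    (16.0, "schef", ATTACKER, True),   # other account, same address -> source lock applies
    (16.0, "schef", "198.51.100.7", True),  # other address, fresh account -> succeeds
    (620.0, "sigge", ATTACKER, True),  # lockout has expired on its own
]

if __name__ == "__main__":
    for event, outcome in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"t={event[0]:6.1f} {event[1]:6s} {event[2]:14s} -> {outcome}")
```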
It may not be obvious to non-Swedes, so FYI "sigge" is a common nickname for Sixten -- his forename.
Beware: In C++, your friends can see your privates!
Then let's hope they don't take this as an excuse to "tighten security". Sweden is one of the few countries left with at least halfway sane laws.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's just a design philosophy. I don't do it in Windows, but with linux the PAM source is easy to obtain and I code a decent number of webapps, so that authentication code is easily available to me.
I got 'sploited early in my admin career, and since then I've made it a policy to leave (documented) backdoors in the code...A changed root password automagically emails the new root password (encrypted) to the designated root administrator...This has caused issues in the past, but it's usually sellable to management. I know people who install BackOrifice on their own servers for the same purpose.
With PAM, it's pretty easy to just kludge a little conditional logic into your custom authentication to make it check for a username/password combination, and then call the apps of your choice. Catching and emailing a picture is easy. You can also route people into a honeypot, log their activities, or just give 'em the finger...Don't recommend this one for the outside world. Piss off the script kiddies only if your bandwidth and server power is unlimited.
I've got a honeypot mentality...If someone wants in, they can probably outsmart me given enough time, so I give 'em an early target...a misconfigured webapp that's "vulnerable" to sql injection, password stored in an insecure spot, an unpatched server. All that stuff is worthless if it faces the web (too many false positives) but if your primary concern is internal, it's gold.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
It was also announced today that the Paris Hilton International Computer Security School has closed its Swedish operations offices effective immediately. A spokesperson for the company declined to comment when asked for a reason behind this sudden move.
What if the Hokey Pokey really is what it's all about?
Slashdot readers would call it "a-not-so-hard-to-crack-password".
...and the more security informed slashdot readers would call it a Joe account. http://www.answers.com/topic/joe-account
I think this hurts the party that was hacked more than the hackers. Of course I don't want anyone as stupid as using "sigge" as a password to rule my country. Nowadays there is no excuse to be that computer illiterate.
No need to tighten any laws, since this is already illegal.
// hdw
Hopefully it can be used to teach two things.
1. Every company or organisation needs an IT Security policy, and they need to understand it.
2. Accessing someone else's internal information, even if the security is bad, is a criminal act.
Executive Pope (small) Kallisti Engineering
... I wouldn't even attempt to crack it ...
...
But then again, that would make it a password that is not so not-so-hard-to-crack-password
Read radical news here
After 3 companies in a row that had similar upper management that were inherently incapable of 'bothering' with logging on, we decided to get them laptops with fingerprint readers. Not as expensive as you think, and they proudly sign in with their 'high tech' printreader, and we no longer have to worry about the most sensitive laptops in the company being [easily] stolen and hacked into.
PS, who has an open WLAN at a business? Are you running it out of your college dorm room or something?
If a password gets written down, buried in a pile of paper, and thrown into the dumpster six months later, then regular password changing will prevent a breach. It will also cover up the real problem.
If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.
Regular password changing adds friction to the marketplace of shared passwords. The password that A told to B to let B do one job will be invalid when B tries it long after the job is over.
It's really hard to assess the benefit of periodic password changes unless you need them for regulatory compliance, in which case the benefit is avoiding fines rather than improving security.
Using passwords is so inherently broken, though, that nothing's ever going to be really satisfactory.
I can simply add /usr/bin/crack to my root crontab.
Deleted
The largest hole in our own (awful) password security must be this, and it has little to do with lazy users.
In our company, we must have about 50 different applications that require users to enter passwords; maybe more. Some were bought off-the-shelf, others were developed internally, and others were contracted out or written by consultants. Quite a lot of it was customized for us, or even developed entirely to our own specifications.
To the best of my knowledge, none of us has ever verified what actually happens to a password after it is entered in the login dialog. We don't do code reviews... at all. Password checking against the directory server is encouraged, to ensure that users need to remember as few passwords as possible.
So next time I log in to the financial software to file an expense note, the system may actually be mailing my password to John Doe, or to the competition. Who knows?
I wouldn't be surprised if it was 998819, if the suitcase allowed six digits of course.
Absolutely hilarious!
In Hungary, one of the leading parties is suspected of cracking the other party's server this spring.
The 'stolen' password was 'pirosvirag' == 'redflower'. Actually the logo of the cracked party is a red flower, a red carnation. Anyhow they got the password, it is still a shame.
It's luggage. The correct answer is luggage.
You better watch out, there may be dogs about . .
I do that too!
And, as I type my password, I hum along:
m i c . . . k e y . m o u s e
YMMV
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
...when everybody tapes their password on the side of the screen :)
I did once. I'd forgotten a password for a service, but I remembered the basic form of the password (how I'd constructed it, essentially.) I just didn't know the variables. So I whipped up a program and blitzed the login form with about 200 passwords.
Yes, it worked.
Of course, I did it this way because I didn't want to go through support - force-changing this particular password would, I believe, have taken a few days since it was protecting SSL signatures that only I had. I'd have had to wait several days to push new signatures. Also, said signatures were stored on my own computer anyway, so it's not like they could have enforced "disable logins after ten attempts".
Breaking Into the Industry - A development log about starting a game studio.
All of my passwords are license plate numbers from random cars I have been behind while on the freeway.
I either have a knack for remembering plates, or the fact that traffic does not move much during rush hour gives me plenty of time to memorize completely random letter and number combinations.
Given the correct approach to password security, using your own plate or your wife's plate would be a dumb idea, as well as cars that commonly appear in your parking lot at work.
Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25
First, to generate them use KeyMaker http://www.itoolpad.com/products/keymaker/
Then, to keep all of those weird, unrememberable passwords safe, try Password Guardian http://www.crypto-central.com/html/passgard.html
There are other good products out there too, but the above are free.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
No need to tighten a law has never been a reason not to tighten it. Where's the need for all those CCTVs that spring up everywhere?
From http://bash.org/?244321
hey, if you type in your pw, it will show as stars
********* see!
hunter2
doesnt look like stars to me
*******
thats what I see
oh, really?
Absolutely
you can go hunter2 my hunter2-ing hunter2
haha, does that look funny to you?
lol, yes. See, when YOU type hunter2, it shows to us as *******
thats neat, I didnt know IRC did that
yep, no matter how many times you type hunter2, it will show to us as *******
awesome!
wait, how do you know my pw?
er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
oh, ok.
Yes, I'm fairly sure that at least some dictionaries take basic patterns into account, based on first-hand experience rebuilding a client's compromised mail server after someone brute-forced their root password, "qweasdzxc".
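The two weak-password classes raised in this thread, the "Joe account" (password equals the username, as in the "sigge"/"sigge" case) and the keyboard walk (the "qweasdzxc" root password above), can both be caught before a password is ever set. Here is an added example of such a check, written for this page and not code from any poster or product mentioned here. The row strings model a US QWERTY layout, the minimum run length of three is an assumption, and the word list is a constructed stand-in for a real cracking dictionary.

```python
"""Weak-password checks: Joe accounts, dictionary words and keyboard walks.

Added example, not from any poster on this thread.  The keyboard rows model a
US QWERTY layout; the word list is constructed for the demo.
"""
from typing import Optional

# Keyboard "rows" a user can walk along.  The short column walks (q-a-z,
# w-s-x, ...) are listed too, since "qweasdzxc" is three row segments stacked.
_KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]

# Constructed mini wordlist standing in for a real cracking dictionary.
_COMMON_WORDS = {"password", "letmein", "qwerty", "123456", "hunter2"}

_MIN_RUN = 3  # shortest run of adjacent keys counted as a "walk" (assumed)


def _is_key_run(s: str) -> bool:
    """True if s is a contiguous run along one keyboard row, in either direction."""
    return any(s in row or s in row[::-1] for row in _KEY_ROWS)


def is_keyboard_walk(password: str) -> bool:
    """True if the whole password splits into runs of >= _MIN_RUN adjacent keys.

    Small dynamic programme: reachable[i] means password[:i] can be covered
    entirely by such runs.  "qweasdzxc" = "qwe" + "asd" + "zxc" -> True.
    """
    p = password.lower()
    n = len(p)
    if n < _MIN_RUN:
        return False
    reachable = [False] * (n + 1)
    reachable[0] = True
    for end in range(_MIN_RUN, n + 1):
        for start in range(0, end - _MIN_RUN + 1):
            if reachable[start] and _is_key_run(p[start:end]):
                reachable[end] = True
                break
    return reachable[n]


def is_joe_account(username: str, password: str) -> bool:
    """True if the password is the username, or the username reversed, case-insensitive."""
    u, p = username.lower(), password.lower()
    return p in (u, u[::-1])


def weak_password_reason(username: str, password: str) -> Optional[str]:
    """Return why the password is weak, or None if it passes these checks."""
    if is_joe_account(username, password):
        return "joe account: password matches username"
    if password.lower() in _COMMON_WORDS:
        return "dictionary word"
    if is_keyboard_walk(password):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    # The usernames/passwords quoted in this thread, plus a constructed one.
    for user, pw in [("sigge", "sigge"), ("root", "qweasdzxc"),
                     ("schef", "mmborkburdyhurdymurdy"), ("alice", "hunter2")]:
        print(f"{user}/{pw}: {weak_password_reason(user, pw) or 'ok'}")
```

The keyboard-walk test is deliberately strict (the entire password must be made of runs), so it rejects "qweasdzxc" and "qwerty" while leaving "mmborkburdyhurdymurdy" alone; real password-quality libraries go further and also score walks that make up only part of a password.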
This is based on the fact that a total of 3 accounts were used to access the network - all from a local Social Democrat office - while a fourth account using VPN was unused.
Also providing credibility to this is that the passwords on the accounts used are of sufficient complexity - although not commented on by the security firm because of policies.
All from the article, read more on (Swedish): http://computersweden.idg.se/2.139/1.75972
So, it's interesting how something unconfirmed and almost on an "urban legend" level turns into news.....
"If it can be thought up, there exists at least one person trying to make it happen for real" - Phil