Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bad Password Allowed Swedish Watergate

Posted by ryuzaki0 on from the thats-why-my-password-is-swordfish dept.

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "

4 of 248 comments (clear)

  1. Honestly unsurprising by mendaliv · · Score: 5, Insightful

    They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.

    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

    1. Re:Honestly unsurprising by hazem · · Score: 5, Insightful

      In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

      This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.

      Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits and make a proposal. It doesn't have to be extensive. I just has to have the information needed to make a decision.

      Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe it in, you need to make a more convincing case.

      It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.

  2. Re:End user password selection by Zadaz · · Score: 5, Insightful

    And I'm sure a vast increase on post-it notes with cryptic characters stuck on monitors and backs of keyboards.

  3. Re:End user password selection by Score+Whore · · Score: 4, Insightful

    I worked as a contractor for the Air Force for a while. They had a real strong policy in place on the Windows domain with the appropriate DLLs that would disallow "weak" passwords. Weak passwords being anything less than six letters; must have three of: upper case, lower case, numbers, symbols; must be substantially different than previous passwords; must not include words in it. Except that their dictionary includes two and three letter words. So you could have a password such as '1xIf%at$3' and it would be invalid since it has two two-letter words 'if' and 'at'. When deciding to implement draconian enforcement of your policies make sure your enforcement processes aren't stupid.