Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bad Password Allowed Swedish Watergate

Posted by ryuzaki0 on from the thats-why-my-password-is-swordfish dept.

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "

6 of 248 comments (clear)

  1. Password? by madshot · · Score: 5, Interesting

    Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem. Sounds like they need to hire a new IT director with a since of security. If that IT director allows passwords like that he probably also is running a firewall hosted in a Windows XP Pro machine and ICS and no service packs or hot fixes. All of the internal IP addresses are 192.168.x.x because of ICS so I'm sure the server is .1. Heck, the director might have even turned on Remote Desktop Administration on the box so he could manage it from home without a VPN and the administrator accounts password on that box is either blank, password, or god. Well, best of luck to their director or whomever is in charge of their computer network.

    --
    Obama = Socialism.
  2. Keyboard Patterning - at least it makes them think by w33t · · Score: 4, Interesting

    You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.

    Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.

    While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.

    for example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a stickynote on someones monitor it would discourage causual account browsing by a coworker.

    Does anyone know if brute-force methods take into account keyboard patterning?

    by the way 1al02sk93dj8 is not my accounts password - so don't even think about trying it! ;)

    --
    My Computer Music Tutorial Videos
  3. Re:End user password selection by tygerstripes · · Score: 5, Interesting
    Can't remember where I read it (prolly /.), but there was an article that gave a very convincing argument to the effect that changing your password every month is totally without benefit. It's a common-rule-of-thumb kind of practice that has been handed down from admin to admin for years, probaby from early Unix days, and doesn't have any useful purpose anymore.

    Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).

    Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.

    --
    Meta will eat itself
  4. Re:Keyboard Patterning - at least it makes them th by SatanicPuppy · · Score: 4, Interesting

    Anyone else use the post-it-on-the-monitor as a booby trap? If anyone uses the post-it password on my monitor it sets off a series of security cascades that culminates with me getting a picture of them on my phone.

    One day I hope to catch someone other than a janitor trying to surf porn. =P

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  5. Re:End user password selection by hswerdfe · · Score: 3, Interesting

    ahh, yes More Secure.
    one system I log into at work requires "strong passwords"
    ie
      * has to be very diffrent from your last 10 passwords
      * has to have special chars
      * has to change your password every 2 months.

    the problem is I login to this system every 6 weeks.
    so every! time need to login I
      1. Call the IT desk
      2. Ask them to reset my password
      3. They Email me my password.
      4. I login

    When the password is reset there is no Idenification of me.
    They simply assume that access to my work email is valid enough

    By Increasing the level of security They have effectivly reduced the level of security to that of a seperate system (company email).

    BTW: company email pollicy is change every 6 months, incrimenal is allowed.

    Question:
    How many requests of Password resets do you get with your system?
    What method of Password distribution do you use?
    What method of verification do you use on reseting a password?

    --
    --meh--
  6. Bait by miffo.swe · · Score: 3, Interesting

    Many of us swedes thinks this was a planned event where the login was "leaked" to the opposition by purpouse. The swedish social democrats would probably stop at nothing to keep in power. The person who did the breakin (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and local Social Democrat Youth member in the same circuit as the journalist ( Fredrik Sjöshult )who blowed the whistle. The fact that this happened just hours after the leading party (from the polls) had his turn in the national TV is to much for it to be a coincidense.

    Ugly indee and not very democratic.

    Its like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings....oh, wait..

    --
    HTTP/1.1 400