Bad Password Allowed Swedish Watergate
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the use of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göterborgs-Posten reports that the source of the password was a party member whose account was "sigge" with password "sigge", and that it was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".
I would have thought a snotty-nosed 11-year-old would regard that password as not-so-hard-to-crack. Oh well, nothing to see here, move on please...
I've got the same password on my briefcase!
Let's not forget the user who actually had a decent password.
uid: schef
pwd: mmborkburdyhurdymurdy
Those who believe the Internet is private,
find their privates are on the Internet.
There are at least three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office uses unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: the password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).
c++;
The Swedish newspaper Göterborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge"
My next password is going to be Göterborgs-Posten.
Try cracking that.
They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.
In the end, of course, the system administrator is going to catch heat for not having a strong password policy, even though he/she would've caught hell if one had been implemented in the first place.
This is all too common in many places. At one company I worked for, about 1/3 to 1/2 of the users used some form of their name plus an incrementing number. I freaked out one who was *-18 by asking him, "So, you've been here a year and a half?" He had no idea how I did the math on that one.
Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.
{} ------ When I think of a good sig, I'll put it here
President Nixon: iam!acrook
President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
President Bush I: anybodybutmysons
President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
President Bush II: 12345
President Quayle I: potatoe
Don't blame me for that last one. My password was "colbertstewart2012".
Here is the real question: is it a USER problem or an ADMINISTRATOR problem? Sounds like they need to hire a new IT director with a sense of security. If that IT director allows passwords like that, he probably also is running a firewall hosted on a Windows XP Pro machine with ICS and no service packs or hotfixes. All of the internal IP addresses are 192.168.x.x because of ICS, so I'm sure the server is .1.
Heck, the director might even have turned on Remote Desktop Administration on the box so he could manage it from home without a VPN, and the administrator account's password on that box is either blank, "password", or "god".
Well, best of luck to their director or whomever is in charge of their computer network.
Obama = Socialism.
This is non-news. What happened was a member of the Social Democrats' youth section _gave_ a username and password to a former member of the Liberal Party (which is not liberal at all, BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (September 17th), they use this "news" to spread some primitive form of political FUD about the opposition.
From TFA:
Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter.
Translation:
He doesn't think he's been careless with his login info.
Hasn't anyone explained to him yet how stupid and careless this was?
You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.
;)
Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.
While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.
For example, 1al02sk93dj8. I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.
Does anyone know if brute-force methods take into account keyboard patterning?
By the way, 1al02sk93dj8 is not my account's password, so don't even think about trying it!
My Computer Music Tutorial Videos
This is a good opportunity to outline a few tips for strong passwords. For example, I use my username twice and the number of states as my password.
I wonder how common it is for a user to have something like "1al02sk93dj8" written on a Post-it on their monitor, when in fact all they have to remember about their password is that the 'sk' in the middle is really 'RD', making their real password "1a102RD93dj8".
This would (I imagine) wind up being significantly more secure to outside attacks (those who can't see the postit) while still being moderately secure to inside attacks (joe shmo trying to login on his console)....
thoughts?
More data, damnit!
Yes, Swedish passwords are weak. We Danes have known this for many years; it is inevitable given that the average number of syllables per word in Swedish is 1.22 (scientific studies have shown it!).
"sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.
(NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)
Blearf. Blearf, I say.
From what I understand (having trouble understanding the layman's terms of daily tabloids), it was also a completely open wifi network.
Just to be "picky", Göterborgs-Posten should read "Göteborgsposten", after the Swedish town Göteborg.
A good solid password will have at least 7 alphanumeric characters and at least 1 non-alphanumeric. For example, don2006 is a shitty password. However, don2006$ is not. The problem you will encounter is that a basic user needs to be able to remember this password and will typically use it in more places than they should. This is impossible to manage, so the best solution is to find hard-to-crack requirements that are easy to remember. don2006$ is a reasonable password for a normal user. More advanced users who have responsibilities over more sensitive data will also be able to remember more complex passwords, or they can learn.
- What's the opposite to firewall? - Watergate
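Putting the two preceding comments together (keyboard-pattern passwords and the question of whether crackers model them, plus the seven-alphanumerics-plus-one-symbol rule): pattern-aware tools do take keyboard adjacency into account. The zxcvbn strength estimator matches spatial runs on a QWERTY layout, and common cracking wordlists already carry walks such as qwerty and 1qaz2wsx. The script below is an added example, not code from the thread or from any tool mentioned in it. It builds an adjacency graph for an assumed US QWERTY layout, measures the longest keyboard walk in a password, applies the 7+1 rule exactly as stated above, and flags the name-plus-incrementing-number habit from the earlier comment. The layout, the branching factor of six and the regex are assumptions chosen for the example.

```python
"""Password policy and keyboard-pattern checks.

Added example for this thread, not code from the original page. It implements
three things the comments discuss: the "at least 7 alphanumerics plus 1 other
character" rule, detection of keyboard walks (runs of physically adjacent keys),
and detection of the word-plus-incrementing-number habit. The US QWERTY layout,
the branching constant and the regex are assumptions chosen for the example.
"""
import re

# Unshifted US QWERTY rows (assumed layout). Each row is staggered roughly half a
# key to the right of the row above, so key i in row r sits below keys i and i+1
# of row r-1.
QWERTY_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]


def build_adjacency(rows=QWERTY_ROWS):
    """Return {key: set of physically neighbouring keys} for a staggered layout."""
    adjacency = {}
    for r, row in enumerate(rows):
        for i, key in enumerate(row):
            neighbours = [(r, i - 1), (r, i + 1),      # left, right
                          (r - 1, i), (r - 1, i + 1),  # the two keys above
                          (r + 1, i - 1), (r + 1, i)]  # the two keys below
            adjacency[key] = {rows[rr][ii] for rr, ii in neighbours
                              if 0 <= rr < len(rows) and 0 <= ii < len(rows[rr])}
    return adjacency


ADJACENCY = build_adjacency()


def longest_keyboard_walk(password):
    """Length of the longest run in which every consecutive pair of characters
    is a pair of adjacent keys. Case is ignored (shift does not move the key);
    a repeated key is not a step, and shifted symbols such as '$' break the run."""
    chars = password.lower()
    best = run = 1 if chars else 0
    for prev, cur in zip(chars, chars[1:]):
        if cur in ADJACENCY.get(prev, ()):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def walk_candidates(length, adjacency=ADJACENCY):
    """Upper bound on the number of keyboard walks of the given length a
    pattern-aware guesser has to try: any start key, then at most six
    neighbours per step (the stagger gives each key at most six)."""
    return len(adjacency) * 6 ** (length - 1)


def brute_force_candidates(length, alphabet_size=62):
    """Candidates for a blind brute force over letters and digits."""
    return alphabet_size ** length


def meets_policy(password, min_alnum=7, min_other=1):
    """The rule stated in the thread: at least 7 alphanumerics and at least
    one character that is not alphanumeric."""
    alnum = sum(c.isalnum() for c in password)
    return alnum >= min_alnum and (len(password) - alnum) >= min_other


# A word followed by up to four digits and at most two trailing symbols (assumed shape).
WORD_THEN_NUMBER = re.compile(r"^[A-Za-z]{2,}[0-9]{1,4}[^A-Za-z0-9]{0,2}$")


def looks_like_word_plus_number(password):
    """The 'name plus an incrementing number' habit described in the thread."""
    return WORD_THEN_NUMBER.match(password) is not None


def assess(password, max_walk=3):
    """Collect the findings a policy check could report for one password."""
    findings = []
    if not meets_policy(password):
        findings.append("fails the 7-alphanumeric-plus-1-symbol rule")
    walk = longest_keyboard_walk(password)
    if walk > max_walk:
        findings.append(f"contains a keyboard walk of {walk} keys")
    if looks_like_word_plus_number(password):
        findings.append("word followed by a number")
    return {"password": password, "longest_walk": walk, "findings": findings}


if __name__ == "__main__":
    for pw in ["sigge", "don2006", "don2006$", "qwerty123", "1qaz2wsx!", "1al02sk93dj8"]:
        print(assess(pw))
    print("8-key walk candidates:", walk_candidates(8),
          "vs blind brute force:", brute_force_candidates(8))
```

Run it and compare walk_candidates(8) with brute_force_candidates(8): a pattern-aware guesser needs about 1.3e7 candidates for an eight-key walk against roughly 2.2e14 for a blind alphanumeric brute force, which is why an adjacency check is worth adding to a policy. Note also that 1al02sk93dj8 passes the walk check (its keys are not pairwise adjacent) but fails the 7+1 rule, while don2006$ passes the rule and is flagged only for its word-plus-number shape.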
Anyone else use the post-it-on-the-monitor as a booby trap? If anyone uses the post-it password on my monitor it sets off a series of security cascades that culminates with me getting a picture of them on my phone.
One day I hope to catch someone other than a janitor trying to surf porn. =P
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Wouldn't that have been more appropriate for Windows Me systems...
mine is 12345. Nobody would ever guess that one. It's a password only an idiot would put on his luggage.
Nö!
Vöilà!
Nöt that that's a wörd, ör anything.
just an analog boy living in a digital age.
Captain: You know what you doing.
Captain: Move 'sigge'.
Captain: For great justice.
Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images of the Swedish Chef singing AYB.
I8-D
but your sense of humor is lacking.
I prefer the "u" in honour as it seems to be missing these days.
Many of us Swedes think this was a planned event where the login was "leaked" to the opposition on purpose. The Swedish Social Democrats would probably stop at nothing to keep in power. The person who did the break-in (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and was a local Social Democrat Youth member in the same circuit as the journalist (Fredrik Sjöshult) who blew the whistle. The fact that this happened just hours after the leading party (from the polls) had its turn on national TV is too much for it to be a coincidence.
Ugly indeed, and not very democratic.
It's like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the voting... oh, wait...
HTTP/1.1 400
I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on "password", numerical addendums to dictionary words, just plain dictionary words ("nochance" was popular at one place I frequented)... Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.
You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.
"Better to be vulgar than non-existent" -Bev Henson
Bonus, every time I type my password my favorite line from whatever song runs through my head.
As a republican I feel it my responsibility to manufacture criminals. People need punished!
Erh, unauthorized access has never been legal.
// hdw
An unlocked or even missing door doesn't save you from that.
A web page with "Click here for access to internal information (don't click if you're not authorized)." is enough to bring criminal charges for unauthorized access.
There are other things that are more questionable.
If I'm handed a link that bypasses security (and the message), then it can be hard to state that I've committed anything illegal, i.e. someone has to prove that I knew that I wasn't authorized.
But bad security by itself isn't, hasn't ever been and will never be an excuse.
Executive Pope (small) Kallisti Engineering
From Glorious...
"Oh. Password protected. Billion possible chances."
"Er..."
"Jeff."
"Hey!"
"How did you know it would be Jeff?"
"I knew there'd be a back door."
In films, the guy who made the software has always left a back door,
so he could get back in when he wanted and look at all the missiles and go, "Ooh".
And put one on his head.
"And the guy who made the software was called Jeff Jeffety Jeff, born on the first of Jeff, Nineteen-Jeffety-Jeff."
"So I put in Jeff and hey."
My suitcase goes to 11.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
The fact that you can brute force an account at all is not an indicator that strong passwords are needed. It is an indication that you need to disable the account after a number of unsuccessful attempts. The determining factor for how strong the password needs to be is whether the account is disabled for a few minutes or requires an administrator to unlock it.
If the account requires an administrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that isn't guessable in three attempts will do fine.
If the argument is that a strong password is harder to determine after the attacker has a dump of your password repository, how did the attacker get a dump of your password repository in the first place? That's like putting bars over your windows and leaving the front door open.
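To make the trade-off in the comment above concrete, here is an added example (not code from the thread) that simulates the lockout policy it describes and computes the online guess budget each variant leaves an attacker. The credentials, the guess list and the policy numbers are constructed for illustration; the model covers online attempts only.

```python
"""Account lockout and the online guess budget.

Added example for this thread, not code from the original page. It models the
policy the comment above describes: lock an account after N failed attempts,
either for a fixed cool-down or until an administrator unlocks it, and computes
how many online guesses per account per day each variant leaves an attacker.
Time is an integer number of seconds so the simulation runs offline; the
credentials, guess list and policy numbers are constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3
    cooldown_seconds: Optional[int] = 900   # None: locked until an admin unlocks it


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[int] = None
    admin_locked: bool = False


class Authenticator:
    """Toy credential store; plaintext passwords only because it is a simulation."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = dict(credentials)
        self.state = {user: AccountState() for user in credentials}

    def attempt(self, user, password, now):
        """Return 'ok', 'bad' or 'locked'. A correct password is refused while
        the account is locked, so a lucky guess inside the window learns nothing."""
        st = self.state.get(user)
        if st is None:
            return "bad"          # unknown user: same answer as a bad password
        if st.admin_locked or (st.locked_until is not None and now < st.locked_until):
            return "locked"
        if password == self.credentials[user]:
            st.failures = 0
            st.locked_until = None
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.failures = 0
            if self.policy.cooldown_seconds is None:
                st.admin_locked = True
            else:
                st.locked_until = now + self.policy.cooldown_seconds
        return "bad"


def online_guesses_per_day(policy):
    """Upper bound on guesses per account per day for an attacker who waits out
    every cool-down; with admin unlock the budget is max_failures, once."""
    if policy.cooldown_seconds is None:
        return policy.max_failures
    return (86400 // policy.cooldown_seconds) * policy.max_failures


def days_to_exhaust(wordlist_size, policy):
    """Days needed to try every entry of a wordlist against one account."""
    return math.ceil(wordlist_size / online_guesses_per_day(policy))


def simulate_online_attack(policy, user, real_password, guesses, step=1):
    """Replay a guess list against one account, waiting out each lockout.
    Returns (password found or None, seconds elapsed, guesses actually tested)."""
    auth = Authenticator(policy, {user: real_password})
    now, tested = 0, 0
    for guess in guesses:
        result = auth.attempt(user, guess, now)
        while result == "locked":
            if policy.cooldown_seconds is None:
                return None, now, tested          # admin lock: the attacker is stuck
            now = auth.state[user].locked_until   # wait for the window to expire
            result = auth.attempt(user, guess, now)
        tested += 1
        if result == "ok":
            return guess, now, tested
        now += step
    return None, now, tested


if __name__ == "__main__":
    guesses = ["password", "123456", "qwerty", "sigge"]   # constructed guess list
    for policy in (LockoutPolicy(3, 900), LockoutPolicy(3, None)):
        print(policy, online_guesses_per_day(policy), "guesses/day",
              simulate_online_attack(policy, "sigge", "sigge", guesses))
```

With three failures per 15-minute cool-down the attacker gets 288 guesses per account per day, so a 10,000-entry wordlist takes 35 days of patient retrying; with admin unlock after three failures it gets three guesses and is then stuck. The simulation also refuses a correct password while the account is locked, so a guess that happens to be right inside the window does not reveal anything, which is the detail a lockout implementation most often gets wrong.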
but I'm first!!!!
... i wouldnt even attempt to crack it ...
...
But then again, that would make it a password that is not so not-so-hard-to-crack-password
Read radical news here
If a password gets written down, buried in a pile of paper, and thrown into the dumpster six months later, then regular password changing will prevent a breach. It will also cover up the real problem.
If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.
Regular password changing adds friction to the marketplace of shared passwords. The password that A told to B to let B do one job will be invalid when B tries it long after the job is over.
It's really hard to assess the benefit of periodic password changes unless you need them for regulatory compliance, in which case the benefit is avoiding fines rather than improving security.
Using passwords is so inherently broken, though, that nothing's ever going to be really satisfactory.
"Please try to keep your password complex. Yes, I know the system allows you to set it to your puppy's name every other month, but don't, mmkay?"
When it comes down to it, IT works for the company and, like everyone else, is charged with protecting the company's interests. Where the users insist on going against the company's policy, I would hope that IT is willing to do their job. A question for you: why is the security guard at the front door so "adversarial"? Insisting on asking for ID before letting you into the building after hours. Must be his ego, right?
Spelling, grammar, punctuation? We need something that checks logic.