Slashdot Mirror


Bad Password Allowed Swedish Watergate

fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"."

25 of 248 comments

  1. Incredible! by Guaranteed · · Score: 5, Funny

    I've got the same password on my briefcase!

  2. Effective PW by oahazmatt · · Score: 5, Funny

    Let's not forget the user who actually had a decent password.

    uid: schef
    pwd: mmborkburdyhurdymurdy

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  3. Many theories about leaked passwords by pipatron · · Score: 5, Informative

    There are at least three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office uses unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: The password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).

    --
    c++; /* this makes c bigger but returns the old value */
  4. Re:Hmmm... by carpeweb · · Score: 5, Funny

    Seasoned Slashdot readers
    vs.
    snotty-nosed 11-year-old

    So, why was this not modded redundant??

    Aw, c'mon folks, let's laugh at ourselves once in a while ...

  5. Honestly unsurprising by mendaliv · · Score: 5, Insightful

    They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.

    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

    1. Re:Honestly unsurprising by hazem · · Score: 5, Insightful

      In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

      This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.

      Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits and make a proposal. It doesn't have to be extensive. It just has to have the information needed to make a decision.

      Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe in it, you need to make a more convincing case.

      It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.

  6. End user password selection by trazom28 · · Score: 4, Informative

    This is all too common in many places. One company I worked for, about.. 1/3 to 1/2 of the users used some form of their name, and a number incrementation. I freaked out one who was *-18 asking him.. "so, you've been here a year and a half?" He had no idea how I did the math on that one.

    Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.

    --
    {} ------ When I think of a good sig, I'll put it here
    1. Re:End user password selection by Zadaz · · Score: 5, Insightful

      And I'm sure a vast increase in post-it notes with cryptic characters stuck on monitors and backs of keyboards.

    2. Re:End user password selection by tygerstripes · · Score: 5, Interesting

      Can't remember where I read it (prolly /.), but there was an article that gave a very convincing argument to the effect that changing your password every month is totally without benefit. It's a common-rule-of-thumb kind of practice that has been handed down from admin to admin for years, probably from early Unix days, and doesn't have any useful purpose anymore.

      Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).

      Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.

      --
      Meta will eat itself
    3. Re:End user password selection by Score+Whore · · Score: 4, Insightful

      I worked as a contractor for the Air Force for a while. They had a real strong policy in place on the Windows domain with the appropriate DLLs that would disallow "weak" passwords. Weak passwords being anything less than six letters; must have three of: upper case, lower case, numbers, symbols; must be substantially different than previous passwords; must not include words in it. Except that their dictionary includes two and three letter words. So you could have a password such as '1xIf%at$3' and it would be invalid since it has two two-letter words 'if' and 'at'. When deciding to implement draconian enforcement of your policies make sure your enforcement processes aren't stupid.
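
The checks this sub-thread argues about (username reused as the password, last month's password with the number bumped, and a dictionary test that trips on two-letter words), sketched as an added example that is not code from any commenter or from the filter described above. The word list, the `min_word_len` parameter, the user name `jdoe` and the `Anna#18`/`Anna#19` passwords are constructed for illustration.

```python
import re

# Constructed sample word list; a real filter would load a dictionary or
# breached-password file. "if" and "at" are the short words from the comment.
WORDLIST = {"if", "at", "password", "summer", "dragon"}
MIN_WORD_LEN = 4  # assumption: dictionary words shorter than this are ignored

def char_classes(pw):
    """Count how many of lower/upper/digit/symbol appear in pw."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)

def strip_counter(pw):
    """Drop a trailing run of digits, so 'Anna#18' and 'Anna#19' compare equal."""
    return re.sub(r"\d+$", "", pw.lower())

def check_password(username, password, old_password=None, min_word_len=MIN_WORD_LEN):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    low = password.lower()
    if len(password) < 6:
        problems.append("too short")
    if char_classes(password) < 3:
        problems.append("fewer than 3 character classes")
    if username.lower() in low:
        problems.append("contains username")
    # old_password is the one the user types on the change form; stored
    # hashes of older passwords cannot be compared this way.
    if old_password and strip_counter(password) and \
            strip_counter(password) == strip_counter(old_password):
        problems.append("old password with a new number")
    hits = sorted(w for w in WORDLIST if len(w) >= min_word_len and w in low)
    if hits:
        problems.append("dictionary word: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    print(check_password("sigge", "sigge"))
    print(check_password("jdoe", "Anna#19", old_password="Anna#18"))
    print(check_password("jdoe", "1xIf%at$3", min_word_len=2))  # over-strict
    print(check_password("jdoe", "1xIf%at$3"))                  # accepted
```

With `min_word_len=2` the filter reproduces the false positive described above; the default of 4 lets the same password through while still catching the longer words.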

  7. Other passwords of note. by Tackhead · · Score: 5, Funny

    President Scroob: 12345
    President Nixon: iam!acrook
    President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
    President Bush I: anybodybutmysons
    President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
    President Bush II: 12345
    President Quayle I: potatoe

    Don't blame me for that last one. My password was "colbertstewart2012".

  8. Password? by madshot · · Score: 5, Interesting

    Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem? Sounds like they need to hire a new IT director with a sense of security. If that IT director allows passwords like that he probably also is running a firewall hosted in a Windows XP Pro machine and ICS and no service packs or hot fixes. All of the internal IP addresses are 192.168.x.x because of ICS so I'm sure the server is .1. Heck, the director might have even turned on Remote Desktop Administration on the box so he could manage it from home without a VPN and the administrator account's password on that box is either blank, password, or god. Well, best of luck to their director or whomever is in charge of their computer network.

    --
    Obama = Socialism.
  9. Seriously by Psionicist · · Score: 5, Informative

    This is non-news. What happened was a member of the Social Democrats youth section _gave_ a username and password to a former member in the Liberal Party (which are not liberal at all BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (September 17th) they use this "news" to spread some primitive form of political FUD about the opposition.

  10. Re:Hmmm... by Rob+T+Firefly · · Score: 5, Funny

    That rattling sound you hear is everyone on Slashdot changing their passwords at once.

  11. Keyboard Patterning - at least it makes them think by w33t · · Score: 4, Interesting

    You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.

    Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.

    While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.

    For example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.

    Does anyone know if brute-force methods take into account keyboard patterning?

    By the way, 1al02sk93dj8 is not my account's password - so don't even think about trying it! ;)

  12. password tips by digitalderbs · · Score: 5, Funny

    This is a good opportunity to outline a few tips for strong passwords. For example, I use my username twice and the number of states as my password.

    1. Re:password tips by digitalderbs · · Score: 5, Funny

      I, digitalderbs, Is a COMPL3TE iDiOT AND MorON!1!!111 OMG.

      I also have small reproductive organs!11!

  13. Re:Password by grazzy · · Score: 5, Funny

    Since they spelled Göteborg wrong, yeah, it'll be a damn good password.

  14. Swedish passwords by MadFarmAnimalz · · Score: 5, Funny

    Yes, Swedish passwords are weak. We Danes have known this for many years; it is inevitable given that the average number of syllables per word in Swedish is 1.22 (scientific studies have shown it!).

    "sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.

    (NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)

    --
    Blearf. Blearf, I say.
  15. A little joke by SlashGet · · Score: 5, Funny

    - What's the opposite to firewall? - Watergate

  16. Re:Stig-Olof "Sigge" Fribergs by JackBuckley · · Score: 4, Funny

    From TFA: Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter. Translation: My hovercraft is full of eels!

  17. Re:Hmmm... by beef3k · · Score: 5, Funny

    "kinda strong" eh? That should be easily crackable with a simple dictionary attack.

  18. Re:Keyboard Patterning - at least it makes them th by SatanicPuppy · · Score: 4, Interesting

    Anyone else use the post-it-on-the-monitor as a booby trap? If anyone uses the post-it password on my monitor it sets off a series of security cascades that culminates with me getting a picture of them on my phone.

    One day I hope to catch someone other than a janitor trying to surf porn. =P

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  19. All Your Swedes by Kamiza+Ikioi · · Score: 4, Funny

    Captain: Take off every 'sigge' !!
    Captain: You know what you doing.
    Captain: Move 'sigge'.
    Captain: For great justice.


    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"


    Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images of the Swedish Chef singing AYB.
    --
    I8-D
  20. Re:Hmmm... by kalirion · · Score: 5, Funny

    Pffft, nobody can guess my password, 'hunter2'. I know you only see '*******' there, but I actually typed in my real password. This is one feature I'm really glad Slashdot stole from IRC.