Hacked Syrian Officials Used '12345' As Email Password
Nominei writes "The Israeli newspaper Haaretz reports that the Syrian President, aides and staffers had their email hacked by Anonymous, who leaked hundreds of emails online. Reportedly, many of the accounts used the password '12345' (which their IT department probably warned them to change when the accounts got set up, of course)."
I've got the same combination on my luggage!
I thought that everyone knew to use at least 123456 as their password. After all, that increases its security by an order of magnitude!
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
then the IT guy got taken into the alley and shot in the head for his impudence.
Seriously? People that use such easy-to-guess (and therefore pointless) passwords shouldn't even have access to anything that needs protection...
Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak; virtually no one uses strong passwords.
"If any question why we died, Tell them because our fathers lied."
Is this really 'hacking' when you guess the password?
Reminds me of the script-kiddie who 'hacked' into Sarah Palin's email account once he successfully guessed her password was 'popcorn'...
Wonder how he's doing in prison?
Ken
If a bunch of kids could hack into Syrian government email by typing "12345", you'd imagine that at least one of the big cyberwarfare or intelligence units out there - the U.S., Israel, or China - would have thought of the same trick and has already been monitoring their communications for a while. At least you'd hope so. I'd hate to think that right now there are a couple of NSA agents looking at each other and saying, "12345... hey, why didn't we think of that?"
Really, why weren't these accounts configured to expire on the first login, like most default passwords?
They are not configured to expire on the first login because most users never truly log in - they tend to access the services through point-and-drool applications that have no facilities for changing the password.
And even when they do log in, it's likely with dumbed down Windows terminal progs which for unfathomable reasons close the window immediately on disconnect, so the user won't have a chance to read why he was logged out and what to do about it.
So some admins take the easy way out and don't expire the passwords, while others spend time hand-holding the users individually, and yet others pre-generate strongish passwords for the users, but have to communicate them through untrusted media.
For what it's worth, I provided a web-based password change service for our technical users so they could change their passwords even if they never logged in to the servers. Within a year, and several reminders later, one out of over 300 users had used it.
tl;dr: You're seldom allowed to break the users' kneecaps when they fail to follow instructions.
The Syrians stole my password for everything! Now I'll have to come up with a new one.
It was just the dept staff. Looked like it was hacked through the webmail portal of mopa.gov.sy. The only thing of note was the exchange re the Barbara Walters visit. The Ministry of Presidential Affairs is basically his marketing department. Whilst one would hope they busted into this despot's email, the truth is they did no such thing.
No, 12345 is actually a very complex password for Bashar al-Assad.
Slashdot, fix the reply notifications... You won't get away with it...
Or a couple of NSA agents looking at each other and saying "shit, I've got to go change my password."
Perhaps they did. Do you seriously think that: 1. they'd let /. know and that B. they'd tell Syria when they have a free pass?
Or a couple of NSA agents looking at each other and saying "shit, now we can't read their email"
To be fair, the current Administration (NDAA) agrees with ASSad, just as long as you label them "terrorist" first ;)
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
As the hacker saw, much to his horror, that the Syrian President's e-mail password was indeed 12345, he tried to break the connection but it was too late. Word had spread and all knew that his most important hack was one that a five-year-old could have bested. A week later the hacker was found with a gun in his mouth and the numbers "12345" scrawled across his walls. His last e-mail was a simple "Who uses 12345 as a password!" Other hackers said that it was a tragedy that he would be remembered for one lame hack. Word came later that day that the Syrian President had beefed up security by using his son's name as his current password. Hackers worldwide turned away in disgust and refused to stoop to hacking someone that lacked even basic internet skills.
Some turned their attention to hacking President Obama's e-mail until it was found he used the password "Romneysucksballs". No hacker would dignify such a password with a hack. Later that day it was revealed that Bill Gates used "stevejobsisaweiner" as his password but most knew this was the case since the late 90s.
Governments will go to extreme lengths to avoid revealing when they have access to information that the "enemy" thinks is secure. The Allies went to very extreme measures to avoid tipping the Germans off that they had access to all the communications that went out on the Enigma machine. This included letting their own troops be ambushed and killed and massive use of resources and manpower to cover up when they did use the information, such as flying a hundred aerial survey missions to cover up knowing the travel path of a sea convoy.
Fool! Passwords need to be 8 digits at least. Mine is 1234567891011. It goes to 11, for extra security.
Some drink at the fountain of knowledge. Others just gargle.
The password doesn't matter if your account is at a place where everything is already readable by the Man.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The Papal and Italian agencies turn to their roots for cipher strength: IIIIIIIVV
They claim they have never allowed an ambush to cover up codebreaking in WWII, just the difficulty in diffusing this information in a covert way meant it did not always get to who needed it in time. From this, it can slowly snowball in retelling to generals and spies sending men into ambushes to cover their efforts, which is strategically retarded since it is not realistic for the enemy to notice something is amiss just because they don't get lucky in ambushes. However I think people just like the weight of the supposed situation: *movie trailer voice* "the ultimate sacrifice, to protect the ultimate secret".
When Argumentum ad Hominem falls short, try Argumentum ad Matrem
Or this approach for secure passwords. You must make it hard to guess by other people or brute force approaches, not hard to remember.
correct-horse-battery-staple
I actually try that xkcd password now on any word list I use. First...;-)
That approach is Diceware, BTW,
http://world.std.com/~reinhold/diceware.html
http://happycattech.com/book/security-applications-0 (MS Excel and OpenOffice Calc implementations)
The reason password lengths were limited is because people were retarded and storing the password in a database. Now, good policy dictates that you never store a password, only its hash and salt. The only reason to limit length is to limit the bandwidth required in case someone decides to use the unabridged works of Shakespeare as his pass phrase.
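An added example, not part of the thread, of the storage scheme the comment above describes: only a per-account salt and a derived hash are kept, so the stored record is the same size for "12345" as for a long passphrase, and the only length limit is a generous cap on input size. PBKDF2-HMAC-SHA256, the iteration count, the cap and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # PBKDF2 work factor (assumed value for this sketch)
MAX_PASSWORD_BYTES = 4096   # cap bounds request size and hashing work, not strength


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return the record to store: salt, iteration count and hash, never the password."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds input cap")
    salt = os.urandom(16)   # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw, bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample inputs: a weak password and a long passphrase.
    weak = hash_password("12345")
    long_phrase = hash_password("correct-horse-battery-staple " * 20)
    # Both stored hashes are 64 hex characters regardless of input length.
    print(len(weak["hash"]), len(long_phrase["hash"]))
    print(verify_password("12345", weak), verify_password("123456", weak))
```

Hashing does nothing for a guessable password: "12345" still verifies on the first try, so this protects the stored database, not the account.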
oh yeah, I can top that!
0n3 7w0 7hr33 f0ur fiv3
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The German air raid that almost destroyed Coventry was an example of this. The Brits knew it was coming but they also knew that the Germans were beginning to get suspicious. As a result, the British government felt that they had to let this air raid occur even though they knew many people would be killed.