Slashdot Mirror


Dutch ISP Discovers 140,000 Customers With Default Password

bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."

99 comments

  1. Verizon online by Anonymous Coward · · Score: 5, Interesting

    Had to ban the password abc123 on their ADSL network years ago..

    1. Re:Verizon online by Anonymous Coward · · Score: 2, Funny

      I was there for that... I got cursed out that week by many a little old lady.

    2. Re:Verizon online by Anonymous Coward · · Score: 2, Interesting

      KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security.

      It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!

      The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password. Idiots don't learn the easy way like this. Idiots only ever learn the hard way. I don't agree with that but I respect their right to learn any way they want to. It's called freedom.

    3. Re:Verizon online by matazar · · Score: 1

      Bell Canada used to use this password and no one would ever change it. It was kind of funny being able to tell people what their password was. They've recently made slightly better passwords, but it was a good couple of years of abc123.

    4. Re:Verizon online by jones_supa · · Score: 1

      I kind of disagree. People shouldn't be unnecessarily punished for stupidity (unless it's something that harms other people). A much better idea would have been simply to have each user have some random password which they get printed at home.

    5. Re:Verizon online by CastrTroy · · Score: 1

      I bet that most of these people never even knew there was an account to begin with. If it had credit card and banking details, I'm pretty sure that the password refers to the online billing system, and not something like the PPPoE password. Most of the people probably never even logged into their account if they were even aware they had one. Basically, the ISP was completely at fault here for setting up the default password for every account to be exactly the same.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

    6. Re:Verizon online by mcgrew · · Score: 1

      It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!

      I doubt it. They'd just become part of a botnet.

      The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password.

      You confuse ignorance with stupidity. They heard about ID theft, they heard about phishing, they don't hear about weak passwords.

    7. Re:Verizon online by Klaus_1250 · · Score: 1

      An even bigger ISP in the Netherlands uses/used the very same password for people who forgot their original more secure password.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.

  2. They are lucky ACTA got rejected by Anonymous Coward · · Score: 1

    Those filthy communists enabling others to pirate through their connection would be in jail now.

  3. It's the ISP's fault by wickerprints · · Score: 5, Informative

    It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

    1. Re:It's the ISP's fault by Anonymous Coward · · Score: 5, Interesting

      Further, why was the credit/bank information displayed in full? Isn't that stuff usually masked out? I think all services that I subscribe to usually just show the last 3-4 numbers of the account information, for this reason (in case login credentials are stolen).

    2. Re:It's the ISP's fault by pipatron · · Score: 1

      They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

      Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

      --
      c++; /* this makes c bigger but returns the old value */

    3. Re:It's the ISP's fault by tlhIngan · · Score: 4, Interesting

      They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

      Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

      OTOH, I wonder if all 140,000 customers who used the default password actually USED the account? It sounds like it was a customer service portal thing - not something they normally login with. For those people, they probably managed their account by phone rather than thinking to log into the customer service portal and do all their changes there?

    4. Re:It's the ISP's fault by Anonymous Coward · · Score: 0, Troll

      They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

      Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

      Not treating your customers like irresponsible children is a sign that you respect them.

      Would you shed a tear for an automobile driver who said "gee, I didn't know what the red-line was or that revving it past the red-line could damage the engine!" No, you'd say anybody fit to drive a car should know this, if they don't then they get to go to a mechanic and pay the stupidity tax. Same deal with passwords and internet access.

    5. Re:It's the ISP's fault by knaapie · · Score: 0

      I can't believe this remark gets +5 Informative! Everyone is responsible for their own security!
      If I get a lock installed on the door of my new house, with a key that is the same as the key on 140000 other doors, guess what I am going to do next, install a new lock or wait until someone empties my house and blame the company that installed the lock.

      BTW I am a customer of the same company since a few months, and Welkom01 is not the default password anymore. It is a random string.

      --
      .sigh

    6. Re:It's the ISP's fault by ShanghaiBill · · Score: 5, Insightful

      but some people need to learn the hard way.

      Should car companies remove seat belts and airbags, so people can "learn the hard way" to avoid accidents?
      Or maybe we should be responsible professionals and design secure systems and appropriate procedures, instead of blaming our customers for our own incompetence.

    7. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      Yes. In fact, I think a big metal spike should stick out of the steering wheel. It would make for much safer drivers.

    8. Re:It's the ISP's fault by CanHasDIY · · Score: 0

      I can't believe this remark gets +5 Informative!

      I second that.

      What kind of fucked up childhood does a person have, to make them honestly believe that securing your own shit is somehow someone else's problem?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese

    9. Re:It's the ISP's fault by geekoid · · Score: 1

      what if you don't know everyone has the same key?
      Why would you even buy that lock?

      While everyone is responsible for their own security, people developing the products are responsible for good implementation; which this was not.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

    10. Re:It's the ISP's fault by Anonymous Coward · · Score: 1

      It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

      Definitely true!! Let's face it whilst us geeks will roll our eyes and groan at the stupidity of the user, we should remember that most people don't choose or want to care about complexity of security. A lock and key is a nice easy physical reminder in our daily routine that we need to keep the bad guys out, but passwords are not intuitive to our lifestyle yet. Until people become accustomed to the digital set of keys, or it becomes as easy as a set of keys, then people will rely on default passwords.

      So yes the ISP is to blame for using such common passwords, and yes we will all still leave our doors unlocked to worse still the keys in the door, but until someone comes up with a unified, but yet secure way of protecting digital access, these stories will still continue to populate /.

      In some ways I long for an apocalypse that will annihilate the digital stress in our lives and bring us back to the good 'ol days of man-traps being legal to stop burglars ;-)

    11. Re:It's the ISP's fault by stanlyb · · Score: 2

      Actually, your analogy should be: Should car companies use default password for the ignition key?

    12. Re:It's the ISP's fault by geekmux · · Score: 1

      It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

      Exactly. And when I read "major security flaw", I laughed, trying to figure out what is the larger "flaw" here. The rather blatant and obvious shortcomings you've pointed out, or the fact that there are at least 100,000 people in Holland who don't know why they should ever change their default password.

    13. Re:It's the ISP's fault by pipatron · · Score: 0

      No, they should keep the seat belts. They should keep letting people decide when to use them, and they should not be responsible for any deaths that occur if someone did not use them.

      Like letting people change their password as they should if they want to remain safe, or leave them if they want to get hurt badly in case someone hits them.

      --
      c++; /* this makes c bigger but returns the old value */

    14. Re:It's the ISP's fault by lgw · · Score: 5, Insightful

      If I get a lock installed on the door of my new house, with a key that is the same as the key on 140000 other doors, guess what I am going to do next, install a new lock or wait until someone empties my house and blame the company that installed the lock.

      Unless you went out of your way to get a special lock, the lock on the door of your house is likely trivial to defeat with a "bump key", which is pretty easy to come by and use (unlike lockpicks, which would also open your door easily, but are somewhat controlled and take a bit of practice). But you probably didn't know that, because you're not a technical expert in that area of security.

      Most people aren't a technical expert in the area of computer security, and so don't have a clue that they would need to change the password their ISP gave them. They would expect their ISP to be competent in such matters.

      --
      Socialism: a lie told by totalitarians and believed by fools.

    15. Re:It's the ISP's fault by kulnor · · Score: 1

      You mean everyone should get an Internet User License and an Insurance policy against Uninsured Users? :-)

    16. Re:It's the ISP's fault by ls671 · · Score: 1

      Would you shed a tear for an automobile driver who said "gee, I didn't know what the red-line was or that revving it past the red-line could damage the engine!" No, you'd say anybody fit to drive a car should know this, if they don't then they get to go to a mechanic and pay the stupidity tax. Same deal with passwords and internet access.

      Your car analogy is out of date and it could be used against the point you are trying to make in modern days. Nowadays, cars have "rev limiters" that will prevent going above the red line too much. I guess with a manual, sticking it in first gear at highway speed would still do the trick though.

      So "rev limiters" == better protection for drivers who do not know.

      Dummy driver goes to the dealer and says: "My car is broken, every time I go 500 rpm above the red line, my engine cuts off."

      --
      Everything I write is lies, read between the lines.

    17. Re:It's the ISP's fault by Anonymous Coward · · Score: 1

      That one is easy. In the Dutch system, they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer (cheques were phased out decades ago, credit cards are rarely used). You would have trouble paying for things or receiving payments if your bank account number was a secret there.

    18. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer

      Now what is that called, security-through-the-honor-system?

    19. Re:It's the ISP's fault by Anonymous Coward · · Score: 2, Interesting

      they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer

      Now what is that called, security-through-the-honor-system?

      Come on, try to think about it. Do you rely on keeping your house address a secret as a protection against burglary? Can anyone who knows where your house is take your stuff? Answer: no, there's a lock, with retina scan, a heavily armed robot, a shark pond (frickin lasers included).

      Why should knowing your bank account number be enough to be able to take your money out of the bank? To take money out of your account two things are needed: to know your bank account number and to BE you.

    20. Re:It's the ISP's fault by jones_supa · · Score: 2

      To refine that analogy a bit... it would be like having seat belts that in this particular car model required you to separately remember to enable the automatic locking mechanism so that it works in accidents.

    21. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      This is how it works in most of Europe.

    22. Re:It's the ISP's fault by Anonymous Coward · · Score: 1

      This. Very much this. I can give my bank account number to anyone (I'm Dutch). They can't pull money from it. They could try by faking my signature on an automatic incasso form, but I can repeal that at any time.

      To take money out of my account they either need my card and PIN (which, granted, is the 4-digit one, not the newer 6 digit one. If I had the choice, I'd pick 8 or more digits, I have no trouble remembering digits) or a very good forgery of my ID card or passport.

    23. Re:It's the ISP's fault by arth1 · · Score: 1

      Now what is that called, security-through-the-honor-system?

      No, it's called having a payer-initiated system, as opposed to the payee-initiated system we have here in the US.

      When I send money to you:
      In the US system, it starts with me sending a debit authorization to you, and your bank forwarding it on to my bank, which then debits my account and sends it to your bank
      In the European system, it starts with me telling my bank to take the money from my account and send it to your bank, where it's deposited into your account.

      One side effect of this difference is way less "float" - when I pay a bill, the money has left my account and entered yours within seconds, not days. And the banks don't get to sit on the money and earn interest rates on it.
      It also allows payers to control exactly when a bill gets paid, and when the receiver can expect it. There's no "the check is in the mail" or "wait for the payment to clear". You can't cancel a payment because it has already been made. And you can't reverse charges, because you can not debit the account of someone else. But you can cancel a recurring payment at any time - you don't have to go to the company and ask them to stop charging you, because it's all set up by you, on your end.

      This is also why cheques went the way of the dodo in the 80s and 90s in Europe - they serve little purpose when you have payer-initiated transfers.

      The comparison to mail addresses is relevant. The European system is a system where you put the recipient on the mail when you send it. The US system is like you giving the recipient your address, and they instruct FedEx to pick up your letter, without you having the details.

    24. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      And you can't reverse charges, because you can not debit the account of someone else.

      Where do you get that from? I can reverse any transaction that originated from my account.
      It has to be within 60 days and I'll be paying a fine if the charge back was without merit but it works just fine. I have used this feature multiple times when O2 Germany + Jesta tried to scam me.

    25. Re:It's the ISP's fault by geekmux · · Score: 1

      Most people aren't a technical expert in the area of computer security, and so don't have a clue that they would need to change the password their ISP gave them. They would expect their ISP to be competent in such matters.

      I'm sorry, but at some point, ignorance with basic computer functions needs to be frowned upon, not placated to. 50 years ago, hardly anyone had a password to anything. These days, it's almost impossible to find someone without at least one, and yet we're going to continue to act like people don't know what the hell they're for, or why they should change them (like, ever).

      It's one thing to not know how to set up custom firewalls and DMZ segments. It's another matter entirely if a user cannot seem to grasp why they should change their own password, regardless if anyone forces them to or not.

      Of course, the only ones who actually become educated on the value of good password practice are the users who have been hacked before, so unfortunately, the actions taken speak more to the legal liability and saving face, not common sense. Want to educate ignorant users and better our computing society? Let them get hacked.

      Then again, let's remember why customer accounts even exist today with a default password and no policy to ever force a change. Because ignorant customers want it that way.

    26. Re:It's the ISP's fault by Alumoi · · Score: 0

      I can't believe this remark gets +5 Informative!

      I second that. What kind of fucked up childhood does a person have, to make them honestly believe that securing your own shit is somehow someone else's problem?

      Most Americans?

    27. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      Well, not quite, there are ways to take money out of an account without authorisation due to the processes created to allow for automatic payments / direct debit, e.g. Paypal connected to a bank-account doesn't require a PIN or signature.
      Also in the small print you'll read that the bank is not responsible for unauthorized payments and that you will need to report unauthorized payments within a certain period, typically between two to four weeks after the unauthorized payment.

      Last year a scam used paypal to withdraw money from business accounts, they posed as interested buyers, but had 'trouble' wiring the money to the account. They then called the businesses and were able to learn amounts of the verification payments Paypal makes and were able to plunder the accounts.

    28. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      Sorry, expecting users to understand the details of the devices and services they are using is unreasonable. The right solution is for services to be secure by default.

      As other posters have mentioned, the initial passwords should have been randomized and possibly set to require a change on first login. If you want users to change passwords regularly, you require them to do so.

      There is the further problem that passwords are simply a broken concept for remote login security. Something like Mozilla's BrowserID idea would be better: the user only needs to remember their e-mail password and everything else is done via public key authentication.

    29. Re:It's the ISP's fault by arth1 · · Score: 1

      I can reverse any transaction that originated from my account.
      It has to be within 60 days and I'll be paying a fine if the charge back was without merit but it works just fine. I have used this feature multiple times when O2 Germany + Jesta tried to scam me.

      Was that a payER initiated transfer, though? I.e. did you choose to pay them, then changed your mind?
      Or was it them charging your card, in which case it was a payEE initiated transfer, like in the US?

    30. Re:It's the ISP's fault by lgw · · Score: 1

      Again, you're (likely) ignorant about basic physical security functions - most people are, and yet society does fine because physical security is a mature field, and end users simply don't need to understand any of that! Computer security needs to reach that point - the users will never get any "smarter" (generally users aren't actually dumb, they just don't care about your software).

      --
      Socialism: a lie told by totalitarians and believed by fools.

    31. Re:It's the ISP's fault by Anonymous Coward · · Score: 0

      Forcing people to change their password is not effective in this case.

      You call the help desk, tell them you want ADSL. They ask you for your name address etc. They set you up. Case closed.

      You CAN login to your private control space and change your billing address. Nice if you need to. But if you don't you won't login.

      P.S. Of the 140k accounts, 120k had the default password of "welkom01". The other 20k had logged in, changed their password..... to their username....

    32. Re:It's the ISP's fault by geekmux · · Score: 1

      Again, you're (likely) ignorant about basic physical security functions - most people are, and yet society does fine because physical security is a mature field, and end users simply don't need to understand any of that! Computer security needs to reach that point - the users will never get any "smarter" (generally users aren't actually dumb, they just don't care about your software).

      Actually, I am acutely aware of the importance of physical security. It is the primary line of defense.

      Now, perhaps you could explain to me how exactly physical security measures are going to apply to the average user who walks around with an unencrypted hard drive in their laptop (that a 10-year old could remove and copy), a cell phone (with an "unlock" button for security), and most of their personal information now stored online in webmail, facebook, twitter, picasa, etc (all secured by the same impossible-to-guess family dog password).

      Yes, physical security (encrypted drives, strong passwords, two-factor auth) is a mature field. Too bad it's unused by most of the computing population. The real problem here is users want it that way and that mentality is what needs to change, and usually the only way that mentality changes is by learning that lesson the hard way. Instead, we placate to users and cower behind threats of litigation.

      Imagine if we lived in some kind of liability-free zone, free of lawyers and political correctness, and you were given the authority to walk up and slap the shit out of anyone you found had a weak password, and continue to be allowed to do it until they complied.

      I doubt we would be having this discussion if that were the standard deterrent everywhere. (oddly enough, I just realized that the scenario above would be a form of "physical" security).

    33. Re:It's the ISP's fault by lgw · · Score: 1

      Yes, physical security (encrypted drives, strong passwords, two-factor auth) is a mature field.

      Heh, you sort of made my point for me. You're so focused on your specialty that that's what you think of when I say "physical security". You worry about personal information being stolen, but what steps did you take to prevent your actual, physical passport being stolen? Or any valuables in your house? Or your car? Most people don't understand the basics of physical security, and while there would be less crime if they did, we don't blame the victim when a crime occurs.

      --
      Socialism: a lie told by totalitarians and believed by fools.

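The thread above names the two fixes the portal needed: wickerprints' comment ("It's the ISP's fault") asks for per-account random initial passwords plus a forced change on first login, and the Anonymous Coward reply with the 120k/20k figures shows the audit problem (accounts still on "welkom01", or with the username as password). The Python below is an added example written for this page, not KPN's code or anything posted in the thread; the account record, the scrypt parameters, the 12-character minimum and the usernames are assumptions, and the default-password list takes "welkom01" from the story and the other four entries from comment 5.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shared defaults to sweep for: "welkom01" from the story, the rest from comment 5.
KNOWN_DEFAULTS = ("welkom01", "welcome01", "willkommen01", "aloha01", "benvenuto01")

# Assumed scrypt cost (16 MiB per hash); raise it to match production hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12  # assumed policy minimum for a user-chosen password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt digest; a fresh 16-byte salt per account (assumed scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time against the stored digest."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    """Hypothetical portal account record; the real schema is not on the page."""
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool


def generate_initial_password(length: int = 16) -> str:
    """Fix (1): a CSPRNG-generated password unique to this account, never a shared default."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(username: str) -> Tuple[Account, str]:
    """Create an account whose random initial password must be replaced at first login."""
    initial = generate_initial_password()
    salt, digest = hash_password(initial)
    return Account(username, salt, digest, must_change_password=True), initial


def is_acceptable(account: Account, new_password: str) -> bool:
    """Reject the shared defaults and the username-as-password case from the 20k accounts."""
    lowered = new_password.lower()
    if lowered in KNOWN_DEFAULTS or lowered == account.username.lower():
        return False
    return len(new_password) >= MIN_LENGTH


def login(account: Account, password: str) -> str:
    """Returns 'denied', 'must_change' (fix 2: forced change on first login) or 'ok'."""
    if not verify_password(password, account.salt, account.digest):
        return "denied"
    return "must_change" if account.must_change_password else "ok"


def change_password(account: Account, old: str, new: str) -> bool:
    """Rotate the credential; the must-change flag clears only on a successful change."""
    if not verify_password(old, account.salt, account.digest):
        return False
    if not is_acceptable(account, new):
        return False
    account.salt, account.digest = hash_password(new)
    account.must_change_password = False
    return True


def audit_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Defender-side sweep over existing accounts: which still verify against a shared
    default, and which use their own username? Per-account salts mean one scrypt per
    candidate per account, so this runs as a batch job, not an online check."""
    findings: Dict[str, List[str]] = {"known_default": [], "equals_username": []}
    for account in accounts:
        if any(verify_password(d, account.salt, account.digest) for d in KNOWN_DEFAULTS):
            findings["known_default"].append(account.username)
        if verify_password(account.username, account.salt, account.digest):
            findings["equals_username"].append(account.username)
    return findings


def legacy_account(username: str, password: str) -> Account:
    """Constructed pre-fix record with a caller-chosen password, for the audit demo."""
    salt, digest = hash_password(password)
    return Account(username, salt, digest, must_change_password=False)


if __name__ == "__main__":
    # Constructed sample: usernames in the postcode+house-number shape comment 13 describes.
    fleet = [legacy_account("1234AB-12", "welkom01"),
             legacy_account("5678CD-3", "5678CD-3"),
             legacy_account("9012EF-7", "Zq7!pLm3vRw9")]
    print(audit_accounts(fleet))
    acct, initial = provision("3456GH-1")
    print(login(acct, initial))
```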
  4. Once upon a time... by Mr.+Firewall · · Score: 5, Interesting

    When I was a sysadmin at a certain Bible college known for its weak security, I collected the password hashes of the students & faculty and ran them through a cracker (John the Ripper if I remember correctly), then sent out a mass email with the decrypted passwords, sorted by the amount of time it took to crack them.

    Yeah, the majority of them were cracked within five seconds. Of course, I omitted the information on just whose passwords they were.

    Dunno if it resulted in anyone actually doing something about their passwords though.

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll

    1. Re:Once upon a time... by GodfatherofSoul · · Score: 1

      OK, am I to understand you published actual passwords? That never works to motivate the technically challenged.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!

    2. Re:Once upon a time... by Mr.+Firewall · · Score: 1

      Yes, I published them. One year later.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll

    3. Re:Once upon a time... by Anonymous Coward · · Score: 1

      Why the bleep did you do that? If they had a password that could be cracked in a few thousand guesses, it'd take under a second to brute-force it from the hash - but an outside attacker trying to log in should be stopped after three guesses if the sysadmin is halfway competent. Unless you're expecting to leak the hashes, you're solving the wrong problem - and, in the process, making the real problem worse.

    4. Re:Once upon a time... by Teun · · Score: 1

      Why do you ask? It was a Bible College where everyone daily recites the 10 commandments not excluding the 8th and 10th, no need for passwords!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

    5. Re:Once upon a time... by Mr.+Firewall · · Score: 1

      Your error is in assuming that any & all attackers would be from the outside.

      Not a safe assumption.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll

  5. other common passwords found around the world by Anonymous Coward · · Score: 1

    welcome01
    willkommen01
    aloha01
    benvenuto01

  6. Well if they werent burglarized before this post.. by detain · · Score: 0

    So let me get this straight, an ISP just told us the password to 140,000 of its clients? I would seriously consider changing ISP's.

    --
    http://interserver.net/

  7. Nothing lost by belthize · · Score: 1

    They also do not believe anyone has actually been burglarized since discovering this weak spot in security.

    Sure, that's believable. It'd be bad if googling 'welkom01' turned up hits on free password sites but that'll probably never happen.

    What's particularly humorous is forcing google to not include pages from the last week. One of the first pages is this gem from 2010.

    http://www.autoitscript.com/forum/topic/118849-import-csv-file-to-add-users-in-ad/

    Almost looks like the ISP's admin asking how to make it so new accounts get the right password in a scripted fashion. There are a few other admin type questions on pages asking how to use SAMBA and other cruft that include that password.

  8. Re:Well if they werent burglarized before this pos by mr100percent · · Score: 1

    Well they are no longer the current password to those accounts, and with regards to other sites it's no less secure than someone who has a password on the top 10 most popular passwords list.

  9. burglarized??? by philofaqs · · Score: 4, Insightful

    For heaven's sake what's wrong with burgled?

    1. Re:burglarized??? by Anonymous Coward · · Score: 0

      Nothing. But there's nothing wrong with burglarized either.

    2. Re:burglarized??? by Anonymous Coward · · Score: 0

      Burgle is a back-formation from burglar. Notice that burgler is not a word, and burglar doesn't come from "one who burgles."
      While burgle may be a perfectly cromulent word in the sense that it's acknowledged by dictionaries as actually used, it's really less standard and too informal for news reports.

    3. Re:burglarized??? by philofaqs · · Score: 2

      Umm less standard? OK I'm English from England, we would never, ever say I've been burglarized, I've never even heard the word in 50 years on this planet before but Chambers says it's OK well actually not with the final D. Still I guess the verbification of a nounification etc is OK on the intertubes.

    4. Re:burglarized??? by CanHasDIY · · Score: 1

      Better than buggered, I suppose...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese

    5. Re:burglarized??? by Anonymous Coward · · Score: 0

      blagged the bookies

    6. Re:burglarized??? by mako1138 · · Score: 3, Insightful

      I guess it's American usage. We don't ever say "burgled" over here; it sounds funny.

    7. Re:burglarized??? by Anonymous Coward · · Score: 0

      Nope, it's "burglarized" that's really less standard and too informal for news reports.

    8. Re:burglarized??? by Anonymous Coward · · Score: 0

      Aha! Divided by a common language again.
      That explains why the only place I ever saw burgle was The Hobbit.

    9. Re:burglarized??? by Dishevel · · Score: 1

      I would rather be burgled than buggered.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?

    10. Re:burglarized??? by Sulphur · · Score: 1

      Burgle is a back-formation from burglar. Notice that burgler is not a word, and burglar doesn't come from "one who burgles."
      While burgle may be a perfectly cromulent word in the sense that it's acknowledged by dictionaries as actually used, it's really less standard and too informal for news reports.

      At least the cromulescence is clear.

    11. Re:burglarized??? by Anonymous Coward · · Score: 0

      'gotten burglarized' perhaps?

      I love to see what non-English speakers make of the language!

    12. Re:burglarized??? by Inda · · Score: 1

      And someone who does the deed is a burglarizer.

      Why couldn't they have picked French to bastardize (sic)?

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.

    13. Re:burglarized??? by Anonymous Coward · · Score: 0

      That has to be the stupidest made up American word I've ever heard!

      I thought it was supposed to be some sort of joke. I can't believe someone would ever say that and not start laughing.

  10. New password by Anonymous Coward · · Score: 5, Funny

    All offending passwords were changed to "welkom02." Crisis averted!

    1. Re:New password by Anonymous Coward · · Score: 0

      That was probably the advice of the overpaid security experts they hired to handle this crisis after a high school kid found out about the problem.

    2. Re:New password by Anonymous Coward · · Score: 0

      The sad thing is... They are close to being stupid enough to handle this crisis THAT way indeed.

  11. "Dear Subscribers" by bitt3n · · Score: 4, Funny

    "We have discovered you have been using default password 'welkom01'. This represents a grave security risk. Therefore, we have changed your password to 'welkom02'."

  12. Doesn't surprise me. by Anonymous Coward · · Score: 0

    I had to do some support for a satellite office in Rotterdam and they had KPN as a broadband provider in 2007. I had to deal with them a couple of times and I thought they weren't terribly good, even compared to British Telecom - which is saying something!

    Unfortunately I can't recall specifics. Just a general sense of "Arrrrghhh!"

    Love the Dutch as a people though :)

  13. and the usernames too by slashmydots · · Score: 1

    It's twice as bad as the summary makes it sound: "It seems that the Usernames were easy to guess because it was comprised of the persons zipcode + street address."
    But at least then it'd have to be targeted. What isn't clear is what the login actually does. The article says it was the "account management" login. So to use Time Warner as a comparison, I assume that means they would change the ISP-based e-mail account passwords from there and read their e-mail via a webmail interface, not to mention reset their passwords for online banking sites then verify the change via that e-mail. But to say they could retrieve their credit card numbers is ridiculous. No webpage displays all digits of a stored credit card like one on file for ISP bill payments. It's always just the last 4 digits.

  14. Damn! by evenmoreconfused · · Score: 5, Funny

    Just lost about 140K bots on my net...

    --
    No. Well...maybe. Actually, yes. It really just depends.
  15. Re:Well if they werent burglarized before this pos by causality · · Score: 1

    Well they are no longer the current password to those accounts, and with regards to other sites it's no less secure than someone who has a password on the top 10 most popular passwords list.

    Some users think passwords are a nuisance or a bother and resent having to stop and take the 2 seconds necessary to type it in. Others appreciate the safeguard that it represents and treat it accordingly. Both reap what they sow.

    There is definitely a strong overlap between that first group, and this more general (sadly widespread) mindset that ever putting any thought into anything is some kind of terrible burden to be avoided at all costs.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  16. centurylink same thing by Anonymous Coward · · Score: 0

    uses similar default passwords for pppoe authentication, mail and wireless routers... pretty much leaving everyone that doesn't do a self install (and know what they're doing) vulnerable.

    1. Re:centurylink same thing by Anonymous Coward · · Score: 0

      Which is why you don't use your local phone monopoly as your ISP.
      CenturyLink just provides me a dumb pipe.

    2. Re:centurylink same thing by Anonymous Coward · · Score: 0

      That's a shame because Qwest did a fairly decent job in terms of default passwords for the service. I'm not going to post my password, but it was substantially stronger than the ones the article refers to.

  17. Re:Tourism in Holland is going to EXPLODE by Ziekheid · · Score: 4, Insightful

    The only thing missing from your post is something about wooden shoes and windmills. Thanks for the generalization, again.
    Just for the record, it's not a normal or common thing to have sex with underage Eastern European girls here.

  18. Re:Tourism in Holland is going to EXPLODE by ZigiSamblak · · Score: 1

    Right. And we can't be any more inviting than allowing foreign people to "come in" our country.

    Can't be much more inviting than cheap pot&prostitutes and identical passwords for everybody that translate as "Welcome".

    Doesn't surprise me much... KPN is a shit company who are still benefitting from being the previously state-owned telecom provider, meaning they can milk their customer base without having to do too much about anything, including security.

  19. Re:Tourism in Holland is going to EXPLODE by formfeed · · Score: 5, Funny

    The only thing missing from your post is something about wooden shoes and windmills. Thanks for the generalization, again.

    This, and that war-driving has to be done on a bicycle.

  20. Re:Well if they werent burglarized before this pos by Anonymous Coward · · Score: 0

    Right. Now the password is 'welkom02'.

  21. My ISP by rickb928 · · Score: 1

    Cox isn't much, but I don't actually get a default account, except for email, and that is just email.

    My account info is not necessary to use service, just to automate payment, and I have to set up everything, no defaults.

    My real concern is how this ISP determined using defaults made any sense. Really?

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  22. ISP didn't discover it. by Amarantine · · Score: 5, Informative

    KPN didn't discover it themselves. An ICT company did (accidentally even), and reported the flaw to an IT site (webwereld.nl) instead of contacting KPN directly.

    Dutch link: http://tweakers.net/nieuws/82955/kpn-maakt-blunder-met-standaardwachtwoord-z-adsl-accounts.html and http://webwereld.nl/nieuws/111057/140-000-kpn-adsl-accounts-lek-door-welkom01-fail.html

  23. Passwords shamaswords by jago25_98 · · Score: 1

    Sounds like users have had it with passwords...

      or is the problem still between the keyboard and the chair?

  24. Re:Tourism in Holland is going to EXPLODE by sortius_nod · · Score: 1

    You forgot the tulips & orange!

  25. Default Frontier password by Anonymous Coward · · Score: 0

    welcome1 is the default Frontier DSL password.

    1. Re:Default Frontier password by zippthorne · · Score: 1

      It's their own fault for not making the default password a variant of "everybodygetsthispassworditsnotsecureatall" or, "IShouldChangeThisToSomethingUnique"

      --
      Can you be Even More Awesome?!
  26. weak password by kwikrick · · Score: 1

    The ISP replaced it with another weak password? What? welkom02? Why not a strong password? Strong passwords do not have to be hard to remember or type, see: http://xkcd.com/936/

    --
    assignment != equality != identity
    1. Re:weak password by wvmarle · · Score: 1

      Thanks. Now everyone please change your password from "welkom01" to "correcthorsebatterystaple" and we all have become a lot more secure!

  27. Uncromulent neologisms by Anonymous Coward · · Score: 0

    The word you are looking for is burgled.

    At least you didn't write 'gotten burglarized'...

  28. Re:Well if they werent burglarized before this pos by Bert64 · · Score: 1

    The problem is that there are simply too many sites asking for passwords these days..

    The sensible thing is obviously to use a different password everywhere, but you will never remember them and end up keeping them written down somewhere. Either somewhere inconvenient, so that you don't have access to the password when you need it, or somewhere convenient where it could more easily fall into someone else's hands.

    So people reuse passwords across sites; the problem with this is that you don't know how a given site will store your password... It might be in plain text, or using a weak algorithm... A compromise of one site (see LinkedIn) thus compromises your accounts on other sites.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  29. Great password! by XiPHiaS81 · · Score: 1

    welkom01 and welkom02 have to be great passwords. The (Dutch) company I work for gave me an internal SVN user whose password I can't change. However, they require me to change it every month (because they're very security-conscious). Since I can't do this, the account gets locked every time. When this happens, I just call the helpdesk. They will then reset the password for me. They usually provide me a new password like 'welkom01'. This, and the fact that 140,000 other people are using it, proves to me that it is one of the best passwords around.

  30. What are the odds ... by fritsd · · Score: 1

    What are the odds that they've changed 140 000 passwords to "sukkel01" now, I wonder.

    --
    To be, or not to be: isn't that quite logical, Slashdot Beta?
  31. I think you accidentally a whole word by L4t3r4lu5 · · Score: 1

    In Holland, a major ISP (KPN) has found a .

    First sentence, guys. A grammatical mistake in the First. Fucking. Sentence.

    The 9 year olds in the special school I teach for can construct full sentences. They can also read through their work and pick out mistakes. You, as paid editors, have no excuse. I don't care if this is a missing angle bracket on a tag or other technical issue; it's inexcusable.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  32. Don't underestimate industrious users by Shivetya · · Score: 1

    On a system I manage we have rules in place to prevent the reuse of passwords, simple ones like you cannot use a password you used the previous 31 times and such with limits on how often you can change them.

    Well unless we put a limit of changes that were beyond a day you can guess what many users figured out to do... Forcing users to change passwords doesn't always end up with the results you expect.

    Oh, mixed case and numbers... don't even get me started. Surveyed users on how they handled that and it's pretty hilarious at times.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
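The cycling trick hinted at in the post above, as an added example that is not part of the thread or of any real system: a toy password-history policy in Python where a "no reuse of the last 31 passwords" rule is defeated by rapid changes unless a minimum password age is enforced. The class, function names and the hashing parameters are this example's own assumptions.

```python
# Added example, not from the thread: a toy password-history policy showing
# why "no reuse of the last 31 passwords" is defeated by rapid cycling unless
# a minimum password age is enforced. Class and function names are hypothetical.
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 31      # the last 31 passwords may not be reused
ONE_DAY = 24 * 60 * 60  # minimum age in seconds, when enabled
ITERATIONS = 10_000     # kept low so the demo runs quickly


class PasswordPolicy:
    def __init__(self, min_age_seconds: int = 0):
        self.min_age = min_age_seconds
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, hash) pairs
        self.last_change = None  # epoch seconds of the last accepted change

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _in_history(self, password: str) -> bool:
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self.history)

    def change(self, password: str, now: int) -> bool:
        """Return True if the change is accepted under the policy."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return False  # too soon after the previous change
        if self._in_history(password):
            return False  # reuse of a recent password
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.last_change = now
        return True


def cycle_back(policy: PasswordPolicy, favourite: str, now: int) -> bool:
    """The trick users discover: burn through HISTORY_DEPTH throwaway
    passwords a second apart, then set the favourite again.
    Returns True if the policy lets the favourite through."""
    for i in range(HISTORY_DEPTH):
        if not policy.change(f"throwaway{i:02d}", now + i):
            return False
    return policy.change(favourite, now + HISTORY_DEPTH)
```

With `min_age_seconds=0` the history rule alone is cycled through in half a minute; with a one-day minimum age the first throwaway change is refused and the favourite stays blocked.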
  33. Re:Tourism in Holland is going to EXPLODE by Anonymous Coward · · Score: 0

    Shtop! It'sh too much!

  34. Re:Well if they werent burglarized before this pos by causality · · Score: 1

    The problem is that there are simply too many sites asking for passwords these days..

    The sensible thing is obviously to use a different password everywhere, but you will never remember them and end up keeping them written down somewhere. Either somewhere inconvenient, so that you don't have access to the password when you need it, or somewhere convenient where it could more easily fall into someone else's hands.

    So people reuse passwords across sites; the problem with this is that you don't know how a given site will store your password... It might be in plain text, or using a weak algorithm... A compromise of one site (see LinkedIn) thus compromises your accounts on other sites.

    A nice solution is to use a browser add-on (Firefox has a few like this, other browsers probably do, too) that generates a strong per-site password for you.

    The way it works is that you choose one good master password. The add-on then makes a cryptographic hash of the site's domain name and your master password. This produces a password that is unique to each site, can be safely stored without fear of compromise, and provides a high degree of entropy (looks like random characters). You only have to remember one good password.

    It's definitely a solvable problem. Most modern browsers can also store the passwords you use. This is locally insecure, unless you have a browser master password with which that database is encrypted and then decrypted only as-needed. The problem is coming up with consistently strong passwords for each unique site. That's why I like those add-ons better.

    It does not take very much determination, nor very much regard for one's own security to find that such solutions exist and are freely available. The very biggest problem with average users is that they seem to have no initiative, not even when it's their own ass that will suffer the consequences of failure.

    --
    It is a miracle that curiosity survives formal education. - Einstein
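The master-password-plus-domain scheme described in the post above, as an added example that is not part of the thread and is not the code of any of the browser add-ons mentioned: a Python derivation of a per-site password. The alphabet, the domain normalisation and the use of PBKDF2-HMAC-SHA256 with a high iteration count (rather than a single plain hash) are this example's own choices.

```python
# Added example, not from the thread or from any specific browser add-on:
# derive a per-site password from one master password plus the site's domain.
# PBKDF2-HMAC-SHA256 with a high iteration count is this example's choice;
# the add-ons in the comment may use a plain hash instead (assumption).
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"
ITERATIONS = 200_000  # slows offline guessing of the master password


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or host to a lowercase bare hostname, so that
    'https://WWW.Example.com/login' and 'example.com' derive the same password."""
    host = url_or_host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """Deterministic per-site password: nothing has to be stored, and
    different domains give unrelated outputs."""
    domain = normalize_domain(site)
    # The domain acts as the salt, so one master password yields a
    # different output for every site.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), ITERATIONS, dklen=32)
    # Map bytes onto the printable alphabet with rejection sampling, so
    # that 256 not being a multiple of len(ALPHABET) introduces no bias.
    limit = 256 - (256 % len(ALPHABET))
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)
```

Because the output is a function of the master password alone, a leaked per-site password is still worth only as much as the master password's resistance to offline guessing, which is why the slow KDF is used here.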