Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Bad Password Allowed Swedish Watergate

Posted by CmdrTaco on Wed Sep 06, 2006 10:17 AM
from the thats-why-my-password-is-swordfish dept.
Security
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terrible weak passwords (Swedish) and a not functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge" and was "stolen" in march this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password". "
+ -
story

Related Stories

[+] Sweden's Watergate 179 comments
An anonymous reader writes, "Sweden's ruling Social Democratic Party's internal network has been illegally accessed several hundred times over a period of several months. Party treasurer Tommy Ohlstroem describes the incident as "wide-scale and systematic." Computer security company Sentor's investigation has revealed intrusions originating from computers belonging to Sweden's Liberal Party, and with the upcoming election in only two weeks many commentators are already describing this as Sweden's Watergate (Swedish only). An employee of the Young Liberals has admitted to unauthorized access, but a series of mysterious coincidences in the form of exceptionally well timed public announcements by the Liberal Party suggests the involvement of more than one person."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Bad Password Allowed Swedish Watergate 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Hmmm... (Score:3, Funny)

    by BrokenHalo (565198) on Wednesday September 06 2006, @10:23AM (#16052559)
    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".

    I would have thought a snotty-nosed 11-year-old would regard that password as not-so-hard-to-crack. Oh well, nothing to see here, move on please...

  • Incredible! (Score:5, Funny)

    by Guaranteed (998819) on Wednesday September 06 2006, @10:24AM (#16052561)
    I've got the same password on my briefcase!

  • Effective PW (Score:5, Funny)

    by oahazmatt (868057) on Wednesday September 06 2006, @10:24AM (#16052564) Journal
    Let's not forget the user who actually had a decent password.

    uid: schef
    pwd: mmborkburdyhurdymurdy

  • Many theories about leaked passwords (Score:5, Informative)

    by pipatron (966506) <pipatron@gmail.com> on Wednesday September 06 2006, @10:26AM (#16052583) Homepage
    There are atleast three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office use unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: The password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).

  • Password (Score:4, Funny)

    by Frankie70 (803801) on Wednesday September 06 2006, @10:27AM (#16052600)
    The Swedish newspaper Göterborgs-Posten reports the source of the password was a partymember who's account was "sigge" with password "sigge"

    My next password is going to be Göterborgs-Posten.
    Try cracking that.

  • Honestly unsurprising (Score:5, Insightful)

    by mendaliv (898932) on Wednesday September 06 2006, @10:27AM (#16052602)
    They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.

    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

    • Re:Honestly unsurprising (Score:4, Informative)

      by hdw (564237) on Wednesday September 06 2006, @11:05AM (#16052959)
      Well the it admin/manager _should_ catch heat for it.

      We're not talking about some small 3 person company here. We're talking a (by swedish standards) large and established political party organisation.

      If I was made responsible for running that net/service I'd ask for a security policy established by management and make sure that we followed up on it's use.

      The damage that can be inflicted on an organisation like this by one single idiot with access to that net is massive.

      If the admin is the only tech savvy enough to understand those issues then it's his or hers frikken obligation to take that issue up with management and explain what could happen.

      But should also note in this issue that gaining unathorized access to a private network is illegal, no matter how this access was achieved.

      It should be quite obvious to any of the people involved that accessing data from a rival party's internal network is a criminal offence. // hdw

        • Re: (Score:3, Interesting)

          by hdw (564237)
          Well actually been there and no.

          The normal reaction from j.random management is "erh? what? sounds good but how should it be written?"

          Then it's your problem to provide them with the needed template.
          and it has to be understood, as in 'if j random luser can gain access to your account he or she can make you look like a fool and cause severe media damage to our organisation".

          Or, "a single idiot downloading a funky screensaver can kill our entire internal network for a days".

          An IT security policy must come fro

    • Re:Honestly unsurprising (Score:5, Insightful)

      by hazem (472289) on Wednesday September 06 2006, @11:07AM (#16052971) Journal
      In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

      This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.

      Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits and make a proposal. It doesn't have to be extensive. I just has to have the information needed to make a decision.

      Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe it in, you need to make a more convincing case.

      It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.

  • End user password selection (Score:5, Informative)

    by trazom28 (134909) on Wednesday September 06 2006, @10:28AM (#16052603)
    This is all too common in many places. One company I worked for, about.. 1/3 to 1/2 of the users used some form of their name, and a number incrementation. I freaked out one who was *-18 asking him.. "so, you've been here a year and a half?" He had no idea how I did the math on that one.

    Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.

    • Re:End user password selection (Score:5, Insightful)

      by Zadaz (950521) on Wednesday September 06 2006, @10:38AM (#16052704)
      And I'm sure a vast increase on post-it notes with cryptic characters stuck on monitors and backs of keyboards.

    • Re: (Score:3, Insightful)

      by baadger (764884)
      I'd like to know why you can view user passwords in plaintext anyway....

    • Re:End user password selection (Score:5, Interesting)

      by tygerstripes (832644) on Wednesday September 06 2006, @10:54AM (#16052860)
      Can't remember where I read it (prolly /.), but there was an article that gave a very convincing argument to the effect that changing your password every month is totally without benefit. It's a common-rule-of-thumb kind of practice that has been handed down from admin to admin for years, probaby from early Unix days, and doesn't have any useful purpose anymore.

      Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).

      Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.

      • If a password gets written down, buried in a pile of paper, and thrown into the dumpster six months later, then regular password changing will prevent a breach. It will also cover up the real problem.

        If an employee leaves and goes crazy later, and if you didn't change all his passwords when he left, then a regular change policy will avoid one problem. Of course it's more likely that a problem employee will strike back immediately. Or will have planted back doors before leaving.

        Regular password changing adds

    • Re:End user password selection (Score:5, Insightful)

      by Score Whore (32328) on Wednesday September 06 2006, @11:00AM (#16052917)
      I worked as a contractor for the Air Force for a while. They had a real strong policy in place on the Windows domain with the appropriate DLLs that would disallow "weak" passwords. Weak passwords being anything less than six letters; must have three of: upper case, lower case, numbers, symbols; must be substantially different than previous passwords; must not include words in it. Except that their dictionary includes two and three letter words. So you could have a password such as '1xIf%at$3' and it would be invalid since it has two two-letter words 'if' and 'at'. When deciding to implement draconian enforcement of your policies make sure your enforcement processes aren't stupid.
    • ahh, yes More Secure.
      one system I log into at work requires "strong passwords"
      ie
        * has to be very diffrent from your last 10 passwords
        * has to have special chars
        * has to change your password every 2 months.

      the problem is I login to this system every 6 weeks.
      so every! time need to login I
        1. Call the IT desk
        2. Ask them to reset my password
        3. They Email me my password.
        4. I login

      When the password is reset there is no Idenification of me.
      They simply assume that access to my work email is valid enough

      By Increasing the level of security They have effectivly reduced the level of security to that of a seperate system (company email).

      BTW: company email pollicy is change every 6 months, incrimenal is allowed.

      Question:
      How many requests of Password resets do you get with your system?
      What method of Password distribution do you use?
      What method of verification do you use on reseting a password?

      • Re: (Score:3, Insightful)

        by Ykant (318168)

        Why does IT want to wield password policy like a club?[...]The obvious solution is to do some simple training for the employees.

        And when simple training doesn't work, you just end up beating people over the head anyway. What sense would it make to teach someone corporate policy and then not enforce it?

        "Please try to keep your password complex. Yes, I know the system allows you to set it to your puppy's name every other month, but don't, mmkay?"

        Users are often unhappy with their interaction with corpor

  • Other passwords of note. (Score:5, Funny)

    by Tackhead (54550) on Wednesday September 06 2006, @10:28AM (#16052611)
    President Scroob: 12345
    President Nixon: iam!acrook
    President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
    President Bush I: anybodybutmysons
    President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
    President Bush II: 12345
    President Quayle I: potatoe

    Don't blame me for that last one. My password was "colbertstewart2012".

  • Password? (Score:5, Interesting)

    by madshot (621087) on Wednesday September 06 2006, @10:29AM (#16052619) Homepage Journal
    Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem. Sounds like they need to hire a new IT director with a since of security. If that IT director allows passwords like that he probably also is running a firewall hosted in a Windows XP Pro machine and ICS and no service packs or hot fixes. All of the internal IP addresses are 192.168.x.x because of ICS so I'm sure the server is .1. Heck, the director might have even turned on Remote Desktop Administration on the box so he could manage it from home without a VPN and the administrator accounts password on that box is either blank, password, or god. Well, best of luck to their director or whomever is in charge of their computer network.

  • Seriously (Score:5, Informative)

    by Psionicist (561330) on Wednesday September 06 2006, @10:31AM (#16052627)
    This is non-news. What happened was a member of the Social Democrats youth section _gave_ a username and password to a former member in the Liberal Party (which are not liberal at all BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (september 17th) they use this "news" to spread some primitive form of political FUD about the opposition.

    • Re: (Score:3, Informative)

      by hdw (564237)
      Well, first off all.
      The story that he was given the password has gone a bit dry now, since it's more than one password that has been used and the alleged giver denies the fact and has sued him for defamation.

      But lets assume that that peice of story is true.

      Then handing the information over to other members of his new party isn't very smart.
      And using this information to access a rival party's internal network to download internal information several times over 9 months, and passing this information on to sen

  • Keyboard Patterning - at least it makes them think (Score:5, Interesting)

    by w33t (978574) on Wednesday September 06 2006, @10:36AM (#16052679) Homepage
    You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.

    Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.

    While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.

    for example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a stickynote on someones monitor it would discourage causual account browsing by a coworker.

    Does anyone know if brute-force methods take into account keyboard patterning?

    by the way 1al02sk93dj8 is not my accounts password - so don't even think about trying it! ;)
    • I wonder how common it is for a user to have something like "1al02sk93dj8" written on a postit on their monitor, when in fact all they have to remember about their password is that the 'sk' in the middle is really a 'RD' making their real password "1a102RD93dj8"

      This would (I imagine) wind up being significantly more secure to outside attacks (those who can't see the postit) while still being moderately secure to inside attacks (joe shmo trying to login on his console)....

      thoughts?

      • Re: (Score:3, Insightful)

        by Chazmyrr (145612)
        The fact that you can brute force an account at all is not an indicator that strong passwords are needed. It is an indication that you need to disable an account after a number of unsuccessful attempts. The determining factor for how strong the password needs to be is whether the account is disabled for a few minutes or requires an administrator to unlock it.

        If the account requires an adminstrator to unlock it after three failed attempts, nothing is gained from requiring a strong password. Any password that

  • password tips (Score:5, Funny)

    by digitalderbs (718388) on Wednesday September 06 2006, @10:37AM (#16052680)
    This is a good opportunity to outline a few tips for strong passwords. For example, I use my username twice and the number of states as my password.

  • Swedish passwords (Score:5, Funny)

    by MadFarmAnimalz (460972) on Wednesday September 06 2006, @10:43AM (#16052750) Homepage
    Yes, Swedish passwords are weak. We Danes have known this for many years; it is inevitable given that the average number of syllables per word in Swedish is 1.22 (scientific studies have shown it!).

    "sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.

    (NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)

  • Not only bad password. (Score:4, Informative)

    by Lussarn (105276) on Wednesday September 06 2006, @10:44AM (#16052758)
    From what I understand (having trouble understanding the laymensterms of daily tabloids) it was also a completely open wifi network.

  • A little joke (Score:5, Funny)

    by SlashGet (985115) on Wednesday September 06 2006, @10:53AM (#16052857) Homepage
    - What's the opposite to firewall? - Watergate

  • choosing good passwords (Score:4, Funny)

    by rice_burners_suck (243660) on Wednesday September 06 2006, @11:08AM (#16052986)
    mine is 12345. Nobody would ever guess that one. It's a password only an idiot would put on his luggage.

  • All Your Swedes (Score:5, Funny)

    by Kamiza Ikioi (893310) on Wednesday September 06 2006, @11:25AM (#16053159) Homepage
    Captain: Take off every 'sigge' !!
    Captain: You know what you doing.
    Captain: Move 'sigge'.
    Captain: For great justice.


    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"


    Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images [savethechildren.org.uk] of the Swedish Chef singing AYB.

  • Bait (Score:4, Interesting)

    by miffo.swe (547642) <(es.ellos) (ta) (leinad)> on Wednesday September 06 2006, @11:38AM (#16053262) Homepage Journal
    Many of us swedes thinks this was a planned event where the login was "leaked" to the opposition by purpouse. The swedish social democrats would probably stop at nothing to keep in power. The person who did the breakin (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and local Social Democrat Youth member in the same circuit as the journalist ( Fredrik Sjöshult )who blowed the whistle. The fact that this happened just hours after the leading party (from the polls) had his turn in the national TV is to much for it to be a coincidense.

    Ugly indee and not very democratic.

    Its like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings....oh, wait..

  • *sigh*, of course. (Score:3, Insightful)

    by SocialEngineer (673690) <invertedpanda@gmail. c o m> on Wednesday September 06 2006, @11:47AM (#16053357) Homepage

    I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on password, numerical addendums to dictionary words, just plain dictonary words ("nochance" was popular at one place I frequented).. Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.

    You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.

  • ... i wouldnt even attempt to crack it ...

    But then again, that would make it a password that is not so not-so-hard-to-crack-password ...

    • Re: (Score:3, Interesting)

      by boingo82 (932244)
      I prefer song lyrics as an endless source of good passwords. For example, suppose I like the Foo Fighters. I'll choose a song I like, say, Monkey Wrench, and choose a line, say "what do you do when all your enemies are friends?" and then get "wdydw@yeaf" for a password. If I DO have to leave a sticky on my monitor for a week after the change, it might say "monkey wrench", or "all this time to make amends" which is the preceding line. Generally enough to remind ME but not enough for Joe Average to bother gue
    • Erh, unathorized access has never been legal.

      An unlocked or even missing door doesn't save you from that.

      A web page with "Click here for access to internal informantion (don't click if you're not authorized)." is enough to bring criminal charges for unathorized access.

      There are other things that are more questionable.

      If I'm handed a link that bypasses security (and the message) then it can be hard to state that I've commited anything illegal, ie someone has to prove that I knew that I wasn't athorized.

      But b

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.