Bad Password Allowed Swedish Watergate

Posted by CmdrTaco on Wed Sep 06, 2006 10:17 AM
from the thats-why-my-password-is-swordfish dept.
fredr1k writes "The Swedish Watergate reported earlier this week was possible because of the usage of terribly weak passwords (Swedish) and a non-functional IT policy. The Swedish newspaper Göterborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge" and was "stolen" in March this year. Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"."

Related Stories

[+] Sweden's Watergate 179 comments
An anonymous reader writes, "Sweden's ruling Social Democratic Party's internal network has been illegally accessed several hundred times over a period of several months. Party treasurer Tommy Ohlstroem describes the incident as "wide-scale and systematic." Computer security company Sentor's investigation has revealed intrusions originating from computers belonging to Sweden's Liberal Party, and with the upcoming election in only two weeks many commentators are already describing this as Sweden's Watergate (Swedish only). An employee of the Young Liberals has admitted to unauthorized access, but a series of mysterious coincidences in the form of exceptionally well timed public announcements by the Liberal Party suggests the involvement of more than one person."
  • Hmmm... (Score:3, Funny)

    by BrokenHalo (565198) on Wednesday September 06 2006, @10:23AM (#16052559)
    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".

    I would have thought a snotty-nosed 11-year-old would regard that password as not-so-hard-to-crack. Oh well, nothing to see here, move on please...
  • Incredible! (Score:5, Funny)

    by Guaranteed (998819) on Wednesday September 06 2006, @10:24AM (#16052561)
    I've got the same password on my briefcase!
  • Effective PW (Score:5, Funny)

    by oahazmatt (868057) on Wednesday September 06 2006, @10:24AM (#16052564)
    (http://anomalyent.com/)
    Let's not forget the user who actually had a decent password.

    uid: schef
    pwd: mmborkburdyhurdymurdy
  • Many theories about leaked passwords (Score:5, Informative)

    by pipatron (966506) <pipatron@gmail.com> on Wednesday September 06 2006, @10:26AM (#16052583)
    (http://www.vhemt.org/)
    There are at least three ways this password could have been found. a) My brother lives in the town where these passwords were leaked, and he said that their office uses unencrypted WLAN. b) The guy who presumably leaked it is in the office right next to the guy called 'Sigge'. c) As the article thinks: The password was very easy to crack. The latest rumour is that the guy who leaked the password (the left party) had a homosexual affair with the guy who *used* the password (the right party).
  • Password (Score:4, Funny)

    by Frankie70 (803801) on Wednesday September 06 2006, @10:27AM (#16052600)
    The Swedish newspaper Göterborgs-Posten reports the source of the password was a party member whose account was "sigge" with password "sigge"

    My next password is going to be Göterborgs-Posten.
    Try cracking that.
  • Honestly unsurprising (Score:5, Insightful)

    by mendaliv (898932) on Wednesday September 06 2006, @10:27AM (#16052602)
    They're politicians, not security experts. I hear about this sort of problem all the time... in my own workplace, we talk about the people on the 3rd floor with their one-character passwords and machines that are hacked into on a daily basis.

    In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.
    • Re:Honestly unsurprising (Score:4, Informative)

      by hdw (564237) on Wednesday September 06 2006, @11:05AM (#16052959)
      Well, the IT admin/manager _should_ catch heat for it.

      We're not talking about some small 3 person company here. We're talking a (by Swedish standards) large and established political party organisation.

      If I was made responsible for running that net/service I'd ask for a security policy established by management and make sure that we followed up on its use.

      The damage that can be inflicted on an organisation like this by one single idiot with access to that net is massive.

      If the admin is the only tech savvy enough to understand those issues then it's his or her frikken obligation to take that issue up with management and explain what could happen.

      But should also note in this issue that gaining unauthorized access to a private network is illegal, no matter how this access was achieved.

      It should be quite obvious to any of the people involved that accessing data from a rival party's internal network is a criminal offence. // hdw
    • Re:Honestly unsurprising (Score:5, Insightful)

      by hazem (472289) on Wednesday September 06 2006, @11:07AM (#16052971)
      (Last Journal: Tuesday October 19 2004, @06:57AM)
      In the end of course, the system administrator is going to catch heat for not having a strong password policy. Even though he/she would've caught hell if there had been one implemented in the first place.

      This is where the sysadmin has to figure out how to make a convincing argument that the suits will understand. If he thinks a strong password policy is important, that is.

      Suits aren't security experts, and they don't need to be. In fact, they're not necessarily experts in everything/anything. That's where the sysadmin needs to learn the same skills that everyone else uses to influence them. Make a case, with pros and cons, costs and benefits and make a proposal. It doesn't have to be extensive. It just has to have the information needed to make a decision.

      Then, let them make the decision. If they say "yes", then you have their backing when enforcing an unpopular policy - and they're already in the know when people complain. If they say "no"... well, you've covered your backside, or if you really believe in it, you need to make a more convincing case.

      It's not black magic... but so many IT folks are either unable or unwilling to talk to non-IT decision-makers in a way that gets them to make favorable decisions. It's an important skill.
  • End user password selection (Score:5, Informative)

    by trazom28 (134909) on Wednesday September 06 2006, @10:28AM (#16052603)
    This is all too common in many places. One company I worked for, about.. 1/3 to 1/2 of the users used some form of their name, and a number incrementation. I freaked out one who was *-18 asking him.. "so, you've been here a year and a half?" He had no idea how I did the math on that one.

    Eventually, we put in place a very, very restrictive password policy. No incrementing numbers, no password similar to last month's password, etc. You wouldn't believe the riots in the streets. But, we held firm, and eventually, the noise died down, and everyone finally is using more secure passwords.
    • Re:End user password selection (Score:5, Insightful)

      by Zadaz (950521) on Wednesday September 06 2006, @10:38AM (#16052704)
      And I'm sure a vast increase on post-it notes with cryptic characters stuck on monitors and backs of keyboards.
    • Re:End user password selection (Score:5, Interesting)

      by tygerstripes (832644) on Wednesday September 06 2006, @10:54AM (#16052860)
      Can't remember where I read it (prolly /.), but there was an article that gave a very convincing argument to the effect that changing your password every month is totally without benefit. It's a common-rule-of-thumb kind of practice that has been handed down from admin to admin for years, probably from early Unix days, and doesn't have any useful purpose anymore.

      Incremental-number passwords are an inevitable side-effect of this sort of policy and, even where password policy is more carefully implemented, the fact that average-joe users have to change it monthly anyway is a chore that WILL lead to short-cuts and, ultimately, weak passwords (or rather, associative passwords that are easy to infer after a little observation).

      Try just having a very strict policy on passwords, and scrapping the regular-change part of it. People can be imaginative and obscure once, but ask them to do it regularly and they get sloppy.

    • Re:End user password selection (Score:5, Insightful)

      by Score Whore (32328) on Wednesday September 06 2006, @11:00AM (#16052917)
      I worked as a contractor for the Air Force for a while. They had a real strong policy in place on the Windows domain with the appropriate DLLs that would disallow "weak" passwords. Weak passwords being anything less than six letters; must have three of: upper case, lower case, numbers, symbols; must be substantially different than previous passwords; must not include words in it. Except that their dictionary includes two and three letter words. So you could have a password such as '1xIf%at$3' and it would be invalid since it has two two-letter words 'if' and 'at'. When deciding to implement draconian enforcement of your policies make sure your enforcement processes aren't stupid.
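An added illustration, not code from any poster or from the filter described above: a set-time password check in Python showing how the minimum word length of the dictionary rule decides whether '1xIf%at$3' is rejected, alongside the username rule (the "sigge"/"sigge" case) and the no-incrementing-numbers rule mentioned earlier in this thread. The word list, the function names and the `min_word_len` parameter are assumptions made for the example.

```python
import re

# Constructed sample word list; a real filter would load a full dictionary.
WORDLIST = {"if", "at", "in", "on", "the", "cat",
            "hockey", "password", "swordfish"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_classes(pw):
    """Number of character classes (lower, upper, digit, symbol) present."""
    return sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)


def dictionary_hits(pw, min_word_len):
    """Dictionary words of at least min_word_len letters found inside pw."""
    low = pw.lower()
    return sorted(w for w in WORDLIST
                  if len(w) >= min_word_len and w in low)


def strip_counter(pw):
    """Drop a trailing number and its separator: 'Anders-18' -> 'anders'."""
    return re.sub(r"[\W_]*\d+$", "", pw).lower()


def check_password(candidate, username, old_password=None, min_word_len=4):
    """Return a list of policy violations; an empty list means accepted.

    min_word_len is the knob the comment above is about: with 2, the
    dictionary rule fires on 'if' and 'at' inside an otherwise random
    string; with 4, only real words are matched.
    """
    problems = []
    if len(candidate) < 6:
        problems.append("too short")
    if char_classes(candidate) < 3:
        problems.append("fewer than 3 character classes")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    if old_password is not None:
        stem = strip_counter(candidate)
        # Same stem with a different trailing number is the
        # "name plus incrementing counter" habit.
        if stem and stem == strip_counter(old_password):
            problems.append("only the counter changed")
    for word in dictionary_hits(candidate, min_word_len):
        problems.append("dictionary word: " + word)
    return problems


if __name__ == "__main__":
    # All inputs below are constructed for the demonstration.
    print(check_password("1xIf%at$3", "jdoe", min_word_len=2))
    print(check_password("1xIf%at$3", "jdoe", min_word_len=4))
    print(check_password("sigge", "sigge"))
    print(check_password("Anders-19", "bob", old_password="Anders-18"))
```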
    • Re:End user password selection (Score:4, Interesting)

      Ahh, yes, More Secure.
      One system I log into at work requires "strong passwords",
      i.e.
        * has to be very different from your last 10 passwords
        * has to have special chars
        * has to change your password every 2 months.

      The problem is I log in to this system every 6 weeks.
      So every! time I need to log in I
        1. Call the IT desk
        2. Ask them to reset my password
        3. They email me my password.
        4. I log in

      When the password is reset there is no identification of me.
      They simply assume that access to my work email is valid enough.

      By increasing the level of security they have effectively reduced the level of security to that of a separate system (company email).

      BTW: company email policy is change every 6 months, incremental is allowed.

      Question:
      How many requests for password resets do you get with your system?
      What method of password distribution do you use?
      What method of verification do you use on resetting a password?

  • Other passwords of note. (Score:5, Funny)

    by Tackhead (54550) on Wednesday September 06 2006, @10:28AM (#16052611)
    President Scroob: 12345
    President Nixon: iam!acrook
    President Clinton I: hopemyhusbanddoesntfindoutaboutthepassword
    President Bush I: anybodybutmysons
    President Clinton II: wishmyhusbandtoldmemonicawasbi8yearsago
    President Bush II: 12345
    President Quayle I: potatoe

    Don't blame me for that last one. My password was "colbertstewart2012".

  • Password? (Score:5, Interesting)

    by madshot (621087) on Wednesday September 06 2006, @10:29AM (#16052619)
    (http://www.linuxonly.net/ | Last Journal: Friday October 14 2005, @01:34PM)
    Here is the real question.. Is it a USER problem or an ADMINISTRATOR problem? Sounds like they need to hire a new IT director with a sense of security. If that IT director allows passwords like that he probably also is running a firewall hosted in a Windows XP Pro machine and ICS and no service packs or hot fixes. All of the internal IP addresses are 192.168.x.x because of ICS so I'm sure the server is .1. Heck, the director might have even turned on Remote Desktop Administration on the box so he could manage it from home without a VPN and the administrator account's password on that box is either blank, password, or god. Well, best of luck to their director or whomever is in charge of their computer network.
  • Seriously (Score:5, Informative)

    by Psionicist (561330) on Wednesday September 06 2006, @10:31AM (#16052627)
    This is non-news. What happened was a member of the Social Democrats' youth section _gave_ a username and password to a former member in the Liberal Party (which are not liberal at all BTW) youth section, around 2005! Of course, as the Social Democrats are about to lose the election (September 17th) they use this "news" to spread some primitive form of political FUD about the opposition.

  • by Colin Smith (2679) on Wednesday September 06 2006, @10:32AM (#16052634)
    Run crack weekly on your password repository. Lock any accounts cracked. Create a web page where people can generate strong passwords, don't expect them to think them up. Have single sign on/login to reduce the numbers of passwords to remember.

     
  • Stig-Olof "Sigge" Fribergs (Score:2, Interesting)

    by lillgud (951277) on Wednesday September 06 2006, @10:32AM (#16052635)
    From TFA:
    Själv tycker han inte att han handskats ovarsamt med sina inloggningsuppgifter.

    Translation:
    He doesn't think he's been careless with his login info.

    Hasn't anyone explained to him yet how stupid and careless this was?
  • by fredr1k (946815) on Wednesday September 06 2006, @10:35AM (#16052663)
    (http://www.mintv.nu/)
    The same guys aspire for the rulership of our country!
  • by w33t (978574) on Wednesday September 06 2006, @10:36AM (#16052679)
    (http://w33t.com/)
    You know, in my department we've found that a great way to introduce users to more complicated passwords is to introduce them as keyboard pattern passwords.

    Of course we have complexity requirements, but it's amazing how a user can find a way to simplify a complexity requirement. Think a user unknowledgeable, but never think a user unclever - I always say...well, actually that's the first time I've said that...back to my point.

    While these patterned passwords may not be as hard to crack as truly random passwords, they are at least non-semantic.

    For example 1al02sk93dj8 - I imagine this password is probably pretty common, but if it were scrawled on a sticky note on someone's monitor it would discourage casual account browsing by a coworker.

    Does anyone know if brute-force methods take into account keyboard patterning?

    By the way 1al02sk93dj8 is not my account's password - so don't even think about trying it! ;)
  • password tips (Score:5, Funny)

    by digitalderbs (718388) on Wednesday September 06 2006, @10:37AM (#16052680)
    This is a good opportunity to outline a few tips for strong passwords. For example, I use my username twice and the number of states as my password.
  • by creimer (824291) on Wednesday September 06 2006, @10:38AM (#16052703)
    (http://www.creimer.ws/ | Last Journal: Friday January 26 2007, @12:40PM)
    The password could've been "password" (which used to be the default email password for one company). Back in the days of Windows NT, "hockey" was a popular password at several different companies (not sure why). Of course, "yousuck" was also a common password for a lot of Windows 95 systems at another company.
  • Yes, Swedish passwords are weak. We Danes have known this for many years; it is inevitable given that the average number of syllables per word in Swedish is 1.22 (scientific studies have shown it!).

    "sigge", a duosyllabic password, is an indication that the user was a member of the upper strata of Swedish society, with Abba and Ace of Base.

    (NB: I can handle pissed off Swedes, but not moderators lacking the humor gene)
  • Not only bad password. (Score:4, Informative)

    by Lussarn (105276) on Wednesday September 06 2006, @10:44AM (#16052758)
    From what I understand (having trouble understanding the layman's terms of daily tabloids) it was also a completely open wifi network.
  • newspaper name (Score:2, Informative)

    by freddej (122902) on Wednesday September 06 2006, @10:44AM (#16052763)
    (http://mekk.com/)
    Just to be "picky", Göterborgs-Posten should read "Göteborgsposten" after the Swedish town Göteborg.
  • Solid Password examples (Score:2, Interesting)

    by RaigetheFury (1000827) on Wednesday September 06 2006, @10:52AM (#16052843)
    A good solid password will have at least 7 alpha-numeric characters and at least 1 non alpha-numeric. For example don2006 is a shitty password. However don2006$ is not. The problem you will encounter is a basic user needs to be able to remember this password and will typically use it in more places than they should. This is impossible to manage so the best solution is to find hard to crack requirements that are easy to remember. don2006$ is a reasonable password for a normal user. More advanced users who have responsibilities over more sensitive data will also be able to remember more complex passwords or they can learn.
  • A little joke (Score:5, Funny)

    by SlashGet (985115) on Wednesday September 06 2006, @10:53AM (#16052857)
    (http://gustav.egyweb.se/)
    - What's the opposite to firewall? - Watergate
  • Superhard (Score:1)

    by Impy the Impiuos Imp (442658) on Wednesday September 06 2006, @10:58AM (#16052898)
    (Last Journal: Friday January 05 2007, @12:57PM)
    > Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password".

    Like "Superman" for Lois Lane!

    Signed,

    A Slashdot Reader
  • choosing good passwords (Score:4, Funny)

    by rice_burners_suck (243660) on Wednesday September 06 2006, @11:08AM (#16052986)
    (Last Journal: Sunday November 04, @03:38AM)
    mine is 12345. Nobody would ever guess that one. It's a password only an idiot would put on his luggage.
  • Great Password Website (Score:1, Informative)

    by Anonymous Coward on Wednesday September 06 2006, @11:11AM (#16053015)
  • All Your Swedes (Score:5, Funny)

    by Kamiza Ikioi (893310) on Wednesday September 06 2006, @11:25AM (#16053159)
    (http://www.cyberarmy.net/~ikioi)
    Captain: Take off every 'sigge' !!
    Captain: You know what you doing.
    Captain: Move 'sigge'.
    Captain: For great justice.


    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"


    Seasoned Slashdot readers probably use zig:zig on BugMeNot and other "social" logins. I guess it just translates different in Sweden, kinda cute even... mental images [savethechildren.org.uk] of the Swedish Chef singing AYB.
  • by EMeta (860558) on Wednesday September 06 2006, @11:30AM (#16053200)
    Has anyone with access to lots of passwords ever done a statistical analysis on them? I imagine some words would come up fairly often, just because people aren't so different from each other.
  • by Opportunist (166417) on Wednesday September 06 2006, @11:32AM (#16053212)
    We might soon see a law stating that it ain't hacking if the security is too weak to be considered security. Ahhh, the good ol' days shall return!
  • by Yvan256 (722131) on Wednesday September 06 2006, @11:36AM (#16053244)
    (http://www.yvan256.net/)
    If you believe the people on battle.net (especially Diablo 2), they get "hacked" by other users.

    However, after talking a bit with them, you find out that:
    1. they gave away their password for some unknown reason (and the "hacker" simply logged in and changed their password)
    2. they installed maphack or some other shit (which can also include some other things, i.e. a keylogger)
    3. they used a weak password (such as, oh, I dunno.... "password" <g>)

    This, my friend, can give a bad name to ANY operating system (or program, system or whatever)... "I'm using Linux but I still get hacked, it's as bad as Windows."
  • Bait (Score:4, Interesting)

    by miffo.swe (547642) <daniel@@@solle...se> on Wednesday September 06 2006, @11:38AM (#16053262)
    (http://slashdot.org/-- | Last Journal: Thursday September 18 2003, @11:15AM)
    Many of us Swedes think this was a planned event where the login was "leaked" to the opposition on purpose. The Swedish social democrats would probably stop at nothing to keep in power. The person who did the break-in (Per Jodenius) was a former Social Democrat. This person is from the same town (Växjö) and local Social Democrat Youth member in the same circuit as the journalist (Fredrik Sjöshult) who blew the whistle. The fact that this happened just hours after the leading party (from the polls) had his turn in the national TV is too much for it to be a coincidence.

    Ugly indeed and not very democratic.

    It's like, if you hassled a country for not being democratic and then imposed sanctions on them for choosing the wrong people in the votings....oh, wait..
  • Circus in town (Score:1)

    by manwal (648106) on Wednesday September 06 2006, @11:46AM (#16053347)
    This story is a moving target; there's new information almost every hour and what was "true" this morning is no longer true. That applies to this /.-story too:

    Security firm Sentor (for some reason I associate it with badly drawn superheroes), which did the initial investigation, has found that out of four accounts used at the office, three have been used for unauthorised access. The fourth account used a Secure VPN connection, while the other three were unencrypted. The office also used an unencrypted wireless connection.

    Easy to crack or not, maybe the "password" used wasn't the weak link in this case. But as I said, nothing is certain at this time. And it doesn't get better with journalists running around (ab)using words they don't understand; I don't think I've ever heard someone confuse "concrete wall" with "firewall" before.
  • *sigh*, of course. (Score:3, Insightful)

    I've been put under some pretty inane password policies in my (limited) years on this planet. Names in reverse, 1337-variations on password, numerical addendums to dictionary words, just plain dictionary words ("nochance" was popular at one place I frequented).. Oh, and I heard from a friend who worked at Radioshack that most of the important passwords were something very, very, VERY easy. I'll leave you to figure it out.

    You know what I have been recommending recently as a password policy? Fake inventory ID tags. Put a fake inventory ID tag on each device (keyboard, mouse, monitor, tower), with a portion of the ID on one of the items at each station being the actual password. Set a login attempt limiter, which will discourage trial and error. Not only do you need physical access, you need to know the general policy to discover the password from the "inventory tags". Heck, it could just be 8 letters out of a 24-character alphanumeric. Too bad it got shot down for something "simpler" the last place I suggested it to.. ugh.

  • by infolib (618234) on Wednesday September 06 2006, @11:48AM (#16053367)
    Neither English nor Swedish is my mother tongue.

    Everything began in Skövde [Swedish city]

    In the eye of the storm is social democrat Stig-Olof Friberg. His password was the key to the FP-scandal: [FP = Folkpartiet, the "cracker party"]

    "I'm enraged. Tough election tactics are ok, but they must be fair".

    "In what school can you learn computer hacking that you're so good at?" - the question's asked by a longhaired boy in the class at Rudebeck school in Tidaholm, where the youth movements hold an infoday.

    Johanna Nylander of the FP youth movement, LuF replies quickly, as if she'd waited for the question: "In my FP schoolworld you learn both that cracking is illegal, and to get passwords that can't be broken in 3 seconds. And that computer security is important", she adds with sharpness in her voice.

    Actually Johanna Nylander wasn't supposed to visit Tidaholm today. LuF should have been represented by the now retired local guy Nicklas Lagerlöf. When the half-hour long party information is over and the hotel- and restaurant school class leave, Johanna Nylander repeats her view of the intrusion: "All politicians should take a course in how to get a working password".

    So it is the fault of the Social Democrats themselves that LuF got the passwords? "I don't think Niklas knew that what he did was criminal", she says, and clarifies that she will not comment any further.

    It's not a fun day to be LuF member from Skarsborg.

    About 10 miles away, outside the social democratic party district office in Skövde, Stig-Olof Friberg is standing in the September heat. He's enraged. According to him it's beyond any doubt that Niklas Lagerlöf and Per Jodenius should have known that data intrusion is illegal, no matter how the password was obtained.

    "It's like stealing my car key and then drive off in my car" he says.

    He doesn't think he handled his login carelessly.

    "But of course, knowing the result we should have handled security better".

    Now the Skövde social democrats want to leave the scandal and bring the election campaign into order, Stig-Olof Friberg thinks.

    "Worst of it all is that this increases disenchantment with politicians. It's an attack on democracy".

    --- The rest in a moment ---
  • I think I understand what happened. What doesn't make sense to me is how and when the responsibility shifted from the unauthorized accessor to the user with the lame password.

    Yes, I understand that there are inherent security responsibilities. Like, if I don't lock my house, car, etc., my insurance company won't pay if they can prove same.

    Where and when did we start blaming the victim, though? Maybe I missed the update, but I'm still operating under the impression that a crime is the fault (subset of "responsibility") of the perpetrator.

    Yes, yes, this example is complex, since it's possible that the person who accessed the system without authorization may have been given the trial uname/passwd combination. It's still his/her responsibility for having logged in illicitly, whether over wire or wi-fi.

    Given the Watergate analogy, it was the GOP who was responsible; they broke in. Sure, the security guards who actually saw the clues and *still* blew it were part of the problem, but there wouldn't have been a problem (or crime) if the burglars had decided to have coffee and doughnuts instead.

    This is distinct, in my opinion, from the responsibility of firms who acquire private information for their own business purposes. Those concerns do, indeed, have a profound responsibility to protect that data. This case is about a private organization whose own data was raided. Yes, they could have done better. It is provable that they *should* have done better. It is not their fault for not having done better; it is the fault (and therefore the responsibility) of the cracker.
  • Am i the only one? (Score:1)

    by benplaut (993145) on Wednesday September 06 2006, @12:01PM (#16053462)
    Who couldn't figure out what the hell this article was about from the summary? Go editors Go!
  • Technical term (Score:2)

    by amazon10x (737466) <amazon10x@ho!tm! ... nus exclamations> on Wednesday September 06 2006, @12:01PM (#16053470)
    Seasoned Slashdot readers would call it "a-not-so-hard-to-crack-password"

    Is that the technical term?
  • Ob. Eddie Izzard (Score:2)

    by wario78 (572319) on Wednesday September 06 2006, @12:32PM (#16053674)

    From Glorious [eddieizzard.com]...

    "Oh. Password protected. Billion possible chances."

    "Er..."

    "Jeff."

    "Hey!"

    "How did you know it would be Jeff?"

    "I knew there'd be a back door."

    In films, the guy who made the software has always left a back door,

    so he could get back in when he wanted and look at all the missiles and go, "Ooh".

    And put one on his head.

    "And the guy who made the software was called Jeff Jeffety Jeff, born on the first of Jeff, Nineteen-Jeffety-Jeff."

    "So I put in Jeff and hey."

  • by aquatone282 (905179) on Wednesday September 06 2006, @01:32PM (#16054141)

    One day we needed to order a part and the part-ordering guy had disappeared (as usual).

    His terminal was locked.

    I sat down, looked at the picture of the puppy he and his wife had adopted a few weeks earlier, and entered the puppy's name when prompted for a password - in lower case of course.

    Voila. Access granted. Part ordered. The mission was saved.

    Yes, I changed his password.

    No, I didn't tell him.

  • by Jugalator (259273) on Wednesday September 06 2006, @01:59PM (#16054356)
    (Last Journal: Monday February 13 2006, @07:11PM)
    It may not be obvious to non-Swedes, so FYI "sigge" is a common nickname for Sixten -- his forename.
  • In Other News... (Score:2)

    by Aqua_boy17 (962670) on Wednesday September 06 2006, @02:03PM (#16054398)
    It was also announced today that the Paris Hilton International Computer Security School has closed its Swedish operations offices effective immediately. A spokesperson for the company declined to comment when asked for a reason behind this sudden move.
  • by Engine (86689) on Wednesday September 06 2006, @02:17PM (#16054515)
    I think this hurts the party that was hacked more than the hackers. Of course I don't want anyone as stupid as using "sigge" as a password to rule my country. Nowadays it is no excuse to be that computer illiterate.