European Space Agency Records Leaked For Amusement, Attackers Say

itwbennett writes: A weekend data breach at the European Space Agency (ESA) by hackers calling themselves "Anonymous" has resulted in the release of 8,107 names, email addresses, and passwords of ESA supporters and researchers. "The leaked data highlights a troubling problem with regard to passwords used on the compromised domains," writes CSO's Steve Ragan. "Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.)."

Three characters?

[U2xhc2hkb3QgU3Vja3M]

Three characters is not enough for my luggage.

Re:

[Adriax]

I think that's the point of this piece. Our rocket scientists still can't match the password length of space fairing societies with planetary scale shielding, mega-ships capable of stripping the atmosphere off a planet in minutes, casual space travel, and speeds that are frankly ludicrous.

But there is a glimmer of hope. We are at 60%. Over half way there.

Re:

[Anonymous Coward]

It's "faring", my good man, not "fairing". A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag. Perhaps this is why all those scientists use three-character passwords; because the doubt their own ability to spell anything longer.

Re:

[Adriax]

Fail on my part. I wrote it as faring first but apparently derped when I rewrote the sentence.

Re:

[Anonymous Coward]

A "fairing" is an aerodynamic cover fitted, for example, over a high-performance motorbike to reduce drag.

Or like, you know, over the payload at the top of a rocket. Like the ESA uses.

Re:

[Anonymous Coward]

Like the mega-ships capable of stripping the atmosphere off a planet in minutes, the ESA is surrounded by assholes.

Re:

[AntiSol]

the ESA is surrounded by assholes

Clearly. I can't even find a shop on the ESA website. I was looking to buy some merchandise.

They should get into that, it's where the real money is made.

Re:

[Big Hairy Ian]

It still horrifies me that everyone's ATM Pin is just 4 characters!! Though the article does smack of "Scientists too dumb to use computers"

Re:

[Anonymous Coward]

It simply doesn't matter how long your PIN is because all current ways of stealing your card info include stealing your PIN, too.

Re:

[GuB-42]

Usually, after 3 failed attempts, the card becomes unusable.
You also typically don't choose your PIN, the bank picks a random number and mail it to you in a special envelope, separately from the card itself.

So that's really a 0.03% chance of getting it right. Not that bad considering that you also have to steal the card in the first place, use it before it is declared stolen and rendered unusable, and don't get caught by other safety measures.

Re:

[uninformedLuddite]

You can change your pin in a lot of cases. I did read somewhere once that most people change it to something stupid which enables 30% of cards to be guessed within 3 tries. Apparently only 5% of pins begin with the number 9 so that's a good start. Maybe 9999 would be clever.

Does GuB stand for Great Uncle Bulgaria?

Re:

[U2xhc2hkb3QgU3Vja3M]

AFAIK, in Canada, banks require five numbers. It's 25% more secure!

Re:

[Quirkz]

I dunno. When the first four digits of the PIN are 1, 1, 1, and 1, what are the odds that the fifth digit is going to be something else?

Re:

[ChoGGi]

I'm not sure of the minimum in Canada, but I do know my PIN is 8 chars (and no it doesn't work in the USA).

Re:

[RockDoctor]

While it's not untrue that the passwords in question are 4 or fewer characters long, it is far more significant (about 500 times more significant per digit, not that I've completely memorised my log(10) tables) that they are digits, not general purpose characters.

Re:

[Nutria]

Aren't Europeans supposed to be oh so much smarter than us rube Americans and our "they'll suck up the Sun's rays" idiocy?

Re:

[mwvdlee]

Yeah, they should atleast require some special characters like numbers and upper case to make it extra safe.
Nobody will ever guess "E5a".

Re:Three characters?

[U2xhc2hkb3QgU3Vja3M]

The woosh you're hearing is Spaceballs-1 passing over your head at ludicrous speed.

Re:

[U2xhc2hkb3QgU3Vja3M]

And what about the users with high blood pressure?

Re:

[NotInHere]

Can I use your username as password?

Re:

[mwvdlee]

I already use your username as my password.

If it is ever found on an unhashed password list, they'll simply think my password isn't on the list.

Re:

[U2xhc2hkb3QgU3Vja3M]

Not if you take the time to read my real name.

Re:

[mlts]

Use nonces instead of salts for less sodium?

Re:

[GuB-42]

If your password is "esa", "469" or "123", even the best salt/hash. Script kiddies could crack these in seconds, and that's if you use really strong crypto. With a reasonable hash/salt scheme and advanced attackers, you can get down to microseconds.

Re:

[geantvert]

And the fact that the leak contains so many 3 character passwords is probably a sign that this is exactly what happened.
The hackers probably got access to a database containing salted passwords.
The leak is just the output of a password cracker applied to that database.

What I find more problematic is that people where authorized to use a password with only 3 characters.

Any system I worked on during the last 20 years would never allow that.

Re:

[SharpFang]

They wouldn't find the generated 24-char ones.
Either the passwords were stored in plaintext or easily crackable crypt (unlikely), or the hackers hijacked the login system and collected the passwords as they were used for login.

Re:

[sims 2]

Yeah even netflix requires 4 characters. You can even use 0000 as a password if you want.

Re:

[cheater512]

To be fair, salted hashes provide no additional benefit if the password is 3 characters long. A brute force would still get them pretty much instantly.

Sometimes security isn't desired.

[Anonymous Coward]

Before you get all hysterical over weak passwords, please consider that three letter passwords are usually open secrets. In these cases security isn't desired, but because of policy, still needs to paid lip service. It happens at EVERY organization.

The question is whether the policy is reasonable and necessary.

Re:

[__aaclcg7560]

Most of the Fortune 500 companies I've worked at that had a shared user account still required a password with a minimum of eight characters, one upper character, one lower character, and one symbol. The ESA examples shows no minimum requirements whatsoever.

Re:

[mlts]

Even operating systems have a minimum character password demand for over a decade. Windows Server 2008 and newer have always required password complexity rules (uppercase, lower case, number, symbol), and at least 8 characters by default. Similar with non-root users and Linux.

For bonus points...

[__aaclcg7560]

My college instructor for Linux Admin informed the class that the password to his Redhat Linux server was 26 characters long, doesn't start with the letter 'a' and doesn't end with the letter 'z'. Bonus points for creating an algorithm that prints out all the possible variations with permissible characters. Automatic expulsion if anyone attempts to login into server. During his ten years of teaching Linux, only one student took him up on the challenge to write an algorithm and his password was in the result

Re: For bonus points...

[mistr]

But after paying the cost of the printout, the student went bankrupt and had to quit his studies

Re:

[__aaclcg7560]

The student submitted his algorithm and the resulting printout in text files on a floppy disk. No trees were sacrifice for this academic exercise.

Re:

[__aaclcg7560]

The characters didn't repeat, which narrows down the number of possibilities. Thanks for reminding me. The algorithm and printout were submitted as text files on a floppy disk.

Re:

[geantvert]

Hardly! 25^26 = 2.2e+36 is only a bit smaller than 26^26 = 6.1e+36

If all characters were different then the number of possibilities would still be in the range of 26! ~= 4e26
This is quite smaller but still too large to fit on a floppy or on a modern HD (or even on the whole internet)

A program running on a 10Ghz CPU that would enumerate one solution per cycle would need 1.26 billion years to complete.

So there was probably more restrictions.

Re:

[__aaclcg7560]

That probably explains why only one student ever attempted to write the algorithm.

Re:

[narcc]

I think you were sold a bill of goods. My guess? Your instructor lied about the attempt to trick his math-challenged students in to wasting a lot of time.

Re:

[__aaclcg7560]

You're probably right. Most of those math-challenged students became Java programmers.

Re:

[Gr8Apes]

You're probably right. Most of those math-challenged students became Java programmers.

The rest post on /.

Re:

[wile_e_wonka]

From TFA: "Based on the posted list, an unfortunate detail becomes rather clear; either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database."

Low opinion of ESA?

[Crowd Computing]

Perhaps more damaging is the claim it was done for amusement: "Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest."

ISIS and Trump at least deserved some sort of mass attack.

Re:Low opinion of ESA?

[Solandri]

ISIS and Trump at least deserved some sort of mass attack.

ISIS deserves to be hacked because they are out there killing innocent people.

Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

The acid test for supporting the First Amendment isn't whether you'll stand up to defend the right of people you agree with to speak their opinion. It's whether you'll stand up to defend the right of people saying things you find reprehensible to speak their opinion. When I was growing up, the concept behind the First Amendment was often summarized as, "I disagree with what you say, but I will defend to the death your right to say it." At some point this has morphed into, "I disagree with what I say, and I will do everything I can to stop you from saying it as long as I don't get in trouble for it." That's a very dangerous slippery slope to start sliding down.

Re:

[rahvin112]

Trump, for all the stupid things he's said, has not committed a crime.

Lol, yea right. He's committed crime, lots of it. He's just never been convicted for any of it.

Re:

[fahrbot-bot]

Trump, for all the stupid things he's said, has not committed a crime. The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

Like the things Trump has been saying about and proposing to do with/to Mexicans and Muslims? Or was that your point?

Re:

[bmo]

The moment you start dehumanizing people who haven't committed a crime, deciding that it's OK to do bad things to them just because you disagree with them, and they're not worthy of the same rights and protections you give to people you agree with, you've started using the same reasoning ISIS uses to justify what they do.

So you mean that TRUMP saying that we should "take out" the families of suspected terrorists is a bad thing, right?

"I would do my best, absolute best â" I mean, one of the problems we

Re:

[rtb61]

As 'Anonymous' can be anyone who chooses to act in an activist sense, anonymously, in the name of 'Anonymous'. It could just be a pissed off security BOFH https://en.wikipedia.org/wiki/... [wikipedia.org], always having to work extended hours due to crappy passwords. Seriously, how hard are three word passwords, no spaces and minimum word length of four characters and with varying length words, as a nonsense string preferable eg 'crankyBOFHgoesnuts' is good. When anyone can be 'Anonymous', all sorts of interesting and oft

The account owners with simple passwords

[maroberts]

..were obviously not rocket scientists.

Oh, wait.....

Anonymous

[Noah Haders]

European Space Agency Records Leaked For Amusement, Attackers Say

Bruce Wayne: Targeting me won't get their money back. I knew the mob wouldn't go down without a fight, but this is different. They crossed the line.

Alfred Pennyworth: You crossed the line first, sir. You squeezed them, you hammered them to the point of desperation. And in their desperation, they turned to a man they didn't fully understand.

Bruce Wayne: Criminals aren't complicated, Alfred. Just have to figure out what he's after.

Alfred Pennyworth: With respect Master Wayne, perhaps this is a man that *you*

Examples

[dohzer]

Does anyone have some more examples of three letter passwords? I'm having trouble understanding the concept.

Password length = data protected

[justcauseisjustthat]

I've used 4 digit passwords on sites that store nothing besides my email, name, corp address and nothing of true significance. On the otherhand I'll use the maximum allowed digits for banking and commerce sites. What blows my mind, is a site that doesn't allow unicode character set and more than 12 digits.

Publicly funded

[RockDoctor]

The ESA is publicly funded - as are most of it's collaborating institutions. Quite likely a significant number of the people intended to have read-write access to their data systems are aware that they information they contain are the property of the people who paid for the data. i.e., everyone. So the only sensible reason for using passwords is to prevent vandalism of the databases. and nobody in their right mind is going to be interested in vandalising a "public good" such as the records that may help our