Weak passwords to blame for Australian Defence Force Academy hack
- 13 December, 2012 10:44
The Australian Defence Force Academy (ADFA) has been slammed by an Australian security expert for using “weak” passwords stored in plain text which were stolen by a hacker known as Darwinare in November.
Sophos Asia Pacific head of technology Paul Ducklin said in a blog post that the hack, which saw a number of SQL database records containing student and staff identification details posted online, shouldn’t have happened and there could be “no excuses”.
Students at ADFA apply to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA's operations in Canberra.
While Ducklin praised the UNSW for acting quickly and notifying students/staff a day after the breach occurred, he scolded the University for storing usernames and passwords for at least one of its computer systems in plain text.
“To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plain text.”
He said the algorithm for generating the passwords was like a “time warp” back into the 1970s because all of the passwords were seven or eight lower-case letters long.
“Many of these passwords are repeated and all are meant to be pronounceable -- surely an unnecessary step for a password that is intended to be typed in once and then changed -- which leads to a conspicuous lack of randomness.”
For example, Ducklin pointed out that 1 per cent of the passwords end in the word 'poo' which made the passwords “sadly self-descriptive”.
He warned companies to harden their Web services and bring password handling into the 21st Century to avoid compromises like the ADFA incident.
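The two failings Ducklin describes, a guessable generation scheme and plain-text storage, can be made concrete with a short worked example. The Python below is added here for illustration and is not code from the article, from Ducklin or from UNSW: it bounds the entropy of a 7-8 lowercase-letter scheme (pronounceability and repeats can only push the real figure lower), flags duplicates in a batch of issued passwords, and then shows the modern alternative: a CSPRNG-generated initial password stored as a salted, slow PBKDF2 hash. The sample batch of passwords is constructed for the demo and is not taken from the breach.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
from collections import Counter
from typing import Optional

# Alphabet for generated passwords: letters, digits and punctuation (94 symbols).
STRONG_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample batch in the style the article describes (7-8 lowercase
# letters, pronounceable, with a repeat). Not real leaked data.
SAMPLE_BATCH = ["bantapoo", "kelutana", "bantapoo", "ridofemo", "sulimpoo"]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly over the alphabet."""
    return length * math.log2(alphabet_size)


def weak_scheme_bits() -> dict:
    """Upper bound for the scheme in the article: 7 or 8 lowercase letters.
    Real entropy is lower still because the generator favoured pronounceable
    strings and produced duplicates."""
    return {7: keyspace_bits(26, 7), 8: keyspace_bits(26, 8)}


def repetition_report(passwords) -> dict:
    """Count duplicates in an issued batch; a sound generator produces none."""
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "duplicates": {p: n for p, n in counts.items() if n > 1},
    }


def suffix_fraction(passwords, suffix: str) -> float:
    """Fraction of passwords ending in a given suffix (e.g. the 'poo' tail
    Ducklin noted); uniform random output would make this negligible."""
    hits = sum(1 for p in passwords if p.endswith(suffix))
    return hits / len(passwords)


def generate_initial_password(length: int = 16) -> str:
    """CSPRNG-backed initial password with no pronounceability constraint."""
    return "".join(secrets.choice(STRONG_ALPHABET) for _ in range(length))


# Storage: salted, iterated PBKDF2-HMAC-SHA256 rather than plain text.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("weak scheme upper bound (bits):", weak_scheme_bits())
    print("strong 16-char (bits):", keyspace_bits(len(STRONG_ALPHABET), 16))
    print("batch report:", repetition_report(SAMPLE_BATCH))
    print("fraction ending in 'poo':", suffix_fraction(SAMPLE_BATCH, "poo"))
    pw = generate_initial_password()
    record = hash_password(pw)
    print("stored record:", record)
    print("verify correct:", verify_password(pw, record))
    print("verify wrong:", verify_password(pw + "x", record))
```

Even at its upper bound the lowercase scheme sits below 38 bits, within reach of an offline guesser once the records leak, whereas the 16-character CSPRNG password exceeds 100 bits; and because only a salted PBKDF2 record is stored, a database dump no longer hands the attacker the passwords themselves.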
Follow Hamish Barwick on Twitter: @HamishBarwick