Weak passwords to blame for Australian Defence Force Academy hack

Security expert says some student and staff login passwords were stored in plain text

Hamish Barwick (Computerworld)
13 December, 2012 10:44
Comments

The Australian Defence Force Academy (ADFA) has been slammed by an Australian security expert for using “weak” passwords stored in plain text which were stolen by a hacker known as Darwinare in November.

Sophos Asia Pacific head of technology Paul Ducklin said in a blog post that the hack, which saw a number of SQL database records containing student and staff identification details posted online, shouldn’t have happened and there could be “no excuses”.

Security threats explained: Internal negligence

Social engineering, big data top security priorities for 2013

Privacy Commissioner condemns RailCorp over USB drive auction

Students at ADFA apply to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA's operations in Canberra.

While Ducklin praised the UNSW for acting quickly and notifying students/staff a day after the breach occurred, he scolded the University for storing usernames and passwords for at least one of its computer systems in plain text.

“To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plain text.”

He said the algorithm for generating the passwords was like a “time warp” back into the 1970s because all of the passwords were seven and eight lower-case letters long.

“Many of these passwords are repeated and all are meant to be pronounceable -- surely an unnecessary step for a password that is intended to be typed in once and then changed -- which leads to a conspicuous lack of randomness.”

For example, Ducklin pointed out that 1 per cent of the passwords end in the word 'poo' which made the passwords “sadly self-descriptive”.

He warned companies to harden their Web services and bring password handling into the 21st Century to avoid compromises like the ADFA incident.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

"Suggesting that people's "purpose is to get information to flow through the ..."

Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."

Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."

Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."

After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."

CIOs struggle to deliver timely mobile business apps: survey

Tags: password security, Australian Defence Force Academy, Sophos Paul Ducklin, algorithms, hacking

Latest Blog Posts

Whitepapers

Hybrid IT Service Management: A Requirement for Virtualisation and Cloud Computing
When competition is tough and resources are limited, corporate leaders are depending on growing their existing capabilities in order to grow their business. Information technology can be a unique catalyst for business growth, delivering a competitive advantage when creatively applied to established and emerging problems. Read more on what trends are accelerating the value of IT.

Learn more »
Clearing the Clouds for Midmarket Businesses
Cloud computing promises to help midmarket companies reduce cost and complexity in the IT equation – and gain the flexibility and agility they need to thrive. Yet charting a clear course to the cloud isn’t always easy. In this paper, we aim to clear the clouds. We examine different cloud computing models, discuss the types of requirements that each can best address, and consider what midmarket businesses should look for in a cloud solutions provider.

Learn more »
Mobility Apps: What every developer should know
Learn how others have delivered industry-leading, multi-platform management and security solutions. In this whitepaper, we look how app developers can develop, deploy and manage apps that enterprises can rely on today and into the future. Click to download!

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

FTR&D EngineerSA
FTLead Software EngineerSA
FT.NET - Sitecore Developer - Melbourne - PermNSW
FTTechnical Business AnalystNSW
FTSenior Python DeveloperNSW
FTFlash / ActionScript Developer - ContractNSW
FTOS Web Applications DeveloperNSW
FTJob Title: Mac Systems/ Enterprise Systems EngineerNZ
FTQuality ManagerSA

Zones

Featured Whitepapers

Real-Time Protection Against Malware Infection

Malware is at such high levels (more than 60 million unique samples per year) that protecting an endpoint with traditional antivirus software, has become futile. More than 100,000 new types ...

Recent comments

"Suggesting that people's "purpose is to get information to flow through the ..."
Why change management doesn’t work
"Darn those pesky laws that get in the way of commercial exploitation ..."
Larry Page wants to see your medical records
"Instead of partitioning the device between corporate and personal data, another approach ..."
Dual-Persona Smartphones Not a BYOD Panacea
"Well that's a nice back-handed compliment isn't it? So now, finally, my ..."
After two-year hiatus, EFF accepts bitcoin donations again
"Actually, both Mobile App developers and CIOs should be blamed for it. ..."
CIOs struggle to deliver timely mobile business apps: survey

Follow CIO

Market Place

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

Australian Breakfast Road Show: Enabling Proactive Security for Tomorrow's Business Trends

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Switch on The Symantec Business Critical Virtualisation Content Zone

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Weak passwords to blame for Australian Defence Force Academy hack

Recommended

eBay bids on big data challenge

The pros and cons of IT offshoring

Tapping into social experience: Tourism Australia

Homeless multinationals and taxing decisions

IT sourcing: in or out?

Avoiding your cloud vendor’s success trap

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

PMBOK vs PRINCE2 vs Agile project management

CenITex to become service “broker”

Opinion: Why national e-health is not for everyone

Dual-Persona Smartphones Not a BYOD Panacea

Larry Page wants to see your medical records

eBay bids on big data challenge

How Big Data can improve marketing and customer service

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Real-Time Protection Against Malware Infection

Enable Flexible Working

NetApp FAS6240 Clustered SAN Champion of Champions

Best Practices for ERP Implementation

Legal Compliance in Electronic Record Keeping