Australian Government Agencies Have Passwords That Are Too Easy To Crack

13 years ago

March 28, 2011 at 10:30 am

Yet another reminder that setting strong passwords is essential: an analysis of four government agencies by the Australian National Audit Office found that 20% of their systems were vulnerable to “brute force” attacks to guess passwords. The end result: more government departments will end up blocking access to Gmail and other webmail services.

You might not work for a government department, but choosing secure passwords and staying secure online don’t require an enterprise-grade budget.

One recommendation in the report is that departments provide client computers in staff common areas to allow access to Gmail and other services, while blocking them on main work computers. While that might be a good security solution, I can’t help thinking it will just encourage people to access those services on smart phones — which eliminates some of the security risk, but could also impact productivity more drastically. What do you think?

Australian National Audit Office [PDF via SMH]

Comments

8 responses to “Australian Government Agencies Have Passwords That Are Too Easy To Crack”

READ THE COMMENTS

Justin Thomas

March 28, 2011

Turn on complex passwords in Active Directory and Password1 is still a valid password. Complex passwords don’t add much to security and don’t stop those passwords being reused outside. The audit office should insist on two factor authentication to all government systems.

Log in to Reply
Miro

March 28, 2011

If you made it any harder for them to remember a password all you would end up with is sticky notes on every screen with “Password1”

Log in to Reply
Nathan P

March 28, 2011

I don’t understand what webmail access has to do with poor internal passwords being vulnerable to brute force attacks

Log in to Reply
Ben Cooper

March 28, 2011

nathan, people are creatures of habbit, so natrually if you force a complicated password they just set them all the same overtime…. at my old job i found even with 35 day expiry it just ended up going Password 1 2 3 4 5 6 as they had too.

Log in to Reply
Grayda

March 28, 2011

I agree with Justin. There should be a two factor authentication. Say, RFID and password. If you can buy an RFID reader for $100 on eBay (just a quick search) then surely the government can buy them in bulk for much cheaper.

But it’ll take a Palin-esque email breach to get the government to listen.

Log in to Reply
Anon

March 28, 2011

Complex passwords are not hard to make, I use random.org to generate a password of around 20-30 characters (or whatever the max is for what I am making an account for) and just use that.

People seem to think passwords are tough, well they aren’t. If you have trouble memorizing them, then make say 5 passwords each 4 characters long. Memorize them one at a time (4 characters is easy to remember, I mean, its less than your phone number, right?), then join them together.

Also, a dictionary of 3000 words? No wonder it failed.

Log in to Reply
Chris Sandifer

March 29, 2011

Again I can’t understand how they are even using passwords as the main securtisation method. Sure enforce complex passwords and make them rotate. At the very least they need two factor authentication in order to try to ensure the validity of the user. Everybody gets a token combined with an SSL VPN for outside the office use and for inside you need a smart card in order to login.

How does blocking gmail/hotmail etc have anything to do with password strength? The two problems seem to be independent.

If there is an overuse of outside email products or a use of outside comms avenues for official business create a policy and fire people that break the policy. Simple really. Behavourial security and change is just as important if not more so than technological change.

If people are using their phones for personal email access more power to them. Even better install a wifi network for this purpose which is secured and users are Identified with devices etc.

The fact that after the wikileaks debacle organisations have not started to address the holes in their systems simply boggles the mind.

Log in to Reply
adam smolkowicz

March 30, 2011

Hahaha come on guys you must have better security than that

Log in to Reply

Interest Rates April: Top Picks For Home Loans, Credit Cards and Savings Accounts

ANZAC Day Weather 2024: Here’s the Latest Forecast for Every Capital City in Australia

How to Turn Any Space in Your House Into a Bathroom (Without Plumbing)

‘TikTok Notes’ Is Instagram’s Newest Competition

Google Just Added Dark Mode to Drive

The Best Mobile Plans to Keep Your Phone Bill Under $30

Here Are Amazon Australia’s Best Deals of the Week

Here Are the Fastest Internet Providers and NBN Plans in Australia

19 Sustainable Mother’s Day Gifts That’ll Show Some Love to Your Mum and the Planet

Save up to $300 on Optus’ Biggest SIM-Only Plan Bundle

Australian Government Agencies Have Passwords That Are Too Easy To Crack

Comments

8 responses to “Australian Government Agencies Have Passwords That Are Too Easy To Crack”

Leave a Reply Cancel reply