Australian Government Agencies Have Passwords That Are Too Easy To Crack

Yet another reminder that setting strong passwords is essential: an analysis of four government agencies by the Australian National Audit Office found that 20% of their systems were vulnerable to "brute force" attacks that guess passwords. The likely end result: more government departments blocking access to Gmail and other webmail services.

You might not work for a government department, but choosing secure passwords and staying secure online don't require an enterprise-grade budget.

One recommendation in the report is that departments provide client computers in staff common areas to allow access to Gmail and other services, while blocking them on main work computers. While that might be a sound security solution, I can't help thinking it will just encourage people to access those services on smartphones — which eliminates some of the security risk, but could also impact productivity more drastically. What do you think?

Australian National Audit Office [PDF via SMH]


Comments

    Turn on complex passwords in Active Directory and Password1 is still a valid password. Complex passwords don't add much to security and don't stop those passwords being reused outside. The audit office should insist on two factor authentication to all government systems.

    If you made it any harder for them to remember a password, all you would end up with is sticky notes on every screen with "Password1".

    I don't understand what webmail access has to do with poor internal passwords being vulnerable to brute force attacks.

    Nathan, people are creatures of habit, so naturally if you force a complicated password they just set them all the same over time. At my old job I found that even with a 35-day expiry it just ended up going Password 1, 2, 3, 4, 5, 6 as they had to.

    I agree with Justin. There should be a two factor authentication. Say, RFID and password. If you can buy an RFID reader for $100 on eBay (just a quick search) then surely the government can buy them in bulk for much cheaper.

    But it'll take a Palin-esque email breach to get the government to listen.

    Complex passwords are not hard to make, I use random.org to generate a password of around 20-30 characters (or whatever the max is for what I am making an account for) and just use that.

    People seem to think passwords are tough, well they aren't. If you have trouble memorizing them, then make say 5 passwords each 4 characters long. Memorize them one at a time (4 characters is easy to remember, I mean, it's less than your phone number, right?), then join them together.

    Also, a dictionary of 3000 words? No wonder it failed.
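The two points made in the comments above (that Active Directory's complexity rule still accepts "Password1", and that a small wordlist is enough to find such passwords) can be shown concretely. The following is an added example and is not code from the original post, the audit report or any commenter. It re-implements the documented AD complexity rule (at least three of five character categories, no occurrence of the account name, minimum length configured separately; the minimum length value of 8 is an assumption), and pairs it with a constructed, deliberately tiny wordlist and a few mangling rules standing in for a 3000-word dictionary. The wordlist, suffix rules and the account name "jsmith" are illustrative assumptions, not what the auditors actually used.

```python
"""Why an AD-style complexity rule still admits "Password1", and why a
small wordlist plus mangling rules finds it anyway.

Added example, not code from the original post or the audit report.
"""
import string

MIN_LENGTH = 8  # assumption: a typical "minimum password length" policy value


def meets_ad_complexity(password: str, account_name: str = "") -> bool:
    """Re-implementation of the documented AD "password must meet complexity
    requirements" rule: characters from at least three of five categories,
    and no occurrence of the account name (case-insensitive, skipped when the
    account name is shorter than three characters). Minimum length is a
    separate policy setting in AD; it is folded in here for convenience."""
    if len(password) < MIN_LENGTH:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    categories = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c in string.digits for c in password),   # base-10 digits only
        "symbol": any(not c.isalnum() for c in password),     # includes space
        # Unicode letters that are neither upper nor lower case (e.g. CJK)
        "other_alpha": any(
            c.isalpha() and not c.isupper() and not c.islower() for c in password
        ),
    }
    return sum(categories.values()) >= 3


# Constructed wordlist: a handful of base words stands in for the 3000-word
# dictionary mentioned in the post. Not the auditors' list.
BASE_WORDS = ["password", "welcome", "summer", "canberra", "letmein", "admin"]
# Constructed mangling rules: the suffixes people bolt on to satisfy a policy.
SUFFIXES = ["", "1", "12", "123", "123!", "!", "1!", "2011", "01"]


def mangled_candidates(words=BASE_WORDS, suffixes=SUFFIXES):
    """Yield each word in three capitalisations with each suffix appended:
    len(words) * 3 * len(suffixes) candidates in total."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield form + suffix


def found_by_dictionary(password: str) -> bool:
    """True if the password is one of the mangled dictionary candidates."""
    return password in set(mangled_candidates())


def audit(password: str, account_name: str = "jsmith") -> dict:
    """Report whether a password passes the complexity rule and whether the
    dictionary attack would still find it."""
    return {
        "password": password,
        "complex": meets_ad_complexity(password, account_name),
        "guessable": found_by_dictionary(password),
    }


if __name__ == "__main__":
    for pw in ["Password1", "Welcome123!", "jsmith2011", "passw0rd",
               "correct horse 7 staples", "Ts9#qLw2vP0k"]:
        print(audit(pw))
```

Running it shows "Password1" and "Welcome123!" passing the complexity rule while sitting in a candidate set of only 162 strings; "jsmith2011" is rejected by the account-name check rather than by any strength measure, and the two genuinely long or random passwords pass the rule and are not in the candidate set. Scaling the same three capitalisations and nine suffixes to a 3000-word dictionary gives 81,000 candidates, a trivial number to try against an online service that does not lock out, which is why a blocklist of common base words does more than a complexity rule.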

    Again I can't understand how they are even using passwords as the main security method. Sure, enforce complex passwords and make them rotate. At the very least they need two factor authentication in order to try to ensure the validity of the user. Everybody gets a token combined with an SSL VPN for outside the office use, and for inside you need a smart card in order to login.

    How does blocking gmail/hotmail etc have anything to do with password strength? The two problems seem to be independent.

    If there is an overuse of outside email products or a use of outside comms avenues for official business, create a policy and fire people that break the policy. Simple really. Behavioural security and change is just as important if not more so than technological change.

    If people are using their phones for personal email access, more power to them. Even better, install a wifi network for this purpose which is secured and where users are identified with devices etc.

    The fact that after the wikileaks debacle organisations have not started to address the holes in their systems simply boggles the mind.

    Hahaha come on guys you must have better security than that
