A Security Management review of the passwords revealed by AntiSec's hack of local law enforcement domains shows that insecure passwords were not hard to find. It takes only one weak link from a user with an easily cracked password to give a hacker the opportunity to gain access to a network and wreak havoc.
Seventy different law enforcement domains were hacked and 300 email accounts were listed. The majority of users had passwords with letter and number combinations, as recommended, but many passwords were just name and birth year combinations. Some passwords were first and last names, addresses, or simple words like “apple,” “hardcore,” “Ironman,” and “Master.”
Security experts say there’s really no excuse for not knowing how to make secure passwords.
“One of the things that LulzSec and Anonymous are doing is exposing the simplicity of security. We’ve been discussing password strength and saying to use different passwords for each account for literally decades now. People are doing things that at this point and they should know better,” Bit9’s Chief Technology Officer Harry Sverdlove told Security Management.
Sverdlove says the average user has 27 online accounts, but the average user doesn’t have 27 different passwords because he or she doesn't have a good system for keeping track of all of those passwords. “We all tend to choose the most obvious things, which make it that much easier for hacktivist organizations who don’t use very sophisticated techniques,” he said.
How's this for obvious: Two people at one sheriff’s office both used the word “police” as their password. Multiple people used the word “glock,” a common pistol used in law enforcement, and also in the top 5,280 most used passwords.
An online tool to check password security from Small Hadron Collider indicates that it would take a computer program less than one second to guess the password "police," so passwords like these are a hacker’s best friend.
“If it's a dictionary word, it could be hacked very quickly,” the site states. The two most common ways passwords are broken are dictionary-based attacks and attacks using a tool called a rainbow table.
A dictionary-based attack uses a text file with thousands of common words. “Even a very simple hacker could write a script that goes through this dictionary file,” Sverdlove said. The program tries each word in turn as the password until one of them works. A rainbow table works like a digital Rosetta Stone: it is a precomputed lookup that turns stored password hashes back into the original passwords after the hashes have been extracted from an existing database.
Several agencies listed by AntiSec appeared to use one password or a variation of the same password for multiple employees. Everyone at the Prairie County Sheriff’s Department in Des Arc, Arkansas was shown as having the same password, according to the leaked list. When contacted, Sheriff Gary Burnett acknowledged that the email addresses listed in the dump were valid, but he questioned the validity of the passwords. He also doubted that the department had been hacked and said that he would have their computer tech look into it.
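The weaknesses the article describes (dictionary words, name-plus-birth-year passwords, and one password shared across many accounts in a department) are exactly what a defender can screen for before an attacker does. The following Python audit is an added example, not code from the article or from any of the agencies named; the account list and the wordlist are constructed stand-ins, and the 12-character minimum and the name-plus-year pattern are assumed heuristics.

```python
import re
from collections import Counter

# Constructed sample (not real accounts or leaked passwords), modelled on the
# patterns the article describes: a dictionary word, a name plus birth year,
# and one password shared by several users in the same office.
SAMPLE_ACCOUNTS = {
    "deputy1@example-sheriff.test": "police",
    "deputy2@example-sheriff.test": "police",
    "clerk@example-sheriff.test": "jsmith1972",
    "dispatch@example-sheriff.test": "Glock",
    "it@example-sheriff.test": "Tr0ub4dor&3rdFloor!",
}

# Small constructed stand-in for a cracking wordlist; a real audit would load
# the same multi-thousand-word dictionary file an attacker would use.
WORDLIST = {"police", "glock", "apple", "hardcore", "ironman", "master", "password"}

# Assumed heuristic: letters followed by a 19xx/20xx year, e.g. "jsmith1972".
NAME_YEAR_RE = re.compile(r"^[a-z]{2,}(19|20)\d{2}$", re.IGNORECASE)
MIN_LENGTH = 12  # assumed policy minimum


def classify(password):
    """Return weakness labels for one password (empty list means no finding)."""
    findings = []
    if password.lower() in WORDLIST:
        findings.append("dictionary-word")
    if NAME_YEAR_RE.match(password):
        findings.append("name-plus-year")
    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    return findings


def audit(accounts):
    """Audit an account -> password mapping; returns {account: [findings]}.

    Besides per-password checks, flags any password reused by other accounts,
    which is the 'same password for multiple employees' case in the article.
    """
    counts = Counter(accounts.values())
    report = {}
    for account, pw in accounts.items():
        findings = classify(pw)
        if counts[pw] > 1:
            findings.append("shared-with-%d-other-accounts" % (counts[pw] - 1))
        report[account] = findings
    return report
```

Run it against an export of a password-reset tool or a breach-check feed and every account with a non-empty finding list is a reset candidate.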