
Weak passwords in WA Government agencies are putting sensitive data at risk

Discussion in 'Security and Privacy' started by retiredlearner, 2018/08/24.

  1. 2018/08/24
    retiredlearner

  2. 2018/08/25
    Bill

    NO DOUBT using a strong password is a user's responsibility. But when it comes to government agencies, businesses, institutions, etc. much of the blame and accountability MUST be put on the CIOs, security officers, and network administrators too.

    It is easy to make a policy (on paper and in the system) that requires the use of upper and lower case letters, numbers and special symbols in passwords and to require passwords be X or more characters long. And it is easy to force password changes every few months and to disallow the use of previously used passwords. In many systems, passwords like "Password123" can easily be blacklisted and not allowed. But those admins and managers who are not forcing strong passwords are just being lazy and negligent. And IMO, at least for government (and perhaps medical and insurance) networks, criminally negligent!

    Did you know that "The cat in the hat!" is a stronger and harder password/passphrase for bad guys to crack than "~FN2ue%:"? Why? Because there are 19 characters (including spaces) in that pass "phrase" while only 8 in that pass "word". And "The cat in the hat" is easier to remember, and to type in too. Something to think about.
     
    Bill,
    #2


  4. 2018/08/25
    retiredlearner

    Bill, I was looking at the humorous side of it about the employees using the word "Password".
    You are correct re the lack of security from the top boys. (heads should roll etc.)
    There is an Australasian saying - "she'll be right mate" :eek::D
     
  5. 2018/08/25
    Bill

    It is humorous, but in a tragic way. I had a client who heard "12345678" was a commonly used password. So he thought he was being clever by using "87654321". My elderly neighbor was surprised when I guessed her password, "Mittens" - the name of her cat. :( Then another elderly client was shocked when I lifted his keyboard and so easily found his list of passwords on an index card. :rolleyes:

    Yeah, "she'll be right" but sadly, others may get hurt before that happens.
     
    Bill,
    #4
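
Added example, not part of any post in this thread: a minimal Python sketch of the kind of server-side check described in posts #2 and #4, with a minimum length and a blacklist that also catches "Password123", a reversed "12345678" and a pet's name. The blacklist entries, the 12-character minimum and all function names are assumptions made for illustration, and the bit count models only exhaustive character-by-character guessing, not dictionary attacks.

```python
import math
import string

# Constructed sample blacklist; a real deployment would load a breached-password list.
BLACKLIST = {"password", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not taken from the thread

def normalize(pw):
    """Lowercase and strip trailing digits/symbols so 'Password123' maps to 'password'."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core or pw.lower()

def blacklist_hit(pw, personal_words=()):
    """Return why the password matches the blacklist, or None if it does not."""
    banned = BLACKLIST | {w.lower() for w in personal_words}
    for cand in (pw.lower(), normalize(pw)):
        if cand in banned:
            return "blacklisted"
        if cand[::-1] in banned:  # catches '87654321' when '12345678' is banned
            return "reversed blacklisted"
    return None

def evaluate(pw, personal_words=()):
    """Return the list of policy violations; an empty list means accepted."""
    reasons = ["too short"] if len(pw) < MIN_LENGTH else []
    hit = blacklist_hit(pw, personal_words)
    if hit:
        reasons.append(hit)
    return reasons

def brute_force_bits(pw):
    """Bits of search space for exhaustive guessing over the character pools used."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
    size = sum(n for chars, n in pools if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33  # 32 ASCII punctuation marks plus the space character
    return len(pw) * math.log2(size) if size else 0.0

if __name__ == "__main__":
    # Passwords quoted in the thread; "Mittens" is supplied as a known personal word.
    for pw in ["Password123", "87654321", "Mittens", "~FN2ue%:", "The cat in the hat!"]:
        verdict = evaluate(pw, personal_words=["Mittens"]) or ["accepted"]
        print(f"{pw!r:24} {brute_force_bits(pw):6.1f} bits  {', '.join(verdict)}")
```
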
  6. 2018/08/26
    TonyT

    Correct. I often use sentences with the words rearranged, e.g. "myiknowabcsnow".

    This is a good site for testing passwds:
    Passfault Demo: Password Evaluation
     
  7. 2018/08/26
    Bill

    Hmmm. That password testing site is interesting. I don't think I would be willing to test out any of my actual passwords on it though. My friend Bing Google shows nothing to suggest it is a legitimate or safe site. It does not even support https. :( I would not want it to be collecting my real passwords or passphrases.

    Still, plugging in Mittens and 87654321 proved they are very weak, easy to crack passwords and "The cat in the hat!" would take 2 years, 11 months, at least with an everyday computer. An organized crime cracker would only take 7 days. :( But as a WPA Password Hashing and a dedicated $5000 cracker, it would only take 61 centuries. So I guess my wifi network would be safe with that one! ;)

    Fortunately, pretty sure I have nothing of value a dedicated bad guy, mobster, or the government would be interested in so pretty sure none would waste their resources on me, and would move on to easier pickings.
     
    Bill,
    #6
