Weak passwords to blame for Australian Defence Force Academy hack

Security expert says some student and staff login passwords were stored in plain text

The Australian Defence Force Academy (ADFA) has been slammed by an Australian security expert for using “weak” passwords stored in plain text which were stolen by a hacker known as Darwinare in November.

Sophos Asia Pacific head of technology Paul Ducklin said in a blog post that the hack, which saw a number of SQL database records containing student and staff identification details posted online, shouldn’t have happened and there could be “no excuses”.

Security threats explained: Internal negligence

Social engineering, big data top security priorities for 2013

Privacy Commissioner condemns RailCorp over USB drive auction

Students at ADFA apply to the Defence Force and to the University of New South Wales (UNSW), which runs the academic side of ADFA's operations in Canberra.

While Ducklin praised the UNSW for acting quickly and notifying students/staff a day after the breach occurred, he scolded the University for storing usernames and passwords for at least one of its computer systems in plain text.

“To be fair, these passwords were meant just for initial login, and were therefore expected to have a short life. But passwords should never be weak or guessable, or, for that matter, stored in plain text.”

He said the algorithm for generating the passwords was like a “time warp” back into the 1970s because all of the passwords were seven and eight lower-case letters long.

“Many of these passwords are repeated and all are meant to be pronounceable -- surely an unnecessary step for a password that is intended to be typed in once and then changed -- which leads to a conspicuous lack of randomness.”

For example, Ducklin pointed out that 1 per cent of the passwords end in the word 'poo' which made the passwords “sadly self-descriptive”.

He warned companies to harden their Web services and bring password handling into the 21st Century to avoid compromises like the ADFA incident.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Recommended

  1. Optus launches 4G TD-LTE in Canberra

  2. AusCERT 2013: Police urge banks to install ATM ...

  3. Federal government slammed for blocking websites

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

References show all
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: password security, Australian Defence Force Academy, Sophos Paul Ducklin, algorithms, hacking
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/160/ultraiso/

UltraISO

UltraISO is an ISO CD/DVD image file tool that creates, edits and converts. It is also a bootable CD/DVD maker that has the ability to ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia