A group calling themselves the “Islamic State Hacking Division” published what it claimed were the personal details of thousands of individuals linked to the US government and military, which included seven email addresses ending in gov.au.
These seven individuals include one official from the Australian National Audit Office, two from the Department of Defence, one from the NSW Department of Family and Community Services, two from area health services under NSW Health and one Victorian Opposition frontbencher.
ISHD does not state how the details were obtained, but it does claim to also have credit card details and access to Facebook accounts of at least some on the list.
With the exception of one of the Defence officials, whose password was salted, the remainder had passwords that could at best be described as very easy to guess. They included:
- A phone number
- A licence plate number
- A racist epithet
- A common nickname
- A spouse’s first name
However, the most astonishing password belonged to an alternative minister who, according to the biography on his website, previously ran a technology consulting firm.
At the time of the hack, the MP’s password — since changed — consisted of a two-digit number repeated three times. That is a very weak password.
Longer is better
Government officials, especially those who use their gov.au email addresses on social networks, make attractive targets for hackers.
No password is uncrackable, but some are exponentially better than others. The most important factor is length. The longer a password is, the better.
Choosing a good password is simple if the agency’s ICT infrastructure does not arbitrarily limit passwords to short lengths, as many continue to do. A significantly longer — but meaningful — password can be easier to remember than a short password of random characters, digits and punctuation yet still provide better security. Some prefer to use the term “passphrase” to encourage users of a system to consider using 40 or more characters, including spaces.
Microsoft says a good passphrase consists of these characteristics:
- Is 20 to 30 characters long.
- Is a series of words that create a phrase.
- Does not contain common phrases found in literature or music.
- Does not contain words found in the dictionary.
- Does not contain your user name, real name, or company name.
- Is significantly different from previous passwords or passphrases.
Substituting vowels with easily guessable numbers and punctuation does not significantly increase a password’s strength.
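The two claims above (length is the dominant factor; vowel substitution adds little) can be checked by modelling how an attacker actually guesses rather than by counting character classes. The following Python estimator is an added example, not from the article; the keyspace sizes and the guess rate are assumptions chosen for illustration. It scores the "two-digit number repeated three times" pattern from the article, a leet-substituted dictionary word, a multi-word passphrase and random characters, and contrasts the attacker-model estimate with a naive character-class "strength meter".

```python
import math

# Keyspace assumptions for this example (not figures from the article):
DIGITS, PRINTABLE_ASCII, WORDLIST = 10, 95, 7776   # 7776 = Diceware-style word list
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def guesses_repeated_number(unit_digits: int) -> float:
    """'42' repeated three times looks like a 6-digit PIN, but an attacker who tries
    short repeated units only needs 10**unit_digits guesses; repetition adds nothing."""
    return float(DIGITS ** unit_digits)

def guesses_random(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Uniformly random characters: the only case where per-character entropy holds."""
    return float(alphabet ** length)

def guesses_passphrase(words: int, wordlist: int = WORDLIST) -> float:
    """Words drawn independently from a list: each extra word multiplies the space."""
    return float(wordlist ** words)

def guesses_leet(base_word: str, wordlist: int = WORDLIST) -> float:
    """Substitution such as 'p4ssw0rd': cracking rules try each substitutable letter
    both ways, so the word gains only one binary choice per such letter."""
    substitutable = sum(1 for ch in base_word.lower() if ch in LEET_MAP)
    return float(wordlist * 2 ** substitutable)

def naive_bits(password: str) -> float:
    """Character-class meter: length * log2(classes seen). Overstates leet words."""
    checks = ((26, str.islower), (26, str.isupper), (10, str.isdigit),
              (33, lambda c: not c.isalnum()))
    classes = sum(n for n, hit in checks if any(hit(c) for c in password))
    return len(password) * math.log2(classes)

def bits(guesses: float) -> float:
    return math.log2(guesses)

def expected_crack_seconds(guesses: float, rate: float = 1e10) -> float:
    """Expected time at `rate` guesses/s (assumed rate for an offline attack on a
    fast, unsalted hash); on average the password falls after half the space."""
    return guesses / 2 / rate

def compare() -> dict:
    return {
        "two digits repeated 3x": bits(guesses_repeated_number(2)),
        "'p4ssw0rd' (attacker model)": bits(guesses_leet("password")),
        "'p4ssw0rd' (naive meter)": naive_bits("p4ssw0rd"),
        "5-word passphrase": bits(guesses_passphrase(5)),
        "8 random printable chars": bits(guesses_random(8)),
    }
```

The repeated two-digit pattern scores under 7 bits, the substituted dictionary word about 17 bits against roughly 41 bits from the naive meter, and the five-word passphrase about 65 bits, more than eight fully random printable characters.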
Poor passwords continue to dominate hacking lists in part because decades of advice and arbitrary limits on password length have trained a generation of users that a “good” password is too hard for them to remember, which simply isn’t true anymore. This comic from XKCD explains: