Skip to content
Naked Security Naked Security

OFFICIAL! Good passwords more difficult than rocket science

Some of the passwords allegedly exposed in a recent European Space Agency breach were "not very good", to put it kindly.

It’s official!

Picking proper passwords is harder than rocket science.

While the UK is celebrating the arrival of British astronaut Tim Peake at the International Space Station, a reminder that rocket science is alive and well…

…the European Space Agency (ESA) is living down a database breach that took place over the weekend, in which three tranches of data were dumped anonymously, for the lulz.

LULZ, if you aren’t fluent in hackerspeak, is the mis-spelled plural of LUL, itself a mis-spelling of LOL, which is an acronym meaning Laughing Out Loud, often at someone else’s expense.

In fact, there used to be a hacking collective called Lulzsec, who went on a hacking spree in 2011, breaching a number of high-profile websites and deliberately dumping stolen data to prove their claims.

Lulzsec’s professed motivation was almost entirely disconnected from politics, money or activism, and the loosely-knit cybergang operated under the tagline “Laughing at your security since 2011.”

In July 2011, they pulled the plug on the operation, announcing:

We must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

But the lulz soon ended altogether, with numerous members tracked down, identified, arrested, and convicted.

The courts didn’t share the sense of fun, or accept the concept that hacking for the lulz could be an expression of love, or of thoughtfulness, and sent a number of Lulzseccers to prison.

We assume that a similar fate awaits the ESA hacker or hackers, if they are ever caught.

Their offence is exacerbated because they didn’t just hack and report the problem privately so it could be fixed, but instead dumped thousands of records, apparently including full names, email ids, office addresses, workplace names, phone numbers and even plaintext passwords.

Don’t be tempted to hack off your own bat, even if your motivation is pure and you intend to report your findings confidentially. Penetration testing “just for kicks” is a bit like verifying the roadworthiness of someone else’s car by taking it for a joyride in rush hour traffic. For this reason, even just poking around in other people’s networks is illegal in most jurisdictions, unless you have explicit permission. Penetration tests often involve destructive failure, such as crashing a critical server instead of breaking into it.

Of course, even though ESA was the victim of a cybercrime, the security question nevertheless remains, “Where did those plaintext passwords come from?”

CSO Online reports that close to 40% of more than 8000 alleged passwords that were dumped in the breach were just three characters long, and that more than a third of the rest were no longer than 8 characters.

The 8-character passwords included two of the worst passwords possible: password and 12345678.

In other words, those passwords may have been cracked by the hackers, rather than stored insecurely by ESA.

But poor password choice by users doesn’t seem to be a sufficient explanation on its own, because the about 2% of the dumped passwords were apparently 14 characters or longer.

Chances are that those passwords weren’t cracked, but were simply sitting there in plaintext form.

It’s rarely necessary to store plaintext passwords, even briefly, and this story is yet another good reason why you shouldn’t do it.

There are much better ways of handling password authentication, and we urge you to use them.

💡 LEARN MORE – How to store passwords safely ►

Image of rocket blasting off courtesy of Shutterstock.

8 Comments

What about some validation, rejecting weak passwords… that would be a great step for stupid-kind ;-)

I’m not a big fan of password strength meters, not least because they are often coupled with “rules for randomness”, such that:

493KVXDFNMPLTHWDCIWTZZNTD9ED516FCK4

would be considered weak because it doesn’t have a punctuation mark in it, while:

pAss!!!w0RD

might be considered strong because it passes the length+variety test.

But blocking 3-character passwords would indeed be a start!

I recall reading that the password for permitting the launching of nukes in the USA used to be something like 123.

The codes were eight digits, apparently, and there’s a suggestion that for Minuteman missiles, those eight digits were 00000000:

https://nakedsecurity.sophos.com/2013/12/11/for-nearly-20-years-the-launch-code-for-us-nuclear-missiles-was-00000000/

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?