You could have guessed DNC’s weak passwords
(Last updated on August 1, 2019)
Data breaches are no holds barred. No one is off-limits, especially not politicians. So it should not come as a surprise that WikiLeaks has released nearly 20,000 emails from the Democratic National Committee (DNC). What is rather surprising is the lack of basic password security. Here’s what we know:
- Staff used weak passwords. An exchange of emails among the staff revealed that passwords such as Obama-Biden-2012 and obamain08 were in use. At first glance they don't seem that problematic: nine characters or longer, drawing on several character sets (uppercase and lowercase letters, numbers and special characters). So why are they weak? Because they are highly predictable, especially for the DNC. Password strength is determined not only by length, which should be at least 10 characters, but most importantly by how unpredictable the characters are. Words such as Hillary, Obama, democratic and DNC should be banned from use. Someone could easily have guessed the 'Obama'-themed passwords that were leaked, or used a password cracking tool that combines dictionary words with names, years and common separators; such a tool would crack Obama-Biden-2012 and obamain08 with ease.
- Passwords were shared. A press assistant with the DNC had sent an email to staff alerting them, "We have been compromised! But it's all ok. Here is our new password: HHQTevgHQ@z&8b6." Do you see the problem here? A strong password is not secure if everyone knows it, and a password mailed in plaintext to a whole staff list is readable by anyone with access to those mailboxes, which is exactly how this email, new password included, ended up in the leak. Here's a cautionary tale: Vodafone, the Australian wireless carrier, had its customer database compromised in 2011 when a journalist revealed that she could access customer data using shared credentials. Vodafone had been engaging in this dangerous practice for years: employees frequently gave out shared passwords to people outside the company's circle of trust. Needless to say, the breach resulted in serious consequences that could have been avoided.
If an organization like the DNC can’t protect its sensitive communication, is there hope for everyone else? Yes. Implement these simple tips to mitigate security threats:
- Block common words. A dictionary attack involves repeatedly attempting to authenticate using default passwords, dictionary words, and other likely passwords. It can be mitigated by blocking the username, the organization name, common words, and keyboard patterns such as qwerty whenever a password is set or changed. Some password mechanisms, such as Specops Password Policy, can block dictionary words.
- Use a passphrase. A passphrase is a series of words, which makes it long, usually between 20 and 30 characters. Passphrases are not only stronger but also easier to remember, since they make more sense than a string of random letters, numbers and special characters. The predictability rule still applies, though: a well-known quote or campaign slogan is just a longer dictionary entry, so pick the words at random rather than from a phrase an attacker could guess.
- Embed security within the organizational culture. Changing bad habits takes more than an instruction: simply telling employees "password sharing is bad" doesn't provide an incentive to change behavior. Explain why password sharing is a great threat to internal security, and make clear that anyone who partakes in the practice will be held accountable.
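The following is an added example, not code from the original post or from Specops. It puts the first two tips, and the point about the leaked passwords, into a small Python policy check: a banned-word list that includes the username and organization name, a keyboard-pattern check, and a passphrase generator with an entropy calculation that shows why the word list has to be large. The banned list, the keyboard patterns, the username jdoe, the organization name DNC and the twelve-word list are constructed for illustration; the three sample passwords are the ones quoted above. The check goes slightly beyond the text by undoing common substitutions (0 for o, @ for a, and so on) before matching, so that disguised variants of a banned word are also caught.

```python
"""Banned-word password check and passphrase generator.

Added example (not code from the original post or from Specops). The banned
list, keyboard patterns, username, organization name and word list below are
constructed for illustration; the three sample passwords are the ones quoted
in the article.
"""
from __future__ import annotations

import math
import re
import secrets

MIN_LENGTH = 10

# Constructed banned list: organization-specific names plus generic weak words.
BANNED_WORDS = {
    "obama", "biden", "hillary", "clinton", "democrat", "democratic", "dnc",
    "password", "welcome", "admin",
}
# Constructed keyboard walks; matched against the lowercased raw password.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "1q2w3e")

# Common substitutions are undone before the banned-word match so that a
# disguised variant such as "0bama" or "dem0cr@t" is still rejected.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed twelve-word list for the demo only. A real generator needs a list
# of thousands of words; see passphrase_entropy_bits() for why.
WORDLIST = ("copper", "lantern", "meadow", "violin", "glacier", "pumpkin",
            "harbor", "saddle", "thistle", "walnut", "compass", "ember")


def normalize(password: str) -> str:
    """Lowercase, undo substitutions and drop separators so banned words match."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET_MAP))


def check_password(password: str, username: str, org_name: str) -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = normalize(password)
    # The username and organization name are banned alongside the static list.
    context_words = {normalize(username), normalize(org_name)}
    for word in sorted(BANNED_WORDS | context_words):
        # Skip very short context words (e.g. a two-letter username) that
        # would match almost anything.
        if len(word) >= 3 and word in norm:
            problems.append(f"contains banned word '{word}'")

    lowered = password.lower()
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            problems.append(f"contains keyboard pattern '{pattern}'")
    return problems


def generate_passphrase(word_count: int = 4, separator: str = "-") -> str:
    """Join randomly chosen words; secrets.choice keeps the choice unpredictable."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Obama-Biden-2012", "obamain08", "HHQTevgHQ@z&8b6"):
        print(f"{pw!r}: {check_password(pw, 'jdoe', 'DNC') or ['accepted']}")
    phrase = generate_passphrase()
    print(f"{phrase!r}: {check_password(phrase, 'jdoe', 'DNC') or ['accepted']}")
    print(f"4 words from {len(WORDLIST)}: "
          f"{passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits")
    print(f"4 words from 7776: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Run as a script, the two leaked passwords are rejected for containing banned words (obamain08 also for being too short), while HHQTevgHQ@z&8b6 passes the check, which is consistent with the article's point that its problem was sharing, not strength. The entropy figures make the passphrase caveat concrete: four words from the twelve-word demo list give only about 14 bits, whereas four words from a 7776-word list give about 52 bits, so the list size matters as much as the word count.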