Easy to hack some Australian officials passwords
More than 1,400 Western Australian government officials used ‘Password123’ as their password
Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out, or maybe all of the above. A security audit of the Western Australian government released this week by the state’s auditor general found that 26 per cent of its officials had weak, common passwords — including more than 5,000 including the word “password” out of 234,000 in 17 government agencies.
The legions of lazy passwords were exactly what you — or a thrilled hacker — would expect: 1,464 people went for “Password123” and 813 used “password1.” Nearly 200 individuals simply used “password,” perhaps never changing it to begin with. Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123.”
The laxness might be amusing, but the potential consequences definitely aren’t. Many of these accounts are used to access important information and vital government systems, according to the report — and several can do so remotely, with no additional vetting or credentials. Auditors were able to access one agency’s network, with full system-administrator privileges, by guessing the password: “Summer123.” Overall, the report found that most agencies didn’t help users store their information safely and securely; this meant some employees were storing their passwords in Word documents or spreadsheets.
“After repeatedly raising password risks with agencies, it is unacceptable that people are still using password123 and abcd1234 to access critical agency systems and information,” Auditor General Caroline Spencer said.
In the wake of the report, the government has agreed to step up its security game. It’s developing practices to help employees store their password information more securely. The new Office of Digital government will house a cybersecurity team dedicated to improving security practices governmentwide.
Recent years have seen several huge data breaches at major companies. In 2013, an email account breach at Yahoo exposed the data of 3 billion users. In a 2016 breach at the FriendFinder Network — which included adult content and casual hookup sites like FriendFinder, Penthouse.com and Stripshow.com — hackers accessed 20 years of data, including passwords and personal information. In 2017, a breach at major US credit bureau Equifax exposed the personal information, including Social Security Numbers, birth dates, addresses and drivers’ licence numbers, of 143 million consumers.