27 votes

Over 1400 Western Australian government officials used 'Password123' as their password

4 comments

  1. [3]
    s4b3r6

    A security audit of the Western Australian government released this week by the state's auditor general found that 26 per cent of its officials had weak, common passwords

    Hell. Not surprising, but that is a lot of incompetence.

    Auditors were able to access one agency's network, with full system-administrator privileges, by guessing the password: "Summer123."

    That's much worse.

    In the wake of the report, the government has agreed to step up its security game. It's developing practices to help employees store their password information more securely.

    I'm hesitant to trust this. Beefing up security could look like two things:

    a) Forcing over-stringent password requirements on users, forcing them to generate passwords they can't remember, but a computer will guess easily. Which will also lead to passwords being written down and shared.

    b) Adopting better security practices - like using security keys, 2-factor authentication and FIDO. Like Google did when they adopted the Yubikey.

    ... It seems more likely, considering this country's terrible history of technology, and particularly security, that they will go for option a.

    6 votes
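To illustrate point (a) above, here is an added example that is not part of the thread: a typical "8+ characters, upper, lower, digit" complexity rule accepts both passwords quoted from the article, while a check against a common-password denylist, applied to the password's base word, rejects them. The denylist and the passphrase are constructed for the example.

```python
import re

# Constructed, tiny stand-in for a common/breached-password list. A real
# deployment would check against a large published list of known-bad passwords.
COMMON_PASSWORDS = {"password", "summer", "winter", "welcome", "qwerty", "letmein"}


def passes_complexity_policy(pw: str) -> bool:
    """A typical complexity rule: at least 8 chars with upper, lower and digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


# Trailing digits/symbols that users bolt on to satisfy complexity rules.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(pw: str) -> str:
    """Strip trailing digits/symbols and lowercase: 'Summer123' -> 'summer'."""
    return _TRAILING_JUNK.sub("", pw).lower()


def is_common_password(pw: str) -> bool:
    """True if the password itself, or its normalized base word, is on the denylist."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def audit(passwords):
    """For each password, report whether the complexity rule and the denylist accept it."""
    return {pw: {"complexity_ok": passes_complexity_policy(pw),
                 "denylist_ok": not is_common_password(pw)}
            for pw in passwords}


if __name__ == "__main__":
    # "Password123" and "Summer123" are the values quoted in the article;
    # the passphrase is constructed for this example.
    for pw, verdict in audit(["Password123", "Summer123",
                              "violet-harbour-kettle-92"]).items():
        print(f"{pw!r}: {verdict}")
```

The passphrase fails the complexity rule (no uppercase) yet passes the denylist, the reverse of the two guessed passwords, which is exactly the mismatch the comment warns about.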
    1. [2]
      FunkyGenome

      The reason people still use short 'default' passwords is straight up laziness. I think the 2FA route is the way to go as it forces at least some level of security and not simply "Pretty please, use some symbols in your passwords or something".

      I think a lot of IT-Sec work goes straight down the drain because the people using the systems don't have the needed sec training, so they end up being big gaping security holes in a relatively sturdy fortress.

      5 votes
      1. s4b3r6

        Unfortunately, passwords were a terrible idea. Now, however, we can escape them easily with gpg, and FIDO hardware keys. Users are easily convinced by sentences like 'No more passwords. Just tap this button when you want to login.'

        It doesn't solve all the security problems, and certainly doesn't when it comes to government infrastructure, which has been shown to be analogous to a holey sort of cheese in recent years... But it's a start.

        1 vote
  2. crius

    I worked in government and semi-government agencies.

    There is a big disclaimer to be done:

    Most IT departments are terribly incompetent.

    I've seen users with basically access only to their computer and the unfiltered internet having to use a 12-char-long password and change it every 14 days.

    But then, internal systems that are fed XML or CSV files and have nothing to do online are on the same network that is connected to the internet.

    Anyway, users using weak passwords is just a fruit of the societal approach to IT.

    The only smart-enough approach I've seen in use was an rsa-key login with a 6-number prefix, always constant, chosen by the user, and of course IP/geolocation detection that raises a warning to the admins for anything weird.

    It feels like the simplest and most reliable solution for a medium-high profile company imho.

    2 votes