The Sydney Morning Herald report that a NSW Police security glitch exposed “email passwords” is misleading. But it provides useful lessons in password choice — hackers, relax, you’ve got it easy! — website security and media management.
The 5 April story, “Police secret password blunder”, explains how a database of email passwords was published on the Internet.
The names, email addresses and passwords of as many as 800 people who signed up to receive NSW Police media releases are listed on the database.
Among the exposed passwords is that of Detective Chief Superintendent Mark Jenkins, the man responsible for the state’s Counter Terrorist Co-ordination Command unit.
The headline’s “secret” is misleading. Nothing secret was revealed, apart from the passwords themselves. They only gave access to mailing list functions such as unsubscribing and changing your address.
But as the Herald points out:
Many [passwords] appear to be the secret codes journalists use to access their email accounts and other password-dependent information.
Well, that’s not the police’s fault, that’s the journalists being stupid. People are told over and over again never to use the same password for different accounts — precisely because this sort of accident can compromise everything using that password.
The Herald makes a point of noting…
… bizarre passwords such as “smellyundies”, “enforcer”, “chunder” and “crunchymaggots”.
But “smellyundies” and “crunchymaggots” are good passwords, longer phrases that are less likely to be uncovered by a dictionary attack. And what on earth is bizarre about “enforcer”? Particularly when the user was a member of the Australian Protective Service.
What is “bizarre”, or at least disappointing, are such lame passwords as the Channel 7 newsroom’s “news”, Damian from the South Sydney City Council’s “damian” and AAP Sydney’s “editorial”.
Of the 40 passwords I could still dig out of Google’s cache, only three were halfway decent or better — 7.5%. “Could do better.”
Oh, and just for the record, the “smellyundies” belong to Channel 7 producer Anna Szymanski. Choice.
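As an added example (not part of the original post), a small estimator that applies the argument above to the passwords the Herald quoted: a single dictionary word, two dictionary words joined together, and everything else, with the “halfway decent” count worked out the same way. The word list, its assumed 100,000-entry size and the 30-bit “decent” threshold are constructed for illustration, not taken from the post.

```python
import math

# Constructed stand-in for the English word list a cracker would feed a
# dictionary attack; a real list has on the order of 100,000 entries.
WORDLIST = {
    "news", "damian", "editorial", "enforcer", "chunder", "password",
    "smelly", "undies", "crunchy", "maggots", "police", "media", "sydney",
}
ASSUMED_WORDLIST_SIZE = 100_000   # assumed size of the real list

# The passwords quoted in the post (constructed list, order as mentioned).
QUOTED_PASSWORDS = ["smellyundies", "enforcer", "chunder", "crunchymaggots",
                    "news", "damian", "editorial"]


def classify(password):
    """Return (category, estimated number of guesses needed to find it).

    Case is folded before the dictionary checks because capitalised
    variants of every word are tried as a matter of course.
    """
    word = password.lower()
    if word in WORDLIST:
        return "single dictionary word", ASSUMED_WORDLIST_SIZE
    # Two dictionary words joined together ("smelly" + "undies"): the
    # search space is the square of the word list, far short of brute force.
    for i in range(1, len(word)):
        if word[:i] in WORDLIST and word[i:] in WORDLIST:
            return "two dictionary words", ASSUMED_WORDLIST_SIZE ** 2
    # Anything else: assume a brute force over the character classes seen.
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33   # printable ASCII punctuation
    return "not in word list", alphabet ** len(password)


def bits(password):
    """Guess count expressed as bits of work."""
    return math.log2(classify(password)[1])


def audit(passwords, decent_bits=30):
    """Fraction of the passwords that clear an assumed 'halfway decent' bar."""
    decent = [p for p in passwords if bits(p) >= decent_bits]
    return len(decent) / len(passwords)


if __name__ == "__main__":
    for p in QUOTED_PASSWORDS:
        print(f"{p:16} {classify(p)[0]:24} {bits(p):5.1f} bits")
    print(f"decent: {audit(QUOTED_PASSWORDS):.1%}")
```

Against a plain word list the two-word passwords do rank well above the rest; the point the comments above do not make is that a combination list of two words costs an attacker only the square of one, so the margin is smaller than length alone suggests.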
Now the NSW Police should really have been paying more attention to the website security. But they could have avoided all this embarrassment with a simple email. “We are rebuilding our mailing list to improve security,” which would have been true, “and we are issuing new passwords.” Routine. End of story.
But they didn’t. And so their counter-terrorism chief was caught with his pants down.
He said he had no idea it was available on the internet.
“I’d like to make some inquiries with our media unit before I make any comment whatsoever,” he said.
And the official police response was clumsy.
To rectify the problem, Police Media has arranged for all access to the service to be deleted.
All subscribers will have to re-register and can do so without a password.
This poor media management was probably cock-up rather than cover-up.
The Police Media Unit was informed by its Internet host, that the passwords used by subscribers are visible on the Internet. [Their comma, not mine.]
The media team was probably too embarrassed to tell the bosses and didn’t understand The Power of the Google Cache. But the journalists who re-used passwords should be equally embarrassed.
Yes, the police made a mistake. But, journalists, the only reason your email accounts might have been compromised is because you were stupid enough to use the same password.
I agree; it is akin to idiots being caught out by phishing scams. However, I must admit that it can be difficult to keep coming up with new passwords (even enough categories) for everything that one registers with… Categorisation is a reasonably good way to go, but for those with less than perfect self-filing mechanisms, it can still be arduous.
‘Enforcer’ = ‘Tosser’!
Having worked alongside coppers, I’m surprised they didn’t all use ‘password’.