The Plymouth Herald reports on what appears to be an easy-to-avoid gaffe.
An eagle-eyed passer-by spotted a password on clear display at Her Majesty’s Passport Office in Ebrington Street, scrawled on a flipchart leaning against an upper window.
Of course, with modern smartphone technology it’s not hard for anyone to read a password written so large on a flipchart even if it is high up.
And what a password it is!
Passw0rd1
Okay, so they’ve taken possibly the world’s worst password, capitalised the first letter, changed an ‘o’ to a zero, and added a digit on the end, but err… that’s pretty pitiful.
The Plymouth Herald contacted the UK Home Office to ask them about the incident, and a rather exasperated-sounding spokesperson said:
“The Home Office takes security incredibly seriously and we have explained to Plymouth Live several times why this is not a security breach.
“This word would not have allowed members of the public or Home Office employees to access any Home Office systems.
“It was simply used to take our employees only through to a page where they would then have to create a high security password, and cannot be used to access Home Office systems.”
I think that means that the password allows workers to access a webpage where they can choose a different password for themselves… which hopefully isn’t “Letme1n” or “Passw0rd2”.
One hopes that this webpage where users can choose their passwords isn’t accessible to the outside world, otherwise someone could easily go there and mess up a new worker’s first day in the job, locking them out of the system.
That may not be a realistic threat, but I see a number of real problems here:
- Passwords don’t need to be, and shouldn’t be, easy to guess or crack. There’s no reason why that password couldn’t be something like “XhxC$ndh2e&O”, for instance.
- It’s poor security to leave passwords on open display. Otherwise, what’s the point of having a password at all? Scrawling a password large on a flipboard seems unnecessary enough, but then leaning the flipboard against a window that can be seen from a public street is even dafter.
- It doesn’t matter that the password isn’t used for what the Home Office considers a “high security” purpose. The right approach is to consider all passwords to be sensitive, rather than some more important than others. If you take that approach, no-one has to second guess whether this is a password you need to be careful with or not – they *all* need to be treated properly.
- Finally, don’t sound annoyed when someone points out a potential security issue! Be grateful that they are being your eyes and ears, and alerted you to something that you didn’t notice.
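To make the first point concrete, here is a small password-policy check, written for this post rather than taken from it, that undoes exactly the kind of mangling described above (capitalised first letter, an ‘o’ swapped for a zero, a digit tacked on the end) before comparing against a list of well-known base words, and that estimates the brute-force cost of what remains. The base-word list, the substitution table and the 60-bit minimum are assumptions chosen for illustration; a real deployment would use a breach-derived list.

```python
import math
import secrets
import string

# Constructed list of common base words (assumption; a real checker would use a
# breach-derived list with millions of entries).
COMMON_BASE_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}

# Reverse the usual "leet" substitutions: 0->o, 1->i, 3->e, 4->a, 5->s, @->a, $->s, !->i
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Strip the cosmetic changes: case, trailing digits/symbols, leet substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def estimated_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(size of character classes used)."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            pool += len(cls)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_bits: float = 60.0) -> tuple[bool, str]:
    """Reject mangled dictionary words first, then anything too short to resist guessing."""
    base = normalise(password)
    if base in COMMON_BASE_WORDS:
        return False, f"trivial mangling of common word '{base}'"
    bits = estimated_bits(password)
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits is below the {min_bits:.0f}-bit minimum"
    return True, f"estimated {bits:.1f} bits"


def generate_password(length: int = 12) -> str:
    """Random password drawn from all four classes, like the 'XhxC$ndh2e&O' example."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate)[0]:
            return candidate


if __name__ == "__main__":
    for pw in ("Passw0rd1", "Letme1n", "Passw0rd2", "XhxC$ndh2e&O", generate_password()):
        print(pw, check_password(pw))
```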
What if the account isn’t used for a period of time or is orphaned? The account only being internally accessible may reduce the external threat, but it doesn’t address the internal threat. It’s just bad practice. The only excuse that would wash with me is this was being used to show staff what a bad password looks like.
If I had seen that password I would have assumed, and hoped, it was meant as a demonstration of bad passwords. Perhaps there was a security training course and someone was giving examples of bad passwords. Sounds like this was not the case though.
I would be curious what the purpose of a password would be if you are going to literally let every person know the password. Much easier to just get rid of the password.