With all the furore surrounding the launching of a British man into space, you may have missed the fact that the European Space Agency was breached over the weekend.
Hacktivist collective Anonymous, which claimed responsibility for the attack, said it did so for the “lulz” rather than to make any kind of point.
Be that as it may, the aftermath of the breach has revealed some interesting data from the agency, though it has nothing to do with aliens, Hollywood superstars or even the fourth of July.
It does, however, have everything to do with passwords, and what appears to be a massive security failing, either by the agency, its staff, or both.
Among the many details uploaded to a public document server was a list of names, email addresses and passwords – 8,107 of them, to be precise.
Of those passwords, almost 2-in-5 (39%) were found to be just three characters long, featuring such gems as “esa” and “123”.
The second most popular character length of eight (16% of the total) would not have troubled password crackers either, with many being based on the user’s name or email address, or being timeless classics such as “password,” “trustno1” or “12345678”.
Based on the complexity of some of the longer passwords, CSO Online reckons a small number of users had been quite savvy and used a password manager to generate complex login credentials though, in this case, it doesn’t appear to have done them much good.
That is because all the leaked passwords had either been poorly secured (hashed, but not salted, perhaps?) or not secured at all (stored in plaintext).
So, whichever way you want to look at this, it’s a pretty poor security tale.
If you take away one thing from this story it’s that your own passwords should contain at least 8 characters, feature both upper and lower case letters, at least one number and one special character, and not include your user id or name.
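The two lessons above, the password rules and the point about salting, as an added example that is not from the article: a checker for those rules, run over constructed records in the shape the leak is described as having (name, email, password; sample values are made up, not from the leak), plus a salted PBKDF2 store-and-verify pair showing why a per-user salt matters.

```python
import hashlib
import hmac
import os
import re

# Constructed sample records (name, email, password); not data from the leak.
# The weak entries mirror the kinds of passwords the article quotes.
SAMPLE_RECORDS = [
    ("alice", "alice@example.org", "esa"),
    ("bob", "bob@example.org", "123"),
    ("carol", "carol@example.org", "trustno1"),
    ("dave", "dave@example.org", "dave2015!"),
    ("erin", "erin@example.org", "Tq7#mVp2xL"),
]

SPECIAL = re.compile(r"[^A-Za-z0-9]")  # anything not a letter or digit

def policy_failures(password, user_id, name):
    """Return the rules from the article that the password breaks ([] if none)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not SPECIAL.search(password):
        failures.append("no special character")
    lowered = password.lower()
    # Reject passwords built from the user id, its local part, or the name.
    for token in (user_id, user_id.split("@")[0], name):
        if token and token.lower() in lowered:
            failures.append("contains user id or name")
            break
    return failures

def store_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256: a fresh random salt per user means two users
    with the same password get different stored values, unlike a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def audit(records):
    """Map each sample password to the list of rules it breaks."""
    return {pw: policy_failures(pw, email, name) for name, email, pw in records}
```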