And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
No wonder the attackers got away with so much data.
At first, some said that attack had help from an insider.
That insider was a unprotected, easily found trove of passwords. Read about it here.
And Sony employees were allow to use easy passwords like “skateboard94” for Outlook and Novell systems (see item #7 here).
One seldom-mentioned risk of this policy is that administrators will also use this password scheme instead of a complex password, like they are supposed to–because they can. Very few companies put their personal admin accounts in a separate container (e.g., a separate OU in Active Directory) and apply a stricter password policy to that container.
Not the Worst
The Sony attack and results are bad. Really bad. But that’s not the worst part.
The worst part is that MANY other large companies, also household names, are not much better in some areas.
A Fortune 500 company that I worked at within the last 6 months also uses “skateboard94” and similar passwords for all systems.
I know because I was assigned such a password upon arrival AND saw the signed/approved risk assessment that allows the practice to continue.
When you have that kind of a password policy, you don’t need to find password lists. Most of the passwords in this company would be easy to crack.
This particular company uses this password policy because some of its key systems cannot handle complex passwords. So instead of requiring complex passwords everywhere else but these couple systems, they allow all passwords to be weak.
The reason I was given was to ensure single signon and a good user experience.
It also ensures a good attacker experience.
They will get attacked and compromised (if they aren’t already compromised, but don’t know it).
IT Audit and Security Considerations
(My new blogging friends at risk3sixty.com use this heading at the end of some posts, and I like it.)
If your audit or security group is not discussing the Sony attack and whether your company has similar issues, you might want to raise the banner.
And specifically look for passwords stored in clear text in files (and code).
You should also revisit your password complexity policy and any signoffs saying that non-complex passwords are okay. When you get resistance to this, ask:
- Do you think Sony regrets that policy now?
- Do you think their internal audit/security team regrets not standing up to management?
Let’s give management another opportunity to make the call.
If we’ve learned anything from the Sony hack, it’s that one of the emails that you WANT TO BE FOUND in your company’s data dump is that management was told this was a bad policy.
And that audit and security disagreed strongly with that policy.
ITauditSecurity 
I like to point out that as of Windows Server 2008, there are now Fine-Grained Password Policies!
Since Windows Server 2003 is in it’s twilight, there is no reason any organization utilizing AD (and pretty much 95% are) shouldn’t have the ability to harden their password policy.
http://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx
LikeLike
Shane,
Thanks for the input. I guess I’d rather have a couple different policies where some groups of users have better policies and only a few have weaker policies than for everyone to have a weak policy.
I audited one company that didn’t use complex passwords because they wanted single signon and one system wouldn’t accept complex passwords, so they went with the lowest policy everywhere. I would have leaned more toward a good policy everywhere except for that one system, and that system would not be available via single signon.
The problem with multiple policies is that it increase complexity,which causes more work during setup, troubleshooting, and (ahem) auditing. That makes it harder to manage.
The other thing is that when you make exceptions, they tend to multiply. I guess you have to determine at what level you want to fight the battle, at the policy level or the exception level…
But if you’re trying to do single signon, I don’t think having multiple policies will work….
One last point. I don’t think the SONY issue was password policy, but WHERE they stored the passwords and how. A great policy for complex 32-character passwords is easily undone when the passwords are stored in a spreadsheet.
Reminds me of the manufacturing plant I visited that had the password that everyone used to log into the system in 3-foot high letters.
LikeLike