Not a "Warm-Fuzzy" feeling. Government passwords are ridiculous

Article from DefenseOne.com

Quote :

Some of the federal government’s most sensitive data are protected by passwords that wouldn’t pass muster for even the most basic civilian email account, according to a new congressional report.

Passwords like “password,” “qwerty,” and users’ names have left Homeland Security Department data vulnerable, says a report released Tuesday by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee.

And the password fiasco, the report says, is only the tip of the iceberg—plenty of other agencies have lost sensitive data as well.

The Nuclear Regulatory Commission left nuclear-plant security details on a shared drive with no protection. Hackers swiped Information on the nation’s dams—including their weaknesses and catastrophic potential if breached—from an Army Corps of Engineers database.

All that’s too much for Sen. Tom Coburn of Oklahoma, the panel’s top Republican. “Weaknesses in the federal government’s own cybersecurity have put at risk the electrical grid, our financial markets, our emergency-response systems, and our citizens’ personal information,” he said.

So far, the security failings have been more comedic than catastrophic (in one instance, hackers used the Emergency Broadcast System to warn TV viewers of a zombie outbreak). But the report warned we may not be so lucky in the future—and the problem appears to be widespread:

In addition, hackers have penetrated, taken control of, caused damage to, and/or stolen sensitive personal and official information from computer systems at the Departments of Homeland Security, Justice, Defense, State, Labor, Energy, and Commerce; NASA; the Environmental Protection Agency; the Office of Personnel Management; the Federal Reserve; the Commodity Futures Trading Commission; the Food and Drug Administration; the U.S. Copyright Office; and the National Weather Service.

“These are just hacks whose details became known to the public,” the report added.

At the Nuclear Regulatory Commission—responsible for safeguarding the nation’s nuclear plants—faith in IT is so bad that employees have started buying their own computers and setting up separate networks, which creates a whole new series of security concerns.

Things aren’t much better at the Department of Homeland Security. “To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops—even two credit cards left out,” the report stated.

NRC spokesman Eliot Brenner said many of that agency’s safety issues have already been addressed. All 44 security recommendations in reports cited by the committee have been closed or resolved pending final implementation, he said. “The NRC takes information security very seriously and works continuously toward improvements,” Brenner said.

That is really disturbing. I got written up on my first day at Siemens Wind Power because no one had told me that every time you leave your office your laptop must be locked (both physically and electronically) and that there are security guards who walk around and check people's computers, among other things. Also, we had to change our passwords for everything (and there were a lot of programs we used) once a month and you could not use the same password for any two programs or reuse a password you'd used in the past two years. Of course, there were complex password rules. I started following a certain formula for them so that they were easier for me to remember: P@55w0rd-01-10 but I'd use words and numbers that were really only significant to me. Apparently the gov't could learn something from Siemens. 

And yes, people got locked out of their computers and programs all the time. It was essential to have IT on speed dial.

I just changed the last number of my 8-10 digit passwords every month.. I had the same thing, 5 different programs with 5 different passwords, all with limits on the number of letters, numbers, or special characters at the top of the number row.. Some Must have a capital letter others couldn't..

I use very complicated and long passwords, but I cannot remember them.  Maybe it is stupid, but I put them all into a file and password protect that file.

I read something about a month or two ago about the nuclear launch codes that were, for a bunch of years, it was all zeroes. i kinda find that hard to believe.

And during the first months of the Clinton Administration THE CODES WERE LOST. http://www.forbes.com/sites/kevinunderhill/2010/10/25/general-claims-nuclear-launch-codes-were-misplaced-during-clinton-administration/

Eric wrote:

I use very complicated and long passwords, but I cannot remember them.  Maybe it is stupid, but I put them all into a file and password protect that file.

I read something about a month or two ago about the nuclear launch codes that were, for a bunch of years, it was all zeroes.

I think that might be safer than writing them down, E. We were not allowed to "record" in any way, electronic or in writing, our passwords, on threat of termination (all of this tells me Siemens must've had a serious run-in with intellectual property issues and corporate espionage somewhere along the way) so I kept a password protected file with hints to what words I was using in place of "password" for each iteration of P@55w0rd-01-10. It was all a real huge pain in the ass, but I could see the need for such a policy. 

I also read about the nuclear launch codes, E... I was horrified. :-o