Hacked Syrian Officials Used '12345' As Email Password

Nominei writes "The Israeli newspaper Haaretz reports that the Syrian President, aides and staffers had their email hacked by Anonymous, who leaked hundreds of emails online. Reportedly, many of the accounts used the password '12345' (which their IT department probably warned them to change when the accounts got set up, of course)."

That's amazing

[Anamelech]

I've got the same combination on my luggage!

Re:That's amazing

[LoverOfJoy]

It wouldn't surprise me if another anonymous hacker beat them to it and changed their addresses to 12345 for the lulz.

Re:That's amazing

[Frosty Piss]

Why do you insult neanderthals?

Re:

[Devout2]

He's not insulting them, he's just saying they're not well suited to lead a homo sapiens nation.

Re:That's amazing

[bosef1]

Oh, I see how it works. Sure, you let them clean your clothes, serve your food, teach your children. Heck, you'll even let them represent you politically (I've lived in DC, I've seen Congress). But the minute they display the first inkling of self-respect and self-organization, it's "Neanderthals aren't 'smart' enough", "Neanderthals are another species", "Neanderthals are extinct".

I see how it works, alright. You're afraid. Afraid to come out of your shell and admit your true feelings. It's easy enough to hate, but you're just to afraid... to love.

Re:

[BinarySolo]

Maybe he's just trying to properly convey that this situation is no laughing matter [slashdot.org].

Mine is 54321

[Taco Cowboy]

No zero, sorry

Re:Mine is 54321

[goombah99]

Fool! passwords need to be 8 digits at least. Mine is 1234567891011 It goes to 11, for extra security.

Re:

[Hentes]

It doesn't just use a few digits but is completely comprised of digits, making it unbreakable.

Re:Mine is 54321 UNREAL

[gmuslera]

Or this approach for secure passwords [xkcd.com]. You must make it hard to guess by other people or brute force approachs, not hard to remember .

Re:

[alreaud]

I actually try that xkcd password now on any word list I use. First...;-)

That approach is Diceware, BTW,
http://world.std.com/~reinhold/diceware.html [std.com]
http://happycattech.com/book/security-applications-0 [happycattech.com] (MS Excel and OpenOffice Calc implementations)

Re:

[SuricouRaven]

correct-horse-battery-staple

Re:

[Nadaka]

The reason password lengths were limited is because people were retarded and storing the password in a database. Now, good policy dictates that you never store a password, only its hash and salt. The only reasons to limit length is to limit the bandwidth required in case someone decides to use the unabridged works of Shakespeare as his pass phrase.

Re:

[Thud457]

oh yeah, I can top that!
0n3 7w0 7hr33 f0ur fiv3

Re:That's amazing

[Vintowin]

I've got the same combination on my luggage!

Came for this, leaving satisfied!! This thread will go to plaid soon.

Syrians?

[spidercoz]

Oh shit. There goes the planet.

Re:

[Jason Levine]

How soon?

http://www.youtube.com/watch?v=VeZ9HhHU86o

Re:

[MobileTatsu-NJG]

Awww c'mon, that was a subtle reference to Spaceballs!

Re:That's amazing

[cashman73]

I wonder if their President is surrounded by assholes, too?

Re:That's amazing

[Anonymous Coward]

In this case, the President is an asshole, too.

Well, yes. If you draw a Venn diagram of assholes and presidents, I am fairly certain that the latter is wholly contained within the former.

Re:

[Hognoxious]

s/hole/hat/

Re:

[iamwahoo2]

s/hat/helmet

Re:

[Osgeld]

http://www.youtube.com/watch?v=K95SXe3pZoY [youtube.com]

Re:

[slasho81]

Oblig. link [youtube.com]

You, sir,

[gwolf]

are now the primary suspect of breaking into Syria's government networks. You obviously have access to privileged information. Prepare to be arrested...

...On your next visit to Damascus, that is.

Re:

[Lumpy]

They made a rockband sequel to Contra?

That's COOL!

Re:

[ais523]

The same joke was also made on the Firehose submission. So I guess it was kind-of obvious...

Only 12345?

[froggymana]

I thought that everyone knew to use at least 123456 as their password. After all that increases its security by an order of magnitude!

Re:

[iggymanz]

oh no, eight is the minimum recommended length. 12345678 is the shortest secure password you should be using. or qwertyui. wait, please don't use that second one, it's my paypal password

Re:

[blau]

Hey, some of them did ---> Password list on Pastebin [pastebin.com]

IT did warn them

[Anonymous Coward]

then the IT guy got taken into the alley and shot in the head for his impudence.

Re:IT did warn them

[HSonger]

The IT group probably forgot to install the Unicode language pack on their machines so the only Arabic they could put in were numerals.

Re:IT did warn them

[mjwx]

The IT guy was then shot again, for his incompetence.

Re:IT did warn them

[sycodon]

Should be scored as +1, in all likelihood, true.

Re:IT did warn them

[MightyMartian]

I don't know if Assad's quite that malevolent. I sure wouldn't have wanted to have been Uday Hussein's IT manager, that's for sure.

Re:IT did warn them

[Bucc5062]

"I don't know if Assad's quite that malevolent. "

You watching the news at all these days? The man is ordering troops to kill anyone, collateral damage is not an issue. I'm just not certain who is worse, the leader of Syria or the leaders of Russia and China for backing that pile of shit.

Re:

[jackbird]

I've heard this meme from my batshit right-wing zionist relatives, but I've never determined where it's coming from.

It seems to rest on some kind of question-begging with regard to US/Israeli foreign policy justifications, but it's so ludicrously extreme I can't see otherwise-intelligent people swallowing it without some evidence.

So what's the evidence at the root of this meme? Who in a position of any political power in America, from the municipal level on up, has any desire to advance the cause of the Mu

Incredibly stupid

[brickmack]

Seriously? People that use such easy to guess (and therefore pointless) shouldn't even have access to anything that needs protection...

Re:Incredibly stupid

[ceoyoyo]

Well, it was their own e-mail....

Speaking of which, people who don't put objects in their sentences shouldn't even have written them. ;)

Agree

[Roger W Moore]

I agree and since the people they are supposed to be governing clearly need protection....

Re:

[MyHair]

Seriously? People that use such easy to guess (and therefore pointless) shouldn't even have access to anything that needs protection...

Pfffft. You ever worked for a Director/VP or higher? Try telling them how to set their passwords. I've seen "boss", "super" and other motivational-poster-worthy simple words. And they want everything to auto-login. One of the last major worm outbreaks I encountered originated in the senior executive offices.

Okay, that was a few years ago. Maybe that company has learned a few

Re:

[jamstar7]

They're politicians and bureaucrats. How much fucking brains do you think they have? I'm willing to bet that password strained their limited intelligence. Rocket scientists they're not.

You know...

[koan]

Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak, virtually no one uses strong passwords.

Re:You know...

[arth1]

Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak

No surprise there.

, virtually no one uses strong passwords.

Non sequitur. The published passwords are weak because that's the passwords that were easily cracked. Those who have strong passwords are underrepresented on the lists precisely because they have stronger passwords so they weren't brute-forced easily.

IT departments and well-meaning distro packagers have to take some of the blame too. I can't choose a password like Zph9vZZZ3tPseX4 because it has Z repeated 3 times, and contains a word found in a dictionary?
Fuck that then, I'll go with abcd1234 instead. Oh, and I have to change it every four weeks? Next time it will be 1234abcd, then abcd12345 and 12345abcd - catch my drift?

Re:You know...

[Dwonis]

Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak

No surprise there.

, virtually no one uses strong passwords.

Non sequitur. The published passwords are weak because that's the passwords that were easily cracked. Those who have strong passwords are underrepresented on the lists precisely because they have stronger passwords so they weren't brute-forced easily.

Sure, but every now and then, some *site* uses a poor hash, which allows people like me to do research on password strength and frequency. These results don't exhibit the selection bias you're talking about, because they're a full dump of passwords on the site. This [dlitz.net] is just for one specific site, but I found that 36% of all passwords were easily discoverable using a rainbow table, 33% of passwords weren't unique, and 1 in 72 users had the password "super123" for some reason.

I actually had a list of email addresses and their corresponding passwords for the site. I wouldn't be surprised if a lot of these passwords could also be used to get access to their corresponding GMail/Yahoo/Hotmail accounts (but I didn't test it out, because I enjoy not being in jail).

Re:You know...

[arth1]

Sure, but every now and then, some *site* uses a poor hash, which allows people like me to do research on password strength and frequency. These results don't exhibit the selection bias you're talking about, because they're a full dump of passwords on the site. This is just for one specific site, but I found that 36% of all passwords were easily discoverable using a rainbow table, 33% of passwords weren't unique, and 1 in 72 users had the password "super123" for some reason.

The link you provide supports that this is selection bias - he cracked 26025 out of 93688 passwords, and then made the brilliant deduction that boils down to "of those passwords that I easily cracked, most were found to be easily cracked". No shit, Sherlock.

Sure, that 36% of passwords are easily cracked is bad in itself, but that's another thing entirely. It can't be used as statistics to extrapolate anything using the word "most". It only applies to that subset of weak password.

I also have to arrest you for " I found that 36% of all passwords were easily discoverable using a rainbow table". This is incorrect. 100% of all passwords are easily discoverable using a rainbow table. 36% may be easily discoverable using a partial rainbow table, which is not the same thing.

Re:

[ceoyoyo]

So what you're saying is that MOST passwords were pretty decent (not discoverable using a rainbow table) then? That's a little different from the OP's assertion that "virtually no one uses strong passwords."

That depend on the system

[aepervius]

On most web site including some email account i use as a throw away, my password is something like julie. very weak, because I don't care. But on some stuff like online banking my password is more like Sushi-tAbLe#722915;DeadPan (not the real password, but same similar structure). I have to wonder from those study you are speaking of, if they took into account how much importance the user gave to the service/data protected behind the password.

Re:You know...

[LordLucless]

yep never use the same user name or password for different sites you care about, at the minimum.

FTFY. I mean, really, nobody has the mental capacity to remember a unique, strong password for every titchy site they have an account on.

Me, I have a strong, unique password for the handful of things that deserve it (My workstation, email, banking, facebook) and then a common password that I use among all the other sites, that I really don't care about being compromised.

Re:

[am 2k]

I mean, really, nobody has the mental capacity to remember a unique, strong password for every titchy site they have an account on.

Yes, I'm using a password manager for the rest (1password). It can also generate super-secure randomly generated passwords.

Re:

[St.Creed]

I use keepass for that the same way. However, after I got a smartphone I needed to retype all of those passwords. Yeah that's nice, to manually enter the 30 character random bytestring... I've since fallen back to a bit simpler scheme. The XKCD scheme works rather well.

Re:

[DMUTPeregrine]

I use that method, and a password safe (keepass) to store the generated passwords. "hbar=1.05E-34" is a good terrible password. Easy to remember, useful to remember (never know when you'll need the reduced Plank's constant...) and fits most site password rules: over 12 characters, less than 16, includes upper-case, lower-case, numbers, and punctuation. It's "strong" to most password meters, despite being a rather weak password to a dictionary attack against physicists.

Re:

[mark-t]

Where routine password changes are strictly enforced, the system would notice that there were too many characters similar between your old and newly chosen password and would not allow it.

Re:

[Arancaytar]

I think you mean: Virtually no one who uses strong passwords ends up with their password posted on pastebin.com for you to see. :P

Re:

[martas]

And this, ladies and gentlemen, is the Holy Mother of sampling biases (and a 5-digit-uid /. reader who fell for it... for shame).

Palin Popcorn Password

[kenh]

Is this really 'hacking' when you guess the password?

Reminds me of the script-kiddie who 'hacked' into Sarah Palin's email account once he successfully guessed her password was 'popcorn'...

Wonder how he's doing in prison?

Re:

[betterunixthanunix]

Is this really 'hacking' when you guess the password?

It is hacking if you manually enter a URL, so yes, guessing a password is hacking too. Basically, if people are not creative enough to think of how their security system might be defeated, then anyone who defeats it is a hacker (and deserves a jail sentence).

Re:Palin Popcorn Password

[Dwedit]

That never happened.

Someone guessed Sarah Palin's security questions (such as "Where did you first meet your spouse" with the answer of her high school in Alaska), and got into the account. Then the password was changed to popcorn.

Re:

[artor3]

No, he served nearly a year in prison. It was that punk kid who falsified evidence to shut down ACORN and who tried to wiretap a senator's office who got off with minimal punishment.

Re:

[rahvin112]

Not minimal, none. He got like 80 hours of community service. No fine and no jail time. The guy should be in jail for fraud and slander/libel at a minimum and for trying to tap a member of congresses phone he should be in jail for espionage. Anyone that thinks that jackass is a hero needs their head examined.

Re:

[gl4ss]

if he really was a kid when doing it, what do you expect? convicting him as an adult?

Re:

[artor3]

He was 25, so yes, I do think he should be tried as an adult. He should be in prison, but he's not because Fox (and by extension their mindless viewers) adore him for his destruction of an organization that had the gall to try to help poor people.

Re:

[orphiuchus]

*And to destroy our economy by getting said poor people mortgages they couldn't afford.

Re:Palin Popcorn Password

[mjeffers]

You've confused your right wing memes.

ACORN, the group shut down after the faked videos, is the group that was going to destroy the country by letting poor people vote.

The keywords you want for "destroy our economy by getting poor people mortgages" are either Barney Frank or Fannie Mae/Freddie Mac.

Just pointing this out to help but if you want to keep your right wing memes straight, watch more Fox news.

Re:

[Attila Dimedici]

his destruction of an organization that had the gall to try to help poor people.

By registering them to vote without telling them and then sending someone to vote for them, because after all, they knew how they really wanted to vote.
OK, that statement is hyperbole, but ACORN commttied systematic voter fraud in the entire country. And ACORN has not been destroyed, it has just changed its name and is happily continueing to collect taxpayer dollars (despite a law forbidding that) through "unaffiliated" affiliates and other shady techniques. Do a thorough study of ACORN's corporate structu

Re:

[repapetilto]

Reversing mods to say this...

Have you ever raked leaves for 80 hours?

Is it even hacking anymore?

[corychristison]

When people use such stupid passwords, is it really even considered hacking anymore?

Conversely, does calling this hacking diminish the skills of those who actually know their security inside and out?

Re:

[betterunixthanunix]

Here is the mainstream definition of hacking:

If nobody thought of a way that a security system could be defeated, then anyone who defeats that system is a hacker and has engaged in hacking.

Now I'll have to change my dadblasted passwords!

[edibobb]

The Syrians stole my password for everything! Now I'll have to come up with a new one.

Assads email wasn't hacked

[highwaytohell]

It was just the dept staff. Looked like it was hacked through the webmail portal of mopa.gov.sy. The only thing of note was the exchange re the Barbara Walters visit. The Ministry of Presidential Affairs is basically his marketing department. Whilst one would hope they busted into this despots email, the truth is they did no such thing.

BAD PASSWORD: it is too simplistic/systematic

[hcs_$reboot]

No, 12345 is actually a very complex password for Bashar al-Assad.

Leet Hackers

[jjp9999]

I'm curious to know how many hacker just go around typing 12345 and 1qaz into every account out there just to see what they can get.

Don't shoot the messenger

[Beeftopia]

... when he comes up from the IT department and tells you that your password is weak and you need to change it. However, in Assad's Syria, user change* you!

* And by "change" I mean "shoot."

The headline gave me a headache

[rebelwarlock]

I had thoroughly convinced myself that the days of people using passwords this stupid was behind us, left to rot in the dark ages of the internet. $faithInHumanity--

Comment removed

[account_deleted]

Comment removed based on user account deletion

Strong simple passwords explained

[dbIII]

http://xkcd.com/936/ [xkcd.com]
I know it's preaching to the converted with the above two posters, but it's worth looking at.
The passwords I give users from permutations of a word list make them laugh but they can remember them.

Old rumour regarding US nuke launch codes...

[Tastecicles]

...apparently the launch keys for each and every silo-based ICBM were/are all "0000000000" (ten zeroes). Scary.

Re:

[Johann Lau]

Okay, now that the hardest part is solved - where to punch them in?

Re:

[Tastecicles]

I doubt they'd be connected via public WAN... or could the US Government possibly be that stupid??

Re:

[dbIII]

It was true.
Since the requirement for a password was forced on the military from the outside and they wanted the last man standing to be able to launch without being locked out they set the password to all zeros as a workaround for what they considered to be a stupid and dangerous restriction. I can see their point.

Hacker walk of shame

[Anonymous Coward]

As the hacker saw much to his horror that the Syrian President's e-mail password was indeed 12345 he tried to break the connection but it was too late. Word had spread and all knew that his most important hack was one that a five year old could have bested. A week later the hacker was found with a gun in his mouth and the numbers "12345" scrawled across his walls. His last e-mail was a simple "Who uses 12345 as a password!" Other hackers said that it was a tragedy that he would be remembered for one lame hack. Word came later that day that the Syrian President had beefed up security by using his son's name as his current password. Hackers world wide turned away in disgust and refused to stoop to hacking some one that lacked even basic internet skills.

Some turned their attention to hacking President Obama's e-mail until it was found he used the password "Romneysucksballs". No hacker would dignify such a password with a hack. Later that day it was revealed that Bill Gates used "stevejobsisaweiner" as his password but most knew this was the case since the late 90s.

Re:

[account_deleted]

Comment removed based on user account deletion

Gmail, Yahoo, Hotmail...

[flyingfsck]

The password doesn't matter if your account is at a place where everything is already readable by the Man.

Was it hacking?

[Zaatxe]

Can you call the access to an account which password is "12345" hacking? To make an analogy, can you call yourself a lock-picker if you open an unlocked door?

Cracking..?

[hilather]

Even Slashdot has given up on trying to save the word "hacking"...

It's a good password

[bluestar]

Maybe 12345 is really complicated in Arabic. Like MMMMMMMMMMMMCCCXLV.

Re:12345

[flyingsquid]

If a bunch of kids could hack into Syran government email by typing "12345", you'd imagine that at least one of the big cyberwarfare or intelligence units out there- the U.S., Israel, or China- would have thought of the same trick and has already been monitoring their communications for a while. At least you'd hope so. I'd hate to think that right now there are of a couple of NSA agents looking at each other and saying, "12345... hey, why didn't we think of that?"

Re:12345

[ceoyoyo]

Or a couple of NSA agents looking at each other and saying "shit, I've got to go change my password."

Re:12345

[Culture20]

Or a couple of NSA agents looking at each other and saying "shit, now we can't read their email"

Re:

[Gumbercules!!]

Man I wish I hadn't already frivolously burnt the mod points I had earlier today. That one made me laugh out loud.

Re:12345

[retech]

Perhaps they did. Do you seriously think that: 1. they'd let /. know and that B. they'd tell Syria when they have a free pass?

Re:12345

[rahvin112]

Governments will go to extreme lengths to avoid revealing when they have access to information that the "enemy" thinks is secure. The allies went to very extreme measures to avoid tipping the Germans off that they had access to all the communications that went out on the Enigma machine. This included letting their own troops be ambushed and killed and massive use of resources and manpower to cover up when they did use the information, such as flying a hundred aerial survey missions to cover up knowing the travel path of a sea convoy.

Re:12345

[donscarletti]

They claim they have never allowed an ambush to cover up codebreaking in WWII, just the difficulty in diffusing this information in a covert way meant it did not always get to who needed it in time. From this, it can slowly snowball in retelling to generals and spies sending men into ambushes to cover their efforts, which is stragegically retarded since it is not realistic for the enemy to notice something is amiss just because they don't get lucky in ambushes. However I think people just like the weight of the supposed situation: *movie trailer voice* "the ultimate sacrifice, to protect the ultimate secret".

The air raid on Coventry.

[wfstanle]

The German air raid that almost destroyed Coventry was an example of this, The Brits knew it was coming but they also knew that the Germans were beginning to get suspicious. As a result, the British government felt that they had to let this air raid occur even though they knew many people would be killed.

Re:

[MightyMartian]

The thing about, say, the CIA or Mosad, they would hack, but not reveal they had and just keep reading the emails as they came in.

Re:12345

[ArundelCastle]

The Papal and Italian agencies turn to their roots for cipher strength: IIIIIIIVV

Re:

[corychristison]

I count three prior to your post.

You either need to type faster or reload the page before deciding to comment.

Re:

[Anonymous Coward]

Really, Why weren't these accounts configured to expire on the first login, like most default passwords?

They are not configured to expire on the first login because most users never truly log in - they tend to access the services through point-and-drool applications that have no facilities for changing the password.
And even when they do log in, it's likely with dumbed down Windows terminal progs which for unfathomable reasons close the window immediately on disconnect, so the user won't have a chance to read why he was logged out and what to do about it.

So some admins take the easy way out and don't expire th

Re:

[Archangel Michael]

To be fair, the current Administration (NDAA) agrees with ASSad, just as long as you label them "terrorist" first ;)

Re:

[Osgeld]

more likely C) shot in the head for questioning his judgement