More Than 1400 Australian Government Accounts Are Protected by "Password123"


Every day, we see a number of research reports detailing how poor the state of information security is nowadays. Hours upon hours are spent putting together these papers, and the idea of all this hard work is to tell users, organizations, and service providers what should and what shouldn't be done when data security is on the line. That's the theory, but as Western Australia's government is about to show you, it hasn't really worked.

Auditor General Caroline Spencer led the team tasked with assessing the state of information security across Western Australian government agencies. A total of 17 agencies were reviewed, and the results were pretty shocking. The 59-page report published last Tuesday highlights a number of shortcomings, including missing vulnerability management and risk assessment and poor access control, but the section of the paper that draws the most attention is the one that discusses government officials' password practices.

Many Australian government workers have extremely poor passwords

To find out what sort of passwords Western Australian government employees use, Caroline Spencer's team took a list of commonly used weak passwords from a penetration testing tool and ran a simulated dictionary attack against the Active Directory environments of the 17 agencies. Had it been a real attack, it would have cracked 26% of the 234,000 accounts it targeted.

The passwords that broke the accounts open were just as terrible as you would expect. Protecting well over 1,400 accounts, the most common password the auditors found was "Password123", and in second place was "Project10", used by just under 1,000 government officials. In the Top 20 list, we can see other predictable and horrendous picks like "password" and "abcd1234", but we also have entries like "Logitech1", which should probably tell you a lot about the brand of keyboards the reviewed agencies use. Note that the top two and "Logitech1" all pass the classic complexity rule of eight or more characters mixing upper case, lower case and digits, which is why a complexity-only policy does nothing to keep them out; only a check against a list of known weak passwords would have.

It should be noted that all of these accounts belong to the agencies' internal systems, meaning that an attacker would most likely need more than a computer and an internet connection to reach them, but this doesn't make the passwords any less important: internal credentials are exactly what an attacker who has already gained a foothold uses to move from one system to the next. Furthermore, the auditors said in the report that in 2017 they managed to break into a public-facing government account after correctly guessing that the password was "Summer123".

Who's to blame for the woeful passwords Australian government employees use?

Are we supposed to be really surprised by all this? Sure, the results of the simulated dictionary attack were quite tragic, but then again, so are the findings in other reports examining the password-creating habits of regular users. In other words, humans work for the Western Australian government, and like all humans, they're bad at managing passwords. That's not exactly breaking news, is it?

The thing is, this is not a small online shop or a message board we're talking about. It's a government, a huge organization in charge of running an entire state (and a rather large one at that). It should have known better, and it should have created strict policies regarding what can and what can't be used as a password, including a check against known weak passwords rather than a bare complexity rule. It should also have invested in teaching its employees how proper password management is done.

It has done neither of these things, but perhaps more worryingly, in all likelihood, it's not the only government that has failed in this respect.

August 27, 2018