I wish you had not done this. I did not want to see anybody's passwords, or create any sort of record that I myself downloaded the password list (which I did not). Perhaps this is my fault for even clicking on the comments thread of this article. And of course there are many reasons to call me paranoid. Nonetheless, well, I will be moving on now!
It seems someone else already did this hack and these guys simply copy-pasted the passwords to make it look like their hack. Apparently, these copy-pasters are The Hackers Army from Pakistan.
Personally I don't like spaces because every now and then I find a service that doesn't accept them - ex: you can't have spaces in your IRC password. ASCII printable characters are enough for me.
I find that typing a bunch of words with spaces is faster than with words. I guess my brain is wired by now to automatically press the spacebar between words.
Wouldn't it make it harder to remember which places accept a password with spaces and which don't? I already have trouble remembering which sites require long passwords and which require shorter ones.
It appears that, in general, the FBI staff are setting reasonable passwords. There are a few passwordNNN types but the majority are adequate and, in my opinion, would hold up well against a brute force vector, which is the primary purpose of password complexity.
The fact that some of those passwords appear very strong also means they weren't bruteforced and therefore most likely stored in plaintext. I guess even the FBI have sloppy programmers...
They say on the pastebin that one connexion sent passwords in clear text (through asipx-webadmin), so they probably were read there. At least it was probably an entry point.
3 and 4 would not take long to be brute forced by a dictionary attack, I think. Too many people use qwerty in their password, so it's probably highly rated in a dictionary attack.
3 and 4 are weak because we have pretty good heuristics on how passwords are composed so it wouldn't take much longer to brute-force them than it would to do password123.
I'm sure this comment will be heavily downvoted but I read several times that FBI and similar agencies were 7 years ahead in terms of technology including security of systems.
I didn't believe in those quotes and every time a situation like this happens I'm more convinced that they are no more advanced than the big companies (Microsoft, Mozilla...) and depend heavily on the updates released by those companies every week... Just my 5 cents...
Well, they could for example invent RSA years before the public knows about it. (British intelligence did this). Or they could invent differential cryptanalysis before the public knows about it. (NSA did this.)
If my experience having worked closely with local government IT also applies to the FBI (I would bet it does), then they, just like any technology in the public sector, are usually 10 years behind in technology compared to the private sector. They're just mostly bored, undertrained people, with no real incentives to do a good job, who would rather play office politics to raise their chances of getting a promotion than learn what the heck this PHP injection thingy is.
As opposed to the Hollywood scenes of ultra high tech rooms with floating transparent screens, shiny lights everywhere, and super advanced systems that can listen to your voice commands and instantly solve complex cases just by saying "enhance!". Which is probably the vision this person who talked to you had. Reality is more like windows xp and programs that compile even when the unit tests fail.
Well, I would think that the FBI would really be the wrong agency for this to apply to, as they are really no more than just normal police officers on the federal level.
These passwords look a bit suspect.. it seems like some are forced to have very complicated passwords while others do not.
Interesting to note, Timothy Lauster is on this list and was a person associated with the FBI call Anonymous leaked.
Maybe they weren't stored in plaintext, they could have been reversed from the hash. A lot of legacy systems still store passwords in something like 3DES which is trivial to reverse.
PS - "reverse" just means using either rainbow tables or generating the entire set for a given hash(n).
All these people with "password123" as their password (and there's a bunch similar to that) should be fired. Sidney MacArthur, you work for the Navy and you have that as a password?
I more so blame the administrator who allowed them to have these passwords (and of course whoever was storing them in plaintext).
The reality is that employees can't be trusted to manage password strength. But it's trivial to implement a validation scheme that forces employees to be over a minimum length, use special characters, etc. Of course this is also not great -- and inevitably we'd see Pa$$word123 -- but it's at least a starting point.
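The validation scheme this comment describes can be made concrete. The following is an added example, not code from the thread or from any agency: a password-acceptance check that enforces a minimum length, normalizes common symbol substitutions so that Pa$$word123 is treated as password123, rejects reuse of the account name and keyboard walks such as qwerty, and still accepts long passphrases with spaces. The account list, the blocklist and the substitution table are constructed for the example.

```python
import re

# Constructed sample accounts (username part of an address plus a candidate
# password). These are invented for the example, not entries from any leak.
SAMPLE_ACCOUNTS = [
    ("jane.doe", "Pa$$word123"),
    ("jane.doe", "doe.jane"),
    ("bob.smith", "qwerty9876"),
    ("bob.smith", "g7#Qp2!vLx9mZ"),
    ("alice", "password111111"),
    ("alice", "correct horse battery staple"),
]

MIN_LENGTH = 12
# Small constructed blocklist; a real deployment would use a breached-password list.
BLOCKLIST = {"password", "passwd", "qwerty", "letmein", "welcome", "admin"}
# Common "leet" substitutions, undone before the blocklist comparison.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(pw_lower: str) -> str:
    """Undo symbol substitutions so 'pa$$w0rd' compares as 'password'."""
    return pw_lower.translate(LEET)


def keyboard_walk(pw_lower: str, run: int = 4):
    """Return the first keyboard-row run of `run` chars (either direction) found."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in pw_lower or seg[::-1] in pw_lower:
                return seg
    return None


def policy_violations(username: str, password: str) -> list:
    """Return the list of reasons the password fails policy (empty = accepted)."""
    reasons = []
    pw_lower = password.lower()
    # Drop a trailing digit run ("password123" -> "password") before normalizing,
    # so the digits appended to a dictionary word do not hide it.
    norm = normalize(re.sub(r"\d+$", "", pw_lower))

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    hit = next((w for w in sorted(BLOCKLIST) if w in norm), None)
    if hit:
        reasons.append(f"contains blocklisted word '{hit}' after normalization")

    # Any 3+ character piece of the account name (split on . _ -) is disallowed.
    frag = next((t for t in re.split(r"[._-]", username.lower())
                 if len(t) >= 3 and (t in pw_lower or t in norm)), None)
    if frag:
        reasons.append(f"contains account-name fragment '{frag}'")

    walk = keyboard_walk(pw_lower)
    if walk:
        reasons.append(f"contains keyboard sequence '{walk}'")
    return reasons


def audit(accounts):
    """Run the policy over (username, password) pairs; returns (user, pw, reasons)."""
    return [(u, p, policy_violations(u, p)) for u, p in accounts]


if __name__ == "__main__":
    for user, pw, reasons in audit(SAMPLE_ACCOUNTS):
        verdict = "OK" if not reasons else "REJECT: " + "; ".join(reasons)
        print(f"{user:10} {pw!r:32} {verdict}")
```

The check deliberately accepts spaces, so a long multi-word passphrase passes while a short substitution-disguised dictionary word does not; the blocklist and substitution table here are tiny, and in practice the blocklist comparison would be run against a full breached-password corpus.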
I don't know if I agree with fired, but if you work for the FBI, you probably have some access to non-public information; some people have classified or high clearance levels. If you can't manage to have a password that matches patterns that people warn you to avoid for your Facebook, let alone your FBI password, maybe your supervisor should reevaluate what level of trust you should be given.
Or whoever is in charge of tech security, yes. I think the whole Wikileaks-State-Dept. episode showed how a global system can be undermined by the weakest link.
Rough estimate: about 1/3 of the passwords can be easily cracked.
Of the rest, some are human inputted for sure but some seem randomly generated.
Can I venture a guess that some weak accounts are pretty trivial and the important ones are using randomly generated passwords? Yes, it's still bad practice, weak link and all that. I'm not condoning such practice.
I don't like this being listed on ycombinator. I have now just gone to a site with all the passwords on, I was expecting an article about it. I do not like the fact that I have just browsed that page!
This is Hacker News...I appreciate the direct source of the leak. Not some shitty article that someone wrote about what happened. If you don't like it, don't click it.
The title is "FBI got Hacked, Reveals Hundreds of Passwords" and while it does point to pastebin, the title reads like the title of an article. So it's hard to know not to click it until you click it. If the title did a better job indicating what the content was, you could both be happy.
Maybe I'm very naive but I have a hard time imagining one would get into trouble by browsing such a list now that it's in the open. Thousands of people are browsing this list right now....
It's half principle, and I think that I would worry about things like that. I have no idea what kind of monitoring tools and methods the FBI have, and I don't want any attention because someone linked a load of passwords to ycombinator and I went to it expecting a fairly innocent article :)
Exactly, and that is how it normally is on ycombinator. If there's a link to the actual data on the article, then whoever wants to go to that, go ahead, but I stay away.
So where do we sign in to validate this works?
Purely for research purposes. Not saying I want to sign in another person's account, but just out of curiosity, where do we sign in?
I would hope by now they have locked out all those accounts and pulled the server... but on the other hand it's a government agency we are talking about =)
I see some email addresses referring to recent cases in there, i.e. findwhitey@ic.fbi gov. I wonder if these guys just tipped off mobsters still under investigation... or even read some of those case mailing lists (presuming that's what they are).
It's interesting to see that, for the most part, there appears to be a lot of randomly generated passwords. Of course, it's also worrying to see that there's passwords as insecure as "passwords123" for an organisation where security is paramount.
This looks pretty fishy to me. There are a lot of super-simple passwords like firstname.lastname and then stuff like )(^!@tyukjas or )(klhkdgkajst2.
The simple passwords are too simple [ali@ic.fbi.gov - noentryplease1897182 - really?] and the complicated ones are way too complicated [I assume they don't use tools like 1Password and such].
Also most of the emails are firstname.lastname@... and every 3rd or 4th is Firstname@... and some of them are really weird, like SCAM@ic.fbi.gov - juyt8&81igasd, Bogdan@ic.fbi.gov - 19127gasdg8991872
Perhaps this is the wrong place for this kind of discussion, but don't these kind of leaks seem careless? I'm all for transparency, but how does exposing this kind of information help anyone?
> Joseph McQueen III, chief of the FBI personnel recruitment unit according to [0].
daniel.clegg@ic.fbi.gov - clegg.passwd
> is an FBI supervisory agent
Some others:
laura.eimiller@ic.fbi.gov - passwored12
William.So@ic.fbi.gov - cutelilyian191
tammy.mchugh@ic.fbi.gov - passwords123456
Rich.Ernst@osd.mil - ernst.richard
celkins@vertizontalinc.com - celkins.vertizon
joseph.herold@us.af.mil - 128482joshqwerty
joseph.s.dufresne@uscg.mil - qwerty9876
IC_Complaints@ic.fbi.gov - JulianICcomplaints
gavin.edward@bdsus.mod.uk - eduardopassword123
IC_Complaints@ic.fbi.gov - JulianICcomplaint
ronald.menold@ic.fbi.gov - password111111
[0] http://www.diversitycareers.com/articles/pro/09-augsep/dia_f...