John Podesta’s password was “password”

An interesting claim, no?

Wikileaks founder Julian Assange has said a 14-year-old could have hacked into the emails of Hillary Clinton’s campaign chairman.

John Podesta’s emails were made public by the whistleblowing website and proved to be a hammer blow to the Democrat’s election campaign as she lost out to Trump.
In an interview, Assange revealed the campaign chairman’s password was ‘password’ and that he had responded to phishing emails.
The Wikileaks founder said he was 1,000 percent confident the Russians did not hack the Clinton campaign, adding Barack Obama was ‘trying to delegitimize the Trump administration’.

Not wholly convinced that Gmail will let you have such a password, but perhaps in the past…

Still, interesting that this is from one of those technocratic wonks who know all the difficult policies to really make America work, right?

40 comments on “John Podesta’s password was “password””

  1. It seems that the media like to use the term hacked when they mean a password was guessed. This is also what happened with the Fappening. If they used the correct terminology perhaps people would better understand the need for good password security.

    I use a password manager that means I can use different virtually uncrackable passwords for each site I have an account with. It’s the fundamental method of online security.

  2. How can he be certain that the Russians didn’t access these accounts? He would of course be sure of his own source, but how can he be sure that his source is the one and only, i.e. that the Russians weren’t spying?

  3. Nah, it wasn’t “password”, it was the infinitely subtler, nobody-has-ever-thought-of-this-before, p@ssw0rd.

  4. @Pat, because it wouldn’t matter. The charge is that the Russians “hacked” Podesta and released his e-mails.

    It doesn’t matter if they hacked Podesta and then retained the e-mails for future blackmail, because that’s not what the hysterical Dems have charged them with.

    No doubt half the hacking teenage nerds in the world have hacked Podesta, the DNC, the RNC, and (more importantly) Hillary’s bathroom server. But the outfit that released the DNC stuff is Wikileaks, and they say they got it from an insider DNC leaker, not by hacking. Have you any evidence to the contrary?

  5. This has been circling on reddit for quite awhile (by that I mean several months). Podesta responded to a phishing attempt and his password was “password”. Combine this level of 21st century awareness with Hillary’s private email server and you have a very dangerous collection of individuals managing the top state secrets. The workings of the entire government would have been open to anyone to read.

  6. “The workings of the entire government would have been open to anyone to read.”

    And have been. By everyone possible.

  7. @Dearieme
    No evidence at all. But I’d be amazed if there were fewer than a score of organisations at least attempting to get every bit of info they could. Spies spy, it’s what they do.
    And whilst I give some credence to the assertion that wiki’s source was not a government, I have trouble with the assertion that no-one else had the info.
    Whether the info is now any use to the Russians or anyone else is another matter.

  8. 1. Just watched the video where Assange said this (https://www.youtube.com/watch?v=qaHlN6Jm8X4), apparently it was in the leaked mails, so if you have the patience to look through them, you can find out whether he’s lying or not.

    2. What astounds me is that everyone has fallen hook-line-and-sinker for the narrative where the source of the data is more important than the content. And that people who know better are still talking about “hacking the election” (which implies hacking votes, apparently 50% of Clinton voters still believe it).

    3. Wikileaks didn’t actually say it was a DNC leak. That was Craig Murray. The furthest Assange would go was to say it wasn’t Russia (in line with their policy of not disclosing sources).

    4. Everyone goes on about there being no GOP email leaks. Maybe there weren’t any, or maybe there isn’t anything interesting to leak: The Republicans seem to have spent most of the campaign period plotting against each other out in the open anyway!

  9. “Assange revealed the campaign chairman’s password was ‘password’ ”

    Yeah. The Party of Smart.

    In the early 1970s, the Nixon administration sued the NY Times to prevent it from publishing the Pentagon Papers. These documents were secret diplomatic traffic pertaining to the war in Viet Nam – which was then still being fought.

    Part of the basis for the suit was that the NYT was not authorized to have possession of the documents in the first place – they had been stolen.

    Disregarding how the documents had been obtained, the Supreme Court ruled the First Amendment took precedence and allowed publication. The vote was 9-0.

  10. Tim

    Check out TRUK – brilliance from the Spud. Mentions Concentration Camp guards in defence of ‘The Establishment’ – that trip to Dachau obviously held great resonance.

    Additionally there is a classic justification of the ‘Independent Civil Service’ where his ‘but I am a democrat’ argument starts to look a little flimsy. Not sure if Noel or one of the other assiduous followers of TRUK can point to a link where he explicitly says the UK should not respect the result of the referendum but that’s the clear implication. For those who are unwilling to turn to the page itself. Here’s a taste of the comments……

    R. says:
    January 4 2017 at 6:29 am

    ‘On the GP point… You are of course correct there are not enough GPs. (Ed Miliband’s promise of a two-day wait was similarly unrealistic)

    But if it is a choice between being open on a Saturday and being open on a Tuesday… Shouldn’t GPs be open on the weekend?

    I know it’s inconvenient for them… But it’s very convenient for patients who work/have school.

    Just a thought anyway. Nice blog.’

    Richard Murphy says:

    January 4 2017 at 7:50 am

    ‘The evidence is very strong that people do not want to see GPs at the weekend

    So why do it?’

    R. says:
    January 4 2017 at 7:58 am

    ‘Interesting.

    This survey suggested that 19% are not happy with GP opening times… And that the three quarters of those want them open on Saturdays. Far fewer wanted Sundays.

    http://www.bbc.com/news/health-34732926

    To me that suggests that Saturday opening is worth going for. There’s a significant minority… c. 15% who would benefit.’

    Richard Murphy says:
    January 4 2017 at 8:13 am

    ‘Did the same survey ask if people wanted a free holiday in Barbados? I suspect they said yes to that too’

  11. “What astounds me is that everyone has fallen hook-line-and-sinker for the narrative where the source of the data is more important than the content. And that people who know better are still talking about “hacking the election” (which implies hacking votes, apparently 50% of Clinton voters still believe it).”

    It’s not astounding. These people believe Hitler, literally, has been elected US President. From here they need to either:

    – Admit Trump is not Hitler and they are wrong,
    – A very large number of people in the US have voted for Hitler, or;
    – The Ruskies did it!

    The first one would be beyond thinking, the second painful, so the third one is their way of recompiling the events of the last couple of months in a way that fits nicely with their world view, even if it is utter bullshit.

  12. It doesn’t matter how many times they say the Russians did it, it doesn’t make it true.

    DNC was an insider leak.
    Podesta gmail account was phished.

    There is no (hard) evidence the Clinton server was hacked, it had classified documents on it and she would have got more than a slap on the wrist if they had been exposed.

    The unknown is the Weiner laptop. It had Huma’s cached emails on it, he was almost certainly trojaned (looking for underage girls), and if she had been copied on a classified document then Hillary is in deep shit.

    Obama, in his ‘Russians did it’ speech before Christmas, made no mention of Hillary, which leads me to believe that Hillary is indeed in deep shit and that he is not going to help her.

  13. The Democrat position is that Podesta’s emails ARE the U.S. election, and that Russia hacked them.

    Yeah, I know it’s stupid. But it’s on the front page of WaPo, NYT, etc. Each of which, instead of telling the Dems, “This is stupid,” printed it anyway, and continue to print it. And presumably their editorial boards sleep just fine every night.

    The legacy press’s suicide is almost complete.

  14. “The workings of the entire government would have been open to anyone to read.”

    Yeah, but that’s small beer compared to the Democrats losing an election.

  15. It’s actually good news for our side. The leftists continue to delude themselves as to the reasons they’ve been losing.

    I’d be more worried if they started cottoning on to the truth.

  16. The rest of the world ended the cold war decades ago, the US with their collective mental health issues never did. Of course the Russians did whatever the US said they did. Because to believe otherwise opens up all sorts of potential issues like over a hundred other countries who would be glad to do it.

  17. Fun fact:

    There are 95 characters on an ASCII keyboard, including upper case.

    If you have a 25 character password there are a possible 27,738,957,312,183,400,000,000,000,000,000,000,000,000,000,000,000 combinations. Edward Snowden tells us to assume our enemies can brute force a trillion combinations per second. At that speed it would take 879,596,566,215,861,000,000,000,000,000 years (that’s 879,596 trillion trillion years) for 100% success of finding the correct combination.

    And that’s why password managers were invented.

  18. I guess it would depend on the software doing the brute forcing and what order it chooses to try each combination. If the first five characters were upper case, lower case and special then it would probably defeat any hobbyists. Though not quite as secure as totally random.

    The pinnacle of security comes in using different passwords for each login. I have 85 online accounts in my password manager. There are few people in the world who could remember even 5 character passwords for 85 accounts.

  19. magnusw – I am fairly ignorant of these things, but doesn’t your system just mean that the security weak point is your password manager?

  20. If the Democrats had had a password manager they would either have shared the master password amongst themselves or it would have been ‘password’.

  21. Potentially, but there are two things that should be done to prevent attack:
    1. Use two factor authentication.
    2. Use a long but memorable password of random words; Diceware is a good way of doing this.
    “At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.
    Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize”

    https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

  22. Circa 1985, boss told all us computer jocks that our passwords were crap, so we were going to go to online generated passwords.

    They were crap – 10 characters of nonsense. We did what any sensible person would do: we wrote them down.

    Duh. That didn’t last long.

  23. What exactly was this the password for, anyway? The majority of ‘accounts’ I’m forced to register end up with ‘password’ or ‘Pass1234’ (depending on site requirements) because I don’t trust them with my real passwords, and don’t require their ‘security’.

  24. Gamecock>

    I used to do IT security audits of various types. As well as checking things like password policies, we also checked the top right-hand drawer of every desk for the post-it notes with passwords written on. I never found somewhere that didn’t have the notes in a fairly high proportion of desks.

    One time, the senior VP at a major bank left me waiting alone in his office for about 15 minutes. That’s more than enough time to find his post-it with the passwords, log onto his computer, type up a contract awarding me a few million quid, and append his signature file. Handed it to him when he came back in the room, that was about when he started to take our testing seriously.

  25. Dave, as I understand it that is one of the reasons Diceware was invented, so you can have a memorable very secure password that won’t need to be written down.

  26. Julian Assange? I’d count my fingers after shaking hands with him. As a source, he’s not reliable – unless there’s secondary confirmation.

  27. I have a book with passwords in.
    It’s not a book where people expect it and the characters are not written as you would type.
    Number of people willing to scan through millions of pages in books then try figuring out from the characters written what the password is…. pretty small.
    Amazing what can be done with space in a book these days. And fluency in runescript.

  28. To span a 265-bit keyspace (e.g. for AES256) with the 95 ASCII characters you can get from a standard US-102 keyboard requires 39 characters (⌈256/log₂ 95⌉). Upper and lower case with digits needs 43. With other password schemes like the XKCD one you generate a lot less entropy per character and the passwords become completely unwieldy. Most people can remember a 20 character truly random password (>128 bit entropy) with a bit of practice and that needs to be the one you use for your password manager, ideally with two factor. For things like WiFi passwords unless you own a café and need to hand them out frequently they should be strong and ideally hardware generated (I have a bag of dice I got from a Dungeons and Dragons shop I use to generate a bitstream which then gets base64 encoded into a password; they’re good for stats as well).
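The arithmetic in comments 17, 21 and 28 (keyspace size and exhaustion time for a 25-character password, the entropy and average guessing time of a seven-word Diceware passphrase, and the length needed to cover a 256-bit keyspace) worked through in code. This is an added example, not part of the post or of any commenter’s text. It assumes the 95-character printable ASCII alphabet, a 62-character alphanumeric alphabet, the 7776-word Diceware list size, a year of 365.25 days and the one-trillion-guesses-per-second rate quoted in the thread; the function names are mine, and the short word list inside it is a constructed stand-in for the real Diceware list.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
TRILLION_PER_SECOND = 10 ** 12         # the guess rate attributed to Snowden in the comments
PRINTABLE_ASCII = 95                   # printable characters on a US keyboard, space included
ALNUM = 62                             # upper case, lower case and digits
DICEWARE_LIST_SIZE = 6 ** 5            # 7776 words: five dice rolls index one word


def keyspace(alphabet_size, length):
    """Number of distinct strings of this length drawn uniformly from the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size, length):
    """Entropy of such a string in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits, alphabet_size):
    """Shortest uniformly random string carrying at least target_bits (comment 28's ceiling)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(combinations, rate=TRILLION_PER_SECOND):
    """Years to try every combination at the given guess rate (comment 17's figure)."""
    return combinations / rate / SECONDS_PER_YEAR


def years_on_average(combinations, rate=TRILLION_PER_SECOND):
    """Expected years to hit the right one: on average half the keyspace is searched."""
    return years_to_exhaust(combinations, rate) / 2


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of an n-word Diceware passphrase. Words are chosen uniformly, so the
    list size, not the length of the words, decides the entropy."""
    return n_words * math.log2(list_size)


# Constructed stand-in for the real 7776-word Diceware list. Generating from it gives
# a passphrase of the right shape but only log2(len(list)) bits per word.
SAMPLE_WORDS = ("bolt", "vat", "frisky", "fob", "land", "hazy", "rigid",
                "acorn", "lamp", "quilt", "mossy", "tulip")


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS):
    """Pick n_words with the CSPRNG (secrets), never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # Comment 17: 25 printable-ASCII characters against a trillion guesses a second.
    k = keyspace(PRINTABLE_ASCII, 25)
    print(f"{k:,} combinations, {years_to_exhaust(k):.3e} years to exhaust")
    # Comment 21: a seven-word Diceware passphrase averages about 27 million years.
    print(f"7 words = {passphrase_bits(7):.1f} bits, "
          f"{years_on_average(DICEWARE_LIST_SIZE ** 7):,.0f} years on average")
    # Comment 28: characters needed to cover a 256-bit keyspace.
    print(chars_needed(256, PRINTABLE_ASCII), chars_needed(256, ALNUM))
    print(bits_of_entropy(PRINTABLE_ASCII, 20) > 128, generate_passphrase(7))
```

Run as a script it reproduces the thread’s numbers: the 25-character keyspace begins 27,738,957… and takes on the order of 8.8 × 10²⁹ years to exhaust, seven Diceware words give about 90 bits and an average of roughly 27 million years, and 39 printable or 43 alphanumeric characters reach 256 bits. All of these figures describe an online attacker paying for every guess; they say nothing about how fast a stolen password hash can be tried offline, which is the case that makes the entropy figures matter in the first place.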

  29. My system is to remember something easily remembered, then I google it and use the first letter of each word from a particular document I find, with one or two substitutions to give me the digits and funnies. No need to remember the actual password, though I do have it backed up in a suitably unguessable and inconvenient place in writing.

    However, there’s a limit to how many passwords I can handle this way. My memory is not too brilliant, so half a dozen max. That tells me the max number of bank accounts I can use online.

  30. As mentioned above, the whole thing would be a lot safer if sites/databases or whatever properly enforced the limitation of guesses.

    I’d invite Edward Snowden’s trillion guess a second machine to try to guess my password on my system (no, it’s not Windows) – after 6 guesses the account is locked and only an administrator can free it. That took 0.0000003 of a second to get that far, the next 24 years they won’t get any further.

    There are probably other ways to break in, but brute-force guessing of passwords is totally ineffective if only limited attempts are allowed. Apple does this and extends it so that if you choose, even if it is you, the owner, who locks it up, they can’t free it at all under any circumstances. Note that there are claims that the actual secure hardware can potentially be destructively read at the memory gate level, but that remains largely conjecture.
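The lockout policy comment 30 describes, as an added example that is not part of the post or of any commenter’s text. It assumes a six-failure threshold and a salted PBKDF2-HMAC-SHA256 hash on the server side (both constructed for the example, not taken from any real system), and the candidate list at the bottom is likewise constructed. The point it shows is that the online path caps the attacker at six guesses whatever their guess rate, while the correct password is refused too until an administrator unlocks the account.

```python
import hashlib
import hmac
import os

# Policy values constructed for this example; comment 30 describes six guesses.
MAX_FAILURES = 6
PBKDF2_ROUNDS = 100_000


class LockedOut(Exception):
    """Raised when an account refuses every login until an administrator unlocks it."""


class Account:
    """Stores a salted PBKDF2-HMAC-SHA256 hash and counts consecutive failed logins."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.locked = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def try_login(self, password):
        if self.locked:
            raise LockedOut("account locked; only an administrator can free it")
        # Constant-time comparison so timing does not leak how close a guess was.
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def admin_unlock(self):
        self.failures = 0
        self.locked = False


def attempt(account, password):
    """Outcome of one online login attempt: 'ok', 'wrong' or 'locked'."""
    try:
        return "ok" if account.try_login(password) else "wrong"
    except LockedOut:
        return "locked"


def guesses_before_lockout(account, candidates):
    """Feed a candidate list through the online path; returns (guesses accepted, success)."""
    accepted = 0
    for guess in candidates:
        outcome = attempt(account, guess)
        if outcome == "locked":
            break
        accepted += 1
        if outcome == "ok":
            return accepted, True
    return accepted, False


if __name__ == "__main__":
    # Constructed demonstration: the real password is seventh in the list, but the
    # lockout ends the online path after six failures regardless of guess rate.
    acct = Account("correct horse battery staple")
    common = ["password", "p@ssw0rd", "Pass1234", "letmein", "123456", "qwerty",
              "correct horse battery staple"]
    print(guesses_before_lockout(acct, common))           # (6, False)
    print(attempt(acct, "correct horse battery staple"))  # locked
    acct.admin_unlock()
    print(attempt(acct, "correct horse battery staple"))  # ok
```

Two caveats a defender would add. The lockout governs only the online login path: if the password database is stolen, the hashes are tried offline at whatever rate the attacker’s hardware allows, which is why the slow KDF and the password’s entropy still matter. And a hard lock hands anyone who knows a username a way to deny that user service, so many systems throttle with growing delays or temporary locks rather than an administrator-only unlock.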

  31. Even using ‘password’ you get cyfrinair, which, when you mix in some characters and numbers etc., could become cYfr1n@ir

  32. I stick all my passwords in an Excel sheet and lock that with a password which is probably not that hard to crack. I’ve found if I don’t do this I have no way of remembering the literally dozens of passwords that I have to use, plus there are all the usernames as well – it’s no good remembering the password if you can’t remember the helpful 12 digit customer number you were given when you signed up.

    There are probably better methods out there, but this one has proven workable at least: I spent half my time prior to this calling up people to unlock my accounts.

  33. The number of people I talk to who have one password. Just one.
    Yes, easy to remember. Extremely bad security though.

    Had a friend who designed systems, as a demonstration he was doing to the board he rigged a system to allow what appeared to be admin access on the third attempt no matter what password was tried. And waited to see who would try it. Was not a real admin access just looked like one.
    Then a week later gave a presentation to the board about the computer security.
    And that 3 board members had tried logging into the system as admins when they were not and had no business logging in at that level.
