Thieves stole jewellery from the Louvre worth €88 million last month. It has now transpired that the two main security systems had the passwords “Louvre” and “Thales”. Thales is the firm that runs one of the systems. And you thought you were remiss in using your dog’s name.
And so what do we think the government will use as the master login – you know, administrator privileges – for the national digital ID system?
“Password1”.
Password_01……
Got to have a thingie that’s not a letter or number *and* at least 2 numbers in, and the password must exceed 10 characters, nowadays….
Starmer’s favourite totalitarian obviously :- JosefStalin#1
Alli1 perhaps?
1984
“ID”, obvs. All caps, of course.
I only use my dog’s name because it’s Keir.
Or, to give him his full title, Sir Cur.
Gamecock broke into a nuclear site computer ~40 years ago.
DEC computers shipped with a standard factory system account and password. I was looking around our network and noticed the presence of the nuke site computer. Just for jollies, I tried to log into the default account. IT WORKED!!! What a bunch of losers. FIRST thing you do when you start up new computer is change the system account password. Better, create new system accounts and just delete the factory account.
Sternly worded letter sent to project manager.
Password “Thales”? Betcha it’s factory default and no one could be bothered to change it. And every Thales system manager in the world knows what the default password is.
Maybe even “Louvre” was the delivered system password, and again, no one bothered to change it.
Every installation process I’ve worked on has included “… delete admin user NOTE irreversible, only do at end of process.” after a setup process creating a cryptic replacement admin user.
Field / Service?
Yes. Things like: new employee, build and provide new laptop; existing employee with dead laptop, build and provide new laptop; XP->Win7 rollout, test PC build and replace where needed; Win7->Win10 rollout, test and replace PC where needed; etc. It all becomes a blur. 😉
Just a rummage through my process scripts, one here near the end says:
Have the Asset number and Serial number ready. Call XXXX… say you need them to change the Local Administrator. Once you log off, the Administrator account will be deleted.
They remoted in and “did stuff” to create a local admin account based on the asset number with a password based on a scramble of the serial number and some internal data.
It’s not hard to construct a logon script that will try to log onto Internet-facing routers with the password “cisco”. 99.9% of them will have been changed, but that still leaves a lot that haven’t.
There was a time when every SQL Server shipped with no password. Microsoft changed the install process so that you had to specify an SA password.
Some operating systems don’t like it when you delete the system account. Just upgraded a Debian install and apparently the default install doesn’t offer to delete “root”.
It’s a single user system (me), so I create a new account which can sudo and disable root.
Honestly, government password stuff is better than this. I’ve had to fix things on police systems and the security is insane.
The problem is that really, no-one gives a shit about the Louvre. Yeah, people will say it has priceless art, but all of that art could be 3d scanned and printed and you couldn’t tell it apart from the original without X-rays. Every town could have something that to the human eye is the Mona Lisa. That’s before we get into whether people actually care much about the Mona Lisa rather than going to watch Inception.
Most people only go to show off to their mates that they’re in Paris. You want to see the Mona Lisa? Click on Wikipedia. There I saved you 2 days of travel and £500 in travel. Shit, it probably looks better than it being behind glass, which you have to stand 50′ away from.
But in the Wikipedia version, you can’t tell if she is smiling.
Who can forget Kemi Badenoch (for it was she) taking over Harriet Harman’s website in 2008 by guessing Username: Harriet / Password: Harman?
Not me – I actually knew her at that time. Heard it direct.
According to other reports (e.g. https://www.independent.co.uk/news/world/europe/louvre-security-password-museum-heist-burglary-b2859831.html ) that was the password in 2014 when they had a security audit. Presumably changed as a result of the audit.
But even if it was, is there any suggestion that the thieves exploited this weakness? If not, it’s irrelevant.
Passwords giving access to what? Probably nothing serious – file under nothing to see here.