38 Comments
- LukePsywalker, on 10/12/2007, -1/+17 http://72.14.203.104/search?q=cache:PY3xJ9cBRkYJ:customscripts.police.nsw.gov.au/news/jornal/jornalistlist.php%3Fstart%3D21+enforcer+site:police.nsw.gov.au&hl=en&gl=au&ct=clnk&cd=2
- SilverRocket, on 10/12/2007, -0/+8 sardonic: any website that can send you your password (as opposed to send you a link to reset it) is likely not hashed or encrypted.
- Lewisham, on 10/12/2007, -0/+7 They don't have the passwords for journalists' email accounts (necessarily), but rather the passwords they use to administer their account for the police mailing list.
Of course, the likelihood of those passwords being used elsewhere by the same people is quite high.
- inactive, on 10/12/2007, -2/+9 The worst part is that these passwords are clearly not hashed in the database itself. The person or persons responsible for plaintext passwords in the database should be fired instantly, no questions asked.
It always astonishes me what kind of complete moron gets pushed into positions of responsibility regarding security. I know it's not nice to call a person an idiot, but this is a very serious issue.
- sardonic, on 10/12/2007, -0/+6 Makes me wonder how many things I register for keep my password hashed or encrypted in some way? Does digg? Slashdot?
I know every application I have ever written has done so; I find it irresponsible to store plain text passwords, much less have an admin function like that with no security on it.
- Lewisham, on 10/12/2007, -0/+5 Exactly. Passwords should *always* be hashed, and a reset for lost passwords the only possible option.
There is no excuse for plain-text password storage, I'm always shocked by the number of online apps that think it's OK to send me my password in plain-text through the email system. This is especially true of mailing lists that seem to think it's a good idea to send me my password *every month*. Why?!
- .Steven, on 10/12/2007, -0/+5 No AJAX, tags, no mention of Web 2.0 and didn't link to a blog!!!
Digg ;
- flizzoyd, on 10/12/2007, -2/+7 Why does a police dept. have journalist's email passwords?
- plamoni, on 10/12/2007, -0/+4 You know what is really sad? The fact that most of the passwords are nothing more than lowercase letters. The vast majority are only lowercase and uppercase. It seems to me that this list is pretty useless because a dictionary attack would take down 75% of these passwords in a matter of minutes...
This is your tax dollars at work. *sigh*
- Xoligy, on 10/12/2007, -0/+4 http://72.14.203.104/search?q=cache:ZNllqf09Ac0J:customscripts.police.nsw.gov.au/news/jornal/jornalistview.php%3Fkey%3D50+seven.com.au+nsw+customscripts&hl=en&gl=uk&ct=clnk&cd=2&client=firefox-a
It's his own fault... how obvious do you want your password?
Full Name: Seven
email: onlinenewsproducers@seven.com.au
password: news
Organization: www.seven.com.au/news
Mind you, his colleagues password isn't much better...
http://72.14.203.104/search?q=cache:Sw06tIS7O8oJ:customscripts.police.nsw.gov.au/news/jornal/jornalistview.php%3Fkey%3D46+nsw+smellyundies&hl=en&gl=uk&ct=clnk&cd=2&client=firefox-a
- themacboy, on 10/12/2007, -0/+3 Yup do a google search for "crunchymaggots" and click the cache.
- fulldecent, on 10/12/2007, -1/+4 Which one do you think is technology related?
- 83457, on 10/12/2007, -0/+3 exactly, I'm sure a good percentage of those passwords are the same as the email account passwords which really sucks for those people
- lasermike026, on 10/12/2007, -1/+4 Here, here! Plain text passwords are bad!
- myFriendDerrik, on 10/12/2007, -0/+3 The chunder down under
"There are also bizarre passwords such as "smellyundies", "enforcer", "chunder" (wtf?) and "crunchymaggots"."
Chunder -
From Peter McCarthy, Australia: “A common Australian euphemism for vomit is chunder, as you undoubtedly know. Is the derivation watch under? This was supposedly shouted out by upper-deck passengers on emigrant ships, before vomiting over the rails to the peril of those below.
http://www.worldwidewords.org/qa/qa-chu1.htm
- aphonik, on 10/12/2007, -0/+2 Well that all depends on whether they exploited the database to retrieve that data or if it was already published by accident by the administrator. If it's in the google cache, that would lead me to believe that it was published by the admin? Correct me if I'm wrong.
- nesquik, on 10/12/2007, -1/+3 Because the Police and the News in Australia sleep together.
- FelixdaaHack, on 10/12/2007, -0/+2 And the dictionary attack word list keeps on growing...
- sfacets, on 10/12/2007, -0/+2 Anyone get into an account yet?
- gator99, on 10/12/2007, -0/+1 Unlike Kangaroos in Australia, I guess stupid cops are not indigent to the US.
- MrGeneric, on 10/12/2007, -0/+1 In later news the testicles of several nerds were seen hanging from a flagpole in front of NSW Police headquarters.
- imightbewrong, on 10/12/2007, -1/+2 and the password is...flaming
- yahoofrom, on 10/12/2007, -0/+1 Oh no. Look at their passwords. They are all from dictionary.
- inactive, on 10/12/2007, -4/+5 How come this story makes it to the frontpage, but that story about an official for the Department of Homeland Security being caught seducing a 14 year old girl for sex over the internet in a police sting that someone submitted didn't? They're both shocking, but the one is significantly more horrific than mere incompetence.
http://digg.com/security/Homeland_Security_Deputy_Press_Secretary_Arrested
- webcrumb, on 10/12/2007, -0/+1 You'll probably find that chunder isn't an "Australian word." It's in widespread use in other parts of the world, most notably to my knowledge the North of England.
Next you'll be telling me that English is what they speak in the US, and in England they speak Latin or something. :)
(What film was that from?)
- itsonlyb, on 10/12/2007, -0/+1 why bother???
- wyld, on 10/12/2007, -0/+1 ... right next to the heads of those who allowed this to happen. Seriously, I wouldn't want to be in the webteam (and next to the person with the "responsibility" token next to their name in the org structure) who allowed this to happen. Somewhere in NSW, there is a very scared manager.
- inactive, on 10/12/2007, -0/+1 Of course not!
Who in their right mind would do that?!
- Fosnez, on 10/12/2007, -0/+0 Chunder - to be sick, up-chuck, spew, throw up.
http://en.wikipedia.org/wiki/Australian_words
More interestingly:
dianthus, The name Dianthus is from the Greek words dios ("god") and anthos ("flower"), and was cited by the Greek botanist Theophrastus.
http://en.wikipedia.org/wiki/Dianthus
I would be interested to see a study of what people's passwords said about themselves...
- akaminki, on 10/12/2007, -2/+2 Has anybody found the google cache?
- garbage, on 10/12/2007, -0/+0 Yeh, I tried the hotmail account, it told me the account had been locked out, then I tried the bigpond one and it let me in, I could go to the inbox and everything!! Funnily enough it's 3 days later and 1. the google cache page is still up and 2. some of the passwords haven't been changed (although I'm sure they'd be just as easy to crack even if they did change them, I mean come on, bannana and news what the hell kind of a passwords are they).
- sastivoke, on 10/12/2007, -0/+0 So anybody tried those usernames and passwords on any websites yet? Like Hotmail, aap.com.au.. Personally, I wouldn't do it because it is unethical. Besides, if some of the stuff are classified or top secret, I'm sure the Interpol or CIA or DHS will come track me down for viewing those.
- Venganza, on 10/12/2007, -2/+0 I wonder how many of those e-mail accounts with compromised passwords will become spam-bots. Or rather, how soon...
- Systembomber, on 10/12/2007, -5/+2 Owned. =]
- userdefined, on 10/12/2007, -4/+0 "The worst part is that these passwords are clearly not hashed in the database itself. The person or persons responsible for plaintext passwords in the database should be fired instantly, no questions asked."
True, they're not hashed. That does not mean they are plaintext though. They may be encrypted. (though not likely, admittedly).
Encrypting the passwords would allow them to be stored securely and still be retrievable by the app for display on the site. Though I ultimately agree with Lewisham that passwords in a web based app should only be hashed ...
- DigitalBrian, on 10/12/2007, -6/+0 not to mention whoever dug this first gotta violate a bunch of laws.
- DigitalBrian, on 10/12/2007, -7/+0 Oh my and if I go there will Homeland Security bust me? *lol* not to mention who cares about a bunch of journalists passwords?
- vonskippy, on 10/12/2007, -15/+2 Wow, you mean they will have to change their email passwords. That's awful, the inhumanity of it all.
Big ***** deal.
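
What SilverRocket and Lewisham describe in the comments above (keep only a salted hash, and restore access with a reset link instead of mailing the password back), as an added Python example that is not part of the original thread. The `AccountStore` class, the scrypt cost parameters and the 15-minute link lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed cost parameters and reset-link lifetime for this example.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 900  # seconds


class AccountStore:
    """Hypothetical store: holds salted scrypt hashes only, so no admin page can list passwords."""

    def __init__(self):
        self.users = {}   # email -> (salt, password hash)
        self.resets = {}  # sha256(reset token) -> (email, expiry time)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)  # fresh random salt per password
        self.users[email] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))

    def verify(self, email, password):
        # Unknown accounts still cost one scrypt run, so timing does not reveal who exists.
        salt, stored = self.users.get(email, (b"\0" * 16, b"\0" * 32))
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(digest, stored) and email in self.users

    def start_reset(self, email, now=None):
        """Return a one-time token to mail as a link; only its hash is kept."""
        if email not in self.users:
            return None  # the caller shows the same response either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (email, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        email, expiry = self.resets.pop(key, (None, 0))  # single use: removed on first try
        if email is None or now > expiry:
            return False
        self.set_password(email, new_password)
        return True
```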

