Weak Passwords Common In WA Public Service Systems

Everyone, from PC repair shops in Perth to global security efforts, recommends strong passwords for computers and computer systems. According to an annual Information Systems Audit Report recently presented in Parliament, Western Australia’s public service missed the memo.

The report, an in-depth assessment of passwords used at 17 agencies in the state released by Auditor General Caroline Spencer late in 2018, noted that many computer systems in the state’s public service are at risk of cybersecurity breaches due to weak passwords.

She concluded that information systems were vulnerable, with weak passwords set for at least a quarter of the enabled network accounts in the systems. The report stated that, in several instances, the accounts were used or are in use for accessing critical agency systems and information via remote access, without additional controls to verify the access.

Ms. Spencer stated that, after the many times password risks have been discussed with agencies, it is outright unacceptable that critical agency systems and information can be accessed with passwords like password123 and abcd1234. She says that it’s frustrating because the office has repeatedly demonstrated to agencies over the past years just how weak passwords and poor system controls can be exploited to access information systems without detection.

Other weak passwords in the top 10 most commonly used were password, password1, and support, passwords that even people handling PC repairs in Perth gripe about.

One in five of the weak passwords were also noted to be variations of a date or season, while thousands of iterations of the word ‘password’ were found on many accounts.

Part of the probe involved having the auditor-general’s office attempt to gain system administrator access to the web system of one of WA’s agencies. The agency, which will remain unnamed, was accessed with the password ‘Summer123’, with the office adding that they were then able to identify a significant amount of production data from the test.

The report also noted that relying only on passwords leaves the key systems the WA agencies rely on vulnerable to attacks and heightens the risk of unauthorized access to key government information.