Years ago, a PBS documentary (Cuckoo's Egg?) interviewed Richard Stallman. He was standing in front of a whiteboard with "prep.ai.mit.edu" user "rms" pw "rms".
Of course I tried it, of course it worked. There was a nice "motd" to the effect: be cool, don't break stuff.
I'm sure this breach was nowhere near as deliberate.
As a hacker in MIT's AI laboratory, Stallman worked on software projects such as TECO, Emacs for ITS, and the Lisp machine operating system (the CONS of 1974-1976 and the CADR of 1977-1979—this latter unit was commercialized by Symbolics and LMI starting around 1980). He would become an ardent critic of restricted computer access in the lab, which at that time was funded primarily by the Defense Advanced Research Projects Agency. When MIT's Laboratory for Computer Science (LCS) installed a password control system in 1977, Stallman found a way to decrypt the passwords and sent users messages containing their decoded password, with a suggestion to change it to the empty string (that is, no password) instead, to re-enable anonymous access to the systems. Around 20% of the users followed his advice at the time, although passwords ultimately prevailed. Stallman boasted of the success of his campaign for many years afterward.[15]
RMS has previously encouraged people to "just press enter" when asked for a password on unix systems. So I'd imagine he does this sort of thing on purpose.
Absolutely hilarious. Obviously, if you allow the TV cameras inside your "Secret, First-of-its-kind Command Centre", it might be good practice to make sure you don't have any wall-sized notes with your password scribbled on it.
There's a widespread misconception that cryptic, hard-to-remember passwords are more secure. That's why people do foolish things such as displaying credentials on mega-TV screens. Forget words. Use memorable, unique phrases.
It's not a new concept, but it's worth repeating, considering that we're still using the term "password" in 2014.
You're right. But it just reminded me of this fact:
"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
Jokes aside, I'd really prefer if we'd ignore passwords and passphrases (and passpoems) altogether, leaving them for emergencies, and generally switch to keypairs and, preferably, hardware security tokens.
Or you know, set individual credentials for each authorized user. So they remember their own passwords and can be better tracked. Just sayin'. 2FA is a bonus in that scenario.
Edit: keypairs work too. Doesn't change the advice.
They're quite common. Many laptops have TPM modules, popular SoCs (like nVidia Tegra) have them too, and most modern motherboards at least have a socket for one. Yet, the only use of them I've ever seen is validating the boot chain's integrity.
Also, USB tokens are not common in users' possession, but if necessary I believe you could get one within a day.
It just needs a little push from software vendors. Imagine your OS or browser says "Hey, do you want to secure your credentials? Here's how...". Or just start with an option "use hardware security token" somewhere under settings - while of less impact than active suggestion, it will still strike users' curiosity and start things moving bit by bit.
Instead of running a dictionary on words, password crackers will run dictionaries on phrases (concatenated words).
So in essence 1 word becomes equivalent to 1 character and since people will probably use less than 10 words these passwords might be easier to crack.
log_2(7776^6)=77.5 bits of strength. Not too bad, but I wouldn't use it for anything cryptographic with local attack potential.
If you want phrases to work properly, just put 1 (or many) non-dictionary word in them. This means the attack has to go to an alphabetic one instead of a phrase one, making it _much_ more painful.
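The word-as-symbol model from the comments above, worked through as an added example (not code from any commenter): it converts a passphrase of uniformly random words into bits, into the equivalent length of a random printable-ASCII password, and into search time. The 95-character alphabet, the 10^12 guesses per second rate and the small `SAMPLE_WORDS` list are assumptions constructed for illustration.

```python
import math
import secrets

DICEWARE_WORDS = 7776   # list size behind the 7776^6 figure quoted above
PRINTABLE_ASCII = 95    # assumption: alphabet of a random-character password
# Constructed 8-word list, only to show generation; real lists are far larger.
SAMPLE_WORDS = ["anvil", "birch", "cobalt", "dune", "ember", "fjord", "garnet", "heron"]

def passphrase_bits(word_count, list_size=DICEWARE_WORDS):
    """Bits of entropy when every word is drawn uniformly at random."""
    return word_count * math.log2(list_size)

def equivalent_random_chars(bits, alphabet=PRINTABLE_ASCII):
    """Shortest random-character password with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet))

def words_needed(target_bits, list_size=DICEWARE_WORDS):
    """Fewest random words that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def years_to_search_half(bits, guesses_per_second):
    """Expected years for a word-level search to cover half the space."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def generate(words, word_count):
    """Pick words with a CSPRNG; returns (phrase, entropy in bits).

    The entropy figure holds only because selection is uniform and the
    list has no duplicates; a phrase a person makes up has far less.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    phrase = " ".join(secrets.choice(words) for _ in range(word_count))
    return phrase, passphrase_bits(word_count, len(words))

def compare(max_words=8, rate=1e12):
    """Rows of (words, bits, equivalent chars, years to search half)."""
    rows = []
    for k in range(1, max_words + 1):
        bits = passphrase_bits(k)
        rows.append((k, round(bits, 1), equivalent_random_chars(bits),
                     years_to_search_half(bits, rate)))
    return rows

if __name__ == "__main__":
    for k, bits, chars, years in compare():
        print(f"{k} words = {bits:5.1f} bits ~ {chars:2d} random chars, "
              f"{years:.3g} years at 1e12 guesses/s")
    print(generate(SAMPLE_WORDS, 4))
```

Under these assumptions each word from a 7776-entry list carries about as much entropy as two random printable characters, so six words land near a 12-character random password.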
Weird, that portion of the screen looks more like something out of a Hollywood hacker film than something I'd imagine in real life. I'm trying to imagine what circumstances would result in that particular panel, plaintext password and all, ending up broadcast on a wall.
I'm pretty sure that screen is just running Notepad, with the default font size blown up.
A lot of staffers are likely in and out of that room in the weeks leading up to today, with the instructions probably posted by some exhausted sysadmin being asked "how do I get on the wifi again?" for the thousandth time.
For a venue this large, I don't understand why they wouldn't be using WPA2-Enterprise with a RADIUS server, so employees log onto the network with their own (unique) credentials. Ideally paired with machine certificates.
Playing devil's advocate here. What harm was done by this? Was it really deserving of a news article and, further, a post on Hacker News? Now, maybe if there is a company out there working to replace or revolutionize passwords... otherwise I just don't see the point of this story.
Plenty. Anybody with ill intentions could set up a similar wifi network or tamper with the existing one and suddenly thousands of people's traffic/passwords are all being sent via MITM.
This kind of reminds me of the time Prince William's publicity visit to an RAF base in 2012 accidentally revealed a password on a piece of paper stuck up on the wall; it was in pictures broadcast and published everywhere. Having said that, the leaking of Wifi details in the grand scheme of things isn't as bad as other things that could have been leaked.
Has this really been on TV? I mean, I've only seen that image, which doesn't look like the most clear image even, and using Photoshop won't be that difficult... Is there any video of that part?
(Sorry, but I tend to be skeptical about this kind of thing)