I don't know if this is legit or not, but just do a quick ctrl + F and you will find plenty of users still using "password123" and "qwertypassword." Seems like the government should require employees to use a more secure password rather than trusting them to use their own standards.
I don't really get it, there's some server information followed by a long list of passwords. Since at least one of the passwords is 18 characters long, I guess they haven't been brute forced. So does it mean that the FBI is storing some passwords in plain text?
There's a few ways someone could do this that wouldn't use "store password in plain text". A MITM attack using remote access to a router/server would work if a webmail login didn't require SSL (or if the attacker is sophisticated enough, it would work even if SSL was on). I can think of a few ways one could social engineer their way to that level or just escalate by gathering data.
Even something as simple as cracking the home WIFI router of an unsuspecting employee, and use those credentials as a base point to work your way up the access chain. Lots of places spend loads of time securing the border to prevent outside access, but don't spend loads of time preventing users with access from escalating. I know we're talking about the FBI, but really it only takes one small mistake.
Dude, I heard even talking about these combinations is considered as illegal, as in effect you're [illegally] distributing classified information. Better delete it, just for your safety!
Wow, some of those passwords are unbelievably shocking. Is this a real leak? By the looks of it, those passwords weren't brute forced they were stored in plaintext... The complexity of some of these passwords is pretty high and some not so high, "Diego@ic.fbi.gov - opjwpoejt9U)(hfodkl"
The classic trick with such nonsensical passwords is to use a phrase as mnemonic. "I replied to Garbage on Hacker News on the ninth of January" becomes "IrtGoHNotnoJ".
I was positively surprised by the amount of good passwords in that list. If you look at any other leak incident the amount of 'simple' and non-randomly generated passwords is much much higher.
In fact I think that is a testament to that this is actually a list from the FBI.
BTW everyone immediately assumes that these passwords were stored in plain text, but that does not have to be the case at all, this leak nowhere states that these passwords are from a database.
If a host gets hacked, there are plenty ways to obtain passwords without looking into a database.
35 comments
[ 1.4 ms ] story [ 80.0 ms ] threadEven something as simple as cracking the home WIFI router of an unsuspecting employee, and use those credentials as a base point to work your way up the access chain. Lots of places spend loads of time securing the border to prevent outside access, but don't spend loads of time preventing users with access from escalating. I know we're talking about the FBI, but really it only takes one small mistake.
qwertylol@me
In fact I think that is a testament to that this is actually a list from the FBI.
BTW everyone immediately assumes that these passwords were stored in plain text, but that does not have to be the case at all, this leak nowhere states that these passwords are from a database.
If a host gets hacked, there are plenty ways to obtain passwords without looking into a database.
When it was posted back then, it was called out to be a repost of an older one. * Sigh * [1]
[1] http://news.ycombinator.com/item?id=4678064