Weak passwords revealed by Sony Pictures hackers

Experts emphasise the need for user education as Sony hackers reveal employee passwords such as "password" and "s0ny123"

Weak passwords revealed by Sony Pictures hackers
Weak passwords revealed by Sony Pictures hackers

Experts are blaming a lack of user education for Sony Pictures employees' weak passwords, after hackers Guardians of Peace posted more of the firm's confidential details online.

It comes after Sony Pictures was hit by a blackmailing hacker attack last week, which shut down its IT systems, hijacked Twitter accounts and stole confidential documents and passwords.

According to The Next Web, a new dump of files has appeared, apparently taken from Sony Pictures' internal computers. Among the files, which include security certificates, signing keys and private keys for accessing servers, a folder named "passwords" reportedly revealed a plain text list of employee passwords and credit card details. Another file appeared to contain user credentials for logging onto the corporate network.

Among the passwords posted online were "password" and "s0ny123".

The breach has emphasised an urgent need for employee education, according to Steven van der Baan, cyber security expert at 7Safe, PA Consulting Group's technical security practice.

He told SCMagazineUK.com: "This shows that even at high profile companies like Sony, the 'human factor' plays a key role and there is still much more to be done to educate users. People much prefer to use a password that is easy to remember, however this can mean it's much easier to break. Policies alone will not change that, only training and awareness targeted at changing behaviours will."

Andrew Mason, an ethical hacker and technical director of UK penetration testing and scanning company, RandomStorm, said: "As a penetration tester, I would never use a password under 10 characters and we always advise customers to use alphanumeric and symbols. However, where a company password policy has been enforced, we often find that users resort to a common password such as the terrible 's0ny123' example."

He added: "Systems can be used to automatically enforce best practice in password security, but you do have to be careful, as they can create a management headache, with users forgetting passwords. The key solution is to keep educating users in all organisations, so that they are aware of the enormous risks posed by using easily guessed passwords - or by sharing passwords between applications, or employees."

Guillaume Desnoes, head of European markets at Dashlane advised companies to make hackers' jobs harder by making sure employees adopt a secure password protocol. Within this, he said: "Make sure no passwords are stored in a non-encrypted format; use a unique password for each site or service; use randomly generated passwords with a combination of lower case and upper case letters, numbers and special characters."

He added that it is also important to enforce the regular password changes, as well as using two-factor authentication for sensitive data.

Yesterday, SCMagazineUK.com reported that the FBI had issued a warning to be aware of highly-destructive malware following the attack on the US film and TV producer.