Brute force attack on Scottish Parliament's email system

Yesterday members of the Scottish Parliament in Holyrood were notified that hackers were trying to crack their email passwords and they were advised to update their passwords with longer and stronger combinations of letters, numbers and special characters.

The news follows a similar brute force attack on Parliament in Westminster in June. Again, it is reported (by the Guardian) that too many of the Scottish Parliament members were using weak passwords. Whilst there are no reports of successfully compromised email accounts, some members may have now found themselves locked out of their accounts.

Rich Campagna, CEO at Bitglass, emailed SC to suggest that, "Rather than advising users to create random strings of letters and words as passwords, we should be recommending the use of passphrases. These will still be lengthy, but made up of real words, so easier to remember. It might seem simple, but the truth is, if a password takes too long to crack, hackers will simply move onto the next batch."

Jamie Graves, CEO at ZoneFox, adds, "A brute force attack is a tale as old as time and relies on one of the weakest areas of security - passwords. That the Scottish Parliament's security measures were able to keep systems operational is a case in point of how important it is to be in a position to rapidly identify attacks and stop them in their tracks. The hackers may have been thwarted this time, but there's nothing to say they won't be back."

He continued, "That the IT department will force a change on weak passwords is a good, proactive measure. However, this isn't a failsafe. What the Scottish Parliament has in its favour is a transparent, open culture and so unquestionably all staff will heed Sir Paul Grice's request to remain vigilant. A united, digitally alert team is one of the greatest tools organisations can deploy in their fight against hackers."

But before people leap on the 'password is dead' argument, Hitoshi Kokumai of Mnemonic Security, Inc argues on LinkedIn that, in his view, a society which allows log-in without the user's volition is one where democracy would be dead.