By now everyone knows about the major breach of the U.S. Government (and probably others) that had its genesis in an exploit that gave attackers access to the SolarWinds build chain. Some are reporting that the problem was a leaked and very weak password. Others say that the password doesn’t really matter and that the nation state responsible would have gained access one way or the other.
Whatever the truth of the matter, the password itself deserves comment. The password was the comically inept solarwinds123. The only thing you can say about it is that it’s not 123456 or password. It’s so bad that the SolarWinds CEO felt that blaming it on the standard, all-purpose rouge engineer was not enough so he blamed an intern. I’m sure he would have blamed the janitor if he could have come up with a plausible story to go with the accusation.
The CEO can say what he wants but how is it not a massive management failure for this to happen? Not only was an intern allowed to set a password that gave access to the company’s network but that password was exposed on the Internet for two years before a security researcher found it and reported the exposure to SolarWinds. Why wasn’t the intern’s actions monitored by IT? Why wasn’t he provided with a token generator for two-factor authorization or at least told to use an SSH key?
It’s almost a cliché to say that passwords are dangerous and need to be replaced. I don’t think that’s necessarily right and it’s certainly not going to happen but we can surely do better than solarwinds123. And no one should think that blaming an intern in any way relieves management of the responsibility to see that we do do better.