Even the tech professionals who should know better can and do make basic security blunders. That is the lesson – taught twice – by revelations about a professional association for computer engineers.
The Institute of Electrical and Electronics Engineers (IEEE) is the leading professional association of engineers in computing and computer-related fields. Many of the industry standards for computer technology are IEEE standards, a term constantly seen in the technical literature.
But a recent graduate of the University of Copenhagen, Radu Dragusin, came across something decidedly non-standard at the IEEE website. Dragusin, now a teaching assistant at his alma mater, found unprotected passwords and website activity logs of nearly 100,000 IEEE members. This information sat unprotected on the site for at least a month before he found and reported it.
Dragusin also analyzed the passwords, from users including engineers at Apple, Google, and presumably other major tech firms. His findings do not connect passwords to individuals, but they are still an eye-opener.
The most common password used by these 99,979 IEEE-member professionals? "123456." "Password" and "admin" also ranked among the eighteen most popular choices.
In fairness to these engineers, they may not have regarded their IEEE website passwords as a critical security issue. Most of us find ourselves needing to create passwords for dozens of online sites. Not all of them need the level of protection that, say, your bank account password needs. But passwords like "123456" are amazingly weak, even as lowest-priority passwords for casual-use websites.
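A registration-time check of the kind that would have rejected the passwords named above, added here as an illustration and not code from this post or from the IEEE site. The blocklist contains only the three passwords the post names, which is an assumption for the example; a real deployment would load a full breach-derived list, and `most_common` mirrors the frequency tally behind Dragusin's findings:

```python
import re
from collections import Counter

# Passwords the post names as among the most popular in the leaked IEEE set.
# Constructed for this example; production code loads a full breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "admin"}


def normalize(password: str) -> str:
    """Lowercase and strip trailing digits/symbols so 'Password123!' matches 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_weak(password: str, min_length: int = 12) -> bool:
    """Reject short, all-digit, blocklisted passwords and their trivial variants."""
    if len(password) < min_length:
        return True
    if password.isdigit():          # "123456", "12345678901234" and the like
        return True
    if password.lower() in COMMON_PASSWORDS:
        return True
    if normalize(password) in COMMON_PASSWORDS:   # "Password1!", "admin2012"
        return True
    return False


def most_common(passwords, n=3):
    """Rank passwords by frequency, the tally the post's analysis reports."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    # Constructed sample, not data from the leak.
    sample = ["123456", "hunter2", "123456", "Password1!", "admin"]
    print(most_common(sample))
    for pw in sample:
        print(pw, "weak" if is_weak(pw) else "ok")
```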
And it is hard to say what is more embarrassing here: that computer professionals are so careless about their own passwords, or that the IEEE was so careless about its members' passwords.
But the lesson is that even the experts can ignore basic security precautions. The only way for companies and other organizations to protect their security is to establish strong cyber-security policies. And follow them.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."