Major London rail station reveals system passwords during TV documentary

What looks like system passwords at one of London's busiest railway stations – printed and attached to the top of a station controller's monitor – were exposed to viewers during a BBC documentary on Wednesday night. The login credentials were visible just before the 44-minute mark in the documentary Nick and Margaret: …

  1. Anonymous Coward
    Anonymous Coward

    Humans

    Still one of the weakest links in the security chain. But also goes to show - make your security too complex and people write things down.

    1. The Quiet One

      Re: Humans

      I would hardly call "Password1" Complex.....

      1. Benchops

        Re: Humans

        Clearly what's really happened here is that there is a secret table of 512 different randomly generated 16 character passwords that every member of staff has memorised. The sticker on the monitor simply tells the operative that they should use Password number 1.

        Just like when I memorised the colour code sheet for JetSet Willy.

        I'm joking, I didn't.

        1. I. Aproveofitspendingonspecificprojects

          Clarity pleases

          Is your willie jet set?

      2. G2

        Re: Humans

        or changed regularly...

        probably it was recently changed... recently as in last century.

    2. Anonymous Coward
      Anonymous Coward

      Re: Humans

      I worked for an IT contractor years ago that provided IT support for the local branches of a major bank.

      We were in contact with their network operations center on a regular basis. They were very proud of their password security policy. They required a password change every 30 days, at least 10 characters, it had to include one caps and one number.

      All of this was great, except that when real users are involved, it doesn't work. If you went to ANY PC in any of the branches (including the teller line), there was a post-it note with the last two or three passwords crossed out, and the current one listed below them. When I commented about how insecure this is, users complained that the passwords were so complex and changed so often, that there was no way to remember them.

      So, the operations guys, by forcing a strict password policy, created a situation where they had effectively no security. You may be thinking that management should put a stop to people posting their passwords on their monitor, right? Wrong. One day when I was working on the PC that belongs to regional manager for our entire state, guess what? She had her password list posted on her monitor!

      In the end, people are people. I tell this story frequently to other junior network admins (leaving out the bank's name of course). If you push too hard with security, users will push back. And, remember we are outnumbered! Plus, with some exceptions, managers are humans too. Don't expect them to enforce security policy if they find it too hard to follow themselves. They will just tell staff "don't worry about it, you know how IT is".

      Anonymous for obvious reasons...

      1. Yet Another Anonymous coward Silver badge

        Re: Humans

        Depending on the threat model that can be perfectly good.

        If the physical access to the post-it note is secure - because it's in a room with guards - but the computers are on the net, then having a complex password written down can be the best security.

        1. Alan Brown Silver badge

          Re: Humans

          humans are remarkably good at looking after bits of paper if they think they're important.

          Those ones in your wallet with pictures of Elizabeth Windsor on them as a for-instance.

      2. Robert Carnegie Silver badge

        Re: Humans

        The story that I read about in a computer magazine once was about the open-plan department that had a large-print wall poster saying "This month's password for the accounts system is: Tsirac64" "because the buggers keep changing it".

        That password in fact was constructed from the first six unique letters in this post - usually I take a newspaper - and two unique digits constructed from looking at my digital watch, and it isn't as long as the specification you described. And, as I need to log in to more and more different services, scrupulously using different passwords, I am considering having them written down in a more outrageously conspicuous form than I have already. Maybe set as my PC's wallpaper?

  2. Alister Silver badge

    The signalling application would appear to be running on Windows XP as well, the default border and taskbar colours rather give it away...

    1. Anonymous Coward
      Anonymous Coward

      appear to be running on Windows XP

      Which would make it one of the more modern parts of TfL (and you think I'm joking?)

      1. Anonymous Coward
        Anonymous Coward

        Network rail not TfL.

      2. Yet Another Anonymous coward Silver badge

        But how can they possibly run a C19 railway system with a 10-year-old operating system

    2. coffeehair

      Probably Embedded, so it would still be supported and relatively secure.

      1. Anonymous Coward
        Anonymous Coward

        The machines they use for this are not embedded, though they are quite heavily restricted.

  3. Anonymous Coward
    Anonymous Coward

    The most secure option

    I keep my password tattooed backwards on my forehead, then only I can read it when I look in a mirror.

  4. Stuart Castle

    The old acronym.. PEBCAK. Problem Exists Between Chair And Keyboard.

    This shows the trouble with humans and security. You can have the best, most advanced systems in the world protecting your computer, but as soon as you involve humans, they can blow the system wide open.

    1. Brenda McViking

      PICNIC was the other variant I saw the techs use: Problem in Chair; Not In Computer

      1. Keven E.

        KMIE

        I've heard "keyboard-monitor interface error".

        1. Swarthy Silver badge

          Re: KMIE

          My favorite has always been "a nut loose on the keyboard"

    2. Anonymous Coward
      Anonymous Coward

      Oh yawn, here we go again.

      The old acronym.. PEBCAK. Problem Exists Between Chair And Keyboard.

      This shows the trouble with humans and security. You can have the best, most advanced systems in the world protecting your computer, but as soon as you involve humans, they can blow the system wide open.

      Bull. Whoever designs systems that don't take into account that we're all human has failed miserably in their risk management. Giving it a funny SLA (six letter acronym) doesn't make it go away - you design systems for humans to use so it's not like you don't know that you have the risk exposure, deal with it. Really, a large part of security failures is exactly the failure to realise that humans make mistakes, and create some fault tolerance or a better UI to address that.

      I saw a simple but classic example of that in the POS system of a jewellery store I had to audit recently. They had one login to log payments, items and client details, and we're not talking about trivial people here. When I asked why they didn't have a login per staff, it emerged the POS author had based the login on the Windows login (yes, running XP, hush), which meant the system had to deal with all the crud that goes with a Windows login, which is timewise taking centuries to load, whereas a login in the (server based) application would have been one single hash check in a small table and go (Windows simply provided the terminal function, it had no other role in that shop).

      So, the store didn't follow best practice security because a developer had been an idiot by not checking the store sales process actually worked. Once we had both parties actually talking to each other it was addressed one software update later.

      Barring blatant stupidity, blaming the user only becomes acceptable if they were consulted in the creation of any IT facility they are to use. Otherwise, not handling their errors is like any other lack of error handling: an IT problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh yawn, here we go again.

        systems that don't take into account that we're all human

        Puhlease. Are you saying that the humans cannot memorize passwords? Sticking logins and passwords on to monitors isn't a failure of the authentication system.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oh yawn, here we go again.

          Puhlease. Are you saying that the humans cannot memorize passwords?

          Not when one wants 10 alphanumeric, excluding special characters

          The other want between 6 and 15 and include special characters

          Another wants more than 10 including special character, except for spaces, commas, full stops

          Another wants less than 8 but must contain at least 1 uppercase, 1 number, 1 special character

          Another wants more than 15

          Another wants 10 but must contain at least 2 numbers and 2 uppercase

          And so on and so on.

          1. Sir Runcible Spoon Silver badge

            Problem description

            I always liked "Chair to Keyboard Interface Error"

    3. Anonymous Coward
      Happy

      I'll take your PEBCAK and PICNIC and raise you a:

      Computer User Not Technical

      1. Haku

        Don't forget the ID-Ten-T part of the equation...

  5. Lee D Silver badge

    Surely the lesson to learn is:

    DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM.

    I don't disagree with writing them down. But put them in a book and lock the book away. Hell, I used to seal our "disaster recovery" password book such that anyone opening it would break the seal that couldn't be redone with damage. Then we put it in the company safe. Anyone slyly opening that to get the password would hastily put it back, and I'd know if a superior had ordered it open without my knowledge (for which I stated in advance, at that point I would be handing in my resignation unless there was a REALLY good reason, e.g. I was in a foreign country and uncontactable and a major incident, or if they were investigating myself for some reason, etc.).

    Passwords are still passwords. Don't broadcast them on the same machines that require them. That's pointless. Don't whiteboard them at all. RAF places having them written clearly on bulletin boards? You're idiots. Distribute an internal email/memo to those who need them instead.

    If you need to publicly advertise the password, you are effectively making that account unpassworded. That might even be a sensible alternative (if you can only access from the intranet anyway, and have to be logged in to do that, and it's just a hassle of yet-another-password). But you do have to consider that.

    UK Data Protection basically says nothing that you can't write passwords down. But they have to be given only to those with need for them to carry out their duties. As such, writing them in a personal book or a memo in your (hopefully passcoded) phone is fine. Putting them on a noticeboard is not.

    1. Mike Dimmick

      Actually...

      Don't put authentication into systems that don't need it. It looks to me as if that's a username/password combo for routing the appropriate signalling information to that particular workstation. That is, the signalman for that area always goes to that workstation, rather than the signals following the user to whatever workstation he logs in at.

      If that's the desired configuration it shouldn't require the user to enter it at all!

    2. Anonymous Blowhard

      "Surely the lesson to learn is:

      DON'T PUT PASSWORDS ON HUGE DISPLAYS ATTACHED TO THE COMPUTERS THAT NEED THEM."

      No; you're wrong and the AC is right; the lesson to learn is:

      "DON'T SHARE PASSWORDS" and "DON'T DESIGN SYSTEMS THAT REQUIRE SHARED PASSWORDS".

      As soon as password communication becomes "normal" to users, then there is no password security. You also have no audit-ability, so if something goes wrong you can't trace it back to the user who transacted it, unless they own up.

  6. Anonymous Coward
    Anonymous Coward

    Wednesday: TV program reveals password of system at Waterloo station.

    Thursday: Major disruption on line into Waterloo station due to loss of power to lines.

    Hmmm ... wonder if this is a coincidence

    1. Brenda McViking
      Joke

      Meanwhile, behind the scenes

      Reg_hack@elreg.co.uk to TFL_bigwig@tfl.com: Hey, you broadcast your passwords to all and sundry last night, were you aware?

      TFL-bigwig: autoresponse: I have very important champagne breakfast meetings with suppliers and lobbyists until 10am, I'll read my emails then

      TFL_bigwig to TFL_minions: some hackers at the registrar know our passwords. please change them and write them down for the nightshift.

      TFL_minions: we don't have those fancy printers to make those password labels anymore due to budget cuts, what should we do?

      TFL_bigwig: I don't know, just cross out the "1" at the end. Just sort it and stop coming to me with problems. I want solutions!

      TFL_minions: we've changed the password from "Password1" to "Password," please distribute to those who need it

      TFL_bigwig to TFL_all_employees: the new password is "Password"

      TFL_bigwig to TFL_renumeration: I've hit my data security target 3 months early, make sure my bonus reflects my outstanding performance. P.S. You're all invited for celebratory champagne at spearmint rhinos later this evening.

      1. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile, behind the scenes

        One problem - this is a documentary, not a joke.

  7. Tromos

    Red herrings.

    Having the password on a note stuck to the monitor isn't a bad idea. It stops people bothering to watch what you're typing when you sit down and enter the real password.

    1. Stuart Moore

      Re: Red herrings.

      Hopefully "Password1" is "complicated password number 1 from the list you have to memorise and not write down" rather than literally "Password1"

      1. Anonymous Coward
        Anonymous Coward

        Re: Red herrings.

        no, it's Password1

        Well, until yesterday.

        1. Rimpel

          Re: Red herrings.

          Today it is Password2

      2. Anonymous Coward
        Anonymous Coward

        Re: Red herrings.

        Nope not Password1 or Password2, they've introduced complex password requirements now.

        it's now Password1!

        1. billse10

          Re: Red herrings.

          Passw0rd!

    2. Fred Flintstone Gold badge

      Re: Red herrings.

      Having the password on a note stuck to the monitor isn't a bad idea. It stops people bothering to watch what you're typing when you sit down and enter the real password.

      Thumbs up for the Health & Safety excuse :)

  8. imanidiot Silver badge

    All too common unfortunately

    My job/company involves working with highly sensitive client data. Stuff industrial espionage, hacking and other illegal activities are committed for. The main account for the mechanics/spannermonkeys around here to access work instructions has its username and password clearly written out on a large sticker stuck to the front of the PC. Access to the space is not that secure to say the least...

    1. Ammaross Danan
      Go

      Re: All too common unfortunately

      Could be worse....in an office with a clear view of the monitor from outside the window....

  9. Peter 26
    Happy

    The funniest thing is the image clearly shows the password was "Password1"

  10. adam payne Silver badge
    Joke

    Educate users with cricket bat and for those hard cases cricket bat wrapped in razor wire.

  11. Anonymous Coward
    Anonymous Coward

    No Problem

    It's a generic login to a system access controlled by physical security. The username / password security isn't implemented in any (that I know of) signal boxes, hence the default user / password is printed onto long lasting tape on the top of the monitor (it's not a post-it or similar put there by the signaller). Stop making up problems that don't exist.

    1. Salts

      Re: No Problem

      Unless someone installs a rogue access point then all bets are off, apart from that, as has been shown the physical security was easily breached, they let a full camera crew in!

    2. MalPearce

      Re: No Problem

      Lots of use cases for generic logins if the apps are designed for turnkey use and have transactional authentication and it DOES NOT MATTER what Windows profile is being used.

      I bang my head on my virtual desk when people forget that this use case exists. If a time sensitive system that a lot of people need instant access to, requires users to log into Windows, wait 3 minutes for the desktop to appear, then 15 seconds for the app to start up, just so they can perform a 5 second transaction in it before doing a full Windows logout that is a 200 second turnaround for a 5 second action. Not clever at all.

      And the exact same principle applies for real time safety monitoring systems on the railways. What do you want - a 2 minute handover at shift change where no bugger can see what's happening on the track because some numpty thinks the ability to have persistent mapped drives on a user-by-user basis is so important that they impose unique logons where there's bugger all point to them?

      There's a good reason why cashpoints don't require full Windows login and logout for every different person in the queue.

  12. This post has been deleted by its author

  13. Nigel Campbell
    Coat

    Open Look - joys of legacy systems

    I've seen that application open at Waterloo one or two other locations - it looks like a realtime display of the status of the points and signals. The buttons on the application have the fairly distinctive oval styling (rounded ends) of the Open Look intrinsics, which places the app at something like 20-25 years old, probably running on Solaris.

  14. slinkywizard

    Move along now, nothing to see here...

    If only this was real news...

    The app shown on the screens is simply a real-time display of the approaches to Waterloo. It is on a completely isolated intranet with no external connectivity other than inbound feeds from various Network Rail systems. It has no control over any signalling or train movements.

    Also, the problem yesterday was a dislodged conductor rail on the Southern network into Victoria - completely unrelated to SWT, which goes into Waterloo.

    Sadly, knowing the username and password won't do you any good unless you happen to work for SWT and have access to their Intranet.

    Nice try though :)

    1. Phil O'Sophical Silver badge
      Thumb Down

      Re: Move along now, nothing to see here...

      Sadly, knowing the username and password won't do you any good unless you happen to work for SWT and have access to their Intranet.

      Or manage to insert a virus onto a USB stick or BYOD gadget used by someone who works there. CF stuxnet.

  15. Anonymous Coward
    Anonymous Coward

    Calm down

    This is a bit of a non-story, really. First of all, that workstation does not control signalling, it is merely an information display with no control over trains or signals whatsoever. Second of all you'd need to be at a workstation on the local network to use that login, so you'd have to physically gain access to the London Waterloo office to use it.

    Best practice? No. Dangerous? No.

    1. Kubla Cant Silver badge

      Re: Calm down

      What you say obviously makes sense. The worry is that a LAN can be accidentally connected to the outside world, for example by deciding that a workstation needs Internet access for a legitimate reason.

    2. Martin Summers Silver badge

      Re: Calm down

      What if that password shown on screen is indicative of the types of passwords used where usernames and passwords are used? That's the possible danger.

      1. Anonymous Coward
        Anonymous Coward

        Re: Calm down

        it isn't.

  16. Anonymous Coward
    Anonymous Coward

    "TFL_bigwig to TFL_renumeration"

    Remuneration.

    1. Anonymous Coward
      Anonymous Coward

      Re: "TFL_bigwig to TFL_renumeration"

      if i put a thumbs up on that, I'm not suggesting it's their remuneration that goes up ....

  17. Graham Triggs

    Assumptions...

    That could just be the name and password of a local account for that particular PC, and the account only exists to restrict access away from administrator functions on that machine for general users.

    In other words, it could be utterly useless, unless you have physical access to that PC, and if someone has physical access to that machine who shouldn't, you've probably got bigger problems.

    Or, the labels could just tell people which password is in use - the password not being "Password1", but the first password in rotation.

    It's easy to jump to conclusions without considering all the possibilities.

  18. Chris Gray 1
    FAIL

    Another one

    Nicely timed article, for me.

    There is a provincial election going on here in Alberta. I was watching the evening news yesterday, where they had an article about some of the female candidates. In one HQ shot, there was a whiteboard quite prominent in the background, with the note "Voicemail password" followed by something I couldn't catch.

    I laughed, and thought briefly about calling the station to inform the reporter to inform the candidate's office,... but quickly forgot about it.

    I wonder if there will be a news item this evening about that candidate having voicemail problems? Nah!

  19. PrivateCitizen

    Remote Access?

    Surely unless this is an account which needs remote access, the broadcast of the PW isn't a problem? If someone breaks in to sit at a machine and log in, they've got other security failures to worry about.

    And as others have pointed out, the fact it seems to be a shared / generic password means it's kind of pointless. So the news here should be "idiots designed IT system" not "users posted password".

    1. razorfishsl

      Re: Remote Access?

      Or maybe... if you are in the station near the control room you can pickup a suitable WIFI network...

      I know of at least one major ISP that propagates 172.16-31.x.x data packets both in and out of their customers equipment...... and I have seen where a DNS server on 172.18.33.x in another customers equipment is used to service DNS requests on 172.18.66.x in a secondary installation.

      Yes it won't work once the IP address is allocated (depending on the subnet mask), but you target this stuff a bit at a time and there are 'loop holes' in the most unexpected of places.

  20. boltar Silver badge

    Anyone else notice...

    ... that their track diagram system was running in an Exceed window with OpenWin widgets? Obviously a unix/linux backend with Windows clients.

  21. Stratman

    " its PR staff have said that it changes its passwords regularly."

    Regularly =/= frequently.

    Halley's Comet appears regularly. It does not appear frequently.

  22. Lockstep Technologies

    Security isn't secure

    May I suggest the real question is this: how on earth do such organisations pass their infosec audits?? Do none of the auditors at any of these companies ever notice the passwords in plain view? Or do the operators do a quick clean up before the auditors arrive? Either way, here's yet more proof that security audit is a sick joke. And that security practices aren't worth the paper they're printed on. Security isn't what people think it is. Instead of meticulous processes and hawk-eyed inspections, it's just mediocrity and theatrics. Security isn't secure.

  23. Anonymous Coward
    Anonymous Coward

    It's amazing...

    ...that these people just don't get it. Ignorance must be contagious?

  24. stringyfloppy

    Henry the Green Engine was sent to run over that station controller until he's dead.

  25. David Roberts Silver badge
    Coat

    With a user account ID like that.........

    ........who needs a complicated password?

  26. Anonymous Coward
    Anonymous Coward

    If you...

    can set your own password and you can't come up with a memorable one, regardless of demands, then you're a fucking idiot.

    The 2nd crazy cow jumps highest out of ten.

    T2ndccjhof10 , 11, 12, so on with each rolling change. Better than nothing and unforgettable. Unless it's a shared terminal with the same login but centrally set password, and you use lots of them, then.... Ah fuck. You know what, people will never learn, so fuck em.
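Two comments above describe the same failure from opposite ends: the bank's policy (at least 10 characters, one upper-case letter, one digit, rotated every 30 days) that produced post-it notes with the old passwords crossed out, and the "T2ndccjhof10, 11, 12" rolling-counter scheme. The following is an added example, not code from the page or from any organisation mentioned in it; it shows that composition rules alone accept every password the thread jokes about, and that a stem comparison against previous passwords plus a small constructed denylist (a stand-in for a real breached-password list) catches the rollover and "Passw0rd!" variants.

```python
import re

# Composition policy exactly as described in the bank comment above.
MIN_LENGTH = 10

# Constructed denylist for the example; a deployment would use a
# breached-password corpus instead of this handful of base words.
DENYLIST = {"password", "welcome", "letmein", "qwerty"}

# Common substitutions people use to satisfy "must contain a digit/symbol".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i", "|": "l"})


def meets_composition_rules(pw: str) -> bool:
    """The bank's rules: length, one upper-case letter, one digit."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def normalise(pw: str) -> str:
    """Lower-case and undo leetspeak so 'Passw0rd!' compares as 'passwordi'."""
    return pw.lower().translate(LEET)


def stem(pw: str) -> str:
    """Drop the trailing counter/punctuation: 'Password1!' -> 'password',
    'T2ndccjhof11' -> 't2ndccjhof'. Leet is left alone here on purpose,
    so that digits inside the stem still distinguish unrelated passwords."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_rolled_over(new_pw: str, previous: list) -> bool:
    """True when new_pw is an earlier password with only the tail changed."""
    s = stem(new_pw)
    return s != "" and any(s == stem(old) for old in previous)


def contains_denylisted_word(pw: str) -> bool:
    n = normalise(pw)
    return any(word in n for word in DENYLIST)


def evaluate(new_pw: str, previous: list) -> list:
    """Return the list of reasons a candidate password should be refused.
    An empty list means it passed every check in this example."""
    problems = []
    if not meets_composition_rules(new_pw):
        problems.append("composition")
    if contains_denylisted_word(new_pw):
        problems.append("denylisted word")
    if is_rolled_over(new_pw, previous):
        problems.append("rollover of previous password")
    return problems


if __name__ == "__main__":
    # Constructed history mirroring the thread's jokes.
    history = ["Password1", "T2ndccjhof10"]
    for candidate in ["Password1!", "Passw0rd!!", "T2ndccjhof11", "Correct-Horse-9"]:
        rules = "passes" if meets_composition_rules(candidate) else "fails"
        print(f"{candidate:16} composition {rules:6} problems={evaluate(candidate, history)}")
```

Run as a script it prints, for each constructed candidate, whether the composition rules alone would accept it and which of the extra checks refuse it; the point is the gap between the two columns.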

  27. razorfishsl

    Ahhh yes.....

    Anyone remember the BBC micro fiasco, where the presenter could not get his username and password correct.

    Ended in typing it in so slowly that every viewer watching the episode knew his password...

    Then some started to exploit it.....

Biting the hand that feeds IT © 1998–2019