Whitehaven Coal Pty Ltd
Security Audit 2016 - Password Report
Account passwords that were successfully recovered
Active: 178 (51%)
Inactive: 169 (49%)
Complex Passwords
Passwords that meet all of the following are considered complex:
8 or more characters in length
Contains uppercase, contains lowercase
Contains at least one number, contains at least one symbol
This password audit was carried out by Rivercity Solutions to evaluate the relative strength of passwords being set by contractors and staff at Whitehaven Coal.
The tools and methodology used to perform this audit are the same as those a malicious attacker would use if they already had elevated access within the Whitehaven Coal data network.
Moderate Passwords
Passwords that meet 4 of the following are considered moderate:
8 or more characters in length
Contains uppercase, contains lowercase
Contains at least one number, contains at least one symbol
Weak Passwords
Passwords that meet fewer than 4 of the following are considered weak:
8 or more characters in length
Contains uppercase, contains lowercase
Contains at least one number, contains at least one symbol
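The three bands above can be expressed as a small classifier. This is an added example, not code from the audit: it assumes the five criteria (length, uppercase, lowercase, number, symbol) are counted individually and that "symbol" means any non-alphanumeric character, and the sample passwords are constructed for illustration.

```python
from collections import Counter

BANDS = ("complex", "moderate", "weak")


def criteria_met(password: str) -> int:
    """Count how many of the report's five criteria a password satisfies."""
    checks = (
        len(password) >= 8,                      # 8 or more characters
        any(c.isupper() for c in password),      # contains uppercase
        any(c.islower() for c in password),      # contains lowercase
        any(c.isdigit() for c in password),      # contains a number
        # Assumption: a "symbol" is any character that is not a letter or digit.
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def classify(password: str) -> str:
    """Map a password to the report's band: all 5 met, exactly 4, or fewer."""
    met = criteria_met(password)
    if met == 5:
        return "complex"
    if met == 4:
        return "moderate"
    return "weak"


def breakdown(passwords):
    """Return {band: (count, percent)} in the same form as the report's totals."""
    counts = Counter(classify(p) for p in passwords)
    total = len(passwords)
    if total == 0:
        return {band: (0, 0.0) for band in BANDS}
    return {band: (counts[band], round(100 * counts[band] / total, 1))
            for band in BANDS}


# Constructed sample input, not data from the audit.
SAMPLE = ["Summer2016!", "Welcome1", "password", "Coal#Mine7", "abc123", "Qwerty12"]

if __name__ == "__main__":
    for band, (count, pct) in breakdown(SAMPLE).items():
        print(f"{band:9} {count:3} {pct:5.1f}%")
```

A season-plus-year password such as the constructed "Summer2016!" meets all five criteria, which shows that this rubric measures composition rather than how guessable a password is.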
Password strength of all recovered passwords
In total we were able to successfully crack 347 passwords (28%) of the 1238 total user accounts stored in the database.
178 of the passwords are for active users and 168 are for disabled accounts.
27 (7.8%)
124 (35.7%)
196 (56.5%)
9 of the active accounts recovered were for external contractors.
5 of the active accounts recovered had workstation administrator permissions or higher.
The average password age (date last changed) of the active user accounts whose passwords were recovered is 10 months.
High risk account passwords recovered