ABC News
By Jacob Kagi

Our public servants are using the same easy-to-guess passwords over and over again

More than a quarter of accounts were found to have weak or commonly used passwords.

West Australian public servants are leaving sensitive and confidential information vulnerable to hacking by using easy-to-guess passwords, with more than 1,400 people using 'Password123' as their login.

An examination of passwords and computer systems within WA Government agencies by auditor-general Caroline Spencer found 26 per cent of accounts had weak or commonly used passwords.

That equates to 60,000 out of the 234,000 accounts examined across 17 government agencies.

'Password123', 'Project10', 'support' and 'password1' were the most common passwords discovered, with 'password', 'abcd1234' and 'password2' also cracking the top 15.

One in five of the weak passwords found were also variants of a date or season, while variants of the word 'password' were identified on thousands of accounts.

As part of its probe, the auditor-general's office was able to gain system administrator access to a WA agency's web system by using the password 'Summer123', saying it was then able to identify "a significant amount of production data".

Agencies not taking risks 'seriously enough'

Some of the Government agencies examined had as many as half of their privileged accounts protected by weak passwords, the report found.

"Those passwords contain agency systems, which contain sensitive and confidential information, to inappropriate access and unauthorised use," Ms Spencer said.

"Agency systems are being attacked regularly, so the risk is real.

"We are still finding that agencies are not taking the risk to information system security and capability seriously enough."

Ms Spencer said the Office of the Auditor General (OAG) had been raising similar concerns for a decade, expressing frustration that more was not being done sooner.

The report also raised concerns that remote access to systems was vulnerable to hacking where multi-factor authentication was not required.

"Relying only on passwords leaves these key systems vulnerable to attacks and increases the risk of unauthorised access," the report stated.

Top 20 weak passwords

| No. | Password Used | Accounts |
|-----|---------------|----------|
| 1 | Password123 | 1,464 |
| 2 | Project10 | 994 |
| 3 | Support | 866 |
| 4 | password1 | 813 |
| 5 | October2017 | 226 |
| 6 | Monday01 | 225 |
| 7 | Spring17 | 198 |
| 8 | Sunday01 | 188 |
| 9 | password | 184 |
| 10 | abcd1234 | 176 |
| 11 | Spring2017 | 155 |
| 12 | password2 | 142 |
| 13 | August2017 | 141 |
| 14 | sunday1 | 132 |
| 15 | Welcome1 | 132 |
| 16 | Password01 | 118 |
| 17 | Summer01 | 102 |
| 18 | Logitech1 | 98 |
| 19 | support1 | 96 |
| 20 | Summer17 | 96 |

(Supplied: OAG)

Security performance 'improving'

ICT Minister Dave Kelly said the report indicated Government information security performance was improving, with the number of agencies reaching the required standard rising from 39 per cent to 50 per cent.

"It was clear when we came to Government that cyber security had been ignored by the previous government, and agencies needed help to improve their practices and capabilities," Mr Kelly said.

"That's why since March 2017 we have announced a number of measures to address issues identified by the auditor-general.

"This includes the State Government's first ever cyber security team within the new Office of Digital Government (OAG)."

The OAG said many of the passwords complied with industry standards for password complexity and a length of at least 8 characters, but indicated merely applying those parameters was insufficient to guard against inappropriate access to networks and systems.
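The OAG's point that complexity and length rules alone are not enough can be checked against the passwords in the table. The following Python check is an added example, not part of the report or the OAG's tooling; the three-of-four character-class rule and the word lists are assumptions made for illustration.

```python
import re

# The 20 passwords listed in the article's table.
TOP20 = ("Password123 Project10 Support password1 October2017 Monday01 "
         "Spring17 Sunday01 password abcd1234 Spring2017 password2 "
         "August2017 sunday1 Welcome1 Password01 Summer01 Logitech1 "
         "support1 Summer17").split()

# Assumed word lists: seasons, months and weekdays (the "date or season"
# variants the report describes) plus the other base words in the top 20.
DATE_WORDS = set(
    "spring summer autumn winter january february march april may june "
    "july august september october november december monday tuesday "
    "wednesday thursday friday saturday sunday".split())
COMMON_WORDS = {"password", "welcome", "support", "project", "logitech", "abcd"}


def meets_complexity(pw):
    """Assumed policy: 8+ characters and 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def weak_reason(pw):
    """Return why pw is guessable, or None if no rule here matches."""
    # Lower-case and drop the trailing digits/symbols users append to
    # satisfy a complexity rule, leaving the base word.
    stem = re.sub(r"[\d\W_]+$", "", pw.lower())
    if stem in DATE_WORDS:
        return "season or date"
    if stem in COMMON_WORDS:
        return "common word"
    return None


def audit(passwords):
    """Passwords that pass the complexity rule yet are still guessable."""
    return [(pw, weak_reason(pw)) for pw in passwords
            if meets_complexity(pw) and weak_reason(pw)]


if __name__ == "__main__":
    for pw, reason in audit(TOP20 + ["Summer123"]):
        print(f"{pw:12} passes complexity, rejected as: {reason}")
```

A check of this kind belongs at password-set time, alongside the length and complexity rules rather than in place of them.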
