When the PR folk got together and said “let’s do a day-in-the-life of Prince William in the Royal Air Force photo diary,” it no doubt sounded like a great idea, however with the benefit of hindsight, it may have been best to get someone with keen eyesight to give the resulting pictures a good going over prior to release.
The photo diary was being used to promote Prince William and Kate Middleton’s new website, and therefore gained not only plenty of press attention, as the pictures were sent to many large publications too, but also a large amount of visits from the public.
Except sadly, amongst the images of the Prince making a cup of tea and about to take off in his search and rescue Sea King helicopter, four of the photos contained details that the RAF would have preferred to stay private.
These included computer screens and documents with information, including login details, on the Prince’s colleagues and perhaps worst of all, a big notice taped to the wall with the username and password used to access a military website written on it. That’s the picture you see above, and you can check out the full-size picture here in its post-investigation form.
According to reports, the images weren’t cleared by the Ministry of Defence before being published, forcing the RAF to reset all the relevant logins, then edit the remaining snaps to remove any more sensitive information before giving them the OK.
What makes this story particularly interesting is that according to security experts Sophos, having viewed one of the unedited images, the password was “extremely obvious, easy to guess and — frankly — a diabolical choice.”
While the publication of the pictures is a silly oversight, can a military organization really be forgiven for using substandard passwords? It appears the site in question, Milflip, contains unclassified information on flight details, but that’s beside the point. Just because it’s not classified, doesn’t mean it warrants poor security.
Thankfully, reports of lost or stolen military passwords are rare, leaving the headlines to be grabbed by sites such as LinkedIn, Sony, and Blizzard instead. Perhaps they all need to have a read of our guide to choosing a strong password?