The dictionary and hybrid tests were “not very successful”, the report said, with a less than five per cent success rate of a compromise occurring for each of the four agencies.

Security consultant Chris Gatford, of Hacklabs, said he'd like to see more information about the methods used by the audit office to crack the passwords, as this would determine why passwords could be easily cracked.

Despite this, he said the simple passwords that corporate Australia used to protect sensitive accounts and systems never ceased to amaze him. "The security industry has been telling organisations for years to use complex passwords; however, it seems to fall on deaf ears."

Some "standard security settings" - such as a lock-out after a number of unsuccessful password attempts - "would mitigate some of the risk associated with a brute force attack", the report said.

Departments tested were the Australian Office of Financial Management, ComSuper, Medicare Australia and the Department of the Prime Minister and Cabinet.

Entitled The Protection and Security of Electronic Information Held by Australian Government Agencies (PDF), the report said that in an ideal world there would be “little or no compromise of passwords using such a test".

It did, however, say that it had received advice saying that a 20 per cent result compares "reasonably favourably" with some private sector and state government agencies.

The report also said that one agency wasn't blocking access to the Gmail and Hotmail services, which it said could "provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure".

"The recent 'Wikileaks' release of government information has demonstrated the importance of maintaining appropriate protective security frameworks and the risks of failing to adequately protect electronic information," the report said.