The Louvre Surveillance System Password was ‘LOUVRE’
The Louvre had an alarmingly weak password for its security surveillance system when it was hit by a group of thieves, who made off with more than $100 million in jewels.
The brazen daylight heist took place on Oct. 18, triggering a massive investigation that has since revealed the suspects used power tools to bust through the second-floor window of the Apollo Gallery around 9 a.m. The entire operation took under seven minutes, and none of the robbers were at any time captured by the lone security camera outside the gallery.
During testimony before a French Senate committee last month, Laurence des Cars, the President and Director of the Louvre, said the camera had been facing west and did not cover the window the thieves used to gain access to Paris’ most popular museum.
“The security system, as installed in the Apollo Gallery, worked perfectly,” he said, per ABC News. “The question that arises is how to adapt this system to a new type of attack and modus operandi that we could not have foreseen.”
Despite touting its functionality, France’s National Cybersecurity Agency was able to access a server managing the museum’s video surveillance by cracking its ridiculously simple password: “LOUVRE,” according to confidential documents obtained by Libération. The eponymous password was initially uncovered by the agency during an audit in 2014. Additional audits revealed “serious shortcomings” in the museum’s security systems, including the use of 20-year-old software.
“The password problem isn't just a technical issue; it's a human behavior challenge that's extremely difficult to correct,” commented Darren James, Senior Product Manager at identity management and authentication solutions provider Specops Software. “Passwords, and IT security in general, are often seen as one of those annoying things that stop users from getting on with their day-to-day work. They have to remember so much these days, both for their jobs and personal lives, that they tend to take the easy route: choosing easily guessable words, reusing the same password across multiple systems, or following predictable patterns. And when everything falls apart, their defense is often, "Well, I never thought it would happen to me!“
“So, what can companies do to improve this? They should take the advice of ANSSI (France), NIST (USA), and the NCSC (UK) and change their approach to passwords:
-
Move away from complexity with lots of different character types. That only encourages predictable patterns. Instead, switch to longer passphrases.
-
Block words that relate to your organization. This is a good use of AI; ask your favorite LLM to generate a list of 1,000 words related to your company.
-
Block passwords that are already breached. If they're out there on the dark web, why would you let someone use them?
-
Remove password expiry. It doesn't help, as users just make small changes to their regular password (for example, Summer2024 to Summer2025).
-
If you do remove expiry, remember that people still often reuse their passwords. Make sure you have a solution that can continuously check your users' passwords against a constantly updated database. That way, when they do get leaked, you can act quickly.
“And finally, help your users,” James concluded. ”When they need to change or reset their password, give them the means to do it securely, and use a reset solution that provides helpful feedback.”
So far, seven people have been arrested in connection with the heist, two of whom have partially admitted their involvement.
An investigation into the matter is ongoing, and the stolen jewels remain missing weeks later.