PARIS — In what cybersecurity experts are calling "the most French approach to password security since the invention of surrender," the Louvre Museum's security audit has resurfaced following October's spectacular theft, revealing that the institution protecting humanity's greatest artistic treasures secured its entire CCTV network with the password "LOUVRE"
The server managing 460 cameras across 37 hectares of priceless art required the kind of advanced credential that most people outgrow after their first WiFi router. Security software from defense contractor SecurVision was similarly impregnable: the password was "SECURVISION" "It's actually genius," explained François Dubois, a cybersecurity consultant we made up. "No one expects passwords that obvious. It's a double bluff. The thieves probably wasted weeks trying 'M0n@L!sa2024' when they should have just typed the building's name." The French information security agency ANSSI, which conducted the audit obtained by Liberation, recommended perhaps upgrading from what one analyst called "a Post-it note stuck to the monitor."
In response to the Louvre breach, museums worldwide have pivoted to tactical misdirection. The Smithsonian reportedly now uses "SMITHSONAIN" (missing the 'i'), while the British Museum has adopted "BRITTISH_MUSEUM" with a tactical use of incorrect spelling.
The Guggenheim, showing particular sophistication, went with "GUGGENHIME" a password so wrong it feels right. "We're exploiting attackers' assumption that institutions spell their own names correctly," said a Metropolitan Museum spokesperson, confirming their password is definitely not "METOPOLITAN."
Between 2018 and 2024, the Louvre spent €105 million on new artworks while allocating €27 million to security infrastructure. Security upgrades recommended in 2015 won't be completed until 2032; a timeline that assumes nothing else gets stolen.
Culture Minister Rachida Dati initially told lawmakers that security "didn't fail" before admitting days later that "security failures did indeed occur." Museum director Laurence des Cars offered to resign. No one accepted. No one was fired.
The passwords, presumably, remain a closely guarded secret that everyone knows.
About the Author
Subscribe before we're patched
Like a vitamin you ingest with your eyes. The best cybersecurity parody, delivered.
