
The Louvre's Video Surveillance Password Was 'Louvre' (pcgamer.com)

(Wednesday November 05, 2025 @10:30PM (BeauHD) from the would-you-look-at-that dept.)


A bungled October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight has [1]exposed years of lax security at the national art museum. From [2]trivial passwords like 'LOUVRE' to decades-old, unsupported systems and easy rooftop access, the job was made surprisingly easy. PC Gamer reports:

> As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We've spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password "Louvre" for its video surveillance servers. That's not an exaggeration. Confidential documents reviewed by [3]Liberation detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum's request. ANSSI experts were able to infiltrate the Louvre's security network to manipulate video surveillance and modify badge access.

>

> "How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as 'trivial,'" writes Liberation's Brice Le Borgne via machine translation. "Type 'LOUVRE' to access a server managing the museum's video surveillance, or 'THALES' to access one of the software programs published by... Thales." The museum sought another audit from France's National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit's 40 pages of recommendations described "serious shortcomings," "poorly managed" visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems. Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.



[1] https://it.slashdot.org/story/25/10/20/1957202/louvre-museum-security-outdated-and-inadequate-at-time-of-heist

[2] https://www.pcgamer.com/software/security/post-heist-reports-reveal-the-password-for-the-louvres-video-surveillance-was-louvre-and-suddenly-the-dumpster-tier-opsec-of-videogame-npcs-seems-a-lot-less-absurd/

[3] https://www.liberation.fr/checknews/louvre-en-mot-de-passe-logiciels-obsoletes-mises-a-jour-impossibles-dix-ans-de-failles-dans-la-securite-informatique-du-premier-musee-au-monde-20251101_RD5YGV6WMVAXLL6U3SRGVFBIBY/



Holy cow! (Score:2)

by registrations_suck ( 1075251 )

Man o man. What a good time to be a criminal!

That museum deserves to lose its entire collection.

Re: (Score:1)

by davidwr ( 791652 )

> That museum deserves to lose its entire collection.

If it were a privately-owned museum I might agree with you.

As a publicly owned museum owned by the people of France, I can't agree with you.

I will say that more than one person involved in the Louvre's security needs to be sacked if not prosecuted for criminal negligence, assuming any such laws apply.

Re: (Score:3)

by pixelpusher220 ( 529617 )

I'm guessing the Security Supervisor's personal banking password was 'bank'?

Re: (Score:2)

by sarren1901 ( 5415506 )

1 2 3 4 5

It's the exact same code as my luggage!

Re: (Score:2)

by drnb ( 2434720 )

> 1 2 3 4 5

> It's the exact same code as my luggage!

I think that's your bank PIN. Your luggage would be 1 2 3, or the TSA compatible key from Ali Baba. :-)

Re: (Score:2)

by Drishmung ( 458368 )

[1]00000000 [princeton.edu] I'll see your luggage and raise you nuclear armageddon.

[1] https://sgs.princeton.edu/00000000

Re: (Score:2)

by drnb ( 2434720 )

> I'm guessing the Security Supervisor's personal banking password was 'bank'?

"Banque". Note they do mix lower and upper. :-)

Re: Holy cow! (Score:2)

by reanjr ( 588767 )

I really want a slick produced show where an international team of non-European thieves engages in operations to repatriate stolen relics.

Would be difficult to get rights to film in the museums, though, in all likelihood.

Re: (Score:2)

by Koen Lefever ( 2543028 )

It is not a show, but a game: [1]Relooted by Nyamakop [nyamakop.co.za].

[1] https://nyamakop.co.za/relooted/

Re: (Score:2)

by drnb ( 2434720 )

> I really want a slick produced show where an international team of non-European thieves engages in operations to repatriate stolen relics.

Why? So ISIS/Daesh/Taliban can destroy the pre-Islamic art?

"Built in the 6th century, the Buddhas of Bamiyan were two monumental size statues, standing at 115 and 174 feet tall, carved into the sandstone cliffs of the Bamiyan valley in central Afghanistan. These statues best exemplified the Gandharan Buddhist art school, as well as the greater cultural landscape of Buddhism and its influences during the 1st to 13th centuries. In 2001, the statues were destroyed by the Taliban over the course of 25 days. A

They used both upper and lower case (Score:2)

by drnb ( 2434720 )

Come on, they used both upper and lower case. Give them a little credit. :-)

No wonder I couldn't get into their systems (Score:1)

by davidwr ( 791652 )

I thought the password was ervuoL.

Windows Server 2003 belongs in a museum (Score:3)

by Joe_Dragon ( 2206452 )

Windows Server 2003 belongs in a museum

The Operational Museum Piece. (Score:3)

by geekmux ( 1040042 )

> Windows Server 2003 belongs in a museum

Technically, it was.

The display just happened to be warehoused in the operational wing. Attached to a power plug. Connected to a wall socket. Powered on. And configured with a slightly insecure password policy, given the server name of "Louvre", the username of "Louvre", the passwo, yeah it's one hell of a museum piece.

Even the ILOVEYOU architects were impressed.

Re: (Score:2)

by Rosco P. Coltrane ( 209368 )

I trust Windows Server 2003 more than I trust Windows 11. It's less stable, but Microsoft isn't in control of your machine.

Cyber Audits must be a good business (Score:2)

by Whateverthisis ( 7004192 )

This isn't my field so I kind of mean this sarcastically and kind of not, but I feel like cyber security audits must be a good business to be in. Get hired to find the vulnerabilities, list out the most basic things and write up a report with recommendations to fix it, then get hired 2 years later to do the same thing and find the exact same stuff. (I'm referencing the fact that the Louvre had an audit in 2014 and then another in late 2015 that found the most basic logic security flaws, which obviously in

Re: (Score:3)

by rta ( 559125 )

> which obviously in 2025 weren't fixed per the article

That's not what the article says, it merely wants to give that impression, because it's easier for them to get clicks that way.

Note that the only claims made as of the 2025 report are that they're using Windows Server 2003 and some old security software in some capacity. The stuff about the passwords is all from 2014 and 2015.

Re: (Score:2)

by sarren1901 ( 5415506 )

Unless that's an incredibly locked down Windows 2003 server, it's basically criminal negligence to be running such an out of date operating system. The fact it was set up with lousy passwords makes me believe it probably wasn't locked down either. They were asking for trouble with such poor security practices.

More info (Score:2)

by reanjr ( 588767 )

Check out the Hank Green interview with Sherri Davidoff on YouTube for a pretty nuanced look into the failures and successes of this heist.

[1]https://youtu.be/NIGbQ9NHFEg [youtu.be]

[1] https://youtu.be/NIGbQ9NHFEg

Ssshhhh! Don't tell everyone your password! (Score:1)

by RightwingNutjob ( 1302813 )

Now we'll just have to locate every copy of the web page and have it dipped in acid to make sure no one can break in at a later date.

No Connection with Heist (Score:1)

by Anonymous Coward

There seems to be no actual connection identified between poor passwords and the heist. No connection identified between out of date technology and the heist. But it makes a great story. It sounds a bit like worrying about the bad lock on the door when somebody put a chair through the window. It's not a trivial point. They are likely going to spend a lot of time and money "improving" their outdated security technology instead of evaluating their real security needs.

12345 (Score:2)

by glowworm ( 880177 )

Clearly the Louvre should have used the higher security ERVUOL.

( /s )

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

Alternatively, they at least could've gone with "Louvre2".

Re: (Score:2)

by fabioalcor ( 1663783 )

123@Louvre

Numbers, symbols, and at least one capital letter. Very strong password.

Didn't Matter (Score:3)

by PleaseThink ( 8207110 )

The criminals effectively just did a smash-and-grab (plus guard threatening) while pretending to be construction workers. None of that poor IT security mattered. In other words, it doesn't matter that their new password was changed to "LOUVRE!".

Remember? (Score:2)

by fabioalcor ( 1663783 )

When it was acceptable that historical artifacts would be "moved" (more like stolen) from African and Eastern countries to European museums like Louvre, so they'd be safer there? Yeah.

Re:Remember? (Score:4, Informative)

by test321 ( 8891681 )

It might be ethically unacceptable by today's standards, but the state of the world still makes it technically correct. Museums of poorer countries get ransacked during wartime. Compare one spectacular heist at the Louvre and thoroughly looting the entire 100,000 piece collection of the Khartoum museum in Sudan last year.

1) Sudan National museum was looted and ransacked in 2023/2024; it contained 100,000 pieces of art from the different cultures from the Nile Valley [1]https://www.theartnewspaper.co... [theartnewspaper.com]

2) Destructions during the 2015 Syrian war [2]https://en.wikipedia.org/wiki/... [wikipedia.org]

3) Destruction of religious and historic relics of Timbuktu, Mali during the 2012 war [3]https://en.wikipedia.org/wiki/... [wikipedia.org] ; the International Criminal Court (The Hague) sentenced an Al Qaeda associate [4]https://www.icc-cpi.int/mali/a... [icc-cpi.int]

4) Looting of Iraq Museum in 2003 [5]https://en.wikipedia.org/wiki/... [wikipedia.org]

5) The very long list of cultural destructions by the Islamic State everywhere it passed by [6]https://en.wikipedia.org/wiki/... [wikipedia.org]

[1] https://www.theartnewspaper.com/2025/04/01/heritage-authorities-express-sorrow-sudan-national-museum-looted-ransacked

[2] https://en.wikipedia.org/wiki/List_of_heritage_sites_damaged_during_the_Syrian_civil_war

[3] https://en.wikipedia.org/wiki/Battle_of_Gao#Destruction_of_shrines

[4] https://www.icc-cpi.int/mali/al-mahdi

[5] https://en.wikipedia.org/wiki/Archaeological_looting_in_Iraq

[6] https://en.wikipedia.org/wiki/Destruction_of_cultural_heritage_by_the_Islamic_State

That does it! (Score:2)

by PPH ( 736903 )

Pack up the entire collection and move it to Llanfairpwllgwyngyll, Wales.

PC Gamer reports: ? (Score:2)

by ForkInMe ( 6978200 )

Am I the only one that didn't read anything past "PC gamer reports:"? How sad the world has become that this is probably one of the most accurate and nuanced articles our current news media can produce. I'll go back and read it in a bit - just had to put this out there.

budgetary blame? (Score:1)

by Venova ( 6474140 )

Could not some of these shortcomings be due to long term budget cuts? Or poor allocation thereof towards important security measures for the most famous irreplaceable artifacts on display in the world? Cyber or not, many things could and should have been improved after a decade+
