Kenneth F. Belva

Reflections on Passwords: Cracking and Log Analysis

This post on Emergent Chaos caused me to reminisce a bit.

Back in the day, one of my responsibilities was password auditing (cracking). Unlike many other password auditors, I was internal to the company, not an external auditor. I knew the people whose passwords I was cracking.

In addition, the tools at that time (john/l0phtcrack) showed the cracked passwords along with the stats. Ultimately this means that I read many, many passwords of individuals whom I knew.

It became apparent very early on that people would put things that meant something to them in their passwords. They also put private thoughts in their passwords. This was wide ranging in scope:

I knew a woman who had just married and was about to purchase a house, so that was reflected in her password. My friend who liked cars put that in his password. An individual in my department who hated the manager put that in his password! An individual who was religious put something religious in his password.

This is not a new concept, but I can confirm that this happens. And, as an FYI, my dataset was 3000+ people done a few times over the course of three years.

Since we also monitored the logs in the organization, we saw that it was not uncommon for people to forget to hit tab and accidentally type their password in the username box. These were not just mistakes by non-technical end users, but by technical people as well. One time we needed the administrator password. Guess where we found it!
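The tab-key mistake above is something a log pipeline can catch and clean up. Below is an added example (my own, not from the original post) that scans constructed failed-login lines for a "username" that is absent from the user directory and looks like a password, then redacts it so the secret does not sit in the log store; the log format, the `KNOWN_USERS` set and the thresholds are assumptions.

```python
import re

# Constructed sample auth log (not from any real system). Lines 2 and 4 are
# the Enter-instead-of-Tab mistake: the password landed in the username field.
SAMPLE_LOG = """\
auth: failed login for user 'jsmith' from 10.0.0.5
auth: failed login for user 'NewHouse2006!' from 10.0.0.5
auth: failed login for user 'jsmiht' from 10.0.0.5
auth: failed login for user 'Corvette99' from 10.0.0.9
auth: failed login for user 'root' from 10.0.0.7
"""

# Hypothetical user directory the log is checked against.
KNOWN_USERS = {"jsmith", "root", "admin"}

LINE_RE = re.compile(r"failed login for user '(?P<user>[^']*)'")


def looks_like_password(name: str) -> bool:
    """Heuristic: a value at least 8 characters long that mixes three or
    more character classes reads like a password, not a login name."""
    classes = (
        any(c.isupper() for c in name)
        + any(c.islower() for c in name)
        + any(c.isdigit() for c in name)
        + any(not c.isalnum() for c in name)
    )
    return len(name) >= 8 and classes >= 3


def scan_log(text: str, known_users: set) -> list:
    """Return 1-based line numbers whose 'username' is unknown to the
    directory and looks like a password. A plain typo of a real login
    ('jsmiht') is not flagged; flagged lines are for review, not blocking."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if m is None or m.group("user") in known_users:
            continue
        if looks_like_password(m.group("user")):
            hits.append(lineno)
    return hits


def redact_log(text: str, known_users: set) -> str:
    """Rewrite flagged lines so the leaked secret does not persist in the
    log store; the fact that a failure occurred is kept for later analysis."""
    flagged = set(scan_log(text, known_users))
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno in flagged:
            line = LINE_RE.sub("failed login for user '[REDACTED]'", line)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run this at ingest time, before lines reach long-term storage or a search index, since an alert raised after the fact still leaves the secret readable by everyone with log access.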

