One of the things that I do as a penetration tester is crack passwords. It’s usually not difficult, but this post isn’t about that anyway. What this post is about concerns the contents of the passwords and what it might suggest about the users.
Take, for example, the following password @1coh0l!. What might we guess about this person? It’s a pretty strong bet, I think, that he’s not a teetotaler. Maybe he parties. Maybe, too, he just has a stressful job and silently expresses it in his password.
Let’s move on to another, Y@nk33sRUL3. Anyone think this person is a native Bostonian? Well, if he is, his parents are transplants who probably stayed at home a lot during baseball season. In any case, he’s almost certainly a sports fan.
Here’s another: John3:16. Most people will recognize this as a common reference to a New Testament verse. Leaving aside password quality, it’s suggestive that religion plays a very strong part in this person’s life.
And one more: RandPaul2016. Rand Paul is a Senator from Kentucky and regarded by some as a potential US presidential candidate in the next election. His positions are reportedly enough outside of the mainstream that, at this early stage, supporters will likely tend to be of the enthusiastic type, perhaps even campaign volunteers.
A few random passwords of the type that I see when passwords are broken, and a few guesses about the people who use them. We see people who may be stressed, fans of sports, religious, and/or politically active. What use is this information?
Think about a situation where the usernames or e-mail addresses and the associated passwords get out. Maybe they’re not of direct use, since the company doesn’t have an outside e-mail portal for its employees. But they could be of use in phishing attacks. (Phishing attacks are usually malicious e-mail messages targeted at a few users, or even one, based on some information known about those users.) Think about these subject lines:
- Happy Hour at Phil’s Grills!
- Yankees Memorabilia Sale
- Weekend Church Outing
- Balancing the Budget In Less Than Five Years
A well-crafted e-mail with one of the above subjects and a neutral-looking attachment, such as a Word document or a PDF, that carries a malicious payload could well catch the attention of the people with the passwords listed above. Maybe it won’t catch all of them. It might not even catch most. But an attacker with a little information like this might send what is, for attack purposes, the same file with different covering text to all four users, and if only one opens it, the attacker has a foot in the door.
We in the security field often warn people not to select passwords that are easily guessed. Given how often passwords are leaked, it’s easy to see that it’s also a good idea to select passwords that don’t give away information about you. As phishing attacks grow more common, these kinds of things will become more automated and the quality will improve such that it becomes nearly impossible for the average user to tell what is safe and what is not. Additional sophistication means that these will appear to come from people you know, making it more likely that you will trust the attachment enough to open it.
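A defender-side check of the kind this advice suggests, added here as an illustration and not part of the original post: it undoes the common character substitutions seen in the passwords quoted above and tags a password with the theme it appears to reveal, so an auditor (or a password-change form) can warn the user. The substitution table, the theme wordlists and the scripture-reference pattern are constructed assumptions for this example, not a complete list.

```python
import re

# Common character substitutions seen in the passwords quoted above.
# This mapping is an assumption for the example, not an exhaustive one.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed, deliberately small theme wordlists. A real audit would use
# larger lists (team names, denominations, candidate names, and so on).
THEMES = {
    "alcohol":  ["alcohol", "beer", "vodka", "whiskey", "wine"],
    "sports":   ["yankees", "redsox", "lakers", "football"],
    "politics": ["randpaul", "obama", "clinton", "vote"],
}

# Book chapter:verse pattern (e.g. "John3:16"), matched on the raw password
# so that the digits in "3:16" are not turned into letters first.
SCRIPTURE = re.compile(r"[A-Za-z]+\s?\d{0,3}:\d{1,3}")


def normalize(password: str) -> str:
    """Lower-case the password and undo the substitutions in LEET."""
    return password.lower().translate(LEET)


def themes_in(password: str) -> list[str]:
    """Return the themes a password appears to reveal about its owner."""
    found = []
    norm = normalize(password)
    for theme, words in THEMES.items():
        if any(word in norm for word in words):
            found.append(theme)
    if SCRIPTURE.search(password):
        found.append("religion")
    return found


def audit(passwords: list[str]) -> dict[str, list[str]]:
    """Map each password to the themes it leaks; empty list means none found."""
    return {p: themes_in(p) for p in passwords}


if __name__ == "__main__":
    # The four passwords from the post, plus one that leaks nothing.
    for pw, tags in audit(["@1coh0l!", "Y@nk33sRUL3", "John3:16",
                           "RandPaul2016", "correct horse battery"]).items():
        print(f"{pw!r:25} -> {tags or 'no theme detected'}")
```

Because the check runs on the normalized form, a user who swaps a few letters for symbols still gets the same warning as one who types the word plainly.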
Just another thing to keep in mind when coming up with passwords (or, better, pass phrases).