Blog: Passwords
Hiding behind a password
What do your passwords say about you?
It’s surprisingly personal. User-generated passwords can reveal more than you might expect, including frustration, humour, and even how someone feels about their job.
My password manager database has over 350 entries. I have chosen or generated all of them with a particular purpose and context in mind with the vast majority being long and random.
As a security professional, I have extracted, cracked and analysed a large number of other people’s passwords as part of client engagements. This type of task enabled (and sometimes required) reading, or at least statistically analysing, the sample of extracted plaintext passwords, which for the most part were not random.
It’s all fun and games until someone… reads your passwords?
Cracking passwords produces a fascinating (scary?) insight into people’s minds and the workplace culture and mood.
Imagine if a group of people in a workplace were asked to think of, but not disclose, a single meaningful word that is completely honest and true to their person: this is what surfaces when analysing a set of plaintext passwords in the context of an engagement.
Our password auditing service, Papa, cracks over a million passwords a year. I am sure most examples that you could guess will be found. Without going into detail or sharing actual examples, some of these concern personal interests like sports, or work-related matters referring to colleagues, managers or the product of the business. Mentions of family members are common, as are holiday destinations, etc.
The actual content ranges from the most offensive expletives to the sweetest compliments; things that people would probably never say out loud. Interestingly, some of these themes appear in batches and I would bet they could be grouped by demographics [but let’s not go there…]. A set of cracked passwords can clearly profile a workplace environment (usually in a negative way).
But passwords are secret?
Passwords are in principle a secret. Users assume that nobody else will ever see them and that they will not be shared, shown, or leaked publicly.
In the security world, we all know and appreciate the requirement to use complex passwords, which ultimately makes them very difficult to guess and crack, but also to remember.
Password managers fix this issue for the most part, but given the fact that not everybody uses a password manager and password managers are not available for all use cases, there is always a portion of passwords that must be remembered. This means they are likely to be less complex, which makes them easier to crack or guess by hackers or for an ethical audit.
We frequently come across very simple passwords structured around obvious keywords – days of the week, calendar months, calendar years, numeric suffixes, the name of the business, weather seasons, the word ‘password’ or ‘secret’ or a variation of ‘youwillneverguess’.
The general format or structure of selecting passwords can be established in certain departments or procedures, but this cannot extend or be strictly enforced for individual accounts or for external contracted staff or services. Therefore, a reasonable inference is that every organisation has a portion of weak passwords with no multi-factor authentication safety net.
However, it is also interesting to observe how staff in certain positions of critical responsibility (senior managers, CTOs, IT operators and managers, security or network architects, etc.) can have the weakest passwords, sometimes going against the established password policies and procedures, and in some cases unchanged for years.
Learning points
This has been a light-hearted discussion about passwords and the insight that they bring to industry professionals. It is not necessarily a fundamental or high-risk issue, but there are learning points to consider, for organisations and people alike:
- Use password managers to create and store long random passwords.
- Use multi-factor authentication.
- Passwords are secrets. But it is possible that they will be read – with whatever implications that may bring to you or your employer. Will it reveal a pattern?
- Avoid using predictable key words – calendar days of the week, month, year, name of business, name of office building, variations of ‘password’ or ‘secret’ or ‘guess’.
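The predictable keyword themes listed above (and in the earlier paragraph on simple passwords) can be checked for in an audit. The following is an added example, not Papa’s code or anything from the original post; the organisation name and the sample password list are constructed.

```python
import re
from collections import Counter

# Predictable themes listed in the post; ORG_NAME and SAMPLE are constructed
# for this example and are not from any real engagement.
ORG_NAME = "examplecorp"
THEMES = {
    "weekday": ["monday", "tuesday", "wednesday", "thursday",
                "friday", "saturday", "sunday"],
    "month": ["january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december"],
    "season": ["spring", "summer", "autumn", "winter"],
    "business": [ORG_NAME],
    "password-word": ["password", "secret", "guess"],
}
# Common symbol/digit substitutions undone before keyword matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw):
    """Lower-case, drop a trailing digit/symbol suffix, undo leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def classify(pw):
    """Return the set of predictable themes a cleartext password is built on."""
    themes = set()
    core = normalise(pw)
    for theme, words in THEMES.items():
        # Short words like 'may' must match the whole core to avoid false hits.
        if any(w == core or (len(w) >= 4 and w in core) for w in words):
            themes.add(theme)
    if re.search(r"(19|20)\d{2}", pw):
        themes.add("year")
    if re.search(r"\d+[^A-Za-z0-9]*$", pw) and not pw.isdigit():
        themes.add("numeric-suffix")
    return themes


def audit(passwords):
    """Count how often each theme appears across an audited password set."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw) or {"no-obvious-theme"})
    return counts


SAMPLE = ["Summer2023!", "Friday1", "ExampleCorp2019", "P@ssw0rd1",
          "youwillneverguess", "correct horse battery staple",
          "December", "Secret!!"]

if __name__ == "__main__":
    for theme, n in audit(SAMPLE).most_common():
        print(f"{theme:18} {n}")
```

The same `classify` check can sit behind a password-change form as a banned-pattern filter, so the themes are rejected at creation time rather than discovered in a later audit.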
Multi-factor authentication and password managers
There is an argument to be made for reducing the pressure of password complexity to make passwords easier to use, with the lost strength offset by the security benefit of multi-factor authentication. In an environment where multi-factor authentication is deployed consistently and thoroughly on all systems, this can be a reasonable compromise.
From the individual’s perspective, this would be only one out of hundreds of other passwords they have to handle. Therefore, relaxing the complexity policy makes only a small difference to the individual.
Using a password manager is still the critical point, and with this in mind, relaxing the complexity policy loses relevance, because passwords will still be used from the password manager.
Password managers reduce the pressure that a strict password complexity policy puts on individuals. The usability benefit of using a password manager ends up being greater than the benefit of relaxing complexity in exchange for enforcing MFA.
Further reading
- https://www.pentestpartners.com/security-blog/password-policy-guidance/
- https://www.pentestpartners.com/security-blog/8-ways-to-be-great-at-password-management-and-protect-your-customers/