I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
She punches a button and a large list of passwords popped up on the page. “Our password policy requires 8-character passwords, so that’s why they’re all 8 characters,” she said, beaming with pride. “You can pick one on the list that’s easy to remember.”
Interesting, I said. “Generate a couple pages and save them to a file; I’d like to review the list later.” I walked away with a good chunk of officially sanctioned passwords.
Later, during a break in our meetings, I reviewed the list. I found all the passwords interesting and these few downright amusing:
tandaboy
ficaterr (for a payroll clerk)
smuditid (only techies need apply)
dragickf
dogstrou (“dog” showed up a lot, but no cats)
idahodog
dogindev (I’ve known developers like that)
doceacid
keinbrut
imockerm
sucknole (remember this one as you continue reading)
Notice anything about that list?
No numbers, uppercase letters, or special characters! And most of them contain real words.
I then asked the manager what the company password policy required for complexity. She replied, “Lowercase letters or numbers, no special characters. Some of our systems can’t handle special characters.” (There you have it, a password policy with absolutely no character.)
I smiled politely and left (after all, she was a possible client, and she hadn’t asked me for advice, nor paid for it). One question burned in my mind: why provide a random password generator to pick weak passwords in support of a weak policy?
Later, when I examined the 350 passwords that I’d collected, I noticed something else–a large number of passwords started with the same letters instead of them being spread out somewhat proportionally. Since 350 passwords divided by 26 letters = 13.4, you’d expect a mostly random generator to generate about 10-16 passwords beginning with a, a similar number starting with b, and so on.
Instead, I found this many passwords beginning with this letter:
j = 3
v= 3
k = 5
w = 5
z = 6
c = 7
g = 7
On the high end, I found this many passwords beginning with this letter:
l = 20
t = 21
i = 23
e = 25
n = 26
Either I don’t understand randomness or that password generator is about as random as the password policy is strong.
The other thing I noticed: the first list with few passwords are characters with “hard” sounds, where the second list with more passwords are “softer,” more friendly letters (except for “t”).
And if you unscramble the letters in the second list, it spells “intel”
Go figure.
Update —
For more shocking password news, see my reply to coffeeking in the comments below…
———————–
Other posts on this blog about passwords:
Password, Password on the Wall
Quote of the Weak (Special Characters)
Quote of the Weak (Trojan=Password)
Throw Password Rules Under the Bus?
Free Firewall Password (Just Ask)
ITauditSecurity 
not sure about the kind of data this organization holds, it would be a disaster for financial institution, regardless of the nature of business the random generator is a really bad idea for any orgnanization. as a user I don’t think I could feel comfortable using a password from an automated tool. More that anything the tool doesn’t sound sophisticated at all.
LikeLike
coffeeking,
Let’s just say that this organization is subject to plenty of gov’t regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in the post above. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
Either way, how’d you like to be a security professional at that organization? You’d have to be very embarrassed about that site. I know if I worked there in audit or security, I’d definitely suggest it be either taken down or improved.
I forgot to mention another page they had where you could check the complexity of your password (how do you do that when no complexity is required?), and here’s some passwords that I entered that passed:
password (no kidding)
admin
letmein
12345678
querty123
abcdefghij
In fact, I could NOT enter a password that would fail. Perhaps the person responsible was an evil insider who was just gathering all the passwords entered? Just in case that was the situation, I entered this passwords in order:
ThisIsA
Really,really
pathetic
toolAndyou
MustBePath
eticToo!
HappyHunting
I guess this tool must be a sister to the random generator, an evil sister that should be locked away in a damp dungeon forever.
LikeLike
sorry that wasnt the actual list – dogstroup has 9 chars so would not have been generated, even by a shite generator like this.
LikeLike
Actually, that was the list. During editing, I probably deleted a return and the “p” from the next password got stuck with the “dog” password when I reinserted the return. I removed the “p”. Good eye, Chris.
LikeLike