I was at a client’s site looking for more contract work when the manager of the department started telling me about their great IT security website on their Intranet. She clicks on their random generator password page and shows me how you can generate a block of “approved” passwords, sanctioned by their security department. At the top of the page, a banner read: Select a Strong Password!
She punched a button and a large list of passwords popped up on the page. “Our password policy requires 8-character passwords, so that’s why they’re all 8 characters,” she said, beaming with pride. “You can pick one on the list that’s easy to remember.”
“Interesting,” I said. “Generate a couple of pages and save them to a file; I’d like to review the list later.” I walked away with a good chunk of officially sanctioned passwords.
Later, during a break in our meetings, I reviewed the list. I found all the passwords interesting and these few downright amusing:
ficaterr (for a payroll clerk)
smuditid (only techies need apply)
dogstrou (“dog” showed up a lot, but no cats)
dogindev (I’ve known developers like that)
sucknole (remember this one as you continue reading)
Notice anything about that list?
No numbers, uppercase letters, or special characters! And most of them contain real words.
I then asked the manager what the company password policy required for complexity. She replied, “Lowercase letters or numbers, no special characters. Some of our systems can’t handle special characters.” (There you have it, a password policy with absolutely no character.)
I smiled politely and left (after all, she was a possible client, and she hadn’t asked me for advice, nor paid for it). One question burned in my mind: why provide a random password generator to pick weak passwords in support of a weak policy?
Later, when I examined the 350 passwords that I’d collected, I noticed something else: a large number of passwords started with the same letters instead of being spread out roughly evenly. Since 350 passwords divided by 26 letters ≈ 13.5, you’d expect a mostly random generator to produce about 10-16 passwords beginning with a, a similar number starting with b, and so on.
On the low end, I found this many passwords beginning with this letter:
j = 3
k = 5
w = 5
z = 6
c = 7
g = 7
On the high end, I found this many passwords beginning with this letter:
l = 20
t = 21
i = 23
e = 25
n = 26
Either I don’t understand randomness or that password generator is about as random as the password policy is strong.
The other thing I noticed: the letters in the first list (few passwords) have “hard” sounds, whereas the letters in the second list (more passwords) are “softer,” friendlier letters (except for “t”).
And if you unscramble the letters in the second list, it spells “intel”.
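The “either I don’t understand randomness” question above can be settled with a chi-square check against a uniform spread of first letters. The script below is an added example, not code from the original post or from the client’s generator. It uses the eleven first-letter counts the post reports (out of 350 passwords); the other 15 letters were never reported, so the statistic built from them is only a lower bound on the full one, which is enough here because every term is non-negative. The chi-square critical values are the standard table values for 25 degrees of freedom, and the skewed generator is a constructed stand-in for a word-like generator, not a model of the real one.

```python
"""Checking whether a password generator spreads first letters evenly.

Added example, not code from the original post. REPORTED_COUNTS holds the
eleven first-letter counts the post reports out of 350 passwords; the other
15 letters were not reported, so the statistic built from them is only a
lower bound on the full chi-square statistic. The chi-square critical
values are standard table values for 25 degrees of freedom.
"""
import math
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
DEGREES_OF_FREEDOM = len(ALPHABET) - 1  # 25

# Standard chi-square critical values for df = 25 (uniform over 26 letters).
CHI2_CRITICAL_DF25 = {0.05: 37.652, 0.01: 44.314}

# First-letter counts reported in the post (out of 350 passwords).
REPORTED_COUNTS = {"j": 3, "k": 5, "w": 5, "z": 6, "c": 7, "g": 7,
                   "l": 20, "t": 21, "i": 23, "e": 25, "n": 26}
REPORTED_TOTAL = 350


def chi_square_terms(counts, total):
    """Per-letter (observed - expected)^2 / expected against a uniform model,
    where expected = total / 26 for every letter."""
    expected = total / len(ALPHABET)
    return {letter: (observed - expected) ** 2 / expected
            for letter, observed in counts.items()}


def chi_square_lower_bound(counts, total):
    """Sum the terms for the letters we have counts for. Each term is >= 0,
    so the statistic over all 26 letters can only be larger than this."""
    return sum(chi_square_terms(counts, total).values())


def first_letter_counts(passwords):
    """Counts of the first character, with every letter present (zero allowed)."""
    seen = Counter(p[0] for p in passwords if p)
    return {letter: seen.get(letter, 0) for letter in ALPHABET}


def chi_square_statistic(passwords):
    """Full chi-square statistic for a complete list of passwords."""
    return chi_square_lower_bound(first_letter_counts(passwords), len(passwords))


def rejects_uniform(statistic, alpha=0.01):
    """True when the statistic exceeds the critical value: the first letters
    are very unlikely to have come from an even spread over a-z."""
    return statistic > CHI2_CRITICAL_DF25[alpha]


def keyspace_bits(alphabet_size, length):
    """Bits of entropy in a password drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def uniform_passwords(n, length=8, alphabet=ALPHABET):
    """What a CSPRNG-backed generator should do: every character equally likely."""
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(n)]


def skewed_passwords(n, length=8, seed=1):
    """Constructed stand-in for a word-like generator whose first letters
    follow a skewed table (favouring e, n, i, t, l; starving j, k, w, z).
    Seeded so the result is reproducible; not the client's generator."""
    rng = random.Random(seed)
    weights = [5 if c in "enitl" else 1 if c in "jkwz" else 2 for c in ALPHABET]
    out = []
    for _ in range(n):
        first = rng.choices(ALPHABET, weights=weights, k=1)[0]
        rest = "".join(rng.choice(ALPHABET) for _ in range(length - 1))
        out.append(first + rest)
    return out


if __name__ == "__main__":
    bound = chi_square_lower_bound(REPORTED_COUNTS, REPORTED_TOTAL)
    print(f"expected per letter: {REPORTED_TOTAL / len(ALPHABET):.1f}")
    print(f"chi-square from the 11 reported letters alone: {bound:.1f} "
          f"(critical at p=0.01, df=25: {CHI2_CRITICAL_DF25[0.01]})")
    print(f"uniform generator, 350 samples: "
          f"{chi_square_statistic(uniform_passwords(350)):.1f}")
    print(f"skewed generator, 350 samples:  "
          f"{chi_square_statistic(skewed_passwords(350)):.1f}")
    print(f"8 lowercase letters: {keyspace_bits(26, 8):.1f} bits; "
          f"lowercase+digits: {keyspace_bits(36, 8):.1f} bits")
```

The eleven reported letters alone contribute about 64.8 to the statistic, well past the 44.3 needed to reject an even spread at p = 0.01 with 25 degrees of freedom, so the skew the author spotted by eye is real and not sampling noise. Two caveats a practitioner would add: the test only says the first letters are not uniform, not how predictable the whole password is; and a generator that builds “words” from a dictionary or syllable table inherits the letter frequencies of its source, so its effective entropy is far below the 37.6 bits that eight uniformly chosen lowercase letters would give (41.4 bits with digits added), which is itself modest.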
For more shocking password news, see my reply to coffeeking in the comments below…