I found some really pathetic password help pages on a company’s intranet while I was there visiting.
This is a large company that most people would recognize, and it is subject to plenty of government regulations. Overall, I’ve heard the security is pretty tight, but since I’ve never worked there, I can’t speak from experience. Except, that is, the experience I mentioned in an earlier post, Randomly Generate Weak Passwords. Perhaps all their security is what Bruce Schneier likes to call “security theater.”
Either way, how’d you like to be a security professional at that organization? You’d have to be very embarrassed about that site. I know if I worked there in audit or security, I’d definitely suggest that password generator be either taken down or improved.
They actually had ANOTHER bad page where you could check the complexity of your password (how do you do that when no complexity is required?), and here are some passwords that I entered that passed:
password (no kidding)
In fact, I could NOT enter a password that would fail. Perhaps the person responsible was an evil insider who was just gathering all the passwords entered? Just in case that was the situation, I entered these passwords in order:
I guess this tool must be a sister to the random generator, an evil sister that should be locked away in a damp dungeon forever.
Note: This post originally appeared as my reply to a comment left in Randomly Generate Weak Passwords. So does the fact that I’m recycling make this a green blog?