Aaaaah… Passwords! Why write a blog article about them. Everything has alreay been said about passwords. Everybody hates them because they are hard to remember, because we should change it regularly, because we have way too much of them. They are often present in security awareness campaign (see the article introduction picture). And despite this, people are still managing their passwords no matter how! I won’t repeat the same blah-blah about how to take care of your passwords, how to generate them, stop! Here is just another proof that human behavior won’t change.
A friend of mine got access to a huge (read: containing millions of credentials) leaked database as we can find on obscure websites, nothing brand new. The database contains the following fields: ID, user (the email address), encrypted password and a field called “hint”. Usually, when you register on a website, you must provide a hint (a tip) in case of a password recovery is required. The hint can be based on a list of standard questions that you must select in a drop-down list. Common questions are:
- In what city dod you meet your spouse/significant other?
- What is the name of the company of your first job?
- Who was your childhood hero?
- Where were you when you had your first kiss?
- In which city did you meet your spouse/significant other?
Some of them are good, others are weak because the answer can easily be found on public resources! But there is a worst case: when the website lets people choose their own hint!
I asked my friend to search for interesting corporate email addresses (from a big Belgian company) in the database and extract the information. 64 email addresses were found and hints chosen by the users were really interesting (most of them are in Dutch – I translated them):
- Wie? (Who?)
- Beste bier geboorte (best brewed beer)
- Paswoord werk (corporate password)
- Daughter
- Vorig werk (previous employer)
- Happy birthday
- Hotmail
- Zoals gewoonlijk (as usual)
- What falls in the month of December
- t zelfde als anders (the same as others)
- first nick multiple
As you can see, just be reading the dumb hints, it could be easy for an attacker to search for publicly available information and build a good (small) dictionary of passwords! No need to loose time in decrypting the passwords…  Sometimes, the hint is also disclosed on the password recovery page just after submitting the email address (which is very easy to guess). No need to have access to a leaked database! When you register on a website, it is important to choose a good hint (or better, don’t use one) and save your passwords in a password manager. Keep this in mind!