Sysadmin tells user CSI-style password guessing never w– wait WTF?! It's 'PASSWORD1'!

Can you feel it? The weekend's just over the horizon, so it's time for On-Call, The Register's Friday column in which we share readers' tales of literally incredible jobs that produced improbable feats of sysadminnery. This week, meet “Ron” who told us he used to work for a government agency and sent us a story about how, on “ …

Silver badge

Re: something from his past that wasn't common knowledge

I don't *think* anyone ever typed in "RedFordFocus"...

We had a sysadmin who used that method for new users' first-time passwords. People would get new accounts with initial passwords of "BigRedBus" or "PoliceCar"

Silver badge

Re: something from his past that wasn't common knowledge

"Window?WhoTheFlockHasAWindowFFS?"

Silver badge

Re: something from his past that wasn't common knowledge

"Window?WhoTheFlockHasAWindowFFS?"

Not every company I've worked for has put the techies somewhere without natural light and away from normal people.

Just most of them.

Anonymous Coward

Re: something from his past that wasn't common knowledge

My second to last job was in just such a broom cupboard. Two of us squashed into a room that was smaller than the office toilets. Or the server room.

So just after getting used to it being cramped we got a new manager in... then they added a door out onto our warehouse. So it was now even more cramped and used as a shortcut. Though it did mean I'd occasionally work in the warehouse just to get some breathing room.


Re: I had a boss that kept forgetting his password.

For people with that poor a memory, put the password on a business card and stick it in your wallet.

Most people do a decent job of protecting their wallet. Anything in said wallet will be protected as well.


Re: I had a boss that kept forgetting his password.

Dialog re: bluetooth

me: use the 'phone # of the girl that would have been your girlfriend if only she had said yes

Turner Whitted (yes, him!): 722...

Me: hey that's a Seattle 'phone #!

Turner: I didn't specify the area code ...

This was the home 'phone of young Kathy Pappas, who is now (&has been for a while) Kathy Whitted.


A certain non-technical individual standing within brick throwing distance of me keeps all his passwords to everything on an unencrypted file on his iPhone.

Anonymous Coward

Conficker

Circa 2011, Conficker all over my network, ficking things. Microsoft's advice is to enable password complexity (duh).

Response from the CAB: We can't do that, because managers aren't able to use complex passwords. In other words, people who have a driving licence and are able to vote in elections are nevertheless too stupid to come up with a word and stick a couple of digits and a percent sign on the end.

Bronze badge

Re: Conficker

Just for shits and giggles, Password123 meets the Active Directory password complexity requirements. It's not all that complex...


Re: Conficker

For a lot of my POC stuff (mainly on VMs on my laptop) where I don't care about security but can't be bothered fixing the complexity rules, I use "Passw0rd" which meets the necessary complexity requirements. "Password1" will generally get past most rulesets as well.

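The two comments above (Password123 and Passw0rd both satisfy the rule) are easy to verify. What follows is an added example, not code from this thread or from Microsoft: a Python approximation of the Windows "Password must meet complexity requirements" policy (at least six characters, no account name or display-name token, characters from at least three of five categories), placed beside the kind of banned-word check that actually stops these passwords. The deny list, the leet-substitution table and the sample names are constructed for the example; a real deployment would use a large breached-password list rather than six words.

```python
import re


def meets_ad_complexity(password: str, sam_account_name: str = "",
                        display_name: str = "") -> bool:
    """Approximation of the Windows 'Password must meet complexity requirements'
    policy (added example, not Microsoft's implementation):
      1. at least six characters long;
      2. must not contain the sAMAccountName (when it is 3+ characters) or any
         display-name token of 3+ characters (tokens split on space, comma,
         period, hyphen, underscore, hash and tab);
      3. characters from at least three of five categories: uppercase, lowercase,
         digits, non-alphanumeric, and other Unicode letters (e.g. CJK).
    """
    if len(password) < 6:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories) >= 3


# Constructed deny list of base words (a real one has hundreds of thousands).
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

# Substitutions users apply to squeeze a dictionary word past the rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leet substitutions,
    so 'Passw0rd', 'P@ssword1' and 'Password123' all reduce to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def is_banned(password: str) -> bool:
    """Substring match against the deny list after normalisation."""
    core = normalize(password)
    return any(word in core for word in BANNED_BASE_WORDS)


def assess(password: str, sam_account_name: str = "", display_name: str = "") -> dict:
    """Run both checks; 'accepted' is what a sensible policy would return."""
    complexity_ok = meets_ad_complexity(password, sam_account_name, display_name)
    banned = is_banned(password)
    return {"complexity_ok": complexity_ok, "banned": banned,
            "accepted": complexity_ok and not banned}


if __name__ == "__main__":
    for candidate in ["Password123", "Passw0rd", "Password1", "P@ssword1",
                      "correct horse battery staple", "JSmith2024!"]:
        print(f"{candidate!r:32} {assess(candidate, 'jsmith', 'John Smith')}")
```

Running it shows the two sides of the problem the thread is laughing at: Password123, Passw0rd and P@ssword1 all pass the complexity rule and only the deny list rejects them, while a long lowercase passphrase fails complexity outright because it only hits two categories. Complexity rules measure character mix, not guessability.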
Anonymous Coward

Re: Conficker

Microsoft's password complexity rules on my dev account are so extreme I have no chance at all of remembering them. In a good month it takes just a few attempts to find words I've never used before and guess what rule I've broken inserting numbers and non alpha chars. Bonus points if I remember it lies about the current rules if you use Firefox.

So every month my pinboard gets another new password written on it just above the monitor. I think they secretly hate security.

Silver badge

Re: Conficker

Something along the lines of Password123 is my go-to "I need an initial password to give to the user before they change it" password.

Which of course means it's used as the sole password all over the place. I drove past my old employers recently, and while they've moved offices since I worked for them, it's still the password for their guest wifi.

(Actual password changed to preserve some of my anonymity)

Anonymous Coward

Re: Conficker

Recently went back to the boozer which was next door to the company I used to work for. Whilst there and waiting for a mate to turn up I watched updates finish on my phone. It is supposed to update over wifi only, not cellular, and was doing so because it had connected to the company wifi. The password was very easy to guess and before leaving I said they should change it to prevent unauthorised access. Obviously following best practice they hadn't bothered and had just left it.

Silver badge

Re: Conficker

> "I need an initial password to give to the user before they change it" password.

Only acceptable if you ALSO set "force password change at next login"

Personally, I do that every time I have to set a new pass for a user, even with some randomness in it.

It means they can't blame me for the non-secure password they _do_ choose.

Silver badge

rtfm

I used to keep unimportant passwords in a file called README.TXT on the assumption that nobody is ever going to read it.

Silver badge

Re: rtfm

I used to keep unimportant passwords in a file called README.TXT on the assumption that nobody is ever going to read it.

:-)

My practice has kind-of evolved over the decades, from a few passwords barely better than PASSWORD1 to many passwords I have to keep in a special directory called passwords. All my stuff there, from unimportant things like my login at El Reg, to others like my bank, stockbroker, and HMRC.

Lots of files there you really couldn't mistake if you were looking. Like, for instance, "theregister.gpg".

ROC

Re: rtfm - password logging

I usually make up the password in an email draft that is not normally sent. Note that it is on a local POP3 account, so no IMAP replication, and not sent unless it is a convenience account (such as discussion fora like this one).

That is for private use nowadays since I retired a couple years ago. When I was working, I would put it in my phone's "Notes" section for my own contact info in some cases, or a post-it that I kept around my desk at home as I worked from there 90% of the time my last 10 years or so. Considering how many post-it scraps littered up my home "work" desk with my random filing system of paper piles, it was fairly safe in obscurity mode as it was scruffy looking with no mention of which password it was...

Silver badge

"I allowed my altruism to win over my cynicism, took off my jacket and sat down to help."

Yeah this used to happen to me when a good looking person was struggling with an IT problem and I offered to help, in the attempt to wow them with my technical prowess.

Never worked though.


ALWAYS, ALWAYS ALWAYS assist with any issue that affects your salary getting paid on time.

Bronze badge

You need an entirely different sort of prowess if you're looking to wow non-IT staff.

Silver badge

I worked on a contract at a naval dockyard and filled in the vetting paperwork, but I was a last minute addition to the team rolling out the new personnel and payroll system.

If the vetting isn't complete, you get 3 daily passes and that's it...

On the fourth day, I turned up at the gate and the security guard didn't want to let me in. I pointed out that my vetting was being processed, but I had to come on site. That didn't impress him.

Then I informed him that I was working on the new payroll system and if I didn't come on site, his bank account would be suspiciously empty at the end of the month... I got a 3 month temporary pass.

Silver badge

There was a time when I had to rush down to the local Police HQ every now and then to help out with problems with the folks who did the overtime payments. I sort of wanted to get stopped en route but it never happened:

Cop: What's the hurry

Me: problem with the overtime payments at **** ****

at this point I imagined a high speed escort!


I spent 6 years in the Navy, 3 groups of people you don't piss off...

The folks who process payroll, the folks that process mail....

or anyone in Medical.... your shot records might go missing....

Silver badge

ALWAYS, ALWAYS ALWAYS assist with any issue that affects your salary getting paid on time.

Three departments to *never* annoy: HR[1], Finance[2] and IT[3]. Because they *will* get their revenge.

[1] Fancy getting paid the right amount this month?

[2] Fancy being able to buy $STUFF?

[3] Fancy being able to log in this week?

Bronze badge

I usually add the facilities and security groups to that list, the former because they keep the roof from falling on my head (most of the time) and the latter because they'll bend some of the more petty rules for you when you are nice to them. :D

Silver badge

Exactly J. Cook. I am always nice to the security guards and / or receptionist when I go somewhere new. They know their way around, they can help you out and they know the short cuts to get you what you need.

If you rub them up the wrong way or are snooty to them when you first come on site, you will find your time there very difficult.


I would add to that list:

The Tea Ladies

The Canteen Staff

(back in the days when they existed)

Silver badge

Ah, Plessey canteens. They were great.

I also worked at GEC/Plessey Telecoms in Coventry. The managers could take guests to the on-site company Golf Club for lunch. Great food, silver service. The manager I was visiting was upset one day, when I said I would grab a sandwich in town, because I had to go to the bank, he thought about letting me go to the bank on company time, so that he could get his free lunch.

Silver badge

Favourite

If I have to put a password on a file that really doesn't need the password but some numpty insists I password protect the file I like to use something like "What password" or "There is no password"...

When the user asks what the password is I look at them blankly and repeat the password. It takes some of them ages to realise that I am telling them the password. Some will argue for ages that there is a password and don't get the joke... I just keep repeating the password.


Re: Favourite

My favourite is blank as in "The password is blank".

Silver badge

Re: Favourite

Who's on first base...

(Youngsters may need to Google it)

Silver badge

Re: Favourite

The password is "secret" was always a good one as well...

Bronze badge

Re: Favourite

It all depends who's on first....

Or what's on second.


Re: Favourite

There are quite a few low-security systems around me where the password is "I already told you that."

Bronze badge

password is secret

Happened to me. Bought some surplus industrial-control systems (Idris. Ask grandpa). Had to call the vendor to get the root password. yep.

Silver badge

Re: Favourite

Who's on first base... (Youngsters may need to Google it)

As always, there's an SMBC comic to subvert that one.

Anonymous Coward

Re: Favourite

Or set the password to something like - Idontknow

"What's the password?"

"I don't know"

Silver badge

Not a patch on the time Richard Feynman took only a couple of guesses to open the set of safes containing a complete copy of all the data for the Manhattan Project.

He put a note in one of them saying "Guess Who" and locked them again.


...Followed by Feynman becoming quite unpopular with the secretaries and personal assistants due to a directive from On High that if he has spent any time at all in their offices, they needed to immediately change the combination of the filing cabinet and safe.

Bronze badge

Feynman's Rule

Actually what he did was put "Wise Guy" in one, "Same Guy" in the second, and "Feynman" in a third. The hapless victim opened "Same Guy" first and declared "It's the Same Guy! The one who's been trying to get into Area X!" (actually the result of a lot of false alarms by dozy guards). He then opened "Wise Guy" and panicked all over again. Finally he opened the last one and hugged his tormentor out of relief.

Silver badge

A client for whom I used to do occasional work got so pissed off with the support from a package vendor* that he cracked the licensing file in order to not have to keep paying their "maintenance" charges. On the basis that I really wanted to keep my distance from that I didn't pay too much attention to how he did it - I think it was simply a matter of resetting some text every few months or updating some date related number.

*He had my sympathy. One gem was that I ended up having to edit the Informix sysindexes table to bring it into line with the actual indexes their C-ISAM S/W had created.

Anonymous Coward

I have had to crack fully licensed software with dongle protection several times just so it actually becomes usable.

Either it's old and the dongle is lost/broken, the check simply doesn't work on some computers, or it needs to work on thin clients without USB ports.

Silver badge

Movie hacking is based on the idea that people are idiots.

Turns out that in the real world, people are idiots.

Who knew?

Gold badge

That's often how Bletchley Park did it.

One of the breakthroughs (on the Lorenz code I think) was because some radio operator had mistyped one word in a signal. So with identical machine settings he re-sent the entire message with just that one letter corrected.

This gave them a message that started identically and then diverged - giving lots of lovely clues on how it worked.


That was the work of Bill Tutte on the reverse engineering of Lorenz. Boggles the mind how they worked that one out.

https://www.codesandciphers.org.uk/lorenz/fish.htm

Gold badge

As I was typing it I was thinking, "and how the hell does that help exactly?" All it means is that you've now got two incomprehensible gobbets of letters, instead of one. So you've actually made the job harder as you've now got more work...

It helped them to spot mathematical patterns, of course. Which would be no bloody use to me, being a bear of very little brain.

What's even more astounding is that they had an Enigma machine to play with, smuggled out of Poland, and then later got some from captured subs. Whereas they never got a physical Lorenz machine, and had to work everything out from just the signals they saw.

Damned clever chaps!


Lorenz break

The actual story is the radio operator broke several rules. First by sending the wheel settings in clear text at the start of the message (HQIBPEXEZMUG), second by resetting back to the same starting position to re-send the message that hadn't been received, third by abbreviating words (the second message was almost 500 letters shorter than the first).

These two messages directly led to the breaking of the Lorenz cipher and the building of the world's first electronic computer.

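The "depth" described in the comments above (two messages enciphered from the same wheel start, the second one shorter) is the classic keystream-reuse failure, and it is the same mistake as reusing a nonce with RC4, AES-CTR or ChaCha20 today. The following is an added example, not from the thread, and it does not model the real Lorenz machine or its 5-bit teleprinter code: it uses a toy byte-wise XOR stream cipher with a constructed xorshift keystream and two constructed messages. It shows why a defender must treat key or nonce reuse as a total loss of confidentiality: XORing the two ciphertexts cancels the key, identical stretches of text show up as zero bytes, and once either plaintext is known the keystream, and with it the other message, fall out directly.

```python
def keystream(seed: int, length: int) -> bytes:
    """Deterministic pseudo-random keystream (xorshift32) standing in for the
    cipher machine's wheels. Constructed for illustration; not a secure PRNG."""
    x = (seed & 0xFFFFFFFF) or 1
    out = bytearray()
    while len(out) < length:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out.append(x & 0xFF)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: int, plaintext: bytes) -> bytes:
    """Additive stream cipher: ciphertext = plaintext XOR keystream(seed).
    Decryption is the same operation, so encrypt(seed, ciphertext) == plaintext."""
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


def depth_residue(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same keystream: c1 ^ c2 == p1 ^ p2.
    The key cancels completely; nothing about the machine is needed."""
    return xor_bytes(c1, c2)


def common_prefix_len(residue: bytes) -> int:
    """Zero bytes in the residue mark positions where both plaintexts agree;
    the run of leading zeros is the shared opening of the two messages."""
    n = 0
    for b in residue:
        if b != 0:
            break
        n += 1
    return n


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Once one plaintext is known (or guessed), c ^ p yields the keystream itself,
    which then decrypts every other message sent from the same start position."""
    return xor_bytes(ciphertext, known_plaintext)


def demo():
    """Constructed re-send scenario: the same opening, then an abbreviated body."""
    seed = 0x1A2B3C4D  # constructed 'wheel setting' reused for both messages
    p1 = b"TO ARMY GROUP SOUTH STOP SUPPLY STATUS FOLLOWS STOP AMMUNITION LOW"
    p2 = b"TO ARMY GROUP SOUTH STOP SUPPLY STATUS FOLLOWS STOP AMMO LOW"
    c1 = encrypt(seed, p1)
    c2 = encrypt(seed, p2)
    residue = depth_residue(c1, c2)
    prefix = common_prefix_len(residue)
    recovered_p2 = xor_bytes(c2, recover_keystream(c1, p1))
    return prefix, residue, recovered_p2


if __name__ == "__main__":
    prefix, residue, recovered = demo()
    print("shared prefix length:", prefix)
    print("residue (hex):", residue.hex())
    print("second message recovered via first:", recovered)
```

With a fresh seed for the second message the residue is just noise and the prefix length collapses to zero, which is the whole point of a unique starting position or nonce per message. Historically the depth let the Bletchley Park analysts recover the two plaintexts and so the keystream; Tutte's work was then to reconstruct the wheel structure from that recovered keystream, which this toy does not attempt.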

I recall listening in despair on the radio as some numpty of a reserve officer - in a combat zone - gave his unit's map location in clear. Then realizing his error, he gave the same map location again, in code.


Simple statistics

Not to brag, but guessing the right password is just a matter of simple statistics really.

"In the fragile reality of Discworld, and with the gods who like to play games, a million-to-one chance succeeds nine times out of ten."

(Why is the "Discworld" icon missing?)


Pft, amateurs

Ours are Password123



Biting the hand that feeds IT © 1998–2017