In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies. Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.
A Real Phishing Attack
In most cases, this is how the attack goes in a penetration test. We set up a website with a username and password field. Often, this is a complete duplicate of a real website that the employees are comfortable accessing.
We then send fraudulent emails to employees, letting them know they need to log in and check some very important information. Usually, we prompt them to log in and correct some error in their healthcare package, or check a box for a time-sensitive agreement to a corporate healthcare change. We know (and social engineers know) that an urgent email with details about health insurance turns typically savvy employees into fish in a barrel.
And once the employees log in to our site, we’ve already skimmed their usernames and passwords before they realize anything is wrong. Sometimes, the employees never even realize they were part of an attack.
We’ve done this many times, and have gotten hundreds of usernames and passwords. In fact, some employees try four or five times with every password they’ve ever had.
So…what do you think the most common ones are? Is it, in fact, “password?” Their birthdate? Or the new darling of 2014, “123456?”
Nope. In fact, in one case, 20-30% of the retrieved passwords were “Summer 2010.” Why? Because that company has a policy that requires employees to change their passwords every 90 days—so everyone would just use the season and the year.
When Security Policy is the Problem
This is a real problem, for several reasons. First, those passwords are easy to guess, especially in a setting where the season (or semester) is important to the work. In addition, once an attacker guesses that password, he doesn't just know it once. He knows the pattern, and therefore every future password, forever.
But the bigger issue here is a policy problem. Companies think that, by making people change their passwords every 90 days, they’ve created an extremely secure environment. Unfortunately, as in the case above, hard-nosed policy actually lowers security.
Security policies are only valuable if they actually improve security—and every policy must be evaluated from that perspective.
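A concrete way to act on that principle, as an added example that is not from the original post: instead of relying on a 90-day rotation rule, screen new passwords at change time for the very pattern the rotation produced. The filter below flags season-plus-year strings (“Summer2010”, “winter_11!”, “2010Fall”) and can also be run by an administrator over a list of candidate passwords to measure how much of a population has drifted into the pattern. The sample password list is constructed for illustration; the function names, the 12-character minimum and the season list are assumptions, not anything the post or any product specifies.

```python
import re

# Words people reach for when a policy forces a change every quarter.
SEASONS = ("spring", "summer", "fall", "autumn", "winter")

_SEASON = "|".join(SEASONS)
_YEAR = r"(?:19|20)?\d{2}"          # "10", "2010", "11", "2011" ...
_SEP = r"[\W_]*"                    # spaces, punctuation, underscores, or nothing

# season then year, or year then season, with optional separators/trailing symbols
SEASONAL_RE = re.compile(
    rf"^{_SEP}(?:(?:{_SEASON}){_SEP}{_YEAR}|{_YEAR}{_SEP}(?:{_SEASON})){_SEP}$",
    re.IGNORECASE,
)


def is_seasonal_password(candidate: str) -> bool:
    """True if the whole password is just a season and a year (plus filler)."""
    return SEASONAL_RE.fullmatch(candidate) is not None


def seasonal_share(passwords) -> float:
    """Fraction of a list of passwords that follow the season/year pattern.

    Useful for an administrator auditing a set of candidate passwords to see
    whether a rotation policy has pushed users toward predictable choices.
    """
    passwords = list(passwords)
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if is_seasonal_password(p))
    return hits / len(passwords)


def policy_violation(candidate: str, min_length: int = 12):
    """Return a rejection reason for a proposed password, or None if it passes.

    The predictability check runs first so a user sees the real problem
    ("don't use Season+Year") rather than just a length complaint.
    """
    if is_seasonal_password(candidate):
        return "season/year pattern"
    if len(candidate) < min_length:
        return "too short"
    return None


# Constructed sample, not real data from any engagement.
SAMPLE_PASSWORDS = [
    "Summer2010",
    "summer 2010!",
    "Winter_11",
    "Fall2010",
    "P@ssw0rd",
    "correcthorsebatterystaple",
    "Spring",            # no year, so not the pattern being screened for
    "jjenkins2010",      # name + year: weak, but a different pattern
    "Autumn-2011",
    "Tr0ub4dor&3",
]

if __name__ == "__main__":
    share = seasonal_share(SAMPLE_PASSWORDS)
    print(f"season/year passwords: {share:.0%} of sample")
    for pw in ("Summer_2010!!", "correcthorsebatterystaple"):
        print(pw, "->", policy_violation(pw) or "accepted")
```

The regex deliberately refuses to match when letters precede the season, so a longer passphrase that happens to contain “summer” is not rejected; only passwords that consist of nothing but a season, a year and filler characters are caught. Widening the list to month names, or normalising common substitutions before matching, are natural extensions if an audit shows those variants in use.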
Here’s another example. In some companies with which we’ve worked, policy requires all employees to leave a detailed voicemail greeting if they’ll be out of the office for any extended period of time. In one case, for a gentleman who would be out of the office for a year, that message included his title, his position, how long he would be gone, and who would act in his place. It sounded something like this:
“Hi I’m Jack Jenkins, VP of blah blah. I’ll be out of the office from Feb 2011 to Feb 2012. I will not be able to receive information. If you need help, please contact Jeff Walters.”
Bad policy. Easy pickings.
After a quick hack of “Jack’s” voicemail, we were able to receive messages full of sensitive information, impersonate Jack, and even enter conference calls and accept tasks. We had full control of Jack’s office for an entire year.
Was it “Jack’s” fault? Not really. After all, he was just following protocol.
Read the rest of the stories in our Oh, the Humanity series