Fun With Passwords?

eSims asks: "Most all SysAdmins have the pleasure of picking passwords and while we know the rules for picking good passwords we also know how to have a little fun with them as well. Password choices may be inside jokes about management, comments on the company, or just torture for the users we assign them to, but often they are funny. Without giving away the company secrets what are some of your funny stories about password selection?"

Generation tool

[Plake]

We use a generation tool to create our passwords from "/usr/dict/words". It breaks passwords down to 3 word chunks (from 3 to 4 characters) with random characters between them. This makes passwords from 11 - 14 characters which is more then safe for user accounts.

When they want to change we have another tool that works based on some of those rules so users can just reset their password to password.

Re:Generation tool

[Plake]

Oh, I missed the funny part...

You'd be amazed how many times the word "orgy" comes up for our list of passwords. :)

We usually don't set new employee passwords with simlar words in it, we'll just re-generate a new one.

Re:Generation tool

[BrookHarty]

Whats funny is one piece of software didnt like a guys name, Steve Hitty. (something like that). We use first initial last name. Username = shitty

The software would block the username. Love that pattern matching programs, "ass" was also blocked, and tons of usernames had *ass* in it. Crazy, but I understand you dont want a guy with a vulgar vanity email address.

Re:Generation tool

[Sparr0]

assman@seinfeld.nbc.com

Hey Assman!

Re:Generation tool

[BrookHarty]

More like bassfisher@domain.com

Re:Generation tool

bassfisher@domain.com

You're thinking of Sal Bass, "Salmon Rushdie's pseudonym". Kramer was the assman.

Re:Generation tool

[Kevin+Burtch]

One place I used to admin, one of the users was Jim Root!
Not kidding... always ended up having to call the helpdesk every time the root password was changed on all the servers - some dork didn't know how to write scripts that handle usernames with "root" in 'em.
He was amazingly patient with us, kinda backwards situation.

Re:Generation tool

[TheTomcat]

offtopic for the article, but on-topic for the thread:

in Quebec, our medical cards have ifentifiers. They start with 4 letters, followed by numbers (birth date representation, unique identifier, etc).

The letters work like this:
first 3 letters: first 3 letters of your last name
4th letter: first letter of your first name

Mine, for instance, is COAS(bunch of numbers).

I have a friend named Troy Cunningham.

S

NASA

[boredMDer]

I have a friend who works at NASA (not like 'Houston, we have a problem!', but a local office in MD).

He was working on deploying some APs at the office, rather configuring them after they had already been set up.

He goes to configure one of them, and finds that the default password doesn't work (that's a good thing, of course). So he yells across the room to his supervisor: 'Hey Jim, what's the password to the AP?'

Jim yells back: 'cumshot'.

For some reason I really doubt that anyone else was aware of that, or he surely would've had to change it.

Re:NASA

[ThePDW]

Is that NASA Goddard? I interned there for a while. Sweet place to work!!

Funny Story....

[Karma+Farmer]

Here's a funny way to do passwords:

• single sign on everywhere, so no-one (including the sys admin) ever has multiple passwords.
• initial passwords are generated randomly, instead of at the whim of an already over-worked sys admin.
• no-one but the user ever knows what the user's initial password is.

Ha ha ha. Isn't that funny?

Re:Funny Story....

[orangesquid]

Oooh! What's funnier is having different root passwords for every machine. Ooooh, and what really gets me cracking up is when I set it up so only a select group of users can 'su'!

Don't even get me started on setting up ssh so you always have to enter your password! Oh man! I'm rolling! ROFLMAOLOL!!! OLOLOLOLLL!!!

Re:Funny Story....

[kris_lang]

Here's a -1 Truly Tragic story:

I was at a place (up Chuck river) that was supposed to be reknowned for it's information processing savvy, Python and CORBA and other soupy-acronyms abounded everywhere. The sysadmin had the wacky idea of everyones' passwords on multiple machines being :

First Initial + last Initial + initials of Research Program + last two numerals of year.

Yes, I kid you not. Everyone had accounts on, oh about eight to ten unix machines, with all passwords immediately known by all fellow users. And before you get misty-eyed and say oh it was so long ago a trusting time, it was 1995. (which was a long time ago in internet time.)

Re:Funny Story....

Ah, the brilliance of that scheme.

Similar story: my father's employer rolled out an electronic system to allow all the employees to manage their bennies. Rather than use any sort of even vaguely secure initial password, each employee's password is set to First Initial + Last Initial + Phone Extension.

But wait! It gets better!

They didn't see fit to include the capability to change your password, so everyone's password is permanently known to everyone else not only in his location, but in any of the company's other offices.

John Smith, extension 2698, this was your life! *click*

Experiment in Password Abuse

[Nyhm]

Hypothesis:

IT staff regularly reads user passwords (for fun, profit, bogus administration, lack of professionalism, total misunderstanding of why security requires the sanctity of private passwords).

Try this experiment:

1. Change your password(s) to something abusive toward the IT staff.
2. Observe the IT staff (watch for them to become irate, agitated, angry, or any other such synonyhm).
3. Change this password everywhere you've used it across the Internet

Step 3, of course, brings into question the diligence of the user.

Re:Experiment in Password Abuse

Step 2, of course, requires that you can distinguish the effect of your experiment from their normal demeanor. Better warning signs might be weight gain and sloppy clothing -- wait, no...

Re:Experiment in Password Abuse

[Blackknight]

This won't work, since passwords are usually stored in an encrypted form.

Re:Experiment in Password Abuse

[Uplore]

Actually, as a sysadmin myself who uses Active Directory on a Win2000 system we are unable to see the users password at all. So changing the password to something nasty towards the IT staff would have no effect.

Re:Experiment in Password Abuse

[cicadia]

This won't work, since passwords are usually stored in an encrypted form.

Usually? Which passwords? For what application? In-house or commercial software?

There's not much that you can say is usually true about passwords. They've been implemented thousands of times, by thousands of different developers, and I've seen plenty of systems where user passwords are stored, plaintext, in a database somewhere, or in a file readable (supposedly) by administrators.

There are good ways to do passwords, and bad ways to do passwords, and there're plenty of examples of both out there; certainly enough that I don't have any trouble believing the parent poster's claims.

Re:Experiment in Password Abuse

[Nyhm]

Of couse, you'd hope this wouldn't work. That's part of the experiment. Does the IT staff employ software that does not protect user passwords? Even if the software was written well enough, does the IT staff actively circumvent this to get your passwords (for any of the reasons listed above)?

Here's another way to conduct the experiment, with more direct results: ask the IT staff. If they have no clue whatsoever, they'll likely flat out tell you they harvest plaintext passwords - for "administrative purposes."

Another givaway is finding a sheet of paper with everyone's name and password written on it, in the clutches of an IT staff member. Has anyone ever experienced this? What is the proper business ediquite for following up on this?

Re:Experiment in Password Abuse

[caseydk]

Uh no...

The boss of my company is named "Bill". His password for *everything* is "Bill5" and it's not encrypted anywhere.

Re:Experiment in Password Abuse

[ResidntGeek]

You better not let anyone find out what company you work for. That could cause problems.

Re:Experiment in Password Abuse

[Just+Some+Guy]

The compsci department at my university had a little Linux box for students to use and a complete idiot to run it [1]. As an example, one time I ran "./configure" for some harmless program or another and he freaked out and reported me for "hacking" because it splashed files outside of my home directory (in /tmp if I remember right).

Any way, I started touch'ing files in a world-unreadable subdirectory under $HOME like "paul bender can kiss my butt" and "paul bender dates his mother". He couldn't really say anything about it because that would be admitting that he was snooping around in places that noone but me should have access to, but some of the dirty looks were priceless.

As mentioned before on Slashdot, he now works for the NSA. Your tax dollars are funding this idiot's paycheck. That's also the reason that I still have "$HOME/paul bender uses drugs" on my personal server at home. If the NSA really can break strong crypto and they've been digging through my system, then that's my way of saying "hi!".

Re:Experiment in Password Abuse

[vegaspctech]

The boss of my company is named "Bill". His password for *everything* is "Bill5" and it's not encrypted anywhere.

Please tell me that 'HGP' and 'ORNL' mean nothing to you, or tell Bill to change his passwords.

"changed" or "invalid"

As in:
your password is changed
your password is invalid

Re:"changed" or "invalid"

[MachDelta]

One of the passwords used where I work was "correct", because when you enter a bad password, it says "Password is not correct".

That was changed a while though. Now our new password is "eatass". Shh... don't tell anyone! ;)

Re:"changed" or "invalid"

[DZign]

'secret', also nice if someone asks.

And back at university (10 yr ago) the sysop just took the username and added a 1 in front of it.
So account joe had password 1joe.
Should be changed when a user logged on but many users didn't. When you went to him to ask to have your pwd reset because you forgot, the answer always was 'no prob I reset it, you know what it will be'.
And usually he created new accounts on monday morning or so, so quite a lot of people were logged in then to see what accounts were just added to the passwd file :-)

Re:"changed" or "invalid"

we used the root password "notobvious" because that's what the manual said to make sure of.

Three letter password

I know a guy who used to work at IBM. He told me that in all of their systems, the default password was... you guessed it "IBM". And this was also in systems with sensitive data. This was in the late nineties, where they really should know better, but I guess they didn't.

Hope they have changed the passwords by now.

Re:Three letter password

[mmynsted]

I am sure that post was an attempt at humor. . . If not then I assure you "that guy" is/was full of it.

Re:Three letter password

BS - the password guidelines at IBM are much more restrictive than that.

Vendor Passwords

[BrookHarty]

One of the duties of being a Sys-admin is giving out passwords/access for vendors. You need to poke fun at them for all the outages.

g0f1x[t

Also one vendor pissed me off, so I used a competing vendor as a password. example, "3yC!sc0"

But then, its funny you spend that much time coming up with entertaining passwords and the hardware only supports telnet.

Re:Vendor Passwords

[RandomCoil]

But then, its funny you spend that much time coming up with entertaining passwords and the hardware only supports telnet.

That's ok, it just means more people get to see your joke!

Re:Vendor Passwords

You must not be running the right software.

Router#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Re:Vendor Passwords

You didnt understand, a vendor NOT Cisco. ;)

Thats the point in the password.

Re:Vendor Passwords

[lecuyerjm]

BOFH ... BOFH - I will need your username? ENDUSER - Hum , ok it's MART2102 BOFH - Here's your new password: *(]/"\!] ENDUSER - What's that ? BOFH - This is your new password and don't write it down . Because of the new solar flare, we reinforced our security policy. ENDUSER - But, but it's too hard to remember. Can you change it. BOFH - No ... but with this password no one will able to delete or access your files. ENDUSER - But what's the password again. BOFH - (HANG UP)

Not especially funny, but might be useful

[bairy]

I know this is drifting off topic but some people might find it useful

I once read a tip about website passwords where you shouldn't have the same password for all sites that need a logic. One of the best suggestions I read was to have a password of say 4 characters, and intersperse the website name into it.

e.g. if your password is 1234 and you're logging into download.com it might be 1d2o3w4l or if it's slashdot.com then 1s2l3a4s or if it's msn.com then 1c2r3a4p etc. It's different for all and harder to guess, and cos it's not a word, anyone watching the keyboard might not pick up on you typing it.

Re:Not especially funny, but might be useful

you shouldn't have the same password for all sites that need a logic.

or a grammar, for that matter, or a sense-making.

Re:Not especially funny, but might be useful

[SwellJoe]

I once read a tip about website passwords where you shouldn't have the same password for all sites that need a logic. One of the best suggestions I read was to have a password of say 4 characters, and intersperse the website name into it.

Ah, I get it. So that when the slashdot guys read your password 1s2l3a4s, they'll be able to guess that your yahoo mail password is 1y2a3h4o. Perfect! It's a system whereby you use a different password on every site, but still manage to make it available to anyone who has one of your passwords. In-genius. Really. I mean it.

Re:Not especially funny, but might be useful

[bairy]

logic = login. Grr I shouldn't watch tv and post at the same time.

Re:Not especially funny, but might be useful

[GTRacer]

True. But I do the same thing, except the "per-website" key isn't self-evident.

I won't tell you the "root" portion of my passwords, but try guessing what the key is for, say, my Discover.com account. My keys are usually 2 or 3 chars, depending on site PW length rules.

Have fun!

GTRacer
- The account's no good anyway

Re:Not especially funny, but might be useful

Pussies.

I just generate an MD5 hash of the websites URL
in my head and XOR the result with my password.

Re:Not especially funny, but might be useful

[Iphtashu+Fitz]

A long time ago at a company far far away we had an ftp server that had a generic account on it for downloads only. The password was "downloadfiles" but with the caveat that each vowel was replaced by an incremented number, so the actual password was "d0wnl12df3l4s"

Re:Not especially funny, but might be useful

[figge]

you shouldn't have the same password for all sites that need a logi[n].

What about sites where I don't need a login? Is it all right to use the same password for them? ;)

Re:Not especially funny, but might be useful

has anyone tried logging on to his /. account with that password? im just curious if thats his real /. password. if so, we might see some very interesing comments from "bairy" in the near future ;)

My own worst enemy

[Curtman]

I use alpha-numeric passwords religiously, and usually throw a couple non alpha numerics in the mix. On more than one occasion, I've forgotten them. Nothing will humble a guy like having to break into his own box, and succeeding.

Re:My own worst enemy

How do you hack into a computer without a password?

Re:My own worst enemy

[Curtman]

Well, if you've got Windows, you use a Windows CD, I don't remember the details, but Google's got instructions. If you've got Linux, you probably use Knoppix, mount the partition and clear the password out of /etc/shadow. If you got OS X, they were even nice enough to put a utility on the CD that lets you set the root password to blank.

If you've got access to the box, you've got access to its data.

Re:My own worst enemy

[Ycros]

Not if it's encrypted. But then you're totally screwed if you lose your password. (:

Re:My own worst enemy

[Curtman]

True, but if its encrypted, then the key to decrypt isn't on the disk, its on your USB device or whatever. And you knew better than to lose that without a backup. ;)

Re:My own worst enemy

[brunson]

Reboot into single user mode and use the passwd command to change your password. Or use an exploit to hack root and edit the passwd file. Or put the disk into another machine that you have root on, mount it and edit the passwd file.

Re:My own worst enemy

[mbadolato]

How do you hack into a computer without a password?

By sitting at the computer, looking around the desk and recalling some trivial piece of information about the owner, even though you've never had it. You're guarenteed to get in by your 3rd attempt or you movie admission ticket will be refunded.

Re:My own worst enemy

[jbrader]

on most g4 and lower you can just reboot into os9 and do whatever you want

Re:My own worst enemy

[Curtman]

Reboot into single user mode and use the passwd command to change your password

What distro is that? Every one I've used still prompts for the root password when you boot in single user mode.

Re:My own worst enemy

[andreyw]

Mac OS X

Yes, Yes I know there are solutions to this gaping wound, but AFAIK all commercial. The sysadmins at my schools just put blinds over their eyes and hoped everyone would be too clueless to notice.

I took it upon myself to hand them the cluestick.

Re:My own worst enemy

[Curtman]

I wouldn't really consider it a gaping wound, since nearly every OS is vulnerable to it in some way or another. Its a fact of life - don't let untrusted people near your box. Or take your data with you or something..

Re:My own worst enemy

[sigxcpu]

then try passing init=/bin/bash on the kernel cmdline

- if the machine's bootloader has a password, a grub boot disk will do the trick.
- that also might be blocked but there are ways around that too.

the rule of thumb is that you can allways break into a machine to which you have physical access.

Re:My own worst enemy

[Curtman]

the rule of thumb is that you can allways break into a machine to which you have physical access

I know, I said that a couple of times right up there ^^^^

Re:My own worst enemy

[mokomull]

My Fedora Core 1 (and 2, I believe ... didn't keep 2 around long enough to try, I don't think ... upgraded to DEBIAN!) installation didn't prompt.

Re:My own worst enemy

[peacefinder]

I was helping a user set up a new e-mail account last week. I got it set up to the point where it needed her to choose a password, gave her a brief refresher lecture on strong passowrds, and then stepped aside so she could enter one. I looked away from the keyboard.

As I started to hear keyboard clicks, I said "Remember, not your husband or child's name." I thought was kidding.

She stopped typing, and I looked over in time to see her deleting what she had. After a moment, she started typing again.

"Not pets, either" I said, mortified.

She stopped again.

I wasn't sure whether to laugh or cry. I know that people ignore password policies whenever possible, but still...

So I changed plans, and set up Password Safe for her, and showed her how to use it to generate and store passwords. Maybe if it's dead easy to use complex passwords, she might actually do it. She seemed grateful, so I'm hoping.

But I'm not holding my breath.

Re:My own worst enemy

[andreyw]

Well these /are/ G4s sitting cutely in a computer lab. This means one disgruntled student potentially rm -rf /'ing all the computers. And unless you want to shell-out money, there is no solution (unless something changed in the last 3 months). Thats not really acceptable. Hopefully that gets fixed in Tigger.

Re:My own worst enemy

[magefile]

"Tigger" - was that an honest typo, a jab at Apple, or a Freudian slip?

Re:My own worst enemy

[hunterx11]

Using vim to mark the console as insecure in /etc/ttys is hardly "commercial" :)
Better yet, use OpenFirmware protection (which is really a must-have for schools imo).

Re:My own worst enemy

I wouldn't really consider it a gaping wound, since nearly every OS is vulnerable to it in some way or another. Its a fact of life - don't let untrusted people near your box. Or take your data with you or something..

If the attacker has physical access to your machine, it's over... period.

The only possible defense is an encryption key that is not physically stored with the machine (Windows EFS doesn't not count).

(I use PGPDisk along with a long passphrase to protect stuff that I'd worry about should the laptop get stolen. Windows EFS gets used for everything else where I merely want to make it difficult for the attacker.)

Passwords are kept in plain-text files in my home folder. Except that the contents of the text files are encrypted with PGP (encrypt current window command).

Makes it dead simple to backup your password list. Works well for storing website passwords (of which you'll probably collect a few dozen in the space of a year as you register for new sites).

Re:My own worst enemy

[jrockway]

YOU handed them the cluestick? I recall you yelling at me (and walking away very quickly) as I was running mkfs.ext2 on the root partition :D

Thanks for the idea though :)

Oh, and to the system admins reading this, I... uh... DIDN'T do that.

Re:My own worst enemy

[jrockway]

That's my cat's name and I was just discussing with andreyw why I can't name my powerbook that. Because the next release is Tiger. Tiger box named tigger just doesn't work. So now it's called powerwire. Dumb name *sigh*.

Re:My own worst enemy

[andreyw]

uh no you didn't... since ............. there is no mkfs.ext2

Actually you fucked with SOMETHING, so I had to clean it up and reboot the G4...

Re:My own worst enemy

[CAlworth1]

No, there are options other than commercial to fix this. The easiest by far is from apple - the Open Firmware password utility. As far as I can tell, it renders the computer nearly invincible to easy workarounds - you can't boot off of a cd w/o the password, you can't boot into single user mode w/o the password, etc.

The trick is, if the user can open the box, and remove any amount of ram, it resets something in the mobo, and the password is eliminated. So don't advertise that fact, or else lock your boxes

Re:My own worst enemy

[Karma+Farmer]

Wow. You should install metal detectors at the enterances to the labs, so that no-one is able to bring in a really big magnet and erase the hard drives that way, too.

BOFH

[judd]

I can personally attest that Simon Travaglia on separate occasions changed my password to:
- "fuckwit"
- "ican'tremembermypassword"

Great days, great days.

Re:BOFH

[tonyr60]

Oh my god! That is like Moses giving me an autographed copy of the ten commandmemts, or Andy Bechtolscheim over clocking my calculator.

Re:BOFH

[Errtu76]

really? Last time i asked i ended up with no files in my homedir, my gf gone, house sold, parents divorced, cat died and i'm in jail.

Re:BOFH

How about (after some user forgets is password):

imaginebeingsostupid

Re:BOFH

[Pantheraleo2k3]

The official BOFH passwords are 'goshimaplonker' and 'imaginebeingsostupid' from, IIRC, the New Bastard Menu from Hell (available at bofh.iinet.au IIRC)

Re:BOFH

[gandalphthegreen]

Or "knobhead". Alternatively, to get the boss in trouble with the automated, voice-activated computer support that acts like the PFY, "Yew-Anchors," "Ute Ossers," and "Far Queue." Or "WONKER"

Oh, and does the PFY have a name anyway? I've always wondered about this. The only lead I have is "Sir Steven of the Daisy Wheel Printer."

Re:BOFH

[Pantheraleo2k3]

I was referring to what the PFY used to change user passwords to, before something happened (I think he fell in love again). I have to commend you for your knowledge of BOFH tho, I never knew anyone else was so obsessed

Also, Sir Steven is the only lead I have ever seen of the PFY's name. He is always referred to as The PFY, often with the T in 'the' capitalized.

Finally, in the first episode of BOFH 2001, the PFY does this to confuse users:

"You can't remember your password over the break?" The PFY cries happily into his headset, "OK, I'll change it to 'tomorrow' for you, one 'm', two 'r's... Oh, don't mention it."

One hour later

"You can't remember your password after the break," the PFY cries into his headset, "I've changed it to 'thedayaftertomorrow' for you. Bye"

One hour after that

"You can't remember your password after little more than a week?!?" the PFY snorts into his headset. "I suppose we're lucky you found your way to work...I'll change your password the day after tomorrow. >click"

sometimes I get bored

[QuantumRiff]

and a bored sysadmin is a dangerous one. My all time favoritte was at an old Dot Com we worked for. New VP of sales comes running up to us needing an account quickly. (of course, nobody had told us he was hired, and in fact, just accepted the job 5 minutes before he was in our office.). So he demands a new account so he can check his portfolio on the web.

We set him up, and tell him his password is blank.

Two minutes later, he comes back awfully upset, demands that we reset his password, cause it wasn't blank. So we do.

2 minutes later, he's really getting pissed. Comes back with the head of IT. We ask him if the caps lock is on? He gets furious, asking how the hell it could matter if the caps was on with a blank password. We respond with, "there is a big difference between a capital B and a little b". He is seething, but slowly the realization creeps in, and he figures out what the hell we meant. Our boss, sits there like a statue, till the sales guy leaves, and then just explodes in laughter so hard he couldn't stand.

ahh, the days of the dot-coms, how I will miss thee...

Re:sometimes I get bored

[QuantumRiff]

Forgot to mention, the other best password for laughs is "why"

whats the password to the file server?

why

Cause i need the password to do work

why..........etc...

Re:sometimes I get bored

[homerjs42]

We had a system where the admin password was none. That was a fairly good one.

Re:sometimes I get bored

[Gudlyf]

Forgot to mention, the other best password for laughs is "why"

Even meaner: "y".

Re:sometimes I get bored

[gstoddart]

A friend in University had an account for a course (semester long accounts for some courses) which was shared among several people.

Someone asked for the password, and he said "figure it out for yourself ... it's obvious".

It took the person trying to get the password a *long* time to figure out how to log in.

Most funny.

I Had Mod points

[TubeSteak]

And i was about to mod your comment... but I wanted a "-1 Tragic" to go along with "+1 Funny"

Abbott & Costello

[angst_ridden_hipster]

I once knew a sysadmin who liked doing the ol' Abbott & Costello with passwords:

User: What's my password again?
Admin: "login"
User: Yeah, that's what I'm trying to do, but I can't remember my password.
Admin: "login"
(etc)

User2: What's the username for the Reservation system?
Admin: "password?"
User2: No, I remember the password is "a$$h@t" but I don't remember that funny username.
Admin: "password?"
(etc)

l33t speak

[Alizarin+Erythrosin]

If I need a general password for a service to share with others, I typically take a word and l33t-ize it in a simple manner so it's not a dictionary word.

For example: wh4t3v3r or w1r3l3ss

Re:l33t speak

[wonkavader]

Yes, that's classic. I see that a lot.

And it's terrible.

Play with crack sometime, if you haven't already. How many rules do you have to go through to cover all likely L33T'ing up of a dictionary? Five? Maybe Ten?

Compare that to adding ONE stinking punctuation character into the middle of a word. That's (number of punctuation marks available * positions) = at least 250.

So adding a single punctuation mark in a word means a dictionary attack needs about 7,500,000 tries, whereas L33ting it up means the dictionary attack needs 300,000 tries.

Stoping l33ting. It's infantile, hard for users to remember, and not helpful for security.

You know what works many times better? MISPELLING A WORD.

GF Pass

[HerbieTMac]

At one point, my gf (a very petite woman) was using the password: #4#I!Better

A true statement, if ever there was one.

Re:GF Pass

[andfarm]

Pound For Pound, I Bang Better?

*ducks*

Re:GF Pass

[Bazman]

Hash for hash, I'm Not Better? That makes sense, if that's really good hash...

Re:GF Pass

<British>

Hash for hash, I exclamation Better?

</British>

"enter", "nothing", yah, yah...

[leonbrooks]

...but I once had a customer forget "unforgettable".

The lass was a walking blonde joke. Quite bright once she had everything assembled in her head, and very efficient at what she did, but if she ever got rattled it all went out the window.

Not as secure as you think

[gazoombo]

I used to do the same thing, but then stumbled across a number of password crackers that take this into account. They run dictionary attacks, but they also try every possible 'l33tsp34k' variation. It takes a while to run this kind of attack, but not quite as long as a plain ole brute force. I advise using password generating tools to create truly random passwords.

Re:Not as secure as you think

[WuphonsReach]

I advise using password generating tools to create truly random passwords.

The easiest is to keep a random word generator (or a dictionary) handy. Trying to come up with random words off the top of your head is an iffy proposition. You probably only use a few thousand words regularly, yet a good word file with have a few hundred thousand entries.

For example, here's an output from a very basic generator:

innatelyagouti0
unpredacious!rah
snowwhiterawly0
betulaceae35fave0
pandani&aerocyst>
schorlous-mondos0
exteriorise!derig0
trophied+unthrust0
essoin+coblenz*
crottels&autumn
ungarter3trudger0
tragicaster75saws=
inemuloussnubber%
synapsed11steichen0
permalloys*bergh0
vakia$czaritza?
upstater*slubs/
predictablefeif0
unbuskkataplexy0
outcrossing!ilona!

And it's kind of amusing that "predictable" is in there... (I swear I didn't put it there on purpose).

id10t

[slashjames]

enough said :)

The problem of the slow moving admin

[thedave]

I work as a consultant within a Fortune 100 manufacturer.

During our projects we have to set up a simulation lab and run our project for a few months prior to installing at the factory.

For one project, the lab servers were administered by a person who either did not understand the purpose behind the lab, or simply did not care about our priorities. And, his delays were causing us to run behind schedule.

After some political wrangling, I assumed administrative responsibility of the machines in our test environment.

The months passed, we restored the schedule, and were packing up to head to the job site to install the system, and it was time for me to turnover the systems back to the original admin.

But, he flaked on the meeting, so I'm standing there with root on the lab systems some of which are trusted by outside networks. And, he did not bother to show for the meeting that he called.

So, I set the passwords, and put them in a sealed, unlabeled envelope, and handed them to one of the other admins with whom I had become friends.

The only instructions I gave him were: "You'll know what to do with this when the time comes."

A few weeks later, I got the phone call from my friend talking about the other admin, "He came in here shouting and cussing about how that damn consultant had locked him out of his own systems, then took off without turning over the passwords. I new then that it was time to use the envelope."

Written on the piece of paper in the envelope was one word in block letters: 1nc0mp3t3nt

Re:The problem of the slow moving admin

[Maestro4k]

• A few weeks later, I got the phone call from my friend talking about the other admin, "He came in here shouting and cussing about how that damn consultant had locked him out of his own systems, then took off without turning over the passwords. I new then that it was time to use the envelope."

I just want to know if this resulted in the idiot admin losing his job. :)

Re:The problem of the slow moving admin

[thedave]

Nope. He actually came around, and stayed pretty on top of it.

They've switched platforms, so he switched companies.

When he left, they lost a powerful player.

Forgotten Passwords

[brunson]

The only cool thing about Netware was the length of passwords you could use. I was in the habit of resetting forgotten user passwords to things like 'Icantbelieveiforgotmypassword' or 'boydoIfeellikeanidiot'.

shhhh!!!!

[hatrisc]

i know of a company...which uses either 'xxx', 'x' or 'xxxxxxxxx' for their passwords on all their production servers.

Re:shhhh!!!!

Everyone knows thats the password Valve uses, duh!

short password reset story

[bersl2]

Computer teacher [yelling across crowded a computer lab]: "OK, [name], your new password is 'temp.' That's T-E-M-P 'temp.'"

As you can imagine, much fun was had with this one.

I use the same password on all my systems

[Glonoinha]

The password I use on all the systems I access is ********

Re:I use the same password on all my systems

[Marxist+Hacker+42]

You don't access any systems that require passwords greater than 8 characters?

Re:I use the same password on all my systems

[troon]

Yeah, I know. I read it over your shoulder.

Re:I use the same password on all my systems

[RobertB-DC]

The password I use on all the systems I access is ********

That reminds me of a bash.org conversation (that I can't seem to find):

foo> You know, when you type your password in IRC, it comes across as stars. Here's mine: ********
foo> Try it!
bar> pass4win
bar> what did you see
foo> I saw ********
bar> You pass4win pile of stinking pass4win
foo> You ******** pile of stinking ********
foo> Whenever you type "pass4win" I see ********
bar> but why do I see my password when you type it?
foo> Because IRC knows it's your password and lets you see it.
bar> kewl

Webmaster's Password

No bs, our webmaster's password is 'webmaster'. Of course so is her username and email addy.

The Wrong Password

[(MB)2]

In a Testing Lab that I ran, which access to some of the servers and equipment was to be had by several people, I created a common password. The password was "TheWrongPassword". That way when they would forget it, and would come running to me for it. I would say outloud, "did you use The Wrong Password when you logged in?" Then they would sheepishly walk away, knowing that I had given them the password while at the same time I dissed them. What was even funnier, was when they would ask again for the password, because they didn't realize that I had given them the password.

Not exactly a password story, but ...

[magefile]

The techs at my school are fairly lazy. However, they're too arrogant and power-hungry to give anyone onsite (say, the computer lab person, a CS teacher, or the principal) root privs. They also sometimes take Friday off.

It's a Windows network, and all locked down. So imagine our surprise when they fsck up the CS classes' brand-new JDK installation, pop the JDK in C:\ of the network (to save time, they said later), and give it root privs. We started file I/O that week, so we figured we'd see what the JDK's home dir was. Whether it's supposed to be the directory javac is in, or whether they misconfigured it, I don't know. But we had root privs on the network until Monday. Good times ;-).

Re:Not exactly a password story, but ...

[lachlan76]

Exact opposite at my school (I'm in year 9 now).

Usually there were about 5 nerds at my school in year 6/7 (including me) who had root privs. Then the new tech guy came, and conveniently changed the passwords without telling anyone. Including the IT coordinator. And left for the rest of the week. I always wondered why there couldn't be an admin there more than 1.5 days a week. Two years later, at high school, I found the tech working there for the rest of the week. No root privs anymore though, and I can't stand not being able to fix my problems myself.

Re:Not exactly a password story, but ...

[magefile]

It's not that people don't have root privs ... it's that people don't officially have root privs. We used to tell the techs about vulnerabilities we stumbled into, but they got pissed off and told us to stop, because they'd installed a new IDS that would take care of it for them.

US public school, but the techs are low-bid contractors who have nothing to do with the district. Hence, no incentive to care about anything. They've done a nice job spreading FUD, though. The computer club gets shut down everytime the network goes down; after about 5 groundless accusations of sabotage in the 3 years I've been here, it gets old, particularly since all 5 breaches were by non-computer club people. The few breaches by computer club people don't bring the network down.

Re:Not exactly a password story, but ...

[lachlan76]

I'm just a little Aussie, and over here, when you get the admin password, you suddenly have to fix every little problem with the network. Which I can do, I guess. And judging by the state of the network after Nimda went loose, I can tell that patches weren't high on the agenda of the real IT people.

I knew that spending 2 hours a week of my school week when I was 7 learning to use a mouse would make me good at computers. I would be a perfect computer user, if just I didn't have the winmodem, and I could download some Fedora ISOs ;)

My idiot highschool comp teacher...

The password for his internet account was simply his home phone number...

Password for passwords

[eingram]

My important passwords I commit to memory, but ones that aren't so important I toss in a little program I found a few months ago called Whisper. Whisper stores usernames/passwords, will generate random passwords, and allows you to copy a password to clipboard quite easily. Anyway, the program lets you password protect your password file, so I did that. A few days go by and I open my password file and type in my password. "Wrong password. Failed to open document."

Yeah, that sucked.

Re:Password for passwords

[jbarr]

That reminds me of when I registered PGP keys way back in 1998 on the PGP servers. I stopped using them about four years ago, and though they are still there, for the life of me, I can't remember the passphrase! Major bummer!

Re:Password for passwords

[krosz]

http://keepass.sourceforge.net/ is an open source equivalent.

Re:Password for passwords

I also have a little app that stores my passwords at work. It's called notepad.exe

I figure since my company requires different usernames/passwords for each of the dozens of apps we use, it's the IT depts job to keep outside hackers out of my workstation.

I can't be fscked remembering all the stupid passwords.

Posting anon because my bosses read /.

Posting anonymously for obvious reasons

I used to work at a well-known computer company in Austin around 1993. One day an under-occupied programmer in my building hacked the company email server and ganked a list of everybody's passwords. You can learn a lot about your co-workers from passwords they don't think you can see.

The company's name rhymed with HELL, but for whatever reason, the most commonly re-used password was JESUS.

Books

[chrysalis]

Passwords I assign to users are always extracts from books, magazines or anything on a nearby sheet of paper.

Out of context and with only 3 or 4 words, it often sounds absurd.

Wow!

[NEOtaku17]

Nice I just added everyones passwords from their stories into my personal dictionary. Who knows it might save me tons of time when trying to crack a system and the dictionary attack actually works!

Re:Wow!

Here are a few more for you:

ZT7V*630$1#
Y9$s8&57
F#!&eVP^a
te7_2E$9W$i5
ri8e)7a3+
wwDvU21_

Re:A word not common in most dictionaries

[4nd3r5]

NAKKE OST... I know thats it.. it has to be it.. am i right ?

when password list is encrypted...

[The+Jon]

We had an old ICL running a bespoke cobol billing system which took a 5 character alphanumeric password. The admin screen would show the password as is when entered, but when reviewing a user record, or listing users, it showed the password encrypted by using a simple letter substitution.

I managed to brute-force crack the encryption one afternoon, and created a spreadsheet which used a set of lookups to allow you to enter a word, and unencrypt it into a string for the user password. By doing this you could set up a password like "td4jq" for a user, and they would have no idea that when the sysadmins reviewed the lists of users, it would read "wanka"!

Then you could (with relative impunity) select any descriptive word for the user and give them a seemingly random password.

Help desk staff like nothing more than the abuse of power...

Fun, no, prudent, yes

[FuckMeter]

I don't have any fun/funny password tales to share, but I can share a story about true password protection.

The year was 1999. I was working at a computer-related company, I won't call it a "startup" or a "dotcom" but it was similar. There were three sysadmins, and the owner didn't trust any one admin with the ability to login as root by himself. So a compromise was reached.

Each of the three admins chose a password. The three passwords were combined into one monster, master, root password. In order to login as root, all three admins needed to be present, to type their portion of the password in the correct order. Once all three admins typed in, a root login was achieved and whatever duty was necessary would be performed.

So, what if one of the 3 admins got hit by a bus on the way to work? There was a contingency plan. Each of the three of us entrusted our password to one of the other two. In the event of an emergency, assuming two of the three admins were present, the full password could be reconstructed. For example,

Admin A's password was apple, and he told that to Admin B

Admin B's password was blueberry, and he told that to Admin C

Admin C's password was cherry, and he told that to Admin A

So if Admin B got runover by a train, Admin A and Admin C could still login as root (because Admin C knew Admin B's password part), change the root password, and do whatever needed to be done.

The benefit was that, unless there was some sort of conspiracy, no one admin could ever login as root by himself and do anything crazy.

--
Rate Naked People at FuckMeter! (NSFW)

Re:Fun, no, prudent, yes

[lachlan76]

The benefit was that, unless there was some sort of conspiracy, no one admin could ever login as root by himself and do anything crazy.

Or work in a different room from another admin.

Re:Fun, no, prudent, yes

[FriedTurkey]

So if Admin B got runover by a train, Admin A and Admin C could still login as root (because Admin C knew Admin B's password part), change the root password, and do whatever needed to be done.

Unless Admin A is on the same train as Admin B. Then Admin C is fucked.

Re:Fun, no, prudent, yes

[The+Zody]

Human RAID5 password storage?

bingo

[RMH101]

...we have a winner.
to add to this: you have separate, "priviledged access" admin accounts - so you NEVER logon to a box for admin work with an account that has a roaming profile to pull down, internet access or email account. this is more important in a windows farm.

unless

[RMH101]

...you're using l0phtcrack or similar to test the integrity of user's passwords...

Re:A word not common in most dictionaries

[fabio]

you know, im from denmark, that word is kinda gross here! a rough translation is neck cheese

Sysadmin slam on end-users

[LouCifer]

At one of the companies I worked for, the admin password on the end user systems was rather appropriate:

ur2dumb

Best user name ever...

A programmer on our in house software created a swipecard with the name Butt Fucker. When it was used in the test machine it was invalid (it was supposed to be that way). So it said, "Invalid user Butt Fucker."

What? No Spaceballs reference yet?

How about "12345"?

Obligatory bash.org link

[zyche]

Passwords

There you go. All the password related stories you could want.

Non-English Passwords

Since most (if not all) dictionary attacks use an English dictionary, just choose passwords from your favourite foreign language. My wife uses Welsh (and then converts to leetspeak). I prefer Japanese. "Aikotoba" is a fun one. ;)

Paul

Someone I know got fired for this once...

[JonToycrafter]

I was consulting at a company called "ESP", and we needed to look at some data in an Excel file. For whatever reason, the employee who created the file decided to password-protect it, and he had gone home for the day. Important fact: This employee had previously treated me very poorly.

So the company's owner (we'll call her "Dee") calls him up, and asks him for the password. He says, "I'd rather not say." Then he asks her to put another employee on the phone, and he'll tell someone else.

So while she's arguing with him, I try to guess the password. Knowing this employee, though, I don't try his dog's name, I tried "fuckdee" and "fuckesp". The latter turned out to be correct, and I told her I was in. She told the employee not to come to work the next day.

The moral of this story MIGHT be to be smarter in password selection, but I'd LIKE to think it's to not piss off the IT staff - I always could have lied about the password.

back in the days of Windows NT

[craqboy]

i had mine set to NT1sh1ty!

and then at one point i worked with a guy that was always hacking my windows workstation. His name was mikey so i set my password to mikeysucks and he used l0phtcrack one day to crack the sam file ......probably the most funny thing when l0pht spit out the password for him.

New Company Policy

[MikeDawg]

Passwords, are becoming trickier and trickier. We now have a new company policy that requires all servers, internal, external, etc, to have a password that is > 7 characters long, must contain alpha characters of mixed case, at least one number, and at least one punctuation mark (ie. .,!?`~, etc). It becomes quite a pain trying to remember all our servers passwords, and usernames. All I can say, is thank heavens for PassKeeper.

Oblig.

[spuke4000]

"12345?!? That's the combination to my suitcase!"

Re:Oblig.

[magefile]

It's not suitcase, it's luggage. And that's the kind of mistake an idiot would make (the kind of idiot who would use 12345 as a combo).

Default Passwords ...

[Tux2000]

... well known to my co-workers, for a web-based application:

Some day, all my co-workers at the main office seemed to have to work on my development machine (remote office), so I changed the master password. A phone call some time later: "Please tell me the password." Told him. Machine blocked again a few days later. Wash, rinse, repeat. Finally, I changed the password to "never". Phone call: "Please tell me the password." - "Never." (*klick* speaker on) - "Oh, come on. Tell me the password." - "Never." - "I really need the password." - "Never." And so on for ten funny minutes, with my local co-workers ROTFL.

The default master password was a stupid six-letter word, and often no one bothered to change it when installing the software at the client's site. All attempts to get some attention for the unchanged default master password failed. Now it is a long sentence about insecure default passwords, easy to remember but hard to type. Perhaps that will force them to change the f*ing default password.

Tux2000

At college

[Cro+Magnon]

One of the admins caught someone who forgot to log out at the end of the day and changed his password to UraDope.

Re:At college

[magefile]

How did that work? Don't most systems require you to verify the current PW before entering a new one?

Re:At college

umm

Password advice from sales team

[wmshub]

At a large company where I worked, the sales team (or maybe some department of coporate motivation, don't remember exactly) emailed out - companywide! - the advice to "use a word for your password that will motivate you. For example, make your password 'sales' so that every time you log in, you are motivating yourself to sell!"

This was followed up about 24 hours later with a letter from the IT department, which said pretty much "ignore sales, they are idiots, do not ever take their advice on passwords."

Fun with ART

[Wise+Dragon]

At a school I once attended, art students were issued ART-NNN accounts, where NNN is a three-digit number. These accounts came prepassworded with dictionary words, which the instructor would communicate to you. Unfortunately, an instructor threw away a printout of the spreadsheet correlating accounts with passwords, which I retrieved from the lab wastebasket.

This school also used to have passwordless novell shares with sensetive data on them.

VMS

[Aidtopia]

VMS had a password generator that made nonsense words that were (supposedly) pronounceable and thus memorable. As a result of the algorithm, it would often pick a real word (or a real word plus some extra syllables). Sometimes, the real word would be offensive.

So the folks at DEC kindly put a naughty word filter into the generator (in many languages). But then there was the risk that people perusing the source code (it was available on microfiche) could be offended if they stumbled upong the naughty word table.

So the folks at DEC obfuscated the naughty word table with something trivial like ROT13.

That inevitably led to somebody circulating a program to decode the naughty word table, and a Usenet thread that taught us how to cuss in a dozen languages.

Re:VMS

[JDWTopGuy]

This is slightly offtopic, but running "strings" on 4x4 Evolution 2 (at least the Mac version) reveals all the words you can't say when using the internet play feature.

I've never heard of anybody getting called an uncle f***er...

psychic passwords

[Aidtopia]

I read a funny password anecdote (maybe from Jon Bentley's Programming Pearls). A user rushed into his cube, quickly typed his credentials, and was told that his password was invalid. He sat down, entered his password again, and it was fine. Curious, he logged out, stood up, and tried again. No access. When he was standing up, logging in always failed. When he was seated, he always succeeded.

How could the computer possibly know whether he was standing or sitting?

It turns out that somebody had switched a couple of the (physical) keys on his keyboard as a joke. When the user was standing at the keyboard, he used "hunt-and-peck" typing. When he was seated, he was touch typing.

Re:psychic passwords

[bhtooefr]

Model Ms... Make the KB a Dvorak layout (or even a random layout), but with a QWERTY keymap, and you've thrown off all hunt-and-peckers. Leave it as a QWERTY layout, but make it a Dvorak or random keymap (harder, because you have to relearn touch typing), and you've thrown off EVERYONE, especially if you've used a random keymap.

OT: Uncle F***er

[|<amikaze]

It's from the South Park movie. http://www.emptybottle.org/glass/2003/12/uncle_fuc ka_exegesis.php

Flänsost!

[empaler]

But close ;)

His last name is BENDER?

[Guru2Newbie]

Any way, I started touch'ing files in a world-unreadable subdirectory under $HOME like "paul bender can kiss my butt"

Then tell him to kiss his OWN shiny metal butt!

the best pw i've seen...

[slustbader]

pb4ugo

(it's pretty good advice, too)

Re:the best pw i've seen...

[skiman1979]

Funny... I've used pb4ugo2bed as a username in chat rooms in the past. Some people didn't get it, but it got some laughs out of some people.

My password...

[Hapless+Hero]

is "Crt+Alt+Del". Okay, not really. But that would be awful funny if it were...

Customer password = 'wonttellya'

[monty.ch]

Back in 1997 when I was doing phone support for the ISP I'm working for, I had a customer calling us who had troubles with his mail account. It was monday afternoon and one of those days that would never end, I already had a lot of unfriendly customers on the phone that day and I was quite a bit bad mooded.

The conversation went like this:

Customer: "I'm having troubles with my mailbox"
Me: "OK, what's your username?"

Customer: <tells me his username>
Me: "OK, and what's your password?"

Customer: "Won't tell ya"
Me (getting upset): Now listen, how am I supposed to help you if you won't tell your @*#! password?! <angry>

Customer: "Sorry, you don't understand, my password _IS_ 'wonttellya'"
Me: <duh!!!>

--
sHIFT hAPPENS

Re:Customer password = 'wonttellya'

[skiman1979]

I've never quite understood this, but then again I've never worked for an ISP. Why do they always seem to need the user's password? One time I called my ISP to find out how to change my password, and they asked me what I want it to be. I had to tell it to them over the phone to change it, rather than there being a system for me to do it myself.

Re:love u

[andrew4love2]

hello, how are u doing well i am andrewv from nigeria how are u? i really want to know u more and i am a male a student of a university here in my country Nigeria.u can mail me andrewblessing4real@yahoo.com call..+2348056407812