Slashdot Mirror
Fun With Passwords?
eSims asks: "Most all SysAdmins have the pleasure of picking passwords and while we know the rules for picking good passwords we also know how to have a little fun with them as well. Password choices may be inside jokes about management, comments on the company, or just torture for the users we assign them to, but often they are funny. Without giving away the company secrets what are some of your funny stories about password selection?"
We use a generation tool to create our passwords from "/usr/dict/words". It breaks passwords down to 3 word chunks (from 3 to 4 characters) with random characters between them. This makes passwords from 11 - 14 characters which is more then safe for user accounts.
When they want to change we have another tool that works based on some of those rules so users can just reset their password to password.
Check out Mon and Mon.cgi
I have a friend who works at NASA (not like 'Houston, we have a problem!', but a local office in MD).
He was working on deploying some APs at the office, rather configuring them after they had already been set up.
He goes to configure one of them, and finds that the default password doesn't work (that's a good thing, of course). So he yells across the room to his supervisor: 'Hey Jim, what's the password to the AP?'
Jim yells back: 'cumshot'.
For some reason I really doubt that anyone else was aware of that, or he surely would've had to change it.
- single sign on everywhere, so no-one (including the sys admin) ever has multiple passwords.
- initial passwords are generated randomly, instead of at the whim of an already over-worked sys admin.
- no-one but the user ever knows what the user's initial password is.
Ha ha ha. Isn't that funny?Hypothesis:
IT staff regularly reads user passwords (for fun, profit, bogus administration, lack of professionalism, total misunderstanding of why security requires the sanctity of private passwords).
Try this experiment:
1. Change your password(s) to something abusive toward the IT staff.
2. Observe the IT staff (watch for them to become irate, agitated, angry, or any other such synonyhm).
3. Change this password everywhere you've used it across the Internet
Step 3, of course, brings into question the diligence of the user.
As in:
your password is changed
your password is invalid
One of the duties of being a Sys-admin is giving out passwords/access for vendors. You need to poke fun at them for all the outages.
g0f1x[t
Also one vendor pissed me off, so I used a competing vendor as a password. example, "3yC!sc0"
But then, its funny you spend that much time coming up with entertaining passwords and the hardware only supports telnet.
I once read a tip about website passwords where you shouldn't have the same password for all sites that need a logic. One of the best suggestions I read was to have a password of say 4 characters, and intersperse the website name into it.
e.g. if your password is 1234 and you're logging into download.com it might be 1d2o3w4l or if it's slashdot.com then 1s2l3a4s or if it's msn.com then 1c2r3a4p etc. It's different for all and harder to guess, and cos it's not a word, anyone watching the keyboard might not pick up on you typing it.
Get paid to search..It's geniune and
I use alpha-numeric passwords religiously, and usually throw a couple non alpha numerics in the mix. On more than one occasion, I've forgotten them. Nothing will humble a guy like having to break into his own box, and succeeding.
I can personally attest that Simon Travaglia on separate occasions changed my password to:
- "fuckwit"
- "ican'tremembermypassword"
Great days, great days.
We set him up, and tell him his password is blank.
Two minutes later, he comes back awfully upset, demands that we reset his password, cause it wasn't blank. So we do.
2 minutes later, he's really getting pissed. Comes back with the head of IT. We ask him if the caps lock is on? He gets furious, asking how the hell it could matter if the caps was on with a blank password. We respond with, "there is a big difference between a capital B and a little b". He is seething, but slowly the realization creeps in, and he figures out what the hell we meant. Our boss, sits there like a statue, till the sales guy leaves, and then just explodes in laughter so hard he couldn't stand.
ahh, the days of the dot-coms, how I will miss thee...
What are we going to do tonight Brain?
I once knew a sysadmin who liked doing the ol' Abbott & Costello with passwords:
User: What's my password again?
Admin: "login"
User: Yeah, that's what I'm trying to do, but I can't remember my password.
Admin: "login"
(etc)
User2: What's the username for the Reservation system?
Admin: "password?"
User2: No, I remember the password is "a$$h@t" but I don't remember that funny username.
Admin: "password?"
(etc)
Eloi, Eloi, lema sabachtani?
www.fogbound.net
At one point, my gf (a very petite woman) was using the password: #4#I!Better
A true statement, if ever there was one.
...but I once had a customer forget "unforgettable".
The lass was a walking blonde joke. Quite bright once she had everything assembled in her head, and very efficient at what she did, but if she ever got rattled it all went out the window.
Got time? Spend some of it coding or testing
I used to do the same thing, but then stumbled across a number of password crackers that take this into account. They run dictionary attacks, but they also try every possible 'l33tsp34k' variation. It takes a while to run this kind of attack, but not quite as long as a plain ole brute force. I advise using password generating tools to create truly random passwords.
John Hancock
I work as a consultant within a Fortune 100 manufacturer.
During our projects we have to set up a simulation lab and run our project for a few months prior to installing at the factory.
For one project, the lab servers were administered by a person who either did not understand the purpose behind the lab, or simply did not care about our priorities. And, his delays were causing us to run behind schedule.
After some political wrangling, I assumed administrative responsibility of the machines in our test environment.
The months passed, we restored the schedule, and were packing up to head to the job site to install the system, and it was time for me to turnover the systems back to the original admin.
But, he flaked on the meeting, so I'm standing there with root on the lab systems some of which are trusted by outside networks. And, he did not bother to show for the meeting that he called.
So, I set the passwords, and put them in a sealed, unlabeled envelope, and handed them to one of the other admins with whom I had become friends.
The only instructions I gave him were: "You'll know what to do with this when the time comes."
A few weeks later, I got the phone call from my friend talking about the other admin, "He came in here shouting and cussing about how that damn consultant had locked him out of his own systems, then took off without turning over the passwords. I new then that it was time to use the envelope."
Written on the piece of paper in the envelope was one word in block letters: 1nc0mp3t3nt
[
Computer teacher [yelling across crowded a computer lab]: "OK, [name], your new password is 'temp.' That's T-E-M-P 'temp.'"
As you can imagine, much fun was had with this one.
The password I use on all the systems I access is ********
Glonoinha the MebiByte Slayer
My important passwords I commit to memory, but ones that aren't so important I toss in a little program I found a few months ago called Whisper. Whisper stores usernames/passwords, will generate random passwords, and allows you to copy a password to clipboard quite easily. Anyway, the program lets you password protect your password file, so I did that. A few days go by and I open my password file and type in my password. "Wrong password. Failed to open document."
Yeah, that sucked.
I don't have any fun/funny password tales to share, but I can share a story about true password protection.
The year was 1999. I was working at a computer-related company, I won't call it a "startup" or a "dotcom" but it was similar. There were three sysadmins, and the owner didn't trust any one admin with the ability to login as root by himself. So a compromise was reached.
Each of the three admins chose a password. The three passwords were combined into one monster, master, root password. In order to login as root, all three admins needed to be present, to type their portion of the password in the correct order. Once all three admins typed in, a root login was achieved and whatever duty was necessary would be performed.
So, what if one of the 3 admins got hit by a bus on the way to work? There was a contingency plan. Each of the three of us entrusted our password to one of the other two. In the event of an emergency, assuming two of the three admins were present, the full password could be reconstructed. For example,
Admin A's password was apple, and he told that to Admin B
Admin B's password was blueberry, and he told that to Admin C
Admin C's password was cherry, and he told that to Admin A
So if Admin B got runover by a train, Admin A and Admin C could still login as root (because Admin C knew Admin B's password part), change the root password, and do whatever needed to be done.
The benefit was that, unless there was some sort of conspiracy, no one admin could ever login as root by himself and do anything crazy.
--
Rate Naked People at FuckMeter! (NSFW)
I was consulting at a company called "ESP", and we needed to look at some data in an Excel file. For whatever reason, the employee who created the file decided to password-protect it, and he had gone home for the day. Important fact: This employee had previously treated me very poorly.
So the company's owner (we'll call her "Dee") calls him up, and asks him for the password. He says, "I'd rather not say." Then he asks her to put another employee on the phone, and he'll tell someone else.
So while she's arguing with him, I try to guess the password. Knowing this employee, though, I don't try his dog's name, I tried "fuckdee" and "fuckesp". The latter turned out to be correct, and I told her I was in. She told the employee not to come to work the next day.
The moral of this story MIGHT be to be smarter in password selection, but I'd LIKE to think it's to not piss off the IT staff - I always could have lied about the password.
I read a funny password anecdote (maybe from Jon Bentley's Programming Pearls). A user rushed into his cube, quickly typed his credentials, and was told that his password was invalid. He sat down, entered his password again, and it was fine. Curious, he logged out, stood up, and tried again. No access. When he was standing up, logging in always failed. When he was seated, he always succeeded.
How could the computer possibly know whether he was standing or sitting?
It turns out that somebody had switched a couple of the (physical) keys on his keyboard as a joke. When the user was standing at the keyboard, he used "hunt-and-peck" typing. When he was seated, he was touch typing.