Friday, January 04, 2008

How to guess passwords

Often people's passwords are things they are passionate about and can be guessed using inference.

names:

their own name: first, last, middle or maiden. their children's, their pets', nicknames, their spouse or the person they are dating, their parents' or other family or friends' names.

often the names are indirect, like babygirl, my2girls, ourboys, myboys, my1stborn
often parts are reduced to initials: hsimpsons (for homer simpson)

interests/places:
hobbies, or sport: marathon, guitar, fishing, nascar, soccer, softball, football, golf
sports team, or sport slogan: rolltide, bamafootball, wareagle, gosteelers
alma maters, the name of their band, league, fraternity or anything they are a part of: harvard, chiomega
a city, state or community they want to travel to, like, have lived in, were married in or are from: florida, newyork, sanfran, tampafla, africa, hoover

favorites:
favorite movie, tv show, or book: oceans11, seinfeld, mobydick
favorite fictional characters: luke, vader, yoda, gandalf, mickeymouse, hawkeye, superman
favorite people, sports stars, and celebrities: dalejr, madonna
favorite band or album: beatles, imagine
favorite brands: mercedes, drpepper, xbox360
favorite color or things: purple, flower, tattoo, apples

random stuff:
astrological signs: aries, cancer (especially their own)
dates: historic events, anniversaries, birthdays: august11, november, jfk1963
religious slogans or scriptures: jesus, jesuslives, havefaith, jesussaves, godisgood, john316

adding numbers:
people often add numbers to the end of their passwords: auburn31
for numbers they choose: the year they were born, their age at the time they made the password, area code, phone number, zip code, etc.
simple numbers like 1, 123, 1000
adding 1 is very common because some systems require an alphanumeric password (letters plus at least one digit).

common name/numbers:
alma mater and the year of graduation: harvard93, clemson2002
child's name and year of birth: tommy1983
sports team and year of championship: bama92
their own name and year they will graduate: brittany2009
their car and year it was made: honda03
favorite sports figure and their number: jackson34

also, on systems that force you to change your password, people change it like thomas1, thomas2, thomas3. so even though the system forces a change, the password essentially stays the same for them.

the completely obvious:
using the word "password" as the password.
using their login as their password.
no password at all (if the system allows it)
default passwords, like linksys routers with user admin and password admin
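A password-acceptance check built from the patterns above, as an added example (not code from the original post): it flags a password that is the word "password", equals the login, is a vendor default pair, or is a known word plus a short number or a year, and a rotation check that rejects thomas1 to thomas2 style changes. The word list and default-credential set are constructed stand-ins for a real dictionary and the user's profile data.

```python
import re

# Constructed sample data for this example; a real check would load a full
# dictionary plus the user's profile words (names, school, team, car).
COMMON_WORDS = {"auburn", "harvard", "clemson", "tommy", "bama", "honda", "jackson"}
DEFAULT_CREDENTIALS = {("admin", "admin")}   # the linksys default from the post
SIMPLE_NUMBERS = {"1", "123", "1000"}


def split_number_suffix(pw):
    """'auburn31' -> ('auburn', '31'); 'auburn' -> ('auburn', '')."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1), m.group(2)


def weak_reasons(password, login, context_words=()):
    """Return the guessing patterns this password matches (empty list = none)."""
    reasons = []
    pw, user = password.lower(), login.lower()
    if pw == "":
        reasons.append("no password")
    if pw == "password":
        reasons.append("the word 'password'")
    if pw == user:
        reasons.append("same as login")
    if (user, pw) in DEFAULT_CREDENTIALS:
        reasons.append("vendor default credentials")
    base, digits = split_number_suffix(pw)
    known = COMMON_WORDS | {w.lower() for w in context_words}
    if base in known:
        if digits == "":
            reasons.append(f"bare word '{base}'")
        elif re.fullmatch(r"(19|20)\d\d", digits):
            reasons.append(f"word '{base}' plus year {digits}")
        elif digits in SIMPLE_NUMBERS or len(digits) <= 2:
            reasons.append(f"word '{base}' plus short number {digits}")
        else:
            reasons.append(f"word '{base}' plus number")
    return reasons


def is_trivial_rotation(old_password, new_password):
    """True when only the trailing number changed (thomas1 -> thomas2), or nothing did."""
    old_base, _ = split_number_suffix(old_password.lower())
    new_base, _ = split_number_suffix(new_password.lower())
    return old_base != "" and old_base == new_base
```

Pass the user's own profile words (first name, school, team) as context_words so the check catches the name-plus-year combinations the post lists.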

guessing pins:
if you ever need to get into a secure building, no doubt someone's code is 1111, or 1234, or something equally obvious.

people reuse the same passwords.
if you know a person's password for one thing, you probably have the password for their other stuff.
if you get access to someone's email, you can search for the word password and find other passwords.

There are other low tech ways of getting passwords:
social engineering: asking them under a false pretext that they trust.
shoulder surfing: watching them type it in over their shoulder or with a camera.
also people write their passwords down all the time, especially on post-it notes.

There are also more high tech ways of getting passwords.
keyloggers (key catchers): capture all keystrokes. hardware and software versions are available.
trojan horses, phishing, etc.

Do you know other common passwords or methods? If so leave a comment.