A Tale of Insecurity

by JMT

I am not a hacker.

I once dumpster dived at a bank, but found only coffee grounds and empty coin wrappers.  I wardialed in the 1990s, and had an interesting conversation with a man who *69'ed me and accused me of sleeping with his wife.

I am sure that if I had met the right person at the right time, things would have gone very differently for me.  There is certainly an alternate universe in which I'm in jail for violating the CFAA, and another where I'm a CISO.  But in this one, I am just a guy with a strong password and a subscription to 2600.

In the mid aughts I worked at a law firm.  We had an incompetent IT manager who outsourced all the real work of running an office IT department.  The one thing he did himself was routinely email all staff demanding that we report our passwords to him.  As abhorrent as I found this practice, I enjoyed the ability to pay my rent.  So I always dutifully complied, and then promptly changed my password.

One night I was working late and wandered into a conference room where an office-wide desktop refresh project had been underway for a week.  Our outside IT consultants had commandeered this room as their base camp, and the large table was covered with Dell OptiPlexes in various stages of being reimaged and configured for their new users.  At 9 pm on a Thursday, the conference room was now deserted, and I was one of only two or three people in the entire office.  Reasonably confident of my privacy, I took my time looking around.

I didn't expect to find anything.  I wasn't up to no good.  I was just looking.  Just curious.  In time, my eyes landed on a single sheet of paper in the middle of the table.  As a paper it was unassuming, but it stood out amongst all the cables and molded plastic.  I looked closer, focused, and nearly fell over in shock.

Lying in the middle of the table in an unlocked conference room was a printout listing every employee's name, login, and plaintext password.  Everyone.  Me, my boss, his boss, their secretaries, the partners.  Everyone.  In one of the fastest decisions I've ever made in my life, I grabbed it and walked confidently to the nearest copy machine.  I made a single untraceable copy (no employee keycode required), returned the original to its dubious home, and went back to my desk to examine my booty.

The average quality of my coworkers' passwords was absurdly low.  Simple alphanumeric strings like password1, qwerty, and their children's names protected nearly every account in the firm.  One after another, I read down the list and realized that I could have guessed half my coworkers' passwords in less than five minutes, had I ever tried.  A proper dictionary attack would have cracked most of the rest instantly.

But the biggest surprise was the strongest password.  It didn't belong to the IT manager, or to a young, tech-savvy attorney.  It belonged to a 76-year-old founding partner, and I'll never forget it: purplecow

A dictionary attack would have made short work of this one, too, of course.  But you wouldn't guess it.  It was only in context that it became impressive - a Dachshund among Chihuahuas.  But at least he tried.

That night was exhilarating for entirely juvenile reasons.  I had no use for it, but possessing such forbidden knowledge just felt so cool.  Had I become 1337?  Was I about to be "in?"  No, I had no interest in reading my boss's email, finding out what my coworkers really thought of me, or losing my job.

I never did anything with my sudden god-like powers, though I kept that paper for years.  I loved having it for its own sake, and I still love telling the story of my greatest near-hacking experience.
