How silly can people get?

This section (which I hope to expand) is a forum for learning by example; if people have a chance to read about real-life (preferably silly) security incidents, it will hopefully instill in readers some of the zen of computer security without the pain of experiencing it.

If you have an experience that you wish to share, please send it to the editors. It'll boost your karma no end.


aem@aber.ac.uk: The best story I have is of a student friend of mine (call him Bob) who spent his industrial year at a major computer manufacturing company. In his holidays, Bob would come back to college and play AberMUD on my system.

Part of Bob's job at the company involved systems management, and the company was very hot on security, so all the passwords were random strings of letters, with no sensible order. It was imperative that the passwords were secure (this involved writing the random passwords down and locking them in big, heavy duty safes).

One day, on a whim, I fed the MUD persona file passwords into Crack as a dictionary (the passwords were stored in plaintext) and then ran Crack on our system's password file. A few student accounts came up, but nothing special. I told the students concerned to change their passwords - that was the end of it.

Being the lazy guy I am, I forgot to remove the passwords from the Crack dictionary, and when I posted the next version to USENET, the words went too. It went to the comp.sources.misc moderator, came back over USENET, and eventually wound up at Bob's company. Round trip: ~10,000 miles.

Being a cool kinda student sysadmin dude, Bob ran the new version of Crack when it arrived. When it immediately churned out the root password on his machine, he damn near fainted...

The moral of this story is: never use the same password in two different places, and especially on untrusted systems (like MUDs).
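The comparison in the story (a list of plaintext passwords exposed on one system, checked against the hashed password file of another) is the same comparison an administrator can run deliberately, and the moral can be enforced at the moment a password is set. The following is an added example, not code from the original text or from Crack; the hashing scheme (hex SHA-256 over salt and password), the password file and the leaked word list are all constructed for illustration, standing in for real crypt(3)-style entries and a real breached-password list.

```python
"""Password-reuse audit and set-time check (added example, not from the page).

Two defensive uses of the comparison the story describes:
  1. audit_reuse: find local accounts whose password matches a word known to be
     exposed elsewhere (what the cracker found, run by the admin first).
  2. is_acceptable: refuse a new password that already appears in such a list.

The hash scheme and all data below are constructed for the example.
"""
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> str:
    # Constructed scheme: hex(SHA-256(salt || password)). Real password files
    # use crypt(3)/bcrypt/argon2 formats; only the shape of the audit matters.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_entry(password: str) -> tuple[str, str]:
    """Build one constructed password-file entry: (salt_hex, hash_hex)."""
    salt = os.urandom(8)
    return salt.hex(), hash_password(password, salt)

# Constructed "password file": user -> (salt_hex, hash_hex).
PASSWORD_FILE = {
    "root":  make_entry("qzwxecrv"),       # constructed: reused on the MUD
    "alice": make_entry("correct horse"),  # constructed: unique
    "bob":   make_entry("kwjgiwpa"),       # constructed: reused on the MUD
}

# Constructed "leaked dictionary": plaintext passwords recovered from another
# system (the plaintext MUD persona file in the story).
LEAKED_WORDS = ["qzwxecrv", "hunter2", "kwjgiwpa", "mudlord"]

def audit_reuse(password_file: dict, leaked_words: list[str]) -> list[str]:
    """Return the sorted account names whose hash matches a leaked word.

    Per-account salts force every word to be rehashed for every account, which
    slows a blind search but does nothing once the exact word is in the list.
    """
    hits = []
    for user, (salt_hex, stored) in password_file.items():
        salt = bytes.fromhex(salt_hex)
        for word in leaked_words:
            if hmac.compare_digest(hash_password(word, salt), stored):
                hits.append(user)
                break
    return sorted(hits)

def is_acceptable(new_password: str, leaked_words: list[str]) -> bool:
    """Set-time check: reject a candidate already known to be exposed."""
    return new_password not in set(leaked_words)

if __name__ == "__main__":
    print("accounts reusing an exposed password:", audit_reuse(PASSWORD_FILE, LEAKED_WORDS))
    print("'hunter2' acceptable?", is_acceptable("hunter2", LEAKED_WORDS))
```

Run against the constructed data, the audit reports `root` and `bob`, exactly the situation Bob found on his machine; the set-time check is the cheaper half, because it stops the reuse before there is a hash to audit.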