I was doing some routine sysadmin work for a client when I had to read mail in the system administration mailbox. This mailbox is used for cron job email, communication with ISPs that run servers for the company, and other important things. I noticed that the account was subscribed to some mailing lists related to system administration; the following is from one of the monthly messages from a list server:
Passwords for sysadmin@example.com:

List                          Password // URL
----                          --------
whatever-users@example.org    victoria3
That doesn’t seem terribly exciting, unless you know that the password used for the list server happens to be the same as the one used for POP and IMAP access to the account in question, and that it is available as webmail… Of course I didn’t put the real password in my blog post, I replaced it with something conceptually similar and equally difficult to guess (naturally I’ve changed the password). The fact that the password wasn’t a string of 8 semi-random letters and digits is not a good thing, but not really bad on its own. It’s only when the password gets used for 3rd party servers that you have a real problem.
I wonder how many list servers are run by unethical people who use the passwords to gain access to email accounts, and how many hostile parties use such lists of email addresses and passwords when they compromise servers that run mailing lists.
Now there would be an obvious security benefit to not having the list server store the password in clear-text or at least not send it out every month. Of course the down-side to doing that is that it doesn’t give someone like me the opportunity to discover the problem and change the password.
Reminds me of Alec Muffett taking the password file of AberMUD at Aberystwyth (plain text passwords), adding it as a wordlist to one of his releases of Crack and publishing it. A friend of ours at the Uni was on a year out at an IT company as a sysadmin, ran the new version on his systems and found it spat out his AberMUD, er, root password.. ;-)
Wow – that’s a few years ago now, must be, umm, 1990/1991!
Chris: That is wrong in so many ways. Taking a list of live passwords and publishing it is not something that should be done.
@russell: I take your point, but would you object to publishing dictionaries of “probable” passwords, then?
And if not that, then dictionaries of “plain words”?
Where does one draw the line?
By example:
echo victoria3 | perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent'
…to see who else uses that word on your system. It’s trivial.
The problem is the password paradigm, just as it was when someone centuries ago wrote of Ali Baba hiding behind a rock and overhearing the words “open sesame”…
ps: a different spin:
the passwords i published were never live at my site by the time the software was published; so why would it be my responsibility if they were in use elsewhere, on the other side of the world perhaps?
how would i know?
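The two checks discussed on this page, reading the cleartext password reminders out of the admin mailbox (the post) and seeing which local accounts use a disclosed password (the one-liner in the comment above), combined into one defender-side audit script. This is an added example, not code from the original post, from Crack, or from any list server; the messages and the account file are constructed, the reminder layout is the one quoted in the post, and the account hashes use a hypothetical "$pbkdf2-sha256$rounds$salt$hex" layout so the check runs with only the standard library (a real /etc/shadow would need crypt(3)):

```python
"""Audit: cleartext list-server password reminders in a mailbox, and local
accounts that share one of those passwords.  Added example; the reminder
format follows the post, the hash layout and all data are constructed."""
import email
import hashlib
import hmac
import re

REMINDER_HEADER = re.compile(r"^Passwords for \S+@\S+:\s*$", re.MULTILINE)
ROW = re.compile(r"^(\S+@\S+)\s+(\S+)$")


def parse_reminder(body):
    """Return {list_address: password} for one reminder body, {} otherwise.
    Only "<list> <password>" rows after the dashed header line count."""
    if not REMINDER_HEADER.search(body):
        return {}
    found, in_table = {}, False
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_table = True
            continue
        if in_table:
            match = ROW.match(line)
            if match:
                found[match.group(1)] = match.group(2)
            elif found and not line:
                break  # blank line closes the table
    return found


def cleartext_passwords(raw_messages):
    """{password: [lists]} over every reminder; a password listed for more
    than one list is reuse in its own right."""
    by_password = {}
    for raw in raw_messages:
        body = email.message_from_string(raw).get_payload()
        for list_addr, password in parse_reminder(body).items():
            by_password.setdefault(password, []).append(list_addr)
    return by_password


def make_hash(password, salt, rounds=1000):
    """Hypothetical hash layout used only by this example (low rounds)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2-sha256${rounds}${salt}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt/rounds, compare in constant time."""
    _, scheme, rounds, salt, _digest = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    return hmac.compare_digest(make_hash(password, salt, int(rounds)), stored)


def accounts_using(passwords, account_lines):
    """Accounts whose stored hash matches any of the given passwords: the
    one-liner from the comments, run by the admin against a disclosed value."""
    hits = set()
    for line in account_lines:
        user, stored = line.split(":", 1)
        if any(verify(pw, stored) for pw in passwords):
            hits.add(user)
    return sorted(hits)


# Constructed sample mailbox: one cron mail, one monthly reminder.
SAMPLE_MAILBOX = [
    "From: root@example.com\nSubject: Cron <root@mail> backup\n\nbackup ok\n",
    "From: list-owner@example.org\nSubject: list memberships reminder\n\n"
    "Passwords for sysadmin@example.com:\n\n"
    "List                          Password // URL\n"
    "----                          --------\n"
    "whatever-users@example.org    victoria3\n"
    "other-announce@example.org    victoria3\n"
    "\nYou may change your password at the list URL.\n",
]

# Constructed account file, name:hash, standing in for /etc/shadow.
SAMPLE_ACCOUNTS = [
    "sysadmin:" + make_hash("victoria3", "s1"),
    "backup:" + make_hash("correct-horse-battery", "s2"),
    "alice:" + make_hash("victoria3", "s3"),
]


def audit(raw_messages=SAMPLE_MAILBOX, account_lines=SAMPLE_ACCOUNTS):
    """Passwords mailed in cleartext, lists sharing one, local accounts at risk."""
    by_password = cleartext_passwords(raw_messages)
    return {
        "mailed_in_cleartext": sorted(by_password),
        "shared_across_lists": {p: l for p, l in by_password.items() if len(l) > 1},
        "local_accounts_at_risk": accounts_using(by_password, account_lines),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run on the constructed data it reports victoria3 as mailed in cleartext, shared by two lists, and in use by the sysadmin and alice accounts, which is the list of passwords to rotate and the reminders to switch off. Matching is done by recomputing the hash with each account's own salt rather than comparing cleartext, so the script never needs the mailbox password itself.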
alec: I agree that passwords alone are not good for security.
If the passwords were not live on your site when you published it then it’s not a big deal. It’s still something that I would be very hesitant to do.
To resurrect a long dead post – at the IEEE SuperComputing conference in the US each year the SCinet folks (the volunteers who build and run the conference network plus its multiple 10 & 100 Gbps links) run password sniffers and have a scoreboard of the most popular passwords visible on their booth along with a link to the OpenSSH website.