Tuesday 29 November 2011

Non-Random Machine-Generated Passwords

Finally, let's consider non-random machine-made passwords. Often users are entered into a computer system before their first logon. Then, unless the sysops can relay information to users off-line, the password must temporarily be something that the user already knows, such as their Social Security number (SSN), date of birth, or other personal data. Users are supposed to change this easy-to-guess password to a more secure one, but unless they're specifically shown how or required to do so, it is unlikely they will follow through.

Here's a non-computer example which demonstrates this weakness. In April of 1992, students at a New Jersey university received a memo, informing them of new over-the-telephone class registration procedures. The memo stated that the Personal Access Code (PAC) assigned to authenticate one's registration was the first four digits of one's birthdate (month and day), entered in conjunction with one's nine-digit student ID number (essentially, one's Social Security number).

What got me was that first of all, they told students that their top secret PAC was their birth date. This violates all the security precautions they're trying to maintain. After all, how difficult is it to find out someone's birthday? But the PAC is only half of the "password" - the other part is a student ID.

Again, it's a piece of cake to find out someone's ID. IDs are publicly or semi-publicly available at the student health centers, on computer room sign-up sheets, on identification cards, class rosters, housing lists and elsewhere! The memo does say that those concerned with security can come into the registrar's office to change their PAC, but who's going to go out of their way to do that?

Anyway, changing just those four numbers doesn't do much to stymie the determined hacker. Following a change of PAC there are 10,000 minus one possibilities to try. This is as opposed to the mere 366 possible PACs before that security-aware person changed his or her number. Sure, ten thousand is a lot of numbers to try, but it's certainly not impossible. A touch-tone auto-dialer can phone through all of those in about seven minutes, given unlimited PAC-entry retries per phone call. In any case, I'm using this story to illustrate the principle of least resistance: users are not going to go out of their way to change access codes if they don't have to. And even if they do, it doesn't matter much. After all, we are hackers.
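The arithmetic behind the PAC story, as an added example that is not part of the original text: it compares the 366-value birthdate PAC with a freely chosen 4-digit PAC at the text's assumed dialer rate (10,000 guesses in about seven minutes with unlimited retries), then shows what the missing per-call retry limit and lockout would have done to the guessing time. The rate and the lockout parameters are assumptions.

```python
# Added example, not from the original text: the passage's own numbers (366 birthdate
# PACs, 10,000 four-digit PACs, 10,000 guesses in ~7 minutes with unlimited retries)
# extended with the retry limit and lockout the memo left out. Rate and lockout
# parameters are assumptions, not measurements.
import math
from dataclasses import dataclass

ATTEMPTS_PER_MINUTE = 10_000 / 7  # the text's assumed auto-dialer throughput


@dataclass(frozen=True)
class Scheme:
    name: str
    keyspace: int  # distinct PAC values a guesser must cover


BIRTHDATE_PAC = Scheme("birthdate MMDD", 366)
CHOSEN_PAC = Scheme("any four digits", 10_000)


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def expected_attempts(keyspace: int) -> float:
    """Mean number of guesses to hit one uniformly chosen value."""
    return (keyspace + 1) / 2


def minutes_to_exhaust(keyspace: int, rate: float = ATTEMPTS_PER_MINUTE) -> float:
    """Unlimited retries per call: the situation the memo left in place."""
    return keyspace / rate


def minutes_with_lockout(keyspace: int, attempts_before_lock: int,
                         lockout_minutes: float, rate: float = ATTEMPTS_PER_MINUTE) -> float:
    """Worst case when every attempts_before_lock failures freeze the account for
    lockout_minutes; the guesser must wait out each window before continuing."""
    windows = math.ceil(keyspace / attempts_before_lock)
    return keyspace / rate + (windows - 1) * lockout_minutes


def summarize(scheme: Scheme, attempts_before_lock: int = 5, lockout_minutes: float = 30) -> dict:
    """One row per scheme: entropy, mean guesses, and time with/without lockout."""
    ks = scheme.keyspace
    return {
        "scheme": scheme.name,
        "entropy_bits": round(entropy_bits(ks), 2),
        "expected_attempts": expected_attempts(ks),
        "minutes_unlimited_retries": round(minutes_to_exhaust(ks), 2),
        "hours_with_lockout": round(minutes_with_lockout(ks, attempts_before_lock, lockout_minutes) / 60, 1),
    }


if __name__ == "__main__":
    for scheme in (BIRTHDATE_PAC, CHOSEN_PAC):
        print(summarize(scheme))
```

The point the numbers make is that going from 366 to 10,000 values only moves the unlimited-retry time from a fraction of a minute to seven minutes, while a 5-attempt lockout of 30 minutes turns the same 10,000 values into roughly 41 days of worst-case guessing (and a trail of lockout events to notice).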

Let's move back to our discussion of non-random passwords which are generated by computer; or rather, passwords decided upon by the programmer or administrator and selected from data files by the computer.

Computers will select passwords any time a large number of passwords must be assigned at once. During the first week of a college semester, thousands of new accounts must be created for students enrolled in computer classes. For the most part, these accounts are going to be set up with username equal to some truncation or bastardized form of one's real name, and the password will be either one's Social Security number (SSN) or student ID number.

So if you want to hack a college system, start early in the semester - before those passwords get changed by the user to something more secure. Social Security numbers may be easily hacked by brute force, especially when you know how they are distributed.

Social Security (or other ID numbers) may also be obtained through social means (see the chapter on Social Engineering) or by other forms of chicanery. I've sat in on college classes where the instructor hands around a sheet of paper, on which the students are asked to write their name and ID number. This sheet is then handed to the teaching assistant, who enters this information as accounts into the computer system. If you happen to find some classes that operate like this, make sure you sit in the back of the class, where nobody will notice you copying other people's private data. A hand-held scanner/copier makes life easier at times like these.

You can also get names and SSNs from attendance sheets, or class rosters, which usually list both pieces of information for every individual in the class. If the professor doesn't make the roster available for student perusal, make up some excuse to swipe a look at it. For instance, say the registrar had your name incorrectly spelled on your last transcript, and you want to make sure they've corrected the problem. Professors will love any excuse that points out slip-ups in the bureaucracy of the school system. Use their mindset against them!

Several court battles have ruled that use of one's Social Security number in conjunction with one's name in a public environment is unconstitutional, as it is an invasion of personal privacy. Therefore, we may see a trend starting, with SSNs getting used less and less for identification purposes, and an organization-defined ID number being used in its place. If that's the case, you will have to rely more on brute force to access the array of ID numbers assigned to a person.

Pre-usage passwords won't always be Social Security numbers or other ID numbers. If some non-computer communication is possible between the sysadmin and the user, other words may be assigned as temporary passwords (to be changed when the user logs on).

There might be a generic "new user" password which is given to all accounts, which shouldn't be very hard to crack. Or the password might be something very obscure and security-conscious, like some long string of random characters. It may be necessary to intercept the new user's physical mailbox for that envelope which contains the assigned password.
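Provisioning initial credentials without the weaknesses this section describes (SSN or ID as the password, a shared "new user" word, a mailed password that never expires), as an added example that is not code from the original text: each new account gets its own random temporary password, that password expires, and the first logon must replace it with one not derived from the data on file. The profile layout, field names and the 72-hour lifetime are assumptions.

```python
# Added example, not from the original text: unique random temporary passwords that
# expire and must be replaced at first logon with a password not derived from the
# SSN, student ID, birthdate or name on file. Field names and lifetime are assumptions.
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62**12 > 2**71 temporary passwords
SAMPLE_PROFILE = {"name": "Pat Example", "ssn": "078-05-1120",  # constructed, not a real person
                  "student_id": "078051120", "dob": date(1973, 4, 17)}


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    expires_at: Optional[datetime]  # None once the temporary password has been replaced


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def derived_from_profile(password: str, profile: dict) -> bool:
    """The guessable values the text warns about: SSN, student ID, birthdate, name."""
    dob, ssn = profile["dob"], profile["ssn"]
    guessable = {ssn, ssn.replace("-", ""), profile["student_id"],
                 dob.strftime("%m%d"), dob.strftime("%m%d%Y"), dob.strftime("%Y%m%d"),
                 profile["name"].lower(), profile["name"].split()[0].lower()}
    return password.lower() in guessable


def provision(username: str, ttl_hours: int = 72, now: Optional[datetime] = None):
    """Create the account with a unique one-time password; returns (account, password)."""
    now = now or datetime.now(timezone.utc)
    temp, salt = "".join(secrets.choice(ALPHABET) for _ in range(12)), secrets.token_bytes(16)
    return Account(username, salt, _hash(temp, salt), now + timedelta(hours=ttl_hours)), temp


def first_login(acct: Account, temp: str, new_pw: str, profile: dict,
                now: Optional[datetime] = None) -> bool:
    now = now or datetime.now(timezone.utc)
    usable = acct.expires_at is not None and now <= acct.expires_at  # unused and not stale
    if not usable or not secrets.compare_digest(_hash(temp, acct.salt), acct.pw_hash):
        return False
    if len(new_pw) < 10 or derived_from_profile(new_pw, profile):
        return False  # replacement must not be the SSN, ID, birthdate or name
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash, acct.expires_at = _hash(new_pw, acct.salt), None
    return True
```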