Monday 28 November 2011

Passwords Supplied By The User

Most passwords are of the choose-it-yourself variety, and due to security awareness most contemporary programs which ask for a password to be supplied will not accept words of a certain short length which the program deems to be too easily "hackable." Most passwords will be more than four or five characters long. Other measures to protect users from their own lack of password creativity might be taken as well. For example, systems may force passwords to contain a mixture of upper and lower case, numbers, and perhaps disallow obvious passwords (such as "computer").

Software is available for most operating systems which looks through the computer's password files, analyzes user passwords and decides how secure they are. Insecure passwords will be changed, or prevented in the first place. This is one area where your prior research should help you. Generally you will know which of these programs your target has installed, and what passwords the software will not allow.

Regardless of how clumsy-brained or brilliant a person is, all people tend to think alike. It is only through learning that they begin to think in creative ways. Even then, initial assumptions and first conclusions are similar for a given peer group. What this means is that when a person logs onto a computer for the first time, and is prompted for a password - especially if that person is under stress of time or place - that password is likely going to be a variation on some common themes. Imagine some of the situations people are in when they are asked to create a secret password for themselves. They may be calling a remote computer over a long distance phone line, or surrounded by a group of technicians who are there to teach them to use the system. In any case, the prompt is there on the screen and with it, a sense of urgency is brought to mind.

People type the first thing they think of, the first thing they see, or hear, or are hoping to do once they get past the login procedure. The password is entered quickly, and rarely is it changed to a better, more secure one.

Thus, many passwords relate to top-of-the-mind thoughts, such as job, family, possibly current events, possessions, environment, hobbies or interests. If you can either find out or guess any of these traits of a valid system user, the number of potential passwords you will have to guess will decrease significantly. Get catalogs from the companies that make wall posters, humorous mugs and other novelty items one finds around offices. How many times have you seen that tired phrase, "You don't have to be crazy to work here... But it helps!"? I guarantee the word "crazy" gets picked off that mug every day as a password. Think about the age and lifestyles of the average user whose account you are attempting to breach. An office in a corporate setting probably wouldn't have a nudie poster hanging up - but a college dorm would, and so you may get passwords such as "playmate," "Victoria," "body," or "month."

The easiest way to get a password is to enter it yourself for the user, or to supply the password to the user who is logging on for the first time. You might be acting the role of computer tutor to a novice, and while showing him or her the ropes, downplay the security aspects and allow him or her to tell you the password as they type it, either because they spell it out loud, or because you watch the person's eyes light up as his or her gaze falls upon the wall poster with the word "surfboard" written across the top. (Or they say, "Gee, what's a good secret password? Oh, I know - " and proceed to spell it out to you as they hunt and peck at the keyboard.)

Most often you will be hacking away at user accounts that have been long-established. On these you will have to use some kind of brute force method, observation, or a social or technical method of password retrieval.

Most passwords are dictionary words, like "subway," "table," "chocolate" or "hotdog." Honestly, can you imagine any computer novice sitting down and entering "fMm6Pe#" as a password? Of course not!

Scrabble rules do not apply here: proper names are allowed in password creation, as are misspellings, abbreviations, non-words and foreign terms. Thus a person who likes watching Star Trek may have the password "enterprize" instead of the correct "Enterprise." Whether that's due to bad spelling habits or because he or she simply likes it better that way is unimportant. What is important is that you have to be aware that misspelled words exist in passwordland. You are going to find the letter "k" used in place of hard "c," as in "koka kola." You will find "x" for "ks" (thanx), and other phonetic substitutions, like "lether," "fone" and "stryker." Some hackers will go through every word in the English language until they find something that works as a password. If the password they seek is a real word, but isn't spelled correctly, they are going to be wasting vast amounts of time. Complete brute force dictionary attacks are often fruitless, useless, adolescent ways of doing things.

Many words recur frequently as passwords, and examples are given in the appendices. However, there are many words that you would almost never expect to find as a password on a system. Is it reasonable to suspect a person will enter an adverb for a password? Words of this sort would be the last ones to try. Real-word passwords will generally be nouns ("eyeball," "drums," "kitchen"), verbs (usually obscene ones), and perhaps adjectives ("purple," "great," "happy").

Girl friends, boy friends, and the cute pet names they give each other are popular passwords; these you would have found out from prior research. Also semipopular are passwords with the word "sure" embedded inside them, as in "forsure" or "fursure," "surething" or "asb" (short for "a sure bet").

Besides dictionary words, you can expect to find names of relations, streets, pets, sports teams and foods; important dates and ID numbers, such as social security numbers, anniversaries, or birthdays; and keyboard patterns. Examples of keyboard patterns include "jkjkjk," "700u," "WXYZ," "ccccccc," "0987654321," "asdfgh" or "qazwsx." Look at the location of these letters on a keyboard if you are confused about these last two examples. Keyboard patterns will usually be simple repetitions of characters, portions of columns or rows or every-other-letter designs. Keyboard patterns may be wholly unguessable and yet fully logical when you know what's going on at the other end of the phone line. For example, "05AP" may seem a funny thing to pick up from a keyboard, but when you know the computer in question has a special hexadecimal keypad attached, the whole thing starts to make sense.






A hexadecimal keypad, used by some computer programmers to allow fast entry of numbers in base 16. The keypad illustrates a principle smart hackers will follow: that what you see on your side may be different from what they see on theirs.


Some keyboard patterns I've actually seen being used on systems: "abcdef," "qwerty," "12345," "foxxxxxx," "opopopopp." If you know the minimum password length is six characters, don't expect patterned passwords to go much beyond that minimum.

On the other hand, you can't reasonably try out every possible pattern: there's an infinite number. Beyond a certain point, guessing keyboard patterns is strictly reserved for amateur hour.
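Seen from the side of the password-checking software mentioned earlier, the habits described above are things to reject when a password is set. The following is an added example, not part of the original text: a screening function that flags short passwords, repetitions, keyboard walks, and dictionary or personal words even when respelled phonetically. The deny-list, the substitution table, the `user_terms` parameter and the default minimum length of 8 are assumptions made for illustration.

```python
import re

# Constructed sample deny-list; a real deployment would load a large
# common-password list plus site-specific words.
DENYLIST = {"computer", "crazy", "subway", "chocolate", "enterprise",
            "cocacola", "thanks", "leather", "phone", "striker"}
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
LINES = ROWS + COLS + ["abcdefghijklmnopqrstuvwxyz"]
LINES += [line[::-1] for line in LINES]          # walks typed backwards

def canon(word):
    """Fold the phonetic respellings the text lists onto one spelling."""
    w = re.sub(r"[^a-z]", "", word.lower())      # drop digits, spaces, symbols
    for old, new in (("ph", "f"), ("ks", "x"), ("c", "k"),
                     ("z", "s"), ("y", "i"), ("ea", "e")):
        w = w.replace(old, new)
    return re.sub(r"(.)\1+", r"\1", w)           # collapse doubled letters

def is_walk(p):
    """True if p is made only of runs (3+ keys) along a row, column or a-z."""
    i = 0
    while i < len(p):
        run = max((k for k in range(3, len(p) - i + 1)
                   if any(p[i:i + k] in line for line in LINES)), default=0)
        if run == 0:
            return False
        i += run
    return i > 0

def screen(password, user_terms=(), min_len=8):
    """Return the reasons to reject a proposed password ([] = accept)."""
    p = password.lower()
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    if len(set(p)) <= 2:
        reasons.append("repetition")
    if is_walk(p):
        reasons.append("keyboard walk")
    banned = {canon(w) for w in DENYLIST | set(user_terms)}
    if canon(p) and canon(p) in banned:
        reasons.append("dictionary or personal word")
    return reasons
```

Because both the candidate and the deny-list pass through `canon`, one entry such as "enterprise" also covers "enterprize" and digit-suffixed variants; `user_terms` is where names, pets and dates known for the account holder would be supplied.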