Would you give out your password?

Wed 20th Jan 10

While at a recent training course I decided to try an experiment I'd been wanting to run for a while. Here are the setup and the results.

The course was teaching sys-admins and other IT professionals about IT security and penetration testing. We were in the middle of a 5-day course in which we had covered reconnaissance, social engineering and a mix of online and offline password cracking. The setup took place when the class came back in after a break and I gave the following spiel:

"At break I was talking with one of the other instructors and we were debating whether you as professionals would have better passwords than a normal user. I said you would have better passwords as you know the risks and how to generate a good password; he said the admins he knew were usually complacent and so had weaker passwords than the normal user. I've torn up some paper and put a piece on each desk. Please write on it one of your usual passwords, just the password, nothing else."

I gave them the option to not join in and stressed the anonymity of the experiment.

While they were out I'd taken two pieces of paper and written the names of everyone in the class on one of them, then put the two together and torn them up, so I had a collection of blank pieces of paper and a "solution" that would map each piece back to a user.

I gave them a few minutes then went round with a box and collected the results. While I was collecting the papers one person realized something odd was going on and asked if I was doing recon against them; a couple of others asked if I wanted usernames as well.

Just before the next break I asked the rhetorical question, "What should you never do with passwords?" and gave them the answer: "Share them". At that point they all realized what I'd done. There was a look of shock on the faces of at least a couple of people, and comments from others that they had suspected a setup. I then revealed the jigsaw solution, with which I could map the individual pieces of paper, and so the passwords, back to the person, and explained that because they were on the course I already had a good amount of information about them (name, company, email address, etc.) from the course registration forms.

In a class of 9 people I think I'd got at least 2 real passwords from users I could identify.

I'm not claiming that this is a unique experiment; I know it has been done before, many times. But doing it myself with such an audience was real proof of those earlier results, and a good way to remind myself, and the students, that social engineering can affect everyone, even people you would expect to have a heightened sense of awareness.

I'd recommend trying this experiment to anyone else out there who has access to a group of people, as it was an eye-opener to both myself and the class.

I'd like to finish by saying I'm not trying to put down anyone in the class; hopefully everyone learnt something. I know I did.