Password Policies this Bad Shouldn’t Exist


The 90s were a time of great technological advancement. Personal computers were just starting to show up in people’s houses, and the internet was in its infancy. You couldn’t use the internet and the telephone at the same time. Most sites didn’t require a password, and if they did, it was laughable by today’s standards. Times were simple then, and people liked it. You could create any old password you liked, and that was that. However, we quickly learned that password policies needed to improve, or it was only a matter of time before you would be compromised. While we still have similar problems today with poor password policies and users who don’t follow good password practices, I generally thought that the mistakes made in the 90s were behind us. That all changed about a week ago…

Let me preface this by saying I’m ashamed it took me this long to see a huge security flaw staring me in the face. I was sitting in my Networking+ class talking with one of my fellow CS majors. We were discussing a topic that he was planning on writing his final proposal for. While exploring various topics, we came upon the idea of password policies. At our university you are given a username and password when you sign up for school. This username and password give you access to the Windows domain on campus and to the student portal online, where you then have access to student email, grades, homework, and various financial information.

This practice isn’t out of the ordinary for most universities, so I never really thought too much about it. However, we had a light bulb moment that terrified me. When you sign up as a new student you are issued a username and password, and that username and password follow a very specific schema. Your username is your capitalized first name, a dot, and your capitalized last name. The password is similar: your capital first initial, your capital last initial, and the last four digits of your social security number. So in my case it would be: Username: Stetson.Pierce, Password: SP****

Now, being a computer science major, I changed my password the first time I logged in. However, and this is the scary realization that we had, I was never prompted or told to do so. I’ve been at this university for almost four years, and never once have I been asked/told to change my password. That means the vast majority of the other students who attend my university have kept the original password they were given. Any IT person worth a damn should see where I’m going with this. On top of never prompting users to change their password, my university has these posted all over the school:

[Image: the university’s posted Password Policy]

Thankfully, after fall of 2013 they changed their username policy; however, nothing about the password has changed. Since I, and everyone in the class I was in, started prior to 2013, I started to wonder whether they had all changed their passwords too. Allow me to elaborate on what we had just realized. Let’s say that I’m in a class with you. We’ll say your name is John Doe. If you started prior to fall of 2013, I have now narrowed down your possible passwords to 1 in 10,000. Since I know your name, I know your username is John.Doe, and your password will be in the range JD0000 → JD9999. The easy thing to do would be to simply try every combination until I find the one that works. However, this is a long and tedious process for me. For my computer, on the other hand, it’s easy as 1-2-3.

I figured the easiest way to try and exploit this was to log in to the student website. That way I could simply run a script against the site and brute force passwords until I was logged in. Now you should be saying to yourself, “Stetson, there’s no way that will work. Surely the website has some sort of max failed attempts that will block your IP after you try to log in a set number of times.” Very good point. Any decent web developer would have put a max attempt limit of some kind on there. However, given the huge flaw that I was now consumed by, I decided to do a few tests and leave nothing to fate. Away to the login screen I go and attempt to log in to my own account. Time after time I fail, until I hit about 35 failed attempts. In a perfect world I would be locked out or blocked after 3 failed attempts, so I wanted there to be no question. After the 35th time I then proceeded to use my correct credentials to log in. I’m ashamed to say it let me in without issue.

I’m now sitting at the precipice of a hacker’s dream. I know your username, 33% of your password, and I know that I can attempt to brute force the remaining 66% as many times as my little heart desires. So what do I do next? I write a little bit of JavaScript that will attempt the login on the page, wait 200 milliseconds, check for a valid login, increment the number portion of the password, and try again. I then boot up Selenium and get ready to brute force the page. I changed my password to SP1111 for testing, and set the script loose.

After a few minutes I’m greeted with the home page of my student account. Now that I had proven it worked on a control, I set out to test it on an account I didn’t already have access to. My classmate who helped me discover this flaw agreed to let me attempt the brute force on his account, as he had not changed his password at this point. I changed a few variables in the script and set it loose again. In a matter of minutes I was staring at the home page of his student account.
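The two controls the portal was missing above, a lockout that stops the guessing and a log rule that notices it, are simple to implement on the server side. The following is an added example, not code from the original post or from the university’s portal; the log format, the thresholds (5 failures in 5 minutes, 15-minute lockout, 20 failures to raise an alert) and the sample log lines are all constructed assumptions chosen for illustration.

```python
"""Defender-side counterpart to the single-account guessing described in the post:
a per-account lockout applied BEFORE the password is verified, and a detection rule
that flags the burst of failures such guessing leaves in the authentication log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values for this example; tune to your environment).
MAX_FAILURES = 5        # failures allowed inside the window before lockout
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked


class LoginGuard:
    """Per-account failure counter with lockout. Check allowed() before comparing
    the password so a locked account never reveals whether a guess was right."""

    def __init__(self):
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> epoch seconds

    def allowed(self, username, now):
        return self._locked_until.get(username, 0.0) <= now

    def record_failure(self, username, now):
        """Record a failed attempt; returns True if this failure triggered a lockout."""
        q = self._failures[username]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:  # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)


def login(guard, username, password_matches, now):
    """Returns 'locked', 'ok' or 'failed'. password_matches is a callable so the
    hash comparison is skipped entirely while the account is locked."""
    if not guard.allowed(username, now):
        return "locked"
    if password_matches():
        guard.record_success(username)
        return "ok"
    if guard.record_failure(username, now):
        return "locked"
    return "failed"


# Constructed log line format (an assumption, not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def flag_password_guessing(log_lines, threshold=20, window=timedelta(minutes=5)):
    """Usernames that saw at least `threshold` failed logins inside any span of `window`."""
    per_user = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["event"] == "LOGIN_FAIL":
            per_user[m["user"]].append(datetime.fromisoformat(m["ts"]))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def build_sample_log():
    """Constructed sample: 35 guesses on John.Doe spaced 200 ms apart (the cadence the post
    describes), then a success; plus two unrelated failures on another account an hour apart."""
    t0 = datetime(2014, 3, 3, 10, 0, 0)
    lines = [
        f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} LOGIN_FAIL user=John.Doe ip=10.0.0.5"
        for i in range(35)
    ]
    lines.append(f"{(t0 + timedelta(seconds=7)).isoformat()} LOGIN_OK user=John.Doe ip=10.0.0.5")
    lines.append(f"{t0.isoformat()} LOGIN_FAIL user=Jane.Roe ip=10.0.0.9")
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()} LOGIN_FAIL user=Jane.Roe ip=10.0.0.9")
    return lines


if __name__ == "__main__":
    guard = LoginGuard()
    print([login(guard, "John.Doe", lambda: False, float(i)) for i in range(6)])
    print(flag_password_guessing(build_sample_log()))
```

The guard counts failures per account rather than per IP, because the attack in the post targets one account and a per-IP block alone is trivially sidestepped; the detection rule is the same idea run after the fact, so a missing or misconfigured lockout still produces an alert.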

At this point I couldn’t help but feel a little betrayed. The only thing that was protecting students from a malicious attack was ignorance and lack of motivation. I am by no means a hacker. I’m a student who knows programming on an entry level, and I was able to break an accredited university’s password policy in under 30 minutes. This was a terrible injustice to my fellow students and was, to be frank, a complete joke. Thankfully my professor felt the same way. He then proceeded to write an email to corporate IT and the Dean of the campus telling them what we had just discovered.

Thankfully, since then additional security measures have been taken to prevent problems like this in the future, but honestly I’m upset that this happened in the first place. If somebody had done this before me with malicious intent, they could very easily have stolen the identities of countless students. And yes, while the users should be smart enough to change their passwords, 99% of people won’t do it unless they’re prompted. On top of that, they’re encouraged to keep their original password in order to make the lives of the helpdesk easier.
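The provisioning-side fix the post argues for, forcing a change on first login and refusing a replacement that still follows the issued schema, can be expressed as a small account policy. This is an added example, not the university’s or the post’s code; the `Account` record, the `must_change_password` flag and the 12-character minimum are assumptions for illustration.

```python
"""Provisioning policy: an issued password is single-use, and the replacement must not
match the initials-plus-four-digits schema the post describes."""
import re
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    must_change_password: bool = True  # set at provisioning, cleared only by an accepted change


def issued_password_regex(first_name, last_name):
    """Pattern of the issued password: capital first initial, capital last initial, 4 digits."""
    initials = (first_name[0] + last_name[0]).upper()
    return re.compile(rf"^{re.escape(initials)}\d{{4}}$")


def provision(first_name, last_name):
    """Create the account in the 'must change on first login' state (assumed policy)."""
    return Account(username=f"{first_name}.{last_name}",
                   first_name=first_name, last_name=last_name)


def reject_reason(account, new_password, min_length=12):
    """Return None if the new password is acceptable, otherwise a short reason."""
    if issued_password_regex(account.first_name, account.last_name).match(new_password):
        return "matches the issued initials+4-digit schema"
    if len(new_password) < min_length:
        return f"shorter than {min_length} characters"
    lowered = new_password.lower()
    if account.first_name.lower() in lowered or account.last_name.lower() in lowered:
        return "contains the account holder's name"
    return None


def change_password(account, new_password):
    """Apply the policy; clears the forced-change flag only on an accepted password."""
    reason = reject_reason(account, new_password)
    if reason is None:
        account.must_change_password = False
    return reason


def portal_access_allowed(account):
    """Everything behind the portal stays blocked until the forced change has happened."""
    return not account.must_change_password


if __name__ == "__main__":
    acct = provision("John", "Doe")
    for candidate in ["JD4821", "short", "johndoe-rules-2014", "correct horse battery"]:
        print(candidate, "->", change_password(acct, candidate))
    print("portal access:", portal_access_allowed(acct))
```

Note that `password_matches` style hash checks are deliberately out of scope here; the point is that a default-shaped password never survives the first login, which removes the 1-in-10,000 search the post relies on.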

While I can’t say I’m happy about how the situation turned out, I can say I’m happy it gave me something to add to my portfolio.


Author

Stetson Pierce

I work as a process engineer for KomBea Corp, where I perform general programming tasks and logical process development for various call centers. In my spare time I enjoy web design projects and hobbyist IT projects. I’ve started putting together an educational program to get kids in my state interested in Computer Science and Technology. I love the challenge that comes with undertaking new projects, and the feeling of accomplishment that comes along with them.
