I was a system administrator in a previous life, and one thing that a sys admin does is creating user accounts and passwords. My boss was joking that I was taking my duties a little too seriously, so I suggested we guess the CFO’s password.
Four guesses to get in. It was his wife’s first name.
Another job before that I found myself in a similar situation, showing the problem with their password guidelines. The password of a high-ranking officer was also guessed within minutes: golf. An avid golfer, it certainly gave us a starting point. It should have been my first guess, but I started with his kids. Priorities, I guess
First of all, I’ll mention that I had permission to test the password strength in both cases. I would not recommend trying to hack any account unless you have proper authorization.
These are both examples of simply guessing a password based on some basic knowledge of the person. A research (a.k.a. personal) attack can be as simple as guessing passwords based on something you know about someone. If the person is a hockey fan, you try favourite teams, players, or sport brand names. There are entire dictionaries that can automate these kinds of attacks. A text file with several million hockey related passwords could take minutes/hours/days to crack a password. Of course, there are many counter measures to these types of dictionary attacks, but those are for another time.
Imagine someone makes an application that has a bunch of fields like this:
- First name, last name, date of birth, place of birth
- Mother’s first name, last name, date of birth, place of birth, maiden name
- Father’s first name, last name, date of birth, place of birth
- Child’s first name, last name, date of birth, place of birth
- Pet’s first name, last name, date of birth, place of birth
- Home phone, address, fax, email, pager, cell
- Work phone, address, fax, email, pager, cell
- Auto details like license, make, model, colour
- Hobbies, social clubs, pastimes
- And so on.
They could rummage through your garbage (dumpster diving), take pictures of your house and car, look up information about you on the Web (don’t get me started!) or public records like the phone book, and plug in as much as they find. (If they are up on their social engineering and/or phishing, they have even more ammunition.)
Once they have harvested some basic data they could let the software generate different combinations, word/letter substitutions, etc. to create a list of potential passwords to try. The software could do a lot of work with very little research required.
Or, you can simply make some educated guesses. You would be sadly surprised at how often this works.