2005-04-19

one letter passwords

I was listening in on a conversation on passwords the other day. One of the people in the conversation mentioned that they knew someone whose password was "A". Just the one letter. And there was a conjecture that maybe that was a really hard password to guess since most people would think 3 was short and no one would think that anyone would use a one-letter password. This was for Windows login passwords, so it's not something that would normally be attacked via brute force somehow, although in an organization with lax password controls the same password might also be used for email, file shares, etc., in which case the situation suddenly becomes worse.

Anyway, I thought about that a bit, and yesterday the refutation came to me. A one-letter password is a dead giveaway because it's so easy to shoulder surf. It's not even necessary for the shoulder surfer to actually see what's being typed. It's sufficient to see that only one character was pressed. After that, it would be trivial (in the lax organization; more security-conscious organizations would have failed-password limits and timeouts) to try all the single printable characters on the keyboard and log in.
