Monday, March 07, 2011

Tell me your password...

And I'll tell you who you are, where you work, and what kind of work you do. Not that you would ever lie about your password of course. :-)

I saw an online article on March 4 at Computerworld Norway, entitled "Bryter seg inn i norske bedrifter" (Google translated to English). At a recent security seminar held by Norwegian ISF, a previous colleague of mine held an interesting presentation. Read the 2-page article at Computerworld first, notice some of the statements from Christian Jacobsen (now at Secode).

Although his presentation was on social engineering, he mention seeing passwords that can somewhat identify what type of organisation they originate from and things like gender balance among employees. A high percentage of men will show "men" words (hunting, fishing, sports), while with women one will see names of children, birth dates and names of spouses.

Of course I'd like to challenge Christian with "show me some proof, or at least some statistics!".

I've thought about doing word analysis related to gender, age, type of position/role/organisation etc myself, and now I see that I've got to move forward on this subject. I've got data to analyze on this, and then some.

As for the readers of this blog, if any, do you have or know about any statistics ever done on something like this? And please, no questionnaires or simple surveys but hard facts based on real data?

It's late. Time to sleep. Good night.

1 comment:

  1. Christian JacobsenMarch 8, 2011 at 1:16 PM


    First of all, I believe that, in many cases, the assumption I made to CW is correct: a persons password often tells us something about that person, if the person has chosen the password themselves. This is a personal observation, made by me and my colleagues.

    However, as one would be right in pointing out: this is an obvious generalization and is of course not applicable to all, but to what I believe is a majority, or on general terms at least a representative minority, of «regular users».

    For the last two years, we have harvested several hundred Norwegian user names and passwords as a part of Social Engineering testing. I'm afraid I can't give out details to what, who, when or how, and of course I'm bound by confidentiality agreements preventing me from disclosing the actual passwords (to avoid any unnecessary confusion: harvested passwords are always reset immediately afterwards).

    As for general statistics, however, I hope we can provide you with an update in May :-)


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.