
I deduced my dad's password when I was a middle-schooler. The uni micro had a teletype and although it did not echo password characters, if you mistyped your password, it would print the mistyped password, and knowing a bit about my dad, I could figure out what the correct password was. I logged in and sent him an email reminding him to use a better password.





Our high school's library computer (in the 90s) logged failed log-ins in a file readable by anyone. Just the username, not the attempted passwords, but the return key on that computer was not reliable and a very common error was that the return key didn't register leading to "usernamepassword" being in the log.

I watched a variation on this in a lecture hall, when the head of school attempted to log into the system and typed UsernamePassword into the username field with a big projector running.

That's just a bad system design, not your dad's fault really:

"Your password 'huntet2' is invalid"

unless the password is just random characters, anyone can guess how it was mistyped.

Hell, even if it was just random characters, one could just assume that it's one character-off from the real password, and try shifting each character around.


To be precise, in the case of a patterned password (i.e., dictionary word or something a human can recognize), it leaks all but about 2-3 bits, assuming the human can work out the most likely mistake as in your example, and we assume it's a simple error like a nearby key or simple character flip.

If it's a random password, it may still leave 2-3 bits per character as it becomes much harder to know where the error is (e.g., if "j9^vl4JO" is wrong, what is the correct password?), but if you have your hands on two independent errors, which is reasonably likely, that pretty much collapses to 1-2 bits tops even in the random case (e.g., if you also have "k9^vl4JP" that pretty much nails it down to either the first and last being "j P" or "k O").

It is a truly terrible idea!


>e.g., if "j9^vl4JO" is wrong, what is the correct password?

Shouldn't that remain utterly trivial to brute though? If we're assuming all the standard face keys+shifted, I think that's 94 characters. If it's fully unknown then search space is 94^8 or about 6E15, not good but if it's an adaptive hash sizable. But if it's only a one character error, wouldn't you just brute through each of the 8 one by one with only 94 each? That'd reduce it to just 752 possibilities at worst which is so low someone determined could even do it by hand, even ignoring any obvious psychology like the likelihood that the special character isn't the mistake and probably the only special character too.

Certainly not quibbling that it's an awful idea. I don't even like "password hints" so many systems still seem to have, they should be random!
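As an added illustration (not code from any comment in this thread), the search-space reduction the two comments above reason about: the single-wrong-key error model, the candidate set left by one leaked typo, and the collapse when two independent typos are intersected. The 94-character alphabet and the sample strings are taken from the thread; the 744 count excludes the typed string itself, which is known to be wrong.

```python
"""Added example (not from the thread): how much a leaked mistyped password
narrows the search, under the thread's single-wrong-key error model."""
import math
import string

# The 94 printable ASCII characters (the thread's "face keys + shifted" estimate).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
assert len(ALPHABET) == 94


def single_substitution_candidates(typed: str) -> set[str]:
    """All passwords that differ from the leaked string in exactly one position.

    Error model from the thread: the user hit one wrong key, so the true
    password has the same length and differs in exactly one character.
    Transpositions, insertions and deletions are deliberately not modelled.
    """
    candidates = set()
    for i, wrong_char in enumerate(typed):
        for c in ALPHABET:
            if c != wrong_char:  # the leaked string itself is known to be wrong
                candidates.add(typed[:i] + c + typed[i + 1:])
    return candidates


def candidates_from_leaks(*leaked: str) -> set[str]:
    """Intersect the candidate sets of several independently leaked typos.

    The true password is within one substitution of every leaked string, so
    only strings in every neighbourhood survive.
    """
    sets = [single_substitution_candidates(t) for t in leaked]
    return set.intersection(*sets)


def remaining_bits(candidates: set[str]) -> float:
    """Entropy left to guess, in bits (log2 of the candidate count)."""
    return math.log2(len(candidates))


if __name__ == "__main__":
    full = 8 * math.log2(len(ALPHABET))  # a truly unknown 8-char password
    print(f"no leak: {full:.1f} bits")
    one = single_substitution_candidates("j9^vl4JO")  # sample typo from the thread
    print(f"one leak: {len(one)} candidates, {remaining_bits(one):.1f} bits")
    two = candidates_from_leaks("j9^vl4JO", "k9^vl4JP")  # second sample typo
    print(f"two leaks: {sorted(two)}, {remaining_bits(two):.1f} bits")
```

One leaked typo takes an 8-character random password from about 52.6 bits to 744 candidates (about 9.5 bits); the second typo from the thread leaves exactly the two candidates the comment identifies, j9^vl4JP and k9^vl4JO.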


Yes. I'm just demonstrating with an example that a less structured password is less damaged. It is still something I'd consider "burned" in real life, though.

You don't think the special character could be a mistake?

Seems plausible the correct password might be j(6vl4JO...


>You don't think the special character could be a mistake?

Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.

Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway, hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to be clever with passwords rather than just generating something fully randomized.


My dad's fault was to bring the printout home and leave it in a public location.

Even better if you can find it mistyped two different ways.

>if you mistyped your password, it would print the mistyped password,

That's incredibly useful. Stand next to someone, casually chatting, while they enter their password. Just before they hit [ENTER], stab a key -- say, a 'z'. Boom, it prints their password with an extra 'z' at the end.

Sure, they'd be aware of it and likely change their password. But still. A more common use case would be to hang around and wait for them to inevitably typo the password. If you see that enough, you'll get a really good idea about what it's supposed to be, or at least give you enough of the password to make figuring out the missing part trivial.


I've never done anything malicious with the knowledge, but I've totally learned people's passwords just by watching their fingers type. I make an effort to have passwords that would be difficult for a human to nail down while watching them typed quickly in real time. The ubiquity of cameras has me reconsidering input and/or authentication mechanisms, though.

One good thing about using dvorak I guess

At one point I considered learning Dvorak and then having a password that was using the Dvorak key layout but on a Qwerty keyboard.

But I only made it maybe a month into my Dvorak-learning efforts. Just not enough benefit for the added hassle.


Especially with blank caps; securing keys through obscuring keys.

I remember guessing the admin password of the router back in high school so I could port forward a Minecraft server

It makes me happy to read this. I cracked the admin pass at my school for a really trivial reason, I think I wanted to adjust the audio panning. By default it was set 80% left to compensate for the school's cheap headsets.

Possibly, I also wanted to disable the spyware / remote access they had on all the computers. There's no experience quite like having your control of the mouse cursor taken away by an invisible, omnipotent sysadmin. Hilariously, they wouldn't even run a logout command remotely, but actually go to the start menu to do it, I think to make a point.



