Offensive Passwords

IANAL, all comments are mine, don’t reflect views of any employer, etc. This should go without saying, but this topic requires an extra callout. Also, this is inspired by a conversation on Twitter, not by any incident, real or imagined.

Yes, somebody may actually read your work password in plaintext some day. And, yes, you may be held accountable for what it says.

Image credit: https://hullabaloo.co.uk/blog/passwords-6-tips/

There’s a certain incorrect mystique that corporate employees have towards their passwords. I’ve seen this in numerous organizations, first and second hand, and even espoused it myself at some point. The thought goes like this: “Passwords only work if they’re confidential, therefore, nobody (including my employer) can or will ever see the plaintext contents of my password.” Turns out, that’s patently untrue, and in several cases could become quite unpleasant for you.

Starting over a decade ago, the IT security stalwarts told system designers not to store passwords in plaintext, because … duh … anyone who reads the stored passwords can just use them nefariously to impersonate others.

Then the experts said “while you’re at it, don’t use reversible crypto for password storage either,” because, well, an attacker who can read the database of encrypted passwords probably can find the decryption key sitting in a config file right next to the database connection details, and just unlock the passwords. Again, duh.

So, we started hashing passwords everywhere. Then salting those hashes, because … rainbow tables. Somewhere along the line, our user base began to think that plaintext passwords don’t exist any more. They’ve been replaced with magic-crypto-fairy-dust.™

When you type your password into your operating system’s login prompt, a browser, or wherever, each keystroke results in a character of your password being allocated in the computer’s memory (RAM) for some moment in time. Turns out that “moment” could be a duration measured in milliseconds, or it could last until the computer reboots. That’s why handy little tools like Mimikatz (Windows), Keychaindump (macOS), and now Mimipenguins (Linux) are interesting: they demystify this notion and present your plaintext password, the same version your employer’s computer sees, to an attacker or a security engineer.
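The storage progression described above (plaintext, then unsalted hashes, then salted and iterated hashes), as an added illustration that is not code from the original post; the sample users and passwords are constructed. Even the correct version has to receive the plaintext candidate at login time, which is the point of the paragraph above.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
# Two users share a password on purpose, to show what each storage scheme leaks.
USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}


def store_plaintext(password: str) -> str:
    """Anti-pattern 1: anyone who can read the store can log in as the user."""
    return password


def store_unsalted_hash(password: str) -> str:
    """Anti-pattern 2: a single SHA-256 round with no salt. Equal passwords
    produce identical records, and a precomputed (rainbow) table applies."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_hash(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. A random per-user salt means equal
    passwords hash differently and precomputed tables are useless; the
    iteration count slows brute force against a stolen record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time.
    The verifier necessarily handles the plaintext candidate here, so it is
    in RAM for at least the duration of this call."""
    _alg, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_collide(store_fn, users=USERS) -> bool:
    """True if two users with the same password end up with the same record,
    i.e. the store reveals password reuse (and invites table lookups)."""
    records = [store_fn(pw) for pw in users.values()]
    return len(set(records)) < len(records)
```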

So if your password is a declaration of a racial epithet, how much you hate your boss, how you plan on inciting workplace violence, where you buried bodies, or any other embarrassing, illegal, or offensive subject or idea, go change it. Today. Right now, even before you finish reading this.

If an attacker (whether simulated by a red team or an actual adversary who breaches your employer’s systems) dumps your password, you may be held accountable for what it says. Yes, a plaintext version of your work password should be treated respectfully and professionally by IT, if uncovered. However, a “professional” reaction to your password may be to contact Human Resources or some other mandatory reporting hotline. Don’t plan on saying “But, you’re not allowed to see my password” when you probably click through logon banner messages or attend periodic policy compliance training that informs you regularly that “information you put into a work computer belongs to your employer” (or however the attorneys phrased it). This “my work password is private” argument is not going to fly. So, don’t try it.

Also, in any given enterprise, an average user’s password is likely in plaintext in RAM in a dozen computers per day, and some enterprises still support systems that unfortunately pass those passwords across the network in plaintext or write them to disk in plaintext. Somebody just might see it in one of those places, and no, it’s not EvilCorp with privacy infringement policies. It’s just how passwords work, even still in 2017.

“But I also use that same password to access my personal email, bank account, or social networks!” First, knock that off. Go (as in right now, you can read this later…) change all of those passwords, don’t reuse the same password anywhere, and sign up for two-factor authentication (one-time login codes sent to your phone) for the apps that support it. If a rogue employee, e.g. an IT administrator, sees your plaintext password and reuses it on those other apps, they can take over those accounts. We would all like to think we don’t work with people who might go rogue one day, but unless you work with people who aren’t human … you already know how this sentence ends.

Then there’s the worst case: your employer gets breached and the attacker publishes a dump of all user accounts and their passwords on some dodgy part of the Internet. When that happens, it will be out there for everyone to see how [Company X] has employees with offensive passwords. That’s on top of the PR nightmare of dealing with the breach itself. Don’t be “that guy” on “that list.” Respect your employer if they request that you choose passwords that meet certain complexity criteria, plus do not contain “offensive language.” Consider how you might just be making some poor PR chap’s life a lot easier some day.

If your employer doesn’t remind you to choose non-offensive passwords, choose non-offensive passwords anyway. Nobody wants to be the guinea pig that forces the new policy.

You never know — the plaintext version of your password just might end up as evidence in a deposition one day — quite possibly as public record for everyone to read.

Make your mom proud: don’t pick an offensive password.