Tuesday, February 6, 2018

Dolphins

Recently I’ve done some harmless trolling. I’ve opened a PR to SecLists to remove “my password”, “dolphins”, from all of the common-password lists. Or, in simple English: there is a public list on the internet of the most common passwords people use, and I’ve asked them to remove the password “dolphins” from all of the lists so hackers won’t be able to hack my account. Of course this is ridiculous, and that’s why it’s funny :)
Anyhow, the post got more attention than expected.
Most surprisingly, the recent Meltdown paper at https://meltdownattack.com/meltdown.pdf contains an example of stealing browser passwords, and one of the passwords is "Dolphins". I wonder whether it's a strange coincidence or whether the author was impressed with my PR.
I would like to explain here how I got to this silly idea. From time to time, I consult developers and admins about security. Whenever we talk about passwords I have a few guidelines, such as using 2FA everywhere. I always advise checking whether the password appears in any of the lists in the SecLists GitHub project. Clearly, if you find your password there, it's not a good enough password.
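Here is what that check looks like in practice, as an added example that is not part of the original post and not code from the SecLists project. It loads one or more wordlists (the two lists below are constructed samples with made-up file names; in real use you would point it at files from the SecLists Passwords directory) and reports, per list, whether the candidate password appears exactly or only after ignoring case, since many of those lists mix capitalizations.

```python
from typing import Dict, Iterable, Set

# Constructed sample wordlists standing in for real SecLists files.
# The file names and contents are made up for this example.
SAMPLE_LISTS: Dict[str, str] = {
    "sample-list-a.txt": "123456\npassword\ndolphins\nqwerty\nletmein\n",
    "sample-list-b.txt": "# comment line\nDolphins\nwelcome\nabc123\n\n",
}


def load_wordlist(text: str) -> Set[str]:
    """Normalize one list: strip line endings, drop blank and comment lines."""
    words: Set[str] = set()
    for line in text.splitlines():
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        words.add(line)
    return words


def load_wordlist_files(paths: Iterable[str]) -> Dict[str, str]:
    """Read real list files from disk into the same {name: text} shape."""
    lists: Dict[str, str] = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            lists[path] = fh.read()
    return lists


def find_in_lists(password: str, lists: Dict[str, str]) -> Dict[str, str]:
    """Return {list_name: match_kind} for every list containing the password.

    match_kind is "exact" when the password is present verbatim and
    "case-insensitive" when only a differently-cased variant is present.
    """
    hits: Dict[str, str] = {}
    for name, text in lists.items():
        words = load_wordlist(text)
        if password in words:
            hits[name] = "exact"
            continue
        # Attackers routinely try case variants, so treat those as hits too.
        if password.lower() in {w.lower() for w in words}:
            hits[name] = "case-insensitive"
    return hits


def is_common_password(password: str, lists: Dict[str, str] = SAMPLE_LISTS) -> bool:
    """True if the password appears in any list in any capitalization."""
    return bool(find_in_lists(password, lists))


if __name__ == "__main__":
    for candidate in ["dolphins", "DOLPHINS", "correct horse battery staple"]:
        print(candidate, "->", find_in_lists(candidate, SAMPLE_LISTS) or "not found")
```

The check is only as good as the lists you feed it, so use the full SecLists files rather than the samples above, and treat any hit, including a case-insensitive one, as a reason to change the password rather than the list.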
Recently I found myself guiding a SysAdmin who didn’t seem like the brightest tree in the forest. As a security researcher, that got me thinking, again, about what could go wrong. When I imagined that person trying to solve his problem by removing the password from the lists instead of changing it, I thought it was so hilarious that I had to do it.
Apparently, GitHub users liked it too, and the PR got too many comments. Sometimes when I try to load the comments page of the PR I get:

If you appreciate the joke, please approve the PR to help me make sure it's the most approved PR on GitHub (https://github.com/danielmiessler/SecLists/pull/155).

Cheers,
Assaf