Locks and passwords are social agreements more than effective barriers to access.

Two different times passwords did not stop me:
In reverse chronological order we have incident number one:
This first story takes place about 20 years ago or so (statute of limitations: 5 years).
I had this patch I bought from ThinkGeek that looked like a name patch someone at a service station would wear, except it read “Hacker”. It was sewn on the chest of a brown Dickies brand work shirt. I was at a mall and went in Hot Topic. A snot-nosed (script) kid(die) working there sees my shirt and asks in a condescending tone, “Are you a REAL hacker?” I admit I was taken aback, but answered in the affirmative, which was met by an eye roll. He clearly didn’t believe me.
So I broke into his email account.
See this was before I got into therapy and worked on my anger issues. It wasn’t the first time someone doubted my “M4D 5K1LL5” which led me to demonstrate them on the doubter. But see this was about 5 or 6 years into me hanging up my black hat when I became a parent and realized the risk of prison was not worth it. But this was also not the first time falling off the black hat wagon. I thought it was just one email account and my ego was bruised. After reading his email, I went back to the mall and when I saw him, I let him know the personal details about his life I learned. His attitude shifted immediately. He became an admirer. He tried to impress me with his script kiddie exploits. He wanted me to teach him (I never did). So here is the secret sauce: how did I get his password?
Simple, he told his ex-girlfriend his password when they were dating and she told me. Weak link: human failing.
Story 2:
Back in the dial-up days around 35 years ago (statute of limitations 5 years), when I still was a skid and looking for someone to teach me, someone on a hacker BBS gave me the assignment to wardial the exchange an electronic appliance store was on and “see what I could find.”
I found a few interesting systems but one that intrigued me was just this LOGIN: prompt on a terminal my software could not quite emulate correctly that would allow infinite attempts but anything I tried would just give me the LOGIN: prompt again. I tried a few defaults of the era and no luck.
One day I was at a record shop and I ran into one of my computer nerd friends from my high school days. We caught up and we walked back to my place so I could show him some of the stuff I was working on while attending TechSchool™️. After showing him some coding projects I had done I turned on my modem to show him this “weird system” I had found. Upon seeing it, my friend said, “wait a minute” and typed in his name. Then something happened I never encountered before with this system, a PASSWORD: prompt.
He typed in something too fast to shoulder surf and got in! Followed by a millisecond later saying “oh shit!” and disconnecting.
“Johnny, lose that number. You don’t want to mess with this, that’s a government system.”
I knew my friend got some job with “the state” and I found a system he used.
I assured him I would leave it alone, but really I was more determined than ever to crack this system. I finally had the login schema: first names.
With some experimentation, I learned names associated with an account would follow with a PASSWORD: prompt. No account? Get LOGIN: again.
So I started guessing names and noting which ones had accounts. While wracking my brain and memory for names I just started doing characters from TV shows. Greg, Peter, Bobby, Marcia, Jan, Cindy and so on. Some would be accounts, most would just give me LOGIN: again. Then I got to Leave it to Beaver: Theodore, Wally, June, Ward…
Ward was a hit, but instead of a PASSWORD: prompt, it logged me in and I had full access.
The secret sauce: Ward didn’t bother with a password!
The first thing I did was find and send the user list to my printer, and went down the list testing each account and found a few more that didn’t bother with a password.
It turned out to be a messaging and scheduling service for some organization that I wasn’t sure what they did. I never vandalized or deleted anything, I just poked around following my curiosity and having cracked it, lost interest and didn’t login again…
UNTIL many years later as a new parent we got referred to this state program that had a familiar name. It was the same agency I had cracked as a skid, and here I was barely a year or two in my retirement from Black Hat Shenanigans. I just had to see if it really was it.
I dug out my old hard copy “hacker files”, found the notes and printout of accounts, and dialed in. I got met with a familiar LOGIN: I typed “WARD”; he still had an account and still didn’t have a password.
I looked ourselves up and read our files and saw that I had access to our worker’s calendar.
I realized I could schedule our own appointments for whenever we wanted. But I didn’t. I still had a “leave no trace” rule. I disconnected and with curiosity sated, I never dialed that number again.
END OF LINE
This article originally was a thread on Bluesky.