This is purely hypothetical… un-proven, and simply my own mind at work. I have no stats to back up my claim, nor pretty graphs. I have not tried this, and will not try this. I am purely doing a brain dump and hope some people enjoy.
I’ve been one of those people that are arm-chair psychologists… thinking you know how different people act and think (when you really don’t). Usually grouping people into stereotypes (albeit it un-PC – it tends to be true… even though I am usually wrong).
I’d also like to make a disclaimer that I love the UFC, so what I am going to write below is purely hypothetical, grouping people into stereotypes is wrong an unfounded. No insults are intended for anyone. I only picked UFC because I love it, and know more about the fighters than I would any other ‘celebrity’ (which this theory would also work on, maybe even better)
As IT security professionals, you often laugh at some people’s passwords. In fact, there have been very good recent ‘analysis’ on password dumps online (complete with pretty graphs and pictures). It seems stupid to us, because we ‘know what we are doing’ (as IT professionals… well I would assume so). But for a normal user – password complexity is not a priority (if not a hindrance for social productivity i.e throttling the speed in which you can post about what you got your puppy for Christmas).
Repeat this again… “But for a normal user – password complexity is not a priority.”
With that in mind – think for a second about celebrities on TV. It might be ‘Pauly D’ from Jersey Shore, it might be the ‘Fat Kardashian’ or it might be ‘Iron Mike Tyson’. As you sit on your couch, inhaling junk food, laughing at the glowing box in front of you, you start making witty remarks like ‘they are so stupid’… and ‘my god I can’t believe they get paid for this’. (the fact that you are wasting away in front of the telescreen… living vicariously through others never enters in to your head)
Repeat this again… “they are so stupid’… and ‘my god I can’t believe they get paid for this.”
With that also in mind; Using the art of stereotyping (which I have been shunned for doing), one would ‘assume’ that these type of celebrities are dumber than the average Joe. The average Joe was the guy we were laughing at for having a shitty password, remember? (If you thought IT issues were a low priority for the average Joe, imagine what it would be like for a popular, socialising, B-Grade celebrity.)
Hopefully by this point you will start picking up what I’m putting down.
**Player 2 has entered**
The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion. http://www.darknet.org.uk/2009/01/the-associative-word-list-generator-awlg-create-related-wordlists-for-password-cracking/
There are a few of these tools available online, but the above is an example. There are scripts that will scour the Internet (or blogs, public profiles on social networks that you specify) and input every word into a text file, which you then use when attempting to crack/break in to accounts due to the high probability of someone using a password to something they have posted online (This strategy has been proven to be very useful when attacking ‘the average Joe’ due to their ‘shitty passwords’ which are usually ‘something to do with their life’ which they will probably ‘have online for all to see’.)
Holding that thought…
**Player 3 has entered**
I always wanted to be a professional fighter when I was younger… but then I hit primary school and accidentally developed a brain.
But using some profiling (or un-founded stereotyping) of ‘jocks’ or ‘muscle heads’ – think for a second about what that jocks password could be? Could it be the name of his college football team with a number at the end? Could it be the name of his pit-bull? Maybe the license plate on his Ford Mustang? Maybe something to do with sexual prowess and conquests?
Probably not…but maybe? By using profiling and stereotyping on various groups of people, you will dramatically increase the chance of success of guessing a right password. (Provided the victim is indeed that stereotype and not smarter than he appears)
So with the above example… if one was to use a tool like AWLG (listed before) – which you set to scan the victims public twitter feed, personal blog, all web sites relating to him, all associates, friends and family, news articles, high school/college websites, employer’s website… using these tools and some mangling… I think your chance of getting that password is pretty damn good. – Provided he matches my un-founded stereotype and isn’t secretly an IT security enthusiast by night.
Another stereotype of testosterone driven males is ‘ego’. I once saw a member of the IT team with a domain admin password of ‘ITPRO2007’… IT PRO? REALLY??? So when you have an ego… your password (stereotyping) will follow close by.
Do you think Brock Lesnar’s password would be ‘Molly’ or ‘Beast’? ‘Bitch’ or ‘Boss’? (Brock doesn’t actually tweet himself, so it won’t work on him – more on that later). Truth is if I was a betting man, I’d think his password would be related to his family and home town. This is only due to seeing him on TV and documentaries, and with that building a picture of what sort of personality he has. He recently announced his retirement from UFC due to health issues, and was about crying when talking about his wife and kids… then the TV showed him being a family man on his country farm. Maybe his password could be one of those? Wife… kids… farm… name of his gym (all of these would be picked up by scouring websites related to Brock). Shoot off a tool and make a wordlist based on those assumptions and find out. (Don’t actually do that – it’s just hypothetical).
I even checked Brock’s twitter feed out of curiosity when I was writing this post… but it was obvious Brock’s feed is being handled by a marketing agency/manager and not himself personally – so it would not apply.
Then I stumbled across my homie ‘Sugar Rashad Evans’. This guy is a spectacular athlete, but I just don’t like him for some reason. So I use him as an example.
Unlike Brock, Rashad does his owns tweets… as is pretty obvious in the below image:
So if you are playing along at home… by looking at his language… where he is from… what type of person (and ego) he has… do you think he would be using complex passwords? Do you think he looks smarter than the average Joe? (You could even go so far as using mangling rules to replace normal characters in words with ‘homie speak’ like above for better results).
With everything said… do you also think there would not be a good chance these ‘targets’ wouldn’t use the same password for most of their online services?
If you are still reading this… and think my stereotypes or politically incorrect and unfounded (which they are)… I intrduce to exhibit B.
More Americans Google ‘Gang Violence’ than any other country.
In Australia… bogans do more searches for ‘Muscle Cars’ thean the rest of the world
The next one speaks for itself…
So although using stereotypes for people is politically incorrect, when you have a mind of a criminal (which I don’t) – results will appear. That was a random thought I had in my head, and I put to paper. Obviously this goes deeper but I feel that I don’t need to hold people’s hands when using their own brains. Hope somebody enjoyed!