Why settle for (stealing) one password?

This is just a quick thought I had at work today – actually, I had it in November, but just got around to posting it now. Common story, but eh? Anyway, I was having trouble logging into our issue-tracking solution today in November. It had been awhile since I’d logged in, since I generally go through the Helpdesk to raise issues, so I wasn’t sure exactly what I used for a password. So I tried my throwaway password I use for useless work stuff, but it didn’t work. So I tried another throw away password, and another. No luck. Then I reset it and life moved on.

My point? If you’re an attacker and want to collect passwords for internal systems, even if you only have hashes, replace the passwords and start logging requests. I’ll bet people try the same password twice, then a couple others. Suddenly, you have a bunch of passwords to try on other systems. You might even get a couple varied usernames.

Of course, that can be considered evil. But eh?

Comments