Recently I have been researching social engineering and have chosen to write a bit on company policies on passwords, the upkeep of them and the sharing of them.

I have already written on the do's and don'ts for keeping your password, e.g. "Don't reveal a password in an email message." But I want to look more into how users remember their passwords, e.g. memory techniques, and how companies view these techniques, etc.

Many companies have the password written down or stuck to the monitor.

Hahaha, I know, but I'm hoping to write a paper on social engineering and want to focus on the human element involved with business systems, so anything will help :)

Funny you talk about this. I recently attended a week-long course sponsored by the EC-Council on Certified Ethical Hacking, and one of the big points was just this. Basically we learned that you can weasel very sensitive information out of almost anyone in a company, including people who should know better. To give an example, our teacher had me call the office where we were attending class to try and get the network admin's name, gateway IPs or anything that would be useful to hack in. Mind you, the person I talked to was one of his best friends. By simply calling and saying:
"I'm Daniel from Microsoft. Chad and I were working on a problem with your firewall and I want to check if the problem is solved. Can you run tracert for me and read off the output until I say stop."

Of course, since I said I was from Microsoft, he did it and gave me their internal IP structure as well as their gateway and service provider IPs. Basically everything I needed to get started.

Another technique is to find ex-employees. If they were fired, or even some who quit, they can be very open about the company's technologies, such as passwords or more. If they were a network admin, maybe their account wasn't even disabled or removed?

Other methods are simple. Our college gives all students an initial password of their student ID number, which can be found on any student's ID. So that's not very secure. My passwords are all common words or names that mean something to me, but with changes. Maybe I use leet speak on one password, like this: r@g0u7 = ragout

Another good method is appending and prepending. Say my password is mydog; I could make it more secure by doing this:
Two things I can remember, area code and 911. Then leet speak the password and it's harder.

Most people pick passwords that mean something to them, not just random ones like I prefer to do: children's names, their name, a picture on their desk, a phone number. Things like that. The best password should be about 14 characters long, leet speak and completely random. I have used things that just happened to be in the room. I've done Procell because a Procell battery was there, or DeadEyes because a book named that was there.

Hope that helped. If you want any more, I could do more on social engineering overall and not just based on passwords.
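As an added illustration of the leet-speak and append/prepend recipes discussed in the post above (example code written for this thread, not something any poster provided), the Python below scores a password two ways: the naive way a policy checker does it (length times character classes) and the way a guesser who already knows the recipe "digits + leet-substituted dictionary word + digits" would. The tiny wordlist, the assumed dictionary size of 100,000 words, the leet table and the 555 area code are all constructed assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking wordlist (assumption: a real checker would
# load a full dictionary). ASSUMED_DICTIONARY_SIZE is the size the guesser is
# assumed to have, also an assumption.
WORDLIST = {"ragout", "mydog", "password", "procell", "deadeyes"}
ASSUMED_DICTIONARY_SIZE = 100_000

# Leet substitutions the guesser is assumed to try. Each letter of a word that
# has a substitute doubles the number of variants (substituted or not).
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}
LEET_LETTERS = set(LEET_MAP.values())


def unleet(text):
    """Map leet characters back to letters, e.g. 'r@g0u7' -> 'ragout'."""
    return "".join(LEET_MAP.get(c, c) for c in text.lower())


def charset_size(pw):
    """Size of the alphabet a naive checker assumes from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def naive_bits(pw):
    """Bits a policy credits when it only counts length and character classes."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def structural_bits(pw):
    """Bits left once the guesser knows the recipe (digits)(leet word)(digits).

    Every split into an all-digit prefix, a core and an all-digit suffix is
    tried; if the un-leeted core is a dictionary word, the search space is
    dictionary size x leet variants x digit choices. If no split matches, the
    password is treated as random and scored naively. Never exceeds naive_bits.
    """
    n = len(pw)
    best = naive_bits(pw)
    prefix_digits = n - len(pw.lstrip(string.digits))  # longest digit prefix
    suffix_digits = n - len(pw.rstrip(string.digits))  # longest digit suffix
    for i in range(prefix_digits + 1):
        for j in range(n - suffix_digits, n + 1):
            if j < i:
                continue
            core = unleet(pw[i:j])
            if core in WORDLIST:
                leet_positions = sum(1 for c in core if c in LEET_LETTERS)
                digits = i + (n - j)
                bits = (math.log2(ASSUMED_DICTIONARY_SIZE)
                        + leet_positions
                        + digits * math.log2(10))
                best = min(best, bits)
    return best


def random_password(length=14):
    """A password in the style the post recommends: random across all classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # "555" stands in for an area code (constructed); 911 as in the post.
    for candidate in ["r@g0u7", "555mydog911", random_password()]:
        print(f"{candidate:20s} naive={naive_bits(candidate):5.1f} bits "
              f"structural={structural_bits(candidate):5.1f} bits")
```

Running it shows the gap a class-counting policy hides: r@g0u7 looks like roughly 36 bits to a naive checker but is under 20 bits to a guesser who tries leet variants of dictionary words, and 555mydog911 drops from about 57 bits to about 38. The 14-character random string scores the same either way because no split of it un-leets to a dictionary word, which is the point the post makes about random passwords.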

I use a different password on each site, forum, blog or service. Good ol' paper and pen and you don't get in trouble.
