Password protected email correspondence

Friday evening there was an email from the bank with a document in attached password-protected archive. The new security rules “for our safety” require that bank officers never send potentially sensitive information to outside world without reasonable security measures. Makes sense? At the same time the protection is nothing but a burden to both sender and receiver, especially that both personnel and perhaps most of the customers have not faintest idea about communication security.

So what my bank does is the following. No they hardly know about certificates and things like email encryption, PGP etc. They use RAR to password protect a document and then attach the archive to the email. The recipient is supposed to communicate over different channel, such as over a phone call, and obtain the password to decrypt the contents.

Having received the document off the business hours, I was curious as for complexity of the chosen password. Yes I would call on Monday, but curiosity won at that time and the thing I was absolutely sure of was that the password is ridiculously simple and the whole safety is a fiction. Because there is a great deal of clients who can barely write down the password spelled on the phone because they are not familiar with Latin alphabet in first place. Then they might be messing characters that look or sound similar, put them in wrong case etc. And they are still respected customer the bank has to deal with. Now from the standpoint of bank clerk it is a pain to deal with a set of passwords so it is highly probable that in order to minimally meet security requirements, the person and even the whole department would apply the same password onto all the outgoing correspondence.

A dozen of obvious attempts with 1, 123, 111, 1234, 12345 did not work out well, so I scheduled brute force analysis tool to crack the thing.

It did not took much of time actually: the password was 111111.

Leave a Reply