Password requirements can be complicated. Some minimum and maximum number of characters, alpha and numeric characters, special characters, upper and lower case, change frequency, uniqueness over the last n passwords, and different rules for different systems. It’s enough to make you revert to a Post-it in your desk drawer to keep track of it all. Some companies have brilliant employees who feel that they can do better, and so they create a way to figure out the password for any given computer – so you need to neither remember nor even know it.
History does not show who created the wizard algorithm, or when, or what they were smoking at the time.
Barry W. has the misfortune of being a Windows administrator at a company that believes in coming up with their own unique way of doing things, because they can make it better than the way that everyone else is doing it. It’s a small organization, in a sleepy part of a small country. And yet, the IT department prides itself on its highly secure practices.
Take the password of the local administrator account, for instance. It’s the Windows equivalent of root, so you’d better use a long and complex password. The IT team won’t use software to automate and keep track of passwords, so to make things extremely secure, there’s a different password for every server.
Here’s where the wizard algorithm comes in.
To determine the password, all you need is the server’s hostname and its IP address.
For example, take the server PRD-APP2-SERV4 which has the IP address 18.104.22.168.
Convert the hostname to upper case and discard any hyphens, yielding PRDAPP2SERV4.
Take the middle two octets of the IP address. If either is a single digit, pad it out to double digits. So 22.214.171.124, which yields 8010.
Now take the last character of the hostname; if that’s a digit, discard it and take the last letter, otherwise just take the last letter, which gives us V.
Now take the second and third letters of the hostname and concatenate them to the 8010, and then stick that V on the end. This gives us 8010RDV.
Now take the fourth and fifth letters and add them to the end, which makes 8010RDVAP. And there’s your password! Easy.
It had been that way for as long as anyone could remember, until the day someone decided to enable password complexity on the domain. From then on, you had to do all of the above, and then add @!#%&$?@! to the end of the password. How would you know whether a server has a password using the old method or the new one? Why, by a spreadsheet available on the firm-wide accessible file system, of course! Oh, by the way, there is no server management software.
Critics might say the wizard algorithm has certain disadvantages. For one, two people given the same hostname and IP address often come up with different results for the algorithm. Apparently, writing a script to figure it out for you never dawned on anyone.
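As an added illustration of the critics’ point (example code, not part of the original story): the rules as written admit more than one reading, and putting them in a script makes the disagreement visible. Assumed here are the two underspecified rules named in the comments, the function names, and a constructed address 10.80.10.5 whose middle octets are 80 and 10, since the IP address shown above does not reproduce the 8010 the story arrives at.

```python
from itertools import product

# Assumed, not from the story: the two underspecified rules that let two
# admins reading the same instructions produce different passwords.
#   * "pad it out to double digits": left-pad (8 -> 08) or right-pad (8 -> 80)?
#   * "second and third letters": 2nd/3rd characters, or 2nd/3rd alphabetic ones?
NEW_METHOD_SUFFIX = "@!#%&$?@!"   # appended once domain complexity was enabled


def wizard_password(hostname, ip, *, pad_left=True, letters_only=False,
                    new_method=False):
    """Derive the local administrator password per the story's rules."""
    name = hostname.upper().replace("-", "")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    # Middle two octets, each padded to two digits the way this reader chose.
    prefix = "".join(("0" + o if pad_left else o + "0") if len(o) == 1 else o
                     for o in octets[1:3])
    alpha = [c for c in name if c.isalpha()]
    if not alpha:
        raise ValueError("hostname has no letters")
    last_letter = alpha[-1]            # last char if it is a letter, else last letter
    pool = alpha if letters_only else list(name)
    if len(pool) < 5:
        raise ValueError("hostname too short for the wizard algorithm")
    password = prefix + pool[1] + pool[2] + last_letter + pool[3] + pool[4]
    return password + NEW_METHOD_SUFFIX if new_method else password


def readings(hostname, ip, new_method=False):
    """Every password a hand-calculator could legitimately arrive at."""
    return {wizard_password(hostname, ip, pad_left=pl, letters_only=lo,
                            new_method=new_method)
            for pl, lo in product((True, False), repeat=2)}


if __name__ == "__main__":
    # Constructed address: the story's 8010 needs middle octets 80 and 10.
    print(wizard_password("PRD-APP2-SERV4", "10.80.10.5"))   # 8010RDVAP
    # A digit among the first five characters plus single-digit middle
    # octets expose both ambiguities at once: four "correct" answers, one of
    # which collides with the first server's password.
    for pw in sorted(readings("PR2D-APP-SERV4", "10.8.1.5")):
        print(pw)
```

The story’s own example is unambiguous under every reading, which is why it looks easy; hostnames with digits in the first five characters or single-digit octets are where two admins part ways.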
Or the fact that when a server has lost contact with the domain and you’re trying to log on locally and the phone’s ringing and everyone’s pressuring you to get it resolved, the last thing you want to be doing is math puzzles.
But at least it’s better than the standard way people normally do it!