Welcome to ProCheckUp Labs, the blog from Procheckup
Plenty of past ProCheckUp pen-tests have provided examples of poor password policies; however, in one particular test we saw an interesting variant of this all-too-common problem.
Typical password generators these days will make some attempt to generate a pseudo-random alpha-numeric string - perhaps not always the longest of strings but still a good effort. An example we found, on a web application for financial organizations, took an unfortunate step backwards.
The application's password reset feature sloppily generated passwords by concatenating two words and a number. Two words and a number ... That doesn't sound too bad ... Ah, but it gets worse.
The pool of options amounted to a selection of 8 words for the first substring, a different 8 words for the second substring and a number between 11 and 97 for the third substring. For a financial application, this is already mind-bogglingly lazy password generation. Still, let's have a closer look at those strings:
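To put those numbers in perspective, here is an added example (not code from the ProCheckUp post or the application it describes) that measures the keyspace of the word + word + number scheme and contrasts it with a CSPRNG-based generator a reset feature should use instead. The first word pool is the one the post lists; the second pool is a constructed placeholder of 8 entries, since only its size matters for the calculation.

```python
import math
import secrets
import string

# Added example, not code from the ProCheckUp post. It measures the size of the
# composition scheme the post describes (two words plus a number) and contrasts
# it with a CSPRNG-based generator a password-reset feature should use instead.

# Pool the post lists for the first substring.
FIRST_WORDS = ["apple", "bach", "baron", "beach", "cherry", "oxford", "pear", "mozart"]
# The post says the second pool is also 8 words; only the count matters for the
# keyspace, so these are constructed placeholders, not the real words.
SECOND_WORDS = [f"second{i}" for i in range(8)]
NUMBER_LOW, NUMBER_HIGH = 11, 97  # inclusive range described in the post

ALNUM = string.ascii_letters + string.digits  # 62 symbols


def keyspace_size(first, second, low, high):
    """Number of distinct passwords the word+word+number scheme can produce."""
    return len(first) * len(second) * (high - low + 1)


def entropy_bits(size):
    """Entropy in bits of a value chosen uniformly from a space of `size` items."""
    return math.log2(size)


def equivalent_random_chars(size, alphabet=ALNUM):
    """How many uniformly random characters from `alphabet` give the same keyspace."""
    return math.log(size) / math.log(len(alphabet))


def scheme_bits():
    """Entropy of the scheme from the post: 8 x 8 x 87 = 5568 possible passwords."""
    return entropy_bits(keyspace_size(FIRST_WORDS, SECOND_WORDS, NUMBER_LOW, NUMBER_HIGH))


def generate_reset_password(length=16, alphabet=ALNUM):
    """Hardened replacement: each character drawn independently from a CSPRNG."""
    if length < 12:
        raise ValueError("reset passwords should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    size = keyspace_size(FIRST_WORDS, SECOND_WORDS, NUMBER_LOW, NUMBER_HIGH)
    print(f"scheme keyspace: {size} passwords, {entropy_bits(size):.1f} bits,"
          f" ~{equivalent_random_chars(size):.1f} random alphanumeric chars")
    print(f"16 random alphanumeric chars: {entropy_bits(len(ALNUM) ** 16):.1f} bits")
    print("example reset password:", generate_reset_password())
```

The whole scheme is worth roughly two random alphanumeric characters (about 12.4 bits), which is the figure an auditor would quote back to the vendor.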
1st substring: apple, bach, baron, beach, cherry, oxford, pear, mozart