Finding The Hidden InfoSec Story

Rumpelstiltskin – A Lesson in Password Security


Andrew Lang's The Blue Fairy Book, ca. 1889

Imagine the scenario, your business offers an utterly unique service, and you have just managed to finalise an arrangement to become a third party supplier with a large return for your efforts. This is the once in a lifetime deal you always hoped for. This is the situation we can see that Rumpelstiltskin is in within the Grimms’ story of the same name.

Admittedly we would be hard pressed to feel sympathy for this villain. The deal with the miller’s daughter is to spin a room full of straw into gold, in return for her firstborn child. She has nothing more to offer after his previous dealings stripped her of other prized possessions.

As distasteful as this may be, there is still an underlying lesson to be learned. In a moment of sympathy after he has fulfilled his end of the bargain and the baby is born, the villain of the piece offers the young lady a chance to avoid the payment if she can guess his name within three days.

He is clearly extremely confident in the security of this information. He would not make the deal otherwise. Here we can draw our analogies from the story.

His confidence in the measures he has in place is clear. He knows he has a cast-iron arrangement with the daughter, who is now queen. He also knows that she has managed to rise to this new station due to his assistance. This information is confidential for the heroine, as it may affect her position if the king were to discover how she completed her given task. She is forced into dealing with the villain on his terms. Rumpelstiltskin believes he has all angles covered and that the outcome is assured.

One thing he hasn’t considered is that the young lady has many more resources available to her as a queen to find the information needed to break his system. He is so assured in the security of his arrangement that he overlooks a vital element, which is also an obvious one. He is overheard literally singing his name in a secluded area on a mountainside.

We can directly correlate this with information security in the real world. We have in place a defence-in-depth arrangement which should, we hope, provide resilience in the face of attack. A way to bypass the system (and defeat the villain of the story) is simple and sometimes overlooked.

His name is the password in this scenario. To be fair to Rumpelstiltskin, the composition of his name would normally prove hard to guess. We may forgive him for not substituting letters for numbers or special characters – password cracking software after all was not such a concern for him! He is left with a 15-character name or password that would not have been a standard word, or name in this case.

The queen’s action was analogous to a dictionary attack. She had tried every known name in her previous guesses. And though Rumpelstiltskin avoided writing it down, he did unwittingly share it. His story provides a very direct message – do not disclose your passwords, do not write them down, and especially do not sing them around a campfire when you think nobody is listening, or this fundamental error can prove to be your downfall.

Author: Paul Farmer

Share This Post On