23 is based on the story of Karl Koch, one of the most famous hackers ever. He was involved in a Cold War computer espionage incident and sold US and West Germany data to the KGB. There are multiple hacking scenes in the movie which we analyze in greater detail below.
The first hacking scene shows a group of hackers gaining access to various targets by password brute forcing. Even though the movie takes place in the 1980s, it still correctly identifies common security issues with passwords that are still applicable nowadays – using common words (like ‘password’) or easily identifiable information like a pet’s or wife’s name is a mistake. The movie characters use “admin:admin”, “guest:guest” and other common credential pairs successfully. They even mention the concept of having a password list with 50 entries. Such lists are used today as well, though they are way bigger and could have millions of passwords inside. They are often the product of data breaches.
The only questionable part is when the username `anonymous guest` is shown in one hacking scene, as the common practice for default usernames is one word or at least words separated by underscores instead of spaces. However, the portrayal of this hacking method is quite accurate.
Verdict: gaining access to protected systems by using common passwords is portrayed correctly and this issue is still relevant today.
Another hacking scene involves a more advanced type of social engineering. When guessing passwords for high profile government officials becomes inefficient, the characters decide to write a program that they call a “trojan horse”. Its purpose is to disguise itself as a real application and steal their credentials. When the victim is presented with the login screen for a particular application, the first attempt always seems to return an error. In the background, however, the credentials are sent to the attacker. The second attempt goes to the actual system directly and logs the user in, thus reducing the suspicious feeling that something wrong is happening.
What is missing from the movie is information about how the victims are redirected to the fake login application. This reinforces the common misconception that hacking is super simple and can be done with just a few lines of code. However, this is not a significant critique. Overall the general idea is very real. Today, you could easily find free tools that create fake login screens for popular sites like Gmail, Facebook etc. with just a few buttons. You no longer need to be a 1337 h4x0r to do that.
Verdict: the social engineering technique portrayed is presented in a simplified but very accurate manner.
Even though the movie plot has been criticized for being historically inaccurate, the hacking scenes provide a realistic view of the workflow of some black hat hackers. What's more, it emphasizes a really important tenet of cybersecurity – you need to build a culture of security in your environment to reduce human cyber risks. That would make weak passwords and common social engineering schemes a thing of the past.
Want to read more like this?
Get the latest news and tips from NordVPN