Enigma interview: hackers exploiting weak passwords is nothing new

During the Second World War, the Enigma code was one of Nazi Germany’s most important weapons, allowing German forces to send Morse Code messages between units and command centres that anyone could listen in on, but no-one could understand.  

For years, the code was considered unbreakable until the team at Bletchley Park, led by Alan Turing, managed to crack it in a breakthrough that potentially saved thousands of lives.  

PC Pro caught up with Thomas Briggs from the Bletchley Park Museum at a special screening of Turing biopic The Imitation Game to find out how Enigma worked, how “bad passwords” led to it being broken, and how its legacy has coloured modern computing and cryptography.  

How was the machine operated? 

At midnight every day the Enigma operators would set up their machine according to a settings card that was given to them each month, which had 31 rows on it – one for each day of the month – which is how they’d be sure they were doing the same things as the other teams.

The first thing they’d have to do would be put the correct three rotors, of which there were five available, into the machine and select a supposedly random key. They would then convert it into numbers and dial them into the rotors.

The three rotors presented you with 60 different possible combinations and for the Germans that was easy, because it was all there on a sheet telling you what it was. If you’re trying to break the code, you’ve got to try and figure out which of those 60 combinations is in the machine. Aside from that, each rotor needs to have its ring setting set to a particular position, of which there were 26 for each rotor, or roughly 17,500 in total. And that’s 17,500 for each of those 60 possible combinations.

After you’ve done that, there’s a plug-board panel on the front. There are 26 double sockets, one for each letter of the alphabet, and 10 cables. You plug in the 10 cables to pair up 20 out of 26 letters, and there are about 150 trillion ways of plugging the board together just by itself, so guessing the right ten cable positions on the front of the board is significantly harder than, for example, picking the right six numbers in the lottery at the weekend.

When you put that all together – the 60 rotor orders, the 17,500 ring settings, the 150 trillion plug board settings – that gives you 159 quintillion ways of setting the machine up. From the German Enigma operator’s point of view, it’s really easy to do that, because you’ve got it on the list. From the codebreaker’s point of view, if you’ve managed to get hold of some of the cards, you’re sorted. If you haven’t got the cards, you’ve got to find another way and you’ve got 159 quintillion variations to sort through.

If you wanted to try a brute force attack, which is just to try everything until you hit the right one, and were able to go through one per second, that would take you 159,000,000,000,000,000,000 seconds, which is much longer than the universe has existed. So it’s infeasible that you would be able to do it that way and the fact that there are so many potential combinations is one of the reasons the Nazis wholeheartedly believed this code to be unbreakable.  

So the codebreakers had to come up with different ways of reducing the number of possibilities that they had to try to a more manageable level, which they did using those different tips and tricks.   

What do you mean when you say a “supposedly” random key?  

Humans are terrible at randomness. We’ve evolved over millions of years to spot and make patterns so if you’re suddenly asked to go against that basic programming, you can’t do it.

I do take this machine to schools and before I tell students about that bit, I get them to pick their own random three-letter key. Then I ask them who picked their own initials, which of course isn’t random, and half the class will put their hands up. Other choices I’ve seen are things like “KFC” and other things that are relevant to them.

The German Enigma operators were no different – it’s a natural thing for human beings to do. But it illustrates the fact that if you have a cipher system, no matter how secure it is, if you then introduce a human element to it and you ask them to do something random, that’s a weak point.  

It’s directly analogous to problems of creating a safe password for website use today – a significant proportion of people still use “password” or “password1” online, or 1111, 1234 for their credit or debit card PIN. The way the Enigma operators worked shows bad passwords were a problem even before computers were invented.  

Was this helpful then when it came to the codebreakers at Bletchley breaking Enigma?  

Yes, it was. They had lots of tips and techniques when it came to breaking the code and one of those was that a lot of Enigma operators would use girls’ names and swearwords instead of selecting a key at random, which the Codebreakers called “cillies” after a German Enigma operator who was using his girlfriend’s name – Cilli – as the key for every transmission.  

That was the first one discovered, but there were others, such as the Herivel Tip. This was the idea that, once you’d finished typing one message, if you were feeling lazy or were under pressure, you would leave the letters where they were and just carry on typing, or you would just give each of the dials a quick flick. While this feels random, it isn’t – it just moves each number on a few spaces from where it was before, so if you’ve figured out the previous message’s configuration, that gives you a tip for what the next one might be.  

Was there anything apart from “cillies” that helped them?  

Yes, they found not only ways of reducing the number of settings they had to try, but they also found ways to speed up going through the rest of them.  

There was a lot of very complicated mathematics involved, but there was some luck, which generally came from the operators either not following procedure or following a procedure that was lacking in security.  

Another problem with the machine, that doesn’t feel like a problem when you first see it, is when you press a certain letter key, you can be certain you will never get that letter as an output. That, I would imagine, when it was created would have probably seemed like a feature, because you don’t want there to even be a remote chance of getting the same message out that you’ve put in. But as far as the Bletchley Park Codebreakers were concerned, it was actually something that they used – it was an important fault with the design of the machine.  

But they were also undoubtedly very, very hard working and they put a lot of effort into figuring out the solution to this problem – and that’s what it was for a lot of them, it was a puzzle to be solved.  

Not long before the outbreak of war, a group of Poles got their hands on a prototype Enigma machine and set about working out how it operated and how it could be decoded. How much of an influence was their work on what was done at Bletchley Park?  

As I understand it, the Polish contribution was quite large. They did a lot of work towards figuring out how the machine did what it did and, crucially, did some work into the mathematical techniques that could be used to find the settings fairly quickly. This included creating a machine that they called the Bomba, which just ran through lots of different combinations and tested them electrically very quickly. That information was shared with the allied Codebreakers.  

I would say that definitely had an influence on the work the Codebreakers did, and probably gave them a head start and sped up the process. They had to extend the work the Poles had done to the more complicated version of Enigma, but you can see how helpful they thought it was, because Alan Turing’s machine was called the Bombe, which was probably a tribute to the original machine.

What do you think is Enigma’s legacy for encryption and cryptography?  

There are a lot of analogies that can be drawn between the breaking of Enigma and getting into the codes and ciphers that keep our information safe today.  

You’ve got the other side of the story going on and in World War II a very simplistic view of it is that, while we see ourselves as the “good guys”, we were playing the role of the hacker, and breaking the ciphers.

These days, the ciphers are there to protect our information and people go in to try and break them to access our information for nefarious purposes, or just for the hell of it.

Another analogy that comes in is essentially rubbish passwords with the message setting key and people have that problem nowadays. Ciphers and the systems used to keep our information safe these days are so strong, it’s not worth actually trying to work out how to break them. Instead, hackers go for the weak point, which is inevitably the human element, like passwords. That’s what happened at Bletchley, they went for the “password” if you like – the message settings key – which was the bit set by a human being, as opposed to the system, which was actually pretty secure. Even by today’s standards, it’s not a bad cipher, but governments wouldn’t use it today, partly because it’s slow and cumbersome and partly because there are much, much more secure systems available now. 
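
An added illustration, not part of the interview or of Bletchley Park's material: the Python sketch below reproduces the settings count quoted above and shows how the "a letter never encrypts to itself" property lets a guessed plaintext word (a crib) be ruled out at most offsets. It assumes the historical Enigma I rotors I, II, III and reflector B with rings at A; the message, plug pairs and function names are constructed for the example.

```python
import math
import string

A = string.ascii_uppercase
# Historical Enigma I wirings (rotors I, II, III, reflector B) with turnover letters.
ROTORS = [("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
          ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
          ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V")]
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

def keyspace(rotors_available=5, slots=3, cables=10):
    """Settings count as tallied in the interview: orders x 26^3 x plugboard."""
    orders = math.perm(rotors_available, slots)            # 60
    positions = 26 ** slots                                # 17,576 ("roughly 17,500")
    plugs = math.factorial(26) // (math.factorial(26 - 2 * cables)
                                   * math.factorial(cables) * 2 ** cables)
    return orders * positions * plugs

def encipher(text, start="AAA", plug_pairs=()):
    """Enigma I, rotors I-II-III left to right, rings at A, optional plugboard."""
    plug = {c: c for c in A}
    for a, b in plug_pairs:
        plug[a], plug[b] = b, a
    pos = [A.index(c) for c in start]
    out = []
    for ch in text:
        if A[pos[1]] == ROTORS[1][1]:                      # middle rotor double step
            pos[0] = (pos[0] + 1) % 26
            pos[1] = (pos[1] + 1) % 26
        elif A[pos[2]] == ROTORS[2][1]:                    # right rotor turnover
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26                         # right rotor always steps
        c = A.index(plug[ch])
        for i in (2, 1, 0):                                # right to left
            c = (A.index(ROTORS[i][0][(c + pos[i]) % 26]) - pos[i]) % 26
        c = A.index(REFLECTOR[c])
        for i in (0, 1, 2):                                # back through, inverted
            c = (ROTORS[i][0].index(A[(c + pos[i]) % 26]) - pos[i]) % 26
        out.append(plug[A[c]])
    return "".join(out)

def crib_positions(ciphertext, crib):
    """Offsets where the crib could sit: no letter may line up with itself."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(p != c for p, c in zip(crib, ciphertext[i:]))]

if __name__ == "__main__":
    ct = encipher("CONVOYSIGHTEDWEATHERCLEARNORTH", "MCK", [("A", "M")])  # constructed
    print(keyspace(), ct, crib_positions(ct, "WEATHER"))
```

The true offset of the crib always survives the filter, while every offset where any crib letter coincides with the ciphertext letter is discarded without testing a single machine setting.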

The Imitation Game is in cinemas nationwide now. 
