As the New York Times relates, it was far too easy to reconstruct passwords after the attacks of September 11, 2001, killed 658 Cantor Fitzgerald employees at the World Trade Center.
The financial firm had a policy that every employee tell his or her password to four nearby colleagues, a crude form of recovery escrow. But now most of the firm’s 960 New York-based employees were presumed dead, and the “nearby colleagues” who held each other’s passwords had, for the most part, been lost together.
Just hours after the attacks, Microsoft sent more than 30 security experts to Cantor Fitzgerald’s temporary headquarters in New Jersey. Many of the missing passwords were of the type considered “secure” – mixtures of letters, numbers, and symbols like “JHx6fT!9” – as recommended by the firm’s IT department.
To crack those passwords, Microsoft’s technicians used so-called “brute force” tactics, working through every possible combination of characters. An eight-character password drawn from the 94 printable ASCII characters has roughly 6 × 10^15 possibilities, so even on the best hardware of the day that could take days. The company couldn’t wait that long: the bond markets would be re-opening sooner than that.
According to the company’s CEO, Microsoft’s techs knew that many people reuse the same password across several accounts, and that passwords are often “personalized,” built from names and dates that matter to their owner.
So the CEO spent the 24 hours after the attacks calling his employees’ family members, to ask if they knew the passwords, or to ask for personal data that might lead to the passwords – such as their wedding anniversaries or pets’ names.
The effort succeeded: the firm was back in operation within two days. The same human sentimentality that made Cantor Fitzgerald’s passwords “weak” ultimately proved to be its saving grace. The episode is worth reading as an attack as much as a rescue, though: anyone with the same handful of personal details could have done what Microsoft did.
Mantras, Insults, and Shrines
The author of the Times article began to collect passwords from family members and friends – and even strangers — several years ago.
He was surprised at how willing people were to reveal their passwords to him. He also discovered:
Many of our passwords are suffused with pathos, mischief, sometimes even poetry. Often they have rich back stories. A motivational mantra, a swipe at the boss, a hidden shrine to a lost love, an inside joke with ourselves, a defining emotional scar — these keepsake passwords, as I came to call them, are like tchotchkes of our inner lives. They derive from anything: Scripture, horoscopes, nicknames, lyrics, book passages. Like a tattoo on a private part of the body, they tend to be intimate, compact and expressive.
Passwords he collected included:
- A former prisoner’s identification number
- A lapsed Catholic’s homage to the Virgin Mary
- The name of a childless woman’s stillborn son
Some people even used the word “incorrect” for their password – so that when they got it wrong they’d be reminded “your password is incorrect.”
Others use passwords as affirmations, inspirations, or reminders: “Forgive@h3r,” for example, to help a divorced man forgive his ex-wife.
While “password therapy” is an interesting idea, it’s also a dangerous one. A password built from a name, a date, or a phrase that matters to you is exactly what an attacker who knows a little about you (or who already holds one of your other leaked passwords) will try first, and the same guessing that rebuilt Cantor Fitzgerald’s passwords works just as well against yours.
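As an added illustration (not from the Times article, and not anything Cantor Fitzgerald or Microsoft actually ran), the script below puts the two approaches described earlier side by side: the size of the brute-force keyspace for an eight-character mixed password like “JHx6fT!9”, and a small candidate generator that takes a few personal facts (a phrase, a pet’s name, a year) and applies the cheap manglings people really use (capitalisation, leet substitutions, a joiner, a suffix). The guessing rate, the sample facts and the hash (unsalted SHA-256 standing in for whatever the real system stored) are all assumptions made for the example.

```python
"""Added example (not from the Times article, Cantor Fitzgerald or Microsoft):
brute-force keyspace versus a targeted, mangled wordlist of personal facts."""
import hashlib
import itertools

PRINTABLE_ASCII = 94          # alphabet a "mixed" password like JHx6fT!9 draws from
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # common substitutions


def brute_force_seconds(length, charset=PRINTABLE_ASCII, guesses_per_second=1e9):
    """Worst-case time to exhaust every combination (the rate is an assumption)."""
    return charset ** length / guesses_per_second


def digest(password):
    """Unsalted SHA-256, assumed here as a stand-in for the stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Yield `word` with every subset of the LEET substitutions applied."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def candidates(tokens, joiners=("", "@", "_", ".", "-"), suffixes=("", "!", "1", "123")):
    """Generate distinct guesses from one or two personal tokens plus cheap
    manglings: case, leet, a joiner between tokens and a trailing suffix."""
    mangled = {t: {v for c in case_variants(t) for v in leet_variants(c)} for t in tokens}
    seen = set()
    for n in (1, 2):
        for combo in itertools.permutations(tokens, n):
            for parts in itertools.product(*(mangled[t] for t in combo)):
                for joiner in (("",) if n == 1 else joiners):
                    for suffix in suffixes:
                        guess = joiner.join(parts) + suffix
                        if guess not in seen:
                            seen.add(guess)
                            yield guess


def wordlist_size(tokens):
    return sum(1 for _ in candidates(tokens))


def crack(target_hex, tokens):
    """Try each candidate against the target digest.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for guess in candidates(tokens):
        guesses += 1
        if digest(guess) == target_hex:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample: facts a family member might supply about a colleague
    # (a phrase they lived by, the dog's name, an anniversary year).
    facts = ["forgive", "her", "rex", "1998"]
    target = digest("Forgive@h3r")
    days = brute_force_seconds(8) / 86400
    print(f"brute force, 8 printable chars: about {days:.0f} days at 1e9 guesses/s")
    print(f"targeted wordlist: {wordlist_size(facts)} candidates")
    print(crack(target, facts))
```

The targeted list is a few thousand guesses, checked in well under a second; the brute-force search of the same eight-character space at the assumed rate is on the order of 10^15 guesses. That gap, not any weakness in the hash, is what made the family-phone-call approach faster than the computers, and it is the same gap an attacker exploits.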
Passwords are not the problem; static passwords are the problem. The trouble with any static password, no matter how life-affirming, is that once it’s cracked it’s cracked for good: it keeps working, on that account and on every other account where it was reused, until someone notices and changes it.
Feeling good about yourself when you enter your password is no compensation for the horrible feeling of having your bank account cleared out by a hacker.
To learn more about PACid’s BoSS and why it should be an industry standard, click here.