The Secret Lives of Passwords

Howard Lutnick, the chairman and CEO of Cantor Fitzgerald, one of the world’s largest financial services firms, still cries when he talks about it. Not long after the planes struck the World Trade Center twin towers in 2001, killing 658 of his co-workers and friends, including his brother, one of the first things on Lutnick’s mind was passwords. This may seem callous, but it was not.

Like virtually everyone else caught up in the events that day, Lutnick, who had taken the morning off to escort his son Kyle to his first day of kindergarten, was in shock. But he was also responsible for ensuring the viability of his company and the support it provided for employees’ families. The biggest threat: no-one knew the passwords for hundreds of accounts and files that were needed to get back online in time for the reopening of the bond markets. Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues. But now a large majority of the firm’s 960 New York employees were dead.

Hours after the attacks, more than 30 security experts dispatched from Microsoft arrived at an improvised Cantor Fitzgerald command centre. Many of the missing passwords would prove to be relatively secure – the JHx6fT!9 type that the company’s IT department had implored everyone to choose. To crack those, the Microsoft technicians performed ‘brute-force’ attacks, using fast computers to begin with ‘a’, then work through every possible letter and number combination before ending at ‘ZZZZZZZ’. But even with the fastest computers, brute-force attacks, working through trillions of combinations, could take days.

Microsoft’s technicians knew that they needed to take advantage of two facts: many people use the same password for multiple accounts, and these passwords are typically personalised. The technicians explained that for their algorithms to work best, they needed large amounts of trivia about the owner of each missing password, the kinds of things that were too specific, too personal and too idiosyncratic for companies to keep on file. “It’s the details that make people distinct, that make them individuals,” Lutnick said. He soon found himself on the phone, desperately trying to compartmentalise his own agony while calling the spouses, parents and siblings of his former colleagues to console them – and to ask them, ever so gently, whether they knew their loved ones’ passwords. Most often they did not, which meant that Lutnick had to begin working his way through a checklist that had been provided to him by the Microsoft technicians. “What is your wedding anniversary? Tell me again where he went for undergrad? You guys have a dog, don’t you? What’s her name?”

“Remember, this was less than 24?hours after the towers had fallen,” Lutnick recalled. Families had not accepted their losses. Conversations oscillated between crying and agonising silences. “Awful,” he said. Sometimes it took more than an hour to work through the checklist, but Lutnick said he made sure that he was never the one to hang up first.

In the end, Microsoft’s technicians got what they needed. The firm was back in operation within two days. The same human sentimentality that made Cantor Fitzgerald’s passwords ‘weak’ ultimately proved to be the company’s saving grace.

 

Several years ago, I began asking my friends and family to tell me their passwords. I had come to believe that these tiny personalised codes get a poor deal. Yes, I understand why passwords are universally despised: the strains they put on our memory, the endless demand to update them, their sheer number. I hate them too. But there is more to passwords than their annoyance. In the fact that we construct them so that we (and only we) will remember them, they take on secret lives. Many of our passwords are suffused with pathos, mischief, sometimes even poetry. Often they have rich back stories. A motivational mantra, a hidden shrine to a lost love, an inside joke with ourselves, a defining emotional scar – these keepsake passwords are like trinkets of our inner lives.

My biggest surprise has been how eager people are to openly discuss their keepsakes. There was the former prisoner whose password includes what used to be his inmate identification number (“a reminder not to go back”); the fallen-away Catholic whose passwords incorporate the Virgin Mary (“it’s secretly calming”); the childless 45-year-old whose password is the name of the baby boy she lost in utero (“my way of trying to keep him alive, I guess”).

Sometimes the passwords were playful. Several people said they used incorrect for theirs so that when they forgot it, the software automatically prompted them with the right one (“your password is incorrect”).

Some keepsakes were striking for their ingenuity, folding big thoughts down into tidy little ciphers. After being inspired by Sheryl Sandberg’s book Lean In: Women, Work, and the Will to Lead, Cortni Kerr, a running partner of mine, began using Ww$$do13, which stood for “What would Sheryl Sandberg do” plus “13” for the year (2013) of the password’s creation. TnsitTpsif was the password of another friend, a computer scientist who loves wordplay. It stands for “The next sentence is true. The previous sentence is false”, which in philosophy is called a liar’s paradox. For my friend, it was a playful reference to the knots that language can tie.

Often, these disclosures had an emotional edge. One woman described the jarring realisation that her sister’s name was the basis for all their mother’s passwords. Another recalled needling her husband, Will, after their wedding in 2013 because he was still using the digits of his ex-girlfriend’s birthday for his debit card PIN. “I’m not a jealous person,” she said. “But he changed it to my birthday the next day.”

While asking strangers about their passwords is a touchy proposition, it’s not every day that you stumble across something that teaches you new things about people you’ve known for years.

The 4622 that my wife uses in her passwords was not just the address of her own father’s childhood home but also a reminder of his fragility and strength. Apparently when the former 120 kg football standout was a small boy, he had to sing his home address (4622 South 28th West Avenue) in one full breath rather than try to say it normally; otherwise, his debilitating stutter would trip him up.

While computer scientists would prefer that our passwords be a hard-to-crack jumble, precisely what makes passwords so flawed is also what computer scientist Joseph Bonneau finds uplifting. “People take a nonnatural requirement imposed on them, like memorising a password,” he said, “and make it a meaningful human experience.”

In 1993, when she was 22, Maria Allen used for her password a combination of the name of her summer crush, J.D., with a month and the name of a mythological female deity (she wouldn’t tell me which) to whom he had compared her when they’d first met. The fling ended, and they went their separate ways. But the password endured. Eleven years later, out of the blue, Allen received a message through classmates.com from J.D. They dated a few years, then decided to marry. Before the wedding, J.D. asked Maria if she had ever thought of him during that interim decade. “About every time I logged in to my Yahoo! account,” she replied, before telling him her secret. He had the password inscribed on the inside of his wedding ring.

New York Times (November 23, 2014). © 2014 by The New York Times Co., nytimes.com.

Never miss a deal again - sign up now!

Connect with us: