Imagine being approached by a total stranger who, upon introducing himself, immediately proceeds to ask you for the most intimate and private piece of information you own: your password. Now, at this point you probably think you’ve either met the worst hacker in the world, or come across the only person left on Earth who still doesn’t fully grasp the concept of passwords. Surprisingly enough, neither of these scenarios are the case – you’ve actually found yourself face-to-face with New York Times journalist Ian Urbina.
A few days ago, Urbina released a feature piece in the New York Times which takes a new look at passwords, viewing them not just as private gate-keeping entities with no inherent value other than security, but as something more than that. He argues that whilst everyone finds them tedious and annoying, in reality they contain a hidden depth of meaning. Urbina’s article reveals something that many of us have implicitly understood for a long time, yet never properly explored. Passwords are something so inherently personal, that relinquishing them to the New York Times’ 1.8 million daily readers is an act that at first seems completely irrational. Yet, many seem to have done it anyway.
The truth is, people love coming clean
That sweet moment of relief when you admit that yes, it was you who dented the car, who vomited in the wastepaper bin, who ate the last slice of your flatmate’s birthday cake. And yes, it was you who had the password to their bank account set as their favourite place to defecate and a number describing a sexual act. Had? Still has. Have you ever noticed that rarely will the phrase “It’s too embarrassing” be followed by anything other than a hungry confession? We want to be known, we want to verify our internal experience with another fleshy sack to confirm that yes, this is what fleshy sacks do and we are not alone in that.
Discussing the concept, Alex and I came onto the topic of first passwords, and instantly I spewed out the obligatory “it’s too embarrassing”. At eight letters, my first password was “darkness”. I remember having to choose it for school, I do not remember why. But strangely, to my utter disbelief, Alex chose it too. Before this point, it had been one of the plethora of tiny things about myself I attributed no meaning to. But now, that tiny thing is part of a shared history that I never even knew existed. That sat in Swindon, a moody tween, one hundred and eight miles away someone I wouldn’t know for another ten years made the same insignificant choice; what does that mean? It’s irrational but I feel as though it was a hidden clue, an easter egg in the video game of my life. When I logged onto my email, my MySpace, my school computer, little did I know that my dumb password was a slow exaggerated wink across time. What I would have given then, to peer across cosmic spaghetti strands into my life today. Instead, being a mere mortal, I was sat in General Studies, adjusting the knot on my tie to be as loose as possible whilst still remaining a knot, and watching Bristol Zoo’s penguin webcam while pretending to write my C.V.
In some regard I was definitely skeptical before reading Ian Urbina’s piece, and I think too that everyone that I’ve spoken to has had some degree of apprehension. But there’s no denying there’s something in it. I frequently use the number 42, because of The Hitchhiker’s Guide to the Galaxy – a supercomputer’s answer to the question “What is the meaning of life?”. But it’s more than that, my Dad used to read me The Hitchhiker’s Guide to the Galaxy before bed when I was younger. He used to work a lot, so I didn’t get to see him as much as I wanted, and when my parents split up, I saw him less. So when I log onto Tumblr to curate my collection of animated sloths using my ‘42’ password, am I really trying to say “I miss my Dad”?
The password is in honour of the chicken, not the literary character.
Passwords from literature appear to be rife amongst our editors. Cailean Osborne, our Lifestyle Editor, describes an ill advised choice: “A few years back, when I may have been 15 or 16, I was reading Anthony Burgess’ A Clockwork Orange. I was convinced it was the best book ever written. When asked by a website what my favourite book was, as a password, of course I entered the full title with all appropriate spaces. At the time, it seemed like a good idea – but very quickly it became a nuisance. Seeing ‘What’s your favourite book?’, I think to myself, ‘Oh ffs, why didn’t I set my password as Tintin…’ ”
Figgy Guyver, our Culture Editor, set her password to be the name of the first ever chicken she had. A chicken who was the namesake of a character from The Adventures of Tom Sawyer, although she was very keen to point out, “the password is in honour of the chicken, not the literary character”.
Passwords can serve as daily reminders of distant memories
When my girlfriend was in the 4th grade (about 9 years old) and living in Santa Barbara, California she begged her parents to allow her to buy a bunny rabbit – the weather being so nice in Santa Barbara that the rabbit could sleep outside all year long, and function like a tiny, albeit peculiar looking, dog. Her parents finally caved in, and the following day she went to the animal shelter where she volunteered (appropriately called ‘Buns’ with an accompanying picture of a rabbit booty on the sign out-front) to pick out a bunny of her own. Upon entering the shop, her eyes were immediately fixated upon a rabbit who sported a particularly pleasing set of ‘helicopter’ ears (where others have ‘floppy ears’ or ones that stood straight up); for Anya, it was love at first sight. She named him Colin and they returned home to start their new life together.
This is where the story takes a comedic turn for the worse: after taking Colin home, she and her entire family slowly started to realise that Colin was a demon spawn from the lowest level of Hell. You could not pick him up without suffering a barrage of painful and unexpectedly deep scratches and bites. It became painfully obvious that Colin wasn’t a people bunny. When they tried to get Colin a new bunny friend named Rebecca to help with his searing temper, he tried his best to immediately make it known he wasn’t a bunny bunny either; indeed, Rebecca once accidently fell too close – and consequently became trapped – near his cage, and spent an excruciating afternoon at the paws and teeth of Colin’s furious wrath before Anya’s dad was able to set her free. Rebecca did not make it past the night.
Colin wasn’t a bunny bunny either.
After pondering her initial attraction to the reincarnation of Patrick Bateman as a bunny, Anya asked the owners of Buns whether he had any attitude problems whilst he lived there. Their response could not have been more enlightening: “Colin used to be a perfectly well-behaved Bunny, but then we featured him in the shelter’s TV ad. He wasn’t the same after that”. Suddenly, it all made sense: Colin was a diva. The fame and fortune went straight to his head, and thus, Anya realised she had her own little Charlie Sheen on her hands. This revelation gave birth to the password she uses (a variation, of course) today: ‘ColinwasonTV’. Every time she goes to log in to her computer, she’s reminded that next time she buys a pet to make sure its ego is in check.
No matter the subject of the password, sentiment overrides sensibility
A girl I’ve known for many years told me the story behind hers – her previous password had been ‘candyfloss’, followed by a number. She told me that she chose it at age 11, when creating an email account the evening after her Dad had taken her to the circus and bought her the snack. She kept the password in various forms up until last year, a total of nine consecutive years. Whilst relatively mundane, this example perfectly highlights the large degree of sentimentality that influences people when choosing their passwords. There’s something quite beautifully contradicting, if irrational, about the way in which the human psyche chooses to forgo its understanding of the science behind passwords and instead opts for sentimental and insecure passwords.
As discussed earlier in the article, when we were writing Charlotte and I discovered – much to our disbelief – that we’d actually shared the same password as teenagers. The pure mathematical improbability of this coincidence seems staggeringly huge at first (two people both using one word, out of all the possible words in the English language, before meeting at university and ending up working as Editors-In-Chief together?) – yet it really isn’t; it merely highlights the predictability of people.
Social engineering is by far the easiest way to gain access to a system.
Coming from an information security background, it becomes starkly apparent when trying to penetrate a system that the weakest links in computer security are the people that use them. Social engineering is by far the easiest and most powerful way to gain access to a secure system, because people are fundamentally much more predictable than we like to believe. Trying to bruteforce a password (use a computer to run through every possible combination of characters) can take anywhere from several hours on a laptop for very weak passwords, to trillions of years for very long and complex passwords (even if you had near-infinite processing power). Yet, guessing the name of the target’s pet/children/first love and the date they were born/met their significant other/their first child was born can often yield worryingly good results.
It really is the case that the human aspect of computer security is the weakest, and consequently the point most targeted by government agencies and hackers alike – for those trying to exploit weaknesses in a system, it’s infinitely easier to prey on the gullibility or sentimentality of human users than it is to try and attack the system’s architecture or the mathematical basis of modern encryption standards head on.
In a world where our online privacy is continually under attack, shouldn’t our fleeting sense of security make us vicious in our attempts to guard what is dear to us? Surely announcing our passwords to the world in such a manner is representative of a flagrant disregard for our online security?
“I figured it might just be an extension of the oversharing culture that the Internet has created.” says Urbina.
“Maybe my very hunt for significance in passwords and people’s general eagerness to help in that endeavour says more than any particular meaning I might actually find in the passwords themselves. Humans aren’t the only ones who solve puzzles. We are, however, the only ones who make puzzles simply so that we can solve them.”
Have a password story of your own? Let us know in our comments section or email firstname.lastname@example.org . You can read Ian Urbina’s original piece for NY Times magazine here.