What’s your password?

So since I still can’t blog about the stuff I want to blog about, I’ve decided to post some thoughts on a recent news article I stumbled across.

Sony and Adobe are among the most recent multinational companies to suffer security leakage on a large scale. Whether from vengeful hacking or poor security practices, the personal data of millions is floating out there somewhere for anyone to use or misuse. Aside from credit card information and addresses, affected users were understandably upset and concerned about their passwords being compromised. Why? Well, as we have recently learned, because most people use the same password for everything.

The only positive way to look at these recent security breaches is as a learning experience- not only in terms of how to build a more secure site, but also in that they provide insight into how humans interact with machines at their most intimate moment of trust. Humans, as it turns out, are extraordinarily predictable and lazy. Or are we?

This morning, Kotaku reported on the results of the Adobe hack last October. Analysis of the released password data has resulted in some interesting modalities. The top 5 Adobe passwords are reportedly the following:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123

If you have ever worked in IT, you probably could have predicted these results. They are common. We know they are common. We know they are easy to guess, and yet, we still use them. Why? Well, some have proposed it is because we are lazy. We either mash numbers, look around our desk for inspiration, pick the name of a pet, or even the colour of the website’s logo. Quite predictable behaviours which result in predictable passwords. The security expert interviewed by the BBC, Per Thorsheim, claims people pick such predictable passwords that ‘brute forcing’- using a computer to run through every possible character combination to crack a password- is more inefficient than just guessing!

Even more interesting is the frustration expressed on the internet when users have been confronted with new protocols. In an attempt to save us from ourselves, new password fields often require a combination of letters, symbols, and numbers. To this the general internet has reacted with exasperation, as evidenced by memes:

Although most of us likely relate to the above images and think of passwords as an annoying-but-necessary hurdle to overcome, they also represent something more. They are an artefact of an extremely personal and private moment shared between human and computer. Although it may be used to protect secrets, passwords are also a type of secret in and of themselves. But if this is the case, why don’t we take their creation more seriously?

A quick Google search reveals the word ‘password’ is defined as:

password
ˈpɑːswəːd/
noun
  1. a secret word or phrase that must be used to gain admission to a place.

Interesting that the online definition still makes reference to an offline context. Of course ‘place’ is generic enough to refer to a cyber/virtual location just as easily as a physical/’real’ world locale, but it calls up imagery of the passwords of olde.

  • Leaning into the door of a prohibition-era Chicago speakeasy and whispering a word to gain entry into a gin-soaked basement…
  • Giving a special handshake which, if the receiver is in the know, will demonstrate membership in the Stone Masons…
  • Twisting a combination lock to three numbers in a sequential order to access the goods inside a safe…
  • Knowing which stone door to approach and the correct phrase to say in Skyrim to gain entry to the Dark Brotherhood…

These are all forms of passwords- all secrets passed down and on through shared communication. And each of these example passwords allows access to even more secrets through its ability to serve as an identifying marker of members of a community. When we reflect on the origin of passwords, and their contemporary use in anachronistic fantasy role playing games today, we notice they are usually shared and a part of- or barrier of access to- social groupings.

In some cases they are shared to be social- speakeasies need customers. Sometimes they are shared for practical reasons- secret orders need members. In other cases, they are shared as a type of additional security measure. If the code to a lock is forgotten, knowing someone with the combination is useful for retrieving goods without damaging property. Still, other times passwords are shared as a type of play with the secret and mysterious. And actually I (and Huizinga, probably) would argue that there is an element of play present in most uses of passwords for the secret and mysterious. I’ve seen it argued that there is also an element of playfulness within hacking communities, but I won’t get into that discussion here.

So are passwords so predictable because people are lazy? Maybe. Or maybe they are so predictable because, as social animals, we want to share them. Years ago I owned a t-shirt from J!NX which said “Social Engineering Specialist” on the front. I liked the shirt because it married my love of social behavioural science with technology. Additionally, the shirt’s description on the website mirrored my own experience. It reads:

 How can you hack a person? You can often save loads of time by simply asking for the information you want (ie. passwords, access, etc), rather than hacking in via a computer.

My personal experience has found this to be the case. Not that I have ever abused this privilege, but I am often shocked at just how eager and willing people are to give up their passwords. This experience, along with the current news articles popping up, is what got me thinking…

Passwords represent a convergence of intimate human-computer interaction and also an aspect of human social interaction. Passwords allow us to not only experience technology, but also to experience each other and connect to secret and mysterious groups (which can surround themselves with play- to bastardise Huizinga). Passwords, in my view, can be:

  • an inconvenient and prohibitive barrier
  • a semiotic identification for social groupings
  • a means to gain access to a place
  • a type of secretive play

Considering these modalities, is it really so shocking that our passwords seem to coalesce around simple and familiar themes? It is almost as though we want to share them.

Until next time,
Ashley
PS Yes I am still obsessed with Skyrim. I finally got all 24 Stones of Barenziah over the weekend.