Grab a coffee and take a read: crypto haiku and the emotional stories behind passwords

Colleagues in my different jobs over the years know me as the one who can get a little bit fanatical about password security, mocking obvious passwords, proselytizing about using password safes, picking up on passwords left in plain sight on post-it notes and even sometimes replacing said post-it note with an apparently identical one, but with the wrong password written on it.

One reason for all this is security. Another is convenience. People are off ill, away on holiday or uncontactable, and if a password is locked up in their memory or in their wallet when someone else needs it, that can and does cause problems. Not so with a shared team password safe.

Such safes have come in useful countless times, though I hope I never encounter anything like the moving story the New York Times has told of the problems with passwords in the wake of 9-11:

Howard Lutnick, the chief executive of Cantor Fitzgerald, one of the world’s largest financial-services firms, still cries when he talks about it. Not long after the planes struck the twin towers, killing 658 of his co-workers and friends, including his brother, one of the first things on Lutnick’s mind was passwords. This may seem callous, but it was not.

Like virtually everyone else caught up in the events that day, Lutnick, who had taken the morning off to escort his son, Kyle, to his first day of kindergarten, was in shock. But he was also the one person most responsible for ensuring the viability of his company. The biggest threat to that survival became apparent almost immediately: No one knew the passwords for hundreds of accounts and files that were needed to get back online in time for the reopening of the bond markets. Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues. But now a large majority of the firm’s 960 New York employees were dead. “We were thinking of a major fire,” Lutnick said. “No one in those days had ever thought of an entire four-to-six-block radius being destroyed.”

Hours after the attacks, Microsoft dispatched more than 30 security experts [to help]. Microsoft’s technicians, Lutnick recalled, knew that they needed to take advantage of two facts: Many people use the same password for multiple accounts, and these passwords are typically personalized. The technicians explained that for their algorithms to work best, they needed large amounts of trivia about the owner of each missing password, the kinds of things that were too specific, too personal and too idiosyncratic for companies to keep on file. “It’s the details that make people distinct, that make them individuals,” Lutnick said. He soon found himself on the phone, desperately trying to compartmentalize his own agony while calling the spouses, parents and siblings of his former colleagues to console them — and to ask them, ever so gently, whether they knew their loved ones’ passwords. Most often they did not, which meant that Lutnick had to begin working his way through a checklist that had been provided to him by the Microsoft technicians. “What is your wedding anniversary? Tell me again where he went for undergrad? You guys have a dog, don’t you? What’s her name? You have two children. Can you give me their birth dates?”…

In the end, Microsoft’s technicians got what they needed. The firm was back in operation within two days. The same human sentimentality that made Cantor Fitzgerald’s passwords “weak,” ultimately proved to be its saving grace.

The full piece is well worth a read, especially as it goes on to talk about the emotional personal stories wrapped up in so many passwords. The author also comments on how easy it can be to get people to tell you about their passwords – something that other research, involving chocolate, has also found.

And remember, this is not how to keep your passwords safe. There is a much better approach to password security.
