The secret life of passwords




my passwords say that i use a random password generator and am somewhat paranoid.


Mine is an extremely oblique reference to mid 80’s comics that nobody would ever understand but me. But for me it has deep meaning from my formative years.

It’s not “Excelsior!”


The passwords I use typically looks like this Bl]zbv9FE!@e%W^oG7_a$_88-4CP4" Dunno if that means I have a very secret inner life, or that I’m a robot?

At least as surprising as their hidden stories has been peoples' willingness to tell me them. There was the former prisoner whose password included what used to be his inmate identification number (“a reminder not to go back” he explained); the fallen-away Catholic whose passwords incorporated the Virgin Mary (“it’s secretly calming”); the childless 45-year old whose password was the name of baby boy she lost in utero (“my way of trying to keep him alive, I guess”).

A catalog of doing it wrong.


This, so much this.

Which meaningful memory was my password this month? I know, the one about my wedding day, the story I’ve blogged about and told so many people about? or the name of my kid?
Whatev’s, I’ll just change it and use my mother’s aunt’s birthday, in reverse!
I’ve already used it? Shit.


In the end, Microsoft’s technicians got what they needed. The firm was back in operation within two days. The same human sentimentality that made Cantor Fitzgerald’s passwords “weak,” ultimately proved to be its saving grace.

I’ve got a few IT security classes on my transcript, and the only thing I’ve got on Github is a random passphrase generator, so my reflex reaction is to be critical of the use of passwords that have personal meaning. Yet the article brings up two problems with this.

The first is the simple, practical problem, that it can be a serious problem if there’s no way to recover a password. More than once, I’ve been able to solve a computer problem because I guessed that a friend or relative just used the same password they always use, or because they left it written down in plain sight. And I know that in many workplaces, sharing passwords is a practical necessity, even though it’s universally condemned as a bad practice and often an explicit violation of corporate security policies.

The second problem, more interesting, and more in line with what the article discusses, is that the constant use of meaningless passwords is dehumanizing. Humans create, cultivate, and share meaning; that’s fundamental to our construction of identity, our dignity. Asking us to accomplish important tasks with a tool that is, by design, meaningless, is alien to how our minds work. And using passwords that have personal meaning, rules be damned, is an effort to remain human in dehumanizing conditions.

I’ve sometimes joked that I can’t remember birthdays, because I’m busy remembering 33c425f352bcfa49. It’s less funny right now.


It’s about the threat model.

An important password that if compromised has serious consequences has to be strong. A main server or a bank account are examples.

A password to something meaningless can be weak and guessable, if, if compromised, nothing happens. Online newspapers are an example.

Writing down the password opens a vulnerability, but it has to be weighed if the benefit of password not guessable/bruteforceable from anywhere in the world is worth the risk of having it locally readable by anyone who flips the keyboard upside down. (Writing a wifi password on the bottom of the router/AP is a good habit.) In cases where the physical access gives you full control anyway it is a no-brainer to have it written on/near the equipment.

You can push this to an extreme. Some of my office servers (think lots of small offices) had the root console without password at all; you had to just be physically at the machine and attach a screen and a keyboard to gain access. But you could do that with a bootable CD anyway, and this way I did not have to dictate passwords over the phone when I needed someone to enter a command in order to avoid traveling over half Europe to type one line of code. Less downtime (often minutes instead of a day), lower costs (phonecall instead of flying there), and security not impaired - if you can take over the box physically, it is all lost anyway. Counterintuitive but saved my posterior quite a number of times; and, with console interface, just about anybody can be your eyes and hands at the terminal over a phone. (Try that with a GUI. Much less easy.) Usually it was a branch manager.

(You could of course go with encrypted disks, BIOS password, and so on, but then you’re more likely to cause expensive downtime and a determined attacker will just work around that all with social engineering.)

Or you can “encrypt” easy passwords with a substitution cipher. A simple Caesar cipher will do the job well enough.

Being humans is overrated. And an illusion, too. Often a dangerous one, security-wise.

Don’t let your users choose passwords. Generate them.


The password I use for some things that I care about somewhat but not too much is my initial misreading of the randomly generated password from my first university account that I was forced to change upon first log in.

Another password I use sometimes is the password my late mother used at her work which was randomly assigned.

So I guess I have keepsake passwords that are also randomly generated. Does that saying something about me?

(and, as @shaddack says, it’s a question of the value of security. I use the same passwords for multiple things but not for things that I am really very concerned about)


The day I gave up trying to make passwords up, I felt liberated, I actually find it harder to come up with a meaningful password, remember the meaningfulness and the way I then codified it into a password, than a random series of characters that have only one meaning.


Years from now you will correctly guess that I used 33c425f352bcfa49 as a password and steal my secret information.

And come on, we were never remembering those birthdays anyway, were we?


I don’t trust random password generators…


Is this another good time to reference Passwordcard?

As for a password that really was a word, I have to go back to 1985, when my password to log on to the university’s mainframe was “pertwee”. Says a lot about the sort of geek I was back then.


I can remember every postcode I’ve ever had, but not my mother’s birthday. Personally, I prefer to consider it’s a hardware issue.


Have you ever considered coming up with a cipher that converts one of your old postal codes to your mother’s birthday and then memorizing that?

Only half joking here - I used to remember how old I was by remembering how old my oldest brother was an subtracting the appropriate number of years. (Now I conveniently just remember how old my spouse is, though since I usually forget their birthday, there are about 30 days of the year I’m not sure in)


I have a genius method of using an uncrackable, yet easy to remember password.

First, I take my favorite celebrity, and my favorite book, and interleave the letters together. Then, I replace every I with a 1, and every OTHER O with a 0. Then, I take my favorite number and put it at the beginning and the end. Then, to make it unique from other sites, I put the acronym of the site name (like here it would be BB) at the end. Finally, just to add a little randomness, I add a % mark in the middle.

Now, while the crackers are busy trying to figure out all THAT and guess my password, I pull a last minute feint and make ‘drowssap’ my actual password. Never gonna forget that!


This topic was automatically closed after 5 days. New replies are no longer allowed.