Passwords are great until you realize that they introduce a human element into your cryptographic or authorization scheme. I’m serious, no matter how secure your system is, some genius user will find a way to totally wreck it on day one. Before you say anything, let me assure you I do not have a photographic memory and I do not expect people to use 64-character non-alphanumeric, random pass phrases. I know how this whole password thing works for most people.
Most of us can remember around 5 or 6 passwords at a time. Some people use more, some use less. We tend to reuse these passwords between different services, often tacking some numbers or characters at the end or in the middle somewhere. And that’s ok in most cases. As long as those passwords are not straight dictionary words, this scheme works. It’s not perfect but it is serviceable. What I wanted to share today are some more colorful password related stories.
Lock out after 25 failed attempts
Once upon a time, I was doing my time in the IT purgatory. Wait, actually it might have been hell. I’m not sure anymore. Which one is the one where you are tormented by idiotic questions all day long? I was in that one. I don’t really remember the details (I blocked them out) but at some point someone decided to implement more better SECURITAR on the company laptops. The idea was that having full disk encryption on these machines is nice and all, but it sort of defeats the purpose when half of the users have set their password to be the name of their dog or first-born child and then never, ever change it. We can tell them to change it every 30 days, but they won’t until we force them. So the idea, which I think originated somewhere in the upper echelons of the institution, was to do exactly that. Force them to change passwords. Oh, and make the logins more hack proof because someone’s 16 year old nephew said he could totally brute force into one of our laptops. So we changed our policies to require people to change their passwords every 30 days, and added a rule that would lock out the user if he failed 25 consecutive logins within 5 minutes.
I mean, everyone has like 5-6 passwords they use, with some variations. Plus most of them are hunt-and-peck typists, and as we discovered only the members of the IT caste actually know that you can switch between the username and password fields using tab and then hit enter. Most of our users mouse the fuck out of the login form like it was fucking Farmville. So if someone is averaging more than 5 attempts per minute for 5 minutes straight then it’s probably that asshole nephew showing his uncle his 1337 hax and we should lock him out.
So we push out the policy to the users, and forget about it for about a month. Exactly 31 days from when we pushed the button, I walk into work (late) only to see that everyone’s faces are white with sheer dread. Every phone in the IT office is ringing on all the possible lines, and everyone is crashing. Apparently around 30 remote users changed their password the other day, forgot about it, and then locked themselves out of the computer via that magical 25 in 5 rule. Don’t ask me how or why it happened, but they did it. One after the other, all the accounts were being locked out. And it’s not like we didn’t test this, or that there was some bug that caused it. Most people didn’t have a problem with the new policy.
After that, the new security rule was to gently remind users to change their passwords at least once every 6 months via email, and never ever lock anyone out no matter what they do. Yaaay security!
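To show why the “25 in 5” rule bit the remote users and not just the hypothetical nephew, here is an added example (not code from the post) of a sliding-window lockout counter with exactly that policy, fed with evenly spaced failed logins; the `LockoutTracker` class, the username and the pacing of the attempts are all assumptions of mine.

```python
from collections import deque

WINDOW_SECONDS = 5 * 60   # the post's rule: a 5-minute window
MAX_FAILURES = 25         # the 25th failure inside that window locks the account


class LockoutTracker:
    """Sliding-window failed-login counter; one deque of timestamps per user."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        self.failures = {}   # username -> deque of failure timestamps (seconds)
        self.locked = set()

    def record_failure(self, user, now):
        """Register one failed attempt at time `now`; return True if the account is locked."""
        if user in self.locked:
            return True
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        """A successful login ends the 'consecutive' streak, so the counter resets."""
        self.failures.pop(user, None)

    def is_locked(self, user):
        return user in self.locked


def simulate(interval_seconds, attempts, user="alice"):
    """Feed `attempts` failures spaced `interval_seconds` apart (constructed input).

    Returns the attempt number that locked the account, or None if it never locked."""
    tracker = LockoutTracker()
    for i in range(1, attempts + 1):
        if tracker.record_failure(user, i * interval_seconds):
            return i
    return None
```

A scripted attack at one try per second locks on attempt 25, a hunt-and-peck user at four tries a minute never does, but a remote user who forgot the new password and retries every ten seconds locks out on attempt 25 just like the attacker.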
One day I’m sitting in my cube, chewing on my cardboard-flavored lunch special from the cafeteria, extruding condensed hatred and contempt for the world out of every pore and imagining that I’m somewhere else. Suddenly a recent hire appears in my cubicle and demands that I reset the password on his computer. I look at him, then glance at my food, and then back at him again, hoping that maybe I can non-verbally communicate that he needs to fuck off while I eat. He doesn’t get it. I try to explain that there is a button for that, but he says he looked all morning and could not find it. I could probably say something or just ignore this guy, but he has fierce determination in his eyes and I can tell he is not going to give up easily. Resetting a password should be quick and easy. I can get him off my neck, and still have plenty of time left in my lunch hour to wallow in my misery, hate life and all that good stuff. So I tell him to lead on, and we embark on a colorful quest back to his cubicle, which is conveniently located in a fucking different hemisphere somewhere.
After walking for what seemed like days, I sit at his desk and point to a large button that says “change password”. Quest completed. Zero experience points awarded. Fuck everything that lives, I’m ready to go home.
“It wasn’t there before” – he explains quite seriously, suggesting it’s probably some bug in our shitty software. Of course it wasn’t there. We hide buttons from our users all the time. We also put proximity detectors in all their computers so that they don’t break or do weird stuff, and show all the missing buttons when an IT person is present. Yep – we are a crafty and mischievous bunch.
The guy proceeds to hand me a crumpled-up sticky note. “Change it to that” he orders authoritatively. The note has a common female name followed by a two-digit number, which I assume belongs to his wife, daughter, underage mistress or perhaps a dog. It’s not a good password, but whatever. I have a cardboard-flavored sandwich with my name on it on the other end of the building – I don’t give a fuck at this point. I change it for him, shake his hand and try to get away as fast as possible. The guy seems pleased, so he quips:
“Now, I trust you buddy! That password is like the key to my life. I use it for everything. So don’t go snooping in my bank account or nothing… Har har har… *unwanted shoulder pat*”
That very moment was when the rational part of me committed ritual suicide, and died. Apparently the guy had just changed the passwords for all his work accounts (save the one I helped him with) to the same one that he uses for his Yahoo, eBay, his bank account and everything else. You know – the password he is going to be typing into every phishing form on the internet.
I’m not sure what happened next. I am pretty sure an evil witch appeared and turned me into a newt. I got better though.
Here is a word of advice: don’t tell anyone you work in IT. In fact don’t tell anyone you work with computers. Or near computers for that matter. I am serious about this. I think there is some sort of memetic wetware virus going around that hacks people’s language centers. When you say “I worked in IT once” the infected hear “I provide free tech support to everyone who asks”. It is quite disturbing.
I tried lying about my profession but people see through it right away. I guess it’s the lack of exposure to the sun, the bags under the eyes and the caffeine addiction that tip them off. Needless to say, I get wrapped up in these “Free Tech Support” scenarios all the time. One of the biggest requests, next to disinfecting machines from their meticulously collected spyware, is networking. This is a slightly unrelated rant, but most people don’t know how to fucking work a router. They treat it like some arcane box full of evil magic that must be coaxed by a specialist. An IT person is good, but if they can get a programmer they usually feel better. Cause, you know – programming is like configuring things, but better.
So a router-less acquaintance of mine tasks me with setting up a wireless network for them. Free of charge, of course. And naturally, the implicit part of the deal is that I take personal responsibility for anything going wrong with any computer that anyone brings into their house. Cause you know, I set up their wireless, so if shit breaks it is automatically my fault and I better fucking fix it. I really love how these deals turn out. Don’t you?
To make a long story short, I help them buy a router and dig their dusty cable modem out of the gigantic tangle of cables underneath their “computer desk”. It takes me about half an hour to actually get to the modem, because it has been encased by a network of cabling so dense it almost has its own gravitational pull. Once I dig it out, I connect the router, power it up and go: “tada!”
Then of course I get a stupid, stupid idea to introduce them to WPA. So I set it all up and ask a simple question: what do you want your pass phrase to be? The answer? “Can we make it the same as the SSID?”
“Oh, how about 67 Poopersmacker Street – you know, like the address here?”
“Ok, let’s put Joe – that’s my youngest one’s name”
How do you explain to a proud parent that a 3-letter name is not fucking good enough? Not to mention that the kid runs around the yard like a maniac, so the neighbors and any passers-by hear his name being yelled out every 3 seconds on any given day. We go back and forth like this for half an hour, at which point I give up and settle on using the cat’s name plus someone’s date of birth. I wrap everything up, say my goodbyes and as I’m walking out the door I hear the couple I just helped have this exchange:
Her: “So what’s the password again?”
Him: “I told him to use Fluffy1234”
Her: “Oh, good. That’s what I use for my email, Facebook and pretty much everything else”
Him: “Yeah me too…”
Shit! That’s the same combination I have on my luggage! Fuck my life.
Passwords suck because people will always find a way to make them as insecure as possible.
Post your own password related horror stories in the comments. We had some great stories in the previous IT horror thread so I’m counting on you guys to deliver again. Don’t let me down.