The Big Read: Passwords unlock much more than our accounts

Like virtually everyone else caught up in the events that day, Lutnick, who had taken the morning off to escort his son, Kyle, to his first day of kindergarten, was in shock. But he was also the one person most responsible for ensuring the viability of his company. The biggest threat to that survival became apparent almost immediately: No one knew the passwords for hundreds of accounts and files that were needed to get back online in time for the reopening of the bond markets. Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues. But now a large majority of the firm’s 960 New York employees were dead. “We were thinking of a major fire,” Lutnick said. “No one in those days had ever thought of an entire four-to-six-block radius being destroyed.”

The attacks also knocked out one of the company’s main backup servers, which were housed, at what until that day seemed like a safe distance away, under 2 World Trade Center.

Hours after the attacks, Microsoft dispatched more than 30 security experts to an improvised Cantor Fitzgerald command centre in Rochelle Park, N.J., roughly 20 miles from the rubble. Many of the missing passwords would prove to be relatively secure — the “JHx6fT!9” type that the company’s I.T. department implored everyone to choose. To crack those, the Microsoft technicians performed “brute force” attacks, using fast computers to begin with “a” then work through every possible letter and number combination before ending at “ZZZZZZZ.” But even with the fastest computers, brute-force attacks, working through trillions of combinations, could take days. Wall Street was not going to wait.

Microsoft’s technicians, Lutnick recalled, knew that they needed to take advantage of two facts: Many people use the same password for multiple accounts, and these passwords are typically personalised. The technicians explained that for their algorithms to work best, they needed large amounts of trivia about the owner of each missing password, the kinds of things that were too specific, too personal and too idiosyncratic for companies to keep on file. “It’s the details that make people distinct, that make them individuals,” Lutnick said. He soon found himself on the phone, desperately trying to compartmentalise his own agony while calling the spouses, parents and siblings of his former colleagues to console them — and to ask them, ever so gently, whether they knew their loved ones’ passwords. Most often they did not, which meant that Lutnick had to begin working his way through a checklist that had been provided to him by the Microsoft technicians. “What is your wedding anniversary? Tell me again where he went for undergrad? You guys have a dog, don’t you? What’s her name? You have two children. Can you give me their birth dates?”

“Remember, this was less than 24 hours after the towers had fallen,” he said. “The fire department was still referring to it as a search-and-rescue mission.” Families had not accepted their losses. Lutnick said he never referred to anyone as being dead, just “not available right now.” He framed his questions to be an affirmation of that person’s importance to the company, he said. Conversations oscillated between sudden bawling and agonising silences. “Awful,” he said. Sometimes it took more than an hour to work through the checklist, but Lutnick said he made sure he was never the one to hang up first.

In the end, Microsoft’s technicians got what they needed. The firm was back in operation within two days. The same human sentimentality that made Cantor Fitzgerald’s passwords “weak,” ultimately proved to be its saving grace.

SEVERAL YEARS AGO I began asking my friends and family to tell me their passwords. I had come to believe that these tiny personalised codes get a bum rap. Yes, I understand why passwords are universally despised: the strains they put on our memory, the endless demand to update them, their sheer number. I hate them, too. But there is more to passwords than their annoyance. In our authorship of them, in the fact that we construct them so that we (and only we) will remember them, they take on secret lives. Many of our passwords are suffused with pathos, mischief, sometimes even poetry. Often they have rich back stories. A motivational mantra, a swipe at the boss, a hidden shrine to a lost love, an inside joke with ourselves, a defining emotional scar — these keepsake passwords, as I came to call them, are like tchotchkes of our inner lives. They derive from anything: Scripture, horoscopes, nicknames, lyrics, book passages. Like a tattoo on a private part of the body, they tend to be intimate, compact and expressive.

Perhaps my biggest surprise has been how willing, eager actually, people are to openly discuss their keepsakes. The friends I queried forwarded my request, and before long I started receiving passwords from complete strangers. There was the former prisoner whose password includes what used to be his inmate identification number (“a reminder not to go back”); the fallen-away Catholic whose passwords incorporate the Virgin Mary (“it’s secretly calming”); the childless 45-year-old whose password is the name of the baby boy she lost in utero (“my way of trying to keep him alive, I guess”).

Sometimes the passwords were playful. Several people said they used “incorrect” for theirs so that when they forgot it, the software automatically prompted them with the right one (“your password is incorrect”). Nicole Perlroth, The New York Times’s cybersecurity reporter, told me about the awkward conversation she had not long ago, when, locked out of her account, she was asked by the newspaper’s tech-support staff to disclose her password: a three-digit code plus an unpublishable epithet — a reference to a funny exchange she overheard years earlier between a store clerk and a thief.

Often, though, these disclosures had an emotional edge to them. One woman described the jarring realisation that her sister’s name was the basis for all of their mother’s passwords. Another, Becky FitzSimons, recalled needling her husband, Will, after their wedding in 2013 because he was still using the digits of his ex-girlfriend’s birthday for his debit-card PIN. “I’m not a jealous person,” FitzSimons said. “But he changed it to my birthday the next day.”

Standing at the park watching my 11-year-old son climb on the jungle gym, I struck up a conversation with a woman walking her dog, and I told her about my keepsakes idea. Like most people, she did not want her name used in my article, because she said her vignette was too personal; she also feared being hacked. But she proceeded to tell me that several months after her son committed suicide, she found his password written on a piece of paper at his desk: “Lambda1969.” Only then, after some Internet searching, did she realise he had been gay. (Lambda is the Greek lowercase “l,” which some historians say stands in gay culture for liberation. The number, “1969,” she explained, referred to the year of the Stonewall Riots — the protests that followed a police raid on the Stonewall Inn in Greenwich Village.)

Some keepsakes were striking for their ingenuity. Like spring-loaded contraptions, they folded big thoughts down into tidy little ciphers. After being inspired by Sheryl Sandberg’s book, “Lean In: Women, Work and the Will to Lead,” Cortni Kerr, a running partner of mine, began using “Ww$$do13,” which stood for “What would Sheryl Sandberg do” plus “13” for the year (2013) of the password’s creation. “TnsitTpsif” was the password of another friend, a computer scientist who loves wordplay. It stands for “The next sentence is true. The previous sentence is false,” which in philosophy is called a liar’s paradox. For my friend, it was a playful reference to the knots that language can tie. When I described keepsake passwords to Paul Saffo, who teaches engineering at Stanford and writes often about the future of technology, he coined the term “crypto haiku.”

Rachel Malis, 29, a friend’s former house-mate, heard about my password fixations and e-mailed hers to me: “Odessa,” the Ukrainian city of her father’s birth. It seemed unremarkable to me. But she said there was more to it. So I suggested we meet for coffee. We sat for an hour while Malis nursed a latte and explained what gave her password its power for her.

“Odessa,” she said, referred not just to her lineage but also to a transformative trip she took there in 2008 with her father. In a sense, it was a place that had always separated them — it embodied a language, a regime and a past that she could never share. Her father fled Ukraine in 1980 when he was 28, and he vowed never to return. Even in America, old habits, like his KGB-induced scepticism of the police lingered. Malis said that during her childhood in Trumbull, Connecticutt, near New Haven, he would close the living-room blinds whenever he wanted to discuss anything “sensitive,” like summer travel plans or family finances. The city loomed large in her father’s consciousness when Malis was growing up. She once asked why there was no fleck of green anywhere in their house — not in the wallpaper, pictures, dishes, throw rugs — and her mother explained that it was because the colour reminded him of painful early years spent in the army.

ASKING strangers about their passwords is a touchy proposition. Push too hard, and you come off as a prospective hacker. Go too easy, and people just rant about how much they hate passwords. Still, it’s not

every day that you stumble across a conversation topic that teaches you new things about people you’ve known for years.

I discovered, for example, that my father - a recently retired federal judge and generally a pretty serious guy - derived his passwords from a closeted love for goofy, novelty songs from the late ’50s and early ’60s (“The Purple People Eater,” “Monster Mash”).

The “4622” that my wife uses in her passwords was not just the address of her own father’s childhood home but also a reminder of his fragility and strength. Apparently when the former 270-pound football standout, a scholarship athlete and the pride of his working-class neighborhood in west Tulsa, was a small boy, he had to sing his home address (“4622 South 28th West Avenue”) in one full breath rather than try to say it normally; otherwise, his debilitating stutter would trip him up.

My young son revealed that his password was “philosophy,” because, he said, several years earlier, when he created it, he took secret pride in knowing the meaning of a concept that big. The disclosure had an interesting echo for me, because one of my first childhood passwords was a play on “ontogeny recapitulates phylogeny,” an evolutionary theory from a high-school biology class that I found especially captivating. (The hypothesis, now unfashionable, posits that the physical or intellectual development of each individual passes through stages similar to the developmental stages of that individual’s species or civilisation.)

I asked Andy Miah, a professor of science communication and digital media at the University of Salford in England, for his thoughts on passwords, and he offered an anthropological outlook. Keepsake passwords, he suggested, ritualise a daily encounter with personal memories that often have no place else to be recalled. We engage with them more frequently and more actively than we do, say, with the framed photo on our desk. “You lose that ritual,” Miah said, “you lose an intimacy with yourself.”

For some people, these rituals are motivational. Fiona Moriarty, a competitive runner, told me that she often used “16:59” — her target time for the 5,000 meters in track. Mauricio Estrella, a designer who e-mailed me from Shanghai, described how his passwords function like homemade versions of popular apps like Narrato or 1 Second Everyday, which automatically provide its user with a daily reminder to pause and reflect momentarily on personal ambitions or values. To help quell his anger at his ex-wife soon after their divorce, Estrella had reset his password to “Forgive@h3r.” “It worked,” he said. Because his office computer demanded that he change his password every 30 days, he moved on to other goals: “Quit@smoking4ever” (successful); “Save4trip@thailand” (successful); “Eat2@day” (“it never worked, I’m still fat,” Estrella wrote); “Facetime2mom@sunday” (“it worked,” he said, “I’ve started talking with my mom every week now”).

Keepsakes also memorialise loss or mark painful turning points. Leslye Davis, the New York Times reporter who produced the video series that accompanies this article online, said that “stroke911” was her original Facebook password because she happened to create her page on the same day that her cousin had a stroke. My friend Monica Vendituoli’s keepsake was “swim2659nomore” — a reference to a career-ending shoulder injury in 2008 that prevented her from hitting the 26.59-second qualifying time in the 50-yard freestyle she needed for a championship meet in high school. But the effect of typing this password had shifted over the years, she added. What started as a mourning ritual, she said, was now more a reminder of how “time heals all.”

THESE personal tributes vary widely, I found. Stuck on a tarmac last year, I sat next to a chatty man who, judging by his expensive watch and suit, seemed to have done well for himself. We made small talk about our jobs, and eventually I told him about my interest in passwords. After a long, silent look out the window, he turned to me and said that he typically uses “1060” in his passwords. This was his SAT score, he explained. He liked reminding himself of it, he said, because he took a certain private satisfaction in how far he had come in life in spite of his mediocre showing on the standardised test.

I got an email from a college student, Megan Welch, 21, who described having been trapped several years earlier in a relationship with a physically abusive boyfriend. She recounted how he routinely spied on her email. When she tried to change her password, he always either guessed or got her to tell him the new one. “I was so predictable,” she said. After finally deciding to break up with him, she used for her new password the date of her decision, plus the word “freedom” — a deviation, she said, from the cutesy words that had been her norm. In being uncharacteristic, her password became unhackable; it was at once a break from her former self and a commemoration of that break.

Keepsake passwords are so universal that they are now part of the fabric of pop culture. I noticed, for instance, that on Showtime’s “Dexter,” the main character (a blood-spatter analyst for the police by day, vigilante serial killer by night) forgot his work computer’s password. He was soon visited by the ghost of his adoptive father, Harry, who killed himself after witnessing Dexter’s violent tendencies. The visit reminded Dexter of his password (“Harry”) and the viewer of the longevity and depth of his personal torment.

Googling for more examples, I came across Jack Donaghy, Alec Baldwin’s character on the NBC sitcom “30 Rock.” He convinced himself that a high-school crush still had feelings for him after he learned that her voice-mail code, “55287,” stood for “Klaus,” the name Jack used in the high-school German class they took together. I found George Costanza from “Seinfeld” nearly driving his girlfriend mad, and maybe even killing a guy, by refusing to share his A.T.M. password, “Bosco,” a reference to George’s weakness for the chocolate syrup.

But perhaps the most bizarre one I found was Jerry Seinfeld’s A.T.M. code — “Jor-El.” On the simplest level — as the episode explained — this was the name of Superman’s Kryptonian father. It served as a nod to the fictional Jerry’s love of the comic-book character. But in digging a bit further, I found that the real-life Jerry’s father was of Eastern European-Jewish descent, and his first name was Kalman, a.k.a. Kal. This is why one of the actor’s two sons, born long after the episode was made, has Kal as his middle name. Though most people know Superman as Clark Kent, his Kryptonian name is Kal-El. What Jerry hid in his PIN looped between fact and fiction, past and present; and comic book, sitcom and real life.

I loved the Seinfeld password story because it was so convoluted that in retelling it I could barely follow it myself. Its circularity inspired a certain awe in me — the way you might feel when you first see an optical illusion by Escher. That got me thinking about the intricate and self-referential patterns famously described in Douglas R. Hofstadter’s 1979 classic “Gödel, Escher, Bach: An Eternal Golden Braid.” The book is a beautiful and personal musing on how we mold both language and our sense of self from the inanimate material around us.

I wondered if there might be some (modest) parallel between what I saw in keepsakes and the elaborate loops in music, math and art that he described in his book. Like a fractal running through human psychology, maybe we have a tendency not just to create keepsakes but to create ones with self-referential loops in them.

So I called Hofstadter to get his take. He was reserved but intrigued. I suggested that many of these passwords seem to be quiet celebrations of things we hold dear. Hofstadter concurred. His primary password, he said, was the same one he has used since 1975, when he was a visiting scholar at Stanford. It consisted of a sentimental date from his past coupled with a word problem.

“Might there be something deeper at work in these password habits and in the self-referential loops you studied?” I asked.

Some of these patterns we discover, Hofstadter said, others we create. But above all, “we oppose randomness,” he said. “Keepsake passwords are part of that.”

The Internet is a confessional place. With so little privacy, passwords may soon be tomorrow’s eight-track player, quaintly described to our grandchildren. Ten years ago, Bill Gates announced during a tech-security conference in San Francisco that “people are going to rely less and less” on passwords, because they cannot “meet the challenge” of keeping critical information secure. In recent years, there has been a push for machines to identify us not by passwords but by things we possess, like tokens and key cards, or by scanning our eyes, voices or fingerprints. This year, for example, Google purchased SlickLogin, a start-up that verifies IDs using sound waves. iPhones have come equipped with fingerprint scanners for more than a year now. And yet passwords continue to proliferate, to metastasize. Every day more objects — thermostats, car consoles, home alarm systems — are designed to be wired into the Internet and thus password protected. Because big data is big money, even free websites now make you register to view virtually anything of importance so that companies can track potential customers. Five years ago, people averaged about 21 passwords. Now that number is 81, according to LastPass, a company that makes password-storage software.

Partly this push is being fuelled by a growing and shared hatred of passwords. The digital era is nothing if not overwhelming. The unrelenting flood of information. The constant troubleshooting. We only just master one new device before it becomes outmoded. These frustrations are channeled into tantrums over forgotten passwords.

There is scarcely a more modern sense of anomie than that of being caught in the purgatory where, having forgotten a password, we’re asked personal trivia questions about ourselves that we can’t seem to answer correctly. The almost-weekly stream of news stories about major security breaches makes it tough not to feel as if privacy on the Internet is unattainable.

It’s enough to make the conscientious objectors seem sane. These are the many people I interviewed who said they had given up on the whole notion of online security, opting instead to adopt intentionally insecure passwords.

Digital nudists of sorts, these people throw all discretion to the wind, leaving themselves naked to hackers and identity thieves; they are protected only by the hope that they might disappear in the crowd. Their humble acts of rebellion seem to suggest that maybe the reason people were so willing to tell me their keepsakes was that it offered a small, private catharsis from the pent-up pressure that we all feel to police our online security.

IN DECEMBER 2009, an Eastern European hacker trolling the Internet for vulnerable targets stumbled across the mother lode: a database of 32 million passwords for a company called RockYou that runs a network of online games. Several weeks later, the hacker published the database, which remains among the largest such archives ever released.

The digital nudists were well represented. At least one of every 10 users chose a name or a name plus a year for his password. Two of every thousand passwords were the word “password.” But the RockYou breach had bigger lessons to offer. Most password research is focused on security, rather than on psychology or anthropology. Few modern activities, however, are more universal than creating a password. Rich, poor, young, old, virtually all of us are confronted daily by some kind of registration-demanding technology: wire transfers, prepaid cellphones, online banking, email, calling cards. The RockYou database could show how, when and why words gather weight — existential, personal weight.

In our authorship of passwords, in the fact that we construct them so that we (and only we) will remember them, they take on secret lives. Many of our passwords are suffused with pathos, mischief, sometimes even poetry.

This is partly why, for the past several years, a small team of computer scientists at the University of Ontario Institute of Technology has studied the RockYou database for lexical patterns. Among their more interesting finds: “Love” was by far the most common verb among the passwords — about twice as common as conjugations of the verb “to be” and roughly 12 times as common as conjugations of the verb “to hate.” By far the most popular adjectives used in the database’s passwords were “sexy,” “hot” and “pink.” Men’s names were about four times as likely as women’s names to appear as the object of passwords that start with “I love.”

Christopher Collins, one of the group’s lead researchers, explained that affection even appears in disguised forms. What at first looked like a disproportionately frequent use of the word “team,” for instance, turned out to be versions of the Spanish words “te amo,” or “I love you,” Collins said. The number “14344” appeared unusually often, and the researchers at first figured that it referred to a date: March 14, 1944. After consulting the urban dictionary, they soon found out that the number actually is popular code for “I love you very much.” (Count the letters in each word.)

In my own conversations, I, too, noticed that love (familial, unrequited, Platonic, failed) seemed to be a common source of inspiration for keepsakes. Perhaps my favorite of these anecdotes came from Maria T. Allen, who wrote that in 1993, when she was 22, she used for her password a combination of the name of her summer crush, J. D., with an autumn month and the name of a mythological female deity (she wouldn’t tell me which) to whom he had compared her when they first met. The fling ended, and they went their separate ways. But the password endured. Eleven years later, out of the blue, Allen received a message through Classmates.com from J. D. himself. They dated for several years, then decided to marry. Before the wedding, J. D. asked Maria if she had ever thought of him during that interim decade. “About every time I logged in to my Yahoo account,” she replied, before recounting to him her secret. He had the password inscribed on the inside of his wedding ring.

Granted, passwords harbour humanity’s darker side too. Joseph Bonneau, 30, who was among the first computer scientists to study RockYou’s archive, said he was amazed that tens of thousands of people would choose to introduce messages like “killmeplease,” “myfamilyhatesme” and “erinisaslut” — not to mention a slew of obscenities and racial slurs — into their lives multiple times a day.

In studying the database, Bonneau’s focus was not on the meaning of passwords but their security. And the further he dug into it, he said, the more he worried about the fate of privacy as so much of life moves online. “What the database made clear,” he said, “was that humans really are the weak link when it comes to data security.”

But precisely what made passwords so flawed is also what Bonneau said he found uplifting. “People take a nonnatural requirement imposed on them, like memorizing a password,” he said, “and make it a meaningful human experience.”

I later recounted Bonneau’s comment to Collins, who agreed. “We don’t just make it a meaningful experience,” he said. “Statistically speaking, at least based on the data, it’s most often an affectionate experience.”

THERE is something mildly destructive about collecting people’s keepsakes. Observers disturb the things we measure. But with passwords, or other secrets, we ruin them in their very discussion. Virtually all the people who revealed their passwords to me said they planned to stop using them. And yet they divulged them all the same.

Over the course of a half-hour, Hossein Bidgoli, a management information systems professor at California State University, Bakersfield, and editor of The Internet Encyclopedia, told me about the many dangers of using personal information in passwords. He fell silent, however, when I asked him whether he thought keepsakes were a bad thing.

Then he began to tell me about his life. He grew up in a small town near Tehran, he said, where he lived until he left Iran in 1976 to pursue his doctoral studies. He described his high school, which was named Karkhaneh, and the roses and rhododendron at a nearby plantation where he and his parents used to picnic. He recalled the distinct taste of the freshly made olive oil that his father, an engineer, used to bring home from the olive-processing plant where he worked.

“What you’re calling keepsake passwords,” Bidgoli said, “mine is ‘Karkhaneh.’ ”

Translated from Farsi, the word means “the place where people work,” he said. But for him, the name conjured a past happiness, time spent with his parents and the place that shaped his work ethic and his ethnic identity. “It’s a pretty memory,” he said, sotto voce.

I wondered why someone so concerned about security would be willing to tell me his password. I figured it might just be an extension of the oversharing culture that the Internet has created. Maybe my very hunt for significance in passwords and people’s general eagerness to help in that endeavour says more than any particular meaning I might actually find in the passwords themselves. Humans aren’t the only ones who solve puzzles. We are, however, the only ones who make puzzles simply so that we can solve them.

Bidgoli said he wasn’t sure why he disclosed his password. “It just seemed like your keepsakes are true,” he added after a long pause. “I wanted to contribute to that.”