Last week I was pre-paying for my gas at the local station and the cashier asked me what type of gas I wanted. I told him “regular.” He looked a little confused and then asked me if I wanted “unleeeded” gas. I hesitated for a second, smiled, then answered “yes, I want unleeeded.”

This clerk was maybe nineteen or so and clearly a native English speaker. So how does one go through life in the United States not knowing how to pronounce unleaded? And how does someone work at a gas station–where the word is likely spoken all day long–and still not pick up on that? He was the only one there running the place so this certainly was not his first day on the job. Has he really never heard anyone else say that word?

So I was looking over the files from the recent Los Angeles County Police Canine Association hack and while there are many newsworthy elements of this story, there is one that stood out to me in particular. In the file admin.txt, which presumably contains system admin information, I found the following:

All the passwords are "password"

Now this organization and some of its members have already experienced an untold amount of embarrassment from all of this, but we should not let that overshadow this: they have all set their password as password!

We already know just how common password really is, but I like to think that most people, let alone administrators, have at least figured out how to make their passwords even slightly stronger than that. And I would hope that most software applications would not even allow someone to set their password as password.

After nearly fifty years of using passwords with computer systems, you’d think we would have evolved to some collective security baseline that would preclude us from using password as a password. You really can’t set a password many places without being scolded for not using capital letters or numbers, so how does one not just naturally pick up on these things? Isn’t password security mentioned enough in news media for someone to just pick up on this as common sense?

Certainly people know the difference between a poor password and a strong password, but the real issue here is getting people to actually do it. It’s almost as if user involvement in security is some impenetrable area of the human brain that we have yet to comprehend. There is some mysterious detachment that keeps everyone oblivious to the fact that they personally are a hacker target. There are false metaphors people impose on digital communications that give them a huge sense of false security, leaving so many asleep at the switch.

Public shaming seems to have no affect. Policies are seen as annoyances that are okay to circumvent. Everyone has a favorite password they use everywhere.

I have always despised sensational news headlines that say that some new technology will make passwords obsolete. No matter what we come up with, there will always be some knowledge element the user must provide.

But maybe the problem isn’t with passwords, it is that we let users pick and manage their own.

As I walked out of that gas station I laughed at myself, wondering why I didn’t correct the clerk and even jokingly repeated the mispronounciation back to him. I guess I figured eventually someone else would eventually point out his error.


Yubikey Token        LastPass password manager