Passwords Made Them Do It

Posted by Pete Jul.02, 2014 in Passwords & Security

fb-post40A news station in Denver, Colorado, recently did an investigative report claiming that the local Department of Motor Vehicles (DMV) was biased because of a list of joke passwords that was being passed around the office. (Scroll down to watch the video.)

Here’s our anchorman:

The idea here is that you walk in and they’ve already made up their mind about you based on some of these passwords.” (Our emphasis)

First off, is that really being fair to passwords? :-)

As if people didn’t already have enough reasons to have a general dislike for passwords (Heartbleed and stories of stolen passwords in the news, hacks, forgetting passwords, trying to create strong passwords without a password manager, etc. etc.), now we’re told that passwords can make them do mean things.

We’re asked to believe that a joke with fake passwords is the reason for the DMV not being fair with applicants who appeal to have their driver licenses reinstated.

The headline suggests that these are real passwords (Do offensive computer passwords prove bias at DMV hearings?), which they’re not. And after the reporter asks the supervisor if he’s seen the joke list, he then goes on to talk about the passwords as if they were real. Note to reporter: these aren’t real passwords!

Since everyone’s sense of humor is different, we’ll gloss over the fact that most of the phrases really aren’t funny: not because they are offensive (which some are), but just because they aren’t funny (ex. ‘UrProblm’ or ‘CantHelp’ or ‘AppealMe’). Maybe the story should have been: Do bad office jokes cause DMV employees to lose sense of humor?

There’s a lot about the story that just doesn’t seem right.

If you created a list of insider jokes, would you really have to explain the jokes to the insiders that you’re sharing it with? One of the phrases is ‘ILuvGGCC’ and next to it is an explanation that GGCC is the DOR Computer system. If that’s the computer system that the DMV folks use every day, why would you need to explain that to them? That’s just strange!

The reporters tell us that this has been an ongoing joke since 2011, but when you look at the list, it also has password suggestions through the end of 2014. Think about it, if this is an evolving monthly joke, how come there are already entries that continue forward in time more than 6 months through the end of the year?

In addition, the idea that they would use a local lawyer’s name as a proposed password seems to be a red herring that something else is going on.

But even assuming that this really was a bad joke by a few state employees, is it reasonable to think that the fake passwords made the employees act a certain way? At no point does the story mention that the folks over at the DMV may be biased against drivers with suspended licenses, and that the passwords in the joke may be a result of the bias and not the cause of it!

If you ask us, this episode is weird.

The report suggests that the DMV actually does have a REAL list of suggested passwords. In order for this joke to last so long – almost 4 years! – it’s not unreasonable to think that there is some basis for the idea of an actual password list distributed by the DMV.

One question we would have asked is whether there is a policy of recommending passwords within the agency. No, not the joke passwords, but if there is an email or handout that goes out periodically recommending passwords, say for systems that allow access to multiple individuals. Instead of requiring each individual to have a unique password, does the agency recommend that they all share a password?

In our opinion, the reporter should have asked that basic question. THAT would have been much more important expose at this time when we see poor password hygiene by individuals, businesses and agencies alike.

Does the DMV recommend passwords to its employees?

Here’s the video: