The Art of a Good Excuse

An open letter to Grant Shapps.

Grant:

About this ‘haxx0rs ate my YouTube password thing‘…

The thing is, I was discussing this on-line with a group of techs, last night – about a dozen of us with a combined experience in systems and network administration of a couple of hundred years or so – and the thing is… well, we just don’t buy your excuse.

Nothing personal, you understand. We just don’t.

What I mean here is that, on the face of it, the suggestion that a malicious political opponent might have guessed, or maybe even brute-force cracked, the password on your YouTube  account sounds plausible enough on paper, good enough, even, to give you the benefit of the doubt…

…but then you had to go and spoil things by asserting that the password on the account ‘1234’.

Sorry? ‘1234’? Nah, you’ve ruined it.

Don’t get wrong here. We haven’t just dismissed your story out of hand. We really did give it plenty of thought… but try as we might and with all those long years of experience of dealing with dumbass end users to draw on, none of us could recall a single occasion on which even the most moronic end users we’ve ever dealt with were idiotic enough to choose ‘1234’ as their account password.

Seriously Grant – and this is no mean achievement, by the way – you’ve actually managed to put up an excuse that simply too dumb to be believable, even by a group of techs with such extensive experience of the near inexhaustible capacity of end users to find new ways of doing complete dumb thing.

And trust me, here, we’re not short on dumb password horror stories, if fact we’ve seen pretty much everything that end users can throw at us; middle names, kids’ names, birthdays, names of their favourite pop star, actor/actress or sportsman/woman. To be honest, we actually had quite a good time swapping stories and bitching about users – it’s a techie thing. Like the one about the departmental manager who had to change his password every month – so he religiously used the name of current month. Or the one about the Senior IT manager who, as a joke, set the master password on a brand new IBM mini-computer to ‘TWAT’ no soon as he’d got it out the box and plugged in… only then to read the set-manual and discover that system took the first use master password enter and burned it permanently onto a chip as the system’s master password for life – sadly the purveyor of this particular gem of a story left the company before the system was replaced and sold on and, as a result, missed out the entertainment value of seeing the guy who set the password trying to explain it to the people buying the system.

You get the picture here? If its dumb and someone, especially an end user, can do it then, between us, we’ve seen it… and yet not one of us could recall a single instance in which anyone had ever voluntarily chosen to set an account password to ‘1234’, let alone leave such a dumb password unchanged for nine months.

Hopefully, by now, you’ll understand why your explanation of how your YouTube account has been met with widespread hoots of derision. If you’d have said that your password was something dumb but plausible, say ‘cameron,’ or ‘cchq’ for example, then you might have got off with the benefit of the doubt. You might have even got away with passing the buck on to an over-enthusiastic scutter in your constituency office and been more widely believed. But what you’re asking people to swallow here goes beyond dumb and sets a new low in the annals of end user stupidity and ID10T errors and its that that makes your ‘haxx0rz’ story just that bit too implausible to believe.

Not even a Tory MP could be dumb enough to use ‘1234’ as a password – could they?

  • Funny how it was a politically motivated Hacking too. Instead of using his account to spam people gor enerally do hackery-type stuff, this Hacker pretended to be Grant pretending to be someone else.

    If he’d said that he’d left himself logged in at a publicly accessible computer it would have been more believable. Anything would have been more believable than this.

  • zorro

    Obviously no Network admin is going to use 1234 as a password but if you seriously doubt for one minute that normal non techies use these sorts of passwords then you might have “a combined experience in systems and network administration of a couple of hundred years or so” but you and your mates know nothing at all about human nature.

    A study a few years ago showed that 123456 was actually THE most popular password at the time…

  • Jonathan M is correct of course.

    most hacks are script kiddes looking to spam fist tripe into every e-crevice possible. it’s highly unlikely that anybody who is politicly motivated would even try this sort of thing. sadly though, it can’t be completly ruled out. It would have been fantastic if the excuse he had given was completly impossible, so that the intarweb hordes could rip him apart.

  • Oh fuck is that one doing the rounds again?

    Yep, seems it is courtesy of PC Magazine who’ve sourced the information from inTechnology.com, who seem to provide nothing by way of verification of their ‘top 10’ list in terms of where and how they captured their data.

    First point of note – kicking out a list of ‘the top ten most used passwords’ is an old and venerable publicity shill – you just stick out a press release in which you perm any combination of the old favourites; password, the user name (with or without 123 tacked on the end), monkey (which seems a perennial favorite for reasons entirely unknown to anyone), date of birth, a couple of numeric sequences (123456 crops up a lot because of the number of sites that insist on a 6 character password), qwerty, the odd names of a sports team or band who happens to be popular, and if you’re trying for coverage in the US then chuck in ‘ilovejesus’ and ‘john316’ to keep the god bothers happy.

    So far as I can recall, the only authoritative reports I’ve seen citing simple numeric sequences were one from a German dating website, which analysed their user’s password but gave no info on how many of the accounts evaluated showed any patterns of actual use as opposed to being thrown-away accounts set up by teenage kids looking for a place to lurk until they figure out where to find the free porn, and a report from a university in Maryland that used fake site to analyse password guesses used in hacking attempts, which is really only a study of script-kiddie behaviour and not actual password usage.

    Oh, and in that study, the top two were ‘password’ and username + 123.

    The most recent halfway decent study analysed data from a phishing attack on Myspace, which gave this list…

    Common Passwords: The top 20 passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

    123456 crept in 11th and we are talking MySpace users here, FFS.

    Seriously, none of us could recall ever seeing anyone use 1234 – by and large when we did come across numeric passwords they were invariable a birthday, wedding anniversary or some other date – on the odd occasion you will find some idiots using their bank account number.

    Even allowing for the inexhaustible supply of human stupidity, stuff like ‘1234’ is some obviously dumb that people avoid using it – so claiming to have used that is no real improvement on getting caught astroturfing

    To be honest, if I was going to put money on anything as being the likely truth, I’d go for the dumb scutter in the office line because that is all too plausible, especially if Shapps is operating from a base that’s up to its neck in campaign volunteers – its no great reach to imagine a scenario in which a numpty from Conservative Future decides to sneak a quick five minutes looking at Kitten vids on YouTube using the office PC, only to find that cookie data on has automatically logged then into Shapps’ personal account and forgot to log off before posting a comment on the LD’s vid

    If in doubt, always choose cock-up over conspiracy

  • Hello all. Working on a beefy post, but wanted to pop in just long enough to let you know that, while many sites require a minimum of 6 characters for passwords and/or a mixture a numbers and characters, YouTube did not at the time of Shapps’ initial registration.

    Just wanted to save anybody else the trouble of looking that up should it occur to them (as it did me) that a 4-digit password would be rejected by many websites.

  • zorro

    Unity, while I agree completely that the explanation in your last paragraph is probably correct, I would point out that although I don’t remember seeing 1234, I have encountered /numerous/ people with 123456 as a password. (I suspect I haven’t seen 1234 because most of the systems I administer have a minimum 6 character pwd)…

    Why would you think an MP should be any more intelligent than an average myspace user, most popular pwds from your own post:-(password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc) – None of these are much better than 1234 really!! 😉

  • Pingback: Bloggerheads()