The Secret Lives Of Passwords

HOWARD LUTNICK, the chief executive of Cantor Fitzgerald, one of the world’s largest financial-services firms, still cries when he talks about it. Not long after the planes struck the twin towers, killing 658 of his coworkers and friends, including his brother, one of the first things on Lutnick’s mind was passwords. This may seem callous, but it was not.

Like virtually everyone else, Lutnick, who had taken the morning off to escort his son, Kyle, to his first day of kindergarten, was in shock. But he was also responsible for ensuring the viability of his company and the support it provided for employees’ families. The biggest threat: No one knew the passwords for hundreds of accounts and files that were needed to get back online in time for the reopening of the bond markets. Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues. But now a large majority of the firm’s 960 New York employees were dead.

Hours after the attacks, Microsoft dispatched more than 30 security experts to an improvised Cantor Fitzgerald command center. Many of the missing passwords would prove to be relatively secure—the JHx6fT!9 type that the company’s IT department implored everyone to choose. To crack those, the Microsoft technicians performed “brute-force” attacks, using fast computers to begin with a, then work through every possible letter and number combination before ending at ZZZZZZZ. But even with the fastest computers, brute-force attacks, working through trillions of combinations, could take days.