One day, at the end of the semester, our female neighbor knocked on our door and asked if she could use our wifi since she was moving out the next day and had already canceled her Internet.
I would have been happy to share with her, but I couldn't bring myself to tell her the password. Instead I just said my roommate was "really weird about sharing our wifi" and apologized.
I don't think that incident ever actually made me change the password though.
I won't repeat the one we were told for remembering resistor color codes.
One of the more interesting things about reused "unique" passwords is they can serve as a fingerprint to link accounts you may not otherwise be able to attribute to the same account/individual.
It was a rude comment about a colleague.
At a former job I could not go to one of global corp Tata sites, because tata.
Seeing this news, I guessed this one on my second guess (after trying p/q2-q4!) - no brute forcing required!
Back in college I ran ToneLoc overnight and would try ftp on the successful hits. One server didn't have root set, so I telnet'ed, <Enter> when prompted for the password, and I was in.
I ran 'who', saw a user logged in. Decided to wall them a message of "You should really set your root password." and logged out.
A couple of days later, I got an email on the trash email account I would use for ftp logins - dude was super nice but freaked out and wanted to know how I found his server. I didn't reply.
Imagine the anecdote coming from the person you wall'd.
"You're password 'huntet2' is invalid"
Unless the password is just random characters, anyone can guess how it was mistyped.
Hell, even if it was just random characters, one could just assume that it's one character-off from the real password, and try shifting each character around.
If it's a random password, it may still leave 2-3 bits per character as it becomes much harder to know where the error is (e.g., if "j9^vl4JO" is wrong, what is the correct password?), but if you have your hands on two independent errors, which is reasonably likely, that pretty much collapses to 1-2 bits tops even in the random case (e.g., if you also have "k9^vl4JP" that pretty much nails it down to either the first and last being "j P" or "k O").
It is a truly terrible idea!
Shouldn't that remain utterly trivial to brute though? If we're assuming all the standard face keys+shifted, I think that's 94 characters. If it's fully unknown then search space is 94^8 or about 6E15, not good but if it's an adaptive hash sizable. But if it's only a one character error, wouldn't you just brute through each of the 8 one by one with only 94 each? That'd reduce it to just 752 possibilities at worst which is so low someone determined could even do it by hand, even ignoring any obvious psychology like the likelihood that the special character isn't the mistake and probably the only special character too.
Certainly not quibbling that it's an awful idea. I don't even like "password hints" so many systems still seem to have, they should be random!
Seems plausible the correct password might be j(6vl4JO...
Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.
Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway; hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to be clever with passwords rather than just generating something fully randomized.
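To make the arithmetic in the exchange above concrete, here is a small added example (not code from any commenter) that enumerates the one-substitution candidate set for a mistyped password, intersects the sets from two independent typos, and orders the human-typo guesses first using a US QWERTY left/right-neighbour map with shift state preserved. The 94-character alphabet and the keyboard rows are assumptions taken from the discussion.

```python
import string

# The 94 printable ASCII characters (letters, digits, punctuation) that the
# thread takes as the per-position alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Physical key rows of a US QWERTY keyboard, unshifted then shifted, used for
# the "left/right neighbour with shift state preserved" heuristic (assumed).
_ROWS = [
    "`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
    "~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?",
]


def one_substitution_candidates(typo: str) -> set:
    """All strings differing from `typo` in exactly one position.

    For an 8-character typo this is 8 * 93 = 744 strings (the thread's
    figure of 8 * 94 counts the unchanged string once per position).
    """
    out = set()
    for i, ch in enumerate(typo):
        for alt in ALPHABET:
            if alt != ch:
                out.add(typo[:i] + alt + typo[i + 1:])
    return out


def candidates_from_typos(typos) -> set:
    """Intersect the candidate sets of several independently mistyped
    attempts.  Two attempts with typos in different positions leave at
    most two possibilities, as with j9^vl4JO / k9^vl4JP in the thread."""
    result = None
    for t in typos:
        s = one_substitution_candidates(t)
        result = s if result is None else result & s
    return result or set()


def lateral_neighbours(ch: str) -> set:
    """Keys immediately left/right of `ch` on the same row, same shift state."""
    for row in _ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()


def neighbour_first_candidates(typo: str) -> list:
    """The subset of one-substitution candidates a human-typo model tries
    first: exactly one character replaced by a lateral neighbour."""
    out = []
    for i, ch in enumerate(typo):
        for alt in sorted(lateral_neighbours(ch)):
            out.append(typo[:i] + alt + typo[i + 1:])
    return out
```

With "huntet2" the neighbour-first list has 14 entries and contains "hunter2"; with the two random-looking typos from the thread the intersection is exactly the two strings the commenter named.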
That's incredibly useful. Stand next to someone, casually chatting, while they enter their password. Just before they hit [ENTER], stab a key -- say, a 'z'. Boom, it prints their password with an extra 'z' at the end.
Sure, they'd be aware of it and likely change their password. But still. A more common use case would be to hang around and wait for them to inevitably typo the password. If you see that enough, you'll get a really good idea about what it's supposed to be, or at least give you enough of the password to make figuring out the missing part trivial.
But I only made it maybe a month into my Dvorak-learning efforts. Just not enough benefit for the added hassle.
Possibly, I also wanted to disable the spyware / remote access they had on all the computers. There's no experience quite like having your control of the mouse cursor taken away by an invisible, omnipotent sysadmin. Hilariously, they wouldn't even run a logout command remotely, but actually go to the start menu to do it, I think to make a point.
! is a good move.
? is a dubious move.
If you want to get carried away, double/triple those.
Could someone explain this to me, why does it slow down towards the end?
It isn’t running a single thread at 100% GPU use until the end; it has to partition up the search space and balance how it creates possible passwords on the CPU, on the GPU, and based on the kind of attack patterns you asked for - and when it’s getting to the end of the search space, some of the search space partitions are done and the remaining ones aren’t enough to load the GPU fully, so hash throughput drops.
It might also be cruft building up over time with small memory leaks or imperfect memory management.
It's more likely the explanation above of something (not heat) accumulating over time and slowing down the processing.
Password cracking often uses rule lists to modify known passwords lists in some way (adding 123 to the end, for example). These get more complicated towards the end so they take more operations.
See also "Ken, Unix and Games" by Dennis Ritchie:
When I create hashes for systems, I actually now create a "version" prefix for hashes... this way I can upgrade on the fly to a newer hash at login (if/when needed).
Have upgraded older systems this way... after 30 days, dumped any that hadn't changed and sent emails notifying that they'd have to use the "forgot password" option the next time they wanted to login.
Currently using pbkdf2/hmacsha512*100000 for password hashing. 16-byte salt, 32-byte result... varying too far from NIST guidelines would have been a hard sell.
output base64 values: v#.SALT.HASH
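The scheme the comment above describes, written out as an added Python example (not the commenter's own code): records carry a version prefix in the stated "v#.SALT.HASH" layout, version 1 uses the parameters given (PBKDF2-HMAC-SHA512, 100,000 rounds, 16-byte salt, 32-byte output), and a successful login with an out-of-date record returns a fresh record to store. The version-2 parameters, the function names and the round count for v2 are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed version table (added example, not the commenter's code).  v1 uses
# the parameters given in the comment: PBKDF2-HMAC-SHA512, 100,000 rounds,
# 16-byte salt, 32-byte output.  v2 is a hypothetical newer tuning whose
# only purpose here is to exercise the upgrade-at-login path.
VERSIONS = {
    1: {"algo": "sha512", "rounds": 100_000, "salt_len": 16, "dk_len": 32},
    2: {"algo": "sha512", "rounds": 210_000, "salt_len": 16, "dk_len": 32},
}
CURRENT_VERSION = 2


def _derive(password: str, version: int, salt: bytes) -> bytes:
    p = VERSIONS[version]
    return hashlib.pbkdf2_hmac(p["algo"], password.encode("utf-8"),
                               salt, p["rounds"], p["dk_len"])


def hash_password(password: str, version: int = CURRENT_VERSION) -> str:
    """Produce a record in the comment's 'v#.SALT.HASH' layout (base64)."""
    salt = os.urandom(VERSIONS[version]["salt_len"])
    dk = _derive(password, version, salt)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"v{version}.{b64(salt)}.{b64(dk)}"


def parse_record(record: str):
    """Split 'v#.SALT.HASH' into (version, salt, hash).  Base64 never
    contains '.', so splitting on it is unambiguous."""
    tag, salt_b64, dk_b64 = record.split(".")
    if not tag.startswith("v") or int(tag[1:]) not in VERSIONS:
        raise ValueError("unknown hash version")
    return int(tag[1:]), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_and_upgrade(password: str, record: str):
    """Return (ok, replacement).

    `replacement` is None unless the password is correct AND the record
    was made with an older version, in which case it is a fresh record
    (new salt, current parameters) that the caller stores in its place.
    A wrong password never triggers a re-hash, so the upgrade path cannot
    be used as an oracle.
    """
    version, salt, expected = parse_record(record)
    actual = _derive(password, version, salt)
    if not hmac.compare_digest(actual, expected):
        return False, None
    if version < CURRENT_VERSION:
        return True, hash_password(password)
    return True, None
```

The comparison uses hmac.compare_digest so that verification time does not depend on where the first differing byte is, and the upgrade always draws a new salt rather than reusing the old one.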
root:OVCPatZ8RFmFY:Ernie Co-vax --> cowperso
daemon:*:The devil himself --> (login not allowed)
bill:.2xvLVqGHJm8M:Bill Joy --> (password still unknown)
ozalp:m5syt3.lB5LAE:Ozalp Babaoglu --> 12ucdort
sklower:8PYh/dUBQT9Ss:Keith Sklower --> theik!!!
kridle:4BkcEieEtjWXI:Bob Kridle --> jilland1
kurt:olqH1vDqH38aw:Kurt Shoens --> sacristy
schmidt:FH83PFo4z55cU:Eric Schmidt --> wendy!!!
hpk:9ycwM8mmmcp4Q:Howard Katseff --> graduat;
tbl:cBWEbG59spEmM:Tom London --> ..pnn521
jfr:X.ZNnZrciWauE:John Reiser --> 5%ghj
mark:Pb1AmSpsVPG0Y:Mark Horton --> uio
dmr:gfVwhuAMF0Trw:Dennis Ritchie --> dmac
ken:ZghOT0eRm4U9s:Ken Thompson --> p/q2-q4!
sif:IIVxQSvq1V9R2:Stuart Feldman --> axolotl
scj:IL2bmGECQJgbk:Steve Johnson --> pdq;dq
pjw:N33.MCNcTh5Qw:Peter J. Weinberger --> uucpuucp
bwk:ymVglQZjbWYDE:Brian W. Kernighan --> /.,/.,
uucp:P0CHBwE/mB51k:UNIX-to-UNIX Copy --> whatnot
srb:c8UdIntIZCUIA:Steve Bourne --> bourne
finger::The Finger Program --> (no pw but runs a program, not a login shell)
who::The Who Program --> (no password but runs a program, not a login shell)
w::The W Program --> (no password but runs a program, not a login shell)
mckusick:AAZk9Aj5/Ue0E:Kirk McKusick --> foobar
peter:Nc3IkFJyW2u7E:Peter Kessler --> ...hello
henry:lj1vXnxTAPnDc:Robert Henry --> sn74193n
jkf:9ULn5cWTc0b9E:John Foderaro --> sherril.
fateman:E9i8fWghn1p/I:Richard Fateman --> apr1744
fabry:d9B17PTU2RTlM:Bob Fabry --> 561cml..
network:9EZLtSYjeEABE:(no name listed) --> network (runs a program, not a login shell)
tty:: --> (no password but runs a program, not a login shell)
- spouses' names (jilland1, wendy!!!, sherril.)
- birth dates (apr1744 might be April 17, 1944)
- the first word that came to your mind (whatnot, foobar, ...hello)
- though a few were thoughtful (sn74193n is a synchronous binary counter from the 7400-series chip family and likely immune to dictionary attack in that era)
- easy to type patterns on a keyboard (/.,/., or 5%ghj)
- obscure words (axolotl is a Mexican walking fish)
- different languages (12ucdort is 1,2,3,4 in Turkish)
- and some people didn't care (Steve Bourne, inventor of the Bourne shell, picked "bourne")
Edit: That would be 128^8 =~ 72 quadrillion DES hashes.
Why would he not? I'm obviously missing something here.
Edit: Yes I have used a teletype, connected to an Elliott computer, I believe it was a 903 or at least it looked very much like this: http://www.computinghistory.org.uk/det/32480/Elliott-903
Also, I remember when FSF hosted UNIX machines at MIT that you could telnet into without a password. It was a total mess.
It's obviously a settled question these days, but back in the 70s and 80s, this was a bit of a hot topic.
For example, chat systems. Do you want an open one where anyone can get on with a minimum of fuss and participate? Or do you want an open one, with controls to manage spam and harassment so that people are able to be open while using it?
(I work at Mozilla, where we are moving off of IRC because, while it encourages participation from any rando who comes by, it is inaccessible to a number of people because they will be attacked if they log in. Many have moved over to Slack, which is very much closed (but open). Not to mention the channels that have been abandoned because they are overrun with spam, which makes them inaccessible or at least useless to everyone. As someone who does not get harassed, I don't really like either of those points on the spectrum even though IRC works great for me if I don't think about the people who are no longer there.)
It's really hard for me to understand what Mozilla's mission is these days.
However, I wonder how safe it is to take an "easy" password like /.,/.,/., and then add a bunch of exclamation points to the end, so that it's both long and not part of a dictionary.
I'm sure password crackers are advanced enough to first try taking common passwords and then adding human modifications to make them more secure.
But something like MyDogRules###########! seems like it could be very secure, actually.
The problem is, after I've committed a long passphrase into muscle memory, it probably takes me less time to type a 40-character phrase than count 40 individual keypresses of a button hoping I don't miscount.
* Assuming nobody is stupid enough to make a depth-first password cracking program. "I'm down to a billion 'a's now. I should be ready to try a 'b' any minute now!"
https://arstechnica.com/information-technology/2013/05/how-c... (OK, the passwords were hashed only with MD5)
"Mr. Asdf sir"
is actually pretty solid compared to
"My Fav0riT Pas%werd"
because the latter is more crackable.
It also doesn't require any special characters and it's quite easy to remember.
I don't understand the comments that describe (presumably random) 10+ char passwords as "crackable".
Easy brute force in 1989
I got in big trouble for it because I messed up the server.
How many fewer calories do I burn when typing on a low-travel keyboard rather than an old mainframe keyboard?
This means, however, that a typewriter would likely noticeably exhaust a modern keyboard jockey, though not in eight characters (hopefully). But dunno about teletypes.
(Lots of sketchy napkin math here)
I remember a teacher used the password "music". We had every user's password in plaintext. This was useful when installing a new Windows domain controller and setting all the passwords (about 30 employees in the school) instead or copying hashes or letting them set their own passwords. In hindsight, I find it batshit crazy that some stupid intern (me) walked around the school with a sheet of paper with literally everyone's password on it, logging into people's systems where necessary or potentially forgetting the sheet somewhere. I'm not saying this never happens anywhere in the world anymore, but I do think security mindset changed in the last decades.
Teacher had password written on the BACK of the clipboard they carried around everywhere.
Said teacher's password was 'qwerty'.
(Yes, it worked)
One caveat to diceware I never liked is how it wears out the keyboard over time as you have to type the same passphrase each time to open the vault (You would be surprised how many times I need to do this each day). I sometimes have to lock my database to avoid evil maid attacks when in a hotel for example. Of course I go through about three keyboards a year because of this, but I don't mind the cost if it gives me a crispy fresh keyboard each time. And did I mention I don't own merely one encrypted database, but many depending on different contexts and different devices?
This is also something I see quite often on mobile phones with a pin/pattern unlock: you can often infer the pin from the wear pattern, or the grease marks on the screen if the phone was used recently.
My keycap wear pattern more or less mirrors the letter frequency in the languages I write.
it's a notational way in the chess program (written by Ken Thompson) to describe a chess move, "pawn from Queen's 2 to Queen's 4."
A very common opening move that "puts a pawn in the center, controlling the important e5-square, and opens the line for the Bc1."
The notation is old. Modern notation would just write it as "d4" because there's only one piece (a pawn) who can move to that square as the first move and only one spot from which it can move (d2).
AHHHH thank you this makes much more sense now
See the "chess notation examples" table. The password doesn't match any chess notation, but it's close enough that it's obviously (to me) intended to be a chess move. In particular, it moves the pawn in front of the queen (in the initial position) forwards two spaces.
If you were in the next week's batch, it emailed you and told you "your password is foobar, which we discovered by cracking the password file, and it is weak. You must change it". Yes, I emailed them their password in plain text using our internal email system. Jury's still out on whether that was a good idea. :)
The next week we just disabled your account and you had to come to IT to fix it.
One guy actually got fired for his password. He was already being super creepy and making the girl who sat across from him uncomfortable, but she never told anyone. Then we cracked his password, which was a very naughty phrase about the girl who sat across from him. I reported it to HR, who asked the girl, who then said he was creepy, and so they acted swiftly on the reports and got him out of there.
It's kinda like if you got in trouble for playing Farmville or whatever while sitting on the toilet at work, which they found out about by installing cameras in the stalls. Yes, I shouldn't have been doing that, but how you found out is also a huge issue and I'd feel pretty violated.
You should probably re-read the sudo warning:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
That's why I didn't feel bad taking it to HR. I already had a sense that he was doing bad stuff, and the password just solidified it for me.
I think OP acted entirely appropriately.
To address a couple specific points:
> As an admin you have an obligation to your users to not be nosy
In the free-wheeling academic sense where your users are more of a community, sure, I think that's the accepted social contract. In the workplace, not at all. While I'm not a fan of employers spying on what their employees do on the employer's network and hardware, I fully appreciate that it is their right to do so, and in some situations, for some purposes, I might even agree with its necessity.
> reading the plaintext yourself for fun then scurrying to HR is kinda a slimy thing to do
I don't think "fun" had anything to do with it, and reporting a likely case of sexual harassment, regardless of how the information was obtained, is never "slimy". Quite the opposite.
> Just because you have the ability to peek into the CFO's mailbox and see what everyone's salary is, doesn't mean you print out the spreadsheet and take it to your boss demanding a raise.
That is indeed slimy, unethical, and likely a violation of company policy, but that is not even remotely the same as what the OP did.
> if you got in trouble for playing Farmville or whatever while sitting on the toilet at work, which they found out about by installing cameras in the stalls
Also not even remotely the same. Any reasonable person would agree that cameras in bathroom stalls would be a gross violation of privacy (and probably illegal).
As a user, you should realize that when you're on company equipment, privacy is more of a courtesy than a right. It's their equipment you're using. It's reasonable to expect them to use it in a way that furthers the company's interests. So act accordingly.
As an admin, you don't ever go digging through stuff for no reason, for curiosity, voyeurism, or for personal reasons. But again, watching out for the company's interests is part of your job, so if you run across something or have a concrete need to actively look for something (not just a fishing expedition), then lifting the veil of privacy might be the right choice or even the only right choice.
Basically, in a corporate computing environment, privacy is not guaranteed, but crossing lines should have a proper justification. In your CFO example, the sysadmin is using official powers but acting in their own interest, so that's definitely not an OK justification.
I don't find this a very good argument. Sourcing inspiration from a sibling comment, it's also the employer's bathroom stall. I might be convinced it's okay to snoop when it comes to their network usage, but this is not the argument to do so.
The difference to me is in the purpose of the two facilities. A toilet is there for the employees' physical needs and more or less no other purpose. A computer is there primarily to do business work on. The company has a clear need to be involved in how that computer is used in several ways, such as maintaining its security, monitoring its performance, making sure it isn't misused, etc. They can afford you some privacy, but only on a best-effort basis because it's not reasonable to be entirely hands off.
If you don’t want something read by your employer don’t do it with company property or on their WiFi. It’s a rule I live by and I never connect any personal device to my company’s guest WiFi.
The questionable behavior in this case is getting a guy fired for selecting a politically-incorrect secret passphrase. This is merely one step removed from reading his brain and figuring out he fantasizes about spanking coworkers while having sex with them. (I've done this, and yet we are good friends!)
We don't know all the details, maybe that guy actually harassed people, but scrutinizing someone's private thoughts without prior suspicion for offensive-but-noncriminal behavior that can be pivoted into larger accusations is how police states work.
In the best case, this encourages people to filter their private thoughts and actions by the standards of what is acceptable to advertise publicly, which is incredibly unhealthy and oppressive.
I think you're being disingenuous. The guy got fired for sexual harassment. The password merely tipped people off as to what was going on. Don't use a weasel word like "politically incorrect" to re-frame the discussion in a way that's both incorrect and more favorable to an emotional reaction in your favor.
Do you see how I took you at your word and extended sympathy, rather than questioning whether you're misrepresenting the situation? Is there something you know about the facts of jedberg's situation that lead you not to do the same?
The politically and economically safe option in the workplace is always to discard people who fall under scrutiny that exposes an employer to liability. This raises the reasonable standard of complaint for these types of issues beyond "his password, which I cracked despite design and goal to remain private to one human soul ever, was weirdly suggestive, and none of the people ostensibly involved have voiced any concerns but I must Report This to The Authorities and Start the Hammer Falling."
Suspicion and doubt are very powerful weapons, and sometimes they're used against good people in the name of heroism, saying nothing of bad motives. They also have the feature of being incredibly hard to dispel entirely once raised, regardless of the quality or scale of the evidence. If someone looked at my F-word password with the wrong prior or coaching, I'd have to break out volumes of psychotic voicemails, videos, pictures, testimony by family and close former friends, etc, to prove I shouldn't be Cancelled.
Can you think of a crackable-length passphrase that would make a normal, level-headed person suspicious enough to make efforts that almost guarantee someone is going to get fired in the worst way possible?
What leads you to believe this? You are aware, I assume, of the existence of "wrongful termination" lawsuits, many of which have cost companies millions of dollars?
> Can you think of a crackable-length passphrase that would make a normal, level-headed person suspicious
"rape Karen fun"
> fired in the worst way possible
What about this sounds to you like the worst way possible to get fired? Here are some ways to get fired that sound way worse to me:
"several frightening, anonymous calls that came into his work phone. One caller told him that [...] he wouldn’t live to see the weekend. Another said that the “fancy blue tie” he was wearing that day might wind up turning red. [...] an effort by the [company's] attorney to discredit him by falsely claiming he’d had a romantic relationship with [coworker he was standing up for]. Shortly afterward, [his employer] fired him."
"only two weeks after her hire, while she was in the passenger’s seat of [male employee]'s car returning from a business meeting, he exited the 101 freeway, stopped his car on a side street, and pulled his erect penis from his trousers. With the doors and windows locked from the driver’s side, he reached over “and pushed her head on his erect penis in an attempt to force her to orally copulate with him,” according to her complaint. He then ejaculated.
[her] horrifying depiction of sexual assault went on for pages. There was the ride back to the office after a client visit two days later, when [male employee] again tried to force her to touch his penis and “almost careened into a commercial eighteen-wheel vehicle.” Another time in the car, this time in standstill traffic, he took his erect penis out of his trousers and shoved her left hand back and forth on it, again ejaculating. In the complaint, she says she tried to free her hand but “was unable to overcome his strength.” In another incident, he called her into his office, locked the door behind her, and tried to force her to have sex. That time, the complaint says, she “managed to escape his grasp.”
A month after that frightening incident, [she] was fired by [him], purportedly for “an attitude problem, aversion to directions, resistance and resentfulness.” She told the office supervisor about [his] assaults and suggested that the “attitude problem” [he] had referred to was her resistance to his assaults. The supervisor told her that sort of workplace conduct was considered “normal”"
1. The courts are profoundly unfair. Are you comfortable forcing harassment victims to go through the courts for what are literally criminal allegations?
2. This example seems too contrived and implausible, as is anything else I could think of. The whole story just seems too magical. Maybe I'm just being hard-headed and arguing with a hero.
3. I will concede that is a more unpleasant series of events without care for semantics.
2. Someone sexually harassing his coworker and saying something sexual about her in his password seems magical and unlikely to you? You don't believe the hundreds of corroborated stories about men saying stuff like that openly? Or you think people are less likely to do that in something semi-private like a password than openly?
2. It's magical that some guy exposed a "creep" Doing Very Bad Things by looking at his password he cracked. No witnesses complained, the victim had never complained, just from a distant computer we catch this faint whiff of something wrong in the strangest (invasive, aside) way and turn out to be a hero. Or maybe we just sent a weird password to HR, and they did the default thing and fired the guy for nuisance and liability, and years later we remember the justification that he must have deserved it because he's gone. (Details? Sorry, can't!) It's easier on the conscience, too.
2. "maybe we just sent a weird password to HR, and they did the default thing and fired the guy"
You just acknowledged in the prior paragraph that an actual complaint was necessary.
"years later we remember the justification that he must have deserved it because he's gone. (Details? Sorry, can't!)"
To be clear, you have already said you have no basis whatsoever to believe that he made up the details that justified the firing.
Just like I could suggest, with no basis, that you actually dumped your ex-girlfriend in a mean and nasty way over her struggles with addiction, and while distraught over the breakup she expressed her displeasure with you in conversations with mutual friends. You weren't actually present at any of these conversations, but you're sure she called you schizophrenic, satanic, and a creep, details you made up because it's easier on your conscience. You were the only person who ever perceived her as "frenzied", her job never did and neither would the cops, but it's easier on your conscience to say the only reason you didn't get a restraining order was to keep her out of jail.
All that would be entirely consistent with the facts you've told us, if I wanted to view you in the worst possible light with no basis whatsoever. Just like you're doing to jedberg.
We don't know what that "other stuff" is and if it's right or wrong, but it's also likely not the exact same situation as your very detailed and specific story, is my point.
As opposed to the softcore kind, natch.
It was obviously wrong to be the creepy sexist.
In the abstract sense, it is wrong to invade privacy.
But then, if in your invasion of privacy you uncover a wrongdoing, the right thing to do is report it.
It would be wrong to read the CFO's email inbox, and probably illegal. But then if you uncover they are committing fraud, you need to report it to police, as well as confess your own crime.
Unfortunately, there's never easy rules for these things.
>In the abstract sense, it is wrong to invade privacy.
You have no real expectation of privacy when using company owned equipment. This was almost certainly spelled out to the employee in question in the acceptable use policy he agreed to upon being hired. Companies have to operate this way so they can investigate computers if compelled to by court or law, and so they can recover important information off computers when the user exits the company.
If he was using a BYOD computer I'd have a different opinion on the matter.
I don't know, but I imagine that such considerations could easily extend to your password.
Btw, how did the sysop know that what he recovered was the actual password? I mean, it's unlikely, but at least theoretically possible that it was a false positive. The password hashes in those days were pretty weak... Just a thought; I don't think it realistically was a false positive.
As far as it being the actual password, a false positive AND the fact he had been creeping on a coworker at the same time seems extraordinarily unlikely to me.
Acceptable use is cracking passwords in an investigation with just cause.
Acceptable use is a script to automate the checking of weak passwords, and notify users.
Unacceptable use is an admin browsing cracked passwords, without just cause.
I personally think acting on the information obtained afterwards is acceptable, but some would disagree.
Remember even in some courts, evidence obtained by police illegally cannot be submitted for trial.
I maintain these moral problems are hard ones.
Ultimately, I think it's a case-by-case on this type of thing.
Btw, I find it very interesting that e.g. most EU courts will consider "tampered-with" evidence, but obviously take into account that it may have been tampered with and so accord it much less weight than "pristine" evidence. Whereas US courts will absolutely throw out anything that's shown to be even mildly "tampered-with". I don't know what the right answer is, but it's an interesting question to ponder.
Maybe this is wrong; I'm not a US-ian, so I may not have perfect insight into the court system :|.
It's not obvious as we haven't heard his side of the story.
"Don't be snarky."
So don't be so arrogant about someone being "creepy" when they are not mentioned as doing anything specific in public...
I agree with this. Everyone deserves due process.
It sounds in this situation like they got their due process. (HR didn't fire them based on the password report, but rather used diligence and due process to investigate/corroborate and only then terminate them.)
Browser and search history, email passwords, diaries, and a list of medical professionals that I can contact to vouch for your mental stability should suffice.
We will reach out in the next few days to conduct a character assessment review. Thank you for your cooperation!
If you have any questions, do not hesitate to fill out a form with the Health and Safety Commission offices. Our hours are 10 AM to 3 PM every other Tuesday of every other month.
Remember, your health and safety is important to us.
And nothing you do on a work computer is secret from your employer. It's not a "private diary" if you're using your employer's hardware.
The password as evidence of private creepiness lends credence to the accusations of harassment, and the accusation of harassment demonstrates the the creepiness was probably not just private. Together they create a case stronger than either alone.
OP is vague on what this guy actually did. Note that they only went to the girl after cracking the password, and she said he was "creepy" towards her.
"Creepy" in this context might just mean FWU (flirting while ugly).
That's not "flirting" (even if said guy thought that's what he was doing), it's straight up threatening behavior.
> He was already being super creepy and making the girl who sat across from him uncomfortable, but she never told anyone.
The OP actually did mention that there was prior bad stuff that had gone unreported (quite possibly due to a power imbalance). In the end:
1. Nobody is getting fired over a password alone.
2. Traditionally it's been very balanced against women reporting such things.
And you shouldn't be flirting at work.
Because we use this standard, it is natural for people to look for reasonable doubts when talking about accusations.
That is how western society works. And for very good reasons.
Since it's quite long, I'll summarize. An 18-year-old woman, "Marie", who had been in foster homes since the age of 6 or 7, reported having been raped. Her two previous foster mothers, both of whom she was still friends with and whom she told about the rape, suspected she was fabricating the report and, after discussing the matter with each other, said so to the police. Despite the significant forensic evidence, the police persuaded her to recant and ultimately charged her with filing a false report. A couple of years later, a serial rapist with a penchant for photographing his victims was caught. Among his effects was a photograph of Marie.
What does this story tell us? First, that even someone who has just been raped may have difficulty relating the event in a coherent and consistent way, and may not seem to be feeling the emotions one would expect of someone to whom that had happened. (The implications for the Brett Kavanaugh affair are obvious.) Second, that even female friends of the victim might be led by such inconsistencies to doubt the veracity of the report — a sobering observation. And third, that the slogan "Believe Women", though it cannot be taken as an absolute, is still important to repeat, because it's still far more likely that a true report will be doubted than that a false one will be believed.
Justice system administered by a state where the repercussions include imprisonment and death - absolutely. But HR is not a judicial system and should not be viewed as one. I think I take your point to be just a descriptive observation of "our social discussion reflects a habit based on our exposure to judicial systems" and not a normative statement. Even if it's the former, I think it's naive and ignores a very real culture of doubt and victim-blaming exclusive to sexual violence.
Call it a bad cultural fit if you prefer. Someone who cannot navigate the social work environment, and makes others feel uneasy and lowers their morale, is not as good an employee as someone who'd have no issue doing so, and makes everyone else motivated and confident.
As an employer, I'd probably quickly try and replace such an employee, with someone who's just as good technically, but also has better social work ethics and collaboration skills.
This is totally fair to me. Being good at your job also involves being good with coworkers and promoting a healthy work environment which boosts everyone's productivity. If you have deficiencies there, try working on it. It'll be good for your career.
Now I know what's going to happen... But what if someone totally fabricated a case against you and brought it up to your employer and now your employer falsely believes that you're a big bully and harasser and that you hurt the work environment and they fire you over that?
And I think that's a bit of a fallacy counter-argument honestly. Some kind of reification fallacy. Yes, in the abstract hypothetical, this would be unjust, and you can deduce that it was in fact the accuser who was being unprofessional and fabricating an environment of blackmail. But give us any concrete case, and we can now observe the facts of that case and see if employers did an unreasonable assessment or not. For example, we might see in real cases, there is always more than one complaint made, or there are recorded behaviors like emails, chat logs, naughty passwords, etc. Or there's repeated offense, or there was prior knowledge, etc.
And again, no crime here. An employer for their business sake, might prefer to lean on better be careful rather than sorry. That makes total business sense to me.
Something obviously bad happens, and everyone falls over themselves to correct and defend not the bad thing that just happened, but a thing they just imagined might happen.
It's a very peculiar (and fairly revealing) thought pattern.
No, that's how justice systems in western society (and many others) work. Because guilty/not-guilty is a binary choice, there's no in-between option.
I don't have the same binary restrictions when I form an opinion based on the information available to me. As we all do.
The fair way is to withhold judgment (while presuming innocence) when there's a charge against someone but it hasn't been investigated. That's fair whether we're talking about courts or society. Society pronounced its judgment on O.J. after evidence was presented and witnesses testified.
The problem comes when people presume guilt based on a charge alone. Unfortunately, that's often what happens when high-emotion charges are leveled against someone.
So, in the eyes of the criminal courts, yes, OJ is still innocent. But would you have him babysit your kids based only on a reasonable doubt he's a multiple murderer?
That's true, but it doesn't make my opinions morally justified.
But my point wasn’t about the verdict--the court’s, mine, or the public’s. It was that it is wrong to presume guilt anywhere—in court or in personal opinion—on the basis of a charge alone. (In OJ's case, we're all far past that, so I think bringing it up is a bit moot.)
I'd try to do neither. The reality is, no one is equally qualified because no one is identical to anyone else. There are always tradeoffs.
But I'd try to weigh those tradeoffs without being swayed either way by the fact that someone was once accused and later acquitted. Personally, I'm not even sure whether I'd be more or less likely to want to hire a person on the basis of that detail; I really think it's not evidence of anything.
It's like the influence of an independent variable Y in the logical formula "X implies Z", or like a "don't care" cell in a Karnaugh map -- it signifies nothing.
I suppose we can all agree that any individual should at least first know the facts before forming their opinion.
HR doesn't fire on a whim. I'd default to saying this guy got due process.
"Innocent until proven guilty" and "beyond a reasonable doubt" are critically important for a government-run judicial system, because they ultimately have control over your freedom, life, and death. While a job is certainly important, the loss of one job will not ruin your life unless you are particularly unlucky. So the burden of proof is much less.
Regardless of all that, it's just really saddening to me that the default seems to be that people assume that the victim is lying or overstating the harm done to them. This seems to be something very specific to sexual harassment cases that doesn't crop up as much or as universally with other accusations of wrongdoing. We clearly have a long way to go before we get rid of our knee-jerk biases about this sort of thing (and I'm no exception; I have them too).
Is the implication that non-Western societies don't work that way? Or that somehow it's only Western societies that came up and all of them practice this behavior?
Presumption of innocence traces back to Roman law (hence "occidental" from the Latin, meaning the going down/setting of the sun, or "western", referring to European countries). It has propagated at various rates through various cultures. Other cultures (including Germanic, which could also be classified as "western") did not have the presumption of innocence centuries ago. China (Latin "oriental", rising sun, or eastern) has been moving toward it in the last 50 years.
This doesn't say that no other culture has independently developed the presumption of innocence principle, but that the idea of it in modern judicial systems around the world traces back to the Roman culture, and is generally associated with a body of ideas collectively called "western culture".
A bit more clarification from the researchgate link above, talking about the movement toward presumption of innocence (POI) in China (emphasis added to the statements that Western societies came up with this behavior and that at least one non-Western society doesn't work that way):
"As POI is a legal principle originating in the West, its acceptance in the criminal justice context of China is a gradual and longstanding process. The CPL’s first revision, in 1996, adopts the clause ‘no person shall be found guilty without being judged as such by a People’s Court according to law’, but the protection guaranteed to criminal defendants under Article 12 of the CPL (2012) is different from the classic concept, which, according to the International Covenant on Civil and Political Rights (ICCPR), requires POI. Article 12 focuses on who has the power to issue a guilty verdict rather than on the presumption of the accused’s guilt or innocence during the investigation and trial."
Some people evidently want that, because they're "not a witch" themselves.
It's really awful that in some/many cases, accusations of rape or sexual assault or sexual harassment or creepiness end up reducing to one person's word against another, when there's no good objective evidence either way.
You should doubt everyone. You should doubt the accuser. You should doubt the alleged harasser's claim of innocence. Without evidence, you can't adjudicate it, and unless it's a matter of rape or sexual assault, the compulsion to adjudicate it in the absence of evidence is unhealthy. What you can do is try to engineer the environment or counsel the people so the alleged behavior by the accused or negative perception by the accuser is less likely to occur; most obviously, by separating them and ensuring they rarely/never have to interact.
If you can't keep the two people from communicating or interacting, and you have to fire one, and that one should be the accused, that is precisely a witch trial, but without a declaration of being a witch. The accused might not be a witch, but we're going to burn them anyway, because the social fabric depends on it!
And of course, criticizing witch trials can make you a witch, because there's evil in the world and therefore the witch trials must go forward! To do nothing is to enable witches, and who would want to do that except a witch? "Cui bono?"
And in serious cases, you can try to take it to court, but it'll fairly likely end up unsatisfactorily for the accuser unless they're particularly persuasive or the defendant is obviously creepy or there's some other evidence. Even a string of accusers, although it means something, is not necessarily good evidence. Again, see the witch trials.
Studies bear out that false accusations of sexual misconduct are exceedingly rare. If you go just by the odds, the likelihood is that when someone accuses someone of misconduct, it probably happened.
That doesn't mean you just accept an accusation at face value, but it does hopefully set the stage for you to be sympathetic, and committed to be thorough and to actually listen to what the accuser is saying. You of course do an investigation. You talk to the involved parties. You talk to witnesses, if there are any. Some of these witnesses may not have been present for any of the alleged offenses, but might speak to the involved parties' character. Does the accused act creepy around other people? Is the accuser constantly making up false stories about people?
If it does boil down to taking one person's word against the other, then I don't think the default should be to just separate the people and hope nothing happens again. Just as in a civil law case, part of the determination (both the direction of the judgment itself, as well as the magnitude of any penalties) is based on who is more persuasive about any available evidence, not strictly about whether the evidence alone is more or less damning.
It's not cut and dried. It's not clear. It's fuzzy and muddy. That's unfortunate, but happens to be the reality of dealing with humans.
See how this works? "Believe the victim" is circular reasoning, all it does is calcify your priors. Truth-seeking demands that one must keep an open mind and consider competing interpretations of an event.
1. "One guy actually got fired for his password."
This is a statement of fact, which we can initially accept as true.
2. He was already being super creepy and making the girl who sat across from him uncomfortable
This is a statement of opinion with the appearance of a fact. The phrase "super creepy" is quite vague, to the point of being meaningless without further specification. Also, how jedberg can know that she was feeling uncomfortable should be in question.
3. "but she never told anyone."
This unsubstantiates claim #2. If she never told anyone, then there was no way to determine the truth of the claim that he was "making the girl across from him uncomfortable." Note that even this statement may be false, as she could have told many people already without informing jedberg, and if so, would help to substantiate the previous claim.
4. Then we cracked his password, which was a very naughty phrase about the girl who sat across from him.
Note that "we cracked his password" is a statement of fact, mixed with opinion that the phrase was "very naughty". Whether the password was "naughty" or not, I don't think anyone is disputing that the password was cracked.
5. I reported it to HR
This is a factual claim.
6. who asked the girl
This is a factual claim, and most probably true, with the exception that it could be hearsay if jedberg wasn't in the room at the time when it happened, which has not been specified.
7. who then said he was creepy
This is a statement of fact. Assuming that jedberg heard this directly from her, we can call this statement true. The important bit, however, is the word "then". She only said that he was creepy _after_ approached by HR. If HR's question was "Don't you think that guy across from you is creepy?", then that would be considered leading and deceptive. If HR's question was "what do you think about the guy across from you", then that question would be leading. If HR's question was "what do you think about your fellow employees", then that question would be neutral and acceptable. Since the manner in which the question was asked was not specified, there is no way to know how this question affected her response. It is not reasonable to assume the question was leading or not leading without further confirmations, and this unfortunately makes the claim moot.
8. so they acted swiftly on the reports and got him out of there.
This statement appears to be a reiteration of claim #1; I don't see anything additional here that affects the previous claim.
Later, jedberg said this:
9. he got fired for sexual harassment.
This is a statement of fact; however, this appears to directly contradict the first statement that jedberg made, which was that he "got fired for his password." So, if we can accept that he got fired for sexual harassment, then he didn't get fired for his password, and the original claim is untrue.
In summary, 1) a guy got fired for sexual harassment. 2) The accused also had a password that may have mentioned something "naughty". 3) That password was noticed by an IT group and may or may not have had some impact on the termination. 4) The interviewing of the alleged victim may or may not have influenced her testimony.
Those are the specific facts that we're dealing with in this case. Dismissing this with the idea that "there are no facts in this case" is incorrect. The fairness or unfairness of the case is framed around these facts, with opinions given on both sides throughout this thread.
There's a mile wide difference between being a weirdo mouth-breathing creep, and actually sexually harassing someone.
Otherwise we're getting dangerously close to thoughtcrimes.
The system being managed here is a professional one. Keep your professional passwords professional.
It's no different than using your work email for naughty discussions.
Antidisestablishmentarianism is the longest English word I can think of##
"But thankfully I took Kim Kardashian's advice, and everything worked out for the best."
But yeah, I knew a woman that said anyone who smiled at her was creepy if she didn't like them
The point is, treat your coworkers the same, regardless of gender.
The rule of thumb is sort of in line with telling a risque joke. Is that ever OK in a workplace? Sure, but if there's any doubt whatsoever how it will be received by the audience then you probably shouldn't be doing it.
I don't know if I'm too normal or what, but my gut feeling is that yes it's really creepy. And all these things have different creepiness to them. Thinking a naughty thing is the least creepy. A private naughty diary is starting to be creepy. If it's just a passage in a normal diary, it's not too bad, if there's a whole book just about this one girl it would get super creepy. Making your work password a naughty phrase about the girl working in front of you, definitely super creepy.
Some of those I'd start to consider beginning signs of harassment honestly. The password one, it's like slowly trying to bring to the girl's attention your thoughts. What's happening, are you hoping they see you typing it out one day? Every time you type it do you stare at her and imagine whatever you typed? So ya, if there was all kinds of other similarly creepy small behaviors they'd add up to a pretty bad environment for that girl to be working in.
Just my opinion. Maybe I'm overreacting, but I wouldn't do that, and so I find it very surprising and creepy that someone else does. Are they harmless, innocent, didn't know better, just have a cute crush, nice guys, maybe, but doing something unexpected to me, that I'd never think of doing, is pretty much the defining characteristic of creepy, and it naturally puts me on my guard. It's just strange behavior, and that's scary.
Note: I'd like to hear some replies that are like... oh no, it's not creepy, way more people have naughty passwords or big naughty diaries of their coworkers than you think. I know I do. It's a totally normal behavior, you're the actual outlier here if you never did any of that. Otherwise I will continue to believe this is strange and creepy behavior which warrants suspicion, and possibly a good indicator that someone makes others feel uneasy and unsafe when around them.
I'm more saying that having your work password be a naughty fantasy involving your coworker is just plain creepy. I've never heard of this. I mean, even having a naughty fantasy involving your partner as your work password is creepy. How can anyone think this is totally normal and appropriate behavior? I know my wife would find it real weird if that was my password.
If you do that, and are starting to feel like other people find you creepy or are suggesting you might be, and you're confused why they think that.. I just don't know what to say. If you were under the impression having such a password is common, I'm afraid you were mistaken.
But, like I said, I'm giving people an opening here.. maybe I'm the one that's mistaken, and naughty sexual fantasies with coworkers as work passwords is a very common and normal choice of password. Presented with such evidence, I'd reconsider.
But to be fair, I wouldn't do that today. I would just shut off the account on the second pass.
It's very legitimate for a company to want to protect themselves from a massively damaging and costly security/privacy incident by policing against the use of weak passwords.
edit: And back to technical concerns - someone knowing my password leaves a hard-to-audit window in which I am even less secure. Force-resetting the password in automation instead of revealing it would be better. Sharing it more widely before the problem is fixed increases the risk.
As an imperfect analogy, let's say I write something in a plaintext document, a big rant about how I'm pissed off at one of the executives, and in that rant I make a (not serious, but certainly worrisome) threat against the exec. I foolishly decide to store this document in my company-provided storage on their servers. (Or let's say I stick it in Google Docs in the company's GSuite account.)
Should I have a reasonable expectation of privacy there? I'd say no. I get that some might have the feeling that passwords are different because their entire function is to be private. From a security perspective, yes, I agree. But from a "what you do on company property/resources is visible to the company if they want it to be" perspective, I don't.
And running to HR over perceived creepiness sounds like a dick move.
Who cares how many uppercase letters I used or the last time I changed it? What matters is how crackable it is. v#ja&zp is better than P@ssword1
Although I don't think it's PII if it's all internal company data, especially if it is known that IT will crack your password.
If a company is cracking passwords, it should stop that to protect IT from liability. Example: someone reuses a password, and an IT employee sees that during a cracking operation, and that person's account by chance is hacked, now that person can accuse IT of misusing the password.
Maybe those disclaimers will protect them, but it's always smarter to avoid liability entirely than rely on fine print that a court can disregard.
At this company, it was public knowledge that IT will crack your password.
At the vast, vast majority of companies, it's public knowledge that they are looking at your data and email as well. If you are under the impression that your employer doesn't, you should double-check because you are almost certainly wrong.
It could have been that you reported to HR a romantic fling between two consenting adults, while they had no intention of their private lives spilling over into the public eye.
Disapprove of your actions, and further disapprove of your schadenfreude at someone's firing
For (1): This is similar to any other private info stored on company equipment. The employer shouldn't actively access it in most cases, but it is generally expected that the employer will access if it has a good reason (in this case, detecting a weak password is a good reason).
For (2): This is similar to accidentally overhearing someone's private conversation. Normally the polite thing is to stop listening, but if you have reason to believe it indicates harmful behaviour (like in this case), the right thing to do is to report it.
Jack sets his password to "ImgoingtokillyouKaren".
Tyler is talking with Jack in his cube and sees Jack type in the password and goes to HR. Is that an asshole move, in your opinion? Is the violation the reveal of the password or something else?
In my opinion, he has an obligation and responsibility to say something if he thinks someone is in danger or being harassed.
Do the sales guys and C-level execs get an expectation of privacy to snort coke in the bathroom?
"Reasonable expectation of privacy" doesn't necessarily apply to "at will" employment.
Every company, large or small, has some form of acceptable usage policy for their systems. Anything you type in can and will be used against you if necessary.
People have some expectations of privacy and it's not normally considered acceptable to violate this.
Sometimes this stuff is untried in court or falls into a definite legal grey area and usually the policy is to err on the side of caution and simply assume that if something is commonly expected to be private, then it's private and should be kept so.
If we were investigating a user for XYZ and came across a file named "Personal Diary 2019.txt" or whatever, I can assure you that HR would not want us to open that file. Possibly if HR found out they'd declare the investigation tainted and want to stop it right there.
First off, putting cameras in restrooms is illegal in most places.
Regardless of that, it boils down to a legitimate company need. Ensuring that users aren't using passwords definitely passes that test. Ensuring that employees aren't sexually harassing other employees also definitely passes that test. Yes, it's unusual that a password tipped people off to bad behavior, but if you see possible evidence of bad behavior, even if it comes from a strange source, you are ethically obligated to look into it. And for a company, not doing so could create legal liability.
Now, bathrooms? Well, for starters, you said "use of work bathrooms being made public". There was nothing "public" about this password case. The password was shared, privately, with HR and the guy's manager. The closest possible bathroom analogy I can think of might be someone reporting to HR that they see someone going into the bathroom multiple times a day, coming out with white powder residue under their nose, and subsequently acting very strangely, like they're on drugs. Which... seems like an entirely appropriate thing to notice and report.
On the other hand, going to the bathroom is completely ancillary to your job. It's not a work-related duty; it's just something that humans have to do because we're made out of meat.
Do you believe it has not been tested in the courts that cameras in bathrooms are illegal? Do you believe that if you polled office workers about whether bathrooms are private and whether they expect cameras to be in there, you would get any result other than widespread belief that bathrooms are private and there cannot be cameras in there?
Do you believe it has not been tested in the courts that anything you write on a work computer is the property of the employer? Do you believe that if you polled office workers about whether they think what they do with their work computer is audited or private to them, you would get any result other than widespread understanding that employers own everything you do on your work computer?
I prefer the don't trust anything on your work machines or work equipment to be private, especially if it's synced with a server or directly from a server.
If it was his individual laptop or something it might be slightly different, but the etc directory was remotely accessible and his password clearly matters to the company's security. Like a rented apartment, a heads up beforehand might be a good courtesy, not a requirement though.
So, he never did anything specific to call for, but just "was creepy" (which can often mean he was not very pretty and/or awkward socially / in expressing his feelings, as opposed to someone who would assault or anything close). And he had a password (in private) that was lewd or whatever, which he did not intend to share with anybody.
Yeah, let's fire the guy...