This excuse won't pass
On passwords, bribery, and the news hook we all needed to start talking about the utterly untenable state of digital security
While under investigation for bribery and other criminal charges, New York City mayor Eric Adams claimed to the FBI that he forgot the passcode to his phone and thus couldn't unlock the phone to permit investigators to dig in. It is a claim that is at once both plausible and unbelievable.
■ It is plausible because passwords are a mess. What might have been good for security purposes in 1990 is wholly inadequate today. Every phone, for instance, should have a lock screen -- but anyone with children in the home knows that even a toddler can learn to "shoulder surf" and break those codes with only the slightest amount of attention.
■ Real passwords, meanwhile, like the ones we use on everything from high-risk activity like online banking to low-risk activity like ordering take-out, are an utter goulash of inconsistent rules and requirements. Consequently, most people either duplicate their passwords in highly predictable fashion across all kinds of services, or they get into the habit of writing or saving the passwords in places that are easily cracked. One site may require a minimum of 12 characters, while another may impose a 12-character maximum. "Special characters" are often required -- but sometimes, only a select few are allowed. And then there are the services that require password updates every 3 or 6 months, only contributing to the confusion.
■ None of these are believable excuses in Adams's case, of course. He has overwhelming reason to try to hide his tracks, and offering a phone that can't be unlocked seems consistent with such a pattern of behavior. If there's one password or code someone had better be dead certain to remember, it's the one to get into a personal phone.
■ Phones are the holy grail of two-factor authentication: If you are smart enough to require more than just a password to log in to any site or service, then you almost certainly need your phone to receive the second "factor" -- usually either a challenge code sent to an authenticator app or a one-time code that arrives via text or email.
■ If the mayor of America's largest city is too dumb to manage his personal phone security well enough to remember a 6-digit screen lock code, then everyone on his personal staff, executive protection unit, and cybersecurity team (especially) ought to be fired for gross dereliction of duty. Your phone can tell people where you are, it can spy on your conversations, and it is the virtually unobstructed expressway straight to your brain. Any VIP needs to have ten times the phone savvy of an ordinary person, and it's up to staffers to be sure they have it.
■ At the very least, though, Adams's folly ought to be a good news hook to get everyone talking: Everyone needs good passwords, everyone needs good screen lock codes, and nobody should trust either of those things exclusively.