Password security in Deus Ex

source link: https://qntm.org/smashthestate


2013-01-04 by qntm

Deus Ex (every time you mention it, someone reinstalls it) takes place in a 2050s future world at the tipping point between dystopia and flat-out chaos. It's also a game world filled to the brim with computer terminals and numeric keypads, roughly half of which must be used to advance through the game. While it's possible to hack terminals and use multitools to bypass keypads, hacking is time-consuming and risky while multitools are in finite supply, which means you end up collecting usernames and passwords from dozens of different sources. Because so many of these logins and codes appear in the game, some interesting patterns emerge.

As is true in every aspect of videogames, making a game which is realistic is a goal totally opposed with making a game which is enjoyable to play. Player character JC Denton is improbably difficult to see or hear, even when crouching in the peripheral vision of a guard in a brightly-lit corridor. Buildings have navigable ventilation shafts; security cameras are placed nonsensically, creating networks of blind spots. And password security is unrealistic. It's both unrealistically bad and unrealistically good.

A complete list of this data can be found here. Data in this list falls into three broad categories, which overlap somewhat:

  1. Information given to you explicitly while playing the game
  2. Information gathered by delving into the game's code
  3. Information that you can guess.

The third category is probably the most interesting one and should definitely be examined first. Technically, every code in the game is amenable to a brute-force approach, and this actually becomes a legitimate in-game approach for the two-digit codes. But some others are clearly intended to be guessed from clues, by a smart player. Here's a great example, found in Maggie Chow's apartment:

Hello Maggie! I swear I will never forget your birthday again! July 18th is
marked on my calendar forever! -- Louis

When you run into a three-digit keypad elsewhere in Maggie's apartment, guess what the code turns out to be?

Codes are the most frequently guessable, but some logins can also be guessed. Usernames across the entire game - and in every organisation, from UNATCO to MJ12 - tend to fall into the pattern of "character's first initial followed by character's surname". That leads to this, split across two datacubes hidden separately in (again) Maggie Chow's apartment:

When you have the time, May-Sung, I would suggest that you read two of my
favorite books: Insurgent and Tai-Fun. I believe you’ll find both of them as
illuminating as I have. They’re in my office if you’d like to borrow them.
-Maggie

Mr. Hundley,
It has become necessary to change my system password since it may have become
compromised; I will encrypt the new password and forward it to you shortly.
Please note that any access attempts made using "Tai-Fun" should be tagged and
traced for interrogation.
-Maggie Chow

These make for cool puzzles.

Others in the cryptic-but-potentially-guessable category include bduclare/nico_devil (only guessable after the separate login bduclare/nico_angel is revealed elsewhere) and ajacobson/calvo ("CALVO" is printed on a poster in Alex's office). There are also a few situations where you have only the password to the system, and have to guess the username, which is neat because usernames in the game tend to conform to the same pattern of first-initial-followed-by-surname.

At the next tier up in difficulty, there are logins which a player of a mere computer game would probably not have the motivation to guess, but which are still extremely insecure by real-world standards because of their relative obviousness. The freighter captain, Kang Zhao, has the login kzhao/captain (and the datacube with this information is stored right there in his cabin next to the computer!), while the free clinic secretary Alice Priest's login is alice_priest/secretary. (Amusingly, the doctor's password is apple.) Several times, multiple users can be found sharing the same password. On the username front, we find that the entire NSF are apparently sharing the single username nsf, shoddy for an otherwise well-equipped domestic terrorist organisation. Majestic-12, with a hundred times the NSF's reach and resources, are doing the same with the username mj12.

Moving out of the blindingly obvious, we find many passwords are still single dictionary words like chameleon, zeitgeist and armageddon. After that are memorable combinations of multiple dictionary words such as smashthestate, oceanguard and bionicman. Passwords only rarely include a combination of letters and numbers and are generally still pretty straightforward in this case: bravo13, 5x5 (three characters!), omega2a. Only very few passwords contain an underscore (e.g. knight_killer), which is the only non-alphanumeric character used. Probably the password that would take the most time to crack in reality is one of the last in the game, xx15yz.

The vast majority of door codes are four digits and the vast majority of door codes are much better-chosen than the passwords. 2134, 9753, 2384: these aren't too bad, although there's also a tendency of people to use year numbers (1997, 2001, 1784) and repeated digits (2577, 0909). Even so, four digits is barely enough to secure a stationery cupboard. It's far too few to adequately secure something like a highly experimental blue fusion reactor, a vault full of gold bullion or a ballistic missile silo blast door. Or three sets of missile silo blast doors, all with the same code. Which hasn't been changed since a group of scientists who used to work there went rogue. Several years ago.
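To make the patterns in the last three paragraphs concrete, here is a small audit script. It is an added example, not code from the original post or from the game: it scores the quoted passwords with a rough guess-space model (dictionary word, multi-word phrase, word plus suffix, mixed alphanumerics), flags door codes that read as years or repeat a digit, and reports usernames, passwords and codes shared across records. The word list, the DICT_SIZE figure, the terminal labels, and the pairing of the nsf, mj12 and placeholder_user accounts with particular passwords are constructed assumptions; the article only quotes the kzhao, alice_priest and bduclare logins in full.

```python
"""Pattern audit for credentials like the ones catalogued in the article.

Added example, not code from the original post or the game. The passwords
and door codes are the ones the article quotes; the word list, DICT_SIZE,
terminal labels and most username/password pairings are constructed here.
"""
import math
import re
from collections import defaultdict

# Constructed mini dictionary, just big enough to classify the quoted passwords.
WORDS = {
    "captain", "secretary", "apple", "chameleon", "zeitgeist", "armageddon",
    "smash", "the", "state", "ocean", "guard", "bionic", "man", "knight",
    "killer", "bravo", "omega", "angel", "devil", "nico",
}
DICT_SIZE = 20_000                              # assumed attacker word-list size
YEAR_RE = re.compile(r"^(1[6-9]|20)\d{2}$")     # four digits that read as 1600-2099
WORD_SUFFIX_RE = re.compile(r"^([a-z]+)([0-9][0-9a-z]*)$")  # bravo13, omega2a


def segment(s, words=WORDS):
    """Split s into dictionary words (longest match first, backtracking) or None."""
    if s == "":
        return []
    for i in range(len(s), 0, -1):
        if s[:i] in words:
            rest = segment(s[i:], words)
            if rest is not None:
                return [s[:i]] + rest
    return None


def classify_password(pw):
    """Return (pattern class, estimated guess space in bits) for one password."""
    low = pw.lower()
    if low.isdigit():
        return "digit code", len(low) * math.log2(10)
    m = WORD_SUFFIX_RE.match(low)
    if m and segment(m.group(1)) is not None:
        return "word + suffix", math.log2(DICT_SIZE) + len(m.group(2)) * math.log2(36)
    tokens = [t for t in low.split("_") if t]
    if tokens and all(t.isalpha() for t in tokens):
        parts = []
        for t in tokens:
            seg = segment(t)
            if seg is None:  # letters only, but not in our word list
                return "unlisted letters", len(low) * math.log2(26)
            parts.extend(seg)
        if len(parts) == 1:
            return "single dictionary word", math.log2(DICT_SIZE)
        return f"{len(parts)}-word phrase", len(parts) * math.log2(DICT_SIZE)
    charset = 37 if "_" in low else 36
    return "mixed alphanumeric", len(low) * math.log2(charset)


def rank_passwords(pws):
    """Weakest first: list of (bits, password, class)."""
    return sorted((round(b, 1), pw, cls) for pw in pws for cls, b in [classify_password(pw)])


def code_weaknesses(code):
    """Weak-choice patterns a numeric door code matches (empty list if none)."""
    flags = []
    if YEAR_RE.match(code):
        flags.append("year-like")
    if len(set(code)) < len(code):
        flags.append("repeated digit")
    if len(code) < 4:
        flags.append("under four digits")
    return flags


def find_sharing(logins, doors):
    """logins: (system, user, password); doors: (door, code). Report what is shared."""
    pw_users, user_systems, code_doors = defaultdict(list), defaultdict(list), defaultdict(list)
    for system, user, pw in logins:
        pw_users[pw].append(f"{user}@{system}")
        user_systems[user].append(system)
    for door, code in doors:
        code_doors[code].append(door)
    return {
        "reused_passwords": {p: u for p, u in pw_users.items() if len(u) > 1},
        "shared_usernames": {u: s for u, s in user_systems.items() if len(s) > 1},
        "shared_codes": {c: d for c, d in code_doors.items() if len(d) > 1},
        "weak_codes": {c: code_weaknesses(c) for c in code_doors if code_weaknesses(c)},
    }


# Passwords quoted in the article.
PASSWORDS = ["captain", "secretary", "apple", "chameleon", "zeitgeist", "armageddon",
             "smashthestate", "oceanguard", "bionicman", "bravo13", "5x5", "omega2a",
             "knight_killer", "xx15yz", "calvo"]
# Constructed records: terminal labels and the nsf/mj12/placeholder_user pairings are
# invented; only the kzhao, alice_priest and bduclare logins are quoted in full.
LOGINS = [
    ("freighter cabin terminal", "kzhao", "captain"),
    ("clinic front desk", "alice_priest", "secretary"),
    ("hotel terminal 1", "bduclare", "nico_angel"),
    ("hotel terminal 2", "bduclare", "nico_devil"),
    ("NSF terminal 1", "nsf", "smashthestate"),
    ("NSF terminal 2", "nsf", "bionicman"),
    ("MJ12 terminal 1", "mj12", "zeitgeist"),
    ("MJ12 terminal 2", "mj12", "armageddon"),
    ("lab terminal", "placeholder_user", "zeitgeist"),  # constructed reuse case
]
DOORS = [("door A", "2134"), ("door B", "9753"), ("door C", "2384"), ("door D", "1997"),
         ("door E", "2001"), ("door F", "1784"), ("door G", "2577"), ("door H", "0909"),
         ("silo blast door 1", "8456"), ("silo blast door 2", "8456"),
         ("silo blast door 3", "8456"), ("East Warehouse security office", "2249")]

if __name__ == "__main__":
    for bits, pw, cls in rank_passwords(PASSWORDS):
        print(f"{bits:5.1f} bits  {pw:15} {cls}")
    for finding, detail in find_sharing(LOGINS, DOORS).items():
        print(finding, detail)
```

The ranking is only as good as the word list and the DICT_SIZE assumption: with a larger dictionary the two-word phrases overtake xx15yz. What no dictionary model sees is contextual guessability, so calvo scores as random letters even though the article points out it is printed on a poster in the same room, and a birthday on a note gives away a keypad code outright. That contextual category is exactly the one a checker cannot score, which is why shared codes and reused passwords, which the script does catch, are the findings worth acting on first.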

And of course, important passwords are never sent by email; that's far too secure. Instead, people tend to use datacubes, which have no security attributes; they are essentially Deus Ex's Post-It notes. Here's a typical one:

FROM: WALTON SIMONS
TO: AGENT PAUL JENKINS

During my review of security measures this morning I noticed a potential hole in
the security office of the East Warehouse. Please change this code immediately
to 2249. We will pursue a more thorough solution at a later date.
Walton Simons
Director, FEMA

Agent Paul Jenkins, this cube was lying casually on your desk. Is it possible that you are the real security hole?

What we discover, then, is that the world of Deus Ex is one of appallingly poor password requirements and equally poor overall security culture. It is a dazzling, bleak, cybernetically-augmented future in which simple door locks and the very food we eat are now powered by nanotechnology, yet the technology for decent system security has been completely lost - or, more likely, deliberately suppressed by the powers that be, in order to get people used to the idea of having no secrets. Yet, this insidious policy has even crept into these nefarious organisations themselves, and ultimately proves to be their downfall.

But from another perspective, it's surprising that the situation isn't worse still. 8456 is still the code for three of those silo doors, which actually strikes me as a highly realistic piece of ineptitude/laziness at a facility with ample physical defences. And yet, some of the other silo doors actually have been changed, which is oddly inconsistent. I also think it's a genuine anomaly that nobody in the entire game is using the passwords password or swordfish or a username of admin. The Deus Ex universe's password requirements are clearly lax enough to allow this. And those datacubes? They're usually found discarded somewhere that takes a little extra exploration to find. Only very rarely are they found right next to the secure system to which they refer, as they would be in reality.

All of these observations are of course easily justified in terms of making Deus Ex an enjoyable and challenging game to play. In truth, these passwords and codes are characterised, more than anything else, by being easy for you to memorise and reproduce when necessary. (This is done even though your character has an in-game database of all the logins he's ever received, meaning that you only have to memorise a login for the five seconds it takes to switch from your Notes screen to the computer terminal. You can even copy and paste!) Equally, the distribution of passwords across the game world is calculated to make acquiring them as enjoyable as possible, rewarding exploration and making it a legitimate approach to overcoming obstacles.

I spent a while thinking about this, and I think the major conclusion here is that overcoming security, in reality as well as in computer games, is genuinely fun. Security is a highly challenging puzzle, and breaking it is rewarding, and you only need to tweak the reality of the situation a little to make a compelling game out of the experience.

