Password security in Deus Ex

Deus Ex (every time you mention it, someone reinstalls it) takes place in a 2050s future world at the tipping point between dystopia and flat-out chaos. It's also a game world filled to the brim with computer terminals and numeric keypads, roughly half of which must be used to advance through the game. While it's possible to hack terminals and use multitools to bypass keypads, hacking is time-consuming and risky while multitools are in finite supply, which means you end up collecting usernames and passwords from dozens of different sources. Because so many of these logins and codes appear in the game, some interesting patterns emerge.

As is true in every aspect of videogames, making a game which is realistic is a goal totally opposed to making a game which is enjoyable to play. Player character JC Denton is improbably difficult to see or hear, even when crouching in the peripheral vision of a guard in a brightly-lit corridor. Buildings have navigable ventilation shafts; security cameras are placed nonsensically, creating networks of blind spots. And password security is unrealistic. It's both unrealistically bad and unrealistically good.

A complete list of this data can be found here. Data in this list falls into three broad categories, which overlap somewhat:

  1. Information given to you explicitly while playing the game
  2. Information gathered by delving into the game's code
  3. Information that you can guess.

The third category is probably the most interesting one and should definitely be examined first. Technically, every code in the game is amenable to a brute-force approach, and this actually becomes a legitimate in-game approach for the two-digit codes. But some others are clearly intended to be guessed from clues, by a smart player. Here's a great example, found in Maggie Chow's apartment:

Hello Maggie! I swear I will never forget your birthday again! July 18th is
marked on my calendar forever! -- Louis

When you run into a three-digit keypad elsewhere in Maggie's apartment, guess what the code turns out to be?

Codes are the most frequently guessable, but some logins can also be guessed. Usernames across the entire game - and in every organisation, from UNATCO to MJ12 - tend to fall into the pattern of "character's first initial followed by character's surname". That leads to this, split across two datacubes hidden separately in (again) Maggie Chow's apartment:

When you have the time, May-Sung, I would suggest that you read two of my
favorite books: Insurgent and Tai-Fun. I believe you’ll find both of them as
illuminating as I have. They’re in my office if you’d like to borrow them.
-Maggie

Mr. Hundley,
It has become necessary to change my system password since it may have become
compromised; I will encrypt the new password and forward it to you shortly.
Please note that any access attempts made using "Tai-Fun" should be tagged and
traced for interrogation.
-Maggie Chow

These make for cool puzzles.

Others in the cryptic-but-potentially-guessable category include bduclare/nico_devil (only guessable after the separate login bduclare/nico_angel is revealed elsewhere) and ajacobson/calvo ("CALVO" is printed on a poster in Alex's office). There are also a few situations where you have only the password to the system, and have to guess the username, which is neat because usernames in the game tend to conform to the same pattern of first-initial-followed-by-surname.

At the next tier up in difficulty, there are logins which a player of a mere computer game would probably not have the motivation to guess, but which are still extremely insecure by real-world standards because of their relative obviousness. The freighter captain, Kang Zhao, has the login kzhao/captain (and the datacube with this information is stored right there in his cabin next to the computer!), while the free clinic secretary Alice Priest's login is alice_priest/secretary. (Amusingly, the doctor's password is apple.) Several times, multiple users can be found sharing the same password. On the username front, we find that the entire NSF are apparently sharing the single username nsf, shoddy for an otherwise well-equipped domestic terrorist organisation. Majestic-12, with a hundred times the NSF's reach and resources, are doing the same with the username mj12.

Moving out of the blindingly obvious, we find many passwords are still single dictionary words like chameleon, zeitgeist and armageddon. After that are memorable combinations of multiple dictionary words such as smashthestate, oceanguard and bionicman. Passwords only rarely include a combination of letters and numbers and are generally still pretty straightforward in this case: bravo13, 5x5 (three characters!), omega2a. Only very few passwords contain an underscore (e.g. knight_killer), which is the only non-alphanumeric character used. Probably the password that would take the most time to crack in reality is one of the last in the game, xx15yz.
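The tiers described above (job titles, single dictionary words, word combinations, words with a short suffix) can be checked mechanically, along with the first-initial-plus-surname username pattern mentioned earlier. The following is an added example, not part of the original article: a small Python credential audit in which the word list, `MIN_LENGTH` and all function names are assumptions made for the demo.

```python
import re

# Constructed mini-dictionary for this demo; a real audit would load a full wordlist.
WORDS = {"chameleon", "zeitgeist", "armageddon", "smash", "the", "state", "ocean",
         "guard", "bionic", "man", "knight", "killer", "bravo", "omega", "apple"}
MIN_LENGTH = 6  # assumed policy minimum, not a figure from the article


def predictable_username(username, full_name):
    """True if the username is first initial + surname, the game's usual pattern."""
    names = full_name.lower().split()
    return len(names) >= 2 and username.lower() == names[0][0] + names[-1]


def split_words(text):
    """Segment text into dictionary words; return None if it cannot be done."""
    best = {0: []}  # best[i] holds one segmentation of text[:i]
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in WORDS:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def classify(password, full_name="", role=""):
    """Name the weakest pattern a password matches, in the article's tier order."""
    pw = password.lower()
    if pw in re.findall(r"[a-z0-9]+", f"{full_name} {role}".lower()):
        return "name or job title"
    # A stem of letters/underscores followed by a digit and up to two more characters.
    suffixed = re.fullmatch(r"([a-z_]+)(\d[a-z\d]{0,2})", pw)
    stem = suffixed.group(1) if suffixed else pw
    parts = split_words(stem.replace("_", ""))
    if parts and suffixed:
        return "dictionary word plus short suffix"
    if parts:
        return "single dictionary word" if len(parts) == 1 else "several dictionary words"
    return "too short" if len(pw) < MIN_LENGTH else "no dictionary pattern found"


# Logins and passwords quoted in the article (roles as described there).
ACCOUNTS = [("kzhao", "Kang Zhao", "captain", "captain"),
            ("alice_priest", "Alice Priest", "secretary", "secretary")]
PASSWORDS = ["chameleon", "smashthestate", "knight_killer", "bravo13",
             "omega2a", "5x5", "xx15yz"]

if __name__ == "__main__":
    for user, name, role, pw in ACCOUNTS:
        print(user, predictable_username(user, name), classify(pw, name, role))
    for pw in PASSWORDS:
        print(pw, "->", classify(pw))
```

Of the passwords quoted in this article, xx15yz is the only one the audit returns with no pattern found.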

The vast majority of door codes are four digits and the vast majority of door codes are much better-chosen than the passwords. 2134, 9753, 2384: these aren't too bad, although there's also a tendency of people to use year numbers (1997, 2001, 1784) and repeated digits (2577, 0909). Even so, four digits is barely enough to secure a stationery cupboard. It's far too few to adequately secure something like a highly experimental blue fusion reactor, a vault full of gold bullion or a ballistic missile silo blast door. Or three sets of missile silo blast doors, all with the same code. Which hasn't been changed since a group of scientists who used to work there went rogue. Several years ago.

And of course, important passwords are never sent by email - that's far too secure. Instead, people tend to use datacubes, which have no security attributes; they are essentially Deus Ex's Post-It notes. Here's a typical one:

FROM: WALTON SIMONS
TO: AGENT PAUL JENKINS

During my review of security measures this morning I noticed a potential hole in
the security office of the East Warehouse. Please change this code immediately
to 2249. We will pursue a more thorough solution at a later date.
Walton Simons
Director, FEMA

Agent Paul Jenkins, this cube was lying casually on your desk. Is it possible that you are the real security hole?

*

What we discover, then, is that the world of Deus Ex is one of appallingly poor password requirements and equally poor overall security culture. It is a dazzling, bleak, cybernetically-augmented future in which simple door locks and the very food we eat are now powered by nanotechnology, yet the technology for decent system security has been completely lost - or, more likely, deliberately suppressed by the powers that be, in order to get people used to the idea of having no secrets. Yet, this insidious policy has even crept into these nefarious organisations themselves, and ultimately proves to be their downfall.

But from another perspective, it's surprising that the situation isn't worse still. 8456 is still the code for three of those silo doors, which actually strikes me as a highly realistic piece of ineptitude/laziness at a facility with ample physical defences. And yet, some of the other silo doors actually have been changed, which is oddly inconsistent. I also think it's a genuine anomaly that nobody in the entire game is using the passwords password or swordfish or a username of admin. The Deus Ex universe's password requirements are clearly lax enough to allow this. And those datacubes? They're usually found discarded somewhere that takes a little extra exploration to find. Only very rarely are they found right next to the secure system to which they refer, as they would be in reality.

*

All of these observations are of course easily justified in terms of making Deus Ex an enjoyable and challenging game to play. In truth, these passwords and codes are characterised, more than anything else, by being easy for you to memorise and reproduce when necessary. (This is done even though your character has an in-game database of all the logins he's ever received, meaning that you only have to memorise a login for the five seconds it takes to switch from your Notes screen to the computer terminal. You can even copy and paste!) Equally, the distribution of passwords across the game world is calculated to make acquiring them as enjoyable as possible, rewarding exploration and making it a legitimate approach to overcoming obstacles.

I spent a while thinking about this, and I think the major conclusion here is that overcoming security, in reality as well as in computer games, is genuinely fun. Security is a highly challenging puzzle, and breaking it is rewarding, and you only need to tweak the reality of the situation a little to make a compelling game out of the experience.


Discussion (12)

2013-01-04 04:04:19 by NuAngel:

Genuinely entertaining article! Haha, I never thought of it this way - but then again, I never finished Deus Ex a decade ago and haven't even played the reboot.

2013-01-05 08:38:02 by Zarkonnen:

My girlfriend and I were talking about Deus Ex passwords just yesterday, noting how realistically terrible and lazy the passwords tended to be. It's also worth noting that you can often acquire passwords via some very basic social engineering - passing homeless people have often overheard a password or code, or corrupt or disenchanted employees can be cajoled or bribed into giving you information.

Really, the icing on the cake would've been if you could switch into a delivery man's or electrician's uniform and wander into secure areas by looking like you're meant to be there. The fact that you're a stone-faced trenchcoated cyborg does put a bit of a limit on the social engineering.

2013-01-05 09:16:30 by PunchmasterJenson:

RE: Zarkonnen

In part of the new prequel I bluffed my way past a security check by telling some armed guard or other I was there to fix a gas leak in the top-secret part of the building.

2013-01-05 10:17:31 by Arik:


Unfortunately, the poor password selection and credential sharing is all too similar to reality, as well as the practice of selecting common objects in the terminal's surroundings and/or adding a contact to your phone with the password.

Choosing 4 digit keypads to protect assets I would personally post an armed guard to protect is also not unheard of. Those proximity cards that look very cool are also quite easy to duplicate; yet they seem to be the de-facto standard for "secure" installations.

I've seen worse.

-- Arik

2013-01-05 16:49:25 by ChrisTodd:

I was one of the writers on Deus Ex and responsible for almost all of the datacubes, books, e-mails, etc. You have no idea how difficult it was to keep coming up with semi-plausible reasons why everyone kept leaving their password information out in the open everywhere. :) And yes, real-world password best practices definitely took a backseat to wordplay. We had to keep ourselves entertained somehow. :)

2013-01-06 16:43:23 by P:

3 digits was deemed enough for the door to the Chemistry prep room at school. I started brute force at 100. The code was 147. Free magnesium ribbon for experiments!

2013-01-13 16:04:40 by Chutney:

Interesting article. Most of my university's user names follow a similar and very predictable format. Passwords have to contain both numbers and letters, but can often be guessed for logins that are supposed to be used by multiple individuals because they are usually some reference to the building, or group name, followed by a number or 2.


I also do some research work for a utilities company. It's quite easy to break into their systems too. You just wander into the office (follow someone else through any electronic locks) pick a computer and use the phone next to it to call IT and tell them you forgot your password. If you can give them a user name (standard across the company, forename surname) they will reset your password to something very basic like Hello123. This system exists because many modern companies require everyone to change their password every month. So everyone forgets their passes easily and needs resets very often.

This sort of setup is not uncommon.

2013-01-13 17:13:19 by Lith:

The true test of a Deus Ex user/pass junkie is...

...what is wgibson's password, and why is this cool?

2013-01-14 13:09:21 by stkaye:

One of my favourite moments from Deus Ex: First playthrough, early level where you need to get into the terrorist hideout in Castle Clinton in Battery Park. Three-digit code on a ramp leading down. Just heard a tramp muttering about hell on earth, or a trooper about how it's hell down there, something like that. Just about to save and quit. Tried, without expectation, 666.

Played for another 4 hours.

2013-01-15 16:42:01 by rapchee:

Lith: cyberspace? sprawl? neuromancer? if it was a genuine gibson pwd, probably it'd be impossible to guess

2013-01-16 08:47:12 by lith:

SPOILER!

rapchee: so close! It's entirely more appropriate for the game - it's "idoru". All Gibson's works are appropriate for DX, yes, but this one slightly more so.

I loved that egg. It wasn't easy to find, but it also didn't involve delving into the game's code. In Versalife, if you hack one of the computers, you see the user lists, and one of the names is one not found anywhere else - wgibson. (It's not any computer, by the way - it's only one of the dozens in the building.) I did have to guess the password, though.

It gives you some nice insight into the guys like Chris Todd who wrote the game.

2014-08-26 21:58:25 by Ashley Pomeroy:

I'm playing through this again - fourteen years on - and I've noticed that one of the passwords in the freighter ship is "reindeer flotilla". Which is from TRON! So obviously someone still remembers TRON in the far far future of forty years from now. Hey, it's Chris Todd! I've always been struck by the line from one of the computers, something to the effect that life is a question answered by death.