These are not passwords

Updated Wednesday 4/22 11pm

This is in addition to the information about passwords found here and our recommendations to groups here.

On the “technology in AA forum” site (TIAA-Forum.org) there is a 3rd tradition debate raging over the use of “passwords” to “protect” our meetings.

If it helps – try to not think of these as “secret passwords” and instead just an inconvenience necessary to trip up trolls trying to disrupt our meetings.

One reason these “passwords” became necessary is that Zoom’s “security through obscurity” system broke down

A “hacker” can very quickly test every meeting id 0000000001 through 9999999999 to find all running meetings (called a “brute force” attack) they would then automatically post them to twitter or other sites where trolls with no technical know-how could easily click on a link and drop into a running meeting.

This is only about 10 billion possible meeting IDs and for an experienced hacker this takes less than a day – and it runs continuously picking up new meetings all the time.

This is STILL happening – meetings without passwords are still being auto-listed on twitter and bombed.

So they added a “password” to effectively increase the number of digits

They added a 6 digit “password” so that in-essence the number of possible meeting IDs becomes ten quadrillion – which takes a significantly longer amount of time to brute force (~2000 years). You can also add a 6 character alpha numeric password which gets the possible combinations to 568 quintillion – which takes ~ 180 million years to brute force.

Even with these measures twitter posting of meetings of all types and bombing is STILL happening… just with less frequency and more focus on unsecured meetings.

So… really, they aren’t passwords – they are “secondary meeting IDs”

If instead of calling it a password Zoom could have called it a secondary meeting ID… would we have batted a “traditional” eyelash? No… we would have complained about the inconvenience and moved on.

So let’s move on.

First – you can vote with your feet – choose a new service and move your meeting there – Skype, Google meet and new services called “Jitsi” and “8X8” are all ready to get your “business” and they are offering a lot for free right now. WAIA will post any type of meeting app your group chooses to use.

If your group decides it has the capability to follow all the recommendations for security – you can choose not to have a password! – just tell WAIA you don’t have one so we can put that in the notes.

If your group wants the extra layer of security so that your meeting most likely won’t make it on a troll’s hit list – institute a simple numeric password and let WAIA know what it is.

I hope this article helps folks understand why passwords are important but also why they should only be an inconvenience – and not a traditions issue.

Please let tech committee know what you think: tech@aa-dc.org

The online resource for Alcoholics Anonymous in the nation's capital.