You Might Want To Take Another Pass At Your Passwords | KUOW News and Information

You Might Want To Take Another Pass At Your Passwords

Feb 17, 2015
Originally published on February 17, 2015 9:24 am

Compromises of private corporate or consumer data are all too common. This month, health insurer Anthem announced its customer data was hacked.

Yet even President Obama last week poked fun at our common line of defense: the lazy password.

"It's just too easy for hackers to figure out usernames and passwords like 'password' or '123457.' Those are some of my previous passwords," he said.

In short, passwords have, in some cases, undermined their own security intent.

You'd think a librarian might have a good system for keeping track of all her passwords. But Holly Sammons doesn't. She would have 1-2-3-4 if she could.

Many passwords require a combination of numbers, upper and lower case letters or special characters. And that goes for each of the dozens of accounts and Web sites at home and at work. It's impossible to remember, so Sammons says she cheats.

"I used to keep it on a little sheet of paper behind my ID badge that I wore around at work, but it just has gotten so big," she says.

Apparently, this problem is universal at the Syracuse library where she works: "In the department I work in, we have a whole cheat sheet of passwords that we have."

Sammons says she saves her passwords in an email to herself. Still, she occasionally gets stumped. Then come the security questions.

"My favorite is what was your first car, so then I think: OK, did I say Chevy, or did I say Chevrolet? Did I capitalize it? Or is it all lower case? Or, some of them are subjective, like what's your favorite movie. So, at any given moment, what would've been the answer to that question?" Sammons asks.

Neal O'Farrell, a security and identity theft expert at Credit Sesame, a credit-monitoring site, says consumers are apathetic.

"It kind of explains why we're in this security pickle," he says. "A lot of it comes from a sense of helplessness: You know, why bother if these hackers are so good? If Home Depot and Target and JPMorgan and Anthem can't stop them, how can I?" he asks.

The core problem, security experts say, is that there's a trade-off between security and convenience. Simply making a password more complex can actually backfire because it becomes impossible to remember.

There is a whole sub-industry of services that offer to manage passwords for you. There are companies developing systems using biometric data like fingerprints or voice-recognition to verify identity. But O'Farrell estimates that fewer than 5 percent of people use those kinds of services.

Cormac Herley is in the 95 percent who don't. He's principal researcher with Microsoft Research, an arm of the software giant.

"Passwords are the worst system in the world — except for all the other systems," he says.

Herley recommends assigning different tiers to passwords. Using your best, most complex ones for work and banking, but devoting less effort to those that don't matter as much. But even that can be a lot to ask, even for him.

"I write the passwords down and have a photocopy at home and a photocopy in the office and a couple copies here and there."

But, could all that be compromising security?

"Well, I mean, um, yes," he says.

Herley argues in his own defense that there is no perfect alternative. Free password management software, for example, saves your passwords to the Internet Cloud.

But, "as soon as you upload the passwords to the Cloud, you've now introduced another form of risk, so it's not that you've made security clearly and unarguably better," Herley explains.

He says, for every password system developed, hackers often find ways around it.

"There are guessing attacks that are both online and offline, there are phishing and spear-phishing, and keylogging and malware attacks and server breaches, and we see evidence every day that these attacks succeed." he says.

O'Farrell says that should not discourage consumers.

"There is so much you can do to layer yourself in security, just to make it difficult enough for hackers not to bother with you," he says.

And he says there is still value in keeping your digital door locked with a good password.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

What's your favorite food? You might have a few. One of them might be the answer to a security question you typed in when you had to set up a new password. Passwords are supposed to protect us from having our information compromised. But how do you remember all the passwords and the security answers when you forget the password? President Obama recently poked fun at one of our strategies: the lazy password.

(SOUNDBITE OF SPEECH)

PRESIDENT BARACK OBAMA: It's just too easy for hackers to figure out usernames and passwords - like password.

(LAUGHTER)

OBAMA: Or 1, 2, 3, 4, 5 - 7

(LAUGHTER)

OBAMA: Those are some of my previous passwords.

(LAUGHTER)

GREENE: NPR's Yuki Noguchi says if you are frustrated, you are not alone.

YUKI NOGUCHI, BYLINE: You'd think a librarian might have a good system for keeping track of all her passwords, but Holly Sammons doesn't.

HOLLY SAMMONS: I would have 1, 2, 3, 4 if I could.

NOGUCHI: Many passwords require a combination of numbers, upper and lowercase letters or special characters. And that goes for each of the dozens of accounts and websites at home and at work. It's impossible to remember. So Sammons says she cheats.

SAMMONS: I used to keep it all in a little sheet of paper behind my ID badge that I wore around at work, but it just has gotten so big.

NOGUCHI: Apparently, this problem is universal at the Syracuse library, where she works.

SAMMONS: In the department I work in, we have a whole cheat sheet of passwords that we have.

NOGUCHI: Sammons says she saves her passwords in an email to herself. Still, she occasionally gets stumped. Then come the security questions.

SAMMONS: My favorite one is what was your first car? So then I think, OK, did I say Chevy or did I say Chevrolet? Did I capitalize it or is it all lowercase? Or sometimes it'll ask a very subjective question - what's your favorite movie? So, you know, at any given moment, what would the answer have been to that question?

O'FARRELL: It kind of explains why we're in this security pickle.

NOGUCHI: Neal O'Farrell is a security and identity theft expert at Credit Sesame, a credit-monitoring site. He says consumers are apathetic.

O'FARRELL: A lot of it comes from a sense of helplessness. You know, why bother if these hackers are so good? You know, if Home Depot and Target and JPMorgan and Anthem can't stop these hackers, how can I?

NOGUCHI: The core problem, security experts say, is that there's a trade-off between security and convenience. Simply making a password more complex can actually backfire because it becomes impossible to remember. There is a whole sub-industry of services that offer to manage passwords for you. There are companies developing systems using biometric data, like fingerprints or voice recognition, to verify identity. But O'Farrell estimates fewer than five percent of people use those kinds of services. Cormac Herley is in the 95 percent who don't. He is principal researcher with Microsoft Research, the research arm of the software giant.

CORMAC HERLEY: Passwords are the worst system in the world except for all the other systems.

NOGUCHI: Herley recommends assigning different tiers to passwords, using your best, most popular ones for work and banking but devoting less effort to those that don't matter as much. But even that can be a lot to ask, even for him.

HERLEY: I write most of the passwords down and have a photocopy at home and a photocopy in the office and a couple of copies here and there.

NOGUCHI: Do you think that that's sort of compromising security?

HERLEY: Well, I mean, yes.

NOGUCHI: Herley argues, in his own defense, that there is no perfect alternative. Free password management software, for example, saves your passwords to the Internet cloud, but...

HERLEY: As soon as you upload the passwords to the cloud, you've have now introduced another form of risk, so it's not the case that you made security clearly and unarguably better.

NOGUCHI: He says for every password system developed, hackers often find ways around it.

HERLEY: There are guessing attacks that are both online and offline. There are phishing and spear-phishing, and keylogging and malware attacks. There are server breaches. And we see the evidence every day that these attacks succeed.

NOGUCHI: Credit Sesame's Neil O'Farrell says that should not discourage consumers.

O'FARRELL: There is so much you can do to layer yourself in security, just to make it difficult enough for hackers not to bother with you.

NOGUCHI: There is still value, he says, in keeping your digital door locked with a good password. Yuki Noguchi, NPR News, Washington. Transcript provided by NPR, Copyright NPR.