You Might Want To Take Another Pass At Your Passwords
Compromises of private corporate or consumer data are all too common. This month, health insurer Anthem announced its customer data was hacked.
Yet even President Obama last week poked fun at our common line of defense: the lazy password.
"It's just too easy for hackers to figure out usernames and passwords like 'password' or '123457.' Those are some of my previous passwords," he said.
In short, passwords have, in some cases, undermined their own security intent.
You'd think a librarian might have a good system for keeping track of all her passwords. But Holly Sammons doesn't. She would have 1-2-3-4 if she could.
Many passwords require a combination of numbers, uppercase and lowercase letters, or special characters. And that goes for each of the dozens of accounts and websites at home and at work. It's impossible to remember, so Sammons says she cheats.
"I used to keep it on a little sheet of paper behind my ID badge that I wore around at work, but it just has gotten so big," she says.
Apparently, this problem is universal at the Syracuse library where she works: "In the department I work in, we have a whole cheat sheet of passwords that we have."
Sammons says she saves her passwords in an email to herself. Still, she occasionally gets stumped. Then come the security questions.
"My favorite is what was your first car, so then I think: OK, did I say Chevy, or did I say Chevrolet? Did I capitalize it? Or is it all lower case? Or, some of them are subjective, like what's your favorite movie. So, at any given moment, what would've been the answer to that question?" Sammons asks.
Neal O'Farrell, a security and identity theft expert at Credit Sesame, a credit-monitoring site, says consumers are apathetic.
"It kind of explains why we're in this security pickle," he says. "A lot of it comes from a sense of helplessness: You know, why bother if these hackers are so good? If Home Depot and Target and JPMorgan and Anthem can't stop them, how can I?"
The core problem, security experts say, is that there's a trade-off between security and convenience. Simply making a password more complex can actually backfire because it becomes impossible to remember.
There is a whole sub-industry of services that offer to manage passwords for you. There are companies developing systems using biometric data like fingerprints or voice-recognition to verify identity. But O'Farrell estimates that fewer than 5 percent of people use those kinds of services.
Cormac Herley is in the 95 percent who don't. He's principal researcher with Microsoft Research, an arm of the software giant.
"Passwords are the worst system in the world — except for all the other systems," he says.
Herley recommends assigning different tiers to passwords: use your best, most complex ones for work and banking, but devote less effort to those that don't matter as much. But even that can be a lot to ask, even for him.
"I write the passwords down and have a photocopy at home and a photocopy in the office and a couple copies here and there."
But, could all that be compromising security?
"Well, I mean, um, yes," he says.
Herley argues in his own defense that there is no perfect alternative. Free password management software, for example, saves your passwords to the cloud.
But, "as soon as you upload the passwords to the cloud, you've now introduced another form of risk, so it's not that you've made security clearly and unarguably better," Herley explains.
He says that for every password system developed, hackers often find a way around it.
"There are guessing attacks that are both online and offline, there are phishing and spear-phishing, and keylogging and malware attacks and server breaches, and we see evidence every day that these attacks succeed," he says.
O'Farrell says that should not discourage consumers.
"There is so much you can do to layer yourself in security, just to make it difficult enough for hackers not to bother with you," he says.
And he says there is still value in keeping your digital door locked with a good password.
Copyright 2020 NPR. To see more, visit https://www.npr.org.