Mon September 17, 2012
Op-Ed: It's Time To Fix Our Broken Password System
Originally published on Tue September 18, 2012 12:09 pm
You need one password to log in to your computer, another for your smartphone, one for your email, for your bank, your music collection, your Twitter, Facebook and LinkedIn accounts. Experts tell us those passwords should be long, contain numbers, letters and symbols and not include personal information like birth dates. Oh, and you're supposed to remember them all, too.
In a piece for The Atlantic, Rachel Swaby argues, "We're required to take downright ridiculous precautions to maintain our online security, and it's not sustainable. In fact, it never was. Our password system is broken, and it's about time we change it."
Swaby tells NPR's Neal Conan that the devices we use every day — smartphones, tablets — have enabled password innovation, thanks to their touchscreens. For example, "if you have an Android phone, you can kind of make a pattern over some dots and have that as your login." And with the new version of Windows, "they allow you to look at a picture and kind of trace some dots across a picture. So if you have a picture of your family, you can connect all of the noses, and that would be your login."
But even those types of logins have possible pitfalls, she explains. Some people "are nervous about that because ... you can see the smudge on a screen, and so maybe that could be used to get into a phone."
And the biggest problem is that the password system has been around so long, which makes it hard to change. "Security experts recommend that we have 14-character passwords that don't contain dictionary words. It's kind of a random string of symbols and letters and numbers," says Swaby. "And, you know, if you do that across some 40-odd sites that [require logins], then we should be [protected], but that's hard."
So, until the death of the password, Swaby recommends a service called 1Password. It generates really tough passwords for all your online accounts, "and it will keep them for you so you don't actually have to remember them." Then, all you need to remember is one password to access the rest. "That's a good start."
NEAL CONAN, HOST:
And now the opinion page. Nearly every piece of technology we interact with requires a password. You need one to check your email, your bank account, to access your online music collection. Then there's Twitter and Facebook, news sites, not to mention the passwords you use to get onto your computer or your smartphone in the first place. To protect all that personal data, we're told these passwords should be long and complicated. We should use numbers, letters and symbols but not personal information like birth dates. No two passwords should be the same. You should never write them down, and you're supposed to remember them all.
In a piece for The Atlantic, Rachel Swaby argues we're required to take downright ridiculous precautions to maintain our online security, and it's not sustainable. In fact, it never was. We want to hear from those of you who've been hacked or had your online security compromised. What changes did you make afterwards? What's your password strategy? 800-989-8255. Email us: email@example.com. You can also join the conversation at our Web page. Go to npr.org and click on TALK OF THE NATION. Rachel Swaby is a freelance writer based in San Francisco, and she joins us now from our member station there, KQED. Nice to have you with us.
RACHEL SWABY: Thanks for having me.
CONAN: And you were sort of inspired to write this piece after the story of a Wired writer, Mat Honan, getting hacked in pretty much every way possible. Remind us. What happened?
SWABY: So his problem was a little bit different than kind of a simple password. What his hackers did is they called Amazon, and then they called Apple. And they socially engineered their way into his accounts. So with one piece of information, they were able to get another and another and another, and then they were able to get into his devices, his Gmail, his Twitter. And they were able to, like, wipe all of his information.
CONAN: Terrible story. Social engineering is a fancy term for conning, right?
CONAN: So in fact - so a good old con game worked as opposed to a technological hack. But both are used to get through our passwords. And you say it's interesting, going back to 1971, pre-Internet, pre-everything...
SWABY: I know. Yes, the study...
CONAN: ...that people realized this is not going to work.
SWABY: Right. A study out of Bell Labs was looking at passwords, and what they found is that people are just really, really bad at them. And if you gave them a choice to make up a password, they're going to think about something that's really easy to remember. And that has continued today. That hasn't changed.
CONAN: And so this is a system you suggest was broken at the beginning and has successfully - succeeded to get even worse. It was, what, some years ago that Bill Gates himself said the password is dead.
SWABY: Yeah. I mean I think people have been hoping for a new system for a really long time. I mean the problems have been clear, but with more services and more devices - and basically in order to change everything, you need people to collaborate across everything. You know, what would be easiest for us is if everyone could kind of have a meeting and get together and say, like, hey, let's all work together on a system that's better for people. But instead they work separately to try to find a system that's better for machines.
CONAN: For machines, and that's kind of the problem. And in a world where we're accessing our devices in new ways, it's not just the keyboard anymore.
SWABY: Right. I mean there are sometimes neat approaches to passwords - the touchscreen, for instance - has helped us with. So if you have an Android phone, you can kind of make a pattern over some dots and have that as you're login. But people have pointed that they are nervous about that because, you know, you can see the smudge on a screen, and so maybe that could be used to get into a phone. And Windows, the new Windows has - they allow you to look at a picture and kind of trace some dots across a picture. So if you have a picture of your family, you can connect all of the noses, and that would be your login. So there are some neat things on the horizon but kind of device specific.
CONAN: What about all that biometric data, all those biometric approaches? I'm waiting the retina scan.
SWABY: Right. So some of them kind of weirds people out. And, you know, researchers know that. There's a researcher at NYU, Nasir Memon, and he's been kind of trying to figure out how that biometric data could be not as weird for us. So, like, if we would turn a dial on our touch screen, the way that our fingers press against the screen and the space between our fingers, they can capture that instead of, you know, an actual kind of fingerprint or an eye scan, which seems really strange. And so they're working on getting that better.
SWABY: It's not quite up to 14-character password strings.
CONAN: What happens if you catch your finger in a vice, and you have to wear a bandage on it?
CONAN: If any, you're in trouble. You can't get into any of your accounts.
SWABY: Well, yeah. So there are problems, clearly.
CONAN: It's interesting as you - there was - during a - it's quite familiar. Operators of Morse code could always tell who was on the other end of the key by what - there was their fist. There was characteristic clicking pattern, that everybody was different.
SWABY: Yes. So DARPA has thought about this and they actually have a call from researchers to think about how just the way that you interact with your computer could be the log in. You know, like the way that you could swipe across your touch pad or the rhythm of the way that you tap the keypad, like that could be a continuous way that's - that your computer could tell if you're the one sitting there. Because if you log in to everything and you walk away and someone walks up, that's clearly a problem. And so it's kind of neat that they could capture that signature.
CONAN: Yeah. If...
SWABY: So they're looking into it.
CONAN: If you log into your computer and walk away and let somebody else walk up, it's clearly a sign that you're an idiot.
SWABY: Right. Well, DARPA is clearly a little more worried about this than kind of the average user would.
CONAN: We should pay attention to them since they invented the thing in the first place.
SWABY: Mm-hmm. Mm-hmm.
CONAN: So as you look at these promising technological advances, they all have one overwhelming problem in that all these businesses that now use passwords have an invested - an investment, well, inertia.
SWABY: Right, right. I mean, it's just really hard to change a system that's been around so long, and it works for them. It just doesn't work for us, which is the problem.
CONAN: So we're talking about passwords with Rachel Swaby, a freelance writer based in San Francisco. Her piece, "The Password Fallacy: Why Our Security System is Broken, and How to Fix It," ran in The Atlantic earlier this month. And as - if these other systems aren't going to be released or not in the offing, no immediate solution or immediate panacea, if we're stuck with passwords, what do we do?
SWABY: So security experts recommend that we have 14-character passwords that don't contain dictionary words. It's kind of a random string of symbols and letters and numbers. And, you know, if you do that across all 40 - some 40-odd sites that we are required log ins, then we should be good, but that's hard. So there are some (unintelligible)
CONAN: Yeah. What do we do with the rest of the day?
SWABY: Right, right. So there's service probably, you know, one password and that will keep all of these - and it will generate these kind of passwords for you, and it will keep them for you so you don't actually have to remember them. So that's a good start.
The other thing is, you know, you can make passwords that are not, you know, dictionary words are bad and so are kind of your birth date because those are easy to guess and substituting numbers for letters is not great either. But, you know, one of the security experts I talked to said, you know, he takes a line from a favorite song, and he takes the first letter of each word in that line.
CONAN: Hmm, that might work if you can remember the song.
SWABY: I know.
CONAN: Let's get some callers in on the conversation. We want to hear from those of you who've been hacked or had your security compromised in some way. What's your new password strategy now? 800-989-8255. Email: firstname.lastname@example.org. And Mack's(ph) on the line with us from San Jose.
CONAN: Hi, Mack.
MACK: There a quick - hi. I was actually commenting on a password program that will remember your passwords for you, and I think the lady mentioned that right now. But my - I used a couple of different programs. One of them that I used is called Google Forum or LastPass. Basically, I have over 200 passwords that I have to remember, and I don't remember them. I only remember one password. Those programs synchronize the passwords spoke across everything that I use: the Android phone, the desktop, the laptop at work, everywhere. So it's a really cool thing.
CONAN: And there's a password to get into this program, presumably.
MACK: Yes, and it has to be pretty hard to - so nobody else can guess it, number one. Number two, with these programs, they avoid the keyloggers. There can be viruses that are called keyloggers that basically take a snapshot of the website where you're at, and they send over the Internet with the password that you're typing in. So if you have this sort of a password program, manager program, they'll simple paste the password in there and it's not traced as a keystroke. So it cannot be hacked that way either.
CONAN: Rachel Swaby, is that what you were talking about, these kinds of programs?
SWABY: Yeah, yeah. That's great. And also the two-step verification were possible is really hard to...
CONAN: Like many bank accounts have?
SWABY: Bank accounts Gmail, Dropbox, they offer these services.
CONAN: Thanks very much, Mack.
MACK: Yep. Thanks.
CONAN: Email from - this is from Michael: All devices are working towards having a webcam-type camera in them tied to facial recognition that would result in natural passwording. Is that right?
SWABY: Yeah. So that's a possibility. You know, when, I think, the Android phone came out, there was a picture recognition, but it could be - but you could open it with a photograph. So they're still having some problems with it, and I think it needs to get a lot better before that becomes the thing that's going to allow someone into all of your data.
CONAN: We're talking with Rachel Swaby on the Opinion Page this week. There's a link to her piece that was published in The Atlantic at our website. Go to npr.org, click on TALK OF THE NATION. This is TALK OF THE NATION from NPR News.
This from AJ in Berkeley: When I'm prompted to create a password, I decide whether I'm annoyed by it or not. If not, I chose a phrase a Grateful Dead song. But if I am annoyed, I pick something from the Three Stooges. I have half a dozen, three for each, and rarely have trouble remembering which is which.
So I guess different mnemonic devices have different solutions. So let's if we can go to - this is Kurt(ph). Kurt with us from Dayton, Ohio.
KURT: Yes. I'm in the military medical system, and I just wanted to comment that there are many instances where you not only have a lot of different passwords that you have to come up with, but you cannot re-use the passwords that you had in the past 20 times. And they require you to change them every three to six months. And for all these different systems, it gets to the point where you have to think of something that is so common that if somebody whenever does discover it, they'll probably going to discover, you know, being able to crack a whole bunch of different accounts that you have.
CONAN: Is that an approach they can work, do you think?
SWABY: Right. So there - that's only that works for companies, but it's really hard on employees. And what tends to happen is that employees go with something that's really, really simple and - or they're just taking slight variations on the last password that they had to reset, or the last password they had to reset. So it's actually - again, it's not great for users, and it doesn't kind of encourage this strong password because if you have to change it every three months, why invest in something that's really hard to remember?
CONAN: Hmm. Well, Kurt, good luck with you.
MACK: All right. Thank you.
CONAN: Thank you. Appreciate it. This email from Mary: Passwords are just irritating. My responses to use Gaelic words were to take a phrase that has meaning to me, little brown house and use Babelfish to translate it into a foreign language and stick a number in between words. It seems to me that's still going to leave you remembering difficult things.
Let's go next to - this is David. David calling from Pittsburgh.
DAVID: Thanks for taking my call.
DAVID: A big fan of show. I care to comment because unfortunately over the last few months, I had a - my banking and credit information was stolen online, and it was used by a group of individuals to buy up thousands and thousands of dollars worth of luxury hotel stays and resorts stays all over the planet so...
CONAN: And did you end up having to pay for that?
DAVID: No. I was lucky enough that the banking information was sort of just like limited. And as they tried to use it, you know, my - the securities locked them out, which is I was very fortunate for. But I spoke with the security counselor at my bank, and they said, they advised me, really, just to limit what they said was my digital footprint online. So I had to sort of just rethink about what I was doing online. I eliminated a lot of social networking information from online and was just a little bit more careful about what I do on the Internet, what I purchase and things like that, so. And I'll take the comments off the air.
CONAN: OK. Thanks very much.
CONAN: And thank you. And, Rachel Swaby, that's sort of reducing your digital and online footprint is sort of surrendering a little bit.
SWABY: Yeah. It doesn't seem like that's sustainable.
CONAN: Here's an email from Eric(ph): The key is to stop thinking password and start thinking pass phrase. Phrases are much easier for us to remember and more difficult for programs to crack. Is that - everybody says you should have 14 letters, but pass phrase, that's - you're getting on to a lot more than 14 letters.
SWABY: Right. So if you use several words in a row, I mean, that gets exponentially harder to crack. But if you use - I mean, even computers can run through several different dictionaries from several different languages as one suggested before.
CONAN: Babelfish, right.
SWABY: So the word itself doesn't protect you, but, yes, if it's long enough, that helps. If it's 14 characters or longer, that's great.
CONAN: It's interesting. Through this - and I assume through much of the industry, you say, this is a six-character strong solution. This is an eight-character strong solution. In other words - meaning, six is pretty weak, so is eight.
SWABY: Right. I mean, at some point, six was fine, but it's not anymore and neither is eight. So really, I guess, for the moment, the companies should be asking people to enter much longer passwords.
CONAN: And what's your strategy? What do you do?
SWABY: Well, before I wrote the article, I got two-step authentication on everything I could.
SWABY: And I think one password is the way to go.
CONAN: And so is that something you use yourself?
SWABY: It's something that I need to be using myself.
CONAN: See, there's the problem.
SWABY: Exactly. It's not sustainable. It's really hard for people.
CONAN: It is. As you point out in the piece, ultimately, we're human beings who don't want to be mess with this. We want something simple and short.
SWABY: Well, I feel like, you know, we already put so much work into our kind of online lives. It just seems that putting more time into it is tough, but it's necessary for the moment until we come up with a better solution.
CONAN: Well, Rachel Swaby, good luck getting that two-tier authentication and the one-pass system. We appreciate your time today.
SWABY: Thank you.
CONAN: Rachel Swaby, a freelance writer based in San Francisco with us today from member station, KQED. You can find a link to her Atlantic piece, "The Password Fallacy," at our website. That's in npr.org. Click on TALK OF THE NATION.
Tomorrow, we'll talk about some of the ways law enforcement uses DNA, facial recognition and other high-tech tools, but also about civil liberties. This is TALK OF THE NATION from NPR News. I'm Neal Conan in Washington. Transcript provided by NPR, Copyright National Public Radio.