Skip to Content

You might want to take another pass at your passwords

February 17, 2015

Compromises of private corporate or consumer data are all too common. This month, health insurer Anthem announced its customer data was hacked.

Yet even President Obama last week poked fun at our common line of defense: the lazy password.

"It's just too easy for hackers to figure out usernames and passwords like 'password' or '123457.' Those are some of my previous passwords," he said.

In short, passwords have, in some cases, undermined their own security intent.

You'd think a librarian might have a good system for keeping track of all her passwords. But Holly Sammons doesn't. She would have 1-2-3-4 if she could.

Many passwords require a combination of numbers, upper and lower case letters or special characters. And that goes for each of the dozens of accounts and Web sites at home and at work. It's impossible to remember, so Sammons says she cheats.

"I used to keep it on a little sheet of paper behind my ID badge that I wore around at work, but it just has gotten so big," she says.

Apparently, this problem is universal at the Syracuse library where she works: "In the department I work in, we have a whole cheat sheet of passwords that we have."

Sammons says she saves her passwords in an email to herself. Still, she occasionally gets stumped. Then come the security questions.

"My favorite is what was your first car, so then I think: OK, did I say Chevy, or did I say Chevrolet? Did I capitalize it? Or is it all lower case? Or, some of them are subjective, like what's your favorite movie. So, at any given moment, what would've been the answer to that question?" Sammons asks.

Neal O'Farrell, a security and identity theft expert at Credit Sesame, a credit-monitoring site, says consumers are apathetic.

"It kind of explains why we're in this security pickle," he says. "A lot of it comes from a sense of helplessness: You know, why bother if these hackers are so good? If Home Depot and Target and JPMorgan and Anthem can't stop them, how can I?" he asks.

The core problem, security experts say, is that there's a trade-off between security and convenience. Simply making a password more complex can actually backfire because it becomes impossible to remember.

There is a whole sub-industry of services that offer to manage passwords for you. There are companies developing systems using biometric data like fingerprints or voice-recognition to verify identity. But O'Farrell estimates that fewer than 5 percent of people use those kinds of services.

Cormac Herley is in the 95 percent who don't. He's principal researcher with Microsoft Research, an arm of the software giant.

"Passwords are the worst system in the world — except for all the other systems," he says.

Herley recommends assigning different tiers to passwords. Using your best, most complex ones for work and banking, but devoting less effort to those that don't matter as much. But even that can be a lot to ask, even for him.

"I write the passwords down and have a photocopy at home and a photocopy in the office and a couple copies here and there."

But, could all that be compromising security?

"Well, I mean, um, yes," he says.

Herley argues in his own defense that there is no perfect alternative. Free password management software, for example, saves your passwords to the Internet Cloud.

But, "as soon as you upload the passwords to the Cloud, you've now introduced another form of risk, so it's not that you've made security clearly and unarguably better," Herley explains.

He says, for every password system developed, hackers often find ways around it.

"There are guessing attacks that are both online and offline, there are phishing and spear-phishing, and keylogging and malware attacks and server breaches, and we see evidence every day that these attacks succeed." he says.

O'Farrell says that should not discourage consumers.

"There is so much you can do to layer yourself in security, just to make it difficult enough for hackers not to bother with you," he says.

And he says there is still value in keeping your digital door locked with a good password.

Copyright 2015 NPR. To see more, visit

Our lives have changed ...

CPR will not compromise in serving you and our community. Vital news and essential music are made possible by member support.


Experiencing and Confronting Bias

Recently on the national program The Takeaway, former CPR journalist Lee Hill shared his experience from his time here. Hill’s story, as well as feedback from our current staff, has led to deep introspection at Colorado Public Radio. These are hard lessons about the harmful effects of white privilege and implicit bias.
Read the full statement from our President & CEO.

Celebrate Summerfest!

CPR Classical's 10-week summer festival features a star-studded concert series of today's greatest performers and Colorado's own world-class festivals and musicians. We're providing a front row seat in your own home or your lawn to the best soundtrack for your summer.

B-Side Fridays On Indie 102.3

The B-Side Summer Music Series is going virtual this year. Indie 102.3 has partnered with MCA Denver to bring you the rooftop performances virtually. Watch every Friday at 7 p.m on Indie 102.3's Facebook page or listen at 9 p.m. each week.