NPR logo Password Security Is So Bad, President Obama Weighs In

Password Security Is So Bad, President Obama Weighs In

President Obama meets at the White House on Tuesday with members of his national security team and cybersecurity advisers. Pablo Martinez Monsivais/AP hide caption

toggle caption
Pablo Martinez Monsivais/AP

President Obama meets at the White House on Tuesday with members of his national security team and cybersecurity advisers.

Pablo Martinez Monsivais/AP

You've heard it before. Change your password. Change. Your. Password. But now, Americans are getting that message from the top. Password security is in such a sorry state, our commander in chief is weighing in with a call to action.

On Tuesday, the White House released a sweeping cybersecurity plan, proposing to boost next year's federal budget for computer protection by 35 percent to $19 billion — an aggressive spending increase that will face scrutiny by a Republican-controlled Congress. President Obama also issued an executive order to create a new Federal Privacy Council, to protect citizen privacy.

But Obama didn't stop there. He made a grass-roots call, too. Reflecting the granularity of his approach, Obama is literally asking citizens to please take basic steps, and use available technology to protect their data.

In a Wall Street Journal op-ed, Obama says he wants to "encourage more Americans to move beyond passwords — adding an extra layer of security like a fingerprint or codes sent to your cellphone." It's a message you'd expect from IT support, not from the leader of the free world.

Given how many Social Security numbers have been stolen — one leading analyst estimated 60 to 80 percent as of mid-2015 — the White House also says it wants to reduce its reliance on that once-unique identifier.

To oversee cyberdefense across agencies, the White House proposes to create a new position: a chief information security officer for the country.

Rahul Kashyap with the security firm Bromium says that's a great idea, though he's not sure the salary will attract top talent. The job posting is offering six figures, up to $185,100 to be exact. But, Kashyap says: "At that rate, they'll end up getting a bureaucrat. The role [of chief information security officer] is one of the hottest right now. Every large corporation is trying to hire one."

The plan overall is a timely move. The administration is increasingly demanding that the private sector clean up its act, protect data and invest in technologies that find hackers inside networks. To carry weight, Kashyap says, the feds can't be in such an embarrassing state themselves.

Like the old saying goes, "He who lives in a glass house should not throw stones."