Farhad Manjoo Makes Your Passwords Secure

Digital Life

Read Farhad Manjoo's piece for Slate, "Fix Your Terrible, Insecure Passwords in Five Minutes"

Recently, 10,000 email passwords were exposed online. The phishing scheme exposed some of the most commonly used passwords. Farhad Manjoo of Slate offers his foolproof techniques on creating a unique password to keep your accounts protected from computer hackers.

NEAL CONAN, host:

Yesterday in North Carolina, Nevada and California, law enforcement officials launched Operation Phish Phry and netted 33 arrests. The culprits aren't haddock, perch or walleye. They were after online scam artists, identity thieves, men and women who convince you that it's okay to click and enter your password to your email or your bank account. Recently, 10,000 Hotmail, MSN and Live.com passwords were exposed online, a huge security breach.

And what turns out to be the most common password? 123456. So, what makes a good password, and how do you protect your computer and yourself from phishing? In just a moment, we'll talk with Farhad Manjoo, technology columnist at Slate.com. If you have a question for him about password security and phishing, our phone number is 800-989-8255. Email us: talk@npr.org. And you can join the conversation on our Web site. That's at npr.org. Click on TALK OF THE NATION.

Farhad Manjoo is technology columnist at Slate.com. You can find a link to his column on password security on our Web site, npr.org. And he joins us from KQED, our member station in San Francisco. Farhad, nice to have you back on the show.

Mr. FARHAD MANJOO (Technology Columnist, Slate.com): Hi, good to be here.

CONAN: And for those who don't know, what is phishing? For one thing, it's spelled PH.

Mr. MANJOO: Yeah. So phishing is when somebody sends you to a Web site that kind of looks like a legitimate Web site, say, it looks like your bank account or PayPal or something like that. And you think it's a legitimate site and you enter your password and your username in it, but actually it's sort of just masquerading as a legitimate site. It's actually run by some nefarious person who's trying to get your information.

So you enter that in, they get it, and then have, you know, they have access to all your stuff.

CONAN: And I get these, well, I think, every day. But one of them says, your PayPal account, we have questions about security. Just to make sure everything's okay, just enter all your information here. And, of course, I don't have a PayPal account.

(Soundbite of laughter)

Mr. MANJOO: Right. I mean, usually, these attacks are kind of unsophisticated. You'll notice bad grammar. You'll notice misspellings. You'll notice them - the - when they go to the Web site, they don't look exactly like PayPal or Wells Fargo. But sometimes they can be very sophisticated, and people fall for them all the time.

CONAN: And this, it turned out, was being run not just in this country, where some of the arrests were made, but in Egypt, as well.

Mr. MANJOO: Yeah. I mean, I think this is another hallmark of these attacks. Like, they're often run from foreign countries and - where, you know, law enforcement has little jurisdiction. And they're run by, you know, in this sort of drive-by way, where people will set up a Web site, and it'll stay up for a little while, then go down. So it's really hard to take down.

CONAN: And one of the things your column makes clear is that once people get your password to an email account from that, they can probably derive the password you use on your bank account and other accounts, too.

Mr. MANJOO: Yeah. I mean, that's the thing. Most people run their email - It's sort of the keys to the kingdom. It has everything in there about you, because we kind of live out of email these days. So, the key to all of this, the key to sort of stopping all of this is to follow, you know, a few very simple password rules. You should change your passwords often. You should not use the same password for several different sites. And you should use passwords that are not readily guessable.

Those are simple rules, but it turns out they're kind of hard to follow because, you know, changing your passwords often, choosing passwords that are easy to remember, that's very annoying, and very few people actually follow these simple rules.

CONAN: And, indeed, it is annoying because it's hard to remember passwords.

Mr. MANJOO: Yeah. It's difficult to remember passwords, especially if you have to - if you have to change them often. So, you have to come up - basically, the rule is you come up with a hard password, something that's hard to remember. But if it's hard to remember - I mean, something that's hard to guess. But if it's hard to guess, then it's hard to remember. And that's the trouble.

CONAN: Let's see if we get some callers in on the conversation. 800-989-8255. Email: talk@npr.org. We promise it's our real site. Josh is on the line from Lansing, Michigan.

JOSH (Caller): Hi, guys. My question is, how do you keep track of all these passwords? Because, for instance, I'm in the military. I've got about 15 different Web sites and they all have different requirements - one special character, two capitals, two lowercase, or whatever. Is there any kind of way to keep those passwords in a secure file so that you can access them, or - besides write them down on your keyboard or...

CONAN: Now, that's probably a bad idea too.

(Soundbite of laughter)

Mr. MANJOO: Yeah.

CONAN: Yeah.

Mr. MANJOO: Well, so, I mean, that's the thing. We have to remember so many that people often write them down, which is not really a good idea. So, there are, kind of two ways to try to keep track of your passwords. There are some software programs that are kind of called password lockers or password keepers that kind of take - you put in all your passwords there and then you have kind of a master password. And that software will kind of keep all of your passwords hidden.

The other way is to choose passwords in a way that it makes them both difficult to guess and easy to remember. And so, I talked to some security experts and came up with what I think is a pretty simple way of doing it, and it involves - basically involves a technique we've all used in school, mnemonic device. So what you do is you come up with a sentence that's easy to remember. So, something kind of bizarre. For example, I came up with one: I like to eat bagels at the airport. And then, what you do is you take each of the first letters of that sentence and you turn it into an abbreviation. And, for example, the word at, you can turn into an at sign. And I, the capital for the first person pronoun, you can capitalize that. And so basically, that easy to remember sentence - I like to eat bagels at the airport - becomes a pretty hard password. Capital I, lowercase l-t-e-b, at sign, t-a, you know, something that no one's going to guess.

CONAN: Because everybody remembers mnemonic devices, you know, from music, all good boys deserve fudge, or something like that.

Mr. MANJOO: Right, exactly. And especially if you come up with one for yourself that, you know, is kind of unique to you and tells something about yourself, it becomes easy to remember.

CONAN: So, Josh, you could take one of Napoleon's dicta, perhaps, the moral is to the physical as three is to one.

I think Josh has left us, anyway. Okay. But...

(Soundbite of laughter)

Mr. MANJOO: He's off working on his passwords.

CONAN: He's off working on his passwords. But I was fascinated to read in your article that there is a company that - it sells services cracking passwords.

Mr. MANJOO: Yeah. I mean, people often need to crack passwords: when it's court ordered, when law enforcement has to break into computers, or when a company - somebody who has all the passwords at a company dies unfortunately. They need to get into their computer systems.

And so, there's this company AccessData that basically breaks into computer systems legally and tries to guess passwords. And after doing this for a while, they've come up with basically a lot of insight into how people choose passwords. And what people do is they usually choose a readable word, you know, not necessarily something that you'd find in the dictionary, but something, you know, like a first name perhaps, or something like that. And when asked to add a symbol or a number, most people add the number one, the numeral one to the end of it, or they add an exclamation mark. And it turns out, these are very easy to guess. It just takes a computer trying to guess many attempts, and usually, they can find it.

CONAN: Let's get another caller on the line. This is Bachar(ph). Bachar from Charlottesville in Virginia.

BACHAR (Caller): Hello. How are you doing today?

CONAN: Very well, thank you.

BACHAR: Good. It is very interesting when you guys brought this topic up, because just yesterday I was thinking about changing my password because, at least, I change my password three or four times a year. And what I normally use is I use my native language because I'm from Africa. I use my mother's native language because I speak different languages. And my mother's native language is Themne. And what I do is I use one of the words in Themne language to make up my password here in the United States.

I will give you an example. A long time ago, I used one of my passwords. In my native language, the word tamaraneh, T-A-M-A-R-A-N-E-H, it means let's help each other. So here, it will be very difficult for somebody to think about stuff like that because this is a foreign language. In fact, I don't believe many people have heard about the language Themne, you know?

CONAN: Farhad, is that a good technique? Obviously, not many of us speak African languages or obscure languages. But is that a good technique?

Mr. MANJOO: Yeah. It sounds good. There's one sort of shortcoming to it, which is that if somebody does get ahold of his computer and they notice, let's say he's written emails or other things in that language, it's - what they do is they come up with a list of things that are - with a list of words that are found in the computer, and then they try to use each of those words as a password. So if he's written that word before, or permutations of that word, then it could be easy to find on the computer and then guess the password.

BACHAR: Thank God I have never used a language. As a matter of fact, the Themne language is not a written language right now. I know some people who have been in Europe and in America and other places, are trying to make it a written language. But right now, it's not a written language. So, thank God for that. In fact…

CONAN: Unwritten language sounds like a pretty good code to me.

Mr. MANJOO: Yeah.

CONAN: But another thing he said - Bachar said that is very important, and according to your column, he changes it every once in a while.

BACHAR: Right.

Mr. MANJOO: Right. I mean, that is a very good practice and it's - he's in the minority there. Very, very few people actually change their passwords very often, and that could be, you know, sort of like a great thing to keep your accounts more secure.

BACHAR: If I have time, can I say something?

CONAN: Very quickly if you could.

BACHAR: Yes. The reason why I started changing my password - because I remember this one time, I have an account with eBay, PayPal account, and I was - few months later, I was going to buy something on eBay and they told me they can't accept my account anymore because my complete name sounds like a name that somebody had used before. So, since then, I just said, you know what, I'm going to close my accounts up on eBay and stop using my other - my alias to get my goods, you know?

CONAN: All right.

BACHAR: So that's the reason why I started using - yes.

CONAN: Okay. Thanks very much. Appreciate the phone call. We're talking about phishing and our terribly weak passwords with Farhad Manjoo. You're listening to TALK OF THE NATION from NPR News.

And let's go now to Mandy(ph). Mandy with us from Atlanta.

MANDY (Caller): Hi. How are you?

CONAN: Very well. Thanks.

MANDY: I really laughed whenever I heard this topic today. I was a phisher whenever I was about 13 years old. I'm…

CONAN: Really at 13?

Mr. MANJOO: Wow.

(Soundbite of laughter)

MANDY: Yeah. And I'm 26 now, to give you a perspective. And now, I'm actually in information assurance and security. So I've seen both sides.

(Soundbite of laughter)

CONAN: Huh.

MANDY: But the one thing I wanted to mention was that one of the most effective techniques is people forget their passwords and they go through that whole form, and you have those three security questions. Well most people use the same screen names. And so, let's say you use the same screen name on eBay, for example. Then you can figure, well, they either have Yahoo! or AIM or GTalk, whatever. And you go through, you find them and you talk to them and you can actually get the answers from them by having a conversation and reset the password.

CONAN: Is she right, do you think?

Mr. MANJOO: Yeah. I mean, that's one of the, actually, the main ways that people break into accounts and it happened, you know, in a few famous incidents. Someone hacked into Sarah Palin's Yahoo! account one time and they did that because they could guess, you know, information about her. And it also happened to Paris Hilton's cell phone account the same way. You could guess her pet's name.

CONAN: Mandy, have you atoned for your sins?

MANDY: Well, it's past the limit for me to get in trouble for it, so, I hope so.

(Soundbite of laughter)

CONAN: Okay. Well, maybe working in security is punishment enough.

MANDY: Yeah. It's just really the funniest thing because these days, I'm like, no, no, no. I've been there and I did it much better.

(Soundbite of laughter)

CONAN: All right, Mandy. Thanks very much for the phone call.

MANDY: All right. Thank you.

CONAN: And we have this email from Topari(ph), I think. Topani(ph), excuse me, in Helsinki. I use a paper and pen address book where I can check rarely used passwords if I need to log on to npr.com. I find the password under N. Best of all, he says, it's impossible to hack. However, again, it involves being written down, which can be a problem.

Let's see if we can go next to - this is Steve(ph). Steve with us from St. Louis.

STEVE (Caller): Yeah. Hi. I try to help out people with this type of thing. And I know that so many people have multiple email addresses when they don't necessarily need them. And sometimes, people will just forget that their address is out there. I try to encourage people to pick a professional-sounding email address and stick with that and pick a good password instead of having 10 different email addresses that they use for 10 different things. Because maybe one address, they'll stop using and forget the password, but somebody else might find it.

CONAN: Hmm. Is that good advice, Farhad?

Mr. MANJOO: Yeah. I think so. I've heard of sort of attacks occurring that way where people break into one account that people haven't - don't remember that they've had and then it sort of leads them to information that allows them to sort of break into the - all the other accounts.

The other thing to remember is that, you know, we're supposed to keep different passwords for different sites, but you don't need that many. You can sort of get by with about four or five just on - you need kind of the strongest level passwords on the main sites. So your email password should be distinct and unique and not repeated on any other site. And probably, your bank account should be the same.

But for - if you have an online account at, for example, an online news magazine, like you read the New York Times. You have to log on there. You don't really need a very strong password for that. And you could use the same one for all your online news accounts because if someone breaks in there, they're not going to find very much about you.

CONAN: Okay. Steve, thanks very much.

All right. Here's an email from Gerrianne(ph). I have fubar on my computer. My husband has one in his, too. I have more than a hundred passwords stored in it and I have it at the very top of my computer screen. All I have to do is click on it and access the list of my passwords, and she says, it works great.

Is that one of those software programs you were talking about?

Mr. MANJOO: Yeah. It sounds like that's what that is. And there are many, you know, both for Mac and PC. I don't really use one. I find - I haven't found one that is especially easy or fast to use. But I know some people who swear by them.

CONAN: I like your idea of the mnemonic phrase. My favorite of yours that you mentioned in the article is: My first Cadillac was a real lemon so I bought a Toyota.

(Soundbite of laughter)

Mr. MANJOO: Yeah. And that leads to a very long, long password that could be very secure. I won't even read it now because it's very complicated.

CONAN: All right. There was a character in the Superman comics in the old days. You can't possibly pronounce it but Mr. (unintelligible), maybe that would be a good password, too.

Mr. MANJOO: Yeah.

CONAN: Farhad, thank you very much for your call.

Farhad Manjoo, thank you very much. And Farhad Manjoo joined us today from our member station in San Francisco, KQED. He is, of course, the technology columnist at slate.com. You can find a link to his column on password security at our Web site, npr.org.

This is TALK OF THE NATION from NPR News. Tomorrow, it's SCIENCE FRIDAY. TALK OF THE NATION: SCIENCE FRIDAY.

I'm Neal Conan. We'll see you again on Monday.

Copyright © 2009 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.