STEVE INSKEEP, host:
On Wednesdays, the business report focuses on the workplace. And today let's look at one of the biggest frustrations at work: computer passwords. Most computer users now have to remember between six and eight passwords. So let's decode the problems that causes with the man known as the key master. His real name is Marc Boroditsky, and he is CEO of Passlogix, a password management company. He says all these passwords add up to more than just confusion.
Mr. MARC BORODITSKY (CEO, Passlogix): It was a serious chunk of wasted time and many people talk about the fact that it's highly inefficient, and oh, if we can only get that time back. I'm not sure that that inefficiency is as important as other inefficiency, like when that bank teller forgets their password and the line starts to build up in front of their station, as they're having to call the helpdesk to get their password reset.
INSKEEP: Are all these passwords necessary?
Mr. BORODITSKY: You know, it's increasingly - they're increasingly necessary. I mean, take a look at the kinds of breaches organizations are facing, where data that sits in a database, if it's not properly password protected, it might mean the exposure of important consumer or individually-recognized data. It could be your Social Security numbers. It could be your medical records.
INSKEEP: You know, one possible solution is narrowing it down to a single password so that if I were an individual, say, as opposed to a company, I might have the same password for my bankcard and to get into the computer and to get into the e-mail once I'm in the computer and a couple of other things. But isn't that actually less secure?
Mr. BORODITSKY: That's the risk that the security professionals call the keys to the kingdom risk. If I had one password to go everywhere, don't I expose all those destinations to the weakness of that one password? And you're absolutely correct, Steve. What you want to have is unique passwords for every application that you use, and if in fact you are the one that has to recall them, you need some mechanism to make it easy to recall them. So in fact some kind of a system that might make it possible for you to select secure yet memorable passwords that are unique for each target system that you use.
INSKEEP: You know, PC Magazine recently put out a list of the most common passwords. I wonder if you can just judge the quality of these passwords. The most popular password is the word password.
Mr. BORODITSKY: That's obviously very weak. I mean that's probably the first one that anybody would guess. Right there it says please enter your - password.
(Soundbite of laughter)
INSKEEP: There it is. And the second most popular password is 123456.
Mr. BORODITSKY: I don't even need to (unintelligible) that one. I think these are getting worse as we...
(Soundbite of laughter)
INSKEEP: Give me an example of a really tough password.
Mr. BORODITSKY: A tough password is something that doesn't have a word in the dictionary in it, doesn't have any kind of name of a place or a person. It doesn't have a familiar number, like a phone number or a date. But it could be the combination of all of those, and preferably not spelled out in a way that's identifiable. So a good password following the system I use as an example might be - for eBay it might be E-B for eBay, followed by an acronym I like, N-P-R, followed by the year, 2007.
INSKEEP: Oh, there we go.
Mr. BORODITSKY: So, ebnpr2007 isn't a word in the dictionary and isn't easy to guess if you were attempting to gain access.
INSKEEP: But it's still something that I can remember that I can associate with what I'm actually using the password for.
Mr. BORODITSKY: That's correct. And hopefully apply it to all the other destinations that you may access.
INSKEEP: You know, I don't mean to suggest that they are unimportant things that are available on computers. Obviously many things have to be password-protected and there are hackers everywhere. But is it possible that there's just a ton of information that nobody really wants to steal, that wouldn't be of any value if they did steal, and yet still it's protected by passwords causing all those inefficiencies?
Mr. BORODITSKY: I mean absolutely. I mean whether or not somebody knows my password to the New York Times isn't going to make or break me. But if somebody knows my password to my e-mail, and in my e-mail messages there's sensitive information, that might in fact be a problem.
INSKEEP: Marc Boroditsky, thanks very much for speaking with us.
Mr. BORODITSKY: Thank you very much, Steve.
INSKEEP: Marc Boroditsky is the head of Passlogix, and you can get more tips for keeping your password safe by going to NPR.org.