DAVID GREENE, HOST:
What's your favorite food? You might have a few. One of them might be the answer to a security question you typed in when you had to set up a new password. Passwords are supposed to protect us from having our information compromised. But how do you remember all the passwords and the security answers when you forget the password? President Obama recently poked fun at one of our strategies: the lazy password.
(SOUNDBITE OF SPEECH)
PRESIDENT BARACK OBAMA: It's just too easy for hackers to figure out usernames and passwords - like password.
OBAMA: Or 1, 2, 3, 4, 5 - 7.
OBAMA: Those are some of my previous passwords.
GREENE: NPR's Yuki Noguchi says if you are frustrated, you are not alone.
YUKI NOGUCHI, BYLINE: You'd think a librarian might have a good system for keeping track of all her passwords, but Holly Sammons doesn't.
HOLLY SAMMONS: I would have 1, 2, 3, 4 if I could.
NOGUCHI: Many passwords require a combination of numbers, upper and lowercase letters or special characters. And that goes for each of the dozens of accounts and websites at home and at work. It's impossible to remember. So Sammons says she cheats.
SAMMONS: I used to keep it all in a little sheet of paper behind my ID badge that I wore around at work, but it just has gotten so big.
NOGUCHI: Apparently, this problem is universal at the Syracuse library, where she works.
SAMMONS: In the department I work in, we have a whole cheat sheet of passwords that we have.
NOGUCHI: Sammons says she saves her passwords in an email to herself. Still, she occasionally gets stumped. Then come the security questions.
SAMMONS: My favorite one is what was your first car? So then I think, OK, did I say Chevy or did I say Chevrolet? Did I capitalize it or is it all lowercase? Or sometimes it'll ask a very subjective question - what's your favorite movie? So, you know, at any given moment, what would the answer have been to that question?
NEAL O'FARRELL: It kind of explains why we're in this security pickle.
NOGUCHI: Neal O'Farrell is a security and identity theft expert at Credit Sesame, a credit-monitoring site. He says consumers are apathetic.
O'FARRELL: A lot of it comes from a sense of helplessness. You know, why bother if these hackers are so good? You know, if Home Depot and Target and JPMorgan and Anthem can't stop these hackers, how can I?
NOGUCHI: The core problem, security experts say, is that there's a trade-off between security and convenience. Simply making a password more complex can actually backfire because it becomes impossible to remember. There is a whole sub-industry of services that offer to manage passwords for you. There are companies developing systems using biometric data, like fingerprints or voice recognition, to verify identity. But O'Farrell estimates fewer than five percent of people use those kinds of services. Cormac Herley is in the 95 percent who don't. He is principal researcher with Microsoft Research, the research arm of the software giant.
CORMAC HERLEY: Passwords are the worst system in the world except for all the other systems.
NOGUCHI: Herley recommends assigning different tiers to passwords, using your best, most popular ones for work and banking but devoting less effort to those that don't matter as much. But even that can be a lot to ask, even for him.
HERLEY: I write most of the passwords down and have a photocopy at home and a photocopy in the office and a couple of copies here and there.
NOGUCHI: Do you think that that's sort of compromising security?
HERLEY: Well, I mean, yes.
NOGUCHI: Herley argues, in his own defense, that there is no perfect alternative. Free password management software, for example, saves your passwords to the Internet cloud, but...
HERLEY: As soon as you upload the passwords to the cloud, you've now introduced another form of risk, so it's not the case that you made security clearly and unarguably better.
NOGUCHI: He says for every password system developed, hackers often find ways around it.
HERLEY: There are guessing attacks that are both online and offline. There are phishing and spear-phishing, and keylogging and malware attacks. There are server breaches. And we see the evidence every day that these attacks succeed.
NOGUCHI: Credit Sesame's Neal O'Farrell says that should not discourage consumers.
O'FARRELL: There is so much you can do to layer yourself in security, just to make it difficult enough for hackers not to bother with you.
NOGUCHI: There is still value, he says, in keeping your digital door locked with a good password. Yuki Noguchi, NPR News, Washington.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.