9:19am

Mon July 25, 2011
All Tech Considered

Hunting For A Password That Only You Will Know

Passwords — almost everyone's got one, or two, or 10.

But are passwords really the best way to protect your digital identity? Computer scientists have been trying to crack the code on the next generation of passwords, and one researcher says all you may need is a squirrel.

Security expert Markus Jakobsson says, just imagine that you went jogging in the forest, and you stepped on a squirrel.

That's one way to create a strong password, he says.

"Think of a story," he says. "Turn it into three important words of the story."

A Bizarre Combination

And instead of punching in a random series of characters on a computer or a smartphone, users just need a three-word combination from a story they will remember.

Jakobsson says the more bizarre — jogging, forest, squirrel — the less likely a hacker will be able to get into your account. And the more likely you'll be able to remember it.

That's a good thing because technology writer Clive Thompson says our memories are lousy.

"Everyone knows that they should have a password that is harder to guess, but the truth is we humans are pretty bad at remembering characters that make for a really strong password," he says.

How bad are we at passwords?

Earlier this month, Hotmail announced new e-mail users will be banned from using passwords like "password," "123456" and "ilovecats."

Weak or even non-existent passwords were at least partly to blame for security breaches of voicemail accounts in the recent UK phone hacking scandal.

Other Options

There are other options for authentication. Ed Felten, chief technologist for the Federal Trade Commission, says security researchers group all the different ways a user can prove his or her identity into three categories.

"Something you know, like a password; something that you have, like some kind of an object or a physical key, like we unlock our doors with; or something that you are, that is, some aspect of your body or your physical person," he says.

Our memories are bad with passwords, and we can easily lose a key, so some researchers have turned their focus to biometrics — that is, using parts of your body as an ID.

Engineering psychologist Kelly Caine says there's a reason we haven't seen a wide use of biometrics instead of passwords.

"Your credentials, so your face, your iris, or your fingerprint, can't be re-issued if they get compromised," she says.

Multiple Layers

So Felten says the best way to protect your digital identity is using multiple layers of security with passwords.

"The familiar passwords are ... not perfect. They're far from perfect. But they are the easiest alternative for now," he says

And that means for the time being, passwords are here to stay.

Web companies and the Commerce Department are trying to develop ways for users to log in online with just a single password that would open all their accounts.

Remembering just one password would certainly be easier, but Felton says it could also be dangerous.

"All your eggs are in one basket," he says. "You better protect that basket really well.

Of course, you could always come up with a good story. Just make sure it doesn't involve jogging, forests or squirrels.

Copyright 2011 National Public Radio. To see more, visit http://www.npr.org/.