Your Password Is the Worst

Season 4: Episode 2

Look, we agree with you: passwords are the worst. But you know what else is the worst? Someone hacking your account, or big security breaches that expose your email, your credit card information, your government-issued identification number, and more. We should hold companies accountable for better security, but we also need to hold ourselves accountable for having good password hygiene. So let’s tackle this once and for all. Hear from Buzzfeed’s Mat Honan, who endured a brutal hack a few years ago when hackers exploited password-recovery tools; Mark Wilson from Fast Company, who wants to ban passwords altogether (though admits it’s not the best idea); Masha Sedova of Elevate Security who says that, yes, security companies have failed us – but we have to use passwords anyway; and Matt Davey of 1Password, who offers a solution that Mozilla can get behind: use a password manager. A simple, game-changing tool that will help you take back control of your accounts, and secure yourself as best as you can.
Published: December 10, 2018

Show Notes

Your passwords protect more than your accounts. They protect every bit of personal information that resides in them. And hackers rely on bad habits, like using the same password everywhere or using common phrases (p@ssw0rd, anyone?), so that if they hack one account, they can hack many.

Password managers like 1Password, LastPass, Dashlane, and Bitwarden generate strong, unique passwords. They also store passwords securely and fill them into websites for you.

IRL listeners can sign up to 1Password and get their first three months for free. Just visit 1password.com/promo/IRL and give it a try.

And, if you use Firefox on your iPhone, try out Firefox Lockbox. It securely gives you access to all the logins you’ve saved to Firefox, in a secure app on your phone.

As we mention in this episode of IRL, Gabriela Ivens cataloged hundreds of secret recipes that were leaked during data breaches. Firefox teamed up with her to show the personal impact a security breach can have on someone. As a bonus, we let you in on those precious recipes to drive the point home. Go have a look — and be sure to try the “Exposed BBQ Spice Rub” — at dataleeks.com.

Want more? Mozilla has teamed up with 826 Valencia to bring you perspectives written by students on IRL topics this season. Zues C. from De Marillac Academy wrote this piece on managing your passwords, and managing your life.

And, check out this article from Common Sense Media, on real world reasons parents should care about kids and online privacy.

Three cheers for good passwords (and password managers).

Transcript

Manoush Z.: Okay. Here’s my first question for you, what did you recently get for the very first time?

Daughter: What do you mean? What do you mean?

Manoush Z: You got your very first?

Daughter: Oh, password.

Manoush Z.: What is a password?

Daughter: It’s a thing to get into let’s say I’m using it for Google Classroom.

Manoush Z.: What did you learn about passwords? You don’t tell it to anyone?

Daughter: Mm-mm (negative)

Manoush Z.: But how are you going to remember what the password is?

Daughter: It’s based on a song. Everyone has that.

Manoush Z.: Everybody has a song?

Daughter: Everyone has … The first letter of every word in the song. So let’s say if you were doing Let It Be, for example. L-I-B and then you do the rest of the words.

Manoush Z.: Oh, that’s cool. What are you going to do - are you going to get more passwords that you have to remember?

Daughter: I’m not sure about that.

Manoush Z.: Are you ready to have more passwords?

Daughter: Not yet.

Manoush Z.: Why not?

Daughter: Because I’m sticking to my password for now.

Manoush Z.: Oh, my sweet daughter. What a right of passage you’ve just been through. What an exciting time, your first password, your only password. In our online world, it’s really a sign of growing up. Maybe it’s kind of fun for now, so enjoy this feeling while it lasts, my dear, because it won’t be long before you find yourself swimming in an ocean of terrible, hard to remember, useless feeling passwords and cursing the system along with the rest of us. Because passwords, they suck, but we have to use them anyway. Locking down our virtual stuff, it’s a big old pain for everyone. Yet despite our best password intentions, security breaches keep happening.

In 2018 alone, we saw major data theft at Cathay Pacific, Ticketfly, Marriott, Facebook and others. Over and over again. Nearly 3 quarters of ALL U.S. companies have experienced some kind of data breach. That means that millions of us have been affected.

You’ve got to wonder whether or not our passwords really can protect us from anything, because there’s not much we can do when a company gets hacked and our personal information gets stolen.

The easiest thing to do is just blame them, the companies, for letting their guard down. But what responsibility should we take? Are passwords pointless? The answer is actually no. Because though it may feel that the quest for the perfect password is a lot like tilting at windmills, personal security is evolving and so must we.

I’m Manoush Zomorodi, and this is IRL: online life is real life. An original podcast from Mozilla.

Not sure you need to worry? There’s a website called Firefox Monitor that will tell you if your passwords or your email have been compromised. Just type your email into the site, don’t worry, it doesn’t get stored, and Firefox Monitor will tell you if it’s linked to any security breaches that have been reported. I plugged in my own address and found that I’m linked to seven breaches. Yeah. Seven. Hacks that LinkedIn, Adobe, Dropbox and others.

Visit monitor.firefox.com. Find out if you’re vulnerable and see if what it tells you makes you rethink your password habits. Monitor.firefox.com. Okay. If you set one, two, three, four, five, six as the passcode to unlock your phone and then you use the same passcode to get into your Netflix, Hulu, Twitter, Slack, all of it, you have a terrible habit and you need to change it, but you are not a terrible person.

Dr. Amantha I.: It is definitely not our fault and you should not beat yourself up if you are listening and you have the same password for everything. It’s just how our brains have evolved.

Manoush Z.: Dr. Amantha Imber knows a bit about this. She’s the CEO of an innovation consultancy in Australia called Inventium. Amantha says our brains are actually designed to constantly look for shortcuts.

Dr. Amantha I.: In the case of passwords, it’s remembering your default or go to password that you have for everything because that’s the easy thing to do. Whereas if every time we were asked to set a password, our brain had to do that challenging thing of thinking up a whole new word and number set. That’s exhausting for the brain. We like to do what’s easy. Our brain saves resources for the truly tricky and important challenges that we face. Unfortunately, most of us don’t see passwords as one of those.

Manoush Z.: Okay. Biologically we don’t prioritize passwords. There was no evolutionary advantage for prehistoric humans to keep their cell phone safe. So we really have to work to build that habit. If you look around a bit online, you can find articles and links to lists of commonly used passwords. The list has passwords like flower or sunshine or monkey or ninja, which I love that word, ninja. Such a good word, but a ninja’s not going to protect you from getting hacked. Then again, some of us feel like true online security is beyond our control. In fact, some of us don’t even bother.

Christina: I have absolutely no passwords on my phone. Everything is already connected. Everything is logged in. If you were to steal my phone right now, you could absolutely access all of my social networks, my emails, my text messages without a problem.

Manoush Z.: This is Christina.

Christina: It does not give me anxiety because to be quite frank, I don’t really have anything to hide. My relationships with the people that I care about or my professional relationships would not disappear just because someone hacked through my stuff.

Manoush Z.: Christina hasn’t always lived passcode free. By the way, we’re not using her real name here because she was betrayed a few years back by someone close.

Christina: There was a point in my life where I had to create passwords. I was in a relationship for quite a bit of time where I didn’t feel like my privacy was being respected from my partner. That made me guard up, but something happened where unfortunately that seemed to backfire. The turning point was really when I would wake up in the middle of the night and I’d look over on my night table and that’s where my phone usually was and my phone wasn’t there and he wasn’t there in bed with me. I put two and two together and I could not believe it.

He had locked himself up into our office and was going through my phone and my computer and had downloaded a software that would be able to not only break through my password, but also go through all of my stuff and kind of see what I had been typing last on my computer. That was probably one of the scariest experiences of my life. It made me realize that no matter what, whether I had a password or not, didn’t really do anything.

Manoush Z.: Christina’s story kind of represents the global online security crisis writ large. Her trust was betrayed. As a result, she feels passwords are broken. Anyone is a potential target. A jealous and disturbed boyfriend went after Christina. Other people get hacked by complete strangers. You know how when you forget your password for some services you can answer a few security questions and have it reset for you? Things like your mother’s maiden name, the street you grew up on, those kinds of questions? Well, sometimes that system can also get abused. It’s the other layer of password insecurity and it’s how Mat Honan got hacked in 2012.

Mat Honan: I was at home. I was expecting a phone call and my phone all of a sudden like restarted. When it restarted, the icon came up that said, “Connect it to iTunes.”

Manoush Z.: Mat is the San Francisco Bureau Chief for Buzzfeed News and a tech journalist like me.

Mat Honan: Then I went to actually connect it to my computer and connect it to iTunes like it was telling me to do. When I opened my laptop, I saw for just a fraction of a second that an alert that said my Google Calendar password was incorrect. Then the entire screen went grey and there was a prompt on there for me to enter a pin number to stop a remote wipe. At that point, I was like, “Oh my gosh. This is not my phone crashing. This is something much bigger.” I started to think, “Am I getting hacked here?”

Manoush Z.: Sorry to interrupt you, but you are a tech reporter and you didn’t know what was going on. Do you think like … I am also a tech reporter, but I would have thought that the problem was with me, that I was screwing something up, not that I was being attacked in some way.

Mat Honan: Right. Well, I mean that was initially what I thought. It was just a phone, but when I saw all of my devices were in this state, especially that my laptop was being wiped, like someone was wiping it remotely. It was like remote wipe in progress. I knew at that point like I didn’t do anything to cause this. This has to be someone who did something. I didn’t even want to use anything on my network, and so I went to my next door neighbors and just asked him if I could use their computer. I wanted to see what else is going on. When I did, I discovered that someone had kicked me out of my Google account and changed that password and that someone had taken over my Twitter and now was posting all of this just …

I mean like filth on my Twitter like just profanities, like racist stuff, homophobic stuff, like all kinds of just really vile things. I was able to figure out pretty quickly who they were.

Manoush Z.: Who were they?

Mat Honan: I’ve never like given their identities, but they were not sophisticated. These were teenagers who were using exploits that were at the time were pretty … I was shocked to find were pretty commonly known. All they really wanted was my Twitter handle. My Twitter handle was @Mat. Just @Mat. They knew someone else named Mat and they’re going to try and get this Twitter handle and either sell it to him or trade it for something. The thing that was so shocking to me was that I couldn’t believe that they were able to actually delete my physical data from my drive.

Manoush Z.: How much of that experience do you blame on it being about good passwords versus bad passwords?

Mat Honan: I had really good passwords and really strong passwords. My Google password I believe was 21 characters.

Manoush Z.: Wow.

Mat Honan: The passwords were good.

Manoush Z.: They were good, but am I wrong in thinking that like after the hack, immediately after, you became kind of a password nihilist? You’re like, “What was the point of having these good passwords?”

Mat Honan: You’re not wrong. I think that I still feel that way. I mean I’m a pretty paranoid person now about digital security, and I use all kinds of various two factor things. I do think that passwords are fundamentally flawed and I think we keep seeing it. I think that using what amounts to like this thing that’s a secret is not a really robust way to secure your accounts.

Manoush Z.: Hey, just stepping in here for a second, listeners. So Mat just mentioned two factor things. He means two factor authentication or 2FA. When you use 2FA, you get sent a verification code if you log into an account from an unrecognized device or location. It’s like an extra layer, a second factor to prove you’re you. Okay. Back to Mat. All right. Well, can we just talk about like the future for consumers with their passwords? I have heard like weird, weird ideas. One was like a pill that you would swallow that they would log into wherever you were. I don’t know if that one idea is still around or a ring that you wear. What do you think the future of password technology looks like?

Mat Honan: Man, I hope I don’t have to swallow anything. Like I really don’t want to swallow something to log into my stuff. I think it’s going to continue to be a mix of stuff like it is now and it’s just hopefully going to get easier because I may want more security than someone else does.

Manoush Z.: Right.

Mat Honan: Or someone else may want more. I do think like having a national government identity database would be kind of freaky to most people.

Manoush Z.: Yeah.

Mat Honan: You see that starting to happen. It seems bad.

Manoush Z.: Yeah, that’s interesting because India has a biometric ID database that has been hacked before. On the one hand, it’s a chance for people who certainly don’t have the means to carry around an expensive phone or something like that to have access to their information. I guess it also means though that you have to be able to trust the company to have that for you. I worry about giving up privacy to be secure.

Mat Honan: I do too. I definitely don’t want there to be a world where I just like walk into the store and pay with my face, right? Where everything’s … Right?

Manoush Z.: If you put it that way, that sounds terrifying.

Mat Honan: Everything is based on facial recognition and our iris scanning and it’s all kind of beyond your control.

Manoush Z.: Yeah. Earlier we heard Christina’s story. This is a woman who sort of thrown up her hands and said, “I would rather have no security at all. That makes me feel more free.” Do you kind of think Christina’s onto something?

Mat Honan: I clearly think that different people have different security need, but I don’t agree that like you just shouldn’t worry about your passwords. I think you should. I think that there’s all kinds of unforeseen things that can happen that you’re not going to be able to predict. For example, the Equifax hack. People can use that to try and open up credit on your name. Yeah, that’s out of your control, but if you’ve got … If something happens in one place, you can maybe stop it happening somewhere else by having decent security.

Manoush Z.: At the risk of sounding like too theoretical, I get upset when I hear people say, “I have nothing to hide. It doesn’t matter,” because I think it’s not just about the individual. I think it’s about us as a society. We have seen that the right to privacy is about protecting people’s fundamental human rights in many ways. It’s hard to draw that line from an individual’s experience to like a country’s way of existing, but I think we live in times where we have to do that.

Mat Honan: I think you’re right. I mean it’s a little bit of herd immunity, right?

Manoush Z.: Yes. Yes.

Mat Honan: I mean it’s everything from like making sure that you’re not authorizing some app that turns out to be a Cambridge Analytica type thing that sucks up all your friend’s data, although again that wasn’t the people’s necessarily fault that they know it’s going to do that. To not being the person who I get a Facebook Messenger alert from that says, “Hey, I’m stuck in London. Can you text me or can you send me 20 bucks,” or whatever and it’s really like some scammer somewhere who’s not in London and it’s not your friend. They’ve just taken over their account. When you let your security lapse, it does. I mean it can have consequences for other people.

Manoush Z.: Oh, I love that term that Mat used, herd immunity, because we’re all in this together. The more connected we become online, the more one person’s security vulnerability becomes a backdoor into everybody else’s data. The question isn’t just do I need a strong password to protect all my family photos? No. Now the question is do I need a strong password to protect my kids, my partner and everyone else on the platform?

Mark Wilson: No. The solution to bad passwords doesn’t need to be hard. Just ban them.

Manoush Z.: Of course, yeah, I suppose we could try the nuclear option and like this guy says, just ban passwords.

Mark Wilson: Hey, I’m Mark Wilson. I’m a senior writer at Fast Company magazine.

Manoush Z.: Mark wrote an essay making his case for getting rid of passwords.

Mark Wilson: You know, the story idea actually came from one of my editors. What really drove him crazy was that he was prompted to create a password to order a salad. I mean think about that. Like you just want to buy a salad and all of a sudden you have to create this alphanumeric thing that if you do it securely, you should basically never be able to remember or recall. Like that to me is totally insane.

Manoush Z.: Okay. Fair enough. When he puts it that way, it does sound crazy. But banning passwords? Come on. That also sounds insane.

Mark Wilson: What I mean is look, I feel like I need a password for my bank account, right? Because there’s really private information in there. I don’t want someone else to spend my money. I get it. I need a password. But do I need a password for my say Spotify? All of my data is “password protected,” but then that same company is saying, “Hey, you want to share everything you play to Facebook publicly?” Right? Why do I need this password for Spotify other than to protect Spotify, other than to make sure other people aren’t streaming my music for free? Honestly, I feel horrible that passwords are our best answer to security in 2018. We are fighting … Yeah, we are Don Quixote fighting windmills.

Manoush Z.: I know. I know. Most of us can relate to Mark Wilson’s exasperation and yet…

Masha Sedova: Passwords still matter because unfortunately we haven’t figured out a way to get rid of them. It’s one of the best ways we have right now to authenticate you into an application.

Manoush Z.: Masha Sedova understands our grief. She’s the co-founder Elevate Security.

Masha Sedova: It’s unfortunate that it does have to be up to us as average citizens and consumers to secure our accounts. That is something that I think the security industry has completely failed the average consumer, but the trade-off is having your account hacked, right? It’s the reality of where we are.

Manoush Z.: Masha’s company is a startup that tries to improve security behaviors for companies and, well, everyone. While she labors to get companies to pick up the slack on the security, she wants us to practice good password hygiene, and she echoes something Mat Honan mentioned earlier. There’s a simple tool that can help passwords rule.

Masha Sedova: What should be king is two factor authentication because when you have something physical, like a token, it’s so much harder for an attacker in a foreign country like Russia or China to steal than your password, which is leaked constantly and available for sale on the dark webs.

Manoush Z.: You’ll find that more and more of your apps and services are offering two factor, so go check it out. If you find a service that isn’t using it, well.

Masha Sedova: What I recommend is that people vote with their dollars and their attention and their clicks by using applications that do have security inherently built in.

Manoush Z.: Okay. You’ve turned on 2FA. You’ve committed to building a beautiful password future where you are not Don Quixote. It still leaves you with dozens or hundreds of passwords to remember, right? We know that our brains don’t have the horsepower for that kind of heavy lifting, so here’s one more tip.

Matt Davey: I am Matt Davey. I am the COO of 1Password.

Manoush Z.: Matt Davey’s company is one of a handful of password manager businesses. I’m going to dig into what that is in just a sec, but first, Matt, you should be a bit of a password expert, right? So I’m going to quiz you.

Matt Davey: Okay.

Manoush Z.: I’m going to read you one word clues and then you try to guess the secret password. It’s from a list of the most common passwords used. You ready?

Matt Davey: Yeah, sure.

Manoush Z.: Royalty.

Matt Davey: I’m going to guess queen straight away.

Manoush Z.: Close. Here’s another clue, Mario.

Matt Davey: The princess. Yeah.

Manoush Z.: Yeah. That’s right. Okay. You want to try one more?

Matt Davey: Okay.

Manoush Z.: Kryptonite.

Matt Davey: Superman. I definitely know that one’s a popular password. I had to persuade a friend of mine that that was not a good password.

Manoush Z.: Really? Your friend used Superman as a password?

Matt Davey: Yeah. You know, he just came to me and he was like, “Oh, I hate it when these things ask me to like add characters. I can never know whether I’ve capitalized the super or the man in my password.” I was just like, “Oh, okay. So you need to change that now for two reasons. One, I now know it. Two, it was poor in the first place.”

Manoush Z.: Did he change it?

Matt Davey: He did, yeah.

Manoush Z.: Okay. Like I said, Matt’s solution to our password problem is to use a password manager.

Matt Davey: A password manager basically allows you to generate strong unique passwords for every website. This is key because if one website gets compromised, that password for that website is compromised wherever you’ve used it. Like 1Password will run in the background and automatically save all of these things and all they need to remember is their one master password to unlock all of these.

Manoush Z.: For some people, having to remember a single master password is life-changing. You just let the app do all the thinking and the remembering for you, all while making everything that much more secure. Facebook gets its own password. Etsy gets its own password. Your online bank gets its own password. Everybody gets a password.

Matt Davey: Back in the ‘90s when you needed to remember the AOL password and that was about it? It wasn’t such a problem, but now I have 90 accounts or so that are my daily, right? Those ones I use nearly everyday. I then have like 500 or so accounts that I use maybe monthly. I think it’s one of those things that people realize that they need, but it takes a bit of time to kind of gestate and like, “Oh, okay. This is to a point where I press the forgotten password link 10-15 times a day. It’s like there’s nothing else I can do. I need to google and find a product that does this.”

Manoush Z.: Matt Davey is the COO of 1Password. Now I should say it’s one solution among many, but it’s a pretty good way to help you get better at the password game. You’re using tech to solve a tech problem, but you are also minimizing your risk. We can do better and how hard is it really to do better than flower, ninja, princess or Superman? You know what another popular password is on that list? Password. The word password used as a password. Okay.

Here’s something simple to take away, did you know four random English words, a phrase like beetle unlock salad windmill, four random words are actually harder to hack than if you use one word with all those wacky symbols and numbers? Just pick four random but memorable words that only make sense to you. It’s easier and it’s better. Make that one your master password and then use the password manager. We like 1Password, LastPass or Dashlane, but actually IRL listeners can sign up to 1Password and get their first three months for free. Just visit 1password.com/promo/IRL and give it a try. 1password.com/promo/IRL. We’ll throw in the link the show notes too.

Online security, data security, it’s not a problem that we can wait for others to solve. Yes, we should be asking companies to do more and yes, we can avoid companies that share our data with third parties for example, but it’s also on us to do our part. If you need one more bit of convincing, let me ask you this. Do you have a secret family recipe that you only share with people you trust like, I don’t know, a special barbecue sauce or mom’s famous cheese risotto? Well, artist Gabriela Ivens cataloged hundreds of secret recipes that were leaked during data breaches. Firefox teamed up with Ivens to show the personal impact a security breach can have on someone.

As a bonus, they let you in on those precious recipes to drive the point home. Go have a look at dataleeks.co. That leeks spelled like the vegetable. Yeah. D-A-T-A-L-E-E-K-S.com. IRL is an original podcast from Mozilla, a not for profit that answers to internet users, not shareholders. Mozilla is the company behind the Firefox browser. Download it for free at Mozilla.org. You can find IRL on Apple Podcasts, on Google Podcasts, on RadioPublic or anywhere you find your favorite podcasts really, and at irlpodcast.org. I’m Manoush Zomorodi. Thank you so much for listening and I’ll see you back here in a couple of weeks.

You know my weirdo … I think I’ve told you what I do. It’s really embarrassing. I write messages to the tech companies. Like keep your hands off my data or F-U hacker, like just messages, like little fortune cookies in a password form that I-I mean, it’s lame, but it makes me like kind of giggle every time, so look, you gotta find the small things in life, right?