Podcast: How Good Is Your Password?
If you have so much as an email address, you’ve probably spent a good chunk of your time changing passwords in the wake of the Heartbleed computer bug. On the off chance that you haven’t, take the advice of ProPublica’s Julia Angwin and do it now.
Joining Steve Engelberg in the Storage Closet Studio to talk about her reporting on Internet security, Angwin explained just how the bug potentially exposes information like passwords and security certificates. The key irony, Angwin found, is that even as the U.S. spends more than $50 billion a year on intelligence, the team responsible for the free OpenSSL software that ensures Internet encryption is essentially volunteering its time.
Volunteers collaborating to build software makes sense for people suspicious of, say, spying by the government’s National Security Agency. “A lot of people believe that open-code projects are more secure,” Angwin says, “in large part because they can read the code and make sure there’s no NSA backdoors in it.”
For the average Internet user, the revelation of serious security flaws in the code means changing passwords on important accounts, Angwin says: “The problem with the Heartbleed bug is that you would have to assume you’ve been compromised, but you’ll never know.”
Email is the most important to secure, as it can be used to reset passwords on other accounts. Angwin recommends using downloadable software to generate and manage passwords. “Our brains are not designed to develop passwords,” she says, “so most people make bad passwords, by default.”
What makes a solid password? Certainly not the most common ones: “123456” and “password.” If you must make them up yourself, Angwin says, aim for the longest ones you can remember -- even up to 40 or 50 characters.
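To make the length advice concrete, here is a small added example (not code from ProPublica or from the interview) that does what the password-manager software Angwin recommends does in miniature: it generates a long random password with Python’s `secrets` module, estimates the entropy of any candidate password from its length and character pool, and rejects the well-known weak choices named above. The common-password list and the 80-bit acceptance threshold are constructed assumptions for illustration, not figures from the interview.

```python
import math
import secrets
import string

# Constructed list of widely known weak passwords; it includes the two
# named in the interview. A real checker would use a much larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}

# Assumed policy threshold: roughly what a long random passphrase provides.
MIN_ENTROPY_BITS = 80


def charset_size(password: str) -> int:
    """Size of the character pool the password appears to draw from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if " " in password:
        size += 1
    return size


def estimate_entropy_bits(password: str) -> float:
    """Entropy in bits if each character were chosen uniformly from the pool.

    This is an upper bound: human-chosen passwords are far less random than
    this model assumes, which is why generated passwords are preferable.
    """
    pool = charset_size(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def assess(password: str, min_bits: float = MIN_ENTROPY_BITS) -> tuple:
    """Return (verdict, estimated_bits, reason) for a candidate password."""
    if password.lower() in COMMON_PASSWORDS:
        return ("reject", 0.0, "appears in a common-password list")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        return ("weak", bits, f"{bits:.1f} bits is below the {min_bits}-bit minimum")
    return ("ok", bits, f"{bits:.1f} bits")


def generate_password(length: int = 40,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a random password of the given length using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["123456", "password", "Password1",
                      "correct horse battery staple is a long phrase",
                      generate_password(40)]:
        verdict, bits, reason = assess(candidate)
        print(f"{verdict:6s} {bits:6.1f} bits  {candidate!r}  ({reason})")
```

The comparison is the point: a 9-character mixed password such as `Password1` scores around 54 bits even under this generous model, while a 45-character lowercase passphrase exceeds 200 bits and a 40-character generated password exceeds 250. Length, not symbol variety, dominates the estimate, which is exactly the "as long as you can remember" advice above.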
Meanwhile, Engelberg asks, "Is there any sign that this open-source coding world," so long underfunded, "is now going to get some support – is anybody stepping up so far?”
Donations have multiplied in the wake of Heartbleed, Angwin says, but even this year's $9,000 is "orders of magnitude" too little for what is needed: at least a half-dozen full-time programmers.