
The WebWell Podcast, Episode 6 - "Passwords and Security"

S1 E6 · The WebWell Podcast by Cascade Web Development

Welcome to episode 6 of The WebWell Podcast, where we dive deep into the fascinating realm of passwords and security.

In this episode, we uncover the common mistakes people make when creating passwords, share intriguing facts that shed light on the importance of robust security measures, and explore a range of handy tools that make the task of creating and managing passwords easier than ever before.

So, whether you're a tech enthusiast, a security-conscious individual, or simply curious about safeguarding your online presence, join us as we unravel the secrets behind passwords and delve into the world of digital protection.

Resources mentioned during episode:
https://onetimesecret.com/
https://1password.com/
https://www.dashlane.com
https://bitwarden.com/
https://www.yubico.com


Transcript

Podcast Introduction

00:00:06
Speaker
Welcome to the Web Well podcast brought to you by Cascade Web Development. I'm one of your hosts, Simon, along with Ben. And we can't wait to dive into all things internet, tech, web development, and web design.
00:00:20
Speaker
We'll also be discussing how we balance work and life and exploring the fascinating world of internet innovation.

Episode Preview: Passwords and Security

00:00:27
Speaker
So whether you're a tech enthusiast or just looking for some entertainment, join us on this exciting journey as we explore the ever-changing landscape of the web. Thanks for tuning in and let's get started.

Host Dynamics

00:00:41
Speaker
Welcome everyone to episode number six.
00:00:44
Speaker
Welcome, Stefan and Ben. I'm glad you guys can join us. Welcome listeners to our sixth episode titled, or at least topic, passwords and security. How's things going for you guys? Fantastic. Excellent. Nope. We're getting better at this timing thing, aren't we? Yeah. And talking over each other. That's working out. No, that's fine. Remember we, we had talked about this off mic. Stefan, I don't know if you
00:01:13
Speaker
We're, uh, we're part of that or, or Ben mentioned it, but like, just speak over someone. If you have something to say, it's fine in the podcast, not in a meeting with client though. Right. Which is fun. Cause that's something I'm, I'm always working not to do. So it's fun to reverse that and purposely try

Weak Passwords and Personal Reflections

00:01:28
Speaker
to interrupt people. It's cool. Train, train around it. Yeah, exactly. So yeah, we'll, uh, we'll kick off today's, uh, topic and just kind of dive right in the reason for this topic. Uh, I'll give a little backstory stuff and
00:01:43
Speaker
And Ben was, recently I was speaking with a client and we were doing some work for them and we had to share some passwords, we had to kind of dive into some stuff. And in doing so, discovering kind of some weak passwords, right? And so,
00:02:01
Speaker
I probably am a culprit as well of weak passwords, not for work stuff, because I'll use the automated, like I'll let our password manager kind of tell us what passwords. So those are always tough because I'll never remember. But for personal stuff, I kind of have to do a little audit after I'm sitting here preaching this, like change your passwords and then me needing to go back. So recently we had a client I was working with that just had some passwords that were
00:02:30
Speaker
too obvious. And so as I was kind of giving that email, writing that email to her saying like, Hey, maybe we should check these. Let's analyze these. Let's, let's put in some better ones. I was like, crap, I got to do that same thing for myself now. So here we are. We're going to talk about passwords and security.

History of Passwords

00:02:51
Speaker
You know, and, and I don't know, Stefan, if you want to share your thoughts, uh, what you thought as soon as I gave you that topic this week.
00:02:59
Speaker
I thought at first, well now that we're saying my thought as we're going through this is I hope the client doesn't know who we're talking about, but I would say at least half our clients fall into this bucket. So if you're listening, it's not you. Or maybe it is. Maybe it is. And also gold star for you for letting your password manager do the work there because that is the best way to go.
00:03:22
Speaker
Yeah, that's been a thing from the beginning. I think as a company that's been around this long, it's kind of funny to see the challenges and different edges of our business that are just timeless, and that is one of them for sure. Yeah, definitely.

Importance of Password Managers

00:03:39
Speaker
Well, before we dive into some of the obvious reasons why changing or checking your password or staying up on that and using the tools that are out there to help organize that data,
00:03:51
Speaker
I thought we could talk a little briefly about the history of passwords and then just defining what we're talking about. Not just your email password, but talking about password managers, the types of authentication that are out there that sometimes are prompting you as a user. Do you want this service or whatnot? We'll define what those are as well.
00:04:17
Speaker
Any guess what culture civilization, excuse me, I can't even say that civilization first kind of introduced the concept of passwords. Any guesses? Egypt. No. You went with Egypt. Okay. Romans. So back in the day, the Romans, they used what they called watchwords. And so what it was is the Roman army used watchword phrases, even not just a word, a phrase that proved that they were part of that unit.
00:04:48
Speaker
So that was pretty interesting. Next one. Mainly in the States, right? Around the 1920s. Any guess of what was going on around the 1920s? I'll give you a hint. No, let's go prohibition. Oh, there it is. Prohibition, right? So prohibition speakeasies, another form of passwords, right? Of, of whether it's knocking.
00:05:12
Speaker
on the door, presenting a card. They used to present a card or a code phrase, saying the phrase would get you a ticket to get inside, right? So another one. Any guess of what college, I don't want to give it away too much, what college was credited at least where the first password, digital password was started? MIT. Oh.
00:05:43
Speaker
Gold star for Ben. Yep. Really? Yep. Hey, so 1961 MIT computer science professor named Fernando created the first digital password for a program, a problem solving program. And so that was credited as the first one, which is pretty interesting. So we'll skip over.
00:06:06
Speaker
I guess the last like web 2.0 password overload, which is kind of like starting to get into now, you know, phrases to letters to using, uh, other kind of methods, uh, within that, but let's dive into defining some of this stuff. So I had mentioned it earlier talking about password manager and Stefan, thanks for the kudos, uh, but using those prompts for a password, uh, Stefan, you want to define.
00:06:33
Speaker
what you think, or at least what our users, listeners should understand as a password manager. Yeah, a password manager is basically an app that does a lot of the work for you.
00:06:46
Speaker
And there's various ones out there that do varying degrees of the work for you. I think there's some kind of minimum requirements, definitely including obviously storing the password securely, generating passwords for you, and recently actually handling some of the MFA work as well. I think part of the security problem has always been it's tough and it's changing all the time.
00:07:13
Speaker
And so having an app that can do a lot of this work for you theoretically helps a bit.

MFA vs 2FA

00:07:23
Speaker
Yeah. Well, you mentioned kind of the next definition that we need is MFA. I've heard another one, which is 2FA. What are the difference? Well, what are the definitions and what are the differences between the two of those?
00:07:37
Speaker
There are technical differences, but really it's, for all intents and purposes, it's largely the same for most people who are actually using them. 2FA is just kind of a more limited.
00:07:48
Speaker
subset of MFA. MFA is really it's multi-factor authentication and it's two or more authentication methods. So it could be a password and a hardware key or a password and some kind of biometric fingerprint, eye scan, something like that, or all three or more. Whereas two of those things.
00:08:17
Speaker
So those would be potentially required for getting into the gateway, whatever it is, whether it's logged in the email. So it'd be password plus those potential. And then you mentioned hardware key. What's that? So there's several products out there too that I've owned are Titan.
00:08:37
Speaker
which I believe is a Google product. And my favorite YubiKey is a fantastic company just as a demonstration. I actually had mine on my key chain and just beat it up and destroyed the plastic housing on it, which is unusual from what I understand. And I think I tweeted something about that and they immediately got a hold of me and sent me a replacement for it. Really cool company. If you don't lose the device, it's pretty useful.

Hardware Security Keys

00:09:04
Speaker
So it's something where
00:09:05
Speaker
You, again, you've already got your password, you log in with that, and then you generally have a choice depending on how you have things set up to where it's gonna send you the ubiquitous text message code, or maybe you open up Authy and put in a code, or you can use this key, you plug it in and touch it, and it logs you right in. Rad. So we built, so we have a CMS called
00:09:32
Speaker
evergreen. And Michael actually gave me a hand with this with the hardware key. And we made it or assigned it to be the fingerprint, which is really a neat feature. So that was my or is my MFA for logging into evergreen, which was super handy, because yeah, it's doing the password instead of having text me which, okay, now I'm bringing up the other one.
00:09:59
Speaker
Text, is that qualified like a text message or SMS message? Is that part of an MFA?

SMS Authentication Concerns

00:10:04
Speaker
It's just another form of it. Absolutely, absolutely. There's all kinds of different forms of it. Email is another one. It's pretty easily arguable that text messaging is probably one of the weaker forms depending on your email provider. Generally, and this is all very arguable and is argued often with great emotion.
00:10:27
Speaker
But I would say most primary email providers give you the choices to be pretty secure. You can make your Gmail very, very secure. And so if the code's getting sent there and you've got that secured, you're pretty safe. Text messages, while, again, very ubiquitous, there's ways around that. There's SIM jacking.
00:10:53
Speaker
Some phone companies still, and hopefully this stops pretty quickly now with the advent of some of the AI technologies, but they really don't have much verification beyond your voice. You call some companies and they'll verify with your voice. And so there are definitely ways where you can get a hold of somebody's phone number and receive those texts on their behalf.
00:11:18
Speaker
Yeah, it's funny you mentioned the AI part of that. Now that I could actually have like about 30 seconds of your voice and I could recreate a sentence with AI,

AI and Password Complexity

00:11:28
Speaker
that kind of starts to be a little scary, right? Of like, do I want it to be a voice confirmation? You know, it may not be me, right?
00:11:40
Speaker
So in the news recently, there was some hackers that were jumping in with, with AI to try to see if like how that was working. And just a real quick, interesting stat. So AI service, I won't name what it was, but it was able to crack 51% of the passwords that they scanned in under a minute using AI. And I was mentioning to this, like to Ben yesterday, it was like, oh shoot, like
00:12:07
Speaker
If AI knows everything about me that's on the web, that's digital, right? Cause that's really what it's doing is it's, it's calculating, it's pulling in all that data. I need to make sure my, my passwords aren't like my son's name, right? Like obvious ones, my hobbies, you know, like I love fishing one, right? Like that may be not a good one, which is pretty funny. So what I did is.
00:12:37
Speaker
I dove in and did some homework on this and started to look up some of the common passwords. Ben, we'll get you to jump in on this. In the US, what is the most hacked password? What is the password for it? The password for it is password. Yeah. The most hacked password in the US is password. Two for two.
00:13:05
Speaker
All right. Let's see. We get three out of you. Okay. I'll come back to you on this next one. Uh, Stefan, what do you think the most hacked one is in Germany? I don't know a lot of German, so I don't know. One, two, three, four, five, six. He just counted it out. Yeah. Oh, wow. Yeah. Yeah. I thought that was an interesting one too. And then the other one was Russia.
00:13:32
Speaker
which is a big culprit for a lot of hacking. Theirs was another pattern here. Ben, you wanna take a stab at it? So we got password, we got just counting up to six. Hmm, drawing a blank. My Russian intuition is low right now. Right.

Common Hacked Passwords Globally

00:13:51
Speaker
It's literally, I'm gonna watch probably how you say it's QWERTY, right? It's Q-W-E-R-T-Y, which is those letters in your left hand on your keyboard.
00:14:03
Speaker
Right. So if you were just to go like that, you basically got their number one hacked password. That's pretty wild. Actually, uh, just a quick story. A friend of mine grabbed my phone one day and he just tapped on it. Seven, seven, seven, seven. Is that it?
00:14:20
Speaker
Hold on. Are you giving everyone right now? It's no longer, it's no longer current, but he tried to log into my phone and he's like, he just found the middle row, middle number on the keypad. And he's like, I don't know. You're a busy dude. I assumed you'd just try and make it as easy as possible on yourself to get in your phone. And I'm like, wow, first try too. So yeah, to your point, just that, that, you know, ease of access to it is, uh, makes sense. Wow. That's yeah, that's funny.
00:14:49
Speaker
So yeah, ease of access, knowing us, getting to know us, social media, whatever, just pulling that data is pretty interesting. So one of the biggest tips that I was reading up on was just a list of things. We'll go through them pretty quick, but how to create a long, or not a long, I just botched the first one, how to create a strong password, right? So Stefan, what would be your number one tip? And I may have just hinted to it, which is terrible.
00:15:18
Speaker
What would be your number one tip to making a strong password? Well, it could possibly be length. But I can tell you, for me, again, let the password manager do the work for the most part. And I have certain preferences within that that I will set it to do. But length and having that do the work, I think right now at least is key. Yeah.
00:15:42
Speaker
it is interesting because you mentioned that and when I have it pop up, if I took a look at it and you gave me like 20 seconds to like read it and then I look away and you asked me to say it again to you, like repeat it back, couldn't do it, right? Capital H, lowercase, you know, E, like I just, there's no way I'd remember it, you know? So one of them, so length is definitely it. So this was a stat that I had told Ben and I totally didn't know it right, but I kind of implied what it was
00:16:13
Speaker
was passwords with 10 to 12 characters minimum is better, right? So longer is better, but don't always use the minimum that a website will give you, like minimum maybe eight characters, right? So an eight character password, according to the study, comprised of lowercase and uppercase takes about 22 minutes to crack, okay? A 12 character password, including symbols,
00:16:42
Speaker
how long do you think that would take to crack? I recuse myself from answering. Yeah, it depends on the day. I think there's solid sounding answers to this, but as computational power increases, that time goes down dramatically fast. Sure. And the reality to this too is I don't know how they could actually predict this number that I'm about to say, but the point being that it's exponential, right? So 22 minutes to do a 10, a 12,
00:17:12
Speaker
including symbols, they calculated out to 34,000 years. Who knows? That just can't be right. The point being, it's a lot more than 22 minutes just to make it slightly longer and include a symbol or symbols.

Creating Strong Passwords

00:17:28
Speaker
I think that's a really good one. Is it hard to guess? That's an easy one. We talked about that. Stefan actually before this call listeners, Stefan that is microphone.
00:17:40
Speaker
Or was it microphone? Oh, it was in your background. You had your like your wifi in the camera shot. And I hope I'm not like spilling the beans. It's not in the shot now. So good luck anyone looking, but just, is it easy to guess? Is there information, you know, that I'm already giving on a camera that potentially could give some of that away, right? I had mentioned using my son's name, like he's not in any of my passwords. So, you know, there, um, do you use
00:18:07
Speaker
varied character types, right? So again, uppercase, lowercase symbols. Let's see, what would be another good one?
00:18:16
Speaker
Phrases talk about that stuff and like changing it from just like a word number symbol or whatever variation to like a phrase You know you yeah, that's that's So so to be honest that is something I have done Generally in those situations where for whatever reason I don't have access to a password manager or it's not working or whatever I mean it does happen and I just need to come up with something really quick
00:18:42
Speaker
I will use some kind of a phrase that I'm going to remember divided by something that I'm going to remember, followed by
00:18:50
Speaker
a set of random characters that again, I've used before and I'm going to remember. And so it's kind of a combination of things, but frankly, that occasion rises less and less and less. And I am pretty good about going back and resetting those pretty quickly too, because to me still the best is as long possible, random as possible string that the manager comes up with.
00:19:15
Speaker
which I think is maybe the heart of what we're all saying is like, if you can't come up with something that someone will not guess, let the tool do its job and randomize the heck out of it, right? Like I think that's-
00:19:28
Speaker
Yes, to that. And then going back to what you talked about before, why use a password manager, I found that to the extent that I have a password manager, I can do that. If you use something random and completely unlikely anyone would ever hack it, I'm never going to remember that again. So just again, reinforcing the need for that manager to support using those types of passwords. Yeah. Yeah. And another important factor that we haven't at least touched on yet is, and again, using a password manager enforces this is uniqueness.

Password Reuse Risks

00:19:59
Speaker
if you've got the best password in the world, you still got a big problem at some point if you're using the same one everywhere. And I could go into a little bit, I guess, something that that touches on as well as something else that we didn't go in earlier when we were talking about MFA. We've had clients who, when we turned on MFA protection by default, weren't happy about it. And the argument was, hey,
00:20:30
Speaker
I've got my password, it's a good password and that should be good enough. Or I don't really have anything that important on my website or I'm not holding customer information or credit card information or anything like that. And I think arguments for MFA and uniqueness are that in, I think every one of those cases where a client told us this, I used a tool called Have I Been Pwned, which we'll post a link to.
00:20:59
Speaker
to show that their email address that I had access to had been compromised, and that secure password was out there on the dark web already. And so that, again, lends itself to passwords need to be different, which password managers help you with, and MFA, even if those passwords are different, MFA means that somehow those get out, you still got that extra layer of protection, and so they're still really important.
00:21:28
Speaker
We didn't mention it, but it just came to mind, single sign-on. Like, is that different? What you're talking about is single sign-on. So I can be signed into Google and I can access Google, like my Gmail, and then I could pull up Docs. I'm already logged in, right? That's the premise. Is that different? It's...
00:21:48
Speaker
I think it's different from what we're talking about, but it's, depending on your settings, hopefully it's using all of these things. So yes, you can sign into multiple properties with one single sign-on set of credentials, but the hope is that you have that set up securely to where you're using MFA or something to get in there. OK, that makes sense. Well, again, going back to the client interactions, we're going to talk about how that relates to our work history with clients.
00:22:17
Speaker
What we're seeing and what we're really suggesting clients do but also listeners, you know If you're in our industry, you know what your clients are doing what they're sharing with you. I think is really important Recently and I am I guess raise raise your hand if you have a Netflix account You guys Netflix,

Netflix Password Sharing Policy

00:22:36
Speaker
yep. Okay, so we all have Netflix. Okay, so recently actually starting this year They're gonna be doing some password sharing crackdown so
00:22:47
Speaker
without ratting out my family who uses my Netflix, I do have the family account where I can have X amount of IP addresses, I think is how they track it, but making sure that they have their own user account without having to share my password. Just in the last few months, Netflix restricted Canada, Spain, Portugal, New Zealand, and is now starting here in the States to do this.
00:23:14
Speaker
Only people who live under the same roof can share accounts, and I assume it's probably IP addresses how they're tracking that, right? So bringing this back to clients, what would be the biggest suggestion to our clients that are like, or not just our clients, but any client-partner relationship of sharing a password? What would be the best solution for that, Stefan? If I need to give you, my developer, access to my account, how do I do that?
00:23:43
Speaker
A don't, I think if you can, if you can set up a separate account, set up a separate account and delegate that to us, that's, that's the best way to go. Um, I really, yeah, I don't want your credentials in the real world. That does come up. There's, there's a lot of services out there who don't let you create accounts and delegate password management systems again to the rescue. And a lot of situations, a lot of those have features now to where you can, you can share those.
00:24:12
Speaker
Uh, but I can tell you so far, it's unfortunately rare that we come across clients who are using a password management program. What, uh, I prefer to do in those situations is send them a link to a one-time secret, which, uh, I think I already mentioned, we'll, we'll put that, put a link to that. And that gives you a fairly secure way to, to send somebody a secret, you know, password, definitely qualifying is that in a way that expires and you can even give somebody a password or the phone to access the password.
00:24:42
Speaker
So not perfect because again, perfect is just don't, but certainly, certainly worlds better than, than sending somebody an email with, with the password and plain text, which is something I think clients want to do probably 90% of the time.
00:24:57
Speaker
Well, we, I think we talked to about, or unless that's just what you said, but adding them as a user, right? So then you're not actually having to share the account where the email gets invite and then I have to create it or, or actually in this case, the story you would create it. So I have no clue what your password is. You said it, right? Yeah. Yeah. And a lot of services had that, uh, you know, we'll, we'll, uh, we'll go down that road a lot with GoDaddy where somebody's got a GoDaddy account and we need to access it. And it's, it's fairly easy.
00:25:27
Speaker
to give another GoDaddy account access to yours. And so that's the ideal workflow for those situations for sure. Okay, okay. So we'll talk about that. The impact on that is huge recently. So I looked up recent attacks, like what are some of the most recent ones.

Recent Security Breaches

00:25:48
Speaker
And hackers apparently this last year broke into AMD. So Silicon Valley chip maker, right?
00:25:56
Speaker
And this came down, which is funny that apparently their IT department, their security department didn't have like these policies in place, but it came down to employees allegedly using passwords like number one and two on our list, password, one, two, three, four, five, six, right? Like how much are these password management systems, then you pay our bills, like,
00:26:26
Speaker
for the team, do you know how much, like, I mean, is it an arm and a leg for password management systems for like small organizations to use? No, and I think the reality is, you know, the alternative to getting hacked is way outstripped any concern along those lines. So yeah, what is a couple hundred dollars a year? And when you think about the core of our business is protecting our clients and, you know, using a bunch of services to do so.
00:26:53
Speaker
And heck, just the inconvenience we've all felt as, you know, company credit card gets compromised as, as frequently as it does. Like the, yeah, again, the cost is so nominal considering the downside of, um, you know, getting hacked in one, let alone multiple areas. Yeah. Yeah. And another thing with, with password management systems, uh, there, there are generally.
00:27:16
Speaker
kind of a general public version, and then with most of the big ones, there's a corporate or business version. And all the business versions I've tried so far have an administrative interface for somebody like me to look at them and kind of hound people, hey, you're using bad passwords. I can't see your passwords are, but I can see a score. And I can see when users are
00:27:39
Speaker
maybe don't have some best practices. And for situations like that, you know, the AMD or I hesitate to mention some of the other ones, because I don't know if that exactly was the cause for those, but that's important for an organization, especially if that organization has kind of spiders out into other organizations, which leads to supply side attacks, all sorts of fun stuff.
00:28:02
Speaker
Yeah, we could talk about all the types of like hacking, right? So phishing being a pretty common one, right? A company, a software company I used to work for, their IT department, about once a month would send phishing emails out to employees. And it was like, it was always all of us who were like, guys, guys, come look at this. Is this one of them? Like we're like looking at each other's email, like this really looks phishing. I'm not even open it, screw it, I'm not touching it.
00:28:30
Speaker
Cause I don't want to get that email from like my managers talking about like, Hey, something really shouldn't have opened that email. Like, you know, so that's, that's definitely one. Uh, there, there was another study talking about password managers against how many people have actually used it or use it. Uh, any guess, uh, between the pair of you, what percentage of us adults 16 to 50 plus age use a password manager, according to the study, Google, uh, in 2019.
00:29:00
Speaker
19 probably being key. 19%. I would, I would be shocked if it was about 5%. Really? So again, according to the state, I'm not saying that's true. It's what I found 24%. So that's don't believe that. Don't believe it. Well, okay.
00:29:22
Speaker
So use a password manager, I guess maybe we'd have to define that, right? Like they have one, does that qualify as use, right? And is there a password manager, just a notes file in their phone? And that can also qualify as, what is the iCloud password manager that's on your Mac by default or your Chrome password manager?
00:29:48
Speaker
Yeah, if we can stretch that far, I can I can I can start to buy into that a little bit. But I know in my personal experience, getting people especially outside, you know, if I have no authority to to push it, like I like I do at Cascade, you know, in my personal life, getting people to use it that some of them very tech savvy is like pulling teeth. It's like it's like offering to pull their teeth for them. It's it's not an easy sell.
00:30:15
Speaker
Well, that same study said that about 55% of them could even correctly define what a password manager was. So half of the people surveyed could even define what it was. That was pretty interesting. All right. So in that same survey, 80% of those people said they were actually concerned their password had already been compromised, yet only 48 of them actually changed their passwords. Right? Wow.
00:30:46
Speaker
Again, moral of the story, these are some simple things to do and often free for just an individual user or nominal for an organization, small organization, even like ours, right? Yeah, for whatever reason, I'm the guy my friends come to when their Twitter or their Facebook or something gets hacked. And 100% of the time, I can look that email address up and show them, well, here's your password.
00:31:14
Speaker
that you are, you know, using in 10 different places and here's how it got hacked. And I think that is part of reaching a lot of people is they don't quite understand some of these specifics and you tell them don't reuse a password. Well, why? You know, it's easy to remember. Use a password manager. Why? That's one extra step. Why'd my Facebook get hacked? Why'd my Twitter get hacked? That's why. Yeah.
00:31:37
Speaker
Well, I'm a sucker for challenges. And so when we recently changed ours in our company, and, oh, Stefan, I'll let you decide if we want to tell anyone what we use, but we use a password manager, that's safe enough to say, that has a score that you were talking about. And I remember the message you sent, like, all right, Simon, what's your score? And I was like, oh, shoot, like now I'm worried. I did it. It wasn't terrible. But what was great about it, like you said, is it was telling me, hey,
00:32:06
Speaker
you're using redundant passwords or it's too short. It gives you all the tools to really go back and update those and identify what you really need to do better. I really liked that. And again, the challenge of just like, I got up this score. I need to be better than Stefan.
00:32:26
Speaker
Yeah, I think that's really important. I think for organizations, again, it's just like you mentioned before with AMD, it's hugely important for organizations that you get your people on board with these things. I think gamifying it a little bit like that is pretty helpful. I can tell you the password manager we switched from
00:32:45
Speaker
being LastPass, they had some of that in there. It wasn't quite as in your face. And so I don't think it was successfully gamified that much. But again, it did have those management capabilities where you could see the people that were doing maybe a better job than others. And at that point, as a manager, you can gamify it externally at that point. Yeah. And I don't want to out LastPass, but weren't they recently hacked?
00:33:14
Speaker
They were, they were, uh, relatively recently hacked and, and they weren't in my estimation, terribly forthcoming about the circumstances or the fact that they'd really been hacked or the depth that they'd been hacked. Um, I definitely don't want to, don't want to pile on them. So I won't go too far into it. Uh, good products, but you know, some of that, some of that just kind of scared me away. And I think we have to be responsible to our clients.
00:33:42
Speaker
and do things in the most secure way possible, and things were done in a way there to where I didn't feel like we were doing our duty by sticking with that. Yeah. Well, I was looking at data breaches for this year. Shoot, we're in May, so five months in, right? I actually didn't see them on the list, so it must have been at the end of last year, I think, right? We have T-Mobile in January.
00:34:10
Speaker
They were hacked, pins, full names, full numbers of about 800 clients, which in the scheme of it, that's not a lot. I mean, it's sub-thousand considering they probably have a million, maybe, I don't know how many clients they have. Yum, yum, or Yum, not Yum, Yum, Yum Brands, which is KFC Taco Bell and Pizza Hut, right? They in April had a hack that actually gave up
00:34:38
Speaker
identification or IDs of users in there. ChatGPT in March was hacked. Chick-fil-A in March. Activision, which is the Call of Duty franchise, was hacked in February. And again, the hackers used an SMS phishing
00:35:03
Speaker
on an HR employee to gain employee data, including emails, cell numbers, salaries, and work locations.

LastPass Breach Discussion

00:35:13
Speaker
Google Fi in February. MailChimp in January. Norton LifeLock in January. I mean, and the list can continue. So there it is. There's LastPass. So August 25th, 2022. So last late summer was LastPass.
00:35:33
Speaker
Yeah. Shoot. Yeah. It's going to happen. And that's the other side of this is if you're doing this long enough, you're going to experience some kind of a breach, but don't, don't make it easy by using password as your password. Or one, two, three, four, five, six. Yeah. Yeah. Yeah. I think.
00:35:55
Speaker
For the most part, we can probably sum it up there in talking about the tools. Like we had said, listeners, Stefan will provide those and we can put some links of not necessarily ones we suggest or endorse, but just ones that we're either familiar with or using. The ultimate, and I think you guys would just agree, is just doing something proactive about your passwords, changing them often. That is something that I think our password manager actually reminds us of as well,
00:36:25
Speaker
which is a good one. Stefan, the repeated-use ones. I was thinking of that one too. I had, in the past, used the same password for multiple. Then it occurred to me, if someone was to get access to that, if they just knew what other services I signed up for, that would be the first guess. The first guess would just be to use the one that they used for the other. I'll close on this. I found this pretty interesting. I think we'll all agree.
00:36:54
Speaker
But Robert Morris, the father of Robert Morris Jr., the author who wrote the Morris Worm.

Final Password Security Advice

00:37:02
Speaker
So the Morris Worm was the first internet worm and one of the oldest computer worms to be distributed via the internet. And again, this came from a college, but it was basically written at Cornell University and distributed using the MIT network, right?
00:37:24
Speaker
His rule of thumb when it came to passwords was, there's three golden rules to ensure computer security. Okay, they are: one, don't own a computer. Two, don't power it on. And three, don't ever use it. So if that's not an option, if that's not an option, then maybe just secure your passwords, use a password manager, right? All right, well,
00:37:52
Speaker
Thank you, Stefan, just for your insight, and Ben for jumping in. I think that kind of concludes episode six on passwords. Name of the game: update them, make them long, add some numbers, use a password manager, right? Absolutely. Excellent. Yeah, thanks guys. Great, thank you. All right, thanks for joining. Catch us in another two weeks and we'll get episode seven going. Thanks everyone.