Jason Bittner (CEO): Hello! I’m Jason Bittner from Triple Helix Corporation and welcome to our Helix Insider podcast! I am joined in studio today with my colleagues Pedro Lopes and Sam Sheldon, our Developers.
And we’re going to be talking about security and the importance of strong passwords. So, why don’t we start with password management and why it’s important to have something and the importance of keeping strong passwords.
Pedro why don’t you kick us off with what that means to you?
Pedro Lopes: So, like in an office setting typically you know some companies that store passwords in a spreadsheet or even on paper present a security risk. So something a bit more professional is what we recommend. There’s two types of password managers. The first store passwords on the key file on your machine and that’s typically more secure but there’s also like password managers that store off site on a cloud. They are less intricate to set up.
Those are two very good options to keep in mind when picking your password manager. You want to online and make sure you research that they haven’t been hacked and haven’t had any problems before adopting them within the company or for yourself.
Jason Bittner (CEO): Why even have a password manager? Like what really drives us to needing these?
Pedro Lopes: Well, I mean, security is at the forefront. Like, you want to make it hard for people with malicious intent to access information across your system and credentials your business needs. You want to make sure data from your company and your clients are secure.
Jason Bittner (CEO): I think it’s worth mentioning that when we first started using the web and computers and accounts and all this stuff there really weren’t that many passwords to remember.
But these days we have thousands upon thousands of passwords that we have to remember and you know unfortunately because of that people tend to go with something simple like cat dog or 1234 and it obviously creates a huge problem because yes you can remember it but it is incredibly easy to break into your systems hence the idea of having a password manager.
You only have to remember the first password to get in but then the software takes care of the rest. You know what I’ve noted over the years with passwords is that there actually are a few different websites out there that help you create a password.
In fact, there are some statistics that the simpler your password is the easier it is for a program to break into it.
I was reading these articles about how like you know something that’s a dictionary word with like five characters and whatnot can be broken in a matter of seconds by computer programs.
So ideally you want something that’s long and strong and generated or that a human wouldn’t necessarily guess. I’ve actually found this website called www.passwordgenerator.net and we recommend using something like that.
If you go to that site it actually generates 16 character passwords, which is sort of what we recommend as a minimum.
A reason I like that one in particular is that it actually doesn’t generate the password over the internet. It actually generates it right there locally on the browser making it much harder to hack. I think that’s incredibly valuable.
Sam… Talk to us about some of your ideas. Like you were telling me earlier about how you have ways of generating passwords that are easy to remember but hard for anyone else to guess.
Sam Sheldon: Yeah so one of the things that I’ll do when I don’t want to go and grab, you know, a password generator or some other type of program… when I just need a quick password… what I tend to do is patterns.
I’ll look at my keyboard and I’ll say… I’m going to start from this letter or number and I’m going to do this pattern and then I’m going to pick another and I’m going to do the same pattern again maybe with some variation (hold, shift, etc).
All I have to remember is where I started. It means that I can make a password really quickly.
Jason Bittner (CEO): And to be clear, you’re not talking about like just taking your finger and sliding it across the top row of the keyboard like QWERTY?
Sam Sheldon: No, nothing like that. I’m talking about a pattern that uses 4-5 characters on the keyboard in a specific pattern that’s easy for you to remember as a person but doesn’t necessarily mean anything once it’s letters on the screen.
Jason Bittner (CEO): Right. There used to be a really great website for life hacks and I believe it was called Life Hacker actually. One of their recommendations for strong passwords was actually mashing together longer passwords from things that you remember.
So you could have like the city you were born in plus maybe the street address you grew up on plus the last four digits of the website or some unique identifier about the website or place you’re signing in on.
So you’ve created this really strong password that’s easy for you to remember but because you know your pattern, similar to what you’re talking about on the keyboard, you can actually easily create a strong password that no one would really be able to guess.
So, I think that’s pretty cool.
Sam Sheldon: Yeah. The other thing about passwords and what password managers prevent is you re-using passwords, which can get you in trouble. Because let’s say if you use a particular password on Twitter for example and you use it elsewhere and Twitter is compromised… passwords can get leaked.
And now that you’ve used it on any number of other services, somebody can easily put together what that password was and you are in real trouble.
Jason Bittner (CEO): Good point.
Pedro Lopes: Like the most important passwords that you have you want to cycle through them like at least every six months or at least once a year. Make sure you’re always creating new passwords.
Though it might be just letters and numbers and special characters and not something very unique… Those still get hacked.
Having the same password for very important things for a long period of time is just as bad as using simple passwords of things you know. You just have to keep that in mind.
Sam Sheldon: There’s also sites you can go on to check if your email address has any hacks associated with it. You plug your email in and it will tell you all of the hacked passwords that have been dumped on to the web that your email showed up among.
It’s actually kind of scary to look at because you can see like history going back years of where your email address has shown up in data leaks.
Pedro Lopes: And even Password Managers nowadays do a good job of that and checking.
Jason Bittner (CEO): Excellent point. So let’s talk about why we do this. The whole reason we secure passwords and go through all this effort is because there’s been a real movement out there among hackers who do their best to take advantage on websites we visit frequently.
You hear about data leaks all of the time.
I’ve read a statistic that said most major retailers have a password leak or flaw. They are pretty vulnerable. If you think your password is safe because it’s with a larger organization… Think again. That’s really not true.
What do you guys think about that? What things should we be thinking of? Why does password management matter?
Pedro Lopes: Well, I mean, I think password management softwares you might choose really get the bulk of the work done generating secure passwords in a secure way that’s not easy for people to access.
You’ve got to have a system in place to secure your passwords – whatever it is. Hackers can steal your identity, the identity of your company and really cause serious harm to your business.
But even more so, it goes beyond you, to your clients or your family even. Hackers can cause irreparable harm it won’t be easy to recover from (if you recover from it).
Jason Bittner (CEO): Some companies will even have hacks where hackers try to spoof. You know here at Triple Helix we had an incident where our staff received emails from a person trying to pretend they were me.
The emails said, “Hey, I’m going into a meeting and I need you to go to Walmart and buy some gift cards and take a photo of the back of the card and send it to me.”
It seems so outrageously crazy but people do it! They don’t know any better. The best protection from something like that is obviously, you know, not to actually do it unless you have a verbal because it’s SO common. Sam – what were you going to say?
Sam Sheldon: Oh, I was going to say that… The other risk is that if your company gets hacked your internal emails and whatnot, hackers can email your customers and ask for something that would normally be completely legitimate.
“Hey, can you make a payment?”
But, then re-direct said payment to themselves.
Jason Bittner (CEO): We’ve read about this. I’ve heard stories about this. And it happens in companies to normally quite secure people.
Sam Sheldon: Yes. Customers say, “Oh, this company I’m working with surely has not had a data breach! This thing they are asking me for is completely reasonable.” And they send whatever information along.
Suddenly, they are in trouble because it wasn’t a real email.
Jason Bittner (CEO): Excellent point.
Pedro Lopes: I mean once they have your credentials it’s pretty much done. You know it’s really hard. You’re going to have to go through a lot of hoops to recover. There’s going to be data lost and likely irreparable damage.
Sam Sheldon: And how do you reset your passwords for most services? You go through your
email. So if someone gets the credentials to your email, by extension, they can reset many
other passwords through your email unless two factor authentication is set up.
Jason Bittner (CEO): That’s actually a great point! Can you tell our audience what two factor authentication means? Because that’s a fairly recent thing. It’s been around for a while, of course, but not a lot of people are using it yet.
So what does that actually mean?
Sam Sheldon: So two factor authentication is pretty much what it sounds like. There’s two things that you use to authenticate. One of which is your password. So you go to say, your email, and type in your password.
Then, it will send a code to your cell phone and you have to put in a one time code within a certain amount of time.
Which means that if someone has your password… They also have to compromise whatever you’re using as your second authentication.
Jason Bittner (CEO): Excellent point.
Sam Sheldon: They have to get their hands on that code in addition to the password and often that code is time sensitive.
Jason Bittner (CEO): Excellent point. I know a lot of websites that will actually do two factor authentication and then they will say “should we recognize you on this device?” Then not do the two factor authentication going forward because it is a bit annoying to have. But you know, we highly recommend NOT doing that.
Because even though it is your personal device and like what are the chances of someone actually you know using that device and not invoking the two factor… These guys will figure out ways of getting around it and actually high jacking your information.
These measures are there to protect you and we highly recommend keeping them on no matter what. You know the importance of strong passwords is you know we have so many of them out there that a password manager can help us keep them straight so you don’t jeopardize your security by using a simpler password.
You should be rotating passwords regularly just because if you assume that larger organizations like banks and whatnot are not vulnerable to these things… it’s so not true. These things really matter. You need to protect your data and keep it safe.
Sam Sheldon: I actually have one thing I wanted to talk about and that’s fishing. Because a lot of hacking is actually not you know brute force.
A lot of it is social engineering. You get an email that looks legitimate from a company you think you know or a friend or something like that and it directs you to a website.
You know a recent article I read was somebody who basically experiment hacked a friend. I think he sent them a resume reaching out as a recruiter for some company that they previously worked with saying, “Hey, I have this resume from so and so.” They said they worked with them and asked them to review something, giving a reference and link.
The link was designed to capture their password.
This person did it without a thought. They didn’t have to hack anything.
Jason Bittner (CEO): That’s an excellent point. I’ve actually seen recreations of popular bank sites. In fact, I got these emails where the hacking group had meticulously perfectly re-created the Bank of America website and login. So you went to this thing and you thought you were logging in… and it said username not found or whatever.
Sam Sheldon: That’s actually a really common trick too because one of the things people will do if you don’t remember the password for you know, some site, is try another password. “Oh, I didn’t use this one on this site… maybe I used this other one.”
By the time you’ve realized the site is never going to let you in, you’ve already given up half a dozen passwords.
Jason Bittner (CEO): Yeah. The key there is when you’re logging into any of these services… especially if you think the link is actually not right… you need to check it. This is a popular tactic. They’ll send you an official looking email and say, “click here to login.”
When you take a closer look, it’s a completely different link to another website (often in some other country).
Some of these the very act of clicking the link is actually invoking a pay load on a virus into your machine… so it’s very important to check those links and not click on them. Hover over them and read to see what the actual link says.
Sam Sheldon: Honestly if you get a communication from your bank in your email, don’t click the link. Just go to their site and log in normally… navigate to try and find whatever it is the email was warning you about.
Jason Bittner (CEO): Or call them. Go to the website and call the phone number.
Pedro Lopes: I think the two things that companies need to keep in mind most is the emails and following best practices. If they have a corporate account for you know, like phone services, where people within the company or executives use it…
Two factor authentication.
Making sure they are following best practices and are not vulnerable to people who may be high jacking their phone systems or whatever.
Jason Bittner (CEO): Awesome. Excellent point. Well I think that’s all the time we have for today so I want to thank my two special guests Pedro Lopes and Sam Sheldon for giving their insights into security and why it matters. I’m Jason Bittner from Triple Helix and thanks. We’ll talk to you next time. Bye bye.