Passwords – the Gremlins of Cyberspace
Meet Juanita Smith
On November 18th, John Smith was suddenly hit by a bus while texting a friend about the merits of eating tuna. He left behind his wife and two children. Aside from the shock of losing a loved one, life did not stop. His wife, Juanita, looked at a stack of bills that her husband had always paid on-line. She had never accessed the bank account and had no idea of the password. She was a co-signer on the account and still had a few checks in the checkbook, but soon ran out. She solved that problem when a friend reminded her that she could call the bank for assistance.
What she did not know was that John had also paid several bills by e-mail notification or by simply tracking his bills on-line. She was not aware that the student loan payments were not being paid. She missed the first notification that the cell phone bill was ready, and never saw the notices that two credit card statements were ready for viewing. With all the trauma of sudden death and loss, she would not realize that something was amiss until two months later, when her credit card was rejected at the grocery store.
Suddenly thrown into her lap was the full responsibility of managing the family finances. Sarah, their youngest, cut her knee, requiring stitches. Juanita had no access to the health insurance account and no idea of how things were covered because, alas, in this paperless economy there was nothing in the files. Even though John had been diligent in keeping a will up to date, she had no quick way to obtain even the basic information. Fortunately they shared a password to the Wii, Amazon Prime and the router.
The situation just described happens every day. It illustrates how important it is that passwords are managed well. It not only affects your security and the confidentiality of the information you wish to protect, it also has implications for those you love.
Passwords – the word people love to hate.
Passwords. They may be too weak, whatever that means. They may be too many, each having to conform to a password standard of a particular web site. They are forgotten, confused and yet hacked by somebody out there. What is it with passwords? Can we master these little devils?
As a security geek and an economist (a behavioral science), I am intrigued by how people respond to passwords. You would think that older people would be tripped up by passwords, but password klutzes come in all ages. And it knows no IQ standard. I have seen the smartest people do the dumbest things with passwords (like doctors or some political advisors that I will not name). Passwords are the vital signs of security; how they are handled is indicative of the security culture that surrounds a person. Yes – it is cultural. Security is not all technology. It is us. It was John Smith. It is Juanita Smith.
I recall the early days of the PC. Passwords were almost an afterthought, rarely encountered. But as the personal computer evolved into the business workstation, the password problem began to emerge. It really wasn’t all that complicated. All a person had to remember was 1) their login password to the network and 2) another password for an application they may have been using. Two passwords. Yet even at that level, I had to deal with many users who complained about two passwords, and some who rebelled by simply writing them down on their desk pad!
Then came the Internet – and the rest is history.
Today, I maintain a listing of passwords that covers 13 pages, double-columned! Passwords range from the bank to ESPN. They have been accumulated over seventeen years of Internet activity. To the person who tells me “I use the same password for everything,” I say “Impossible!” I know of people who have tried to accomplish that goal and soon learned that every site had a different set of rules regarding the login ID and the password.
This article will focus on how you can manage passwords. It is like caging gremlins. You will find a lot of workable suggestions below, but you will also have your own personal demons to engage, the ones that transform you from the sweet person you are into a cursing, talk-to-yourself ogre. Whatever you are, the goal of this article is to avoid what happened to Juanita.
First, it is appropriate to address the problem of login IDs. It is one reason why the list of passwords and IDs grows. Some sites want your e-mail address. Others want you to use an ID, preferably your name. And there are sites where you would prefer to use an alias. All I can say is: use common sense. With the advent of the cloud, your e-mail account is used more often as the ID for various services like Yelp or Uber. But your bank, the IRS, and your stock-trading site will usually require an ID that resembles your name. After the list grows to a certain size, however, rarely visited sites are tough to recall and you forget your login ID and/or password.
Passwords – Why Make it Complicated?
As a security specialist I can relate to the tendency of human beings to use passwords that are easy to remember, such as your grandmother’s first name or the name of your first son. Guess what. Hackers know this and have had some surprising success accessing even the most sophisticated systems, simply because they looked up a guy’s grandmother’s name! Large enterprises soon countered such amateurism by requiring what is called the “complex password.” They set up rules that force users to create passwords of a certain length, with capital and small case letters, some numbers and symbols.
Why is that? One technique that hackers use is called a brute-force attack. There are programs out there that can guess your password, often using a form of brute force referred to as a “dictionary attack.” In other words, if your password is a word, it is relatively easy to break. But when you add random small case/large case letters and mix in numbers and symbols, the time required to guess the password lengthens considerably. Sites that enforce complexity are usually those that pertain to your finances. But it is a good rule to follow in any situation. If you use four-letter passwords, even for presumably unimportant sites, you are highly vulnerable. Some of the most interesting hacks I have observed commence with somebody breaking into a presumably unimportant site that you visit. From that intrusion they can begin to construct a profile, which only improves their ability to predict your behavior at other sites.
Another myth I need to dispel: the brute-force attacks that you see on shows like NCIS are purely fiction, much to the tragic realization of “script-kiddies” who try to break into a city government network to control stop lights. Networks not only regulate the length and complexity of your password, they can also limit how many attempts you get to enter the correct password. Most high-security sites give you three attempts before you are locked out. Note also that most high-security sites have intrusion detection systems that flag unusual behavior, such as repeated attempts to access a particular account.
In conclusion, get in the habit of using passwords of about 12 characters in length. Mix small case and large case letters, and add numbers and symbols.
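As an added illustration of the lockout and flagging behaviour described above (example code written for this article, not taken from it or from any vendor product; the log format, the field names and the three-strike threshold are assumptions for the demonstration), here is a small monitor run over a few constructed authentication log lines. It locks an account after three consecutive failures, refuses further attempts on that account even when the password is finally right, and records an alert for each attempt against a locked account, which is the kind of event an intrusion detection system would flag.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # "three attempts before you are locked out" (assumed policy)

# Constructed sample log, not from any real system.
# Each line: timestamp, account, outcome, source address.
SAMPLE_LOG = """\
2017-01-05T09:00:01 account=jsmith outcome=FAIL src=203.0.113.7
2017-01-05T09:00:04 account=jsmith outcome=FAIL src=203.0.113.7
2017-01-05T09:00:09 account=jsmith outcome=FAIL src=203.0.113.7
2017-01-05T09:00:15 account=jsmith outcome=FAIL src=203.0.113.7
2017-01-05T09:00:20 account=jsmith outcome=SUCCESS src=203.0.113.7
2017-01-05T09:05:00 account=juanita outcome=FAIL src=198.51.100.9
2017-01-05T09:05:30 account=juanita outcome=SUCCESS src=198.51.100.9
"""


def parse_line(line):
    """Split one log line into a dict: {'ts': ..., 'account': ..., 'outcome': ..., 'src': ...}."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, **fields}


@dataclass
class AccountState:
    failures: int = 0      # consecutive failures since the last success
    locked: bool = False


@dataclass
class Verdict:
    locked_accounts: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def evaluate(log_text, max_attempts=MAX_ATTEMPTS):
    """Replay the log and return which accounts got locked and what was flagged."""
    states = defaultdict(AccountState)
    verdict = Verdict()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        st = states[ev["account"]]
        if st.locked:
            # Once locked, even a correct password is refused, and the
            # attempt itself is reported as suspicious activity.
            verdict.alerts.append(
                f"{ev['ts']} attempt on locked account {ev['account']} from {ev['src']}")
            continue
        if ev["outcome"] == "SUCCESS":
            st.failures = 0  # a legitimate login clears the failure count
        else:
            st.failures += 1
            if st.failures >= max_attempts:
                st.locked = True
                verdict.locked_accounts.add(ev["account"])
                verdict.alerts.append(
                    f"{ev['ts']} account {ev['account']} locked after "
                    f"{st.failures} failures from {ev['src']}")
    return verdict


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    print("locked:", sorted(result.locked_accounts))
    for alert in result.alerts:
        print("ALERT", alert)
```

On the sample log, jsmith is locked at the third failure, the fourth failure and the later correct login are both refused and flagged, and juanita's single slip followed by a success is never reported. That is why a guessing program running against a site with this policy gets at most three tries before the account is off the table.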
Dividing Passwords into Groups
The protests would be loud and frequent if I required my family to enter a highly complex password whenever they wanted access to the home router, the Wii or the family e-mail accounts. To avoid that problem, reserve the most difficult passwords for your financial sites. Recognize that family members (and some guests) will appreciate passwords that are relatively easy to remember. I call this grouping.
Easy passwords are what you encounter at the local coffee shop. They are simple enough for the barista behind the counter to share and for the customer to type in. On the opposite end of the spectrum are passwords that are not easily remembered because of their complexity. In the middle are lower-risk sites that may or may not warrant highly complex passwords. The important thing is to have passwords that differ based on risk. If you are using the same password to access your router as you do the bank, you are highly vulnerable. One exploit of that password, and your goose is cooked. Imagine sharing the router password with your twelve-year-old son so he can tell his friend, and using that same password to access your bank.
How Often Do I Change Passwords?
Another cause of complexity is that everyone has a different set of rules regulating how often you need to change your password. As a consumer I rarely encounter a request to change my password. But most intranet operations (i.e., business enterprises) put expiration dates on passwords. Another cause of forced password changes is when a company or government agency is compromised and there is concern that hackers have obtained your login ID and password. When that happens, they send you a notification that your account may be at risk and that the best way to resolve the problem is to change your password.
Most security experts recommend changes every 30 or 60 days. The average human being will find that advice insane. They will keep using the same passwords to get into their e-mail or sports network account until the day they die. How can we improve on this?
First, make it a point to change passwords of critical accounts at least annually.
Second, change your password whenever you receive a notification that your account may have been compromised.
Third, get in the habit of changing passwords to ALL accounts on a regular basis, at least annually.
One suggestion is to keep a spreadsheet that lists the account description, the login ID, the password, the frequency of a password change, and last date of a change. You can create a formula that will calculate the next scheduled date for a password change. You can then sort the list of passwords by change date. Once a month you can go over the list and change passwords that are scheduled for a change.
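The spreadsheet idea above, worked through as an added example (my own code, not from the article): the "formula" is simply the last change date plus the change interval, and the monthly review is a sort by that date followed by a filter for anything due within the coming month. The account names, login IDs and dates are constructed for the demonstration. Note that the sheet in this example deliberately has no password column; it tracks when to rotate, and the secrets themselves belong in a vault or a password-protected file as discussed later in the article.

```python
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample inventory (not from the article). No password column on purpose.
SAMPLE_CSV = """\
account,login_id,change_every_days,last_changed
Bank (checking),jsmith,365,2016-01-10
Visa card,jsmith,365,2016-11-02
Home router,admin,365,2015-06-01
Sports site,jsmith77,365,2016-12-20
"""


def load_inventory(csv_text):
    """Parse the sheet, converting the interval to an int and the date to a date."""
    rows = []
    for row in csv.DictReader(StringIO(csv_text)):
        rows.append({
            "account": row["account"],
            "login_id": row["login_id"],
            "change_every_days": int(row["change_every_days"]),
            "last_changed": date.fromisoformat(row["last_changed"]),
        })
    return rows


def next_change(row):
    """The spreadsheet formula: last change date plus the rotation interval."""
    return row["last_changed"] + timedelta(days=row["change_every_days"])


def scheduled_changes(csv_text):
    """Every account with its next change date attached, earliest first."""
    rows = load_inventory(csv_text)
    for row in rows:
        row["next_change"] = next_change(row)
    return sorted(rows, key=lambda r: r["next_change"])


def due_for_change(csv_text, today, horizon_days=31):
    """The monthly review: accounts whose next change falls on or before
    today + horizon. Returns (account, days_overdue) pairs; days_overdue is
    negative for a change that is upcoming rather than late."""
    cutoff = today + timedelta(days=horizon_days)
    due = []
    for row in scheduled_changes(csv_text):
        if row["next_change"] <= cutoff:
            due.append((row["account"], (today - row["next_change"]).days))
    return due


if __name__ == "__main__":
    for account, overdue in due_for_change(SAMPLE_CSV, date(2017, 1, 15)):
        status = f"{overdue} days overdue" if overdue > 0 else f"due in {-overdue} days"
        print(f"{account}: {status}")
```

Run on the sample sheet with a review date of January 15, 2017, the router (last changed in mid-2015) and the bank (a year old a few days earlier) come out as due; the two accounts changed recently do not. Once a password is actually changed, the last_changed cell is updated and the account drops off the list until its next interval runs out.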
Fourth, keep your eyes open regarding login failures after you change the password. If you change your password and shortly after receive an alert from that web site, you may have had your account compromised before you made the change. If that occurs you may need to contact the site and report the incident. If it is financially related, you may want to look over your financial records to assure that no damage was done.
Is it Safe to Write Down your Passwords?
Yes – if you read the rest of this article. Hackers use a social engineering trick I call desk surfing, also known as eavesdropping. I recommend that supervisors enact the “janitor test.” If I were a janitor, working in the evening, what could I discover without touching a thing? You would be surprised. Read Alan Henry’s blog on The Most Common Hiding Places for Workplace Passwords and you will get a good laugh – probably at yourself!
The simple truth is this – there are too many passwords to relegate them all to memory. It is impossible. People write them down. So the question is whether there is a safe way to write down passwords. There are a number of tools out there that enable you to record passwords such as encrypted password vaults that come with browsers, and several apps that provide password storage services.
Whatever you do – DO NOT RECORD PASSWORDS IN PLAIN-TEXT, UNPROTECTED FILES. Word processors and spreadsheets have password protection options. Use them. Studies have shown that this level of password protection is not considered high-level; in particular, it is subject to brute-force attacks. A hacker who obtains a copy of the file can make unlimited attempts, offline, to break into it, with none of the lockouts a web site would impose. But it is better than no protection.
Below is an example. In prior versions of Word, the password option was provided under the “Save As” screen. But recent versions of Word place the password controls under “Tools” and then “General Options.”
While password storage apps may provide the best protection, I have found they do not store other information that may be handy to write down, such as your bank account number, PIN used for the bank card, airline frequent flyer numbers, etc. And then there are the security questions that they want you to use. As you can see, it can get messy.
Here is an example from the Firefox browser, where you can save passwords.
Another trick is to record only the first and last few characters of a password. This requires some discipline on your part because it depends on something that only you know. But if you build complexity at the ends of the password, the center can be a pattern you know. So you would record in the document something like A@C …. 789. Only you know what lies between C and 7. So in the event someone obtains your password file, cracks its password and gains access, they will get only a hint of what the entire password may be. They may eventually discover the password, but you have made the effort much more time-consuming and complex, and have considerably increased the odds of detection by security.
What Happens if you Die?
We now return to the sad fate of John and his surviving spouse, Juanita. I’ll be honest. I have never heard anyone discuss this subject at a security conference. But it is obvious to any lawyer or trust manager who has to handle estate settlements. And it doesn’t have to be death. You could simply be traveling while someone at home needs to access an account. With more and more financial activity being conducted on the Internet, there are often few clues in your paper files at home. Financial firms are often in the forefront of “sustainability,” i.e. the use of e-mail rather than paper and snail-mail. The only evidence that you have a bank account or a stock trading account may be the e-mailed statement notifications. For someone to access that account they would need to know the e-mail address and the password. The old-fashioned way of transferring assets upon death is still required, but knowing the passwords may mean the difference between one day and one to six months before you can access the account information.
The impact of your loss, however, will be felt most in the everyday things you do over the Internet. Consider how many bills you pay on-line. Does your spouse know those IDs and passwords? Consider all the services you use that may require a periodic password entry: Hulu, Netflix, YouTube, Facebook, the cell phone provider, resolution of medical bills with the insurance provider. The list can go on and on.
One way to reduce the confusion and chaos for the beneficiaries is to provide the list of passwords and IDs in printed form, filed away in a safe location, preferably in a safe or safe-deposit box. If all involved are cyber-sophisticated, you may find it practical to keep a digital copy of the password file with a beneficiary, or simply place a thumb drive of critical documents in a safe.
Finally, use a shredder. Any piece of trash that contains an account number or, heaven forbid, your passwords, can be used against you. Shredders are not that expensive and are handy to have around.
A fun movie is Sliding Doors, which explores the consequences of one decision by tracking the subsequent events of a person’s life. Let’s return to John Smith, and go back four years. John, seeing how important it was to document passwords, decided to record IDs, passwords, PINs, account numbers, etc. in one password-protected document. He named the document “Grandma’s Recipes.docx”. He printed out the document and placed it in the safe. Juanita, not being cyber-friendly, paid barely enough attention to recall John’s remarks about the document. She squirreled away the safe combination in her wallet.
On hearing the tragic news of John’s death, she fell into shock. The coming days passed before her like a bad dream. Friends provided meals. Her parents and John’s parents all converged at their home, providing comfort and support. But the time came when she had to live again. She saw the bills sitting on the counter, which reminded her that they needed to be paid. She recalled John used on-line banking and rarely used checks. She then recalled John describing this document that he placed into the safe. The safe! Where was the combination? She remembered she placed it in her wallet. There it was, worn thin, the numbers barely visible. She went to the safe and breathed a sigh of relief when the door opened. There it was, the document listing all the passwords. At the top was the password to the file on their computer. She went down the list and found their bank. She got online. The ID and password worked! She studied the page and learned how to track transactions. She noticed there was a button on the upper right portion of the screen labeled “Bank Online.” She found the utility bill. She paid it. She sighed in relief. She then noticed a credit card bill being paid last month. She never recalled seeing a credit card statement in the mail, so she found the ID and password to the Visa card. To her relief, it also worked and she saw that the bill would need to be paid soon. She printed out the statement and looked it over. She returned to the on-line bank and scheduled a payment. “Yes,” she said to herself. “I can do this.”
She would later access his e-mail accounts, noticing that there were some bill notifications. She paid those as well. Yet as the months went by she noticed the other accounts he had listed. She recalled the memories of his love of sports, his uncanny ability to plan trips, and his diligence in providing insurance coverage. She would decide in the coming months to return to her hometown to be near her parents. With that list of passwords, she was able to access the travel accounts, transfer the accumulated points to her name and arrange the flights that saved her over a thousand dollars. Consulting with customer support, she was able to close out his unneeded accounts and update those she would continue to use. She kept his Facebook and Instagram accounts. She wept when she viewed the photos and his witty responses to his crazy friends. These were practically all that was left of him, the ghost in the machine.
Alan Henry, “The Most Common Hiding Places for Workplace Passwords,” Lifehacker, November 13, 2012. Fun article for all the tricks people have tried to hide their passwords.
PC Magazine has a good article rating password vault apps.
Neil J. Rubenking, “The Best Password Managers of 2017,” PC Magazine, December 13, 2016.
Another source organizes the recommended vault applications by operating system, expanding your options if you have a non-Windows platform.
Swati Khandelwal, “Best Password Manager – For Windows, Linux, Mac, Android, iOS and Enterprise,” The Hacker News, July 29, 2016.