With Carole in the wilds of Canada, and Graham knee-deep in a security conference in Glasgow, we drag an episode out from the archives of February 2017 – looking at the thorny subject of passwords.
Join cybersecurity veterans Graham Cluley, Carole Theriault, and Vanja Švajcer as they offer some advice and tips for computer users.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello.
Hello. And welcome to episode 99 of Smashing Security. My name is Graham Cluley.
I'm Carole Theriault.
And Carole, a bit of a special episode actually, isn't it? 99.
Well, it could be very special. I think 100 is more special though, don't you?
Probably.
This episode, this week, let's explain. We're doing something a bit different this week.
Obviously we've got episode 100 coming up and we'd like that to be good, but we need a bit of time to make that good.
Obviously we've got episode 100 coming up and we'd like that to be good, but we need a bit of time to make that good.
We're very short on time, both of us at the moment. We've done amazing getting a show out every week so far, though.
Yeah, because Carole, right now you are somewhere in the wilds of Canada without an internet connection, right?
Well, yes, not right now, but now, now at time of publishing, yes.
Right.
And I am up in the wilds of Scotland doing something up there at a security conference, which means that we can't get together over the internet to record a proper episode 99, so we're going to drag one out of the archives, a classic, a good one, a golden oldie from the early days of Smashing Security when we were a threesome with Vanja Švajcer, and we're going to talk about passwords.
And I am up in the wilds of Scotland doing something up there at a security conference, which means that we can't get together over the internet to record a proper episode 99, so we're going to drag one out of the archives, a classic, a good one, a golden oldie from the early days of Smashing Security when we were a threesome with Vanja Švajcer, and we're going to talk about passwords.
When we knew nothing about audio or editing.
Yeah, it might sound a bit crummy.
But maybe endearing, maybe endearing.
Anyway, let's play it right now. Smashing Security Splinter Episode: Passwords with Carole Theriault, Vanja Švajcer, and Graham Cluley.
Hello everybody, and welcome to Smashing Security, a very special episode of Smashing Security.
It's our splinter episode where we are talking today about tips on how you can better protect yourself online.
And one of the things which I think we should chat about, because people are always asking me what they could be better doing about it, is passwords.
They're a bit of a problem, aren't they?
Hello everybody, and welcome to Smashing Security, a very special episode of Smashing Security.
It's our splinter episode where we are talking today about tips on how you can better protect yourself online.
And one of the things which I think we should chat about, because people are always asking me what they could be better doing about it, is passwords.
They're a bit of a problem, aren't they?
They're pretty awful.
We all hate them. I don't know anyone who thinks passwords are fun, but they're kind of a necessary evil, a bit like dandruff shampoo, isn't it?
And you know, we all remember life before passwords. We're all of an age where I don't think I started thinking about passwords until I was in my teens.
And you know, we all remember life before passwords. We're all of an age where I don't think I started thinking about passwords until I was in my teens.
Right.
To be honest, I don't even remember what happened yesterday, let alone life before the passwords.
Poor old Vanja. He's got to that point.
He's so old.
He's so old these days. And yeah, I mean, passwords, they are a nightmare, aren't they? Particularly for the sort of, let's put it, the frailer, more elderly generation.
People like Vanja, who are finding it hard to keep track of all these things. And of course, people are expecting you to remember lots of passwords, aren't they?
People like Vanja, who are finding it hard to keep track of all these things. And of course, people are expecting you to remember lots of passwords, aren't they?
Well, that's it. You know, I mean, I have hundreds and hundreds of accounts, and I of course use a unique password, which we're going to talk about why that's important in a second.
But I have to, you know, in my head, I wouldn't be able to remember all those.
But I have to, you know, in my head, I wouldn't be able to remember all those.
Of course you wouldn't.
That's why you can always have one password for every site. You choose a nice password, you remember it, right?
Oh, I see. You're thinking you just come up with one strong password and use that everywhere. Yeah. And if you could remember that.
Well, excellent security advice there from Vanja Švajcer.
But I would argue that maybe choosing a password like enricojoyouslyleopards 79 isn't such a good idea because, of course, if you get hacked in one place, if your password spills out in a data breach, what's the first thing the hackers are going to do?
Well, excellent security advice there from Vanja Švajcer.
But I would argue that maybe choosing a password like enricojoyouslyleopards 79 isn't such a good idea because, of course, if you get hacked in one place, if your password spills out in a data breach, what's the first thing the hackers are going to do?
Well, they'll try again.
Yeah, they'll try it again and they'll try and unlock your email or they'll try and unlock your PayPal account or your Amazon or—
Exactly. Exactly.
It's going to be absolutely horrendous, isn't it?
Yeah.
Didn't Mark Zuckerberg earlier this year, his LinkedIn password got hacked and had he used that same password on other social accounts, he would have had a real disaster on his hands.
Didn't Mark Zuckerberg earlier this year, his LinkedIn password got hacked and had he used that same password on other social accounts, he would have had a real disaster on his hands.
He was using it, actually. He was using it on his Twitter account.
Oh, that's right, that's right, that's right.
And now, interestingly, he didn't use that particular password. By the way, it was a very dumb password. It was dadada, D-A-D-A.
He didn't use that password on his Facebook account, probably his most important account, I imagine, because his security team had said, 'Hey, buddy, you've got to have a really strong password on your account because you are a prime target.' You know what though, you're making a super good point.
He didn't use that password on his Facebook account, probably his most important account, I imagine, because his security team had said, 'Hey, buddy, you've got to have a really strong password on your account because you are a prime target.' You know what though, you're making a super good point.
That not all websites or accounts, you know, where they demand a password, actually teach you how to make a secure password. So some of them might accept something dadada, right?
And that is, you know, it might give you a false sense of confidence that, you know, that they know what they're doing, but actually you need to take ownership of how secure you make your password.
And that is, you know, it might give you a false sense of confidence that, you know, that they know what they're doing, but actually you need to take ownership of how secure you make your password.
Right, so let's step back a little bit and think about passwords because when I speak to regular civilians, what am I talking about?
People outside the computer security industry who have sort of accepted that they do need passwords, but aren't necessarily sure quite how they should be dealing with them. Yeah.
They say to, you know, they say all the time, well, what makes a strong password? You know, what should my password be?
And I've got a couple of rules and maybe you guys can chip in if you can think of any others. But I think one of them is what we've just mentioned. You need a unique password.
You need different passwords for different accounts, but you also need a password which is hard to guess.
And one of the mistakes that some people make is they will make their password the name of their dog or their favourite soccer team or their mother's maiden name or something which is fairly easy for someone to determine if they know that particular individual.
So you might have someone close to you or a work colleague who's then able to work out how to get into your accounts. Yeah.
People outside the computer security industry who have sort of accepted that they do need passwords, but aren't necessarily sure quite how they should be dealing with them. Yeah.
They say to, you know, they say all the time, well, what makes a strong password? You know, what should my password be?
And I've got a couple of rules and maybe you guys can chip in if you can think of any others. But I think one of them is what we've just mentioned. You need a unique password.
You need different passwords for different accounts, but you also need a password which is hard to guess.
And one of the mistakes that some people make is they will make their password the name of their dog or their favourite soccer team or their mother's maiden name or something which is fairly easy for someone to determine if they know that particular individual.
So you might have someone close to you or a work colleague who's then able to work out how to get into your accounts. Yeah.
Even if it's a phrase from a song or a book, you know, those are not very difficult to guess.
So summer of '69 is not a good choice for a Canadian.
Okay, no matter how great this song is, it is a fantastic song.
Let's face it, it's one of the best. But those sort of phrases, no good at all.
And similarly, password is no good, and 12345 is no good, and qwertyuiop is no good, because we've seen that all before.
And similarly, password is no good, and 12345 is no good, and qwertyuiop is no good, because we've seen that all before.
1Q2W3E4R, that's not good either.
Yeah. Yeah, and I think people do this though because they don't see the importance of the data they're protecting as being valuable because they're just starting off the account.
So what you have to remember is that you're going to be probably using this account for something.
That's why you're setting it up and you're going to be putting in data and information that if it did get out, it could prove to, you know, to be harmful to you.
So what you have to remember is that you're going to be probably using this account for something.
That's why you're setting it up and you're going to be putting in data and information that if it did get out, it could prove to, you know, to be harmful to you.
Right. So we're saying your password needs to be unique. It needs to be hard to guess, but another thing—
It must be long. It has to have lots of characters.
It can't just be 5 characters. Length matters. So the longer the password—
I would of course say length matters.
Normally that makes it stronger. Not always.
Not just the length, of course.
It's not just length. It's also the complexity of the password.
So we would recommend that you have lowercase and uppercase, you have numbers, you have ampersands, special characters.
So we would recommend that you have lowercase and uppercase, you have numbers, you have ampersands, special characters.
Yeah.
Any stuff like that you can shove in there, it's got to be good.
And this will help make your password hard to crack because one of the things which the hackers are doing is they are using dictionaries.
They have dictionaries of the most common words and the most common passwords which they will use against a password database in order to try and crack your password.
And this will help make your password hard to crack because one of the things which the hackers are doing is they are using dictionaries.
They have dictionaries of the most common words and the most common passwords which they will use against a password database in order to try and crack your password.
Also, if you use passwords and you exchange some of the letters for numbers instead of e, use 3, or instead of L, use 1, that's also easily guessable.
Right, so for instance, if your password, let's just use a really dumb example to explain that.
If you've got the word password, don't just change the A to a 4 and the O to a 0, because you know, that's no protection at all against a modern attacker trying to crack your password.
So it needs to be better than that. But all of this stuff, right?
The length, the complexity, the uniqueness, all comes down to one central problem, which is how on earth is Carole's puny brain, which is simply full of Bryan Adams lyrics, how is it going to be able to cope?
How is it going to remember all of these passwords?
If you've got the word password, don't just change the A to a 4 and the O to a 0, because you know, that's no protection at all against a modern attacker trying to crack your password.
So it needs to be better than that. But all of this stuff, right?
The length, the complexity, the uniqueness, all comes down to one central problem, which is how on earth is Carole's puny brain, which is simply full of Bryan Adams lyrics, how is it going to be able to cope?
How is it going to remember all of these passwords?
Ask me. Ask me how I manage it. Ask me.
Carole, how can you manage this impossible task with your feeble female mind?
That's a bit sexist.
I was just doing that for effect, guys. Okay, yeah, we all know, we all know you're not really female. Come on.
So I use a password manager. There's a lot of reputable password managers, and there are a few out there that maybe are less reputable, so choose wisely.
But what a password manager will do is basically keep all your passwords in one place, and all you need to remember is one master password, which you make, as Graham said earlier, unique hard to crack, holding lots of characters, and I'm talking over 12 characters to be long.
Some go up to 20. I mean, that's a minimum. And then you have this one password to access everything. It proves very useful, and you don't even have to make them memorable that way.
So they're not as easy to crack. They're very random because they're automatically generated.
But what a password manager will do is basically keep all your passwords in one place, and all you need to remember is one master password, which you make, as Graham said earlier, unique hard to crack, holding lots of characters, and I'm talking over 12 characters to be long.
Some go up to 20. I mean, that's a minimum. And then you have this one password to access everything. It proves very useful, and you don't even have to make them memorable that way.
So they're not as easy to crack. They're very random because they're automatically generated.
Yes, they're automatically generated and they are stored in a safe and secure way.
So even if they get compromised, they wouldn't be, you know, the hackers wouldn't be easily guessing their passwords.
So even if they get compromised, they wouldn't be, you know, the hackers wouldn't be easily guessing their passwords.
So what we're recommending everyone does, right? Everyone who listens to this podcast, I think, has got an interest in doing this and properly protecting themselves.
We would recommend for the vast majority of people, run a password management program on your computer which stores your passwords securely and encrypted, protected by one strong master password.
And that master password, if you find it hard to remember all that complexity, maybe you could create a passphrase, whereas you have a sequence of random words.
So it could be something I don't know, suspects38plague21rots or something that. It's quite a long phrase. You've got some numbers in there as well.
You could add an exclamation mark somewhere in there or an ampersand.
We would recommend for the vast majority of people, run a password management program on your computer which stores your passwords securely and encrypted, protected by one strong master password.
And that master password, if you find it hard to remember all that complexity, maybe you could create a passphrase, whereas you have a sequence of random words.
So it could be something I don't know, suspects38plague21rots or something that. It's quite a long phrase. You've got some numbers in there as well.
You could add an exclamation mark somewhere in there or an ampersand.
But no one should use that one. No one use that one.
No, don't use that one. In fact, I've already forgotten it. But if you memorise your master password, then that will be your key to your password management programme.
And the beauty of this is that when you try to log into online accounts, you can actually have your password manager pop up and say, oh, I know the password for this site.
I'll type it in for you.
And the beauty of this is that when you try to log into online accounts, you can actually have your password manager pop up and say, oh, I know the password for this site.
I'll type it in for you.
Some good ones even say to you, ooh, your password for this site is actually quite weak. Let us help you make that a stronger password, which is wonderful service.
Yeah, it's fantastic.
Okay, quiz time, quiz time.
All right.
What percentage of data breaches originate from email?
7 out of 10.
It's pretty — take a guess, but you're way wrong. 96%. Oh, bloody hell.
And one of the big things that companies have to worry about is phishing scams, because that's the kind of way that hackers and other baddies break into your company.
And one of the big things that companies have to worry about is phishing scams, because that's the kind of way that hackers and other baddies break into your company.
Because that's how they get your passwords, I guess.
That's how they get your passwords. So MetaCompliance make it easier to train and prepare your whole environment to stop these kind of attacks.
They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance. That's smashingsecurity.com/metacompliance.
They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance. That's smashingsecurity.com/metacompliance.
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
So, I think passwords are pretty much here to stay, but also password stealing is here to stay as well, and the bad guys steal your passwords through phishing attacks where they try and lead you to bogus websites trying to trick you into entering your password details.
That, by the way, is another way in which password managers can protect you because they won't pop up if it's a bogus site.
They should only pop up if it's the real site and offer to enter your password.
But you can also have your password stolen through keylogging malware, maybe even keylogging hardware, or through a data breach.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
So, I think passwords are pretty much here to stay, but also password stealing is here to stay as well, and the bad guys steal your passwords through phishing attacks where they try and lead you to bogus websites trying to trick you into entering your password details.
That, by the way, is another way in which password managers can protect you because they won't pop up if it's a bogus site.
They should only pop up if it's the real site and offer to enter your password.
But you can also have your password stolen through keylogging malware, maybe even keylogging hardware, or through a data breach.
There's tons of ways.
Lots and lots of ways to do this. But generally our advice is have unique passwords, make them hard to crack, hard to guess, and run a password manager.
What else can people do to better protect their accounts though?
What else can people do to better protect their accounts though?
So you can, we haven't mentioned 2FA or two-factor authentication or multifactor authentication as it's also known.
You're nerding me out right now, right?
I'm sorry.
With this terminology. What, what is this 2FA and multifactor authentication? What, what's that bringing me that passwords don't bring me?
Well, you have this additional factor. I mean, passwords are something you know, while the second factor is something you have.
So you can have this sort of unique generators of numbers, which when you authenticate, it really proves that it's you that's trying to log on to a particular system.
So it's not just the password, but an additional number that you have.
You either receive it through an SMS message, or you have an app on your phone that generates a number for you, or you have some other specialized hardware that allows you to enter and create those numbers.
So you can have this sort of unique generators of numbers, which when you authenticate, it really proves that it's you that's trying to log on to a particular system.
So it's not just the password, but an additional number that you have.
You either receive it through an SMS message, or you have an app on your phone that generates a number for you, or you have some other specialized hardware that allows you to enter and create those numbers.
So it's a bit like your bank account, for instance, right? It's like your bank account. You're using a kind of token to generate an automatic number.
So it's like a physical device in some cases. Absolutely.
So it's like a physical device in some cases. Absolutely.
Yeah. Right. It's exactly like that.
Right. Okay. So we would recommend— and many websites are now beginning to offer this kind of additional level of security.
We would recommend that people do this and enable it in order to harden their accounts.
And if you do that, even if your password does get stolen, Lord forbid that it happens, but if it does get stolen, the hackers shouldn't be able to access your account because they have that extra hurdle to get past.
So a good tip there for everybody. Well, I think that's about all we have time for this episode. We very briefly covered passwords.
I'm sure we'll be coming back to passwords again, but I hope that's been some useful advice for most people as to how to create stronger passwords and how to remember their passwords rather than using their puny human brains.
All that's left for me is to apologize to Kroll, first of all, for making the rather sexist comment earlier and to recommend that if you like us— Kroll, do you forgive me?
We would recommend that people do this and enable it in order to harden their accounts.
And if you do that, even if your password does get stolen, Lord forbid that it happens, but if it does get stolen, the hackers shouldn't be able to access your account because they have that extra hurdle to get past.
So a good tip there for everybody. Well, I think that's about all we have time for this episode. We very briefly covered passwords.
I'm sure we'll be coming back to passwords again, but I hope that's been some useful advice for most people as to how to create stronger passwords and how to remember their passwords rather than using their puny human brains.
All that's left for me is to apologize to Kroll, first of all, for making the rather sexist comment earlier and to recommend that if you like us— Kroll, do you forgive me?
No.
Oh dear. I just did it for a cheap gag. I didn't really mean it.
We'll see how this develops in next episode.
That's right, tune in to find out what happens and how Carole gets her revenge.
Subscribe if you like us, leave a rating and review in iTunes, follow us on Twitter @SmashingSecurity, or visit us at smashingsecurity.com.
But until next time, thanks very much and speak again soon. Toodaloo!
Subscribe if you like us, leave a rating and review in iTunes, follow us on Twitter @SmashingSecurity, or visit us at smashingsecurity.com.
But until next time, thanks very much and speak again soon. Toodaloo!
Bye!
Well, that's a short episode. We put in a lot more work these days, don't we?
We do. These days we have Pick of the Week.
We have different guests every week.
We don't have banjo anymore. But we added a lot more work to our initial idea. Why did we do that?
I don't know. Maybe we can explore that next week on our episode 100, Be There or Be Triangulaire. Crawl, crawl. What? What?
Don't build it up too much, just in case. All right.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Vanja Švajcer – @vanjasvajcer
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: MetaCompliance
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
