We need to talk about your passwords. Your dog’s name plus your year of birth aren’t going to cut it. But there’s an exclamation point, you say?
We need to talk about your passwords. Please invite your bank customers to listen in.
First, to illustrate the underlying problem, consider a test run by the U.S. Department of Homeland Security in 2011. Thumb drives were scattered around the parking lots of government and private buildings. Have you ever found a thumb drive and couldn’t help yourself? In this test, curiosity led to 60 percent of the devices being plugged into office computers, giving DHS access to systems and entire networks. If a company or government logo was on the drive, that level hit 90 percent.
We also need to talk about your self-discipline, but that’s another column. The point is, since artificial intelligence running behind the scenes has become so adept at warding off attacks, hackers have had to rely on people being careless. Your greatest weakness in cybersecurity is probably yourself — and poor password management does you no favors. It’s an eternal spring, and those weak passwords are water flowing.
Twenty years ago, most people had only a few passwords: a work email, a personal email and that one for your bank account. You may recall how terribly flimsy those passwords were by today’s standards. A lot of hard lessons were learned along the way, and it’s been a long time since e-commerce sites, much less a bank site, would allow you to choose a weak password. But even with eight-character minimums and an insistence on a base level of complexity, most passwords aren’t nearly complex enough to thwart AI’s ability to crack them.
Worse still, many people employ one password for numerous accounts, from Amazon to Facebook to their favorite take-out restaurant. Criminals are well aware that the username and password for your bank account and your favorite pizza parlor’s reward program are likely the same. And it’s not so tough to hack into your local pizza parlor.
This problem is easily solved. Applications that will produce and manage passwords for your many pursuits have been around for years now; they are extremely secure and should be used by anyone who gets online these days, which means everyone. Microsoft, Google and others offer free or fairly inexpensive password managers. I myself use something called LastPass, which is great.
They all work the same way. The password manager itself has a password — a master password — and will eventually be the only password you’ll ever need to remember or write down. So make it complex! Once installed on your web browser, you can either enter all of your accounts into the manager manually, or it will collect the information over time as you go about your business.
If you tend to use the same password for different accounts, using a manager is an easy way to change that. When you add a site or service to the manager you can also take the opportunity to update your password to something complex. No creativity is required. These managers will generate a password for you, if you want. Mine will generate them up to 99 characters.
Here’s an example:
Now that’s a password!
The password for my bank account isn’t 99 characters, but it’s a truncated version of the above, and much more secure than the name of my cat, the year I was born and a question mark.
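To put numbers on that comparison, here is an added Python example (not part of the original column and not any password manager's own code) that generates a random password the way a generator would and estimates how much guessing each kind of password forces. The 94-character alphabet, the 20-character truncation and the sizes of the pet-name, birth-year and symbol lists are assumptions.

```python
import math
import secrets
import string

# Assumed alphabet: the 94 printable ASCII letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=99, alphabet=ALPHABET):
    """Build a password by drawing every character from the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits when every character is uniform and independent."""
    return length * math.log2(alphabet_size)


def pattern_bits(names=10_000, years=100, symbols=len(string.punctuation)):
    """Entropy of <pet name><birth year><one symbol>.

    The list sizes are assumptions: 10,000 common pet names, 100 plausible
    birth years, 32 symbols. Someone who knows the pattern searches only
    names * years * symbols candidates, however long the result looks.
    """
    return math.log2(names * years * symbols)


def compare(truncated_length=20):
    """Bits of entropy for the cases the column contrasts."""
    return {
        "pet name + year + symbol": pattern_bits(),
        "8 random characters": random_bits(8),
        f"{truncated_length} random characters (truncated)": random_bits(truncated_length),
        "99 random characters": random_bits(99),
    }


if __name__ == "__main__":
    full = generate_password()   # 99 characters, different on every run
    short = full[:20]            # truncating keeps every remaining character random
    print(len(full), len(short))
    for label, bits in compare().items():
        print(f"{label:40s} {bits:7.1f} bits")
```

Each extra bit doubles the number of guesses required, so the gap between roughly 25 bits for the pattern and roughly 131 bits for a 20-character random string is a factor of about 2 to the 106th power.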
Passwords are antiquated, really. Ten years from now, they will probably be a thing of the past. In the meantime, up your password game with a dedicated manager. And convince your customers to do the same.
Side note: Use an independent manager instead of letting your web browser itself store your passwords as a courtesy. That method is not nearly as secure or convenient.
Sharing passwords is sometimes necessary, so take care to do so safely. If passing a piece of paper isn’t an option, texting is, well, okay. A better practice would be to use a website like onetimesecret.com. It generates a hyper-secure link to reveal the “secret” to whomever you send the link. The link and info within are destroyed after one use. Never list both the username and password in the same communication.
Also, I once learned of someone using their social security number as their go-to password. Don’t do that…