Password Management

Dave Hodgdon and Steve Ripper from Portsmouth Computer Group discuss password management and what you can do to keep your work and personal information secure.

Mike: The Morning Information Center, all powered today by Portsmouth Computer Group with convenient locations in Portsmouth and Dover and Manchester, Portland, Maine. You can check them out pcgit.com. We’re going to talk a little bit about password management today.

Dave Hodgdon: Exciting topic.

Mike: So I can’t use that one, two, three, four, five, six password?

Dave: No, one, two, three, four, you know, change one digit every time..

Mike: I can’t do that?

Dave: Dog’s name, your kids’ names. No.

Importance of Passwords

Mike: Because what we want to talk about today is password management, Steve, and you know, and what employees need to be doing to access all of their applications, websites and social media outlets at work. And now probably even more because people are still working at home and everything else.

Steve Ripper: Yeah. So passwords are the keys… Like, so you have keys to your house, you have the garage door opener, the ways into your house, passwords are the ways into your data. So if you don’t have good passwords, people can get at your data. It’s very simple, you know, and the real thing, we’re going to try and scare you today. That’s our goal. We’re going to scare you. Dave is all lined up with statistics that are scary, scary, scary.

Mike: Is it Halloween already?

Steve: But if there’s one thing… I’m going to hand it off to him, but if there’s one thing I can get across to everybody, do not use the same password for everything. We’re going to tell you why. Right, Dave?

Dave: Exactly. And especially in compliance, how we’re working remotely, passwords, as Steve says, one of the easiest ways to break in. So a couple of statistics: 81% of breaches are for a weak password policy, 81%.

Mike: 81% of hackers get in because the password is weak, weak, weak passwords. All right.

Dave: 7 million is the average of a data breach, 7 million buckaroos. That’s a big one.

Mike: That’s what it costs, you mean?

Dave: That’s what it costs for a company…

Mike: On average?

Dave: On average of a data breach. Think of some of the big ones, here’s a big one though. The average user has only four passwords. Mike how many do you use?.

Mike: How many passwords do I use?

Dave: More than four?

Mike: Oh yeah. Yeah.

Dave: Good, good, good.

Mike: I can look at my lockbox right now and I must get at least 15.

Steve: So, you’re way ahead of the curve, Mike, that even that you have a piece, that you have a software package that manages your passwords for you. You know, so many people don’t do that.

Dave: Cause the average person only uses four passwords.

Mike: Well I can’t remember that.

Dave: No, exactly.

Mike: I mean usernames and passwords. I mean, come on.

Dave: Sure. That’s why you need a password manager. But think about that. Think about that password on my phone right there.

Mike: You’re a busy guy. You’re a busy guy. Do you need to take that? Is that from the president?

Steve: He’s coming today.

Dave: He’s coming today.

Mike: No, he’s not coming today. Saturday.

Steve: Saturday. He might be. Let me call Dave to see him. You know, so, but that’s what people do. They can’t remember their passwords, Mike. So they use the same one. Or they add like an exclamation point and use it over again. Right, Dave?

Dave: Right. No. So think about that for 40 sites, they’re doing that. Many of these are not complex. We talked about the temp. one, two, three, four. We were surprised when people bring their PCs into us, we ask what their password is and they look at the piece of paper and say password.

Steve: It’s not hard. It is not hard for hackers to figure out who your grandchildren are. Like, it’s not hard for them to figure out the first names of your grandchildren.

Dave: Yeah. So we’ve always called these guys the bad actors, the cyber criminals. So, they’re thriving on this and we’ve talked about ransomware being on the upswing. So we’re here to talk about why you as a company need to have a password policy in place and on your acceptable use policy, because this is how they get in.

Password Managers

Mike: So you’ve mentioned things like a password manager. So what are we talking about, a password manager? Is this actually, is this a person?

Steve: No. Well, it would be great if we could all have personal assistants and we just kept like, “Hey, you know, Tom just make me a new password.” No, but a password manager is a software piece, a program that you can either have on your phone, like you do, Mike. You can have it on your PC. You can have it in many locations that you enter the passwords in. Right? So it’s going to keep them securely in the password. You can access it generally online. So you’re also protecting yourself, right? If you have all your passwords and your, your hard drive dies in your PC, you still can get out your passwords. It will generate new passwords for you. That’s a really nice feature that a lot of people don’t know.

Right. So, cause a lot of people will struggle at the moment, this program, the bank, whoever, Amazon is asking you to create a password and people freeze at that moment, what do I do? Right. So they can’t think of one. They can’t think of one. So they end up putting their grandchild’s name in, their dog’s name in. Right? So anyone can go on Facebook and figure out what your dog’s name is. There’s a hundred photos of your dog on Facebook and you’ve written the name in a hundred times, right? So password managers generally have a button in them that you can hit that will make a complex password for you. Okay. It may not one that you like, it may be hard to remember, but that’s the whole point as I always say, and I’ve said this on the show before, if it’s easy for you, it’s easy for the bad guys. If it’s hard for you, it’s hard for the bad guys.

Mike: But even as complicated of a password as that password manager program might give you, you’ll know what it is though, right?

Steve: So the password manager will save it for you. So that’s the whole point. Is that…

Mike: You don’t even have to remember?

Steve: You don’t. You don’t.

Dave: That’s the best part. And a lot of the password managers, not only is that password very complex, but they’re going to use, we spoke about the MFA or the two factor authentication. It’s going to confirm that. So you’ve really made it tough, a lot harder for that bad guy to get into you.

Mike: Interesting. All right. So I shouldn’t use the password of one, two, three, four five exclamation points now.

Dave: And I think one of the biggest parts about this, Mike, is for compliance. More and more businesses are coming that, especially in manufacturing, HIPAA, legal, that from a compliance standpoint, they’re looking for these companies to make sure that they’re protecting the data, the assets that they have and they’re asking as part of the compliance checklist: do you have a strong password? Are you using two- factor authentication? Do you have a solid backup? So having a strong password policy really enables you to meet and check off that compliance check box.

Mike: Yeah, yeah. I’m just looking at the possible passwords that I have now. I’ve got Amazon, I’ve got Associated Press. I have my Apple ID. I have my laptop here, my personal laptop. Let’s see, my email, my Facebook, my bank accounts, Hulu…

Why You Should Not Use the Same Password

Steve: So, that’s a really good point that you’re bringing up, Mike. And this is what I always tell my customers. Right? So if you use the same password over and over again, and then you fall for a phishing scam that we’ve talked about on the show before.

Dave: Oh, absolutely. Yeah.

Steve: If you fall for one and the bad guys get that password, the very first thing they’re going to do is run that password against every other thing out there. So, if you fall for the phishing example and your password is temp, one, two, three is, as Dave has said, it probably isn’t, but let’s say it is. They’re going to run temp one, two, three against Facebook, Amazon, a whole host of banks until they get to your bank site, right? JetBlue, your mortgage, Wells Fargo, right? Anything credit cards, right? All of these things, they’re going to try that password.

And if you use that password again, they are into that system. So if you’re using the same password and you get breached, you are breached across everything you do.

Dave: And we spoke about that, Mike. Remember we talked about the dark web side of it. This is where they’re selling that stuff. So once they potentially have that password, they are selling that for such short money. And then all these bad actors or hackers are just trying any way of that format just because they have the one password, they’re going to try every other digit similar. And they’re going to keep on trying until they find a way in.

Mike: I have to ask you who are, and I’m being very serious about this. Who are these people that are the hackers? Are these people in our country? Are they people from overseas or around the world?

Dave: Around the world.

Mike: Around the world.

Dave: I look at it as a form of the mafia. I mean a lot, a lot of it is just people trying to make money.

Mike: Really? Okay.

Dave: A lot of it is very, very organized and a lot of money in the backend.

Steve: In many cases, unfortunately, they’re ex-IT people. They’re someone like myself, someone like Dave, who, who was in a company, who was in the industry, who understands the industry. And then they started, I mean the dark side, we call it the dark side within, within the IT industry. But they’ve already gotten good at security. They already know how things work. You know, I come on the show all the time. I talk about how servers work and, and passwords and security complexes and everything else. So many of these people are, are people who learned all those things and then went towards trying to make money out of it.

Mike: Yeah. Interesting thing too, is that you’re talking about phishing scams. I just bought something recently on Amazon, actually. I do a lot of shopping on Amazon. I have my account there, but I’m very careful about what I do. I have a very careful password and, and everything is discrete and secure. But I got something yesterday, which kind of, kind of funked me out a little bit and it was, it looked like Amazon and I didn’t check it out. I didn’t click on it all. It said there was something wrong with my payment, but yet my payment went through and I had nothing wrong with my payment and I got my item already, but yet there was something Amazon sent me something about…

Steve: You have to be careful.

Mike: Yeah, whatever my card I used, whatever I used was not valid or something along those lines, it looked and it came like, look like on Amazon stationary, you know, on your, on, on your, on your desktop. And I said, this is weird because I’ve already gotten the item and it’s already paid for. So I don’t even know why I’m getting this.

Dave: But you’re doing exactly what we want you to do. You thought about it? I’ve already done this.

Mike: I mean, I deleted the whole thing, right? Yeah. Cause it made me think that why would I be getting this?

Dave: I’d rather get a second email from saying you still owe the money. So, I mean…

Steve: In any cases, make them come at you a second time and then you can start to go, okay, this might be real. Amazon sent me again, but deleted it the first time.

Mike: The thing was, I had already received it and the order went through and I had a tracking device on it and stuff like that. And it said here’s the order, here’s what we got, here’s where it was sent, and you received it. And I did. And it was paid for. So I don’t know why I got that. So I kind of felt… I didn’t fall for it, but I knew about it, but it came exactly looking like Amazon, like an Amazon statement.

Dave: No, you’d be surprised. Some of the requests we get, probably the number one help desk request we get is “I forgot my password”, “I need a password reset”. So think about that. If you’re a company and have IT support that having a password manager will help eliminate a lot of that noise. Because so many people forget their password and they get locked out. So having that password manager is great. Not only, not only personally for you, but for your business to store all those complex passwords and having the ability to get you to what you need in a way. And they also allow you to, let’s say you might have some accounts that are shared, that you might as a group need to get in. So you can have a team password. You know, a lot of times we might have a password for a customer. That’s the master password.

Mike: Yeah.

Dave: And our group might need to share that. So it gives you the ability to share that too, as a team, which is important.

Phishing and Other Scams

Mike: Let me ask you this. Do you sense that the more people shop online or use a lot of the same common sites? Are they more at risk for being hacked into?

Steve: We call that an attack surface, the larger your attack surface is, the more chances of you getting breached. Okay. Because there’s , aside from phishing, phishing is a very, the biggest way that people try to get, they try to trick you into giving them your password.

Mike: Yeah. Right.

Steve: But they can also do what’s called brute force. They can use programs that can just, so they know you have a Facebook account. So they will just, they will just attack the Facebook interface with your username. Okay. And then just try to use a computer to figure out what your password is by constantly running through all the digits.

Mike: Gotcha.

Steve: And all the combinations. So the important point that I want to make here is, a six length password. Six characters in the password takes them on average to brute force that about five to six hours. Not a long time at all.

Mike: No, not at all.

Steve: …worth it to them. Okay. A 12 character password takes them, on average, five years. Okay. Five years from the minute they start till the minute they will actually be able to brute force, get the actual 12 character password. Okay. So, it’s not worth it for them to stay on that, to try and figure out a 12 character password, but a six character password, a five character password is almost not, it’s trivial for him to brute force. So that’s not even them tricking you. They just banged against it with a program, and let a computer just work on it. And then they just, they just keep running through and they’ll use what are called, they use algorithms. The algorithms will be like all of the biblical names, right. So they know that you probably used a name. So they’ll just apply biblical names.

And if they get hits on that, it even gets easier. Right. So if you used something like your grandchild’s name, it’s going to be even easier. But six, five or six characters, on average, five to six hours for them to do that. So that’s worth it to them.

Mike: Wow. That’s amazing.

Steve: Anything over 10 characters, we’re talking years. They’re not going to break it. So, so you have to think like that, man, it’s painful that I have to have all of these characters, Dave, and numbers and letters and then have them be 12. And it doesn’t mean anything to me. How can I remember that? You get a password manager and you put it in there and you have it be completely random and completely long and you’re safe.

Dave: And they change those too. So they’re auto-generating that right there.

Mike: Interesting. Interesting.

Dave: The average cost for a password manager to think about buying insurance is about $3 to $5 per user month, which is very short money. Just think about what it just takes for one potential-

Mike: Worth it. Well worth it.

Dave: $3 to $5 per user to have a password manager. You’re meeting the compliance. You’re making it easier on your staff. It’s not frustrating that you can’t… When a person can’t get their password, they can’t get their email. You hear it on their voice from their calling. “I can’t get in my password” and they’re blaming us. It’s not our fault.

Mike: Final word, Steve, tonight?

Steve: You know, I say it, I’ll keep banging hard on it. Just don’t use the same password over again. You are making their job the mythical day, the very bad people out there. You’re making it so much easier for them. You’re making it so much easier.

Dave: And I just, password management is the ultimate cyber security and productivity application every user can use. So as a business out there, think about putting one in place, Mike, and you will help your employees and meet all your compliance requirements.

Mike: And you can call PCG today at 431-4121, that’s 431-4121 or visit them at pcgit.com. Good to see you guys. Welcome back, back in the house. Good to see you. Be well, stay healthy, my friends, it’s a five before eight tech Tuesday here on News talk 98.1. Our thanks to Dave and Steve from Portsmouth Computer Group today.