In this episode of The PE Geek podcast I share advice around best practice when it comes to your passwords & online security. We talk about how long it takes for a computer to hack a password & what you can do about it, plus much more.
Resources mentioned include:
- LastPass, Dashlane, 1Password
- Facebook & Twitter App authorisation
Press play to listen to the episode below or listen here. Watch this episode on YouTube here. Alternatively, download a full episode transcript here
Jarrod Robinson: [00:00:29] Hello everyone and welcome to episode number 88 of The PE Geek podcast. And as always it’s an absolute pleasure to have you here. Now I’m really excited to be recording this shorter than normal episode, as it’s probably likely to be. And it’s all centering around a topic that you may not think has anything to do with phys ed or anything to do with your day to day life. But I think it really does. We’re moving to a world that is more and more connected, and part of the stuff that we do online, and particularly the stuff that I advocate for, being digital tools and so on, comes with a level of susceptibility to all sorts of things that can go wrong, from hacking and malicious attempts to steal your data and all sorts of things. And even though they don’t directly impact your profession, they may impact you personally if you ever end up in some of these horrible situations.

I wanted to prepare an episode because I do see this happen a lot, with people e-mailing me and talking to me. I get a lot of e-mails from the different tools that we run and the different apps and so on where people are having trouble with their passwords, where they are basically using passwords that just won’t reach the bare minimum of password security strength, and asking if I can make it easier for them to create a password that will let them fill out the form, or wherever it may be. I thought it would be a good idea to dive in, record this episode and share some of the different things that you should be really mindful about when creating passwords, and some of the best practice around that, so that you can hopefully never have a situation where someone is able to get into your accounts or utilize whatever it is that you’re keeping protected with those passwords.

Now I will say straight out of the gate that just having a secure password is not the be-all and end-all for never having one of these situations occur. But it is definitely a step in the right direction, and we’ll talk about some of the other facets that you can add to a password to make it even more secure. Then how I deal with a multitude of other situations that confront you daily, and what you can do to also make it a little bit easier to manage the security and the situations that may happen in your day to day life. So let’s dive into this episode.
Now, obviously all of us have passwords for different things, and some of these probably have a connection with different things in our life to help us remember them, so that we aren’t sitting there trying to log in and having to reset our passwords. We probably have passwords that we use all the time for various services, and some of these passwords are incredibly important, like your bank details and so on, and it’s probably likely that you’ve put in a variation of something common that you use, and you may add in a special character and a number or something to make it match the required minimum of whatever service or entity it is that you’re signing up for.

But in reality this is probably not good enough.

Just to give you a bit of an idea, the top 10 most popular password types around tend to fall into categories such as a pet’s name, a significant date (wedding anniversaries etc.), birthdays, kids’ names, family members’ names, your birthplace, favorite holidays, your football or sports team, partners’ names, or in fact, as terrible as it is, the word “password”. These are common constructions of popular passwords that people use, and the common practice would be to put in your kids’ name and then some number that might be their birth date or your birth date. But the problem is that using this sort of approach really minimizes the amount of time that it would take for someone to use a brute force attack and get access to whatever your details were, in particular if they happened to find other bits of information that they could use, such as e-mails or other letters or correspondence that had your name and your partner’s name and kids’ names on it. Then this information drastically reduces the amount of time that they need to effectively get access to your material.
Now one of my favorite websites is howsecureismypassword.net, and you can go there and you type in your password. It doesn’t actually capture your other details. It’s just that you put in the text that you use for your password and it will tell you the amount of time that a computer would need to hack that using a brute force attack.

Now, basically a brute force dictionary attack is the computer that’s doing the cracking running through a script of, firstly, popular passwords that people use, and then just trying them over and over and over, and then, yeah, eventually getting a result.

Now, the good thing about a lot of these services that we sign up to is that they simply would not let you do a brute force attack on them. So, for example, if you get three or four password attempts, it might lock you out for a period of time. So, with that being said, there’s a lot of protection built into the services that we use these days that goes to protect us.

But I still find it fascinating, because the password that I used for many, many years, that I thought was brilliant, it was a variation of a couple of things and it had some special characters and numbers in it. If I typed that into howsecureismypassword.net it quickly worked out that it would only take about a minute for a computer to hack that password, which isn’t a lot.

Now, like I said, brute force attacks aren’t going to happen on web based services, because the servers will probably recognize that and lock out whoever it was that was doing it, but your computer could very well easily be locked by one of these passwords, and very quickly it could be opened up, and then obviously all your other passwords are stored inside that. So, it’s a serious concern.
But if you simply take a variation and add in a special character, just another special character to the one that I had previously, it takes it from one minute to one day, and if I put in another number it goes to two months, and I put in another special character and all of a sudden it’s at 11 years. Put in, let’s say, two more characters and we’re at exponential sort of time now: it would take two million years for my current password, which now is comprised of one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen characters. It would now take two million years for it to be cracked. So, the real lesson here is that it’s not really a combination of difficult words or complex structures that makes a password secure, it is the length. This comes from all sorts of academics and people who are specialists in security, and a longer password is usually better than a more random password. Something like 12 to 15 characters long, in fact even longer passwords that are all lowercase, can be way more beneficial than trying to come up with some sort of alphanumeric gibberish that is a shorter password.

So, what you should really be doing is trying to come up with some sort of word or phrase that you can easily remember that, strung together, makes quite a long sentence, and then it becomes quite secure.

So, basically, to test that, if you had a series of words: apple, banana, pear. Apple, banana, pear strung together is 51 years. If you just kept putting together a series of words and chunked them and created what’s more commonly known as a passphrase, then you would exponentially increase the difficulty of that password, and all of a sudden you’ve got a very secure password. So, apple, banana, pear, plum would take 23 million years to crack, and it’s just a combination of words together.
Now you might be saying, well, what about just using all my kids’ names or all my family members’ names? Probably not smart, because anyone who is trying to leverage and get your identity may be able to easily get access to those things. So try and keep it weird and try and keep it long. If you can keep it memorable with these passphrases then it’s certainly going to serve you really well.

Now, a couple of other little tips that you should consider: don’t bunch special characters; if you’re going to use them, put them throughout, but they’re not as important as keeping it long. Make sure you change them often. Not too often, but try and change them often, so that if for whatever reason people are able to find them out, then it’s going to be changed by the time that they get around to hacking it. Try and layer up your password login. So, what I mean by that is, if the service that you’re using offers two-step login, you need to make sure you put that on. Two-step would be you enter your password into the bank and your bank sends you a text message and you’ve got to put a code in, because that exponentially again makes it much more difficult for you to be hacked, because now the person needs to have your phone, they need to have whatever it is to log in to your phone, and even know your password, and they need to be in that time and place for that to happen. And that’s far less likely than just having a password. So, any service that you can do it on, you should do it, and you should turn it on.
Now, one of the, I guess, biggest risks that we take, outside of using really basic passwords, is authorizing other websites to log in and give out our information. We basically do that all the time whenever we log in with Facebook or log in with Twitter or log in with any of these other services, where you can say, alright, log in with Facebook, and then all of a sudden you’ve created an account and you’ve not had to enter in your details. It’s really quite good, but it’s also a risk. So if you want to check out what services you’ve enabled with Facebook, then all you need to do is log in to Facebook and, in the top right, hit the little dropdown and select Settings, and then you can go and click on Apps, and you can see all of the services that you’ve enabled so that you can create an easy account.

Now, most of these will actually be quite good, in that the only information they were after was your e-mail address, but some of them are more robust and they’re actually after your friends list, they’re after all sorts of stuff, so that they can invite your friends to whatever the service is that you’re using. The common thing is games on Facebook or whatever. All of a sudden you get invites from those game places, and they may be a little bit annoying when you keep getting Candy Crush invites or Farmville invites from your third cousin. But the problem is that over time we build up this complete library and database of people that we’ve said, okay, they can find out more about us, and that can get out of control. We should definitely go and audit them from time to time, just to make sure that we still know who those services are, and turn them off if we decide that they no longer need access.

So, I’ve logged into my Facebook backend right here, and I’ve authorized 225 applications or websites or services to use my account. Now, in most cases all they are after is quite literally the name of my account, my personal details, so that they could create a profile for me quite quickly. But you know, that’s probably not even needed for many of these services. I look through them now and quite a few of them no longer exist as services, so I probably can go through and revoke quite a few, and if it turns out that I still need some, the next time I go to use that service it’s not too difficult to be able to resume. So, that would be the first little piece of advice for you to go and check out: go and check what services are connected to Facebook or what services are connected to Twitter. Review whether you actually need those services any more.
And the other action item would be to go and have a think about your passwords and put them into that howsecureismypassword.net and find out whether or not adding a few characters would increase the difficulty of those passwords being cracked. Aside from that, adding in a two-step function so that you get a text message whenever you try to log in to an important service.

Now, aside from that, obviously there is a lot to think about, there’s a lot to remember, and as we know it’s not good practice to use the same password on all your sites. So a common thing that people will say to me is: that’s great, Jarrod, it sounds good, but I don’t want to have to remember 52 different websites’ passwords, because I’ve tried to make them all different, I’ve tried to make them complex enough, and now I spend all my time trying to remember my passwords. So just to prevent that, I write them down in a little file and I hide it in my computer, or it’s written on a piece of paper and it’s stored in a cupboard at home.

And I mean that’s possibly the worst thing that you could do. And I mention that because that’s exactly what my mom was doing. She was creating these passwords for different entities and she just had them stored in a cupboard in the house, so that if someone randomly managed to come into our house they would see the bank, the password for it. It wasn’t even cryptically presented so that random eyes would not be able to tell what it was; it was written in a way that anyone could pick it up and log in. And I don’t think she’s alone in that. There’s lots of people that have similar practices, maybe a Word file on their computer where they store their passwords, and literally all it takes is someone to search on your computer for the word “password” and that file comes up and then all of a sudden they are in it. It’s really just not smart at all.
So there’s a couple of tools that I use that make it easy for me to store a variety of passwords across all the services I use, but most importantly keep them safe. The tool that I’ve blogged about before is called LastPass. LastPass you can get as a free account. I have the paid version, which has a few features that I’ll talk about in a moment; it works out, if you get it, at $20 a year or something Australian, not much at all. Or an equivalent tool is 1Password, with the number one; they both do the same thing, and there’s a few others like Dashlane etc. But I find that a lot of people are either using LastPass or 1Password, and they both really do the same thing.

So what they do is you install the password extension in your browser. So for me it’s LastPass, and I have a little extension that sits in my browser so that every time I’m browsing sites it’s accessible. Now if you register for a new service or a new website, what it will do is prompt you and say, would you like to save this password? So the minute you’ve registered, it pops up and says: website URL, you’ve put in your e-mail address, whatever details you used to register, and the password that you entered has been captured, and you say save and it stores it in your password vault, as it’s known on LastPass.

Now that password vault has a variety of different features, because it will store all of your passwords under one master password account. So you unlock your password vault by logging in with a password, that’s your master password, and in that you get access to all of the sites that you’ve stored in your vault.

Now it’s usually at this point people say, well, that doesn’t sound very smart, because if someone gets hold of your vault password then all they need is that and they can log in and find every password that you’ve got. So how is that any better than having just a piece of paper sitting in your house? But the answer would be that it’s much safer, because if someone did happen to get hold of your vault password and they logged in on their computer or their phone or wherever it may be, they would still have to have your mobile phone so that when the passcode came through they could enter that in.

Now, let’s just say for example they did have that: they were sitting at their computer, they’ve stolen your phone, they had your vault password, they logged in, they got the PIN code that came through on the text message and they typed that in. They would still not be able to get into your vault, because LastPass, or the other services that you subscribe to that do this, would recognize that their computer was not your computer, and it was a completely different device, and it would send you an e-mail to basically click a button and confirm that you had actually authorized those things to take place. So, it’s pretty much a three step process then, so that if they didn’t have access to your e-mail or wherever it was, then they wouldn’t be able to click that. So, at the end of the day it’s the three step approach that really protects the passwords. If somehow, for whatever reason, they still managed to get in, then that’s pretty unfortunate, because you could go and reset your password for your master vault and then obviously you would protect all the passwords that were inside it. So LastPass has been really quite amazing for me, and the best part about it isn’t that everything is secure, it’s that I never need to type passwords in. So once it’s in my vault, if I ever end up back at that site and I hit the login button, it’ll automatically pre-fill my email and my password and I just have to hit sign in. I don’t even need to know what the password is for that site.
In fact most passwords that I use for websites, I don’t even know what they are. So when I’m signing up for the service I will use LastPass to generate a 32 character long password of random words and phrases, and that will become my password that gets saved in the vault. Then whenever I go to use it I don’t even have to see the password. I just need to know my password vault password, which is a nice long password, and then I have these random passwords for every single service. In fact some passwords are so long that I’ve signed up to a few services and they’ve actually said, can you please use a shorter password, because the password I had entered was too long and complex.

So the answer to most of the questions that we’ve spoken about today is to start using a password manager. I use LastPass; 1Password, Dashlane and quite a few others that you can use also work on your phone, so that no matter what device you’re on you’ve got the ability to log in to places seamlessly.
It’s a really exciting time in terms of being able to ensure that your safety is as safe as possible. At the end of the day nothing is guaranteed, and you need to obviously exercise some common practice in there as well: if you do use these services then don’t just leave your phone sitting out open and ready for someone to come in and use it.

The other cool aspect of most devices these days is that they often require some biometric login as well. Obviously my phone uses my fingerprint to open it up, and no matter what, no one’s going to be able to really get that unless they can get a copy of my fingerprint somehow. So, we’re getting to a point where it’s becoming a lot safer to work online, but unfortunately many of the people that I talk with and speak with are still using practices that are just not going to cut it in today’s day and age, and it’s just far too important. You don’t want to be in a situation where you’ve lost your account to someone who’s interested in doing you harm, because that’s just going to impact your day to day and then obviously your teaching. You’re just going to feel like it’s the worst possible thing that could happen, because more and more stuff that we do these days is invested in and connected to digital devices. It’s critically important, go and get it right.

If you’re sitting here and you’ve listened to this and it’s sounded obvious, great. Hopefully you’re already using many of these practices in your life. But I know that there are plenty of people that are not. So the takeaway is to really go and actually act on what I’ve mentioned here. I mean, I’m not an expert, but I’m just talking about things that I’ve implemented in my life that have made it easier for me to manage complex passwords and stay more secure. And that’s something that you can do too, with a password manager and just with some common practice around not using the same password for each site, using longer words, even if they’re very simple phrases chunked together, and just ensuring that you regularly update it as you need to.
Okay, hopefully that’s been useful. As always you can get a full word for word transcript over at thepegeek.com/ followed by the episode number. So if you’re listening to episode 88 then /88, and you can get the transcript and all the show notes and links to things that we’ve spoken about. If you have any questions then you can also download the mobile apps and contact me, or press the contact chat button on the page that you might be listening to this podcast on. There’s a million different ways to contact me these days and I’ll be more than happy to answer your questions. So we’ll speak soon, and I look forward to seeing you again in the next episode. Bye.
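The episode’s length-versus-complexity argument, worked through as numbers. This is an example added by the editor and is not part of the podcast or its transcript: it estimates the keyspace an attacker has to search under three models (blind per-character brute force, a word-aware attack on a passphrase, and a pattern-aware attack on the “kid’s name plus year plus symbol” construction), then converts each to an expected crack time at two assumed guess rates. The guess rates, the 7776-word dictionary size (the Diceware list), the name count and year span in the pattern model, and the candidate passwords are all constructed assumptions for illustration, not measurements.

```python
import math

# Character-class sizes for the keyspace estimate. Assumption: the attacker
# already knows which classes the password draws from, which is the usual
# brute-force model and roughly what per-character strength meters assume.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guess rates are assumptions for illustration: a rate-limited online login
# form versus an offline attack on a leaked list of fast, unsalted hashes.
RATES = {"online, throttled": 10.0, "offline, fast hash": 1e10}


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def random_chars_bits(password: str) -> float:
    """Entropy if every position is an independent random pick from its classes.
    This is the blind brute-force model: exponential in length, which is why
    each extra character in the episode multiplied the crack time."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from a dictionary.
    A word-aware attacker searches this space, not the per-character one, so
    the number of words (and that they are random) is what counts."""
    return word_count * math.log2(dictionary_size)


def structured_bits(name_count: int, year_span: int, symbol_count: int) -> float:
    """Entropy of the 'name + year + symbol' pattern when the attacker guesses
    the structure: only the three slots vary, not every character."""
    return math.log2(name_count * year_span * symbol_count)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the secret is found after searching half the keyspace."""
    return 2.0 ** bits / 2 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def report() -> list:
    """Constructed candidates mirroring the episode: a 'kid's name + year'
    password scored both ways, the apple/banana/pear passphrases, and a
    manager-generated 32-character random string. Returns (label, bits)."""
    return [
        ("Ruby2008! (pattern known: 1000 names x 100 years x 33 symbols)",
         structured_bits(1000, 100, 33)),
        ("Ruby2008! (blind brute force, 9 chars, 4 classes)",
         random_chars_bits("Ruby2008!")),
        ("applebananapear (blind brute force, 15 lowercase)",
         random_chars_bits("applebananapear")),
        ("apple banana pear (3 random Diceware words)", passphrase_bits(3, 7776)),
        ("apple banana pear plum (4 random Diceware words)", passphrase_bits(4, 7776)),
        ("6 random Diceware words", passphrase_bits(6, 7776)),
        ("32 random printable chars from a manager",
         32 * math.log2(LOWER + UPPER + DIGITS + SYMBOLS)),
    ]


if __name__ == "__main__":
    for label, bits in report():
        times = ", ".join(f"{k}: {humanize(expected_crack_seconds(bits, rate))}"
                          for k, rate in RATES.items())
        print(f"{bits:6.1f} bits  {label}\n             {times}")
```

Two things the table shows that the strength meter in the episode does not. First, the “name plus year plus symbol” row drops from about 59 bits to about 22 bits the moment the attacker assumes the pattern, which is the leak-of-personal-details scenario the episode describes: at the offline rate that is a fraction of a second. Second, a per-character meter scores “applebananapear” as 15 random lowercase characters (about 70 bits), but an attacker who tries dictionary words scores three words from a 7776-word list at about 39 bits; the way to make a passphrase hold up against that attacker is more words chosen at random, which is exactly the chunking the episode recommends, and a manager-generated 32-character random string (about 210 bits) is out of reach under every model.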