Secure Passwords Secure Data
With every website you visit requiring a unique password, it can seem impossible to keep up with. We are joined in studio by Triple Helix CEO Jason Bittner along with Developers Pedro Lopes and Samantha Sheldon to discuss why not only having a strong password is important but…
Transcript
Hello, I'm Jason Bittner from Triple Helix Corporation, and welcome to our Helix Insider podcast. I'm joined in studio today by my colleagues Pedro Lopes and Sam Sheldon, two of our developers, and we're going to be talking to you guys today about security, passwords and the importance of strong passwords, and all of that good stuff. So I wanted to start with password management and why it's important to have something, and the importance of keeping strong passwords. Pedro, why don't you kick us off with what that means to you?

So, in the office setting, typically some companies store passwords in a spreadsheet or even on paper, and that might be a little bit of a security risk, so you want something a little bit more professional. What we recommend is using password managers. There's two types. The first type stores passwords in a key file on your machine, and that's typically more secure. But there's also password managers that store off-site, on a cloud, you know, in a browser, and they usually have better GUIs for people, so they are less intricate to set up. But definitely those are two very good options to keep in mind when picking your password manager. Obviously you want to go online, do your research, make sure they haven't been hacked and they haven't had any problems before adopting them within the company or for yourself. But those are usually the two options that we should keep in mind for that.

Now why even have a password manager? Like, what really drives us to needing these these days?

Well, I mean, security is at the forefront. You want to make it hard for people with malicious intent to access information, access your system, right, the credentials for pretty much the places that your business needs. But more importantly, to make sure that you do everything you can to make sure the data from your company and your clients is secure.

So I think it's worth mentioning that when we first started using the web and computers and accounts and all this stuff, there really wasn't that many passwords to remember. But I think these days we have thousands upon thousands of passwords that we have to remember, and unfortunately because of that people tend to go with something simple like "cat", "dog" or "1234", and "password" is "password", and it obviously creates a huge problem because, yes, you can remember it, but two, it is incredibly easy to break into your systems. Hence the idea of having this password manager where you don't have to remember it; you have to remember the first password to get into it, but then the software takes care of the memory for you.

But what I've noted over the years with passwords is that there actually are a few different websites out there that help you create a password. In fact there are some statistics that say the simpler your password is, the easier it is for a program to break, and I was reading these articles about how something that's a dictionary word with five characters and whatnot can be broken in a matter of seconds by these computer programs. So you want something that's long and strong and something ideally auto-generated that a human wouldn't necessarily guess. I've actually found this website called passwordgenerator.net and we recommend using something like that. If you go to that particular site it actually will generate, well, 16 characters is sort of what we recommend as a minimum. But the reason I like that one particularly is that it actually doesn't generate the password over the Internet; it generates it right there locally in the browser. So if anyone was hacking the data stream of you being on that website, the fact that it's generating the password doesn't actually hit anywhere else other than your own computer. So I think that's incredibly valuable.

Sam, talk to us about some of your ideas. You were telling me earlier about how you had ways of generating passwords that are easy to remember but hard for anyone to guess.

Yeah, so one of the things that I'll do when I don't want to go and grab passwordgenerator.net or some other type of password generation (I know a lot of password managers actually have a tool to generate passwords within them), when I don't want to do that and I just need a quick password, what I tend to do is patterns. I'll look at my keyboard and I'll say, right, I'm going to start from this letter or number and I'm going to do this pattern, and I'm going to pick another and I'm going to do the same pattern again, maybe with some variation, hold shift or something like that. And then I just use that pattern, and all I have to remember is where I started. It means that I can notate it; like, if I need to make one really quickly and I do end up writing it on a sticky note or something, I can just write those five or six characters. I can write "t h f" or something, and that means an entire 12-character password, or however many characters.

Right, and to be clear, you're not talking about just taking your finger and sliding it across the top row of the keyboard like "qwerty1234", right? Because that was a famous password people thought was so secure.

Right. Yeah, no, that's not what I'm talking about. I'm talking about a pattern that uses four or five characters on the keyboard in a pattern that's easy for you to remember as a person but doesn't necessarily mean anything once it's letters on the screen. There used to be a really great website for life hacks, and I believe it was called Lifehacker actually, and one of their recommendations for password generation was actually mashing together longer passwords from things that you remembered shorter, and then actually putting something unique about the site you're logging into on it. So you could have the city you were born in, plus maybe the street address you grew up on, plus the last four digits of the website, some unique identifier about the website or the place you're signing in on. So you've created this really strong password that's easy for you to remember, but because you know your pattern, similar to what you're talking about on the keyboard, you can actually easily create a strong password for something that normally no one would really be able to guess.

So I think that's pretty cool. Yeah, the other thing about passwords, what password managers allow you to do is not reusing passwords, because even more than simple passwords, it's reusing passwords that gets you in trouble. Because if you use a particular password on, say, Twitter for example, and you reuse it elsewhere, if Twitter were compromised and the passwords got leaked, even if they were hashed, you might end up exposing that password that you've used on any number of other services, and if somebody can put together what that password is, then you're in trouble there.

And I also think the most important passwords that you have, you want to cycle through them at least every six months or at least a year, and make sure you're always creating new ones. Because even though it might be just letters and numbers and special characters and not something that is very innate to humans, those still get hacked, so you want to make sure you're cycling them so they don't end up on the dark web or some other place. Staying with the same password for very important things for a long period of time is as bad as having repeated passwords, so you just got to keep that in mind.

No, excellent point. So let's actually talk about why we do this, right? So I mean the whole reason why we secure the passwords and whatnot and go to all this effort is because there has been a real concerted move out there among hackers and fraudsters who would try to take advantage, and the websites that we traffic frequently, and how even something as simple as a department store website (I've got a few in my mind) where you hear about data leaks all the time, and how important it is, what you said, Pedro, about making sure that you're changing those passwords frequently, because they do get hacked. And I read a statistic that said that most major retailers have had a password leak or a flaw, and they've all got to be vulnerable pretty much at least once in their entire history, or maybe multiple times. So the idea that if you think your password's safe because it's with a larger organization or institution, it's really not true. What do you guys think about that? Like, what things should we be thinking of? Like, why the password management matters?

Well, I mean, I think the password management software that you might choose really helps get the bulk of the work done, generating passwords and storing them for you in a way that it's not as easy for people to get access to and whatnot. But I think you gotta have a system in place. The reason that it's important to secure your passwords, whatever, is people can assume your identity, the identity of your company, and cause serious harm to your business and to your clients, right? So it doesn't really go just to your company, but it goes beyond you to your client or your family, and they can cause irreparable harm that it might be easy to recover from.

That's right. We were talking about this, where in some companies people who want to gain access to your funds will actually try to spoof you. I know here at Triple Helix we had an incident where the person was trying to pretend they were me, and they were emailing all of you guys on the staff that, hey, I'm going into a meeting and I need you to go to Walmart and buy some gift cards and take a photo of the back of the card and send it to me. And it's like, that seems so outrageously crazy, but people do it, right? They don't know that their boss isn't the one emailing them, and they don't think that, oh, that's kind of odd he's asking me to go to Walmart and take a photo of the back of a gift card, but, oh, he's the boss, he knows what's best, until they go do this. So I mean the best protection on something like that is to actually not do that unless you have a verbal, just because it's so common. Sam, you were going to say something?

Oh, I was going to say that on the business side the other risk is that if your company gets hacked, your internal emails, they can use those to appear legitimate and email your customers and ask for something that normally would be completely legitimate, hey, can you make a payment, but then redirect said payment to themselves. And it happens to even normally quite secure people. They say, oh, this company that I'm working with surely has not had a data breach, this thing that they're asking for is completely reasonable, and they send it along, and suddenly they're in trouble because it wasn't a real email. So there are sites that you can go on to check if your email address, for example, has any hacks associated with it. I think the site is Have I Been Pwned, and you can plug your email in and it'll tell you, of all of the hacked passwords that have been dumped onto the web, does your email show up among them. And it's kind of scary to look at, because you can see history going back years of where your email has shown up in these data leaks.

Yeah, I mean once they have your credentials it's pretty much done. It's really hard; you're gonna have to go through a lot of hoops, and you might even have to re-set up your server, your email server, and do all kinds of things, and there's gonna be probably data lost. And so it's irreparable damage, really, for most companies.

Yeah, and if you think about your email and how you reset your passwords for most services, you go through your email. So if someone gets the credentials to your email, they, by extension, unless you have two-factor authentication or something similar set up, can reset the passwords through your email and you're locked out.

That's actually a great point. Can you tell our audience what two-factor authentication means? Because that's a fairly recent thing. It's been around for a while, of course, but not a lot of people are using it yet. So what does that actually mean?

Yeah, so two-factor authentication is pretty much what it sounds like. There's two things that you use to authenticate, one of which is your password. So you go to your email and, say, you type in your password, and it says, okay, I see you're trying to log in, I've sent a code to your cell phone, I'm calling you with a code, or I'm sending this code to a different email address, and then you have to put in this one-time code within a certain amount of time. Which means that if someone has your password, they also have to compromise whatever you're using as your second authentication. So they'd have to get their hands on that code in addition to the password, and often that code is time sensitive.

Excellent point. I know a lot of websites too that will actually do two-factor authentication and then they'll say, oh, you should recognize me on this device and not do the two-factor authentication going forward, because it is a bit annoying, now, oh God, I've got to get my phone now. But we highly recommend not doing that, because even though it is your personal device, and like, what are the chances of someone actually using that device and not invoking the two-factor, two-factor is there for the basic reason that these guys will figure out ways of getting around it and actually hijacking either the two-factor signal or code or something like that. So I mean it's there to protect you, so I highly recommend you use it and don't subvert it by saying turn it off on these devices. I would always recommend keeping it no matter what.

Yeah, so I actually have one thing that I'd want to talk about, and that's phishing. Because a lot of hacking is actually not brute forcing passwords; a lot of it is social engineering. You get an email that looks legitimate from a company that you think you know, or a friend or something like that, and it directs you to a website. A recent article I read was somebody who basically, as an experiment, hacked a friend, and I think he sent them a resume. He reached out as a recruiter for some company that they previously worked with, saying, hey, I have this resume from so-and-so, they said they worked with you on such-and-such a date, can you review this and give me a reference? And the link to the document was a fake site that was designed to capture their password, and this person just did it without a thought. They didn't have to hack anything.

That's actually a really common trick too, because one of the things people will do, if you don't remember the password for some site you don't use very frequently and it says you entered the wrong password, what do you do? You try another password. Oh, I didn't use this one on this site, maybe I used this other one, or this other one. And by the time you've realized that it's never going to let you in, you've already given up half a dozen passwords.

That's an excellent point. I've actually seen recreations of popular bank sites. In fact I got one of these emails where the hacking group had meticulously, perfectly recreated the Bank of America website and the login, so you went to this thing and you think you were logging in, and it said, oh, can't log in, username not found, or whatever.

Or, honestly, if you get a communication from, say, your bank or your email or something, don't actually click the link. Just go to their site and log in normally and navigate to try to find whatever it is they warned you about. If your bank tells you that there's a risk of fraud, just go to their site, don't even interact with the link, just go to their site, navigate through it and see if there's actually an alert.

Yeah, the key there is when you're logging into any of these sites, especially if you think the link is actually not right, you need to check the link. A popular tactic is that they'll send you this very official-looking email and they'll say "click here to log in", and the "click here to log in", or it'll be a URL, they'll actually type in the proper URL, bankofamerica.com, but if you hover your mouse over it, it's quite clearly a completely different link to another website, in some other country maybe. And in fact some of those, just by the act of clicking the link, is actually invoking a payload on a virus into your machine. So it's very, very important to check those links: not to click on them, but to hover over them and to see where you're actually going to go. Right, or call them, I mean, directly. Yeah, and don't call the 1-800 number in the email; go to the web and then call the number from there.

So the idea of the importance of strong passwords is: we have so many of them out there, a password manager can help us keep them straight so you don't subvert your security by using simpler ones; the idea of using passwords in some sort of a generated code that only you know, it's sort of in your head; and then of course the real importance of actually having good strong passwords and rotating them, as Pedro said earlier. Things that are really important to you, you should be rotating them regularly, just because if you assume that larger organizations like banks and whatnot are not vulnerable to these things, it's not true. So the things that really matter to you, you need to protect them and keep them safe. Any final thoughts, Pedro?

I mean, I think there are two things that companies need to keep in mind most: the emails and following those best practices, and also, if they have a corporate account with AT&T or T-Mobile for phone services, where people within the company or executives usually use those as two-factor authentication for important stuff, to make sure that they're following best practices too, so they're not vulnerable to people maybe hijacking their phone number or whatever, gaining access into their systems.

Good. Well, I think that's all the time we have for today, so I want to thank my two special guests, Pedro Lopes and Sam Sheldon, for their insights into security and why it matters. I'm Jason Bittner from Triple Helix, and thanks, and we'll talk to you next time. Bye-bye.