Are Your Passwords Safe and Secure?
Dan: And good morning. It's 8:30. In the studio with me, I have Sam. Good morning, Sam.
Sam: Good morning. How are you, Dan?
Dan: I'm doing great, sir. And Jason. Welcome.
Jason: Good morning Dan, how are you?
Dan: I'm doing actually pretty good considering the lack of sleepinitis that I've got. 3:00, did you guys get that little zing this morning at 3:00 for the tornado?
Jason: Woke the whole family.
Dan: Boy, it was loud. Wow, man. But it's a coffee day. What can I say?
Dan: It's a big coffee morning for me. Sam's back with us again from out of town. So welcome back, sir.
Sam: Thank you, yeah. I've been traveling a lot. It was three degrees up in Northern Michigan on Thursday when I was there.
Dan: So, now you're back and you're bringing it down to 35 degrees here.
Sam: It was a lot better when I got back here.
Dan: Thank you, sir. Oh, by the way, we haven't said, but it's a Bit-Wizards, the tip of the wand this morning. Our show going on. So, let's go ahead and just get started, shall we?
Jason: All right.
Dan: Okay, let's do it.
Announcer: Bit-Wizards: bits and bytes.
Dan: What do you got for us this morning, Sam?
Sam: So, our bits and bytes section is where we talk about tech news that we think applies to the people who are listening, especially small, medium-sized businesses. And the big one in the news that I saw this week was that Ring camera doorbells, they make doorbells and just internal cameras for your house for security, that there was a big news article that they were breached this weekend. And there were two incidents that happened: one was in Mississippi where someone had managed to hack into their Ring camera, this family's Ring camera. They only had it for four days and they had put a Ring camera in their little girl's bedroom so they could keep an eye on their kids remotely kind of thing. Well, this person hacked in and started talking to their little girls, which of course freaked them out, very much so. And then, there was also an incident in Florida where someone also did the exact same thing, got in and started yelling racial slurs at a family in Southern Florida through their own Ring camera system. So, this has kind of been going around a little bit because a lot of people do have Ring doorbells. They're very, very popular. They're like a hundred bucks or a hundred and fifty bucks, so not super expensive to be able to have this intercom at your house and be able to see who's at your door and everything. Very popular. I have one. I think you have one, right, Jason?
Jason: Yeah. I think we all figured it out that we have them.
Dan: Of course you guys have one. Are you kidding me? You guys are all techies. I'm sure you got all the latest and stuff, but anyways, we were talking about how you could get around that to prevent that.
Sam: Oh, absolutely. Because even though this made really big news, because it is a little bit freaky, you got your little kids in the house-
Dan: Oh, yeah. It's very disturbing.
Sam: ... Somebody jumped in, it turns out that they weren't hacked at all. What had happened is in both of these cases, the people who had set up their Ring account had just used a password that they've used elsewhere or one that had already been leaked on the internet to something else. And so, all somebody did is they went online and found where this family had used their email address and their password and they weren't just targeting this specific family, they were just looking for anybody. And somebody wrote a little program and what it does is it just keeps testing Ring's website with different usernames and passwords that they found elsewhere. They're just kind of going through a long dictionary of usernames and passwords. You can buy the program for six bucks on the dark web, so they can guarantee you'll find your way into somebody's Ring account for six bucks. But the way it works is, they're just looking if somebody's already been breached. I know T-Mobile had a big thing where their user data was breached or the Home Depot famously or Target, all of these people have had this thing where like, "Oh, sorry, everybody. Your username and password has made it onto the internet." And most of us just really think, "Oh, well that really stinks." And then, that's about where we leave it. Well, what had happened is someone was taking this treasure trove of usernames and passwords and trying them on Ring's website and every now and then, one of them would work. And as soon as they got into Ring's website, at that point they were able to then log in, see any of the cameras, any of the doorbells, all of that kind of stuff. Which is a little scary because I believe Ring also makes a smart lock system where you can unlock the door remotely or re-lock the door.
Dan: So, that'll make it even worse because if they found out where you lived, they could unlock your door and help themselves.
Jason: Right. And I was actually guilty of using the same password oh, about six years ago. And I'm not sure if you've ever heard of the site, Have I Been pwned?
Dan: No, I haven't.
Jason: So, you can go on this website.
Dan: What is that?
Jason: So it's I-A-M-P-W-N-E-D.com.
Jason: You can punch in your email address and it will tell you if you have been a victim of a breach. So, your Capital One card, your account, things like that, if your information is out there on the dark web. Well if it is, you should really take a look at changing your passwords.
Jason: So I mean, I went through and I changed all my passwords. Well, I made the same mistake and changed it all to this, a different password. But it was all the same across the board. So, and this is five, 10 years ago when that was the mindset like, "Let's just make it really complicated." Well, that doesn't work anymore because if you get one of my passwords back then you would have had access to everything.
Dan: I think a lot of people probably do that because it's hard to remember all those passwords.
Jason: It is extremely difficult. Well, it used to be.
Sam: Absolutely. So, what Ring are really asking people and Nest is the same way. You may have heard of the Nest thermostats where you can just tell your Alexa device, "Set the AC to 72 degrees" and your wife says, "Set it to 75" and then you say "No, set it back to 72." You get to go back and forth. That's a fun little game. But Nest does the same thing. Ring are doing the same thing. They're all asking, "When you log in, please set up two factor authentication." Which all it means is, it's asking for your cell phone number. So, you put in your username and your password like you usually do. I would still recommend resetting that password if it's something you've used elsewhere and create a brand new one and save that. But then, it asks for your cell phone number and it sends you a quick text message with the little code in there, six numbers. You punch in those same six numbers into the app so that it confirms, "Yes, this is definitely you." And now, anytime someone tries to log into your account from a different device, it's going to shoot a text message to you first and just say, "Hey. We've got the right username, we've got the right password, but before we let this person in, let's be smart about this and just make sure that it really is you." And I'll tell you, this happens to me every now and then where I'll get a little pop-up on my phone telling me someone's logging into my account and they have the wrong password, but they tried it. And I'll get an alert about that. Or sometimes, it may be someone's on my computer at home or something and they try to get in and it'll pop up and say, "Are you going to let them in?" And I don't accept it at that point because I'm not there to see the login. But that second two factor authentication is a really big deal.
Dan: That sounds really secure.
Sam: It does. Because if someone wanted to hack into your account at that point to look at your video cameras in the house or whatever that is, they would not only have to be able to find your username and your password, they would also have to somehow get access to your phone at the moment that they're trying to log in, get the code off of that phone because that doesn't go anywhere else and then somehow remove any trace that that happened at the same time to be able to get access to it. And then even then, if they were able to log in that way and somehow sneakily get in, for them to even be able to change the password to something they want it to be, they would still have to re-authenticate again with your username and password and another one time code that would be texted to your phone. So, it makes your account a lot more secure. Now, what this breaks for a lot of people is they like to share their accounts. So, "I want Granny to be able to see the grandkids, so I send her my username and password to get into the Ring doorbell system." And so, they have systems for this in place where you can share your account without having to give up your username and password. All it does is send Granny an opportunity for her to put in her own username and password to pick it, and then she would see your devices. But it's better than actually just giving somebody else that same username and password because it wouldn't be any good to them anyway once you've got it set up to where you have to log in with your phone.
Dan: Okay, I see that. So actually, I have my insurance with USAA and every time I go in there, they have to do that authentication for everything. So, that makes me feel pretty good that it's secure. So, if Ring does the same thing, people should really take advantage of that.
Jason: They should, but it's not set by default for a lot of different services and accounts. So, you actually have to turn it on.
Dan: Oh. So you have the option to use it or not use it.
Jason: Correct. And you know, we always say, "Security is not convenient." And-
Dan: That's true.
Jason: ... It just isn't. So, you have to pick and choose really your battles. Do you really care if anyone gets into your Facebook? I personally don't. So, I don't have it turned on on Facebook. Or something like that. But for all my bank accounts, my credit card, my Amazon, anything that's important to me, I don't let Google save my password in the Chrome browser. I have an extremely unique password and we'll get into exactly how we do it.
Dan: I got you.
Dan: Okay. And it sounds to me though, honestly, when you're talking Facebook, real quickly about that, shouldn't put a lot of information in that anyway.
Dan: Right? Because they're watching.
Jason: Yeah. If it's out there, it's out there.
Announcer: Bit-Wizards: what's up our sleeve?
Dan: You've got short sleeves on, so I don't know what it could be.
Sam: Well, we still got our magic tricks as usual since we are wizards. But I thought, today since we are talking about the Ring breach, even though it's not really a breach, but it is definitely a big vulnerability everybody should be aware of, I thought it'd be a good opportunity for us to talk about passwords in general because they're the bane of everybody's existence. If you work with a computer, you have to have all these different passwords. And so, there were some studies out there and I went and had a look at some of the studies and I thought I'd pull in just some of these statistics real quick and it says that on average in America for every email address that you have, you probably have about 130 different services tied to that email address. You might sign into your bank with it, to your Facebook account, to social media or you signed up for that one time deal online or you went to a convention and they asked for your email address and now they have it. But for every email address, it's about 130 different accounts attached to it. And of course, nobody is out there trying to remember 130 different passwords. And so because of that, about 20% of people are still using the same passwords they were using 10 years ago, which is probably most of us, right?
Sam: And half of us are using the same passwords that we invented over five years ago. So, that's over half of the passwords out there. We've been using them for five years straight without anyone actually doing anything about it. They did a survey of office workers and they found that 71% of regular office workers were willing to give up their password for a bar of chocolate.
Dan: You're kidding. Must be hungry people out there.
Jason: Did you bring the chocolate with you?
Sam: So, they did a little bit of social engineering here, I'm sure. But in some blind testing, they were able to get over two thirds of people to give up their password willingly in exchange for just a piece of chocolate. And so, they say 50% of all employees write their passwords down. Their work passwords are written down somewhere in... I live and breathe the IT business and I see it all the time where I see sticky notes on people's monitors or under people's keyboards or labels all over the place, on a monitor that says "Here's the username and here's the password to get in." And so, I see this a lot. And over a third of people say that the password they use for work stuff that they've actually shared that with someone else at some point because they needed to give someone access to something. And so, they just went ahead and gave up that password. So, it really brings up the question, why would people do this?
Jason: Yeah. So I mean, as the employee, we're forced to change our password frequently. And we get annoyed with that.
Dan: We have to do it here as well.
Jason: "I just remembered that password." So what normally ends up happening is, I'll make it like password one, two, three. "Okay, I got to change my password. Okay, so password four, five, six." So, and you build on that. So, with a password manager is these newer thoughts, these newer processes that are out there, we use one and we're not of course a sponsor and endorsing them or anything like that, but we use something called LastPass. LastPass takes care of all my passwords and all I have to do is remember a very long password phrase, something like, I'm making it up. This isn't my password.
Jason: The duck quacks when it's wet. And there's spaces and I'll put an exclamation mark at the end or something like that.
Jason: And it's my password, but it's all I have to remember is that password. And then, I log into that with two factor authentication. It's secure. And then, that thing remembers these complicated 24, 64 character passwords going forward that I couldn't remember. Even if I wrote it down, I'd mess it up.
Dan: Still punch it in wrong.
Dan: Yeah. That's so long.
Jason: So, every time someone calls me up or I get a notice on my computer at work, it's "Hey. It's time to change that password." It's no longer an issue. "Okay. Log into my password manager, generate a new password. It remembers it for me and we move on."
Dan: Okay, that sounds good. So, trying to think of all these different passwords and try and remember them. And then if you can't remember, where do you write them down, where do you put them so that it doesn't get in the wrong hands at some point?
Sam: And that's where that password manager comes in. It's a piece of software that goes with you everywhere you go. It's on your laptop, it's on your cell phone, it's everywhere. And all of your passwords are in this one app. And so, the only password you have to remember is how to get into this app because it creates all the other passwords for you. So, I couldn't tell you what the password is to my email because I didn't invent it. I let my password manager invent the password for me. In fact, some of them like LastPass or 1Password are even intelligent enough that you can tell it, "You know what? Every two days, go in and reset my Facebook password for me." And it will log in as you, it will go ahead and create a brand new password. It'll change it to that and it'll save it. And then every time you sign into Facebook, you don't have to worry about it. You just tell LastPass, "Hey, go ahead and log me in please." Or 1Password or KeePass, there's a lot of different password managers out there, but they do quite a few different jobs. But one of those is coming up with some very unique, very complex passwords that no human being is ever going to guess. It makes them one time use only. So, it will warn you. If you've used a password twice, it'll say, "Hey, just so you know, you've used that for Facebook and Netflix and your bank and that could be a problem." And it's going to warn you that. But so then, it also stores all of those passwords to the point where you never ever have to worry about them. You never think about what they are. They could be 50 characters long, I don't know, and just a jumble of letters and numbers.
Dan: That sounds great.
Sam: And I had never had to see it or touch it or anything at all. All I had to remember was my one password to get into the password manager itself and then let it handle everything from there.
Dan: It's all accessible from any devices, sounds like too.
Jason: And any hacker that's just trying to do that, trying to find my password or Sam's password by brute force by just going in there and punching in passwords, punching in passwords, it's just not workable.
Dan: Never going to find it.
Jason: Never going to find it.
Dan: Because it sounds like they're long and they've absolutely mean nothing, just a whole bunch of gibberish.
Sam: That's exactly right. In fact, a lot of people don't know this, but actually the length of the password is the most important thing, not the complexity. So, we feel like we have to take a normal word and swap out some letters for numbers because I don't know, we could say, "I'll use an at symbol instead of an A and the hackers will never guess that. And if I put an exclamation mark at the end of it, they'll never guess that. Or if I'll swap out an S for a dollar sign, they'll never see that coming." And so, you end up with P-at symbol-dollar-dollar-W-zero-R-D and it's just password with a couple of letters swapped out and we think, "Oh, the hackers will never guess that."
Dan: Boy, am I slick.
Sam: So, exactly. That's the kind of code I'd put on my luggage. And so, what these password managers do is they create it a little bit longer. And so the reason why is, there's several ways that our passwords fail. I mean, one of them is that someone just guesses it. So, you named your password after your dog and your kid and a few birthdays and it wouldn't take anyone but a few minutes of looking around your desk or your cubicle and go, "Oh, I see. Oh, your Facebook. Oh, I see your date of birth and I see these things and I can have a stab at it and try to figure out what your password might be." Or like we talked about earlier, it can be lifted from a dump where somebody else has already dumped a bunch of passwords onto the internet and you just buy 10,000 passwords all at once for a couple of bucks and you get to go through them and see if any of them are any good anymore. Or what Jason was talking about, sometimes as a brute force cracker, and what that is is a program that's going to go through every single letter, one at a time. It'll start with the lowercase A and then a lower case B, and then a lower case C, and it'll exhaust all of those. And then it'll go, "Okay, now A-A, A-B, A-C." And it'll go through and it'll just keep going and going and going. And so of course that's for a computer, not the end of the world. You just kind of let it do its thing and leave it overnight. But if you have an eight character password, it could probably crack that in a couple of hours just by trying every combination of every letter. So in less than a day, it could try that. But if you bump that up to 12 characters, now it doesn't take eight hours, it takes 17 years. And if you bump it up to 16 characters, now it's going to take longer than the heat death of the universe because the way entropy works, just by adding that extra character. So I always tell people, add spaces in your passwords if they allow for it.
Definitely use spaces because it makes it easier for you to remember your password because now you can do a passphrase, your favorite song lyric or a favorite scripture from the Bible or something like that that's meaningful to you that you're not going to forget, but make it nice and long as well. So it could be baby comma, it's space cold space outside, exclamation mark. That password would be almost impossible to crack because as it's trying to brute force it, it'll start with that B and the A and the B, but it's going to take forever. It's going to take centuries and millennia for it to get all the way to that it's cold outside exclamation mark at the end of it.
Dan: That's good information.
Sam: So, the length makes a really big difference to it.
Jason: And we work with our clients. We set them up with an enterprise grade password management for their whole organization.
Jason: So I mean, we help them secure their passwords in a secure portal that is almost impossible, I mean pretty much impossible, to break through. And if someone's doing it, we're talking about the NSA or the CIA here because no one's going to have that time, no one's got that much processing power. Like Sam said, it's going to be the end of the universe before they break into what we set our clients up on.
Dan: So the bottom line is this: the Bit-Wizards are going to help you take care of your password.
Jason: And we're going to try to make it a little easier on you as well.
Dan: Easier on you and tougher on the criminal.
Dan: We love to hear that.
Sam: Yeah. And a lot of what we've got happening here is we laugh about it because we all know we're guilty of it. We all know we've got those same three passwords we use for everything. And one of those is my, "Oh, I don't care about it password." And one of those is my, "It's a super secret password. No one can ever know this." But we're still using those passwords across the board. And so, because we know this, we only know it because we're guilty of it. And so, as I work with businesses and we start doing their IT, the biggest vulnerability to their company is an employee getting breached, not a hacker trying to get in through their firewall from China and trying to do this massive attack where they've got thousands of computers all over the internet trying to hit your firewall and figure out a way to get through it. It is so much easier to get on the phone with someone at the front desk and be very pleasant and charming and talk them into giving you access to something that you shouldn't have access to. And so, having complex passwords makes this so, so much more secure for your business because if your employees are logging into their computers, but they're also using that same password for their Facebook or for their Target account, now they have made your entire organization vulnerable because it only takes for Target to get hit one more time and those passwords to get out there into the wild. And while it's very convenient for your employees to just say, "Well, look. I have these same three passwords, they're fine. I've never had any problems with them." The truth is, if you look on one of those websites like Have I Been Pwned, you can see, nope, that password is out there in the wild. It's already been available to people for a long time and they're already trying it in different systems. And now, it makes your organization more vulnerable because you've got an employee using that password in your organization.
So at Bit-Wizards for instance, we use LastPass for the entire organization. We have a pretty strict rule that your LastPass password has to be the only time you use that password. You can't use that anywhere else in life. That's a one time deal. You have to set up your two factor authentication on that too. So, when you log into LastPass to get all your passwords, it is going to pop up and say on your phone, "Are you sure this is you?" And we confirm every single time, "Yep, this is still me, still doing this." But then the other part of that is that all of our passwords that we have, we keep in LastPass. So all of our clients, for instance, we could ostensibly do a lot of damage if someone got into our system knowing that I have a lot of access to a lot of other people's computer systems. So, it's even more imperative for us to be that much more secure. So if someone ever asks me at Bit-Wizards, "Hey, what's the password for such and such firewall for such and such client?" The answer is always, "It's in LastPass." I would never message it to them. I would never email it to them. I would never text it to them because I would tell them, "No, go get it in LastPass." And that's one other beauty of these password management systems is, for about three bucks a month, they're usually pretty, pretty affordable, you could have a company-wide password management system where you can have some stuff that is only HR and Finance only they have access to these passwords or some stuff where the entire organization might have access to. Let's say you need to store your wifi password in there and you want everyone in the company to have access to it, but you don't necessarily want people sitting out in the parking lot at 2:00 in the morning jumping on your wifi and having a little snoopy snoop around your network and see what's happening. And so, you put that in LastPass and when someone says, "Hey, what's the wifi password?"
The answer is very easy again, "Oh, it's in the password manager. You can go get it from the password manager." And so-
Dan: That makes good sense.
Sam: ... We take it very, very seriously ourselves. But we also, for our managed IT clients, we help them get their things set up. So, one of the first things we do when we onboard a new client is we go through and we start changing passwords, which is frustrating sometimes for people because they're like, "Oh, I've had that password for forever. And I know that password." Which is part of the problem. And so, one of the things we do is we don't hide those passwords from the client at all. Those are their access to their information, but we want to make sure we're setting it securely and locking it down so that they're not going to be vulnerable to a breach at that point.
Dan: It sounds like a good philosophy. Love that idea.
Announcer: Bit-Wizards: from the spell book.
Dan: Sounds like a witch stirring a pot.
Sam: Well for our spell book, I thought a good term today, you may have heard it, it's sort of been a buzzword around the internet for a few years, is IOT. It means internet of things. So, you may have heard of IOT devices. And I thought this is a good time for us to talk about it because a Ring doorbell is an IOT device.
Dan: Oh, okay.
Sam: So, it's a good example of that. There are all kinds of fantastic uses for IOT devices. And what they all are, they're all a small device with its own little computer and it is managed 100% by the internet. And so, an example of that would be when my thermostat at my house, my Nest thermostat, when I tell it through my Amazon Echo device and I say, "Hey. Set the temperature to 72 degrees." It's not talking to the thermostat, it's talking to the internet. And then, it's talking to the Nest system on the internet. And then, the Nest system on the internet is talking to the thermostat in my house and saying, "What's your temperature right now? And set it to 72." And then, my thermostat says, "That sounds good." And it sets it and then it goes back up to the internet and relays that back over to Amazon. Amazon relays that back down to my Echo device and says, "Hey. I set the temperature for you." Which seems cumbersome. It seems like, "Well it's right there. They're like six feet apart. Couldn't they just talk to each other?" But the whole point of that is that you can take these things and move them around and they have their own access to the internet. There are all kinds of fantastic use cases for this. I was at a Microsoft event and they were designing an IOT device for trash cans in airports because there's so much wasted effort with the janitorial staff having to go around and check to see if a trashcan is full or empty or not. And so they said, "We've discovered that if the door on the trashcan swings open, I don't know, 17, 170 times, by the end of 170 times, we know it's more than likely full." And so, they'd have an IOT device on the little swingy door on every single one of those trash cans at the airport that's talking back to the Cloud, talking back to the internet, and it will alert the janitorial staff when a trashcan has been opened 170 times so they can go get that. And it immediately makes things a lot more efficient and a lot cleaner.
Dan: Yeah, that's interesting.
Jason: I'm a big nerd. I know Sam's right along with me. I mean, everything's becoming connected now. I mean, heck, my dishwasher is connected. And I have an app on my phone. If I'm over at Publix picking up a frozen lasagna, I can pull out the app, scan the barcode, the app goes "Oh, okay." And it starts preheating my oven on the way.
Dan: Oh, my God.
Sam: We're living in the future.
Jason: We are. And I'm just like, "Where was this 20 years ago?"
Dan: Do you have the one on the refrigerator too that tells you what food's in your refrigerator or whatever it is?
Jason: Not yet. I'm working on my wife.
Sam: Christmas is coming.
Jason: I'm like, "Honey, we need a new fridge."
Dan: That's crazy. I love that. My wife would love that for like a frozen pizza or something like that. "Hey, let's scan this baby." Because she's calling me if she's out shopping and I'm home, "Hey, would you turn the oven on? I'm going to bring this home." But she could do it herself and then I could keep watching football.
Dan: That's cool.
Sam: Just at my house, I have cameras, multiple cameras. I have a thermostat, I have a doorbell, I have Amazon Echo devices, all kinds of, they're all IOT devices.
Dan: You are wired.
Sam: For security sake though, I put them all on their own network. They can't see each other. They can only see the internet because that's all they're supposed to do. So if one of those was to ever get hacked, the worst it could do is turn my temperature up too warm, right? It could never actually do anything else to the rest of my network. So, I thought it was a good time for us to talk about the IOT. This internet of things is sort of a buzz word right now, but all it means is small devices that are directly connected to the internet and they're getting all their information back and forth from the internet.
Dan: Would those games everybody plays on the internet kind of the same thing? Is that different? Like XBoxes, when they're playing, and you can play anybody in the country off of it?
Jason: I mean, that's going to be a different thing. So, that's not the truth.
Sam: It's the same on the back end though. So, they're all going to this one big Cloud service that's managing, "Oh, this person's coming in and he's playing Halo from Germany and this person over here wants to play Halo from Seattle" so they can use this Cloud service on the back end. Microsoft really excels at this with their Azure service and Azure also does their IOT where you can have 500 of these small devices all talking to that same service in the Cloud and talking to each other. We always wrap it up by giving a plug to one of our clients that we really appreciate and so I was going to ask Jason if he wanted to talk a little bit.
Jason: Yeah, so we want to send a big Bit-Wizards thank you and shout out to one of our customers, Fresh Start for Children and Families.
Dan: Oh, perfect.
Jason: Yep. Fresh Start's primary focus is helping families achieve long-term self-sufficiency through a nine-month residential and educational program. Their mission is to share love and compassion. They're a comprehensive educational, vocational and economic housing program to help homeless families achieve self-sufficiency. Bit-Wizards provides managed IT services for Fresh Start. You can support their work at no cost to you by doing your Christmas shopping on Amazon through their affiliate link. Thank you to the whole hardworking team there for allowing Bit-Wizards to serve you. We love working with you guys.
Dan: You guys are great. And we appreciate you. Sam, Jason, hope you have a wonderful Christmas. We're about out of time.
Jason: Merry Christmas.
Dan: All the best to you.
Sam: Merry Christmas.
Dan: Merry Christmas. We'll talk to you again in a couple of weeks.