Speaker Key: PB Phil Brown, DW David Whelan
PB: I’m here with David Whelan, it’s Phil Brown, and
we’re going to talk a bit about password protection in the context of
confidentiality and protecting client information. A lot of client
information is stored these days on things like desktop computers,
laptops, and smartphones. So let’s talk a little bit about password
protection.
DW: Password protection is important because it’s
the gateway to all of your information. If you don’t have a password on a
file, people can open it up and look at it. If you don’t have a
password on your computer or your email account, people can get into
those devices or accounts and see, perhaps, things that you wouldn’t
want them to see and, certainly, your clients probably wouldn’t want
them to see.
PB: And people tend to be human and try to find, sort of, the simplest kind of password they can use.
DW: Absolutely. It’s interesting, each year goes by
and there is always a new survey or a new study on the passwords or the
most common passwords that are out there and, invariably, the passwords
are 123456, or other things that are just crazily-obvious passwords. You
really want to get away from passwords that are easy to guess.
PB: And people tend to use passwords that they’ll
have a connection to; their mother’s name, their wife’s name, their
pet’s name, or a pet’s name from their childhood, or something like
that.
DW: Absolutely. And I think what’s interesting is
that those are the sorts of questions that your bank account, your
online bank account or other services that you use online are going to
ask you. They’re going to ask you if you’ve lost your password, what was
the name of your dog when you were six, or what street did you live on
at a certain age, or what’s your spouse’s name - things like that. And
if you’re using Facebook,
or if you’re using other services, or if you know people who are using
those services, that information may actually be out there. You may have
shared it yourself, or people may be sharing it on your behalf. So it’s
not a safe way to create a password even though it may feel warm and
fuzzy.
PB: And there are a number of password-generating tools available for free on the internet.
DW: I really like Password Meter, passwordmeter.com,
because it tells you what you’re missing. It has a number of categories
and it gives you colors - green, yellow, or red - based on how good or
poor your password is. And it suggests the types of characters or the
types of things you should do to your password to make it stronger.
PB: And a couple of different things... I know the
last time I changed my password internally I realised I had to have an
alpha character and a numeric character and it had to be a certain
length.
DW: Right.
PB: And that’s getting more common. But to make
passwords even stronger, it’s usually suggested that you have upper and
lowercase letters as well as numerals.
DW: Right. I think that the trick to making a good
password is making something that isn’t in the dictionary. And when
people attack passwords or try to break them, they often start with
what’s called the dictionary attack,
which is, literally, they just go through all the words in the
dictionary. So if you’re using a password made up of words that are in
the dictionary, they have a good opportunity to find it. And if you’re
using special characters or upper and lowercase, it starts to make that
password less distinct, further away from what a dictionary attack can
uncover.
PB: And we’re not talking about someone necessarily
sitting there with a dictionary. There’s a lot of software that will do
this in milliseconds.
DW: Absolutely, yes. I can’t imagine anyone sitting down with the OED and going through it.
PB: Every volume. Some of the things about passwords
- and I know you and I might differ on this particular point - whether
or not you write your password down in a, so-called, secure place.
DW: Right. I used to be of the mind that you
shouldn’t, but I’ve come around to the idea that, really, you should
write down your password. There are two good reasons for that, from my
perspective. One is that I can then have a really difficult password
because, if it’s written down, I don’t have to remember how many qs and
how many uppercase letters or special characters are in it, and I can
make it a very long password. Now, if you write down your password that
doesn’t mean that you just tape it onto your computer or put it under
your desk, because I think that’s where the insecurity of the password
comes in. If you’ve got a difficult password and you want to keep it
written down, you should really put it with other things that you value,
like your credit cards, or some other environment; perhaps a safe if
you really need to put it somewhere but you don’t want to carry it. But I
think writing it down is not a problem. It’s the lack of security about
how you take care of where it’s written down.
PB: And, similarly, in terms of changing your
password, I know internally, if you’re working in an organisation, I
think the standard is every 90 days or so they make you change your
password to a new one. With the perspective of having a very strong
password and it’s written down somewhere, would you bother changing it
or no?
DW: I wouldn’t. And, in fact, I was thinking that as
you said 90 days. Because I think a lot of people do this, and unless
your network administrator has changed this or unless you’re forced to
do it, you probably start off with password and then the number one for
the first time and then, 90 days later, you change that one to a two. So
you’re probably using, essentially, the same password over and over
again. Because, face it, after two or three years at a company you’ve
probably run out of all the good passwords that you can remember. So you
might as well have a good password and not refresh it on a regular
basis. I would still refresh it on at least a yearly basis, but write it
down and make it a really strong one.
PB: And just in terms of writing it down, I know
there’re a couple of programs out there like Password Safe and a few
other programs on the internet where you can actually securely store
your passwords. Good idea or no?
DW: I’ve always been leery of it. I think that your
comfort level is really what you should take into account there. I don’t
keep any passwords out on the web, and I’m always a little leery about
saving passwords, even in my web browser. There’s an interesting tool
for Firefox web browser users called Web Developer’s Toolkit,
I believe it’s called. It’s an add-in and it actually... if you go to a
web page and you have saved your password in the form, it will change
the password from the little asterisks to what your password really is.
So I think one of the things to keep in mind is that, if you’re saving
your password somewhere, anywhere, you really need to be sure that’s a
secure environment.
PB: And that might be another tip. If you’re sharing
a computer with anyone or your computer’s accessible, don’t use the
automatic form fillers.
DW: Right. When you go to a public library it warns
you, but you may forget if you’re working in a firm or sharing someone’s
laptop that you might have just logged in for a moment and then
forgotten to get rid of the information that saved your password.
PB: And then I think this probably states the obvious, but never give out your password.
DW: Absolutely. Giving out your password is one of
the worst ideas. If you have something that you want to share with a
person and you need to give them access to the file in an account that
you have online, take Dropbox.com for
example. Say you uploaded a file to Dropbox, you’re better off giving
them access to the file through sharing it through the service’s secured
share folders, by putting it in a public folder if it’s not something
that is confidential, but don’t give your password out to Dropbox so
that they can log in and see the information in the same setting. You
need to control their access and make sure that they have their own
password or other access to that account.
PB: Okay. So that’s a bit about passwords, and
there’ll be resources available as well you can check out after the
podcast. Thanks!
DW: Thank you!