My challenge today is an entertaining speech with a message on a boring topic: passwords. So I will start with an exercise. I am going to share two passwords with you and want you to remember them both. Try not to write them down; it is a bad practice to write down passwords. The first password is @t1$#aY123. Directly from the popular xkcd comic strip, the second password I want you to remember is correct horse battery staple. OK, so I need a volunteer to tell me both my passwords.

So the recipe for a good password is that it needs to be a random set of words. Maybe add a non-dictionary word, like yabadabadoo from the Flintstones. These are long passwords, difficult for a machine to guess but easy to remember. Now that we are skilled in this, let's clean up our digital life. I want all of you to write a hundred different passwords for the top 100 websites that you use and memorize them all. Also remember, we need to change them every 90 days and cannot reuse the same password for at least 5 years. That is where an offline password manager comes in. It is an essential tool that generates these usable passwords and stores them, while you need to remember just one or two.
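As an added example (not part of the original talk), here is a short Python script that puts numbers on the "random set of words" recipe: it computes the entropy of a word-based passphrase versus a character string, estimates how long exhausting that space takes at an assumed guessing rate, and draws words with the operating system's randomness source. The word list is a constructed sample; the 7776-word figure is the size of a standard Diceware list, and the 2048-word list and 1000 guesses per second are the assumptions the xkcd strip uses to arrive at its 44 bits and roughly 550 years.

```python
"""Passphrase strength helpers (added example, not from the original talk)."""
import math
import secrets

# Constructed sample word list for demonstration only; a real Diceware-style
# list has 7776 entries, which is what gives each word ~12.9 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "yabadabadoo",
                "anchor", "blanket", "cactus", "dolphin", "ember",
                "falcon", "garden", "harbor", "island", "jacket", "kettle"]


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list of list_size words."""
    return n_words * math.log2(list_size)


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Upper bound: entropy of a string if every character were chosen uniformly.
    A human-chosen string like '@t1$#aY123' follows patterns (word, caps,
    substitutions, digits on the end) and has far less than this bound."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits at the given rate.
    The expected time to hit the real password is about half of this."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with the CSPRNG in `secrets`, never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1000  # assumed online guessing rate, guesses per second
    for label, bits in [("4 words / 2048-word list", passphrase_bits(4, 2048)),
                        ("4 words / 7776-word list", passphrase_bits(4, 7776)),
                        ("10 random chars / 95 symbols", brute_force_bits(10, 95))]:
        print(f"{label:30s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, rate):12.0f} years at {rate}/s")
    print("sample passphrase:", generate_passphrase(4))
```

The sample list is only 16 words, so four words from it give just 16 bits; the point is the per-word cost of a large list, not the sample itself.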
Now all these are lessons that were taught to me by a friend who went through hell two years back trying to secure his own finances, just because of these passwords. Now, he was much more hygienic with passwords than most of us are. I had a professor in college who gave an analogy: passwords are like your inner garments. Don’t show them to others, mask them under proper clothing and don’t wear the same ones all the time. He kept to that and was mostly sane. Except for the fact that his mother was on Facebook with her maiden name, his first school was in his LinkedIn profile, and his wife had tweeted their honeymoon destination when tweeting was a craze. His phone stopped working for around two hours one night, which he never noticed, and the next day he was in serious trouble.
Most people don’t notice this for days. But he was lucky. By coincidence, while having a burger for lunch, he noticed something on his cellphone. It was a small message buried in the pool of push notifications requesting yet another cow for Farmville. He had not wired money back home in almost six months, but the app said he had. He had accounts on many transfer websites (as he used the cheapest one each time). He quickly got his main bank account frozen and contacted the transfer company. He had important meetings for the next 2-3 hours and was satisfied that he had no money elsewhere, so there was no more damage the hacker could do. In the evening he realized he was so wrong.
In cases like this, the most important thing is to determine what has been stolen: the transfer site, his bank account or his identity. Unless you know what is lost, it is plain luck if you get away without further damage. And don’t think the same person won’t be targeted twice. This is not chicken pox. Ask Yahoo. It was not just one account for him. The hacker had hit the jackpot: his Gmail account, which had everything. If the hacker wanted, the identity was open for the taking. It could have been much worse if the hacker had taken over Facebook, paid memberships or anything else linked to his email. It is extremely difficult to track each and every thing in your emails, and you don’t even have a separate backup. Luckily it was an international hack and US identities are not very useful internationally.
The hacker had switched the emails on all his bank accounts, adding an extra a to his name, and was quietly siphoning off money. Do you know bank accounts can be drained to negative balances? Or that most international crooks who siphon off money never get caught? Fraud protection in developing countries is very poor. He learnt a lot more lessons as the case unrolled. Some of the money in the Indian accounts was lost to bureaucracy and the complicated international situation. The hackers got away with whatever they stole and were never caught. Luckily the bank gave back his US funds and he lived to tell his tale.
The summary of what we should do is simple: always use an offline password manager. Your secret questions are more passwords to remember. Learn what a good password is like: “correct horse battery staple”. And the most important of them all: “Don’t keep a lot of money in bank accounts, especially where following up is difficult and bureaucratic”. So, does anyone still remember the xkcd password I shared at the start of the meeting? “correct horse battery staple”
Here is the video: