You're doing passwords wrong, stupid (The Daily Charge, 3/11/2020)
Passwords kind of suck.
They're still the main way we protect ourselves online.
Let's run through a few well-worn password rules that are just plain wrong.
This is The Daily Charge.
It's Wednesday, March 11.
I'm Roger Chang.
And with me via Skype is our West Coast security reporter Laura Hautala.
Now, Laura, you're here to pass three well-worn rules for dealing with passwords.
Let's run through them.
What are we doing wrong?
So for a long time, we've been told, never write down your passwords.
We've been told don't ever share your passwords.
And you just change them all the time, just in case. Change your passwords and then you'll be safe.
But there's some problems with all of these rules that kind of lead you to do passwords wrong, so.
So yeah, so let's break it down individually like the first one, don't write down your password.
It's funny when I read that, because there's always a scene in those, in a movie, where someone's snooping around someone's desk and they see the written password and then, if you, you feel dumb because you've got the same kind of written password at your desk, or at least your friends do.
So what, why is that counterintuitive? Because it seems to me like you, it would make sense to not have the written password out. Why does it make sense to actually write it down now?
So now we have way, way too many passwords to memorize.
You're supposed to memorize your password, never write down, but if you have a dozen, hundred passwords, how are you going to do that?
So the only way to have unique passwords for every account, which is definitely what you should do, is to write them down.
You can write them down physically and keep them locked in a file drawer or something.
Don't put them on a sticky note under your keyboard.
That's still a bad idea. [LAUGH]
But you can also use a password manager which is a digital way of writing them down.
Just any way that helps you actually have different passwords for every account.
It's gonna require writing them down.
Right and the idea is that you don't share your account, you don't share your password.
Why does that make sense now, or why does it not make sense?
Well, I mean, the fact is that we just do.
We do share our accounts, we do share our Netflix accounts, or if you have one Amazon Prime account you're not gonna get another for your partner to live in the same house as you, that doesn't make any sense.
Banking is often similar.
So the good news is that some services are helping you have shared accounts with separate passwords, so that's good, but other accounts will do that.
So you just have to be smart about it.
The number one thing to do if you're gonna share your passwords with someone is to not reuse that password somewhere else.
Because that limits the chance that you or your partner or whoever you're sharing with is gonna accidentally give that password to hackers in a phishing scheme.
And then pop open all those other accounts where you're reusing that password.
Okay, so I can finally let my wife know what my attachments are.
Yeah, that's probably fine.
The other thing is that we don't live forever and at the end of your life, you're gonna want to have someone have access to your accounts.
That's a really good thing.
Yeah, I often have a frustration with older parents, you know, like, tell me where you keep your passwords, so that I can access things that I need to.
Definitely.
Okay, and then, don't constantly change your password, which I'm a big fan of.
But break it down, why does this not make sense?
So actually there was this research about, over 10 years ago, showing that when people are required to change their passwords frequently, what they do is just add something really simple to the end of their other previous passwords.
And it's pretty trivial to guess what the change is. So if your password has actually been stolen by hackers and all you do is, like, add a one or a two at the end, you're not really doing very much to secure yourself.
So if you know that your password has been stolen in a data breach, you should change your password absolutely, but you should change it to something totally different.
But if you don't have any reason to think your password has been stolen, you should leave it a complex, unique password that you're not using anywhere else.
And that's definitely just the best security.
Got it, I really wish our corporate parents would hear that cuz we have to change our passwords constantly here.
You know, we had Stephen Shankland on Monday to talk about why passwords suck.
You had a nice story yesterday about password managers.
There's been a lot of interest with our readers, about our listeners, about password managers in general.
When you break down some of the key password manager options that are out there, and so ones you'd recommend.
Yeah, I mean, so I think 1Password and [UNKNOWN] are some of the best known, there's also Dashlane, and there's actually close to a dozen really good ones right now.
And what makes them good is that they generate passwords for you that are unique.
You don't have to think of a really crazy long password yourself, and stores them for you, and that makes it as easy as possible to log in from your phone, from your device, from your laptop, whatever you're using.
So you don't actually have to remember any password.
And it's just kind of the best way to follow that rule of using a unique password for every site because otherwise you'd have to be a robot or a computer to actually do that well.
All right, I want to talk about the big story today and that is E3 potentially being cancelled.
We've got reports our sister site GameSpot has reported that the video game conference in Los Angeles is set to be canceled.
They are, they are scheduling a press conference earlier today, I believe 9:30 a.m. Pacific, so we'll likely get official word then.
But this is just the latest in a series of conferences and public events that have been canceled over concerns about coronavirus.
Now, Laura, it's gratuitous that you're here, because you actually attended one of the few conferences that went on despite the concerns.
That is the RSA security conference, the one that happened to actually have someone with coronavirus attend, so I share some of your perspective on that, like, and why it's important for some of these conferences to be canceled.
Yeah, so at the time of the RSA conference, there hadn't been any community transmitted cases in San Francisco.
It didn't seem like it was an issue in San Francisco.
But of course when you bring, you know, 10, 20, 30,000 people into the same place from all over the world, that increases the chances of transmission.
And that seems to be what happened.
According to Bloomberg, one of the people who had COVID-19 while at the conference got sick on the last day of the conference and had to be put into a medically induced coma more recently, so it was quite serious.
So knowing that someone at the conference was just about to be symptomatic, that's pretty worrying when I look back, and I'm pretty sure that everyone who attended the conference is also, you know, reassuring themselves.
I know I wash my hands a lot.
I know it's unlikely that I contacted this one person, but it's still pretty disconcerting to know that that possibility is out there.
I think Mobile World Congress, that phone trade show in Barcelona, they, they got canceled.
There are a lot of critics who said, this is a bit of an overreaction.
I think a lot of folks who are who made the decision to pull and pull the trigger on canceling these conferences are probably breathing a sigh of relief knowing that this had like the worst case scenario pretty much happened at RSA, and so on.
You can imagine this is going to continue to be a thing.
Conferences like Google I/O are being canceled.
Apple's WWDC is just a few months.
We don't know what's going on with that, but I suspect that'll get cancelled as well.
So it's, yeah, it's just sort of the latest in the string, and just bring back to the sort of video game world of EA.
There were some questions about some of the value of E3 as it were, you know, we were, Sony had already said they were planning to pull out of the conference completely to give their PlayStation 5 a bit more of its own limelight.
And Microsoft has always traditionally held a separate event.
And so Google had a big presence with Stadia there last year, but it wasn't actually at the show, it was off site.
There's been a lot of questions about the value of E3 even before the coronavirus concerns hit, but obviously paired with these fears and just sort of the need to be cautious about things, it does make a lot of sense for E3 to get cancelled.
So, the huge impact of this disease, that not only are people really getting sick and it's scary to see, you know, whether or not we can contain it, but there's this economic impact on businesses that are canceling these major events.
If you wanna learn more about today's topics, check the links to all today's stories in the description below The Daily Charge.
I'm Roger Chang.
Thanks for joining us.