
Why You Need a Password Manager


Many in the security community predict that passwords are on their way out. We believe it’s conservative to assume that they’ll be critical to your security for many years to come. According to Verizon’s 2022 Data Breach Investigations Report, 80% of data breaches from web application attacks are attributed to stolen credentials. It’s safe to suggest that stronger passwords and better password practices would go a long way in this regard. Of course, multifactor authentication can help, but we’ll focus on password practices in this post.

With the dozens, or even hundreds, of credentials that many of us manage, it’s no longer feasible to create and manage secure passwords without a password manager. Not only are we maintaining more credentials than ever (bank accounts, social media, email, Wi-Fi, disk encryption, etc.), but password-cracking capabilities are likely many times more advanced than you realize.

For the managers and business owners out there, take note. Employees often follow poorer password practices in the workplace than they do at home. The reasoning is simple: if one of their personal accounts gets hacked, they’ve got a big problem on their hands. However, if one of their work accounts gets hacked, that’s their employer’s problem. Many fail to realize that their entire business could be destroyed by a bad password, a phishing email, etc. You need to take this seriously.


00:00:00,000 –> 00:00:13,200
Welcome to the Bigger Insights Privacy and Security podcast.

00:00:13,200 –> 00:00:18,600
In this episode, we’re going to be talking about password managers and why you need one.

00:00:18,600 –> 00:00:22,880
We wrote an article about this on our website,

00:00:22,880 –> 00:00:27,200
If you go there, click the little search icon, type in password managers,

00:00:27,200 –> 00:00:28,920
it should show up.

00:00:28,920 –> 00:00:34,360
And in that article, there are links and pictures and examples and things like that that are

00:00:34,360 –> 00:00:38,360
kind of difficult to communicate through audio.

00:00:38,360 –> 00:00:41,040
So if you’re interested, go check that out.

00:00:41,040 –> 00:00:45,160
Some experts talk about passwords being on their way out.

00:00:45,160 –> 00:00:51,520
There are a lot of limitations to passwords and basically how people use and manage them.

00:00:51,520 –> 00:00:56,600
However, we still think that they’re very important and they’re going to play an important

00:00:56,600 –> 00:00:59,480
role in people’s lives for many years to come.

00:00:59,480 –> 00:01:06,280
I don’t know about you guys, but last time I checked, I have about 450 unique sets of

00:01:06,280 –> 00:01:09,400
credentials that I’ve managed over the years.

00:01:09,400 –> 00:01:14,080
Some of those have since been closed, but it’s still quite a bit to manage.

00:01:14,080 –> 00:01:20,040
And you know, I acknowledge that the average person probably doesn’t have that many, but

00:01:20,040 –> 00:01:23,760
you probably have more credentials than you realize.

00:01:23,760 –> 00:01:30,000
If you actually sit down sometime and list out all of your email accounts, social media,

00:01:30,000 –> 00:01:36,160
online shopping, school accounts, government accounts, work accounts…

00:01:36,160 –> 00:01:37,560
It’s a lot.

00:01:37,560 –> 00:01:43,680
And if you’re not using a password manager, my question for you is, what are you using?

00:01:43,680 –> 00:01:49,520
From our research and experience, chances are what you’re doing is using really insecure

00:01:49,520 –> 00:01:57,480
passwords or reusing them over and over or storing them in a really insecure manner,

00:01:57,480 –> 00:02:04,480
like in a text file or an Excel file on your desktop or in Dropbox or something like that.

00:02:04,480 –> 00:02:12,240
So before we talk about what exactly a password manager is, we’re going to spend quite a bit

00:02:12,240 –> 00:02:18,840
of time talking about why they’re important and why your passwords are probably a lot

00:02:18,840 –> 00:02:21,920
more vulnerable than you think that they are.

00:02:21,920 –> 00:02:28,120
So every year Verizon does what they call a data breach investigations report.

00:02:28,120 –> 00:02:29,480
You can look it up and read them.

00:02:29,480 –> 00:02:31,600
They’re actually pretty interesting.

00:02:31,600 –> 00:02:40,000
So in 2022, they concluded that about 80% of data breaches in web applications were

00:02:40,000 –> 00:02:43,120
more or less due to stolen credentials.

00:02:43,120 –> 00:02:50,960
Now there’s a lot of detail and nuance in there, but one of the key takeaways is a huge

00:02:50,960 –> 00:02:59,240
amount of the problems that we have in the cybersecurity world are due to weak passwords, reused passwords

00:02:59,240 –> 00:03:02,200
and poorly stored passwords.

00:03:02,200 –> 00:03:07,720
So that sounds kind of depressing, but at the same time, that means that we have a lot

00:03:07,720 –> 00:03:16,000
of low hanging fruit here, where if we can teach people how to use and store strong passwords,

00:03:16,000 –> 00:03:18,600
then we can really do a lot of good.

00:03:18,600 –> 00:03:23,160
Along those lines, there are a couple of key things to keep in mind.

00:03:23,160 –> 00:03:28,600
One is that a compromised password can ruin your life, it can ruin

00:03:28,600 –> 00:03:30,440
your business.

00:03:30,440 –> 00:03:38,240
And I think one of the most important things that people are missing is that it is incredibly

00:03:38,240 –> 00:03:42,640
easy to crack the average person’s password.

00:03:42,640 –> 00:03:48,600
So before we go on, let’s talk a little bit about passwords in general.

00:03:48,600 –> 00:03:55,640
So generally speaking, passwords are used for third-party access.

00:03:55,640 –> 00:04:01,800
So when you go online and you create an account somewhere and you set a password, most of

00:04:01,800 –> 00:04:05,560
the time that’s just used for accessing your account.

00:04:05,560 –> 00:04:08,120
It’s not end-to-end encrypted (E2EE).

00:04:08,120 –> 00:04:14,040
And what’s important about that is we believe that a lot of people have a false sense of

00:04:14,040 –> 00:04:22,280
security because they think to themselves, well, when I sat down and I created my password,

00:04:22,280 –> 00:04:26,320
nobody saw me type that in, nobody knows what my password is.

00:04:26,320 –> 00:04:33,960
Therefore, my password is secure, my account is secure, my data is secure, and that’s generally

00:04:33,960 –> 00:04:35,840
not the case.

00:04:35,840 –> 00:04:41,180
If your password is not being used to encrypt your data, it’s just used to prevent somebody

00:04:41,180 –> 00:04:43,320
from signing into your account.

00:04:43,320 –> 00:04:48,480
What that means is that, first of all, your password is being stored.

00:04:48,480 –> 00:04:55,120
So if you go to Fecesbook and you make an account, they store a hashed version of

00:04:55,120 –> 00:04:56,760
your password.

00:04:56,760 –> 00:04:59,320
And there’s a couple of issues with that.

00:04:59,320 –> 00:05:03,360
One is you don’t know how they’re hashing and storing your password.

00:05:03,360 –> 00:05:08,280
It’s possible that they’re not hashing it at all and just storing it in plain text.

00:05:08,280 –> 00:05:13,920
And the other issue is they don’t need to know what your password is to access your

00:05:13,920 –> 00:05:14,920

00:05:14,920 –> 00:05:19,640
Now, this is a little bit more of a privacy concern than it is a security concern.

00:05:19,640 –> 00:05:25,960
But when you store data in most third-party services, they don’t use your keys to encrypt

00:05:25,960 –> 00:05:26,960
your data.

00:05:26,960 –> 00:05:28,160
They use their keys.

00:05:28,160 –> 00:05:33,880
So not only can they access your data anytime they want for any reason they want without

00:05:33,880 –> 00:05:38,360
knowing your password, but the fact that they’re storing your password makes it vulnerable

00:05:38,360 –> 00:05:40,560
to a data breach.

00:05:40,560 –> 00:05:46,000
So when we talk about password hashing, what we’re referring to is your passwords start

00:05:46,000 –> 00:05:50,480
in plain text, and then they run through a one-way hash function.

00:05:50,480 –> 00:05:57,840
And what this does is it converts your plain text password into a string of characters

00:05:57,840 –> 00:06:03,680
that make it difficult for someone to figure out what the original plain text password

00:06:03,680 –> 00:06:04,680

00:06:04,680 –> 00:06:10,760
Now, any legitimate service should be hashing and salting your password.

00:06:10,760 –> 00:06:15,640
But every once in a while, we do find one that’s not doing that, either not doing it

00:06:15,640 –> 00:06:21,320
at all or using a really weak hashing function, which makes your passwords vulnerable to being

00:06:21,320 –> 00:06:23,000

00:06:23,000 –> 00:06:30,080
So another thing that a piece of software or a service should be doing to try to prevent

00:06:30,080 –> 00:06:34,320
people from cracking your password is rate limiting.

00:06:34,320 –> 00:06:41,240
So if you go to, you know, Fecesbook or Google or whatever, and you type in someone’s username

00:06:41,240 –> 00:06:46,680
and try to start guessing their password, you’re going to run into rate limiting.

00:06:46,680 –> 00:06:51,160
So after a few failed attempts, they might start to slow you down.

00:06:51,160 –> 00:06:56,160
They might tell you to, you know, try again in 10 minutes or block your connection or

00:06:56,160 –> 00:06:57,960
something like that.

00:06:57,960 –> 00:07:06,360
So that’s great, but between the rate limiting and hashing and all these other techniques,

00:07:06,360 –> 00:07:11,360
you know, we’re concerned that these give people a false sense of security.

00:07:11,360 –> 00:07:17,440
So when you think about somebody trying to break into your accounts or crack your password,

00:07:17,440 –> 00:07:19,520
what kind of things come to mind?

00:07:19,520 –> 00:07:27,160
I think that what most people are thinking is one person sitting down at their computer

00:07:27,160 –> 00:07:34,080
going and typing in your email address and just guessing passwords over and

00:07:34,080 –> 00:07:40,760
over until they get in, but that’s not really how it works.

00:07:40,760 –> 00:07:46,800
Typically, passwords are cracked using automated means and in bulk.

00:07:46,800 –> 00:07:53,120
So it is possible that someone will sit down and try to guess your passwords, but don’t

00:07:53,120 –> 00:07:56,560
let that give you a false sense of security.

00:07:56,560 –> 00:08:03,720
Typically what happens is a service provider gets hacked and then somebody will get into

00:08:03,720 –> 00:08:09,800
their systems and download all of their database contents.

00:08:09,800 –> 00:08:16,160
And what’s in there is, you know, your username, your email address, and what should be in

00:08:16,160 –> 00:08:19,600
there is a hashed version of your password.

00:08:19,600 –> 00:08:24,720
So once they get all that information, the rate limiting is out the window because now

00:08:24,720 –> 00:08:27,280
your hashed password is on their system.

00:08:27,280 –> 00:08:28,840
They don’t have to abide by rate limiting.

00:08:28,840 –> 00:08:34,280
They’re now only limited by their CPU or their GPU.

00:08:34,280 –> 00:08:40,040
So at that point, the only thing that’s really protecting you is how strong your password

00:08:40,040 –> 00:08:43,560
is or how well it’s hashed.

00:08:43,560 –> 00:08:49,320
If it’s hashed with a very weak algorithm like MD5 or something, then there’s a good

00:08:49,320 –> 00:08:52,360
chance that someone’s going to crack your password.

00:08:52,360 –> 00:09:00,440
But beyond just the automated means, I think a lot of people have a false sense of security

00:09:00,440 –> 00:09:07,680
about their accounts and data because they think to themselves, well, I’m not Elon Musk.

00:09:07,680 –> 00:09:13,720
So why would anybody take the time to try to hack my accounts?

00:09:13,720 –> 00:09:19,320
And what you need to understand about that is a lot of this is not just automated,

00:09:19,320 –> 00:09:23,000
it’s not personal, and it’s done in bulk.

00:09:23,000 –> 00:09:30,120
So like when LinkedIn got hacked, somebody dumped their database contents and tried to

00:09:30,120 –> 00:09:34,080
crack every single account that was in there.

00:09:34,080 –> 00:09:39,320
So even if you think that you don’t matter to anybody or nobody knows who you are or

00:09:39,320 –> 00:09:42,440
whatever, that has nothing to do with anything.

00:09:42,440 –> 00:09:44,440
This is not personal.

00:09:44,440 –> 00:09:50,240
So the key takeaway here is to not delude yourself into believing that you’re safe either

00:09:50,240 –> 00:09:57,000
because you think nobody on the planet knows your password and nobody would have any reason

00:09:57,000 –> 00:09:58,600
to target you individually.

00:09:58,600 –> 00:10:00,680
That’s not how this works.

00:10:00,680 –> 00:10:05,720
Let’s switch gears to a concrete example to help drive this point home.

00:10:05,720 –> 00:10:10,560
So I saw a story a little while ago about a guy in Israel

00:10:10,560 –> 00:10:16,040
who just happened to notice that a lot of his friends and neighbors used phone numbers

00:10:16,040 –> 00:10:18,960
as their Wi-Fi passwords.

00:10:18,960 –> 00:10:25,400
So he was interested in this and wanted to see if this was a common thing or if it was

00:10:25,400 –> 00:10:28,000
just an anomaly that he noticed.

00:10:28,000 –> 00:10:35,840
So he put a little kit together with a laptop and a cheap Wi-Fi monitoring device, which

00:10:35,840 –> 00:10:37,400
you don’t even really need, by the way.

00:10:37,400 –> 00:10:44,440
I mean, a lot of Wi-Fi cards in laptops can be operated in monitoring mode, which basically

00:10:44,440 –> 00:10:50,120
allows it to listen to and capture any Wi-Fi traffic that’s within range.

00:10:50,120 –> 00:10:51,960
But anyway, that’s what he did.

00:10:51,960 –> 00:10:59,280
And he walked around a few neighborhoods and ended up picking up about 5,000 Wi-Fi password

00:10:59,280 –> 00:11:00,680

00:11:00,680 –> 00:11:06,000
So he went back home and used his laptop to try to crack them.

00:11:06,000 –> 00:11:12,720
And the first thing that he tried was to see how many people were using phone numbers as

00:11:12,720 –> 00:11:14,680
their passwords.

00:11:14,680 –> 00:11:23,800
Within just a matter of minutes, he was able to crack about 2,200 of the 5,000 Wi-Fi networks

00:11:23,800 –> 00:11:27,280
because they were using a phone number as a password.

00:11:27,280 –> 00:11:30,000
Now, you should never do that.

00:11:30,000 –> 00:11:33,520
A phone number is an incredibly weak password.

00:11:33,520 –> 00:11:38,200
You’re almost better off not even having a password at that point because even a modest

00:11:38,200 –> 00:11:45,520
computer can crack a 10-digit number as a password in about one to two seconds.

00:11:45,520 –> 00:11:48,400
It’s not like this guy was running an HPC or something.

00:11:48,400 –> 00:11:51,080
He was on a very modest laptop.

00:11:51,080 –> 00:11:56,280
So if you’re using a phone number as your Wi-Fi password, I would pause this podcast

00:11:56,280 –> 00:11:59,600
right now and I would change that as soon as possible.

00:11:59,600 –> 00:12:04,880
So after that, he ran a dictionary attack, which we’ll talk about in a little bit.

00:12:04,880 –> 00:12:07,680
It’s a very simple concept.

00:12:07,680 –> 00:12:09,240
Anybody can do it.

00:12:09,240 –> 00:12:13,400
And that allowed him to crack 900 additional passwords.

00:12:13,400 –> 00:12:24,400
So by this point, he’s got between 60 and 70% of the 5,000 Wi-Fi networks cracked in literally

00:12:24,400 –> 00:12:26,840
just a couple of hours.

00:12:26,840 –> 00:12:31,080
And just to help drive the point home about using a phone number as a password, even though

00:12:31,080 –> 00:12:39,640
this guy was using a relatively weak laptop, his CPU was able to guess 194,000 hashes per

00:12:39,640 –> 00:12:42,960
second, which is actually quite poor.

00:12:42,960 –> 00:12:51,320
I mean, if he was using a desktop with an array of decent GPUs, that could be well in the

00:12:51,320 –> 00:12:52,320

00:12:52,320 –> 00:12:54,760
So just keep that in mind when you’re creating passwords.

00:12:54,760 –> 00:12:59,840
If they’re relatively weak, it really wouldn’t take someone that much effort to use a system

00:12:59,840 –> 00:13:06,200
that can guess millions of passwords per second and crack your password, even if they can’t

00:13:06,200 –> 00:13:09,760
use more sophisticated techniques.

00:13:09,760 –> 00:13:15,400
And while this particular incident occurred in Israel, you know, we’re under the impression

00:13:15,400 –> 00:13:18,440
that this is probably a worldwide problem.

00:13:18,440 –> 00:13:24,720
So just from my personal experience, I recall one time I was at a professional services

00:13:24,720 –> 00:13:32,040
firm and I wanted to get on their Wi-Fi and I asked one of the employees there what their

00:13:32,040 –> 00:13:39,520
Wi-Fi password was and the guy who owned the place said, it’s our phone number.

00:13:39,520 –> 00:13:44,560
And I have heard of other people using their phone number as their Wi-Fi password.

00:13:44,560 –> 00:13:50,840
So not only is that incredibly weak and very easy to crack, but once somebody does crack

00:13:50,840 –> 00:13:53,880
that, now they also know your phone number.

00:13:53,880 –> 00:13:58,800
So now let’s talk about how people create passwords when they’re not using a password

00:13:58,800 –> 00:14:00,320

00:14:00,320 –> 00:14:06,840
So because we use a password manager, every single password we use is long, random and

00:14:06,840 –> 00:14:16,320
unique, and there’s no way that a human being could do that without storing them in some

00:14:16,320 –> 00:14:18,760
way like a password manager.

00:14:18,760 –> 00:14:26,040
So what people do instead is oftentimes they’ll reuse passwords over and over.

00:14:26,040 –> 00:14:29,400
And there’s a lot of problems with doing that.

00:14:29,400 –> 00:14:35,840
We mentioned before that some services might be storing your password in plain text.

00:14:35,840 –> 00:14:41,200
So in that case, even if you are using a strong password, if it’s sitting on someone’s server

00:14:41,200 –> 00:14:47,560
in plain text, their employees can see that, their contractors might be able to see that,

00:14:47,560 –> 00:14:52,720
and if anybody hacks into their servers and downloads that, then at that point it doesn’t

00:14:52,720 –> 00:14:57,640
matter how strong your password is because they have it and they can use it directly.

00:14:57,640 –> 00:15:02,560
And since password reuse is such a common problem, once somebody gets a hold of your

00:15:02,560 –> 00:15:08,800
password, one of the things that they’ll usually try is finding your other accounts and seeing

00:15:08,800 –> 00:15:11,200
if you’re using the same password.

00:15:11,200 –> 00:15:17,360
And if you are, then they can get into any other account that uses that password.

00:15:17,360 –> 00:15:22,520
And that might sound a little far-fetched to some people, but what you need to understand

00:15:22,520 –> 00:15:24,680
about that is a couple of things.

00:15:24,680 –> 00:15:28,200
One, oftentimes credential stuffing is automated.

00:15:28,200 –> 00:15:33,400
So it’s not like somebody’s necessarily sitting there and going to, you know, thousands of

00:15:33,400 –> 00:15:37,600
random websites and typing in your credentials to see if they work.

00:15:37,600 –> 00:15:44,440
And another thing is, there are a lot of websites out there where you can type in people’s

00:15:44,440 –> 00:15:50,680
email addresses, usernames, phone numbers and things like that and pull up a list of

00:15:50,680 –> 00:15:52,680
their known accounts.

00:15:52,680 –> 00:15:58,560
So credential stuffing isn’t just, you know, some academic exercise, it’s a very real issue

00:15:58,560 –> 00:16:00,960
and it’s a very valid concern.

00:16:00,960 –> 00:16:04,680
It’s why you should never, ever reuse passwords.

00:16:04,680 –> 00:16:11,120
Another problem with reusing passwords or using a password and kind of modifying it a

00:16:11,120 –> 00:16:16,200
little bit from one system to the next is, and you’ll find this out the hard

00:16:16,200 –> 00:16:19,880
way is every system has its own rules.

00:16:19,880 –> 00:16:28,320
So even if you can memorize like a 50-character random highly secure password, that’s great

00:16:28,320 –> 00:16:34,960
until you get to a service that only allows say a 20-character password or some of them

00:16:34,960 –> 00:16:40,080
don’t allow asterisks, some of them don’t allow underscores and so on.

00:16:40,080 –> 00:16:45,240
So this also makes memorizing passwords very difficult.

00:16:45,240 –> 00:16:53,040
I remember not too many years ago, I had an account at a financial institution where their

00:16:53,040 –> 00:16:59,840
password rules were that your password could be no more than 12 characters, numbers and

00:16:59,840 –> 00:17:02,680
lowercase letters only.

00:17:02,680 –> 00:17:09,480
So for that particular service, they were forcing me to use an insecure password.

00:17:09,480 –> 00:17:16,080
Luckily I was using a password manager and I could limit that weak password to that system

00:17:16,080 –> 00:17:22,320
rather than use say one weak password for all of my systems.

00:17:22,320 –> 00:17:27,360
Another thing that people commonly do when they’re not using a password manager is they

00:17:27,360 –> 00:17:33,840
have these kind of gimmicks that they use to generate passwords and that’s usually something

00:17:33,840 –> 00:17:42,440
like using a name of your pet or your child or your spouse, using certain kinds of dates

00:17:42,440 –> 00:17:49,320
like dates of birth or anniversary dates, travel destinations, hobbies and so on, which

00:17:49,320 –> 00:17:54,560
of course for most people is pretty easy to find out whether those are public records

00:17:54,560 –> 00:17:58,440
or spammed on social media accounts and whatnot.

00:17:58,440 –> 00:18:04,080
So you definitely don’t want to use that kind of information in your passwords.

00:18:04,080 –> 00:18:10,440
One thing to keep in mind about that is there are tools out there where you can enter in

00:18:10,440 –> 00:18:16,960
this kind of information and it will generate tens, hundreds, thousands, hundreds of thousands

00:18:16,960 –> 00:18:23,960
of potential password combinations that somebody might be using with this kind of information.

00:18:23,960 –> 00:18:28,640
Another thing that we’ll notice people doing when they’re not using a password manager is

00:18:28,640 –> 00:18:34,920
we’ll see them store their credentials in something like an Excel spreadsheet or put

00:18:34,920 –> 00:18:37,560
them on a sticky note or something.

00:18:37,560 –> 00:18:43,640
And it’s not that uncommon to see these stories where, you know, malware steals these files

00:18:43,640 –> 00:18:48,960
off of people’s computers or someone makes a video of themselves or takes a selfie or

00:18:48,960 –> 00:18:53,480
something and you can see their password on their sticky note in the background.

00:18:53,480 –> 00:18:59,600
So even if you are creating strong passwords, you also need to be cognizant of storing them

00:18:59,600 –> 00:19:01,680

00:19:01,680 –> 00:19:08,360
And one interesting thing to note about Microsoft Excel, if you actually read through Microsoft’s

00:19:08,360 –> 00:19:14,000
documentation and you know their descriptions of things in like the group policy editor

00:19:14,000 –> 00:19:23,320
and whatnot, you can see that Microsoft Windows has the capability of capturing keystrokes,

00:19:23,320 –> 00:19:29,280
screenshots, mouse clicks, files and stuff, especially when something crashes.

00:19:29,280 –> 00:19:36,680
So I would also be hesitant to, you know, store sensitive data in

00:19:36,680 –> 00:19:42,160
an Excel file because there is a chance that some Microsoft employees could get access

00:19:42,160 –> 00:19:44,000
to some of that data.

00:19:44,000 –> 00:19:48,520
That’s also a reason to consider not using Windows, but that’s the subject of another

00:19:48,520 –> 00:19:50,000

00:19:50,000 –> 00:19:52,400
So what does this mean for you?

00:19:52,400 –> 00:19:58,440
What you need to understand is that people who crack passwords understand these things.

00:19:58,440 –> 00:20:05,880
They understand how people create passwords and believe it or not, they have a lot of

00:20:05,880 –> 00:20:10,680
tools at their disposal that they can use to crack your passwords.

00:20:10,680 –> 00:20:14,720
So one of those are password dictionaries.

00:20:14,720 –> 00:20:19,800
When an attacker gets a hold of one of your hashed passwords, they can only really make

00:20:19,800 –> 00:20:26,100
use of that by figuring out what the plain text password was that generated that hash.

00:20:26,100 –> 00:20:32,360
So the hashing is helpful in your case, but it’s really only as strong as your password.

00:20:32,360 –> 00:20:38,080
And the reason for that is because your hashed passwords might be in one of these dictionaries.

00:20:38,080 –> 00:20:46,320
So there are free dictionaries online that anybody can download that basically map hashes

00:20:46,320 –> 00:20:48,840
with plain text passwords.

00:20:48,840 –> 00:20:58,520
So if you take any known password, like password123 or letmein or something like that, anybody

00:20:58,520 –> 00:21:02,320
can calculate what the hash of that is.

00:21:02,320 –> 00:21:07,960
So basically what people do is they collect known passwords, they hash them and store them

00:21:07,960 –> 00:21:09,680
in a database.

00:21:09,680 –> 00:21:14,480
So if anybody comes across your hashed password and they don’t know what it is, they can look

00:21:14,480 –> 00:21:20,480
it up in one of these dictionaries and if there’s a match, then that positively indicates

00:21:20,480 –> 00:21:24,480
what your original plain text password was.

00:21:24,480 –> 00:21:31,080
Now you might not think that your passwords are in there, but what I can tell you is that

00:21:31,080 –> 00:21:39,120
some of these password dictionaries contain billions of passwords and they get these from

00:21:39,120 –> 00:21:40,660
old data breaches.

00:21:40,660 –> 00:21:47,160
So it’s possible that you’ve created an account 15 years ago to buy a t-shirt or something

00:21:47,160 –> 00:21:54,520
and just forgotten about it and that service has since been hacked, they downloaded the database,

00:21:54,520 –> 00:22:00,600
that database contained your hashed password, it was cracked using a number of techniques

00:22:00,600 –> 00:22:07,800
and eventually those end up on the internet and people put them in these password dictionaries.

00:22:07,800 –> 00:22:13,040
So for the average person, I would say it’s actually quite likely that at least one of

00:22:13,040 –> 00:22:19,120
the passwords that you’re using is in one of these password dictionary databases.

00:22:19,120 –> 00:22:21,800
And this is just one type of attack.

00:22:21,800 –> 00:22:27,000
There are probably at least a dozen other ways of cracking somebody’s password and there

00:22:27,000 –> 00:22:31,520
are all kinds of tools that people can use to do this.

00:22:31,520 –> 00:22:38,600
I’m not going to name them, but you should also be aware that there are public forums

00:22:38,600 –> 00:22:46,440
and websites where the hacker community publicly discloses people’s credentials.

00:22:46,440 –> 00:22:52,800
So one of the websites that I have in mind allows anybody, even without an account, to

00:22:52,800 –> 00:22:58,960
go to it and type in a username, an email address, a phone number or something like that and

00:22:58,960 –> 00:23:07,280
pull up in some cases many, many, many records from data breaches associated with that information.

00:23:07,280 –> 00:23:13,560
So when one of our clients asks us to do some reconnaissance on their information, I’d

00:23:13,560 –> 00:23:22,560
say more than half the time with this website, we can find at least one of their passwords.

00:23:22,560 –> 00:23:28,240
So if you’re thinking that some of this sounds kind of like just an academic exercise where

00:23:28,240 –> 00:23:34,120
this doesn’t apply to you for some reason, I’d say statistically you’re probably wrong

00:23:34,120 –> 00:23:37,760
and you’re probably in these databases as well.

00:23:37,760 –> 00:23:46,120
Now keep in mind, what I’m referring to specifically is one tool that takes, you know, 15 seconds

00:23:46,120 –> 00:23:50,200
for us to type in someone’s information and see what comes up, but there’s tons of these

00:23:50,200 –> 00:23:51,720
out there.

00:23:51,720 –> 00:23:57,320
And one of the important things worth noting with these kinds of websites is that they might

00:23:57,320 –> 00:24:01,120
be revealing some information about you that you don’t realize.

00:24:01,120 –> 00:24:07,480
So if you actually go to these websites or you look at common passwords, you’ll notice

00:24:07,480 –> 00:24:12,880
that they contain some information that might be sensitive or you might not want people

00:24:12,880 –> 00:24:14,400
to see.

00:24:14,400 –> 00:24:22,720
So we’ll see passwords that say things like satan and naziman, and we were actually doing

00:24:22,720 –> 00:24:30,800
some work for a client and found one of her passwords, and it was Ilove… a person’s name.

00:24:30,800 –> 00:24:33,600
Like let’s just say IloveBob.

00:24:33,600 –> 00:24:40,480
Now one of the things that’s interesting about that was this client was married and it wasn’t

00:24:40,480 –> 00:24:41,520
to a Bob.

00:24:41,520 –> 00:24:47,080
So you can kind of see how something like that might be misinterpreted or used against

00:24:47,080 –> 00:24:49,040
you somehow.

00:24:49,040 –> 00:24:55,560
So in addition to creating strong passwords, also be careful to avoid putting information

00:24:55,560 –> 00:25:00,280
in there that you wouldn’t want someone else to find just in case if your password is cracked

00:25:00,280 –> 00:25:03,720
or it’s stored somewhere in plain text.

00:25:03,720 –> 00:25:10,560
And this applies to security questions as well because sometimes websites get breached and

00:25:10,560 –> 00:25:15,000
security questions get compromised and those also end up on the internet.

00:25:15,000 –> 00:25:21,880
So we recommend to our clients that when you get security questions, you answer them with

00:25:21,880 –> 00:25:27,520
random answers and store those in your password manager as well because you know, a question

00:25:27,520 –> 00:25:35,000
like what color is your car or where’s your favorite place to travel or our favorite, what’s

00:25:35,000 –> 00:25:40,640
your mother’s maiden name, which is basically public record at this point.

00:25:40,640 –> 00:25:46,120
You don’t really want to answer those honestly because a security question is basically just

00:25:46,120 –> 00:25:51,800
another password and it’s usually the last stop before someone gets into your account.

00:25:51,800 –> 00:25:58,640
So if you are forced to answer a security question, like what’s your mother’s maiden name, you

00:25:58,640 –> 00:26:03,120
don’t want that to be the real answer because obviously it’s very easy for somebody to figure

00:26:03,120 –> 00:26:06,000
that stuff out and get into your account.

00:26:06,000 –> 00:26:12,600
But of course, if you’re not using a password manager, it’s a lot harder to avoid answering

00:26:12,600 –> 00:26:18,920
those questions honestly, which leaves your accounts vulnerable because let’s face it,

00:26:18,920 –> 00:26:22,840
if someone wanted to get into your account and they don’t know your password and they

00:26:22,840 –> 00:26:26,800
have no way of obtaining the hashed version of it and cracking it, they could just as

00:26:26,800 –> 00:26:32,320
well go through the password reset process, which might be as easy as answering one of

00:26:32,320 –> 00:26:33,320
these questions.

00:26:33,320 –> 00:26:37,200
And we’ll go into more detail about that in a future episode, but we just thought we should

00:26:37,200 –> 00:26:39,680
mention that here free of charge.

00:26:39,680 –> 00:26:46,720
At this point, we’d like to reemphasize that a lot of password cracking attempts are done

00:26:46,720 –> 00:26:49,120
using automation.

00:26:49,120 –> 00:26:56,360
And we emphasize this because we’re concerned that a lot of people choose weak passwords

00:26:56,360 –> 00:27:04,480
or at least passwords that are weak for a computer to guess, because they don’t envision

00:27:04,480 –> 00:27:06,320
that that’s how their passwords are cracked.

00:27:06,320 –> 00:27:11,720
They envision someone sitting down at their account and just typing in passwords.

00:27:11,720 –> 00:27:17,480
So you know, we would agree if you picked something out random like purplekeyboard or something

00:27:17,480 –> 00:27:23,480
like that, you know, it’s true that nobody would probably sit down and guess that.

00:27:23,480 –> 00:27:29,880
But you have to remember that it is automation that you’re trying to fight against.

00:27:29,880 –> 00:27:37,840
Automation that can guess millions of passwords per second on even consumer-grade hardware.

00:27:37,840 –> 00:27:45,040
Now in fairness, sometimes people do sit down and guess passwords like those scenes in Archer

00:27:45,040 –> 00:27:49,080
where they’re trying to guess the password to get into the mainframe or whatever.

00:27:49,080 –> 00:27:51,560
And it just turns out to be guest.

00:27:51,560 –> 00:27:56,320
That does happen and every once in a while we do see data breaches where the password

00:27:56,320 –> 00:28:02,160
was something stupid like that, like admin username admin password admin.

00:28:02,160 –> 00:28:07,920
This does happen, but the standard that you’re trying to protect against is automation using

00:28:07,920 –> 00:28:12,080
dictionary attacks, brute force, and other techniques.

00:28:12,080 –> 00:28:17,320
But even if those automated techniques fail, you should be aware that information that

00:28:17,320 –> 00:28:24,640
is available about you on the internet, particularly social media can also be used to create probabilistic

00:28:24,640 –> 00:28:27,640
guesses as to what your passwords may be.

00:28:27,640 –> 00:28:34,880
And you might not think that that’s very effective, but it is because again, people tend to use

00:28:34,880 –> 00:28:39,640
very common techniques for creating their passwords like using the name of their pet,

00:28:39,640 –> 00:28:45,760
for example, which of course, on most people’s social media, they list that kind of information.

00:28:45,760 –> 00:28:51,600
So if somebody is motivated and they can’t crack your password with a dictionary attack

00:28:51,600 –> 00:28:57,280
or with just brute force or something like that, they might resort to perusing your social

00:28:57,280 –> 00:29:03,060
media and other sources of information about you to try to come up with more tailored guesses

00:29:03,060 –> 00:29:05,160
as to what your passwords are.

00:29:05,160 –> 00:29:12,680
And this is one of an infinite number of reasons why you should be very selective about what

00:29:12,680 –> 00:29:17,280
information you expose about yourself to the internet.

00:29:17,280 –> 00:29:24,760
You know, you might not think that something like the name of your dog is sensitive information.

00:29:24,760 –> 00:29:31,400
But you know, usually it isn’t until you use it as a password, which a lot of people do.

00:29:31,400 –> 00:29:37,760
But we recommend that people just either don’t use social media or use it very sparingly

00:29:37,760 –> 00:29:45,480
because it’ll surprise you what kind of information is used for security purposes.

00:29:45,480 –> 00:29:53,320
So one time I had an issue with one of my banks and they made me answer some identity

00:29:53,320 –> 00:29:58,240
verification questions to make sure that I was who I said I was.

00:29:58,240 –> 00:30:05,360
And one of the two questions was, what was the color of one of my cars?

00:30:05,360 –> 00:30:09,560
And you know, you might not think that that’s a big deal, but you know, it should make you

00:30:09,560 –> 00:30:11,720
wonder how hard is that to find out?

00:30:11,720 –> 00:30:16,160
I mean, first of all, car records are somewhat public record.

00:30:16,160 –> 00:30:18,680
A lot of BMVs do sell people’s car records.

00:30:18,680 –> 00:30:23,920
And second of all, a lot of people have pictures of them in their cars on social media.

00:30:23,920 –> 00:30:29,200
So you might not think that a lot of the information that you have on your social media accounts

00:30:29,200 –> 00:30:34,280
is sensitive until, you know, something like this happens and somebody’s able to use that

00:30:34,280 –> 00:30:37,360
information to breach your accounts.

00:30:37,360 –> 00:30:42,200
So we’ve talked a lot about how passwords are cracked, but now let’s talk about what

00:30:42,200 –> 00:30:44,760
happens when passwords are cracked.

00:30:44,760 –> 00:30:51,280
So obviously, if somebody is able to get ahold of one of your passwords, they’re probably

00:30:51,280 –> 00:30:56,220
going to use that to access whatever data that was securing, whether it’s decrypting

00:30:56,220 –> 00:31:01,440
some data or getting into an account, they’re probably going to get in there and check

00:31:01,440 –> 00:31:06,840
it out, but very rarely does the damage stop there.

00:31:06,840 –> 00:31:12,520
It’s quite likely that whoever has your password is going to see if you’ve used that password

00:31:12,520 –> 00:31:18,880
with, you know, banks, social media, email, and so on, and try to get into those accounts

00:31:18,880 –> 00:31:20,120
as well.

00:31:20,120 –> 00:31:26,440
That’s an attack called credential stuffing. You should never ever reuse passwords for that reason.

00:31:26,440 –> 00:31:33,600
And I think another thing that people do sometimes is they don’t necessarily reuse the same password

00:31:33,600 –> 00:31:39,400
exactly, but they’ll memorize the password and then add a little bit to it.

00:31:39,400 –> 00:31:45,200
So it might be like purplekeyboard-Facebook or purplekeyboard-Twitter or something

00:31:45,200 –> 00:31:46,200
like that.

00:31:46,200 –> 00:31:47,680
And that’s better than nothing.

00:31:47,680 –> 00:31:54,280
But if somebody sees that, then they can obviously tell what you’re doing and they can use that

00:31:54,280 –> 00:31:59,880
to infer what your passwords might be in other systems.

00:31:59,880 –> 00:32:05,920
So when an attacker is done having their way with you and your accounts, then oftentimes

00:32:05,920 –> 00:32:12,840
what they do with it is they either sell it to other attackers, or they’ll just make them

00:32:12,840 –> 00:32:14,880
public for free.

00:32:14,880 –> 00:32:20,680
A lot of passwords from previous data breaches are freely available on forums, particularly

00:32:20,680 –> 00:32:22,000
on the dark web.

00:32:22,000 –> 00:32:26,560
And then from that point, I mean, you better hurry up and change them because now there’s

00:32:26,560 –> 00:32:31,400
going to be tons of people looking at those and looking to take advantage of you.

00:32:31,400 –> 00:32:40,480
And even beyond that, what cracked passwords are also used for is improving password cracking

00:32:40,480 –> 00:32:42,120

00:32:42,120 –> 00:32:49,240
So this is something that gets hackers and security researchers really excited is when

00:32:49,240 –> 00:32:56,200
we get one of these mega data breaches like LinkedIn where they result in a lot of cracked

00:32:56,200 –> 00:33:02,080
passwords, people get really excited because we get to see real world examples of how people

00:33:02,080 –> 00:33:08,560
are creating passwords and how those kinds of trends change over time.

00:33:08,560 –> 00:33:15,680
So this is a really important point to keep in mind is that we need people to stop believing

00:33:15,680 –> 00:33:21,160
that their passwords are safe because only they know them, you know, you’re a human being

00:33:21,160 –> 00:33:23,120
just like anybody else.

00:33:23,120 –> 00:33:29,000
And chances are if your passwords are not random, that you’re using some sort of a mental

00:33:29,000 –> 00:33:33,480
shortcut to create them that a lot of other people are using as well.

00:33:33,480 –> 00:33:39,840
So even though only you know your password, you might be making it in such a way that

00:33:39,840 –> 00:33:45,360
based on how everybody else makes passwords that we’ve seen, we can guess what your password

00:33:45,360 –> 00:33:48,280
is, even though we’ve never seen it before.

00:33:48,280 –> 00:33:53,320
Now in fairness, we do recommend that people create random passwords.

00:33:53,320 –> 00:33:54,320
It’s what we do.

00:33:54,320 –> 00:33:58,560
We’ve got hundreds of them, they’re all long, random and unique.

00:33:58,560 –> 00:34:03,600
But a password doesn’t necessarily need to be random in order to be secure.

00:34:03,600 –> 00:34:09,880
You could do something like five, six or seven completely random words all strung together.

00:34:09,880 –> 00:34:17,360
That would be very difficult to crack, but again, if you’re not using a password manager,

00:34:17,360 –> 00:34:18,640
it’s not realistic.

00:34:18,640 –> 00:34:21,960
It’s just not realistic to do that without reusing them.

00:34:21,960 –> 00:34:28,800
You know, how can you manage or remember dozens or hundreds of passwords?

00:34:28,800 –> 00:34:33,680
And if you are using a password manager, you might as well just make them random.

00:34:33,680 –> 00:34:39,640
All right, so hopefully by this point, we’ve convinced you that your passwords, if you’re

00:34:39,640 –> 00:34:43,760
not using a password manager are probably more vulnerable than you realize and that

00:34:43,760 –> 00:34:45,760
you should be using one.

00:34:45,760 –> 00:34:50,600
So now let’s talk about what actually a password manager is.

00:34:50,600 –> 00:34:57,400
A password manager is simply an application or a service to help you store your passwords.

00:34:57,400 –> 00:35:00,080
That’s what they are at their most basic level.

00:35:00,080 –> 00:35:04,640
But you know, over time, they add all kinds of, you know, interesting features which can

00:35:04,640 –> 00:35:09,480
help you manage your passwords like random password generators, little helpers that

00:35:09,480 –> 00:35:12,000
show you how strong they are.

00:35:12,000 –> 00:35:15,960
So if you put like a phone number in there, it should probably show you some kind of warning

00:35:15,960 –> 00:35:21,760
telling you that it’s extremely insecure and they’ll have things like automatic sign-in

00:35:21,760 –> 00:35:28,800
features for like websites and things like that and store arbitrary files and whatnot.

00:35:28,800 –> 00:35:36,080
So a password manager stores this information in what’s typically called a vault, which

00:35:36,080 –> 00:35:38,720
is basically just an encrypted file.

00:35:38,720 –> 00:35:42,760
The whole thing should be encrypted.

00:35:42,760 –> 00:35:48,800
I don’t know if you heard about this LastPass, this most recent LastPass security

00:35:48,800 –> 00:35:49,800
incident that they’ve had.

00:35:49,800 –> 00:35:54,040
They’ve had several of them, which is why we don’t recommend LastPass.

00:35:54,040 –> 00:35:59,760
And we’ll talk about that in a separate episode, but one of the issues with LastPass vaults

00:35:59,760 –> 00:36:05,920
was they weren’t encrypting all of the data that you were putting in LastPass.

00:36:05,920 –> 00:36:10,640
So there was certain information like website URLs that weren’t being encrypted.

00:36:10,640 –> 00:36:13,920
For God knows what reason, I have no idea why they would do that unless they were doing

00:36:13,920 –> 00:36:19,640
something like, I don’t know, selling that information or something stupid like that.

00:36:19,640 –> 00:36:26,000
So a good respected password manager should encrypt every piece of information that you

00:36:26,000 –> 00:36:30,720
type into it and the ones that we recommend do.

00:36:30,720 –> 00:36:36,960
So we’ll go into some more detail in future episodes, but we recommend that our clients

00:36:36,960 –> 00:36:43,200
use KeePass or Bitwarden, just depending on what your needs are, you know, we’re not

00:36:43,200 –> 00:36:46,360
sponsored by Bitwarden, they don’t even know we exist.

00:36:46,360 –> 00:36:50,500
And obviously KeePass doesn’t sponsor us because it’s free and open source software

00:36:50,500 –> 00:36:53,600
that you just run locally on your own system.

00:36:53,600 –> 00:36:57,460
So to start wrapping this up, let’s talk about action items.

00:36:57,460 –> 00:37:01,880
So if you haven’t figured it out by now, one of those action items is start using a password

00:37:01,880 –> 00:37:02,880

00:37:02,880 –> 00:37:07,360
And once you get one set up, start replacing your passwords.

00:37:07,360 –> 00:37:12,840
We recommend that our clients document what accounts they have, which I think a lot of

00:37:12,840 –> 00:37:13,840
people don’t do.

00:37:13,840 –> 00:37:19,480
I think they just try to remember them all, but write them down in a secure manner, go

00:37:19,480 –> 00:37:23,200
down the line and start changing your passwords.

00:37:23,200 –> 00:37:25,760
And you know, I understand that that’s a tremendous amount of work.

00:37:25,760 –> 00:37:31,520
So what we recommend that people do is start with your most critical accounts like your

00:37:31,520 –> 00:37:35,480
email and your bank accounts, things like that.

00:37:35,480 –> 00:37:40,760
And also make sure you hit all the ones that you use passwords with, because those can

00:37:40,760 –> 00:37:42,240
really blindside you.

00:37:42,240 –> 00:37:45,540
So I’ll share a personal story.

00:37:45,540 –> 00:37:52,200
So I created my first email account many, many years ago with, you know, one of the

00:37:52,200 –> 00:37:59,920
biggest email providers at the time, and one day I noticed that someone got into my email

00:37:59,920 –> 00:38:06,040
account and was sending out suspicious emails to the people in my contacts list.

00:38:06,040 –> 00:38:11,840
And I wondered for years how this happened because, you know, this was a major company.

00:38:11,840 –> 00:38:17,680
This was the type of company that would have disclosed if they had a data breach.

00:38:17,680 –> 00:38:24,360
And because they didn’t, my assumption is that someone got my password and logged into

00:38:24,360 –> 00:38:25,360
my account.

00:38:25,360 –> 00:38:29,160
And I wondered for years, how could someone have gotten my password?

00:38:29,160 –> 00:38:34,560
I mean, very few people even knew that this account existed.

00:38:34,560 –> 00:38:38,400
And the password wasn’t super bad.

00:38:38,400 –> 00:38:43,440
And it wasn’t something that you would guess by looking at the email address.

00:38:43,440 –> 00:38:47,760
So now that I’ve been studying this stuff for years, I would bet a lot of money that

00:38:47,760 –> 00:38:53,640
what actually happened was I was probably using that email address and password for

00:38:53,640 –> 00:38:58,360
other accounts because, you know, this was decades ago and I was very young and this

00:38:58,360 –> 00:39:00,960
is just what everybody did.

00:39:00,960 –> 00:39:07,800
So I probably made an account somewhere like some game forum or something, you know, this

00:39:07,800 –> 00:39:12,200
is one of the reasons why we recommend that people start documenting all of their accounts.

00:39:12,200 –> 00:39:18,280
Because if you really think about it, if you go back, you know, decades and think about

00:39:18,280 –> 00:39:25,320
every little website that you went to to create an account, like a forum or a website that

00:39:25,320 –> 00:39:29,120
just sells t-shirts or something like that, you probably have dozens of these accounts

00:39:29,120 –> 00:39:31,200
that you’ve forgotten about.

00:39:31,200 –> 00:39:37,360
And I’d bet a lot of money that one of those got hacked and never disclosed it.

00:39:37,360 –> 00:39:44,360
And then whoever hacked that site downloaded my information, cracked my password and then

00:39:44,360 –> 00:39:47,160
used that to get into my email account.

00:39:47,160 –> 00:39:52,520
So this is a cautionary tale to encourage you to update your passwords and especially

00:39:52,520 –> 00:39:57,160
make sure you hit those ones that you’ve reused with other accounts.

00:39:57,160 –> 00:40:03,400
Now I acknowledge that, you know, this episode has been pretty light on the details regarding

00:40:03,400 –> 00:40:08,920
KeePass, Bitwarden, how you actually download, install and use them and best practices and

00:40:08,920 –> 00:40:09,920
things like that.

00:40:09,920 –> 00:40:12,680
We’ll go over those in a future episode.

00:40:12,680 –> 00:40:18,520
This one is really just focused on convincing you that you should be using a password manager.

00:40:18,520 –> 00:40:21,920
So please take this seriously.

00:40:21,920 –> 00:40:25,320
One of the things you need to understand is that you might not care about your security

00:40:25,320 –> 00:40:30,240
for whatever reason, but just keep in mind that if you have a security incident like

00:40:30,240 –> 00:40:34,520
someone breaks into your accounts, whether those are personal accounts or work accounts,

00:40:34,520 –> 00:40:39,520
that has the potential to affect not only you, but others around you that might be your

00:40:39,520 –> 00:40:43,200
employer that might be your spouse, your children or whatever.

00:40:43,200 –> 00:40:49,200
So please take this seriously because if somebody can get into your email accounts or your social

00:40:49,200 –> 00:40:51,160
media, they can do all kinds of things.

00:40:51,160 –> 00:40:53,520
They can do illegal things.

00:40:53,520 –> 00:40:58,400
They can spam and scam, you know, people in your contact list.

00:40:58,400 –> 00:41:03,280
They can lock you out of your accounts, but just sit down sometime and think about

00:41:03,280 –> 00:41:07,160
how much damage somebody could do by getting into your accounts.

00:41:07,160 –> 00:41:12,960
Because if you really think about it, a lot of service providers don’t really know who

00:41:12,960 –> 00:41:15,040
anybody actually is.

00:41:15,040 –> 00:41:20,560
As far as they’re concerned, you’re responsible for the security of your account.

00:41:20,560 –> 00:41:25,760
And if somebody takes over your account, it can be very difficult to convince them that

00:41:25,760 –> 00:41:28,720
you’re the actual owner of the account.

00:41:28,720 –> 00:41:33,680
So if you can imagine somebody getting into your Fecesbook account, for example, if you

00:41:33,680 –> 00:41:39,520
were to contact them and say, hey, somebody took over my account, how are they supposed

00:41:39,520 –> 00:41:42,200
to know who you are or who they are?

00:41:42,200 –> 00:41:47,520
You know, most likely what they’re going to do is ask you some questions which you

00:41:47,520 –> 00:41:50,760
might have a difficult time answering.

00:41:50,760 –> 00:41:55,160
I’ve read that if you’re trying to recover a Google account, one of the things that they’ll

00:41:55,160 –> 00:42:02,000
ask you is the date that you created the account, which obviously very few people record that

00:42:02,000 –> 00:42:03,000

00:42:03,000 –> 00:42:08,080
But you know, a company like Fecesbook, they might be liable to say, hey, we’ll only let

00:42:08,080 –> 00:42:15,600
you recover your account if you upload, say, a government ID, which is pretty sketchy because

00:42:15,600 –> 00:42:20,600
you know, as far as we’re concerned, they’re one of the creepiest companies that the world

00:42:20,600 –> 00:42:25,960
has ever produced, not to mention they’ve had their own fair share of security incidents.

00:42:25,960 –> 00:42:32,160
So just imagine giving them, you know, a scan of your driver’s license and then later have

00:42:32,160 –> 00:42:37,040
another security incident and now your driver’s license is floating around on the internet.

00:42:37,040 –> 00:42:39,120
Think about what somebody could do with that.

00:42:39,120 –> 00:42:43,360
They could open a crypto account using your identity and launder money and all kinds of

00:42:43,360 –> 00:42:44,360
crazy things.

00:42:44,360 –> 00:42:50,400
So long story short, take this stuff very seriously because it is very serious.

00:42:50,400 –> 00:42:52,800
That pretty much wraps up this episode.

00:42:52,800 –> 00:42:56,800
Hopefully we’ve convinced you that using a password manager is important.

00:42:56,800 –> 00:43:01,540
If you still don’t think that it is, you know, I don’t really know what to tell you other

00:43:01,540 –> 00:43:07,680
than we’d be very interested to hear how you manage your passwords or, you know, what

00:43:07,680 –> 00:43:13,480
makes you think that you’re immune from these kinds of issues that we’ve discussed.

00:43:13,480 –> 00:43:15,560
We’d be very interested in that.

00:43:15,560 –> 00:43:20,240
So if you like this content, you know, feel free to like it or give us a review, but more

00:43:20,240 –> 00:43:25,920
importantly, please share it with your friends, family or whoever, because we really need

00:43:25,920 –> 00:43:32,240
to get society as a whole to improve their password management practices.

00:43:32,240 –> 00:43:39,320
I mean, the data is very clear about how much of a disaster our password management practices

00:43:39,320 –> 00:43:40,320

00:43:40,320 –> 00:43:44,960
You know, I mean, obviously if 80% of our data breaches are the result of poor credential

00:43:44,960 –> 00:43:47,600
management, this is a very serious problem.

00:43:47,600 –> 00:43:51,600
And finally, make sure you subscribe because we’re producing a lot of great content like

00:43:51,600 –> 00:43:52,600

00:43:52,600 –> 00:43:58,880
And we’re going to go into more detail about password managers, VPNs, Tor, email, text

00:43:58,880 –> 00:44:02,280
messaging, end-to-end encryption, all kinds of things.

00:44:02,280 –> 00:44:28,000
So subscribe, stay tuned, and stay safe out there.



Passwords vs. Encryption

First, let’s clear up any potential confusion between passwords and encryption. Data that’s password-protected is not necessarily encrypted. For example, the password to a local Windows account doesn’t encrypt your PC’s data; it just prevents Grandma from getting into your account with a single click.

Even if your password is used to encrypt your data, you need to consider how the encryption is performed and who has access to the decryption key. If you use Apple’s iCloud, for example, understand that even though your data is encrypted on their servers, Apple holds your decryption key and can decrypt your data for whomever or whatever purpose they please. Similar to the “not your keys, not your crypto” mantra in the digital asset community, it’s “not your keys, not your data” in the security community.

The reason we emphasize this is because we believe some forgo a password manager because they have a false sense of security as to what their passwords do. This then justifies implementing weak password practices, such as password reuse. It’s true that most businesses don’t have your password in plain-text, nor will they bother cracking it. However, that doesn’t mean your data is safe, as you might assume if your data was encrypted with your password (i.e. because only you know it). In addition to storing your password (usually in hashed form), most app/service providers have their own decryption key to your data, which allows them and potentially hackers to decrypt your data without your password.

What is a Password Manager?

At its most basic, a password manager is an application designed to securely store your passwords. The data the password manager stores is secured by a “master” password. Therefore, it’s critical that your master password is strong. In the case of a local application, the data is stored in a file, normally called a “vault.” This is a good option for users who are diligent about backing up their files. However, many of the most common password managers store your data on central servers. Doing so is more convenient, and can offer other features such as emergency access. This is a better choice for users who don’t have a good backup system and procedure.

Modern password managers typically contain several other features – e.g.:

  1. Password strength helpers (entropy, reuse check, common password check, data breach check, etc.)
  2. Random password generator
  3. File storage
  4. Automatic sign-in
  5. etc.

How App & Service Providers Manage Passwords

How app and service providers handle your passwords can make or break your security. Unfortunately, this is usually rather opaque, so one needs to be careful about whom they entrust with their data.

For most services, your password is hashed and salted, then stored on their servers. However, your data is encrypted with a key that the provider controls. In addition to the risk of enabling the provider to decrypt and exploit your data, this leaves your hashed passwords vulnerable to hacks. If the server that holds your password gets hacked, the attackers will download the hashed passwords and start cracking them (i.e. converting them from hashed to plain-text). For this reason, we generally recommend software and services that encrypt your data using end-to-end encryption. End-to-end encryption doesn’t give others access to your password (i.e. decryption happens only at each end).


Password Psychology without a Password Manager

If given the choice to target either a person who uses a password manager or one who doesn’t, an attacker would go after the latter. Why? Because if you’re not using a password manager, chances are your passwords aren’t random*. If your passwords aren’t random, it’s likely that you’ve used some convenient gimmick to create your password**. And, chances are that you’re not the only one who has used said gimmick. Attackers know this and use it against you when cracking passwords. Do your passwords contain names or birthdays of your children, spouse, or pets? How about a phone number, favorite sport, or old address? Do you reuse passwords? If the password rules require having a number in the password, do you just add a 1 at the end? If your answer to any of these is “yes”, you’re not alone, and that makes your passwords vulnerable.

In cases where users are forced to choose strong passwords, we unfortunately see risky behavior, such as writing them down on sticky notes or storing them in an Excel spreadsheet in Dropbox. Password managers solve this problem.

*In fairness, a password doesn’t necessarily need to be “random” to be secure. A password consisting of several random words can also be very secure, despite not being totally “random”. However, we say this because in absence of randomness, people usually choose predictable passwords.

**Just for fun, see if you use any of these common passwords.


How Passwords are Cracked


Let’s now discuss how passwords are cracked, which will reveal why your passwords are probably more vulnerable than you think. Before we lose you in the weeds, understand that the following is going on every day, usually with automation. It’s true that no one is probably sitting at their computer, typing in password guesses on your Facebook account. But that’s not the concern here – automation is. Give a hacker 100,000 hashed passwords of average users, and they’ll probably have half of them cracked within a few days using automation, not manual guesses.

We’re convinced that many choose weak passwords because they can’t imagine how someone would crack them via manual guess-and-check. Therefore, we need to emphasize that this is not how most passwords are cracked.

Plain-text and Weakly-hashed Passwords

In some cases, an attacker will find your password in plain-text, so there’s no cracking necessary. Unfortunately, some providers do get caught storing passwords this way, which is one of the reasons why reusing passwords is so dangerous. You can have the most secure password in the world, but if it’s discovered by an attacker in plain-text, the password’s strength won’t save you.

Even if your password is hashed, the hashing algorithm matters. Some hashing algorithms, such as MD5, leave passwords vulnerable to attack, whereas others like bcrypt are much more secure. Unfortunately, app and service providers don’t often tell you how they hash passwords, leaving users in the dark as to how vulnerable their password may be.

Cracking Strongly-hashed Passwords


If an attacker is able to obtain your hashed password, they can use dictionary attacks and related techniques to see if you’ve used either a common password, or one that’s been cracked in the past. For example, the MD5 hash of qwerty123 (without salt), a very common password, is 3fc0a7acf087f549ac2b266baf94b8b1. A dictionary can be created that maps hash values to known passwords (e.g. 3fc0a7acf087f549ac2b266baf94b8b1 = qwerty123, 5f4dcc3b5aa765d61d8327deb882cf99 = password, etc.). If a hacker gets ahold of your hashed password, they can quickly see if it’s in their dictionary and, if it is, this reveals your password. This might sound rather benign, but note that some password dictionaries contain over 10 billion passwords. Chances are you’re either using a password in one of these dictionaries or have in the past.

Example Dictionary Attack

The following illustrates a simplified dictionary attack against a user database that someone has hacked into.

Password (User-entered)    MD5 Hash (Stored on Server)
password                   5f4dcc3b5aa765d61d8327deb882cf99
qwerty123                  3fc0a7acf087f549ac2b266baf94b8b1
trustno1                   5fcfd41e547a12215b173ff47fdd3739

Figure 1: Example password hashing and storage

ID   Username   Password (MD5 Hash)
1    koolkat    5952e5d10ede271bcddceb99fca44c04
2    sk8erboi   d5637ac35652681d6bdf48f00d285fa3
3    paranoid   5fcfd41e547a12215b173ff47fdd3739

Figure 2: Simplified example user database table stored on app server

MD5 Hash                           Password
5f4dcc3b5aa765d61d8327deb882cf99   password
3fc0a7acf087f549ac2b266baf94b8b1   qwerty123
5fcfd41e547a12215b173ff47fdd3739   trustno1

Figure 3: Hacker Builds Dictionary of Known Passwords

In the above example (Figures 1-3), if a hacker obtains the data from the database in Figure 2, and references the user’s hashed passwords against the dictionary in Figure 3, what would happen? As we can see, user “paranoid” is pwned because he used a password with the corresponding hash: 5fcfd41e547a12215b173ff47fdd3739. Even if we can’t crack MD5, we know from the dictionary of known passwords that 5fcfd41e547a12215b173ff47fdd3739 corresponds to password: trustno1*. For the other two users, whose hashes are not in the dictionary, the hacker would need to employ some other technique (e.g. brute-force).

*trustno1 is a very common password. Ironically, if you trust no one, you shouldn’t use such a pathetic password. Security is not without its humor.
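To make Figures 1-3 concrete, here is an added example (not code from the article) that builds the Figure 3 dictionary with hashlib, runs it over a copy of the Figure 2 table, and then shows why the salted, deliberately slow hashing described under “How App & Service Providers Manage Passwords” defeats the same precomputed lookup. bcrypt, which the article names, needs a third-party package, so PBKDF2-HMAC-SHA256 from the standard library stands in for it, and the 600,000-iteration count is an assumption.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed input: the three known passwords from Figure 3.
KNOWN_PASSWORDS: List[str] = ["password", "qwerty123", "trustno1"]

# Constructed copy of the Figure 2 user table; the stored values are the
# unsalted MD5 digests shown on the page.
USER_TABLE: List[Dict[str, str]] = [
    {"id": "1", "username": "koolkat", "password": "5952e5d10ede271bcddceb99fca44c04"},
    {"id": "2", "username": "sk8erboi", "password": "d5637ac35652681d6bdf48f00d285fa3"},
    {"id": "3", "username": "paranoid", "password": "5fcfd41e547a12215b173ff47fdd3739"},
]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak storage scheme that Figures 1-3 assume."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_dictionary(passwords: List[str]) -> Dict[str, str]:
    """Figure 3: map each known password's MD5 digest back to the password."""
    return {md5_hex(p): p for p in passwords}


def dictionary_lookup(table: List[Dict[str, str]], dictionary: Dict[str, str]) -> Dict[str, str]:
    """Return {username: recovered password} for every row whose stored hash is in
    the dictionary. Rows that miss are not cracked by this technique."""
    hits: Dict[str, str] = {}
    for row in table:
        if row["password"] in dictionary:
            hits[row["username"]] = dictionary[row["password"]]
    return hits


# Defender side: a random per-user salt plus a slow KDF. PBKDF2-HMAC-SHA256 stands
# in for bcrypt here; the iteration count is an assumption chosen so that every
# guess an attacker makes costs real CPU time.
PBKDF2_ITERATIONS = 600_000


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Store scheme, iterations, salt and digest together so verification can recompute."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    dictionary = build_dictionary(KNOWN_PASSWORDS)
    print("MD5 table hits:", dictionary_lookup(USER_TABLE, dictionary))

    # Re-store user 3's password with the salted slow hash: the precomputed
    # dictionary no longer matches, and two users with the same password get
    # different records, so cracking one record reveals nothing about the other.
    salted_row = {"id": "3", "username": "paranoid", "password": hash_password_salted("trustno1")}
    print("Salted table hits:", dictionary_lookup([salted_row], dictionary))
    print("Login check:", verify_password("trustno1", salted_row["password"]))
```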

Guess-and-Check Using Knowledge of Victim

If an attacker doesn’t have your hashed password, and they’re motivated, they may use their knowledge of you to make educated guesses using an understanding of password psychology. If they don’t know you well, they may peruse your social media profiles and other sources for clues. This is one of the reasons why over-sharing on social media is so dangerous. Seemingly harmless data like pet names, travel destinations, the color of your car, etc. can be used to crack passwords, impersonate you, or correctly answer identity verification questions to get into your accounts.

Password-cracking tools can then be used to take pieces of information about you (dates, pet names, etc.) and create an array of probable password guesses. This sounds rather mundane, but depending on how well the victim is known, and how poorly they choose their passwords, this technique can actually be rather effective.

Brute Force

If all else fails, brute force may be used, which is the systematic guessing of password combinations until either the password is cracked or the attacker gives up. Think of one of those padlocks that use 3 single digits for the combination – it wouldn’t take you very long to manually brute-force this until you crack it (000, 001, 002, 003, …).

If an attacker is able to guess passwords without rate limitations, this technique can be effective for weaker passwords. Bear in mind that modern computers, especially if equipped with high-end CPUs or GPUs, can make millions of guesses per second. One of the fastest supercomputers in 2019 had the capability of making 100 million million guesses per second. How would your passwords hold up to brute force?

It should also be noted that brute-force techniques can be enhanced to guess the types of passwords most likely to match. For example, it’s well-known in the security community that many Wi-Fi routers are “secured” with the user’s phone number. Therefore, if someone were trying to crack your password, your Wi-Fi password in particular, guessing all possible phone numbers would be a great place to start. This would only take a few seconds given modern hardware, so if you’re using your phone number as a password, change it to something more secure ASAP.
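To put numbers on “how would your passwords hold up”, here is an added estimator (not from the original post) that works out the worst-case time to exhaust a keyspace at the two guess rates quoted above; the scenarios and rates are constructed from the figures in the text, and the 94-character printable ASCII alphabet is an assumption.

```python
import math

# Guess rates quoted in the text, taken as round figures for this comparison.
GUESS_RATES = {
    "millions/s": 10**6,
    "100 million million/s": 10**14,
}
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int, include_shorter: bool = False) -> int:
    """Candidates an exhaustive attacker must try. A fixed-format secret (padlock,
    phone number) has exactly charset**length; a free-form password also forces
    every shorter length to be tried first."""
    if include_shorter:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst case; the expected time to hit the right guess is half of this."""
    return space / guesses_per_second


def entropy_bits(space: int) -> float:
    return math.log2(space)


def human(seconds: float) -> str:
    if seconds < 1:
        return f"{seconds * 1000:.3g} ms"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


# Constructed scenarios: the 3-digit padlock, a 10-digit phone number used as a
# Wi-Fi key, and random passwords over the 94 printable ASCII characters.
SCENARIOS = {
    "3-digit padlock": (10, 3, False),
    "10-digit phone number": (10, 10, False),
    "8 random printable chars": (94, 8, True),
    "20 random printable chars": (94, 20, True),
}


def crack_time_table():
    """{scenario: {rate name: worst-case seconds}} for every scenario and rate."""
    return {
        name: {rate: seconds_to_exhaust(keyspace(c, n, s), g) for rate, g in GUESS_RATES.items()}
        for name, (c, n, s) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, times in crack_time_table().items():
        print(f"{name:26} " + "  ".join(f"{r}: {human(t)}" for r, t in times.items()))
```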

What Happens to Cracked Passwords

When hackers crack passwords, what happens next depends on their motivations. State actors may be inclined to keep this information for themselves, whereas many private hackers end up releasing their stolen goods at some point, either to the public or to buyers only. In the latter situation, regardless of who the credentials are shared with, it’s conservative to assume they will eventually end up being publicly available. This cannot be stressed enough. We won’t share any of them here, but there are websites that allow you to view almost anyone’s passwords as long as you have their username or email address. This makes for great party conversation: “So, what are you up to these days, besides using terrible passwords like letmein and iloveyou?”

At some point, someone with the credentials will use them to try to get into the system or data that the password protects. When a password is gathered and cracked, there is usually other information associated with it (e.g. username, email address). This other information is often used to go to other services (e.g. Facebook, Gmail, etc.) to see if you reused those credentials, which is an attack called “credential stuffing”. If you did, you may have a big problem on your hands, because all of those accounts are now compromised.

Concluding Thoughts

When people don’t use password managers, they almost always choose passwords that are easy to crack or store them insecurely. When people use a password manager, they’re more likely to use strong passwords because the password manager remembers the passwords for you. At Bigger Insights, all of our passwords are long, random, and unique. We couldn’t imagine doing this without a password manager.

If this post doesn’t convince you that you need a password manager, we’re not sure what would, and we pray that you don’t get pwned. If you do get pwned, or would like some assistance with implementing a good password manager, fill out the contact form at the bottom of the page.

Support Us

We’re an ethical company that puts our community first. You won’t find us injecting targeted ads or trackers into our website, peddling sketchy products/services, or selling our visitors’ data to 3rd-parties. As a result, our visibility and resources are rather limited.

Please consider supporting us to help keep our mission going. There are several ways to make a difference – from cryptocurrency contributions to simply sharing our content. Every bit of support is greatly appreciated and helps us make the world a more private, secure, and prosperous place.
