While speaking at an industry event in DC last month I made a comment that “even my mother now understood the concepts of password entropy” because I had made the point of calling her in England to explain them. In recalling that conversation with my mother, I wanted to share the three things I told her she needed to do to securely use passwords on the internet.
My mum is a sprightly 70-year-old who lives in the UK. We stay in very good touch via Skype and email. She loves her iPad for the web and for chatting to me, and especially likes the fact that she can download and store endless amounts of ukulele sheet music. Yes, my mother is one of “those”: the Ukulele Reformers. They’re like a cult, one that smiles a lot and puts on a gig at the drop of a hat whenever they can all stand together.
So our conversation that day had been about why she needed to be more diligent with passwords on the internet. To make things easier to remember, I gave her three basic best practices that would help keep her passwords safe. I wanted to share that advice here.
My first was that “long is strong”
I explained that, unfortunately, the longer and more complex the password, the safer it will be. Twelve characters should be thought of as an absolute minimum. Avoid dictionary words unless they are part of a complex passphrase, and add special characters and mixed case wherever you can. She immediately asked, “so how do I remember my password then?” I explained a couple of simple mental models that can help, such as using the first character of each word of a memorable phrase. The example I used was “Mary had a little lamb its fleece was white as snow 987654”, which would then become a password of “MhallifwwaS98754”. I explained how this created what we call “password entropy”, basically a measure of unpredictability, which makes it hard for the bad guys to guess her password.
I also told her that writing down long passwords was better than using short ones just so she could remember them. Ironically, if you’ve been in the security space for a while, you’ll recall how “the yellow password sticky note” was the cartoon joke of the late 90s! Odd how things change but stay the same, isn’t it?
My second was to “be unique”
To make things harder for the bad guys, the best thing she could do was to use a unique password at every site. Again her reply was “so how do I remember them all?” Again I said that writing them down and keeping that list safe was OK, but explained that by putting sites into mental groups (by value, by name or by something else) she could have fewer passwords and share one within each group. I also explained that she could easily add something about the individual site to the middle or end of her “high entropy password” to create something unique for each site. So, for instance, her Google password would then become MhalGOOGLEifwwaS98754.
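The two mental models above (first letters of a memorable phrase, then a per-site tag spliced into the middle) can be written down as a few small functions, together with the pool-based entropy estimate that “long is strong” relies on. This is an added example, not code from the post or from SailPoint; it assumes the post’s nursery-rhyme phrase and its “insert the tag after four characters” placement, and applying the rule mechanically gives a slightly different string from the hand-written one in the post. The last function is the caveat a defender would add: two site variants built from one base share most of their characters, so if both leak, the base and the pattern behind every other site’s password are exposed, which is exactly why a password manager (as the post goes on to do) is the stronger option.

```python
import math
import string


def acronym_password(phrase: str, suffix: str = "") -> str:
    """Turn a memorable phrase into a password from the first character of each
    word, then append an optional suffix (digits, symbols) the user can recall."""
    words = phrase.split()
    return "".join(word[0] for word in words) + suffix


def site_variant(base: str, site_tag: str, position: int = 4) -> str:
    """Insert a per-site tag into the base password at a fixed position, the way
    the post turns its base password into a Google-specific one (assumed position: 4)."""
    position = max(0, min(position, len(base)))
    return base[:position] + site_tag + base[position:]


def charset_size(password: str) -> int:
    """Size of the combined standard pools for every character class actually
    used (lowercase 26, uppercase 26, digits 10, punctuation 32)."""
    pools = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,
    )
    return sum(len(pool) for pool in pools if any(c in pool for c in password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming every character is chosen uniformly
    and independently from the pool. Phrase acronyms are not uniform (common
    English word initials dominate), so treat this as a ceiling, not a measurement."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def meets_minimum_length(password: str, minimum: int = 12) -> bool:
    """The post's 'absolute minimum' of twelve characters."""
    return len(password) >= minimum


def reveals_shared_base(pw_a: str, pw_b: str, min_overlap: int = 8) -> bool:
    """Defender's caveat for the per-site-tag trick: two variants that share a
    long common prefix or suffix expose the base (and so the pattern behind
    every other site's password) if both are ever leaked."""
    prefix = 0
    for a, b in zip(pw_a, pw_b):
        if a != b:
            break
        prefix += 1
    suffix = 0
    for a, b in zip(reversed(pw_a), reversed(pw_b)):
        if a != b:
            break
        suffix += 1
    return prefix >= min_overlap or suffix >= min_overlap


if __name__ == "__main__":
    # Constructed sample input: the post's phrase and digit suffix.
    base = acronym_password("Mary had a little lamb its fleece was white as snow", "987654")
    google = site_variant(base, "GOOGLE")
    bank = site_variant(base, "BANK")  # hypothetical second site tag
    samples = (
        ("short dictionary-style", "lamb123"),
        ("phrase acronym", base),
        ("site variant", google),
    )
    for label, pw in samples:
        print(f"{label:24s} {pw:26s} {len(pw):2d} chars  ~{entropy_bits(pw):5.1f} bits  "
              f"min-length ok: {meets_minimum_length(pw)}")
    print("two leaked variants reveal the shared base:", reveals_shared_base(google, bank))
```

Run as a script it prints the three sample passwords with their length, estimated bits and whether they clear the twelve-character floor; the seven-character dictionary-style password lands around 36 bits against roughly 101 bits for the seventeen-character acronym, and the final line shows the two site variants sharing a thirteen-character suffix.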
There are, of course, good commercial tools and solutions that make this overall process much easier. As for me, I am lucky enough to have SailPoint’s IdentityNow solution to help capture, store and replay my complex passwords. Her US-based tech support team (that would be me, by the way) was subsequently able to set her up with a consumer password management solution (she’s now a LastPass user), so she has that benefit too.
My third was to “watch the road”
Basically this was to always be aware of where she was on the internet and to take specific note of anything and anybody that asked her to “login” or to provide any of her “secrets” or personal information. Again, her US tech support associate did have to show her how to set up strong multi-factor authentication where it was available on her favorite sites. She now understands the importance of HTTPS and what to do if there’s no “little lock in the URL bar”, so she’s in much better shape than most.
On a slightly broader security note…
I should also point out that her US-based tech support team (again, that would be me) had previously talked her through installing a browser-based web filter / adblocker (I’m a big fan of uBlock Origin), so she had some degree of content protection. Plus, a while back, we had our “the birds and the bees of the internet” conversation; I distinctly remember telling her to “trust no one”. I recall she was a little disappointed by that statement. She said she was surprised that “you computer types hadn’t worked this security thing out yet!” About all I could say was “Yes, I wish that too…”. She was a little annoyed, but not for long. After all, it was already time to hang up Skype and take her iPad song-book and ukulele to a local gig.