
Money Donuts® Episode 3: Only Amazing Passwords, Please

Listen to Episode 3: Only Amazing Passwords, Please!

Cooper, James, and Steve take a sugar-fueled foray into the world of passwords, accompanied by Royal’s resident passwordologist! We get the inside line on security dos and don’ts, talk password management, and end with some totally off-topic fun, because why not!

Steve:
Welcome to another episode of Money Donuts. Thanks for joining us. As always, I'm joined by Cooper and James and let's just get right into it. James, what is our donut for this episode?

James:
The donut that we picked for this episode reflects the topic, and it is the Boston cream donut. Might not be familiar with what that is exactly. It's the chocolate glazed, soft, sweet donut with the custard filling inside. So delicious.

Steve:
Is there a reason why we picked that donut today?

James:
Because it goes with the theme of the episode. Top secret.

Steve:
Top secret.

James:
Top secret. It all connects to the theme of the episode. Shouldn't tell anyone your-

Cooper:
Favorite donut flavor?

James:
No. You're drawing a blank here. Come on, you guys. Shouldn't tell anyone your...

Steve:
Shoe size.

James:
Something to do with online things.

Cooper:
Password. It's password, right?

James:
Yes. Shouldn't tell anyone your password. It's the topic of this episode.

Cooper:
Got it.

Steve:
And in exciting fashion, we have a special guest with us today, Jody. And Jody, what is your title with Royal Credit Union?

Jody:
Information security officer, which is kind of a mouthful. Just means that I'm really focused on ensuring that the systems and the people and the processes that we have keep us safe and secure, so that member data doesn't get in the wrong hands.

Steve:
That's a very important job here at the credit union, so thank you for all the hard work that you do. So today we're talking a little bit about passwords though, too. Let's just start off, what makes a good password?

Jody:
Now, the password recommendations haven't really changed much over time, other than the length, but essentially what we look for when we look at passwords is, longer is better. Most short passwords can be easily compromised by regular machines these days, computing power is inexpensive. So we tell people 12 to 15 characters is a really good target for password length. We also look to mix it up, so don't make it your dog's name or your address. You want some level of complexity within that passphrase, because as you approach longer passwords, you need more than a single word. So a combination of words and symbols and numbers make it more difficult for someone to guess what that is.

Jody:
We also want uniqueness. So if you have multiple accounts, you should have multiple passwords. Don't use your online banking password for your Facebook password, because if Facebook were to get compromised, for some reason, people could take that login information and gain access to other systems. So uniqueness is really important.

Jody:
Then it's like, well, I have hundreds of accounts that I manage. So one of the other good password practices is to use a tool. There's lots of password management tools out there that can help you come up with long, strong, complex passwords, and can also help you manage that portfolio of passwords that you have across your accounts, your personal accounts, your social media accounts, your email accounts, your credit card accounts, your online banking account, social security, all those different places. You can generate long, strong, and unique passwords, and then use a tool to manage those that will keep them secure, help you generate new passwords and you can put them on your devices. So you could have it on your mobile device. You can have it on your tablet. You could have it on your laptop. And those things then become much easier to manage. And of course don't share them. I think that's where we started. Don't tell people what your password is. That's bad.

James:
Password distancing, social distancing, yes.

Jody:
That's right. Social distance, your password.

Steve:
Do we have to worry about our password management apps being hacked or somehow those being used to find out our passwords?

Jody:
That's a great question. You're like, "Well, I just put all my eggs in one basket. How do I protect the basket?" Or put all my donuts in one bag? How do I keep James out? So what you want to do is use a tool that does a couple of things. One, when you read those websites associated with those tools, they'll specifically tell you, "Hey, we use industry accepted encryption standards." And what that means is that they're using mathematical algorithms that have been proven to be strong, to take your passwords and encrypt that data and store it securely.

Jody:
And the second thing that you want to look for is that the actual encryption process, so that mathematical algorithm that's running on your computer, is actually running on your local machine. And then it encrypts the data. And then the only thing that leaves your computer is the encrypted package, as opposed to... Think of it as an envelope versus a postcard. When you send a postcard, everybody can read everything that you send. If you put that communication inside of an envelope and then mail it, you can't see inside of it. And so that's what these encryption algorithms are doing, is they're securing your data before they send it to these... Many of these applications are up in the cloud, but that data is encapsulated in a secure envelope, so nobody else can see it but you.

Jody:
The downside is, if you forget the password to your vault, they can't help you. So it's also really important to use the mechanisms that these platforms provide to recover your master password to that vault. It can be tied to a rescue email. It could be tied to a particular phone number. You can provide questions and responses to get a hint or to get a password reset. So leveraging those in addition to the password platform itself really can keep your data secure from other people, like you can't peek inside.

Cooper:
My phone, will just create a strong password for me if I'm signing up for something online or changing my password, and then it remembers it. Is that safe? Should I do that? Should I go to a different third party password manager? What are your thoughts?

Jody:
Many times there are applications like a browser or a system, I have an iPhone and I have a Mac and I use a variety of browsers, and any one of those things will ask me, "Do you want me to create your password for you? And then do you want me to save it for you?" Those things do a good job of generating passwords that are secure, so they meet all those things we just talked about. They're not necessarily going to look at the use the same way that other applications would. Many of the third party add-on apps will do a much better job of ensuring uniqueness because they see both the username and the password.

Jody:
The downside of having your operating system, which if you have an iPhone that's what's asking you, or your browser is that that set of passwords then is available to anybody who uses that system. So if you share a computer in your household and you don't have separate logins for each person, then your passwords are potentially available for someone else to gain access to. Your phone is... Usually you don't share phones, but a lot of people hand phones to other people, "Hey, look at these pictures, look at this thing." So they are not as secure as they would be if they were in a standalone app, because that standalone app is going to ask you, challenge you for a specific login to gain access to that information. So that's one reason to use a third party app.

Jody:
Another is, if you look at the updates from Apple or Microsoft or all the major browsers, Chrome, Safari, there's lots of security patches that come into those platforms every month. And so a lot of times, if I can gain access to your computer through a vulnerability in the operating system or the platform, I can then gain access to data that's stored within those. So you don't get that extra layer of protection. So going back to the donut analogy, so it might be good for the big reveal, the Boston cream donut is a good security donut for a lot of reasons. It has different layers. It has a chocolate layer, there's the pastry layer. And then inside, there's a soft creamy layer. And we always talk about security being the shell that protects the inside. And we also talk about layers of defenses.

Jody:
So if you use the browser capabilities to store your passwords or you use the operating system capabilities to store your passwords, you don't have as many layers in your donut that's protecting that creamy center that is where all the good pieces are. I'm a big believer of, I don't want things tied together if I don't have to. So if you gain access to my computer, you don't automatically get access to my saved passwords. You have to pass another challenge. There's another quest you have to go on before you can gain access to that. So that's a really long answer, but it is a really complex concept, but also very simple.

Steve:
There might be some people listening to this that say, "That's too much work. I'm just going to use the same password for everything. Nothing's going to happen to me because nothing has ever happened to me." What would you say to that person?

Jody:
Sometimes it's better to be lucky than good. We've talked to many people throughout my career and even here at Royal who see some unusual activity in their account and they can't quite understand why. And they maybe have online banking and their online banking user credential is their first name and their last name, squished together. And the password that they're using for online banking is the same password that they maybe used for their LinkedIn account. There are many sites out on the internet and it's not the dark web, and you don't have to be a super secret hacker to find this data, but there are data dumps from Equifax and Experian within the last five years that dumped the personal identifiable information of everybody who has ever gone through those credit bureaus. And it's identity-based information, which means it's your name, it's your phone number, it's your address, in many cases your social security number. It might have an email address associated with it. It also may contain actual credit history information that could tell you, "Hey, these folks have an account at Royal Credit Union."

Jody:
So if I was a malicious individual, I would take that data, and I would say, "Well, I'm going to see if James has an account, still has his account at Royal Credit Union." And I'm going to try to log in to online banking. And I'm going to use this information that I got for free and I downloaded it from the internet to try to gain unauthorized access to his account. So I'm going to put his first name and last name concatenated together and use that for his username. And then I'm going to look through this other data that I got from the same data dump that contained his password from LinkedIn. I'm going to try that password.

Jody:
And what happens is a lot of times, because I've reused the password, even though the username is different, these malicious individuals are gaining access to your online banking account, and then it's very easy for me to enter a transaction, to move money out of your account and into my account or send it to another malicious individual and then, poof, your money's gone. And you don't really notice it until you check your account or you check your statement. And that type of fraud is really challenging to detect on the front end. And so that's the biggest reason why you don't want to reuse passwords, because it makes it very easy for the data that we know is out there to be recycled and reused to move money.

James:
That's like rule number one, don't ever reuse your password. And yet I think all of us probably can think of an account where we're like, "Oh, I'll just use the same password I always use. So I don't forget it. So I don't have to go look it up or just so I don't have to put it into my password manager."

Jody:
Or I'll be tricky and I'll change it by one letter. I'll put a one after it, because then it's really different than what I did before, or a two. Because the other one I did was one. Guess what? The bad guys know all those tricks. They know about adding numbers in sequence. They know about the tricky one where you substitute the symbols for the letters, like an A is an @ sign. And a three is an E. They know that one. Or the keyboard sequences like I'm going to type Q-W-E-R-T-Y. Guess what? Those are also very well-known passwords.

Jody:
And the other thing that I tell people is, don't use passwords that are well-known. Just last week, or maybe this week, I read an article that talked about the top six passwords. And you know what one of the top passwords is? Always password one or password zero one. But it's also just a series of numbers. One, two, three, four, five, six is one of the top 10 passwords used. Don't do those things.

James:
That's mind blowing.

James:
It's really, passwords are the tip of the iceberg when it comes to security hygiene or security practices that an individual could do, right? If you were starting to look at your situation and you're like, "My passwords are the same," there's probably some other areas where you could make some changes, too, is what I would guess, right?

Jody:
If you follow those rules, people are going to have a very difficult time getting in. There is one additional thing that you can do and not all applications support it, but if you have the opportunity to add a second authentication factor that can really make it much harder for malicious individuals to gain access to your account, because it's another thing they have to know.

James:
And that's something that's built into Royal Credit Union's online banking system.

Jody:
Absolutely. You'll get a second PIN in order to complete that login process, which adds tons of security to your session.

James:
More layers on the donut.

Jody:
It's another layer.

Steve:
I've talked to a couple of members and non-members who are worried about using a mobile app to do their finances. They're fine with online banking, but just worried about the app portion of that.

Jody:
When you look at what a mobile app is, it's really just like a tiny web page. You can think of it that way. It just happens to be customized to run on your tablet or your mobile phone. So there's really, fundamentally, not a lot of differences between those two platforms. It looks a little bit different because its screen is smaller, but from an authentication perspective, again, it's going to use maybe your username and your password, and maybe you have facial ID set up on your phone, so you've already told your phone when you see this image, it's really me.

Jody:
And so those things can add layers of security that are slightly different than what you would interact with on the website, but equally secure. But at the end of the day, mobile apps, especially when you get them from the Apple store or the Google Play store, go through quite a bit of rigor for validation across security and interoperability with the operating system, and they have to go through a bunch of checks and balances. So the majority of the mobile applications that come directly from the authorized platforms, they're very secure.

Cooper:
I'm just thinking about how I really need to change my passwords because I only use one password for all my personal accounts.

James:
So listening to this, you're totally freaking out. Like, "I need to do this right now."

Cooper:
Yeah. I'm totally panicking inside after this conversation.

Jody:
Here's a great time to plug the creating stronger passwords information on the rcu.org website, under the education and resources information, those tips and tricks about how do you create strong passwords and how do you avoid the easy to guess ones. It's out there. Part of what we want to do and part of what this podcast is doing is to help educate members, and the things we're talking about seem insurmountable. It's like, oh, that's so scary. And there's so much work that I have to do. The good news is, once you get a password manager tool set up, or you set a set of unique passwords up, it's really easy to maintain them.

Jody:
It's kind of like when seatbelt use wasn't a law and for those of us who are older, it was a big change to have to start wearing your seatbelt all the time. I remember nagging my grandmother and my parents to wear their seatbelt because when they grew up, you didn't have to wear a seatbelt. They didn't get it. They didn't understand why we needed that extra layer of security and safety. And for me, it's like, I can't even get in a car without clicking the seatbelt. It's just habit. So what you're trying to do is reestablish and redevelop those new habits.

Cooper:
If I have this super fabulous, strong, password, do I ever have to change it? Am I supposed to change it? How often should I change it?

Jody:
Nope. That's a great question. The "guidance" around password changes has really changed over time. As recently as three to five years ago, the rule of thumb was you should change your passwords every quarter or every six months, because it's somehow more secure if that data changes all the time. And so there was a lot of smart people doing studies and government organizations doing research, and the new advice is, if you come up with a really good password, a strong password, so it's long, and it's not a quote from the Lord of the Rings, or a Bible verse, which are two big sources of phrases that people use, that it has length and complexity and it's unique and you're not reusing it all the time, there really is not any reason to change that password unless you think it's been compromised.

Jody:
Now, a lot of organizations will continue to ask you to change those passwords on some frequency. It might be once a year or once every six months. And in those situations, they're doing that to protect you against reuse, or if there's been a data breach, like many online services and social media portals and those sorts of things, you read in the news that they've had a data breach, one of the first things that they'll say in their press release is to go in and change your password. So for sure, that's a time you want to do it.

Jody:
I think as consumers, it's really important to know that the people we build relationships with should have the security of our data in mind. And it's up to us to inform ourselves with at least enough knowledge to make good decisions about that. If your credit card vendor or your internet service provider or whatever vendor that you're dealing with, if they're not asking you to make long, strong, unique passwords and not offering that multi-factor authentication, you should ask yourself why. Are they in it for them or are they in it for us? Because I think that that's what's really going to drive changes in the industry related to security, is that we, as consumers, can hold those vendors to a higher level of expectation. To protect us, instead of just making it easy for them.

James:
And maybe you don't have anything for this, but is there a standard security joke that you bring to an interview or dinner party or something?

Jody:
No, not that I tell. Two things, if you work... It's sort of like if you're a doctor. If you work in IT, you never tell people what you do. Because they're like, "Can you fix my computer?"

James:
Sure.

Jody:
Which is fine. But that's like when you go to dinner or you're out, that isn't how you want to spend your time, at least not for me.

James:
That's all right. Cooper, do you have a joke that you usually bring to a job interview or in front of a group of people?

Cooper:
Well, I don't bring it to job interviews, but maybe I should, but I do bring it to other financial presentations. And I think this joke is hilarious. It's what did the number zero say to the number eight?

James:
I have no idea.

Steve:
I don't know, what?

Cooper:
Nice belt. You get it? Because eight is just a squished zero.

Steve:
Wow.

Cooper:
That's my favorite joke.

Steve:
All right. That was a lot of good information. I want to thank Jody for sharing her expertise with us. And I know that I definitely learned a couple things and I hope that you all did, too.

James:
That was so much information. I think we all have some good takeaway items on our to-do lists now.

Steve:
I know that I need to go back and change all my one, two, three, four, five, six passwords to something else, because I didn't know that was a thing, but I guess everybody's doing that password. I don't know.

Cooper:
And, just so you guys know, unlike people who steal your passwords, donuts are not malicious, they're delicious. No?

Steve:
Jazz hands.

James:
My donut.

Steve:
[Inaudible 00:22:49].

Cooper:
Money donuts.

James:
Don't be malicious, donuts are delicious.

Cooper:
Don't be malicious, donuts are delicious.

Steve:
I think this could be our new theme song to the podcast.

James:
Thanks for listening. And we'll see you next time. Don't forget to rate and review us wherever you're listening.

Cooper:
Don't be malicious, donuts are delicious.