A guest post by Danny Budzak.
Danny is the Senior Information Manager at the London Legacy Development Corporation and is involved in data protection and information security. He regularly delivers training and learns as much, if not more, than he might teach. He has also worked with Silver Surfers, helping older people to get online. What he has learned makes him amazed and concerned in equal measure at the whole issue of ‘password management’.
In days gone by, confessions could be described as the aural equivalent of click-bait. Everyone wants to listen. I will start with mine. On a recent holiday, I found that space where work and the office and projects and PowerPoint presentations seemed far away. And at that point I realised I had forgotten my network password. I was convinced such a thing could never happen. I used it at least ten times a day to log on, unlock the screen, to log on, to unlock the screen. During lock-down I was probably using it more than in the office. But it had gone. Where that password should have been in my brain was nothing but a blank space. Being in the office would have mitigated the problem. It can be reset remotely. But it doesn’t work like that for many people when working remotely.
I do a lot of information security training and password training is a key part of this. I was used to watching people counting on their fingers how many characters their password had (usually eight), or counting on one hand the number of “different” passwords they use. Some could do this with one finger. One password to rule them all.
Then I introduced a new exercise by asking people how many online accounts they had. Some said “about twenty…or maybe thirty”, others admitted, “I don’t have a clue”, and two people with password managers knew exactly: 189 and 233. Research shows that most people think they have around 20 – 30 online accounts, but they are more likely to have 120 – 130 accounts. Sit down and make a list. And that will just be the ones you can remember. What about that website where you bought tickets for an event ten years ago? It’s still there, even if you have forgotten. Just remember, the internet has a much better and far more comprehensive memory than you do.
And then the story goes like this. So if you have 120 – 130 accounts, how do you manage the passwords? “One key password with variations”, “the browser remembers them”, “I just re-set them each time”, “a small number which I swop and vary”. Why not write them down with invisible ink on a sheet of A4 and store the paper in the third book of the fourth shelf in the kitchen?
After a couple of years I was puzzled why no-one ever asked me how I managed passwords. So I started telling them.
For my most important accounts – bank, email, social media, consumer sites – I write them down. In a book. These are long passwords – 25-30 characters long. But I write them down in such a way as they don’t look like passwords. Paradoxically, if you have a password of 1*EKLP&!!mm…!()??.< and write it down, it’s obvious it’s a password. But if you do have a password like that, you will never remember it.
For what I consider low-risk work applications (appraisal system, annual leave, bike shed booking) all the passwords are in a spreadsheet, that’s in a part of the network drive that only I can access, that is among 10,000 other files. That spreadsheet has a password on it. What could possibly go wrong?
And then the passwords for my social life – art galleries, books, music, exploring. These generally require accounts because it helps them sell to advertisers and they can do more fancy analysis of what you look at. Somewhere in the universe a database exists which shows I like the art of the Northern Renaissance, German electronic music and Italian food. It’s all a bit creepy that companies want to know this but I don’t care two hoots where that “web page usage” data goes and what Facebook or anyone else does with it. Good luck with anyone who manages to sell me anything based on that. An original Jan Van Eyck perhaps? But where there is a problem is if you use the same password for everything; because you are then at the mercy of the weakest system in which you have data. Does it matter if your password is the same for an obscure fan site of CAN as your social media account? Well yes, actually it does.
But there are already three systems here. Four if you include “saving passwords in the browser”. Five, if I have to accept that I get in a muddle with passwords sometimes and need to re-set them, or log in from a different machine. And yet the password is the key security element which we all hold and control.
I still had a vague sense that I was doing something wrong so I thought it might be worth asking my peers. I sent a very short questionnaire to two online communities which I thought might be interested: the Data Protection forum and the Records Management forum on JISCmail. Nothing could have prepared me for what happened next.
This is not a scientific study, it was almost a bit of light-hearted fun. Some of the responses certainly made me laugh out loud, but for all the wrong reasons. There are no percentages or totals here, but I got the feeling that the 50 or so people who responded were a fairly representative sample. The responses very much reflected the sort of responses I have been getting in training for the past five years. “I have one password and no one will ever guess it.” Actually, it doesn’t really work like that. “I use 3 instead of E”. Wow! Don’t tell the hackers, they would never think of such things. “All my passwords are in French.” That’s great. No hacking problems in France. “I use the same one but change the number at the end.” “I have a few which I interchange.” One person’s reply was so baroque that one felt like asking if they had taken part in the Napoleonic wars, where cyphers and skulduggery became ever more elaborate: “I use the names of the first team squad of my favourite football team but I remove all the letters a and e”. This is fantastic, but it only provides 25 passwords. What about the 100 others?
Other responses made me gasp and some were so shocking that if I revealed the methods it would only help the bad people. I suspect the people who use Password1, TopCat2, OpenSesame and others kept their guilty heads down. So the problem is almost certainly worse than the responses received.
The other thing I noticed was that very few people displayed much confidence in their “methods” (although in many instances that is stretching the meaning of the word). The small minority who did display a certainty about what they did were those who were convinced that one password is enough, and those who use a password manager. And that got me thinking.
At a recent training session I started to go through password management. The different types of passwords for different types of systems; using reminders such as salsa sauce recipes (1 handful of basil, 2 tbsp lemon juice, a lot of parsley – they are actually good passwords); writing them down but also having a couple of characters which only you know; using the third page of a book. And halfway through I stopped.
“This is madness”, I said, “get a password manager”.
I don’t know if they are the best way to do it, but it has got to be better than the Heath Robinson approach which so many people have.
As well as managing passwords, it will also help you understand how many accounts you have online. And if you don’t know that – which most people don’t – then how can you be in control of your own personal data?