Webinar replay: mastering passwords

[Visual] The screen opens displaying a slide tile that says, ‘The webinar will start shortly’. The host, John Mollo appears in a small window at the top right-hand corner. Throughout the video, the webinar slides change to match what the speaker, Sam Leggett, is discussing. At times John, the host will cut in – as each speaker speaks, they appear in the top corner.

[Audio: Host/John] Kia ora folks.

Welcome to the latest CERT NZ webinar. Our second webinar for consumers.

[Slide change]

This one's all about passwords. Passwords is our first line of defense when it comes to our online accounts. We will talk here about creating long, strong, unique passwords and try to clarify some of the information that is out there.

You know, passwords is one of the big topics out there. A lot of people talk about them, and we're very aware there's a lot of information out there, sometimes conflicting information. So we'll hopefully start to simplify some of that information. And hope everyone will have a lot more information about passwords going forward.

[Slide change]

So a little bit about who we are. My name is John Mollo, I'm a senior advisor here at CERT NZ, looking after our international program. And I am joined by Sam Leggett, our Senior Analyst, in our incident response team, who'll be running through a lot of the content today.

[Slide change]

So little about a little bit about CERT NZ. So CERT NZ is a government agency, and we're there to help people with their cyber security issues or their online issues. We offer incident response.

So when people have a cyber security incident or something goes amiss, we have a team there that can help people step through that and work with them to get a resolution around their incidents.

We also have some proactive information there to help people to better protect themselves when they are working online.

So we have a website called Own Your Online that has a lot of guides and resources to help build people's security skills.

[Slide change]

Now I'll hand over to Sam to run us through today's agenda.

[Audio: Speaker/Sam] Awesome. Thanks very much, John.

Kia ora everyone. As John said, my name is Sam Leggett. I'm a Senior Analyst with CERT New Zealand's threat and incident response team.

Today, we're talking all about passwords. So a few things that we're going to cover off today. Now, I want to reiterate that this is being recorded, the slides will be available, don't feel like you have to take all this information down in one go. It can be quite a lot to take in.

But some of the things that we're going to cover off today are why passwords actually matter, why are they important, and then break them down into what actually makes a good password.

So there's three key aspects to what makes a good password. It's length, it's uniqueness, and how secure or how strong that password actually is. And we're going to break those down and look at those a little bit closer.

We're going to talk about things like when to change your passwords, what the best practice around that actually is. And of course, how we actually go about storing our passwords. These days, people have about 100 to 160 online accounts, at any given point in time.

There's a lot of passwords to remember, we're going to talk about some of the ways that you can go about storing those passwords securely.

Now, as we go through the content, you may have some questions, we're going to have some time at the end for questions and try to address any questions that do pop up. As we go on through, if anything pops up for you, there should be a Q&A box where you can enter your question there, and we will definitely have time to get to those at the end.

Alrighty, let's jump into it.

[Slide change]

So why are passwords important? Well, you probably all know that when you have an online account, one of the first things you have to create as your password. It's ultimately the keys to your virtual castle. It's the key that gets you in the front door of your virtual house. Whatever analogy helps you understand the importance of that password.

It's that first layer of defense. You can only get into an account if you actually know the password for that account. And cyber attackers, these threat actors, what they're really going after is your personal information.

They're trying to get access to that information and access to your online accounts. Most often this is financially driven trying to get into your bank account. And if I can get the password for these things, that's how they that's how they're often getting.

If we have weak passwords, or we're not doing some of the things that we're going to talk about today, the reality is that we can make the attackers job that much easier, make it that much easier for them to get into our really important accounts.

That's why passwords are so important. That's that first layer of defense. And that's why we have to make sure that our passwords are long, strong and unique.

[Slide change]

How are attackers actually getting our passwords though? There are a few ways in which an attacker would go about trying to get compromised, crack, guess your password.

First one is brute forcing. Now this is basically where an attacker will try a lot of different possible password combinations against your account until they find the right one, and they're able to get in.

It's basically guessing a whole lot of number a whole lot of passwords in a really short amount of time. And usually what they're doing here is using some special software in order to get that really high amount, a high number of passwords in a really small amount of time.

When we use weak passwords or easily kiss passwords, unfortunately, those can be cracked by that software really quickly, and can be very easy to get into our accounts. Dictionary attacks is another tactic that they'll use, and this is where they use common password patterns. So, human nature when creating passwords is to follow some pretty common patterns.

Unfortunately, attackers know that we do that, they can use that to try and guess our passwords as well. And when we are following these really well-known patterns, it can be very easy for them to guess those passwords and get into our accounts.

And then, of course, there's credential stuffing, credential stuffing attacks, and that's where attackers are using known compromised passwords. So, passwords that have actually been used by people in the past, whether they've ended up ended up online and a data breach.

They use those lists of known compromised passwords, and try them on a range of other accounts to try and get into our accounts. And that's why password reuse has a really significant risk.

We are going to talk about password reuse specifically, in a little bit of time.

[Slide change]

So what can actually happen if someone gets a hold of your password, and what can the damage look like to you.

Unfortunately, there are a lot of bad things that can go on if attackers are able to get a hold of our passwords and get into our online accounts.

The first thing that I could do is impersonate you to defraud others. So I want you to think about social media in this instance. At CERT New Zealand, we get a lot of reports where someone's reporting that a family member or friend has had their account compromised, they've received a message from that family member or friend usually claiming this some kind of great investment opportunity, or there's a prize that you've won something like that. Unfortunately, that's when the accounts been taken over. The attacker is using that account, pretending to be that person and using the relationships, that person has to try and convince others to click on links, provide personal information, provide credit card details, all these kinds of things.

Attackers can steal your identity and open accounts in your name. Now typically we see this occurring on buy now, pay later schemes, where attackers are creating accounts, buying something, getting the goods and then it all comes back to the person whose identity they've used. So if they can get into your online accounts, and they can see all your really personal information, they may be able to use their personal information to go away and create other accounts online in your name, and commit fraud that way.

Ultimately, what they're trying to get is money. So if they can get your passwords for your bank accounts, they can get in there, and they can steal that money, and that's why things like bank accounts are so important to have really long, strong insecure passwords.

And the last one there is that can get into your other online accounts.

Now, when we're talking about strong passwords, the one thing I want you to keep in mind, as I said you probably have over 100 online accounts. Are you gonna go away today and make a long, strong unique password for every single one? Probably not. And that's okay. The most important thing is to acknowledge the accounts that are critical to you, and make sure you have a long, strong unique password on those accounts. Now, this might change from person to person. But what we're talking about when we say critical accounts are things like your bank account, obviously, that's handling all your money. So that's really important. Things like your email account.

And you may not realize why that's such a critical account, but the reality is that most of our online accounts are linked back to an email address. And so if an attacker can get into our email account that is linked to all our other accounts, they may be able to compromise those other accounts through things like password reset features. That's why email accounts are one of those really critical accounts too.

Social media, as we've already discussed, attackers may be able to get into our social media, use identity to defraud others or coerce others into clicking links, providing personal information. So social media is really important as well. And then other things like your ID account, government accounts, these kinds of things.

What is really critical to you may change from person to person, but acknowledging those four or five accounts that are super important and making sure you have long, strong, unique passwords there, is the most important thing to do. And if that's all that you do in terms of passwords, you've still improved your security drastically, then having the same password across all those accounts.

[Audio: Host/John] Just quickly, Sam, a question that's just come in. What are common password patterns, emerging common password patterns on the earlier slide, can you dive into that a bit more?

[Audio: Speaker/Sam] Absolutely, we actually have a slide on that. So we're going to get into that in just a little bit of time.

But when we say common password patterns, all we're really talking about is the ways that people generate passwords.

So the first thing that comes to mind is, you know, you may create your password based on a pet's name, you might add an important date to you in there somewhere, and then maybe you chuck a symbol on the end. And that's how you've created your password. That's the way you're adhering to complexity. You've got letters, both uppercase and lowercase, you've got numbers and symbols. So you're meeting all those requirements, you're going to be able to remember it because it's a personal pet's name, an important date, and in just basic symbol at the end.

Those are the kinds of patterns that we're talking about. We are going to get into that a little bit more detail though.

[Slide change]

So when we say good passwords, I've said it a lot of times already, long, strong and unique. These are the three keys of what makes a really good password. We're gonna start talking about that long, that password length aspect.

So how long should a password actually be? Different platforms will tell you it needs to be different minimum lengths, often, online accounts on platforms are saying at least eight characters, at least 10 characters. There's a bit of math that goes into what makes a really strong password, what length makes a strong password.

So what about eight characters? There are a lot of online platforms that are recommending at least eight characters. Depending on how you create that eight character password, the reality is a computer could be able to crack that within 90 seconds. Maybe you add a symbol, maybe you add a number and improves that complexity a little bit. But it's not going to take a lot of time for those sophisticated computers, that sophisticated brute forcing software to crack a really short password.

What about 12 characters? Gets a lot better. The reality again, though, is that it could take 18 months to crack. So a lot better than eight characters, not the best that we can get to.

And this is the really key breakpoint here is 16 characters long. The math shows that this could take trillions of years to crack. And again, as I say, different symbols, different numbers, different complexity is going to change this a little bit. But 16 characters is that really, really great sweet spot for password strength. That's the length that we're really looking for.

One thing I want to say here, though, 16 characters, the longer you make a password, the harder it's going to be to remember. Now we are going to talk about ways that you can store passwords securely, so you don't have to remember them all, but you may opt for the option where you actually are storing all these passwords in your head. And the longer the password is going to be, the harder it's going to be to remember.

So the message I want to get across today is let's not let perfect get in the way of good. You know, we can improve our security, we can make it better. If we have eight character passwords on our important accounts at the moment, we go away and make 12 character passwords there, it's going to be a lot better than it was.

If we can go that extra step and make our passwords 16 characters long, that's going to be phenomenal in terms of keeping those accounts nice and secure.

[Slide change]

So that's the first aspect. Long, the longer it is, the stronger it is.

Uniqueness is another really key aspect here. This is all about what makes a password strong, it makes it hard to guess and hard to crack.

[Slide change]

The unfortunate reality is that people out there use passwords that are easy to remember. And so that leads to a lot of people using the same passwords. And there's a lot of lists out there of most common passwords that are used.

In 2023, some of the most common passwords that are still being used: 1234567, password with a capital P, admin with a capital A, Qwerty which is just you know that top row of the keyboard letters, user, Taylor Swift made it in there as well. Apparently, she can do it all.

So these are the most common passwords that are used. And when we're using the same passwords across all our accounts, or common passwords that are used by a lot of other people, attackers know this. And they can take these lists of commonly used passwords and use that less to try and get into our account. So if our password or something along these lines, we are making it so easy for attackers to get into our accounts. And we're not doing much to keep our accounts nice and secure.

[Slide change]

Reusing passwords, as I've talked about a little bit already is a real significant risk to our online accounts as well. Why is this?

So, let's say we have 50 online accounts. Bank accounts, email, retail sites, and everything in between. We have the same password across all those accounts. Maybe it's a good password. The unfortunate reality is that organizations do have data breaches.

Now, you've probably seen a bunch of different data breaches in the media. This does happen and sometimes it means that our passwords end up on the internet. Now if our password did end up on the internet, and we've got the same password across all our online accounts, attackers will use that password across different platforms across different websites to try and gain access to other accounts. And if we use the same password everywhere, it's putting all our accounts at risk. If our password does get breached anywhere.

Many online accounts are using your email address as the username, and so, in data breaches often what gets leaked are things like our email address, are things like our passwords. If that's leaked in combination, what attackers will do is simply take that combination and try to plug it into as many websites, as many platforms as they possibly can, trying to gain access to as many different accounts as they can.

Sometimes, what we find is that online accounts, online platforms can be logged in simply through our social media. So you've probably seen the options when you're logging in, login with Facebook, whatever it may be. If we have the same password on a Facebook account that we have elsewhere, and we're using our Facebook account to log into lots of different platforms, that password gets breached in one location, it puts our Facebook account at risk. And now everywhere that we use a Facebook account to log into is also at risk.

So the really important key here is not to reuse the same passwords on all our accounts. And again, what I'm gonna reiterate here is, the key is not reusing the same passwords across those really critical accounts. So again, go through that process of acknowledging what's really important to you, bank account, email, social media, maybe IRD. You know, whatever it looks like for you.

Acknowledge what those critical accounts are, and make sure the passwords on those accounts are long, strong, and unique. So the key here is not to reuse that same password, or using passwords that have been caught up in a data breach in the past.

[Audio: Host/John] So Sam, if an organization has had a data breach, would they normally let people know that their password has been put out there in the public domain?

[Audio: Speaker/Sam] Yep, so that's absolutely what organizations should be doing.

And when we work with organizations that have suffered a data breach, this as part of the advice that we're giving them. Should be a process of reaching out to affected customers to let them know what's happened and what information has been compromised. And that should give you some knowledge to then go away and make changes to keep your online account secure.

If you've got an organization that you have an account with letting you know that your information has been caught up in a data breach, and that includes your email address and your password.

Obviously, jumping into that platform, changing the password, there is the most important thing, and then changing that password anywhere else that you've used it or that you currently use it as the as the next most important step.

Absolutely, organizations should be letting you know when this occurs. And they do have obligations to let organizations like The Office of the Privacy Commissioner know when personal information has been caught up in a data breach as well.

[Slide change]

So we talked about this a little bit already, you know, how do we how do we create our passwords and this process is really key to creating long, strong and unique passwords.

So what's the process that we go through when we're actually developing these passwords?

Now, as I've already said, the most common thing that people like to do is create a password based on your pet's name. What I want you to think about is the passwords that you currently use, and whether or not you have any information about your password that's available online. Do you have an Instagram page that's all about your pet? So your pet's name is actually out there and online. What about your date of birth? Do you have public social media posts acknowledging when your birthday is? Maybe even you include your location. Is that public information on your social media accounts as well?

The overall takeaway from making strong passwords that I want you to keep here is if your password is based on information that can be found out about you online through social media, you are putting your accounts that use those passwords at risk.

So what attackers will do, as we've talked about already, they've got that software that can guess a really high number of passwords in a really short amount of time, what they'll often do is jump onto social media to try to grab personal information from social media, and use that in conjunction with the software. So now the software isn't just guessing random passwords.

It's guessing passwords based on our personal information, our pet's name, locations, dates that are important to us, whether it's dates of birth, whatever it may be, that can be used in conjunction with that software, to guess those personal based passwords. And that's the patterns that people often like to follow because they are things that can be easily remembered.

More complex doesn't necessarily mean more secure.

The other thing that people like to do is if they're required to add a symbol into their password, chuck an exclamation mark on the end. Now I've met that complexity requirement.

Again, attackers are aware of these common patterns. And what they'll do is they'll guess those things first. They'll follow those common patterns themselves. And they'll guess things like adding an exclamation mark on the end when they're trying to crack your passwords.

Now, another way that we can go about creating our passwords in a more secure and strong fashion is to actually use random words rather than words that are important to us. The example on screen 'correct horse battery staple'. That's a really long password. I don't know exactly how long it doesn't I can't count that quickly, but it's a really long password. So it's meeting that length requirement to have a really strong password. It's meeting that not following common patterns and using personal information to make sure our passwords are nice and strong. And this is actually going to be a really secure password in comparison to the kinds of passwords that people are currently using on their accounts.

Now, a password of the exact same length that's completely random uppercase, lowercase letters, numbers and symbols is going to be more secure than a password like this. But a password that's essentially a passphrase based on four or more random words, is going to be a lot easier for you to remember, than a 30 character password made up of completely random letters, numbers and symbols.

So that's one way that we can go about creating a strong password that isn't going to be easily guessed that isn't based on personal information. And that also makes that length requirement.

[Slide change]

[Audio: Host/John] Sam, going back to using personal information for our passwords, if my social media accounts are locked down, no one can see anything, am I okay to use personal information or passwords?

[Audio: Speaker/Sam] It's going to be a lot better. And it's really important call out that you may be a John.

So it's an important step to take to look at your own social media accounts and the information that is publicly available on you, especially if you are using personal information to create your passwords. Locking down your social media and preventing people that you don't know from being able to see those accounts and that information is an important step to take.

Maybe you can't do that, you know, maybe you have a social media account that's for your business. And there's, you want that to be public so that you can start building up that business and in that customer base.

In that case, not using any of their personal information at all is the solution. And in most cases, avoiding using personal information and your passwords is going to be better.

If you do have to go down that route, if that's the the only way that you can create a long, strong, unique password, then locking down your social media is a really important step to take.

[Audio: Host/John] Awesome, thank you.

[Audio: Speaker/Sam] Okay, so we've talked about complexity a little bit. And what we mean by complexity is when you're creating a password for a platform, and the platform says you must have an uppercase letter, you must have a lowercase letter, you must have a symbol, and you must have a number.

If you're adding a one at the end of your password, and that's how you're meeting that number requirement, that's not the most secure practice to use. If you're adding an exclamation mark at the end of your password to satisfy that symbol requirement, that's not the most secure practice to use.

Again, these are the patterns that people like to follow because it's easy to remember, but attackers do know that we often follow these patterns. And they can use these to easily guess or crack our passwords.

Maybe to meet that simple requirement, you've instead substituted the A in your password for an @, it's a little bit better. But again, this is a pattern that that attackers know we like to use, because it's easy for us to remember.

So in that sense, if we're using these patterns to meet these complexity requirements, that's not going to result in a long, strong and unique password.

Again, as we've said, substituting symbols for letters, maybe we substitute numbers for letters instead, zero for an O, that way we can make that number requirement. That's another pattern that we like to follow, because it's easy to remember, but attackers know we follow these patterns, and will use that when trying to guess and crack our passwords.

So if you're creating a password, and the platform requires that you have numbers in symbols, the best thing that you can actually do is use random numbers and symbols, not just ones, not just exclamation marks.

The other pattern that we all commonly like to follow is when we are required to change our passwords regularly. And we're going to talk about that in a little bit.

But if your organization is getting you to change your passwords, every three months, the most common thing that people like to do is change the one at the end of their password to a two and into a three, and then to a four and then to a five, and so on and so forth.

Again, this is a really commonly used pattern, attackers know this is a commonly used pattern, and so it's used in conjunction with the software and the other techniques, they have to try and guess and crack our passwords.

Best thing that we can do when we need numbers and symbols in our passwords is use random numbers and symbols and actually insert them into our password into random places.

So rather than right at the end, or right at the start, somewhere in between one of the four random words that your password is based on, is going to be a lot better than adding it at the end or the start.

[Slide change]

[Audio: Host/John] Just to clarify, Sam, if we sign up to a website, and it says password must be eight characters and have special characters and numbers, are we just aiming for those eight characters plus the numbers and special characters? Or should we still be aiming for that 16 characters?

[Audio: Speaker/Sam] That's a really, really good point.

So what people will mostly do is aim for that minimum. So if a platform says, your password must be at least eight characters long, people are trying to create a password that's exactly eight characters long.

Again, it makes sense why we do this, it's easy for us to read member. And let's be honest, it's a little bit of a pain when you've got 160 online accounts. And every time you create one, you're asked to create a password. That makes sense why people follow these patterns, why people use the same passwords. But it's important for us to understand why doing those things puts our online accounts at greater risk.

What I would encourage you to do is to ignore that minimum length requirement to make a password at least 12 characters long, ideally 16 characters long. That way, you can be sure that your password is long, strong, long, strong and unique.

Just because the platform asks for a minimum requirement doesn't mean that is the minimum that we should be reaching, the longer it is typically, the stronger your passwords going to be.

[Audio: Host/John] Thanks, Sam. And we do talk about storing passwords later on in the presentation.

[Audio: Speaker/Sam] Absolutely.

[Slide change]

 

Cool. So what about changing passwords?

Now, maybe you have, maybe you're thinking about your passwords in your personal life. But maybe you're also thinking about the passwords that you use and create in your professional life. It's not uncommon for organizations to ask you to change your passwords regularly. And in the past, this has often been looked at as the best practice, the most secure practice.

Actually, that's not really the case, as we know what people often do when they're required to change their passwords regularly, chuck that one on the end, change it to a to change it to a three change to unlock.

I've done this before, in a previous life in a previous role, this is how I would create my corporate passwords. And this is how I would change my corporate passwords. I even got to the point where at the end of my password, I had one three, so I had done it 13 times. That's not the most secure practice. And when we follow these common patterns, these patterns that attackers are aware of, we are making it easier for them to guess and crack passwords.

Frequently changed passwords can be harder to remember. That's why people tend to follow these patterns and simply change the number at the end and iterate it up one so that they can remember it easily.

Changing your password every 12 months should be sufficient. But what I would really try to get across here, and you can make it part of a normal routine that you have. So you know like you check your smoke alarms every year, you can make this part of your process as well, where you're changing your passwords at some point every a year. And once every 12 months is probably going to be enough, as long as the passwords that you are changing to are long, strong and unique.

What I would actually say is that if you go through the process of making a really long, strong, unique password. Let's say you've got a 30 character password, it's not based on any personal information, totally random characters, having a password like that is going to be a lot more secure than having a shorter, less unique, less strong, weaker password that you change every three months.

So actually, the best thing to do is make sure we're getting the correct password creation right, rather than enforcing constant changes to our passwords.

Making sure at the start, when you create that account, when you created that password that your password is long strong and unique, you're hitting those three marks.

If you go through that process, you don't have to worry too much about constantly changing your passwords. Making sure it's long, strong, unique as the ultimate key.

[Slide change]

And the other consideration that I would encourage you to make is to just consider changing your password as you actually need to do so. Maybe it's part of your annual process. Maybe when you change your smoke alarms and change the batteries there, you're also checking and changing your passwords.

But if you've clicked on a dodgy link, and you're worried that you've provided your password to a scammer, or to an attacker, that's a good time to change your password. Maybe you've received a phone call someone that claims to be from the bank. But actually, as you've spoken to them, you're a little bit worried that they're not who they say they are. You think it might be a scam, but at some point, you've actually given them that information, you've given them that password.

Jumping into the account, changing that password then is obviously going to be really important. If your information has been caught up in a data breach, that's really a good time to look at your passwords and consider changing into something long, strong and unique.

A resource that I really want to get across here is a website called haveibeenpwned.com. You can see at the bottom there. I know it sounds a little bit funny. It's a bit of a weird address. It is a legitimate site. There are agreements between government organizations and website owners.

What this website does is collect breached data information. So when an organization, and they do this globally, when an organization has a data breach, haveibeenpwned will try to get that information, understand exactly what information has been breached, and then make it a resource that we can use to determine whether or not our information has ended up in that data breach.

So if you go to this website, what you'll see is a search bar, you can chuck in your email address. And what it will tell you is anywhere that that email address has been caught up in a data breach. It will also tell you the other kinds of information that has been breached in that data breach.

So let's say, arbitrary business somewhere in the world has had a data breach. You've been part of that data breach, you pop your email address that you use for that platform into Have I Been Pwned it'll tell you, yep, your data was breached at this point in time. The data breach occurred with this organization and the type of information that was breached was your first name, your last name, your email address, your phone number, and your encrypted password. Whatever it may be.

 It'll tell you what information has been caught up in there. So that you can go away and change passwords where you need to. You can actually enter your password into the site. And as I say, it is a site that we can trust, there are agreements in place. And you can see if your password specifically has been caught up in any data breaches.

As we've kind of said, that's one of the keys to making sure our passwords nice and secure, not reusing our passwords everywhere, but also not reusing passwords that have been caught in a data breach in the past.

[Audio: Host/John] We've had a really good question actually just sent through. This question is, should I change my password if I've accidentally put my password in instead of my username?

[Audio: Speaker/Sam] Yeah. So again, as I said, haveibeenpwned.com is a site that we can trust. There are agreements in place between the website owner and various, various organizations.

It's a resource that we regularly use here at so New Zealand. So if you've popped your password into this site, particularly, that's not going to put any risk on you. But if you've done that for other locations, other platforms, other websites, you know, you've meant to type in your email address, but you've actually put your password in, maybe you've put it out there somewhere publicly, maybe it's posted online, whatever it may be. If you've done that, then certainly that's a really good time to consider changing your password and changing it anywhere else when you might use that password.

Haveibeenpwned.com again, this is a safe site for us to use. But other sites that maybe you're unsure about whether you can trust, you've accidentally put your password in there. Absolutely. That's something that you should go and change.

 

[Audio: Host/John] Thank you for that, Sam. And yes, thank you for pointing out that the URL is slightly, there was a typo in the URL, but we will send out the correct one with the recording.

[Audio: Speaker/Sam] Yeah, good call out, we'll get that updated for the slides before they get sent out. There's just an i between 'have and been', that's the only difference there but very good spotting.

[Slide change]

Right. We've talked about this a little bit, storing passwords is a really important key here. We've got so many online accounts, most people have between 120 to 160 online accounts. How can we possibly be expected to make a 16 character random password for every single online account we have?

The truth is I don't think anyone's capable of that. So we need some solutions in place that can help us to remember our passwords, especially when we're making them long, strong and unique.

Again, most important thing to do is make sure that your passwords on your important accounts, so those critical accounts just going to reiterate them again, things like your bank account, your email account, social media IRD, any of these important accounts to you. That's where it really matters to have long, strong and unique passwords.

However, we've already listed about five, and that's already getting to the point where it's not realistic for an individual to remember, five, six different long, strong and unique passwords. So it can be difficult to remember a password. So how do we actually store them? What can we do in order to keep our passwords in a safe location so that we can access them when we need to, but no one else can. You may consider writing them down in a notebook.

You may consider using the 'save my password' function in your internet browser. Maybe you use a password manager. We're going to look at these options and talk about the pros and cons to each of them.

[Slide change]

So what if you store your passwords in a notebook, I'm going to call my mom out here because I know that she likes to do this. This can be a risky practice.

But there are some important things that you can do to make this a more secure practice. What we don't want to do is get in front and tell everyone that you shouldn't do this or you shouldn't do that because it's not secure enough.

What we want to be able to do is enable you to pick the option that's most accessible for you, and do so in a way that's going to make it a more secure practice. There are some risks to writing down your passwords in a notebook. And it's important to acknowledge what those risks are and understand how you can do so in a more secure way.

So what if someone gets access to their notebook, essentially, they have all your passwords, they have the keys to your online castle, they can get into all the online accounts that you've noted in there. This is actually against some terms of service for some platforms. There are some banks out there that do prohibits you writing down your passwords.

And if you lose, or you misplace that notebook, then you've lost all your accounts, you don't know the passwords for your accounts. And it can be quite hard to get back into accounts if you don't have that password.

 

So the most important thing here if you are choosing to write your passwords down in a notebook, for example, is to make sure you are storing that notebook securely, in a physical safe, in a locked drawer. Something that only you have the key to that way you can make sure that those passwords are stored securely only you can access them and you can access them when you need to.

I have heard stories there have been incidents where individuals have chosen to go with this route, write their passwords down in a notebook, they've had a contractor come into their house to do some work. The contract has seen the notebooks sitting on their desk, and I can see all the passwords and the usernames next to each other. That person has decided to log into the bank account and transfer some money out. These are the kinds of risks that are posed when writing down your passwords in a notebook.

I will be honest with you, writing down your passwords physically in a notebook is not the most secure practice to use. But if you're making sure you're locking that notebook away in a safe and a locked drawer and a lock box, whatever it may be, when you're not using it, and only you have the key there.

That's a really, that's the most important step to make sure that if you are writing your passwords down, you're doing it in a secure manner.

[Slide change]

What about the 'Save my password' function in Internet browsers and, we're going to talk about password managers in a little bit, but the 'Save my password' function in Internet browsers as essentially the built in internet browser password manager.

A lot of people I know choose to go down this route, save their passwords to their internet browser so that when they're navigating through the various websites, the browser remembers their password it plugs it in, they log in, they're good to go.

Again, this is not the most secure practice, but there are some important things that we can do to make it a much more secure practice.

So if you use the save password feature in your browser, you can go straight into your accounts without logging in the browser knows it plugs it in, way you go. But if anyone else has access to that device, especially if you stay auto logged in to the account for that internet browser, so I'm just going to use Google as an example.

You stay auto logged into your Google account. So when you open up Google Chrome, your auto log down there, that's where your passwords are stored on that account. Google Chrome can then grab the password, you can log in and away you go. If you choose to do that, and you lose that device, or someone steals that device, all those accounts are now at risk.

That's why it's so important to make sure if you do go down this route that any devices you use, that internet browser, that built in password manager for, that device is secured with some kind of protection, it's might be a password.

And we were talking today about how to make a long, strong and unique password for your device. It may be a PIN number, it maybe you know a little pattern on the lock screen. It may even be biometrics like thumbprint, and face ID. Not all of these, not at all these protections are built the same. But having some kind of protection like this in place on those devices is the most important thing.

Now I want to reiterate here, if you choose to use a built in internet browser password manager, you are making the account that you have for that internet browser, like your Google account, you are making that your password manager.

And we're going to talk about password managers in a little bit. But the key with password managers is that you only have to remember one password. The password manager will store and generate all your passwords for you, and it saves you having to remember them all you just have to remember the password that you use in order to get into that password manager.

So you do have to go through that process of making sort sure the password that you use for that account is long, strong and unique. You have to make sure that that password is up to scratch, because that password is what's protecting all your other passwords.

The other really important thing, if you do choose to use built in password manager features is to make sure that that software, Google Chrome, whatever it may be, is kept up to date with the latest updates from the vendor as soon as possible.

We've all seen that pop up in the bottom right-hand corner of our screen asking us if we want to update our device. And we've all deferred it off for seven days even more at some points in time. If you do choose to go down this route, making sure Google Chrome has updated with the latest updates as soon as possible is a really important step to take.

So again, just to reiterate some of the keys here, you do choose to use built in password manager and 'Save my password' features in those internet browsers. What do you have to do? Make sure any device that is auto logged into that account is secured with a password pin, pattern or biometrics. Make sure that software is kept up to date with the latest update as soon as possible.

And make sure that the password that you have for that accounts is a long, strong and unique password so it can protect all your other passwords.

[Slide change]

That's a lot on password managers and internet browsers.

What about third-party password managers? This is probably the most secure option for storing your passwords.

There's some important things that we need to take into consideration with our password managers as well. So what is a password manager? It's essentially an online vault that stores all your passwords for you, and it's all protected by your one master password.

So again, it does have the benefit of meaning that you only have to remember that one password, you only have to go through the process of creating that one password. But because that master password is protecting all your other passwords, you do need to make sure that that one password is long, strong and unique.

So in this case, your master password I will be making that as long as you possibly can while still being able to remember it. Making sure it's hitting all those complexity marks. It's got uppercase and lowercase letters, numbers and symbols. It's not based on any personal information. No information that's used in our password can be found online. But it's obviously important to remember that password.

So it's a bit of a balancing act. But again, because it's protecting all your other passwords, it's so important that that master password is long, strong and unique. So it's the point right there, making sure that master password is long, strong, unique. So it's, it's, it's a secure option for keeping all your other passwords safe.

Unfortunately, password managers to not impenetrable, some password managers in the past have had data breaches.

So how do you go about choosing a password manager. There's a few things that I would encourage you to take into consideration when you're looking at a password manager. Look at their track history, do a bit of Google searching, you know, that's going to be your first port of call. Have a look what the list of top password managers are out there.

One caveat that I'll make there is just because something returns highly in a Google search result does not mean it's legitimate or good. And I would actually encourage that you scroll down past all the ads, and start looking at the results that aren't actually Google ads. This is the first port of call though, you know, we can start seeing lists of commonly accepted good password managers.  

And if we look at a few different lists, we can see the ones that are popping up on all those lists. And this is how we can start to determine which password managers we're going to look at first. Once you've found one that you're pretty comfortable with, as you know, commonly accepted as a good password manager, it's appeared on a few different top lists, you start looking at that individual password manager, start looking at the track history. Have they had a data breach in the past? Maybe that's not a deal breaker for you, maybe how they handled that data breach is more important to you than whether or not it happened. Maybe your password manager having a data breach at all is absolutely a deal breaker. And so you can move on to the next one that you want to look at.

The other consideration I'd recommend with a password manager is looking for one that will generate the passwords for you. Most password managers do this these days. But having a password manager generate your password for you will mean that password is really long, you know, we're usually talking 20 to 30 characters. It's got uppercase lowercase letters, it's got numbers, it's got symbols, and they're all completely random. A password manager generating a password like that, it's going to make sure all the passwords that generates for you are long, strong and unique.

What some password managers will do is actually monitor for data breaches as well. So if they find that your information that's part of your password manager has wound up in a data breach, some of them will actually give you an alert. And that's something that you might want to look for in a password manager.

Some password managers cost a little bit of money, sometimes they have additional features on top, some password managers are free. Just because it's free doesn't mean it's not necessarily a good one. That's just a consideration to take into account.

I would say the most important thing to look for in a password manager, though, is a password manager that offers you either two-factor or multi-factor authentication. There's a lot of different terminology around multi-factor authentication, two-step verification, two-factor authentication, multi-factor authentication. Whatever it's called. Usually, this looks like a code being sent to your phone that you have to enter in order to log in. Sometimes it's a code generated by an authentication app.

Sometimes the website itself generates the code and you have to enter that code into an app, maybe opt for physical multi-factor authentication, and you have what's called a YubiKey. Something you plug in, you have to push a button on, you can only access the account if you have that little physical device.

Whatever option you choose, having multi-factor authentication in place in some form, is the most important thing. This is this is the second layer of protection on top of our passwords. And today's webinar is not about two-factor or multi-factor authentication. But this is probably the most important thing to look for in a password manager to make sure it's going to keep all your passwords as secure as possible.

So you go through the process of making sure your master password is long, strong and unique. You've chosen a password manager that offers you multi-factor authentication, you've turned that on, you've gotten an enabled. Now you're operating with what we call a defense in depth model, you've got multiple layers of protection, keeping all those passwords nice and safe. So that's the probably the number one thing I would look for in a password manager before I commit to one.

[Audio: Host/John] So you talked about a free password manager doesn't necessarily make it a bad one. And then I guess the inverse is also true, if one is charging you doesn't necessarily mean it's a good one, right?

[Audio: Speaker/Sam] Absolutely.

Again, all it really comes down to is looking for those key things.

Looking at the password managers track record, how they handle incidents if they have them. Whether or not the password manager will generate that password for you, whether or not it's monitoring data breaches, but most importantly whether or not it offers you that multi-factor or two-factor authentication option.

That's probably much more important than looking at a password manager that is the charges you or doesn't charge you.

[Audio: Host/John] Thank you.

I might just actually read a couple of questions, might just dive into those real quickly before we move off the slide. We have one here that's asked, what should I do to avoid keystroke capture while entering passwords?

[Audio: Speaker/Sam] That's a really good question.

So there's going to happen two ways. Unfortunately, sometimes this can exist on websites. More commonly, what we see is that malware has been delivered, and it's capturing your keystrokes. So the best way to avoid malware is something I've already touched on, but it's actually updating your devices, specifically the operating system of your device.

Again, that's that pop up in the bottom right hand corner most the time, maybe sometimes the top right hand corner, whatever it is, in saying that there's an update to your device. And we've all deferred it. Actually what those updates are doing are addressing security vulnerabilities and keeping your security software up to date with the latest updates.

That's probably the number one way to keep your devices safe from malware. And malware is often the way that keystroke loggers and info stealing malware is actually capturing your information. Having some kind of antivirus software is also a good option to look at. Most devices these days actually come with something built in. But having that option there so that you can run a scan, if you're concerned that your device has something. That way it can let you know whether it's got something and help you try to get rid of it. These are probably the two most important things in terms of preventing malware.

Unfortunately, there are websites out there that can be compromised. And it can be very hard to tell whether or not that website has anything on it that's trying to capture these kinds of things. So the reality is, we can't necessarily prevent that from always happening. And so that's why it's so important to make sure that our passwords are unique, especially those critical passwords.

Let's say you jump into a website, you enter your password, and unfortunately has some malware on it. It's got a keystroke logger on there, it's captured your password, you've minimized the damage by making sure that you haven't actually used that password anywhere else. It's just that one account that's now at risk, unfortunately, can be hard to determine when that's happened. That's why monitoring data breaches and things like that can actually be really beneficial. And it's not just those high, high media attention, data breaches that occur.

Sometimes what will happen is phishing campaigns will capture a long list of credentials. And what those sites like Have I Been Pwned. And what those password managers are doing is also monitoring those credential dumps for anywhere that your information has ended up.

Using Have I Been Pwned, using a password manager that offers that as an option are two things that you can do to  keep track, keep track of your passwords and whether or not they've been caught in a data breach or been caught by a credential, key logger malware or been caught by a phishing campaign and ended up in this credential dumps. That can give you a bit of alert that hey, that passwords at risk, that passwords been compromised, I need to now go and change that password. And when we're not using the same password across all our accounts, we're minimizing that damage as well.

The additional thing that I would say, implementing two-factor authentication, multi-factor authentication, not just for your password manager, but for those critical accounts that we've already talked about, is a really important step to take as well. That way if your password does get compromised, whether it's through a keylogger, whether it's through phishing, whether it's through brute forcing, whatever it may be, you've got that additional layer of protection on top.

That way, even if an attacker gets your password, they often can't get into your account because they can't get to that, through that two-factor authentication layer. So again, not reusing passwords, monitoring our information ending up and data breaches through Have I Been Pwned or password managers that have that as an offer. And then implementing two-factor or multi-factor authentication on our critical accounts, are probably the most important steps to take to minimize or eliminate that risk.

[Audio: Host/John] While we're on that question around keystrokes, and malware, so even if you use an online, sorry on-screen keyboard keystroke captures still possible, right?

It just depends on the malware that you get. So best to just try to keep yourself free of malware essentially.

[Audio: Speaker/Sam] Absolutely. If it's, if it's malware on your device, you know, depending on the type of malware, it may only be looking at that physical keyboard and may also be looking at the on screen keyboards.

What I'd recommend is worrying about what the specific type of malware that you may get as as using those secure practices to prevent malware from getting into your devices at all. And that's that looks like updating your devices, updating those operating systems and the software that you use.

And actually having you know, the antivirus software running scans every now and again just to make sure you're nice and safe.

[Audio: Host/John] Thanks Sam, I'll let you move on and save these other questions to your cover off the recap.

[Audio: Speaker/Sam] Cool. So moving into the recap, then choosing a good password is essential for maintaining your online security.

[Slide change]

 As we say, it's the first layer of defense for a lot of your online accounts. As we all know, security is largely based in the password space. And so having long, strong and unique passwords again, especially on those critical accounts, is really important. Passwords should be at least 15 characters long.

Now, you might be thinking, okay, you talked about 12, you talked about 16. Why are you now saying 15?

Look, the longer it is, the better it's going to be. And that's why password managers are so powerful, they can create 30 character, 40 character, 50 character passwords, like it's nothing. It can remember it, no worries at all. That's how you're going to make sure your passwords are nice and strong.

If you choose to try to just remember your passwords, you probably going to have to opt for slightly shorter passwords, and there may be a little bit less secure. But the longer your passwords are, the more secure they're going to be.

A good way that you can generate your own passwords if you opt not to use a password manager is a combination of four or more random words. So this is what a passphrase is, it's a lot more secure than creating a password based on personal information, as we've already talked about. And it can actually be a really strong password when you create it using formal random words. It can be a little bit easier to remember as well. Not based on personal information and not following those common patterns.

As we've talked about, attackers will use that personal information to try and crack or try and get our passwords. And if we are using their personal information, if that personal information is available online, we are making it that much easier for those attackers.

Avoiding those common patterns as well, it's really important to do, so not just chucking an exclamation mark on at the end of your password, not just chucking one at the end of your password, not substituting those really common substitutions like A for @ or O for zero. And not changing our passwords to 1 at the end, to 2 at the end, to 3 at the end, 4 at the end, avoiding those commonly used patterns is really important to keep our passwords nice and safe.

Changing annually or if you've experienced a cyber security incident again, just to reiterate, if you've gone through the process of making sure your password is really long, strong and secure, you've got a really stellar password on your account. Keep that password unless you actually have to change it, unless it's caught up in a data breach. Or unless you're worried that you've given it over in a phishing campaign or scam call or something like that. Actually, keeping that really long, strong unique password is probably going to be a better option for you than regularly changing it.

Password managers are the most secure option for password storage, not just storage, but actually generation creating those passwords as well. And it makes it a lot easier for you, you only have to remember that one master password, but you do need to make sure that that master password is long, strong and unique.

It's not based on personal information, it's not following those common patterns. It's not just eight characters long. All those kinds of important steps that we've just talked about are really key for your master password.

And again, looking at a password manager that offers two-factor authentication or multi-factor authentication is a really important consideration when you are choosing your password manager.

[Slide change]

Make your passwords on your critical accounts long, strong and unique. I've said this a lot. I'm going to keep saying it. Look at your critical accounts first. I do not expect anyone on this call to go away and change 160 online passwords that they have today. But an important step that you can do today is go and change the password on those critical accounts.

Just to reiterate, again, we're talking about bank accounts. We're talking about email accounts, because they are often linked to all of our accounts. We're talking about social media so that our friends and whānau aren't targeted with scams that come under our name. Maybe we're talking about things like important business accounts, or IRD accounts these kinds of things as well.

If you were to go away today, and make sure that the passwords that you have on those four to five critical accounts are long, strong and unique, you have taken a great stride to improve in your own online security. Review how you store your passwords as well.

Look, if you do opt for writing your passwords down in a notebook, it's not the most secure practice. But here are some things that you can do to make it more secure. Simply locking that notebook away in a safe, a lock box or locked drawer, something like that something only you can access is going to make that a lot more secure.

Maybe you choose to save your passwords into your internet browser. Making sure that that device that you stay logged into on that internet browser, or actually choosing to not stay logged in to your internet browser, is a really important step to take making sure that Internet browser is kept up to date with the latest updating and making sure the password that you have on your internet browser account is long strong and unique are all really important.

[Slide change]

So question time, I think we still got a few in the queue.

[Audio: Host/John] There has been a few. So I'll read them out so Sam can answer them.

So you talked about Google Chrome and storing passwords and your browser or of the like, what about built in managers like Apple's keychain, for example? Do the same sort of rules apply around that?

[Audio: Speaker/Sam] Yep, absolutely. So again, if you're opting to save your passwords into an Apple solution, then making sure the operating system of that device is kept up to date with the latest update as soon as possible is going to be really key.

Making sure that device is kept nice and secure. You've got biometrics, you've got a PIN code, something like that on that device is going to be really important as well. And then making sure that the password that you have for I assume the iCloud account, your Apple account, whatever that looks like, making sure that password as long, strong and unique is also going to be really important.

So those three key steps, making sure the device is kept up to date, making sure the device is secured with some kind of authentication, making sure the password that you have for that account associated to the device is long, strong, unique as well, are all really important.

 The reality is, if you're using any kind of built in password manager, the account that you have for that platform ultimately becomes your password manager account. The password that you use there should be treated as a master password, making sure that password is long, strong and unique.

[Audio: Host/John] Thank you, Sam. And we've got a few more questions to try and get through as many as we can do continue to send them in though through the Q & A function.

Even if we don't get to them today, we will try and answer them with the material that we send out and post the webinar.

So this next one here, what does next generation password management look like? Will we increasingly move towards biometrics and other solutions?

[Audio: Speaker/Sam] There's a few different things out there that are kind of being looked at as the horizon of security. If anyone wants to go away and do a little bit of research, a little bit of digging, encourage you to look at Fido2.

But ultimately, where I think things are going is probably down the route of those two-factor authentication solutions. So I touched very quickly on what physical two-factor authentication looks like. And that's usually a passkey, you know, these little devices that you have to physically have, that you have to plug in to the device you're using, and you have to interact with an audit to be able to login to your account.

This is this is probably where things are heading, I would say. This is a little bit anecdotal here. But I think those those two-factor authentication solutions that are currently being used are probably where security is headed.

[Audio: Host/John] And the sixth one is, do you have any resources available to share covering all of this information to be covered so where we can people go to find more information?

[Audio: Speaker/Sam] Absolutely, I would encourage you to check ownyouronline.govt.nz.

And what we'll do is when we send the slide pack out to everyone here today, we'll include a few links to a few key pages on that website. There is a really good page on how to create and store long, strong and unique passwords. So it'll be a bit of a recap of the information we've gone over today, you'll obviously have the slide pack that you can use that you can refer back to. But links to those pages, I think that we also have pages on password managers on how to create and store secure passwords, all that kind of good stuff. We'll make sure that we're including links to those important pages in the slide deck before we send it out.

 

[Audio: Host/John] Thank you, Sam. So the next question is for the elderly living alone, where should they leave the password manager?

[Audio: Speaker/Sam] Yeah, so I'm kind of assuming that this is more when you're considering that day are probably writing their passwords down. And as I kind of said, you know, if you do opt for that locking it away, is going to be an important step to take and making sure only you can access it.

In the case where we're talking about seniors, and in you know, maybe the concern is, what happens if they're the only one that can get into their password, notebook, a password manager.

Maybe we need some kind of solution for someone else to be able to get in there to help them. Choosing a really trusted family member is going to be the most important thing there. Still going through that process of making sure that they are locking that notebook away is going to be really important and making sure that if they are opting to have someone else that can access it, that you're limiting the number of people that can. You know, choosing one trusted family member or friend who can also maintain some kind of access there, may be an important step to take.

If they are opting for a password manager. It's kind of a similar thing. Whereas, whereas they have a physical key that will unlock that drawer so they can read the notebook. Instead, they've got a virtual key being their master password, and maybe a trusted family member who is also aware of what that looks like or where that may be stored and how to access that may be important step to take.

Again, all I'd say is that making sure that you're limiting the number of people that know that or can access that is really important. And you're only trusting that with a really trusted family member friend.

[Audio: Host/John] Thank you and a few people asking about recommendations for a password manager.

Going back to what you're saying before in terms of people being able to go out there and do their own research, right? CERT NZ as a government agency, unfortunately can't recommend or isn't in a position to recommend a particular password manager and it's probably quite unique, obviously to the individual as well. Is that accurate, Sam?

[Audio: Speaker/Sam] Yeah, look, I'd love to be able to make recommendation, this is the question we always get.

The unfortunate reality is as a government agency, we can't recommend to any particular solution or any particular product but I'd just reiterate what the keys are when you are doing research into a password manager.

Start with start with a simple Google search, what are the best password managers to use? Look at a few different lists and see the commonalities across those lists. Pick one of the password managers, they look pretty good. Maybe you're looking for specific options, you want a password manager that's going to generate those passwords for you. That's actually monitoring data breaches and credential dumps for your information. And that offers two-factor or multi-factor authentication.

When you found one that offers the things that you're looking for, maybe you've made the consideration of am I willing to pay a little bit of money for this a month? Or am I looking for a free option? Then look at that, that individual password manager, look at the track history. You know, have they had a data breach in the past? If that's not a deal breaker for you? How did they deal with that data breach? Just because they have had a data breach doesn't necessarily mean it's the end of the world for that password manager. If they handled that incident really well, if they had really good communications to their customers, sometimes this is actually a bit of reassurance that if something is gonna go wrong with this password manager, that they're going to handle it in a positive way.

Again, I just reiterate, those most important things to me when I'm looking at a password manager is, does it generate the passwords for me? So it's making sure the passwords are really long, strong and unique? Does it monitor for data breaches and credential dumps for my information ending up in those things? And does it offer some form of multi-factor authentication, if you're taking those three things off, then that password manager is probably going to be a decent fit for you.

[Audio: Host/John] Perfect, Sam, that is probably all the time we have.

There's some questions in there, which we haven't got to. But like I said before, we will follow up with the material that we do send out post the webinar, so you should be receiving some follow up emails afterwards.

Also, if you think of questions, once the webinar ends, feel free to fire them through. There should be some contact details on that email as well. But thanks so much for joining us. It's been a fantastic session.

[Slide change]

As Sam said, you can go to ownyouronline.govt.nz to look at all the sort of information that we've covered off here today. And we will be sending out the information posts this webinar. But thanks for joining, and we'll see you next time.

[Audio: Speaker/Sam] Awesome. Thanks so much, everyone. Have a good day.