5 Things You Should Know About Password Managers

Are you reusing your passwords? If so, your accounts are vulnerable to cyber criminals. Over 80% of data breaches are due to poor password security and 53% of people use the same password for work and personal accounts.

Prefer to read? (Transcription)

DAVIN: Yes, thank you so much. I like that last part, ever-changing cyber threats. That is it. Cyber threats are happening every single day. They’re changing every single day. Me and Kindsey, just before we hopped on, were talking about actually a new press release regarding everything that’s going on in the world, overseas, and how the cyber warfare, really, overseas is flooding in over to the United States, so we’re seeing more activity.

But today we’re talking about the five things you should know about password managers. If you don’t know what a password manager is, you’re going to learn that today. If you don’t know why you need one, you’re going to learn that today. But I’m really excited to talk to everyone. This is a weekly deeper dive series that we’ve been doing, and I’m excited to talk to you all.

Before we start, actually I was listening to a podcast this morning, and it was talking about passwords. It was actually talking about Netflix. We probably have a lot of Netflix users here today, and we probably have a lot of Netflix users that share accounts. I promise this is on topic. Netflix actually is testing in different countries charging to share your password or to share your credentials to log in to other users. In the United States, I think they said they have between 70 to 100 million users, something like that, but that’s not accounting for the person that has a Netflix account and four of his other buddies use it as well. So they’re going to test out the theory that if they could charge – I think it’s like three bucks to share your password, see how that goes.

But that’s just the fun fact of the day. We’ll go ahead and get started. I have a short video for you to talk about password managers.

Video

Woman 1: I keep them saved somewhere.

Man 1: I have a system.

Woman 2: I use different passwords for everything.

Woman 3: I don’t.

Man 2: I use some different passwords for some accounts, but a lot of the same ones.

Man 3: They could probably hack into a lot of my stuff if they found out one of my passwords.

DAVIN: So that last comment in that video leads us to our first poll, our only poll today, I promise. Do you reuse your passwords? That guy at the end talked about “if they got one of my passwords, they most likely would have access to everything.” We’re going to talk about today reusing passwords and password management and good password practices, things like that.

So far in the poll, 100%, everyone here so far has said that they reuse their passwords. We’re at 86% now yes. 14% “No, I’m using a password manager.” That’s interesting. Hopefully after this, if we do this deeper dive series again, that poll will be 100% “No, I’m using a password manager.” But we will see.

Why is it important to have a password manager? Why am I vulnerable regarding my passwords, credentials, things like that? There are different vulnerabilities. There are different types of attacks that happen regarding passwords, that are targeted towards passwords.

Number one that almost everyone experiences, and I actually got a phishing email today – everyone in the office got a phishing email today. It was asking for some credentials and actually asked for my personal phone number. Phishing emails are a great way, if you are a cyber attacker, to get access to someone’s credentials, to ask for their password, to get access to their password. Or they could draw you to a malicious website where they will ask you for a certain login or Facebook login, things like that.

But it also can lead into password reset. When I started here at IronTech Security, the president of the company – his name is Matt – actually experienced a password reset type of attack. He had gotten I think a new MacBook, and he was getting all his Google stuff set up on there, and it just happened at the right time – and this happens often to multiple people – that he got a phishing email looking like it came from Google to reset his password. So he almost clicked on it and started to put in his credentials and said, “Wait, let me take a second, look and see if it’s real. This can’t be happening just now.”

Luckily, he is a cybersecurity specialist; that’s what he’s been doing all his life. So he knew what to look for in the phishing email to make sure it was legit. But if not, it happens every day. You’ll get an email that looks like it’s coming from Facebook, and it’s asking you to reset your password. You type in your email, type in your old password, now someone has complete access to your Facebook account. That’s how it happens every single day. It happens more often than not just because people aren’t aware. They’re not looking for it. They may not have the training. That’s something we’ll get into down the road. But password reset is a very, very convenient and good tool that cyber attackers are using to get access to your credentials.

Another type of attack or vulnerability is brute force. There is software and automated tools that can try all types of combinations and letters and numbers and symbols according to whatever password rules are used for that website to try to basically brute force break your credentials, break into whatever it’s trying to access.

Another one is weak passwords. I’ve said this before, and some people still use it – the word “password” just doesn’t cut it anymore. You need something a little bit more. We’ll talk about this in the webinar, but password phrases are what everyone’s recommending nowadays. Of course, “password123” doesn’t count. Maybe “the cow jumped over the moon in Idaho,” that’s a good password phrase. Wouldn’t really forget it, but that’s hard to brute force into. Also using your username as your password doesn’t cut it anymore, and actually, some companies or websites know that and won’t allow you to do that anymore as well.

Also, just like you saw in the video, reusing passwords is a huge, huge risk. It’s simple as this. Say you have one key that you use for your house, to start your car, open your bank account, open your mom’s house, anything. You have one key you use for everything. Well, if someone steals that key, now they have the keys to the kingdom. They have access to everything.

Reusing passwords and weak passwords go hand in hand. One simple example is the Florida water treatment plant. There was a recent attack. Everyone knows about the breach. It simply came about from sharing passwords, weak passwords, and reusing passwords. Could’ve avoided everything if you had a good password policy in place, but you see what happened. There’s lots of other examples – SolarWinds had a huge hack. They were actually advised of their poor password management and advised to change their passwords and have stronger passwords and things like that. They were advised that two years before the attack; they didn’t, the attack happened, could’ve easily been avoided.

A recent attack happened on a gaming company, Ubisoft. They stated that it came from human error, which usually goes into clicking a phishing email, reusing a password, poor password management, things like that. There’s multiple different attacks and vulnerabilities that result in you needing a password manager.

What is a password manager? A password manager, to keep it short, is a vault that keeps all of your passwords in one safe and encrypted location. All those credentials, logins, different passwords, long passwords, short passwords – with a password manager, you only have to memorize one master password. I highly advise you don’t write it down; keep it locked up here. The only way someone could have access to that master password is if they have superpowers and can read your mind. And I haven’t heard of anyone having that yet. I’ve seen it in the movies, haven’t seen it in person. So I would put my money on that you’re okay if you just memorize your one master password.

Another good thing about the password manager is that it can generate complex passwords for you. Those 15- to 20-long passwords with dollar signs and capital letters and 0s, 1s, 2s, 3s, pass phrases – it can do all that for you and store them in one safe, encrypted location. We’ll get into why the encryption is very, very important for that.

The password manager overall gets your cybersecurity to a level where it needs to be, starting with your front line of defense: your employees. You. That is your front line of defense against cyberattacks because 95% of successful cyberattacks happen from human error. That’s a brief description of a password manager. We’re going to dive a little bit deeper. Key hint is the name of this webinar.

So, why should I use a password manager? One very, very important thing is that you no longer need to memorize all of those credentials, all of those logins, all of those passwords. Throw your little notebook that you have those all written down on out, because that is another security risk. Once again, someone gets a hold of that paper, now they have the keys to the kingdom. They have access to everything.

Also, the encryption part. Let’s say I keep them all in one place. How are they safe? That’s where the encryption comes in. If someone actually hacked in and got access to the encrypted data, that means it’d basically be, for lack of better terms, a whole bunch of mumbo-jumbo because they wouldn’t be able to make sense of it. They would need that encryption key. So that’s another layer of security you’re putting on your password manager that you can’t put on a piece of paper. You can’t put encryption on your login and password that’s written on your notebook next to your keyboard. It just doesn’t work that way.

Next, it helps you with defense against those phishing emails. We’re going to dive into how the password manager actually works on your browser, but if you click on a link and you have your credentials already saved to your computer and you click autofill, you’re basically easily giving your credentials to this malicious website to do whatever it is they want to do with it. With the password manager, it won’t allow you to do that unless it can make sure that this website is safe and secure, helping you combat that human error aspect of cybersecurity.

Also, autofill is an amazing feature of the password manager. We’re going to show you an example of what the extension looks like on your browser, but basically it’s a simple extension on your browser for the password manager. You click on that, type in your master password, and say you’re logging in on LinkedIn; you go to LinkedIn, click that extension, type in your master password, and then it’ll autofill your username and strong 15+ character password for you, saving time and combining security and convenience.

Next is unique passwords. It does it for you. You don’t have to think about it. You don’t have to think about memorizing it. It takes care of it for you. It really makes security easy, and that’s what it’s there for.

Another good thing is that it syncs to all devices. You have it on your laptop, on your phone, on your other laptop at home. It’s all synced, so you don’t have to try to go back and forth, pulling passwords and credentials from all different devices. It’s on everything. It makes it easy and it makes cybersecurity convenient.

The big question everyone has is: How do I know my passwords are safe? Basically, I’m putting all my eggs in one basket. How can that be smart? If you write all of your passwords on a piece of paper or keep them in an Excel sheet, that’s similar. All your eggs are in one basket. The difference is there’s no security on them. Maybe you have security tools on your workstation, on your device, but your passwords aren’t encrypted. If they get access and have access to that Excel file with all of your credentials, then it’s basically useless.

What the password manager does is, one, it’s safe and encrypted. When I say safe and encrypted, it has a team keeping up to date on all the bugs, reporting and fixing those. Everything has bugs. Everything has problems. But the difference with a password manager is that the team behind the managed password manager, which we’ll go into – the one that we specifically partnered with and have chosen to use is Keeper – but they have a team specifically dedicated to making sure all the bugs are reported and fixed immediately, making sure there’s no security holes within their organization, within their vault.

That’s the first level of security. Then the encryption. Of course, if the password manager’s server gets hacked, that doesn’t mean they have direct access to all of your passwords. That only means they get the encrypted data, which they cannot do anything with, and the encryption key to make sense of that data for each account isn’t stored for someone to find. It’s just not there for someone to try to hack in and access. That takes away the concern of putting all of your eggs in one basket.

The last thing is you have that master password. No one can get in your head and figure out that master password. You’re not going to write that down. You’re going to memorize that. It’s going to be strong. That is that extra level of security that’s needed to make sure your credentials, your keys to the kingdom, are safe and secure. Partnered with all the extra security tools that Keeper or any password manager uses, making, once again, cybersecurity convenient.

We have a short video actually from Keeper.

Video

Woman 1: Why is everybody talking about Leah from IT?

Man 1: You mean you haven’t heard?

Woman 2: She switched the entire company over to Keeper. Their zero trust, zero knowledge password management platform helps prevent breaches and cyberattacks. So we can get back to what we do best.

Woman 1: Wow. That’s the best.

(song lyrics) You’re the best around, don’t let passwords keep you down.

DAVIN: Some of you may know that song. It may sound a little bit different now, but that’s a good video. It’s not abnormal to have a password manager. That’s what organizations are relying on, and that’s what organizations are moving towards as cybersecurity cultures are being adopted now by almost all organizations.

Here you see a small picture of what Keeper looks like. This shows the main page when you’re looking at your overall security posture. Here you see all of the accounts, the logins and passwords, and it actually shows the password strength of those. When you get started on a password manager, that “97%, Strong” – I can almost guarantee – I wouldn’t put money on it, but I’d put a crisp high five on that that percentage will be under 30%. Because people reuse passwords, they have maybe 5-number passwords, things like that, and your overall security posture regarding your credentials isn’t up to par.

What Keeper will do is, one, it will help you generate those random strong passwords for each account, and slowly your security strength percentage will increase from 30% to 40% to 97%, hopefully, to 100% one day. But that’s just the beginning.

What it looks like on your browser – this is once again a small little picture, but say for Amazon, you’ll see at the top, on the little square, it has a website you’ll be able to put in. When you go to that website, it’ll automatically be ready to go. You can title it “Amazon Registration,” and then your email. You’ll see where it has “password,” the little cube there. That’s how you can randomly generate the password. You don’t even have to look at it, but of course, you have the option. Under there, the website address. You put the direct website address where you would log in.

I will show you in the next picture – right here, you see at the top it has a little Keeper logo, and next to it, it has “Keeper.” The way it’ll pop up, you go to your website browser. Say you’re going to shop on Amazon. You see the little extension on your browser. It works for all browsers. It’ll be on your browser. You click the little Keeper logo. It’ll ask for your master password. From there, you just type it in real quick, the master password that is strong and that you’ve memorized. You’ll type that in, you’ll click that little arrow button and it’ll automatically sign in and fill in everything for you. You don’t have to copy and paste. You can copy and paste the email or password, but you don’t have to. It’ll fill it in for you. Overall, having a password manager makes cybersecurity easy and convenient.

I know we’re coming up on the 30-minute mark, and I know this is what you came for, the 5 key takeaways, the 5 important things about overall password management and password managers.

Number one, 95% of cybersecurity breaches are caused by human error. That is clicking on a phishing email, having weak passwords, reusing passwords. Poor password management is one of the leading causes of successful cybersecurity breaches. With a simple password management, good password policies, of course, that percentage can go down. But there needs to be something done. It needs to be addressed overall to protect not only your organization and the information held within, but your clients and employees as well. It’s extremely important.

Also, with a password manager, you don’t have to memorize 30, 50 gajillion passwords and login credentials. You just have to memorize one. That’s it. Memorize 10-15 characters in your head, locked and loaded, you’re good.

Next, with a password manager, your data, your login, your credentials are safe and encrypted. There is no other way that you can keep your passwords, your keys to the kingdom, safe or secured without a password manager. I mean, you could write them down on a piece of paper, put them in a safe maybe, but that’s not convenient. I can’t think of anything else. You can’t put it in your pocket; what if it falls out? There’s no way to protect your credentials without having a password manager. It’s just that simple.

Next, the password manager creates the complex passwords for you. You don’t have to spend your time thinking about it. It’ll do it for you, and it’ll make sure it’s strong, make sure it’s where it needs to be, and you can actually even control how many characters are in that password – 15, 20, 25, 30. You can control that.

The number one takeaway, though – if you don’t get anything else out of this webinar, I beg you, I beg you, do not reuse passwords. It’s 2022. There’s no exception for it anymore. If you are reusing passwords, you are at risk and you have an extremely higher chance of becoming a victim of a cyberattack if you are reusing your passwords.

Think of it this way. Think back to the example. If you reuse your password and it becomes compromised, now they have access to everything. Think about it if someone has access to your email credentials. If you’re using Gmail, if they have access to your actual password, if your password’s compromised, all they need to do is go to Facebook or go to LinkedIn, “reset password” – now they log into your email, they can set it to whatever they want. That’s a great example of how if one password is breached, it can affect everything.

But 5 key takeaways, password managers are important; they are a necessity. It is essential to equip your first line of defense, your employees, with the proper tools that they need. Of course, cybersecurity training, we talked about that last week, and now password managers. Those are the proper tools that your employees need, that you need, to protect your organization, yourself, and your clients and everyone else.

“Okay, I know I need it. What do I do?” or “I have some more questions. What’s the next step?” Speak with an infosec specialist. I’m here to be an information security asset to you. You see the meeting.irontechsecurity.com. Kindsey’s going to put that in the chat. You simply just have to click on that and it’s directly connected to my calendar, and you can schedule a short chat. We can talk for 15, 30 minutes, however long you want. We can discuss your current situation, talk about how a password manager can help, talk about how other security tools can help, overall get you to the security level that you need to be at.

You can also send us an email. You have my personal line right there. I say this every webinar: I work 8 to 5, Monday through Friday, but you can call me on the weekends. I won’t turn down your call, but I can’t promise I’ll answer it. But I want to talk to you. I want to answer your questions.

Also, this is a weekly deeper dive series. Last week we talked about training, this week password managers. Every single episode is important because it’s talking about securing your organization.

Next week we are going to talk about why data backups are critical to the life of your business, why they’re important, why you have to have them, and what you need to have in place to make sure they’re successful.

That’s a lot of information at once. I’m definitely open to take any questions, any comments that you may have.

KINDSEY: I’m not seeing any questions in the chat box just yet, but we can give everybody a minute. If you do have any questions, just throw them in there for Davin. Any questions regarding password manager or anything else while you’ve got him on here, now’s the time. We’ve still got one more minute.

DAVIN: Yes. And if you can’t think of anything at the moment, jot that meeting.irontechsecurity.com down. Save the email, save that number. Take your time, think about it, digest all this information, and come back. We can talk about it. Shoot me an email at any time.

Once again, we have the episode next week talking about data backups, why they’re important. If you missed some of the other webinars, if you want to hear about maybe what’s the difference between infosec and IT or different things like that, feel free to reach out. We can shoot you some recordings if we have some.

We do have one question from Mary. Thank you for reaching out. She says, “One password, what’s the transition like to Keeper?”

It’s a very easy transition of getting your actual credentials into the actual password manager. But we don’t just give it to you and throw you out there to figure it out. We have tutorials. We can actually do a live presentation, so you and 15 other employees or 10 other employees. If y’all want to get on the password manager and get it going, we can get you all in one room, do a live presentation, walk you through it, make sure it’s up and running. If you have any questions at the time, of course we can answer that. We can do one-on-ones where we can help you set it up.

But you’re not only just getting the password manager with us. You also are getting our security team. We provide you with the security tools you need, but we also provide you with the security team you need to manage, update, make sure everything’s running properly. An information security team is the number one thing everybody needs. If you have an information security team, they will make sure everything you need to secure your organization is in place.

So Mary, yes, we won’t just leave you out there. We will actually help you transition your credentials into the password manager. But we can assure you it is very easy and very simple.

One thing I do want to point out. Some people are worried about the congestion between “I have some business credentials that I need to use, but I also have some personal accounts I’d like to keep separate.” With us, if you come to us, “Okay, I want to get a password manager as well as other security tools,” you actually get a business account. So you can keep those credentials regarding your organization and operations in one part of the password manager, but you also get a personal account, so you can use it for everyday apps, everyday social media, things like that. But you can keep business and personal separate, all in one place. It’s a very amazing tool.

KINDSEY: We do have another question from Steve. “There are many password managers available. What is your preferred choice for a password manager?”

DAVIN: That’s a very, very good question. Yes, there are multiple password managers out there. LastPass, Keeper, different things. We personally prefer to use Keeper. We’ve used other password managers and things like that, but Keeper, I believe, is the most safe and secure. But it also has the good – I guess you could call it the convenience aspect of it. It’s very user-friendly, and it’s easily adopted into organizations. All of our clients use it, and we’ve gotten very good feedback.

I highly would recommend Keeper, and if you are interested in getting set up with password managers for yourself or for your organization, like I said, reach out. Email or call, and we can help that whole process, make sure everyone has it up and running and make sure you have the exact password manager that you need that fits best for you. That’s a good question, Steve.

KINDSEY: I think that’s about all the questions. Again, I want to thank everyone for joining us this afternoon. There will be a follow-up email going out this afternoon with the recording link, so feel free to share it with your friends. And then there’s also going to be a link in that email to sign up for next week.

DAVIN: Yes, next week, March 29th. Next Tuesday at 2 p.m. We’ll talk to you all again, and hopefully some more of your friends as well.

KINDSEY: Thanks, everybody.