What other methods of improving security do you use?
Thanks to those who attended! @RicoA and I had a great time and look forward to continuing the conversation!
Two questions were brought up today that I wanted to address in a short (sort of) post.
1. Should we really teach people to “trust” HTTPS when Let’s Encrypt provides certificates for free?
2. Any thoughts on how to convince folks to use a password manager like Bitwarden? The instant reaction I get is “I don’t want to keep all my eggs in one basket”.
To point number 1, as we discussed at the beginning of the session, unfortunately we cannot say “here are these tools, I’m now secure!” Cyber security is ever evolving and we have to continually update our toolsets and methodologies to stay safe. So while we can’t say “yes, this site uses HTTPS and I can feel secure”, we at least know that is part of the equation. Using HTTPS-enabled sites prevents bad guys from seeing the contents of our communication with a website. That includes sensitive data such as email contents, credit card numbers, etc. A website using its certificate for nefarious purposes is one issue. A bigger issue, however, is how we are connecting to the internet more and more every day. If you go to a coffee shop there is likely a free WiFi network, right? That network is being shared by every other person in that shop. Tools like Firesheep and Wireshark make it a very easy process for bad guys to see what is being written to websites you browse. Being educated helps us be more vigilant. Using HTTPS-enabled sites makes sure that information is encrypted, so the bad guys see gibberish and we keep our data safe. That said, however, I want to be clear that HTTPS does not anonymize your traffic. Bad guys can still see how you are connecting and what you are connecting to if they work hard enough, but with encryption protocols they can’t see the data you may be transmitting. Anonymizing traffic is a whole new topic of security.
To point number 2, I’ll admit that most people I’ve talked to are very receptive to the idea of a password manager. The number one reason, in my opinion, that people should be using a password manager is simple: passwords should be strong and unique. A password should never be used more than once. One weak password used for multiple services is an absolute recipe for disaster if your account credentials are ever compromised. Another great reason for a pw manager is simplicity. Every day our lives become more and more entangled in the digital realm. Stop to think real quick of the user accounts and passwords you use all the time: your email account, your spam email account, Instagram, Facebook, Twitter, work computer, home computer, checking account, savings account, Slack, Dropbox, Steam, Amazon… the list goes on and on. Using a pw manager helps simplify your life and keeps all those items in one nice central location. Even better, you can keep them across your devices (desktop, laptop, phone) and even access them via a web vault when using a device that isn’t yours. Now, could you slim down all your online accounts and just “keep the passwords in your head”? Maybe, but I would bet that at some point you will start re-using passwords. Then you’ll start using easier passwords. Soon the security foundation you have built will be gone and Admin1234! will leave you compromised.
Hopefully this helps address the questions raised from earlier today. As always just reach out if you’d like to discuss further!
Superb presentation @RicoA
I have an excellent memory - phone numbers, facts and figures, playing cards (where’s the casino?)… even passwords. However, I have almost 800 credentials stored in my Bitwarden vault, all unique, all strong, complex passwords. It’s just not possible to use strong, unique passwords everywhere and NOT use a password manager!
I think the key is making users aware that they shouldn’t re-use passwords, and the passwords they use must be strong. Once they know that, convincing them to use a password manager should be straightforward.