The Top-Secret Better Password Management Approach

Matthew Dunn
A free video tutorial from Matthew Dunn
Chief Explainer at Say It Visually

Lecture description

With conventional IT, you lock up the machines when you leave the office.  With cloud systems, PASSWORDS become the main source of control and access.  This lesson gives you a manageable scheme for passwords within the company - more secure than the "one password for everything", but easy enough to learn that you can do it from memory. (Yet every password is different!)


How To Run Your Business On Cloud Systems

A non-technical visual explanation by a working entrepreneur and veteran CIO, step-by-step from domains to dollars.

04:26:44 of on-demand video • Updated June 2013

In this course, you will learn:

  • How to set up the "Internet foundations" for your business
  • How to evaluate cloud-based software and services for short and long-term fit
  • How to make your workforce effective for both virtual (telecommuting) and mobile activity
With cloud and virtual systems, your usernames and passwords are really the key asset for the company. If you think about it, you don't have the hardware sitting there. You don't have software on a CD. You don't have the data, usually, even if you back it up occasionally. Your access to that thing is based on a username (or usernames, plural) and passwords. What I want to talk about in this section is a scheme that we came up with over time to manage passwords: to keep them secure, and to give us the ability to know them within the company without letting the password on one service give away the password on another service.

Face it, you do it. I did it for years: you know, I've got too many passwords to remember, I'm going to use this, and it's a combination that means something to you. Hopefully not "password", but that's the one you use for everything. The problem, and there was a well-publicized case not that long back, the problem is if someone gets it and guesses that you use the same username and password, or email and password, on other services, you're hooped. But at the same time, a different password for every service? Forget about it. I've had hundreds of passwords and there's no way on earth I'll remember them all. At the tail end we'll talk about a bit of technology that I strongly recommend to help you with that, but at the macro level this is about understanding and remembering. And I've got it, we've got a better solution for you to do that. It doesn't load your memory, it doesn't require remembering a different password for every service, but it actually enables you to use a different password for every service. Sound like an impossible trick? Check this out.

OK. By the way, I just realized, even though I should have known this, that the technique of creating an email alias or an email forward for each service you use also has the benefit of buffering one service from another. If your username on pdq.com is "P-T-Q at Q dot com" and your username on Amazon is amazon@pdq.com, that's a different username as well as a different password, so double the protection. There are plenty of people in the security world that think username and password is antiquated, dead, should go the way of the dodo bird. I don't disagree with that, but it's not going to happen any time soon, and you will be using usernames and passwords for years and years to come. We still use internal combustion engines, right? So let me see if I can spell out this scheme for you in a way that makes sense.

So: username, which is very frequently email. Sometimes you get a username aside from email. And password. So username, password, normal default: we have too much to remember. The solution is to say, I'll use my email here, me@pdq.com, and his password is "password". Terrible solution, right? Don't do it. Don't do that. Here's what you do instead. The basis of this technique for passwords is: one, set a strong password that you can remember, maybe even one that multiple people in your company can remember. I'll come back to that. Two, borrow from the service. It goes in two steps: the strong password you keep consistent from service to service, and to borrow, you borrow from the service itself. Let me see if I can show you.

Let's say this service, I'm just making this up to make the point, is salesforce.com. Salesforce, it's pretty amazing. OK, salesforce.com. And let's say, I don't know if Salesforce uses usernames or passwords right now. If you sign up for Salesforce, at least one account for your company, the email you're going to use, if you take the advice here, is salesforce@pdq.com. You may get to where everyone in your company has their own logon. That's kind of the nature of Salesforce as a service, and from that perspective it's a little broader in scope than some of the other services we'll be talking about. Even then, you might consider using aliases: if a sales guy leaves, you're still in control of his login. But leave that aside.

So you've decided to use salesforce@pdq.com as the username. What do you set for a password that's going to make that different from other services and yet memorable at the same time? So, a strong password. The technical advice is a mix: it's a mix of letters, numbers, and sometimes, if you're really going to be strict about it, symbols, and preferably a mix of upper and lower case letters. So let me pick a strong password, make up a strong password to illustrate. I'll use my company name or a variant of it: S-a-y, use a one instead of a capital I. Say It Visually. We don't use it for a password, of course, but it's a strong password because it's got a mix of letters, upper and lower case, a number in the middle of it in that case, and a symbol, the exclamation point at the end. You're even better served to use something that's complete gibberish, with no English and no words at all. Honestly, you are, and you'll always have a hard time remembering those. So for the sake of the example, "Say it visually" with a one for the capital I. That's not the password we want to set on salesforce.com. That's half of the equation: a strong password that we're going to use, part of what we're going to use, on multiple services.

Now what do I mean by borrow from the service? We've got these letters that we know, because we're logging in to Salesforce: s-a-l-e-s-f-o-r-c-e. So here's the critical tumbler in this lock. My suggestion is that you pick a position in the service, usually in the domain name of the service, where it's "salesforce" and ".com"; "salesforce" is the domain name here. Pick a position: first letter, second letter, third letter, something like that. Then decide on a shift if you want to. So if you said we're going to always use the second letter, tell me, in this case it would be what? You'd be right: in Salesforce it's "a". And then decide where you're going to put that in combination with the strong password you use. So in that scenario, for Salesforce I may say that my password is going to be "a", "Say it with a 1 visually", exclamation point. I just picked the second letter and I didn't shift it. I didn't rotate it at all. If you want to make it slightly stronger, you might say we're going to do the second letter, and we're always going to shift it up by three characters: a, b, c, d, so "a" plus three would equal "d". In that case I would say my password for this service is little d, inside a little... in my design I might decide lowercase, might decide uppercase: little d, "Say it visually" with the one in the middle and an exclamation point at the end. Sounds complicated, right? All I had to remember coming into this was the password, this strong password that we picked: "Say 1t visually", exclamation point. Say it visually, I remember that one, right? Company name. All I have to do is remember that the information I need to get, or to derive, from that particular logon is baked right into the name itself. Salesforce gives me letters to work with. And if you want to be a little bit more secure, instead of taking a letter out of the name, take a letter and shift it, so "a" plus three, up three, gives me a "d".

Let's test that against another hypothetical service. Say we wanted to take a subscription to, pick some fresh ones because I think those guys are really great, freshbooks.com, right? What's the password going to be? What's the username and the password going to be if you open a freshbooks.com account for your company? We'll keep the Salesforce stuff over here. There's your Salesforce credentials right there. Remember, our rule is second letter plus three. So you're racing ahead of me and you already know the answer to this one. For FreshBooks there's letters I've got to work with: f-r-e-s-h-b-o-o-k-s. The username that we're going to use is freshbooks@pdq.com, and the password: take the second letter, which in this case is "r", and go plus three: s, t, u. Did I do that right? R, S, T, U. A, B, C, D. Yes. So "r" plus three equals "u". So my password for this service is going to be "u", "Say 1t visually", exclamation point.

So look at the security that I've got in place there. If someone gets my Salesforce password, our Salesforce password, and they know that it's salesforce@pdq.com, that's a username, it's not rocket science, we'd say OK, that's using the name of the service, but leave that aside. Most of this is automated, and much of the nasty cracking and hacking is highly, highly automated, to begin to grab your username and your password and go knock on the door of a bunch of other services. They're going to have the wrong email, the wrong username, and they're going to have a password that's not the same as the other's: salesforce@pdq.com and "d" plus strong password versus freshbooks@pdq.com (and yes, that should be a "u", sorry) and "u" plus strong password. So, different passwords on different services, but you don't have to remember what's different about them; different usernames on different services, and again you don't have to remember it. It's derived, or it's implicit, in the name of the thing itself. Domains at a minimum are two letters. I don't know if there are any commercial two-letter ones in existence; three is very, very typical, and that's if you were early, early on in the Internet. So borrowing the first, second, or third letter, and preferably shifting it, works. I use the same thing for desktop apps that require a password, and I use the name of the app itself. If I was going to password-protect Excel, I'd say Excel: those are the strings that I've got to work with.

At a company level, you can take the strong password and say this is what we use, and this is the schema we use. So here's the company's strong password, and here's the technique: second letter, shifted by three. In this example, the virtue of that is someone else in your company (and I'm assuming a relatively small, trusted company here) who needs to get into a service that you use, multiple users, one password, multiple users, one login, can get it right. If I've set up a password for some relatively new service and I say to my business partner, go check it out, he actually knows how to log in. I didn't have to tell him the username or the password. I'm consistent about doing this, and I'm consistent about the strong password that we use for company stuff, and he knows the place and the shift to pick. It's not as good as super top secret cryptography and fingerprints. But like I said, that's really not going to show up any time soon, and passwords and usernames are one of the critical assets that you've got.

The other thing that really insulates you, a practice everyone should follow that's really, really hard to follow, is having records. Right? If everyone in your company has accounts here and accounts there, those are company assets, and if you don't have them written down and something gets wiped out, someone leaves the company, someone's being nasty and you need to change stuff really fast to protect yourself, with this approach, to a reasonable extent, you know what the password is going to be and you've got a good shot at what the username is going to be.

Last tip about passwords: you might even consider giving every employee an alias to use for sign-ups that's different than their email. If we had a guy, Fred, at PDQ here (this may be a repeat example, my apologies), we might say we're going to give Fred an alias. We might say Fred Smith is his alias, fredsmith@pdq.com, and we say, Fred, listen, when you're signing up for the kind of services that require an individual login, because each of us in the company is going to have one, we want you to use fredsmith, FRED SMITH. It's an alias; it goes to fred@pdq.com. Why do you want to do that? If Fred leaves, you can repoint that to yourself to catch the last of the traffic from his account. If you need to log in to reset, or you need to log in to get access, you know what he used. So that's one other company policy you might use.

Last suggestion about passwords. I'm a long-time, really long-time, five, six, seven years I think, user of a utility called 1Password. I'm not going to show you 1Password in action because it's mine, it's got thousands of records, and obscuring them all would kind of wipe out your experience of the user interface. This is the site for 1Password, agilebits.com: Mac, Windows, and mobile devices. 1Password does a couple of things. It remembers the username, password, and possibly address, credit card, those kinds of details, if you want it to. And it will actually auto-fill those. For example, here I talked about Twilio, and I was talking about 11:8. If I jump onto the Twilio sign-in page and it wants the username and password, 1Password is going to feed it the password. Notice it's twilio@sayitvisually.com, and boom, we're in. The really cool thing about 1Password is they've used the Dropbox technology, Dropbox as a platform (see the previous lesson), and built 1Password clients for iPhone, iPad, Android, and those will synchronize with your desktop back and forth. So I keep all these passwords on my desktop, in addition to secure notes, credit card records. The encryption is top notch. That's actually synchronized, without being decrypted, with my phone, with my iPad, so if I go, oh my gosh, what was the password for such and such, if I can't guess it from a consistent schema, I've actually got that thing with me. There are systems that force regular change of passwords. 1Password is really, really handy in that scenario as well. And I suppose if I got hit by a bus, my business partner knew my password into 1Password. He'd be able to recover all of the stuff, accounts etc., that I log into on a regular basis. It's actually quite an important record if you think about it.

There's an earlier Windows app called RoboForm. I used it 10 years ago or so; it was terrific at the time. When I started on the Mac there was no RoboForm on the Mac. RoboForm may still be in existence; it's probably worth checking out. But these guys at AgileBits are just terrific. They're just a terrific company. They keep advancing their technology, they keep up with stuff like iPhone, Android, Dropbox, and I'm very impressed with them.

So passwords are a company asset, and I can't emphasize that strongly enough. And security is a terrifically important thing if you're going to be cloud and virtual based. You want to keep stuff locked down, but you don't want to keep everyone locked out. This approach, a consistent strong password and a letter and a shift, place, letter and a shift, kind of balances off the security of a single system versus the frustration of having to remember lots of different things. It's very useful. I hope you find it useful. That's it. Thanks.
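The derivation rule the lecture walks through (a per-service email alias, plus the second letter of the service's domain label shifted up three places and put in front of the shared strong password), as an added example; this is not the instructor's code or the course's own tool. It assumes the lecture's base password reads "Say1tVisually!", that the shift wraps around from z back to a (the lecture does not say), and uses the constructed company domain example.com.

```python
import string

ALPHABET = string.ascii_lowercase


def service_label(service: str) -> str:
    """'salesforce.com' -> 'salesforce'; a bare app name like 'Excel' -> 'excel'."""
    return service.strip().lower().split(".")[0]


def borrowed_letter(service: str, position: int = 2, shift: int = 3) -> str:
    """Letter at 1-based `position` of the service label, shifted `shift` places
    up the alphabet. Wrapping z -> a is an assumption not stated in the lecture."""
    label = service_label(service)
    if not 1 <= position <= len(label):
        raise ValueError(f"{service!r} has no character at position {position}")
    ch = label[position - 1]
    if ch not in ALPHABET:
        raise ValueError(f"position {position} of {label!r} is not a letter: {ch!r}")
    return ALPHABET[(ALPHABET.index(ch) + shift) % 26]


def derive_credentials(service: str, base_password: str,
                       company_domain: str = "example.com",
                       position: int = 2, shift: int = 3) -> tuple[str, str]:
    """Username is <service label>@<company domain>; password is the borrowed,
    shifted letter prepended to the shared strong password."""
    username = f"{service_label(service)}@{company_domain}"
    password = borrowed_letter(service, position, shift) + base_password
    return username, password


# The lecture's example strong password: company name, 1 for the capital I, ! at the end.
BASE_PASSWORD = "Say1tVisually!"

if __name__ == "__main__":
    for svc in ("salesforce.com", "freshbooks.com", "Excel"):
        user, pw = derive_credentials(svc, BASE_PASSWORD)
        print(f"{svc:15} username={user:25} password={pw}")
```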