Information security and operational security are issues near and dear to my heart.
When I am not escaping rooms, I do digital strategy and user experience work for large web applications. I have designed some life or death systems.
Whether you’re dealing with a major organization’s mission critical software or an individual on the internet, basic password security is important.
Passwords & escape room companies
At the Chicago Room Escape Conference, Dave Ferrier of Trapped PHL gave a talk on the “nuts and bolts” of running an escape room. He dropped a ton of knowledge on the audience in a very informative talk.
One issue he raised, which I hadn’t even contemplated, was the volume of usernames and passwords that a room escape company needs to operate the business:
- Website administration
- Ticketing system
- Groupon / Livingsocial / other marketing platforms
- Payroll system
Among many others.
He recommended that companies maintain a Google Doc with all of their accounts, usernames, and passwords.
I loved his talk and his point was well taken… but the recommendation to use Google Docs broke my heart. I don’t blame him; account security isn’t common knowledge. I regularly have to teach people who should know better about this stuff.
Storing account credentials unencrypted is never safe.
Why password security matters
“Hacking” isn’t generally what Hollywood portrays: the nerdy guy or the tattooed punkish sexy geek girl clacking away on a computer in a monitor-lit room, then saying “I’m in!”
Yeah, that shit is fake.
The easy way to do real damage and make money is through social engineering and exploiting leaked password data. This requires no technical skill and no code.
Here’s how it works:
Some asshat wants to seize an account and do some bad stuff (make fraudulent purchases, add a computer to a botnet, steal naked selfies, whatever…). All this nefarious putz needs to do is get their hands on one good username and password combination and they can generally own all of their victim’s systems.
Why? The tragic magic of password reuse.
Far too many people reuse passwords. When a major password leak happens — and they happen all of the time — criminals take the leaked username/password pairs and try them against other services, an attack known as credential stuffing. It works because the username/password that many users chose for Dropbox is the same one they use for Amazon or Gmail.
As soon as a set of credentials works on an email account, the whole ballgame is over. The attacker can reset the passwords on your other accounts, because nearly every service delivers its password reset link to that email address.
How to properly handle password security
First, stop reusing passwords. Every account you own should have a unique password.
But how are you supposed to remember all of this? Easy. You don’t.
Get yourself a password management system. I recommend:
- LastPass
- 1Password
These are systems that generate long, random passwords made of letters, numbers, and symbols… and store them for you, encrypted. As the names LastPass and 1Password imply, you only need to remember one password, the master password, to unlock the whole vault.
These things will allow you to:
- greatly diminish the risks of password reuse
- store your passwords in an encrypted format
- privately share passwords with people who need access
- allow easy access on desktop and mobile
They offer a lot of additional benefits. I use LastPass and 1Password (work and personal), and they are the best investment I’ve made in paid software (something like $12 a year).
LifeHacker has a great writeup of password management software. They also offer a superb starter’s guide for LastPass.
It’s really important that the master password for your password manager is really good: long, unique, and used nowhere else. It unlocks everything, so it is the one password that deserves real effort.
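To make the two points above concrete, here is a small added example in Python. It is not code from the original post, nor from LastPass or 1Password; the account list it uses is constructed for the demo (the passwords in it are made up). It shows the credential-stuffing attack described earlier (one leaked password tried against every other account), and the three things a password manager does for you: draws passwords from the OS cryptographic random source instead of your memory, gives each one far more entropy than a human-chosen password, and stretches the master password with a key derivation function (scrypt from the standard library, used here as an assumption about how a vault key would be derived) so that guessing it is expensive.

```python
import hashlib
import math
import secrets
import string

# Character set a manager typically draws from: letters, digits and symbols (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24, alphabet=ALPHABET):
    """Return a random password drawn with the OS CSPRNG (secrets), never random.random."""
    if length < 16:
        raise ValueError("use at least 16 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size) bits."""
    return length * math.log2(len(alphabet))


# Constructed sample vault for the demo: three sites share one password, two are unique.
# (All values are made up; none is a real credential.)
SAMPLE_ACCOUNTS = {
    "dropbox": "Tr0ub4dor&3",
    "amazon": "Tr0ub4dor&3",
    "gmail": "Tr0ub4dor&3",
    "payroll": "k7$Qw!2pLm#9vXz@4RfT",
    "ticketing": "Hb3^nZq8&Wd1!cYe*5Lo",
}


def accounts_unlocked_by_leak(leaked_password, accounts):
    """Credential stuffing: every service in `accounts` where the leaked password also works."""
    return sorted(service for service, pw in accounts.items() if pw == leaked_password)


def derive_vault_key(master_password, salt, n=2**14):
    """Stretch the master password into a 256-bit vault key with scrypt.

    Each guess costs the attacker the same memory and CPU it costs you, which is
    why a long, unique master password plus a slow KDF is the heart of a manager.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)


if __name__ == "__main__":
    # One leaked Dropbox password unlocks Amazon and Gmail too.
    print("leak unlocks:", accounts_unlocked_by_leak("Tr0ub4dor&3", SAMPLE_ACCOUNTS))
    # A generated password and how much entropy it carries.
    pw = generate_password(24)
    print("generated:", pw, "entropy: %.1f bits" % entropy_bits(24))
    # The vault key never leaves memory; only the salt is stored beside the vault.
    salt = secrets.token_bytes(16)
    print("vault key:", derive_vault_key("correct horse battery staple", salt).hex())
```

Compare the numbers: a 24-character password from this alphabet carries about 157 bits of entropy, while a typical memorised password is closer to 30 to 40 bits. The reuse check is the whole attack; no exploit, no code beyond a dictionary lookup.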
Please, take the time to handle your passwords properly.
Practice safe computing.