Password Playdate

I’ve been thinking a lot about how much using a password manager has made my online life easier and less frustrating, and of course more secure. I have a lot of friends who don’t use password managers and I hear them complaining, watch them pull out ragged paper lists, and I know they’re not using good passwords. I got it in my head that it would be fun to invite a bunch of my girlfriends over to something I would call Password Playdate. I’d name it that to make them think it would be fun. I would also have to supply wine to get them to come. My idea was to try and convince them to use a password manager, and maybe even to teach them how to set it up right then and there.

I’ve been noodling the idea for a couple of months now but haven’t taken action on it. When I was in India, I got an email from a guy representing a local user group asking if I’d come talk to them again. In a weak moment (probably from lack of gin) I said yes. He left the field open to me so I decided it was time to figure out how to actually create Password Playdate.

I gave the presentation just this past week and I bring it up because it was an interesting journey trying to figure out how to do this well. I wanted to tap into their emotions about passwords and how much they hate them. Then I wanted to help them understand how password hacking works, explaining dictionary tables of known words with their equivalent hashes being compared to stolen databases of hashed passwords. I knew that would be a rough patch, but I had some ideas on how to explain it. That whole bit was to help them understand how bad their passwords actually are. To prove to them that they’re bad, I’d tell them about how I got hacked years ago when Gawker Media lost some data. Now I figured I’d have set the stage.

Let’s assume that I’ve got their attention, and I’ve motivated them. How do I demonstrate setting up and using a password manager without showing them my own data? I also wanted to be fair and explain that there are options, the front runners being LastPass and 1Password, but would I have time to demonstrate both? I happen to run both in parallel because Steve still uses LastPass and we share some passwords, but it seemed that demonstrating both might introduce a whole new level of confusion.

I’m more comfortable in 1Password so I thought I’d start there, plus I knew that 1Password has a demo vault you can set up that’s full of fake data. That’s good because you can show all of the kinds of data that you can keep in your password manager; not only logins but license codes, credit cards, identities, driver’s licenses, etc. I figured that would be a great place to show the “reveal” button since it wouldn’t be my real data.

But I also wanted to show how easy and happy my life is USING 1Password. I didn’t think they’d believe me unless I could demonstrate going to a website and not ever seeing or even knowing what my password was.

I decided to noodle it with a friend of mine that I hadn’t bothered in ages, so I got Jonathan Cost of thinkmac.net on Skype with me to do a screenshare to noodle out the problem with me. Sometimes you just need another (smart) person to listen to you to figure things out. That’s probably one of the biggest things I miss about not working. I was surrounded by brilliant people. I could go bother Nancy or Niraj or Kieran or Ryan or Keith and they’d listen to me and help me think through the hard stuff. I have to be more resourceful now because they’re not right down the hall any more. Now Steve IS down the hall so after I worked with Jonathan and he helped me get a strategy in place, I ran it by Steve to see if it worked and got great advice from him too.

I decided to break this into four parts. I’d start with Keynote charts to set the stage of anxiety and fear, then do a demo from my normal Mac user account. I realized after noodling with Jonathan that I COULD use my normal user account without danger as long as I used the browser extension and never clicked on reveal. I logged out of Google and Amazon before I got started so I had both of those tabs ready. Then live in front of the audience, I could log into the browser extension because the default for 1Password is to NOT show your password as you type. That was a cool discovery. Then I went to my Google and Amazon tabs and tapped the extension to log in and all of my private information stayed private.

Ok, the next thing to tackle was to convince them to use the cloud to store their data. I explained how, even though the cloud is scary, what we’re looking for is improving your odds. I figured I could get them all to agree that the chances that they had bad passwords today was 100%, and the chances that they’d reused a password was ALSO 100%, and that the chances of their encrypted password file being hacked was a number way way way smaller than 100%.

But to bring that point home, I needed to give them a motivation to put their encrypted password vault into the cloud. So that meant showing them how it worked on iOS. I remembered a trick I heard about from Don McAllister: you can plug in your iOS device, launch QuickTime, choose File, New Movie Recording, and then you’re able to change the camera input to the iOS device itself, and Bob’s your uncle, your iOS device shows up on screen. Using THAT trick I could log into 1Password using TouchID and then copy a password, say for Facebook.com, and log in without ever showing off my passwords.

Ok, now I’ve got that bit figured out but it really helps to see how to start with passwords. For this Jonathan and I figured out it would be better if I could go to a new, clean user account and install 1Password and run it for the first time. But how do I practice if I have to be running it for the first time? After a LOT of trial and error I was able to track down all of the plist files that Agilebits creatively tucks away in the corners of user-level Library, delete each of those, empty the trash, then remember that the mini-agent was still running, then clear them again and empty the trash and 1Password would then act like a new install.

In the new installation then I could show them how to create a new, last password they’d ever have to remember. Yeah, I heard it when I said it too – “This is the last suit you’ll ever wear.” This is where I got tangled again on how to do this linearly: I want to demonstrate the tool, but I also wanted to show them how to create a good password. Do I interrupt the flow and go over to Bart’s fabulous xkpasswd.net to demonstrate how easy it is to get a good password, and hammer home how whatever they’re thinking of is a bad idea? Once there, wouldn’t I be tempted to go to Steve Gibson’s Password Haystack tool to do more demonstrations of how to improve your password? But if I don’t go down that rathole, I might still lose them on the motivation. Are you getting why this was so hard?

Setting that question aside, I knew I could show them the demo vault and how the reveal thing works and show off all of the other cool features of 1Password. I noodled this whole thing with Pat Dengler of Dengler Consulting and she suggested I switch to a blank vault and try creating a few logins at some rewards program sites like CVS and Sports Chalet. If I did that, I didn’t want to start getting spammed on my real email account so I created a demo email address at podfeet.com. Brilliant, now we’re getting somewhere.

Now let’s just pretend I haven’t lost them yet. My next phase was to acknowledge that by now they’d all be feeling this would be WAY too hard. I created some charts suggesting that they start slow. I suggested they just GET a password manager, and get one last good gnarly password (I told them it should be upper and lower case letters, numbers, symbols, special characters, and maybe a goat if they could fit it in there). Then I would suggest they simply log into the tool and, as they went about their normal day, allow the tool to collect their passwords. After a few weeks, then I would suggest they run the security check in their tool of choice to see how awful their passwords really are. I could even tell them how bad mine actually were!

Then I thought I could steal again from Bart and tell them to protect crown jewels first – fix the passwords on their bank accounts, credit cards and health insurance. Then they could just fix a few a week. I stole from Katie Floyd of Mac Power Users when she talks about going paperless – she says, “stop digging the hole”. By that she means at least from today forward, do things the way you WANT to do them. Maybe you go back and fix the past but at least make good passwords going forward. I figured this would be a good point to tell them how to use 1Password’s built-in password creation tool. To be honest I hadn’t used it before working on this because I always use the Service Bart taught us to build a while back that taps into the math behind his xkpasswd tool.

If I hadn’t lost them by then, I knew there were a couple more critical things to tell them. Number one was to give their one password to someone else for safekeeping in case they forgot it. I could tell them how Steve and I do it – we have each other’s password in each other’s vault. The chances that we both lose our minds on the same day are pretty slim, right? I could also suggest a safe deposit box as a great place to store that one last password they’d ever need.

Well guess what? It worked. I did the presentation pretty much exactly as I’ve described here, including going down the rathole of explaining Steve Gibson’s password haystack and Bart’s xkpasswd tool. The only place I truly lost most of them was in trying to explain how passwords are hacked. I used an analogy of a potato being mashed and how you can’t unmash the potato, but if you could mash enough potatoes till you found the identical mash you’d know you had the right potato. I know, as I’m saying it now I realize what a bad analogy that is!

Steve jumped in and tried to help me clarify things but I think I’d already lost them by that time. I’ll probably do a question in Google Plus on this asking if anyone has come up with an easy way to explain how a hashed dictionary file is compared to a hashed username and password database to find matches and ultimately the person’s username/password combo.
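Since the hard part of the talk (and the question above) was explaining how a table of hashed dictionary words gets compared against a stolen database of hashed passwords, here is that comparison as a small added example. This is not code from the post or from AgileBits; the users, passwords and wordlist are constructed, and SHA-256 stands in for whatever hash a real site uses. It also shows the defender’s side the post doesn’t get to: a random per-user salt makes the precomputed table useless.

```python
import hashlib
import os

# Constructed wordlist of common guesses (illustration only, not breach data).
WORDLIST = ["123456", "password", "adobe123", "letmein", "correct horse battery staple"]

# Constructed users; note that alice and carol reuse the same weak password.
USERS = {"alice": "123456", "bob": "password", "carol": "123456", "dave": "Tr0ub4dor&3-unique"}


def sha256_hex(text: str) -> str:
    """Hash a string with SHA-256 and return the hex digest (the 'mashed potato')."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_table(words):
    """The 'dictionary table': hash of every guess -> the guess.
    Built once, then reusable against any unsalted database."""
    return {sha256_hex(w): w for w in words}


def unsalted_store(users):
    """How a careless site stores passwords: hash(password) only.
    Identical passwords produce identical hashes, so reuse is visible."""
    return {name: sha256_hex(pw) for name, pw in users.items()}


def salted_store(users):
    """Defence: a random per-user salt mixed in before hashing, stored beside the hash."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16).hex()
        store[name] = (salt, sha256_hex(salt + pw))
    return store


def match_unsalted(store, table):
    """Compare each stolen hash to the table: one dictionary lookup per user."""
    return {name: table[h] for name, h in store.items() if h in table}


def match_salted(store, table):
    """Same lookup against salted hashes: the precomputed table never matches."""
    return {name: table[h] for name, (salt, h) in store.items() if h in table}


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted:", match_unsalted(unsalted_store(USERS), table))  # three users recovered
    print("salted:  ", match_salted(salted_store(USERS), table))      # nothing recovered
```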

The good news is that at the end I think I had them back on track, and when I asked how many of them truly thought they would go forward with this, about half of them said they would! My favorite person in the audience though was a woman who sat right in front, asked gobs of very intelligent and insightful questions, and at the end shook her head and said, “Nope. Can’t get over the idea of securing everything with one password.” I liked her because she was honest about it and was examining carefully what the pros and cons were. I’m pretty sure she’ll eventually come over because she clearly understood the problem.

My Keynote charts are mostly pictures that I talked to but I put a link to download a zip file of them in the shownotes if you’d like to take a look. It might be helpful to look at the speaker notes too.

5 thoughts on “Password Playdate”

  1. Jim Sewell - May 1, 2015

    Sitting at work on my Windows machine listening to music on a Mac Mini and looking at your charts I see a Keynote in OneDrive – my poor slider brain just went tilt!

    Next time you want to show how much we need password tools just point them to the Adobe hacked password results at http://stricture-group.com/files/adobe-top100.txt where 130 Million+ passwords were hacked. The top 5 passwords the hackers got (with count each) were:

    #   Count     Ciphertext                  Plaintext
    1.  1911938   EQ7fIpT7i/Q=                123456
    2.  446162    j9p+HwtWWT86aMjgZFLzYg==    123456789
    3.  345834    L8qbAD3jl3jioxG6CatHBw==    password
    4.  211659    BB4e6X+b2xLioxG6CatHBw==    adobe123
    5.  201580    j9p+HwtWWT/ioxG6CatHBw==    12345678

    I mean, really!?! 1,911,938 people thought 123456 was a good password? Are they crazy? Do they do the same thing with their banks?!!??!? None of the top 100 were good passwords. It may wake some of your audience up to see just how reckless we as a people are.

    As for 1P, LP, etc. I would run through the whole thing with 1P (my new best friend) and then after they have been given the concepts tell them “And there are others but to keep it simple I limited this talk to just one.” and give them the names.

    The vaults in 1P are great. I imported my entire Lastpass database into a vault and my entire Dashlane database into another (I was between converting from one to the other) and then started my 1Password vault fresh from scratch with no garbage from the past in it. It’s been about a month and my most common things are in my new vault. I didn’t import any junk passwords – if they were bad I changed them when I added them in. Now everything is at the switch of a vault from my past and my present and future are hugely more clean and secure.

    Good job Allison trying to help your fellow computer users out with a sometimes painful subject.

  2. Jim Sewell - May 1, 2015

    Sorry, that password list didn’t look so good. The first number is the count and the last string on each line is the password that many people had. Check the site for a better look.

  3. Megan O'Brien - May 1, 2015

    Hi Allison,

    I’m Megan, and I work for AgileBits, the makers of 1Password. I just wanted to take this opportunity to tell you that you’re awesome.

    It was so cool to read your blog post about how you created a password playdate to educate people on the importance of online security. (Of course, because I’m biased, I also think it was extra neat that you mentioned 1Password prominently.)

    To thank you properly for being a password ambassador, I’d love to send some 1Password goodies your way. Could you send me a message at [email protected]?

    Thanks again for helping spread the word about password security!

    Cheers,

    Megan O’Brien
    Level 60 Support Sorceress at AgileBits
    guides.agilebits.com

  4. podfeet - May 3, 2015

    Thanks for the info Jim, that’s truly appalling! I’m not sure that would have worked with the audience. What if they’re smart enough NOT to use the horrible passwords and get smug thinking they’re ok, even though they use that relatively good password everywhere, or have a paper notebook of passwords?

    By the way I moved the charts to my own server away from OneDrive. I thought the link would be to the file, not to the folder level so that was kind of a fail. Sorry to tilt your world, Jim!

  5. Jim Sewell - May 5, 2015

    Good point Allison, that could give them a false sense of safety thinking “I’m not *that* dumb!” That’s where you did good to bring up xkpasswd and haystack to show them even what they think is good is not.

    I’d like to have sat in on that just to see the lightbulbs go off in their heads!

    Your example for hashing is a tough one. I was thinking of ripples in a pond. You can’t take ripples and produce the pebble that caused them, but you can throw enough pebbles in to recreate the exact ripple pattern and that’s your answer. It’s not perfect though because science can tell us, basically, where and how much mass a pebble has based on the pattern.

    I did see this: “An unhashed password is like a transparent lock, anyone who gets a proper look at it can design the matching key.” With a translucent lock they would have to try every key in the world to get it open, worst case. Of course that has problems too – a locksmith can open a lock without the key.

    Man, all this talk I’m seeing looking for an analogy about hash and salt is making me hungry! I’m going to lunch! 🙂
