Pirates and Password Retrieval
LFG Marketing | April 2019
“Who Knows Dad’s Passwords?”
Ooh. That question makes you uneasy, doesn’t it? Without any context, you know something is amiss. If no one knows the passwords, that uneasiness ticks up a notch.
Imagine the level of anxiety when employees at a crypto-currency exchange were asked “Who knows the CEO’s passwords?”
In early February 2019, Quadriga CX, a Canadian exchange service and storage vault for encrypted digital currencies like Bitcoin, Litecoin and Ether, announced that almost $150 million held by the company could not be retrieved. The company’s CEO – who died suddenly on December 9, 2018, at the age of 30 – was the only one who knew the password to the exchange’s digital vault, and after two months of looking, it was still “lost.”
Gerald Cotten, the CEO, was hyper-aware of the security risks in his business. To protect the virtual currencies from digital theft, he regularly moved them offline – into digital “cold storage.” But Cotten apparently left no record – on- or offline – of the passwords for these accounts.
Most likely, you’re not the keeper of a password that controls millions of dollars of other people’s money. But you probably have something in common with Gerald Cotten: You may be the only person who knows the passwords for your financial accounts and personal data. If something happened to you, could anyone else access that critical information?
The Proliferation of Passwords
Digitalization certainly has advantages in storage, portability and access. But the security of digital information remains a thorny issue.
The starting point for most digital security is a password. Almost every online vendor, retailer or service provider who regulates access to their products or services uses passwords.
Because of their gatekeeper function, passwords are valuable to data thieves. As of March 1, 2019, the Pwned Passwords website reported that 550 million real-world passwords had been exposed in data breaches, making them “unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts.”
To mitigate password theft, many institutions insist on frequent password resets, sometimes monthly. To further deter hackers, sites increase their password complexity requirements, demanding numbers, symbols, and upper- and lower-case letters. For consumers, these rules produce an expanding list of ever-changing, increasingly complex passwords, far more than most of us can memorize or recall without a written reference.
This torrent of passwords has prompted the development of password retrieval systems, usually in the form of password manager applications.
The specifics will vary with the application, but in general, password managers include the following features:
* A master password that, once entered, unlocks the stored passwords for the corresponding websites and fills them in automatically.
* A storage center/vault for other confidential information, such as credit cards and brokerage accounts, scanned legal documents and personal notes.
* Connectivity across multiple authorized devices – a desktop, laptop, smartphone, etc. Data entered on one device is instantly updated on all other connected devices.
* Automatic generation of new, random passwords. For sites that require lengthy, complex passwords or frequent resets, the application does the job, and remembers the new sequence.
* The option to include another designated user. Security consultant Roger Grimes relates his experience: “I’m growing older. My wife is worried about me unexpectedly dying and leaving her without appropriate access to my critical financial accounts. I installed another instance of the password manager on her computer, told her the master password, and showed her how easy it is to log on to any website I have.”
Obviously, if Mr. Cotten had shared his master password with another employee, things might have been a lot easier for the crypto-currency exchange. But password managers are not a silver bullet for password retrieval.
Some do not work with every device or browser. The password retrieval and entry feature usually works only for logins in a web browser; you may not be able to use a password manager to log on to your computer, smartphone or corporate network.
And a single point of access also creates a single point of failure. Says Grimes: “If you lose your master password or other identifying info, you could lose access to all your passwords at once.” In the same vein, the single sign-on (SSO) convenience cuts both ways: an identity thief who steals the master password most likely gains access to every other password stored behind it.
Back to the Pirates?
Password security and retrieval presents a security challenge akin to 16th-century pirates trying to hide their looted treasure. They wanted to keep the cache a secret, yet make sure trusted confederates could find it in case they were incapable of retrieving it themselves. But who do you trust, and how do you preserve the information? The options available then, while not fool-proof, still work today.
Memorize and regularly recall. Here’s the founder of a tech company, and what he requires: “All my guys use a password complexity of greater than 64 characters for a password, which is never written down. It’s just something you remember. Mine, for example, is 72 characters. To keep your memory fresh, practice typing it into an offline computer on a regular basis.”
Move passwords to a non-connected storage device, such as an SSD card or a flash drive. Password information stored offline in a physical location is out of reach of online attackers.
Use “analog encryption.” Write the master password on a piece of paper in a code or some other obscured form (such as riddles or inside jokes). Then put the document in a safe deposit box or a family safe.
Keeping the master password in a single location, known only to select individuals, and encoded in a form that only trusted individuals can easily decipher, provides a high level of personal security.
The last two options are very similar to a pirate’s treasure map. As long as the map stays in the possession of the intended beneficiaries, and as long as someone can decipher the information, no one has to worry about losing access to your family’s critical digitalized files.
Lifetime Financial Growth, LLC is an Agency of The Guardian Life Insurance Company of America® (Guardian), New York, NY. Securities products and advisory services offered through Park Avenue Securities LLC (PAS), member FINRA, SIPC. OSJ: 244 Blvd of the Allies, Pittsburgh, PA 15222 (412) 391-6700. PAS is an indirect, wholly-owned subsidiary of Guardian. This firm is not an affiliate or subsidiary of PAS. 2019-77341 EXP 3/2021
© Copyright 2019