Here's why humans can't be trusted with creating passwords

With the truly atrocious state of password security in organisations all over the world, I thought it was time that I sat down with Darren Guccione, CEO and co-founder of Keeper, a password management service.

In this interview we discuss why humans aren't good enough at creating and remembering passwords, how to educate the C-level on the importance of strong passwords, and get to grips with some of the jargon surrounding password security.

Your current project is Keeper, a password management system, which helps users manage their plethora of passwords. However, what should businesses that need multiple people to log in to services (such as Twitter) do to manage their passwords without keeping them in a spreadsheet (or a folder called “Passwords”, à la Sony)?

All businesses should use a strong password manager, like Keeper. It’s important to be aware of the cybersecurity climate we all live in and to be educated. Every piece of confidential information inside a company should be encrypted and stored in a military-grade vault (this is exactly what Keeper is and simply stated, it gives businesses world-class enterprise security for passwords and files).

Additionally, we offer an enterprise product, Keeper for Groups, which allows companies to easily manage employee passwords, data, files and private information. Keeper has a simple “sharing” feature that enables secure sharing among individual employees and teams of users in an organization.

I’ve had a number of off-the-record conversations with IT professionals who often complain that the users with the worst passwords are those who are above them in the pecking order and maybe don’t consider remembering strong passwords as “mission critical”; what is the best way to get someone to understand the necessity of strong passwords?

The best way to get someone in management to understand the importance of strong passwords is with data and research, for example:

  • 76 per cent of breaches on corporate networks are due to a weak employee password

  • 75 per cent of internet users have fallen or will fall victim to hacking

  • 30,000 websites are hacked everyday

Sources: Verizon, AKUITY, Forbes

Strong passwords are not a luxury, they are a necessity.

Similarly, do you have any tips for those who want to create strong, memorable passwords? I myself like taking the first letter of a memorable sentence, e.g. “We are never, ever, ever getting back together”, turning that into “waneegbt” and then throwing in some letters and capitals, resulting in “W4ne3gbt”.

We all have many different logins and passwords to keep track of. Many people don’t want to remember or simply can’t remember multiple, strong passwords, and you should never use a password on more than one site. Additionally, passwords should never be in plain text, saved or sent in an email, Word document, Excel spreadsheet, sticky note, etc.

The easiest and most secure way to remember passwords is by utilizing a password manager. Passwords should always be at least six characters in length and consist of letters, numbers and symbols. Today, the average Keeper user has approximately 90 different passwords in their vaults.

Could you explain in layman’s terms what “256-bit AES data storage”, “PBKDF2 key generation” and “Perfect Forward Secrecy enforcement” mean and why they’re so important?

Keeper uses state-of-the-art encryption and security techniques which are complex and difficult to put in simple terms. Generally speaking, 256-bit AES and PBKDF2 key generation take a user’s plain-text information and convert it into a format that makes it unreadable and unusable to a third party.

Perfect Forward Secrecy enforcement is a security protocol that allows Keeper to be immune to online security attacks such as the Heartbleed Bug that impacted thousands of popular websites globally. Our Security Disclosure, which covers the foregoing items, as well as additional detail on how we protect our users and their information is located here.

Lastly, what is the one piece of advice you’d give to any IT security professional to help them excel at their profession?

Don’t underestimate the essential need for strong internal controls, threat detection, threat prevention and password management solutions. Having a cybersecurity system is no longer an option. It is essential – for both individuals and businesses.

Huge thanks to Darren for talking to us, you can follow him on Twitter @keepersecurity