Securing Sexuality is the podcast and conference promoting sex positive, science based, and secure interpersonal relationships. We give people tips for safer sex in a digital age. We help sextech innovators and toy designers produce safer products. And we educate mental health and medical professionals on these topics so they can better advise their clients. Securing Sexuality provides sex therapists with continuing education (CEs) for AASECT, SSTAR, and SASH around cyber sexuality and social media, and more. Links from this week’s episode: Securing Your Digital Identity: Protecting Your Private Life in a Digital Age, Password Managers, Secure Email Services, and Longer, More Complex Passwords for Maximum Security
In the digital age, online security is more important than ever. With the rise of cybercrime and data breaches, it is essential to take steps to protect yourself and your data. Two of the most effective steps are to use a strong, unique password for every account and to keep those passwords in a password manager.

Strong passwords. Length matters more than the mix of character types. Eight characters is a floor, not a target: aim for twelve or more, or use a sentence you can actually type. Password-cracking tools try the common habits first, so a dictionary word with a capital letter, a digit and an exclamation point tacked on the end is far weaker than its character mix suggests. Do not include personal information such as your name or birthdate, and never reuse a password across accounts: when one site is breached, attackers try the leaked email and password pairs against other sites, so reuse turns one compromise into many.

Password managers. A password manager stores your credentials in an encrypted vault that is unlocked with a single master password (and, ideally, a second factor on the manager account itself). Someone who obtains the vault file still needs the master password to read it, so that master password should be long and used nowhere else. Managers generate random, unique passwords for each account, sync them between phone and computer, and fill them in automatically. Autofill has a side benefit: a manager only offers a saved password on the site it was saved for, which helps you notice a look-alike phishing page. Many browsers and managers also compare saved passwords against lists of passwords exposed in known breaches and warn you to change any that appear, before they are used against you.

Creating strong, unique passwords and keeping them in a reliable password manager are two essential steps in protecting your accounts from cybercriminals. Taking these precautions now keeps your data safer while you browse the web or use apps on your devices.
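The following is an added example for this page, not code from the Securing Sexuality podcast. It puts numbers on the argument above: how much guessing work different password strategies impose, and how to generate strong ones with Python's `secrets` module. The word list, the 100,000-word dictionary size, the "three common symbols" figure and the 1e10 guesses-per-second rate are constructed assumptions for illustration; a real diceware list has 7,776 words, and real crack rates depend on the hash the site uses.

```python
"""Added example (not from the Securing Sexuality page): estimating password
strength from how the password was generated, and generating strong ones.
The word list, dictionary size and guess rate below are constructed."""
import math
import secrets
import string

# Constructed stand-in for a real word list; only the size of the real list
# matters for the entropy math, so that size is passed in separately.
WORDLIST = ["anchor", "basket", "candle", "dolphin", "ember", "falcon",
            "garden", "harbor", "island", "jacket", "kettle", "lantern",
            "meadow", "nectar", "orbit", "pepper"]
DICEWARE_SIZE = 7776          # 6^5: five dice rolls select one word
PRINTABLE_POOL = 94           # letters + digits + punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly
    from `pool_size` choices, i.e. log2 of the number of possibilities."""
    return length * math.log2(pool_size)


def pattern_bits(words: int, capitalizations: int, digits: int, symbols: int) -> float:
    """Entropy of the 'Word1!' habit, modelled the way a cracking rig does:
    one dictionary word, a capitalization variant, one digit, one symbol."""
    return math.log2(words * capitalizations * digits * symbols)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at the assumed rate
    (1e10/s is a constructed round figure for a fast hash on a GPU rig)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_password(length: int = 20) -> str:
    """Random password over letters, digits and punctuation, drawn with the
    `secrets` CSPRNG (never `random`, whose output is predictable)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: easy to type on a phone, strong by length."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_strategies() -> dict:
    """Entropy in bits of several strategies, for the claim that length
    beats a tacked-on exclamation point."""
    return {
        "word+Cap+digit+symbol (Password1!)": pattern_bits(100_000, 2, 10, 3),
        "8 random printable chars": entropy_bits(PRINTABLE_POOL, 8),
        "5 diceware words": entropy_bits(DICEWARE_SIZE, 5),
        "20 random printable chars": entropy_bits(PRINTABLE_POOL, 20),
    }


if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("random password:", random_password())
    print("passphrase:     ", passphrase())
```

Under this model the "Password1!" habit is worth roughly 22 bits, eight random printable characters about 52, and five diceware words about 65, which is why a sentence you can type on a phone outperforms a short string with a symbol on the end.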
Hello and welcome to Securing Sexuality, the podcast where we discuss the intersection of intimacy and information security. I'm Wolf Goerlich. He's a hacker and I'm Stefani Goerlich. And she's a sex therapist and together we are going to discuss what safe sex looks like in a digital age. And today we're talking about passwords, why they're such a pain and why you should probably change yours. Again.
So we had to reset a password today, didn't we? Yeah, it was fun because I got a message from you in Signal, which we always talk about in terms of dating. I got very excited for a minute. It was just you wanting to log into our HBO. Wow. Who's messaging on Signal that gets you excited? So many of your hacker friends. I mean, all my hacker friends. Yes. And it's all right. So it's not necessarily like something racy. It's oftentimes something like here's a meme, here's something funny. And today I'm boring. I'm like, oh, by the way, I really would like to watch the end of Westworld and everyone else has the television. What's the password again? And I couldn't remember it. So we had to reset it and I made it super secure because I added an exclamation point and we all know hackers are immune to exclamation points. Oh, it's absolutely true. That is a known security. Oftentimes in my day job, I get asked by organizations, hey, how do I craft a good password policy? Shouldn't we really have a special character? And there's a reason for that. Like we can get into the math and building password cracking rigs. But basically if there's a special character, it takes a little bit longer if you're checking character by character. But the interesting thing is almost everyone, when I require a special character, uses an exclamation mark or a question mark or a period. And so I don't really know how secure that is, but it sure does feel good. It feels like a very secure password effect. Are there other special characters? Because I mean, as somebody that's not at all techie, I mean, I look at the top of my keyboard. I look at the options on the numbers line, and I assume those are my choices. And frankly, there aren't many there. Yeah, no, just shift in one of the numbers and you're pretty good. But it's fascinating. People are really interesting. Now there is, in security, this concept called psychological acceptance, which is we want to make security acceptable.
We want to make it easy. No one believes us when we say that, but it really is something we try to do. But the reality is, is because of the way people are wired, how often do you create a password with a caret or a parens? Now I would imagine more people are doing hash marks for a hashtag these days. But for the rest of them, it's like exclamation mark or hashtag or a period. So I hate passwords because I can never remember them. And I know that I am in such good company in telling you that because you basically hear that all day every day, right? Like, nobody likes passwords. I remember when you and I were dating and I showed you my brilliant solution to just keep a running list of passwords in my notes app because then I could change them as I needed to. And that was one of the few times I thought you were going to dump me, honestly. But you know, we worked through it and eventually you forgave my breach of trust, no pun intended except for all of them. And you told me about password managers, which I found a cute one. It had a teddy bear. I loved it. It's called RememBear. Every time I go to log in, I put in my main password and this cartoon little bear gives me like a nod, letting me know I done good. And then it opens up this magical window that has all of my passwords in it. But I got an email saying they're going away. I have a year to figure out what to do before they take RememBear out back behind the zoo and retire him. So help me understand what do I need to do if I can't keep things in my notes app or else she'll divorce me and I can't use my beloved RememBear anymore because in a year he's no longer going to give me like that. Yeah, you done good. No, I don't know. What do I do? How do I make sure that I am safe? Yeah, first off, kudos to the RememBear folks. I'm really sad they're going out of business. I think any way that doing the right thing is more fun, I'm all about.
So one of the reasons why I'm oftentimes talking about passwords is I work quite frequently with a multifactor company and no one wants to turn on multifactor. Passwords are bad in terms of being annoying, but certainly no one wants to do multifactor. And so there was a game site that was trying to get people to do multifactor. And what they did was they said, hey, if you enroll your account in multifactor, guess what, we'll give you the special dancing emoji, or emote rather, and you'll be able to make your character dance. And I thought that was fantastic. Anytime security can make your character dance, I'm on board. I think that's awesome. And so when you showed me RememBear, I'm like, that is so cool. Now I use a different password manager. There's a lot out there, KeePass and LastPass. And I'm sure you don't need to write these down, but I'm sure I'm going to have to get your phone and help you configure it because we're not going back to the notes. That was a very trying time in our relationship. But none of them are cute and none of them are fun. So it is kind of sad that RememBear is going away because I think they had a really cool like cognitive emotional affordance. I hate password managers. I hate passwords. I hate remembering things, but I do love cute cartoon animals and I am really very like surprisingly upset about the demise of RememBear. So I appreciate you helping me find something new, but it's never going to live up to my little like bear buddy giving me the nod when I go to log in. Although, I mean, after you told me about not keeping my passwords in my notes app, I did find a workaround because I screen capped all of my notes, right? And for a while I have them saved as pictures because you can't hack my pictures until you told me that apparently you can. Well there's a couple of things to that. Now pictures, at least on certain versions of phones, they will do OCR.
So they'll take the text out of your picture and they'll make it into text you can copy and paste. So that is no longer an issue. But yeah, I mean, we heard about a lot of celebrities back to intimacy and being safe in today's world. We've heard about a lot of celebrities who've had their photos hacked. We've heard about a lot of people who have had photos that they were sharing with their partner or someone who are they dating and then those got leaked because someone used a bad password on iCloud or any of these sites. And maybe we should actually get on some of the people who tackle that sort of revenge porn problem. Now that I'm thinking about it, like a hint for future listeners, we may have them on. But yes, there is a problem because you store those same pictures with a password. And if it's easy to guess password, people are going to be able to get into it. And if you don't have multi-factor, people are going to be able to get into it. Okay, so one thing I hear from my clients is that they don't necessarily feel like there's a point in trying to password secure pictures specifically because anybody can just like pull up Facebook or FetLife on their phone and just screen cap the picture. You don't have to be able to log into the account to steal photos these days. So what do I say to them? How do I explain why passwords still matter today? Well first we start with a sad note that they do still matter. You know, it's really funny because the first password was created on an IBM mainframe at MIT in the 1950s. And do you know where the first password breach was? MIT, the next room over? Yes, spot on, exactly. It was like within a year, people were already having password breaches and already complaining and breaking around. It's been a problem for a long time. But I think now you know your audience better than I do, but I would imagine a couple different things. First off, you mentioned Facebook and what was the other site? FetLife. 
Okay, so Facebook and FetLife. First off, I am imagining that most people are not posting the same type of content to both of those sites. No, Facebook is where you go to let your grandma and your aunt know that your son's graduating from high school. FetLife is, it's Facebook for kinky people. It's a social media site, not a dating app, but really kind of like a Facebook clone for the BDSM and kink and fetish communities. So first thought would be, if I was talking to one of your clients, I would say, look, I agree people can screenshot it, but if you've already protected it on FetLife, you don't want it to be wide open so that people can download that and post it to Facebook or vice versa. You want some level of control of your material. Secondly, back to the reason we need different passwords and the reason we need things like multifactor, both Facebook and FetLife have had password breaches. I remember FetLife had something like 100,000 users had their account information compromised and shared out. So if people were trying to discover that information, it would be possible if they didn't protect those accounts. And this is a conversation that I have with clients because when that information gets breached, then tell me if I'm wrong, if they're using the same passwords or the same usernames, it's really easy to then link their FetLife profile to their real life presence, even if they're using sort of a nom de plume or some online persona. I actually saw that happen. Somebody reached out to me with their new dating app for kinky people and they wanted me to share it with my clients. And before I did that, I reached out to a friend of ours and I just asked, you know, hey, how secure is this? If I share this as a resource with my clients for whom it would appeal, am I putting them at risk?
And if I remember right, it took him less than 20 or 30 minutes to go from just their publicly available, like public facing information, without logging in or creating an account, to their users' Pinterest profiles, Facebook profiles. It was really, really easy to link somebody's very private life to somebody's very public life. And if I'm understanding correctly, a big part of why he was able to do that was because they were reusing usernames and passwords, right? Yeah, there's three pivot points that people use to link accounts. One is a shared picture. So you may have a profile photo you really like and maybe you crop it a little bit differently and one goes on one website and another goes on another website. By using Google reverse image search, you can pull up all the different versions of that picture and you can oftentimes link people's accounts that way. That's one way. Another way is if they're using the same name or variations of the name. So you know, Hot Mama 10 and Hot Mama, you know, exclamation mark and Hot Mama 1013 all are close enough that we can make some suppositions that they are the one and same account. Related to that is email addresses, to your point. I think if you're signing up for a site that you don't want linked back to anything, create a new email address. We talked about some secure email services earlier in a previous episode, but things like ProtonMail and disposable email addresses. So make sure you can't link those email addresses. And then finally the passwords. There's a website out there called Have I Been Pwned by Troy Hunt and Pwned is P-W-N-E-D, have I been pwned? And that will allow you to see if your passwords and usernames have been caught up in any of these mega breaches. But also a subset of that type of data is oftentimes available to people who are trying to find people.
So you might, if you use a very unique password that's shared over multiple accounts, any one of those accounts is easy to compromise once that password is in the wind, as well as the ability to link you across those multiple accounts becomes possible. And it becomes easier when the username is effectively your real name. I mean, you used Hot Mama 10 exclamation point pound sign, hooray, a few minutes ago. But I remember, I knew people that when the Ashley Madison breach happened, their spouse had no plausible deniability because the username on Ashley Madison was literally first name, last name at Gmail. And that makes it pretty easy to track back to a real life person, I would think. Yeah, yeah. 100%. And you may recall, we did that demo, I was doing a keynote, and they asked me to be scary. I'm not normally a scary person, audience listener, but this particular one was like, you should be scary. And so I took a person's business card, and I traced it all the way back to multiple different sites on stage as a demo showing this sort of thing. Within like five, 10 minutes, including finding his Ashley Madison account. Which was projected on a ginormous screen behind you in a room full of his peers and colleagues. Yes, that that is correct. Yeah, I was there for that one. And then I called him from his wife's cell phone. So I mean, I think I was a little bit like I ticked off the box. No one else would volunteer after that. That was the problem. You were definitely scary. In fact, one person who didn't know who I was suggested that if they were me, they would have broken up with you. And I turned around and told them that, you know, I thought about it, but I was going to stick with you a little while longer. See that was your moment. My moment was the passwords written down and your moment was wait a minute, who is this creeper?
So Ashley Madison, FetLife, all of these things that people both single and perhaps not so single use to find connection, to find community, to find casual sex. These are all traceable back to real life, not only identities, but other real life information. Right. Like if you get my password from OkCupid, theoretically, you could use that password to get into my bank account if you can follow that trail. Right. If it's the same password. Yeah. That's why things like using a complex password is important, but also using different passwords. So the first one, using a complex password, one of the numbers that really just surprised me about the Ashley Madison breach was over a hundred thousand users, over a hundred thousand people chose basically their luggage code as their password. They chose one, two, three, four, five, six. You're on a site where ostensibly you don't want your partner knowing you're on this site. You're on a site where ostensibly, and you do this work. So you tell me what the ramifications are if a spouse finds that their significant other is on dating websites. I would imagine that can't go well. Right. That's not a good conversation. I mean, unless it was a conversation that happened beforehand, then they're in an ethical, non-monogamous relationship. But I will say that for the person I know who found first name, last name at husband.com, that was not a great moment for their marriage or their relationship. One of the other things I know about the Ashley Madison breach was that one of the things they found was it was a whole bunch of guys and a whole bunch of bots pretending to be women. So I would like to think that those hundred thousand one, two, three, four, five, six people were bots anyway. There was no real human connected. No, those were all real people. Those were all human verified accounts. Oh, guys, come on. If you're going to cheat, be better at it. So first up, using a complex password.
Now I know I drive you nuts because a lot of mine are like 32 characters and random and I don't know any of them. And when we need them, they're oftentimes not there. But so maybe not as crazy as I am. So however, use a longer password, use a sentence and make sure it's unique to each one of these websites, to your point you were just making a minute ago, which is if you're using the same password on Ashley Madison, on FetLife, on Facebook and on the bank and any one of those get popped, now that password could get access to your bank and other information it shouldn't. Okay, so I like the idea of using a sentence, but most of what I do these days I'm doing on my phone and I hate the idea of trying to type in a sentence on my phone, little keypad every time I need to log in anywhere. I know that my iPhone will like auto create a really complicated hard password. Yeah, save it for me. But then when I go from iPhone to laptop, now I don't have that crazy password. So what do I do if I'm using lots of different devices? If I'm logging into things several times a day, I don't want the pain in the ass that passwords are. But I'm very new and I know that you won't let me reuse my notes app again. So RememBear is going away, I have to come up with a new system, you won't let me use my notes, what do I do? Well we're going to give you a couple different password managers and I'm not going to mention the one that I'm using because I'm paranoid. However, again, like KeePass, LastPass, there's a lot of them out there that are good for individuals, for families, and they'll work on a computer and they'll work on a phone. And they'll create random passwords and remember sentences and type it all in for you. So we'll get you squared away. The other thing is, and this has not happened yet, but I'm so looking forward to this. The other thing is, is that a lot of people in the industry are moving away from passwords altogether. Now there's a problem with that.
We'll come back to the problem in just a minute. But again, the balance is between psychological acceptance and security, psychological acceptance and privacy. There's a big move towards passwordless. So you authenticate your phone using your code or looking at it or using your fingerprint and then your phone logs in everything or the same thing with your device. You look at your camera or use your fingerprint in your device and then from there it logs into everything for you using a passwordless method. I like that a lot. I'm really keen on that. That makes sense. I like that. When I think of passwordless, I think of things like how my Mac will let me unlock it with my thumb or how my phone will let me unlock it with my face. And I know that, you know, from an activist social justice perspective, I know better than to use my face because I have been told that my thumbs require a warrant, but my face does not. So help me understand that in not just the passwordless options, but the password free things, what are my better options and what are my not so great options? Yeah. This is the challenge because right now we're running into that second part that you just mentioned, which is to say that the police are using faces, using fingerprints to authenticate devices. There's a court case that's working its way through the system right now that will determine this. At the moment, passwords are considered protected, biometrics are not. So if you are concerned about activism, if you are concerned about the police, if you are concerned about being in a situation where you and your device are together and the police may be motivated to get into your device, this goes right back to the episode one where we're talking about, you know, abortion and whatnot. You still want to have a passcode for your device. And I mean, I made a joke a few minutes ago about if you're going to cheat, cheat better. 
And you know, from a relationship perspective too, if you're using your face to skip the password process, theoretically, a date while you're sleeping could hold your phone up to your face, right? And unlock your phone. I mean, it doesn't require your eyes to be open or you to be moving in order for it to recognize you and unlock things. So if somebody is not cheating, but dating, if somebody is having moments where their device is with somebody that they don't know especially well, I can imagine that that might present problems as well. Yeah, yeah, absolutely can. Especially in situations where one partner is particularly suspicious of the other partner in cases where we may have stalking or abuse going on. So all that comes into play. There's also concerns that the reversal of Roe v. Wade can reverse and erode some of our biometric data privacy laws because the fundamental underlying legal arguments are the same, right? It's all about privacy, the constitutional right to privacy. So we can also run into the issue where some of the laws that are currently protecting the biometrics themselves are overturned. So if you are in a situation where you're with someone and they use your phone, do you have legal recourse? Well, at the moment you do, but moving forward, we may not. And I promise not every episode we ever do is going to touch on Roe v. Wade, but this is a privacy and sexuality podcast. And right now Roe v. Wade impacts both of those in a lot of ways, right? And ways that we don't even know about fully yet. So that is an important consideration that I hadn't thought of. I know that eventually you're going to want me to figure out my next strategy. I know that I need a new password manager, pour one out for remember. I know that you want me to be complicated and that sentences for people like me are probably the best bet because I'm not going to remember 36 random characters and listeners. 
Someday I will tell you the story of Wolf having to hack his account and mine because he was so secure he couldn't get into it. But that's a story for another day. I don't want that level of complexity. I know that that's like your security, that's what you do, that's like your whole mission. But I represent the people that are like, no, I don't want to, I can't, it's obnoxious. So new password manager, sentences. I feel like biometrics are great for the time being, but that's something that we need to be paying attention to and maybe moving away from. I think that's fair, plus multifactor. All right. Did I miss anything? What else do I need to know to be safe online when I'm getting messages on Signal from people that aren't you? I want to know more about these people who are not me. But it's fine. You know, you hit on all the important points, longer is better, different is better. And if it is a site where you are concerned about the information getting out, log into it with a new unique private email address. Okay. So instead of having to remember a million different passwords, I need to remember a million different email addresses. But I feel like that could be simple because I could do like, I don't know, FetLifeSG at protonmail.com, right? Like is that going, would you recommend that or not recommend? Yeah. I mean, maybe not the SG if you're trying again to be unique. But again, the password manager will remember that for you. So it won't give you the head nod. It won't be a cute little bear. I know. I really feel bad about that. But it will remember the username and the password you set up. If the RememBear people are out there, if they happen to catch this podcast, could you just send me like whatever RememBear swag you have laying around the office so that when you go away next summer, I have a little something to remind me of the little bear that kept my password secure and my husband off my back for the last few years.
Because really, he means a lot to me and I'm going to miss him. So thank you, RememBear team. And know that is not a paid promotion. It's a genuine affection for the little bear and his head nod. So it sounds like we've hit this. So thank you so much for tuning into Securing Sexuality, your source for information you need to protect yourself and your relationships. From the bedroom to the cloud, we're here to help you navigate safe sex in a digital age. Please be sure to check out our website, Securing Sexuality, for more links and more information about the topics we've discussed here today. And join us again for more fascinating conversations about the intersection of sexuality and technology. Have a great week. Thank you.
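The Have I Been Pwned lookup mentioned in the episode, and the breach-checking feature of browsers and password managers described in the summary at the top of this page, rest on the same idea: ask whether a password is in a breach corpus without ever sending the password. What follows is an added example for this page, not code from the podcast or from Have I Been Pwned. It implements the client side of HIBP's Pwned Passwords range API (SHA-1 the password, send only the first five hex characters, match the suffix locally) against a constructed stand-in server so it runs offline. The `RecordingServer` class, the `CONSTRUCTED_CORPUS` passwords and counts, and the test passphrase are all assumptions made for the example; real breach counts come from the live service.

```python
"""Added example (not code from the Securing Sexuality podcast or from HIBP):
the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API.
The server below is a constructed stand-in so the example runs offline."""
import hashlib


def sha1_hex(password: str) -> str:
    """HIBP keys its corpus by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(digest_hex: str) -> tuple:
    """Only the 5-character prefix leaves the device; the remaining
    35 characters are compared locally against what the server returns."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> dict:
    """Wire format is one 'SUFFIX:COUNT' line per known hash. Zero counts are
    padding entries the real API can add so response size leaks nothing."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) must return the body of GET /range/{prefix}.
    Returns how many times the password appeared in breaches (0 = not seen)."""
    prefix, suffix = split_prefix(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed server stand-in (assumption, not HIBP data) ----------------
CONSTRUCTED_CORPUS = {"password": 9_545_824, "123456": 37_359_195}


def _build_ranges(corpus: dict) -> dict:
    """Index the constructed corpus by hash prefix, the way the API serves it."""
    ranges = {}
    for pw, count in corpus.items():
        prefix, suffix = split_prefix(sha1_hex(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    for prefix in ranges:                      # one padding line, count 0
        ranges[prefix].append("0" * 35 + ":0")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


class RecordingServer:
    """Stand-in for api.pwnedpasswords.com that records what the client sent,
    so we can confirm the password and its full hash never left the device."""

    def __init__(self, corpus: dict):
        self.ranges = _build_ranges(corpus)
        self.sent = []

    def fetch(self, prefix: str) -> str:
        self.sent.append(prefix)
        return self.ranges.get(prefix, "")


def check(passwords, server=None):
    """Check each password; return ({password: count}, [prefixes sent])."""
    server = server or RecordingServer(CONSTRUCTED_CORPUS)
    results = {pw: breach_count(pw, server.fetch) for pw in passwords}
    return results, server.sent


if __name__ == "__main__":
    results, sent = check(["password", "123456", "Westworld-finale-couch-2022"])
    for pw, n in results.items():
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
    print("what left the device:", sent)   # five hex chars each, never the password
```

Against the live service, `fetch_range` would be an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`; everything else stays the same. A password manager or browser doing this on your behalf is checking a hash prefix, not handing your password to a third party, which is why the feature is safe to leave enabled.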