Good morning and welcome to this week's edition of NCompass Live. I am your host, Krista Burns, here at the Nebraska Library Commission. NCompass Live is the commission's weekly online event. Yes, we are a webinar. You can call us that. We will not be offended by it. We own it. We'll cover anything that may be of interest to libraries. The show is free and open to anyone to watch, both the live show here on Wednesday mornings and all of the recordings that are available on our website. We do the show live every Wednesday morning at 10 a.m. Central time. And then the recordings are made of it and are all added to the archives on our website. So you can go there and see all of the recordings; if there are any presentations or links that are associated with the session, all of that is available after the show. We do a mixture of things here: presentations, interviews, book reviews, many training sessions. Basically anything that may be of interest to librarians, we will have on the show. And we have Nebraska Library Commission staff that sometimes do presentations. And we bring in guest speakers sometimes, which we have done this morning. On the line with us is Jasmine Dean. She is the director of the Portneuf District Library in Chubbuck, Idaho. Hello, Jess.

Hi, Krista. Hi, everybody.

And she's going to share something very important that we all need to be paying attention to. And I know I am probably about 50% good at it, doing what I should be doing and not always doing what I should be doing. But password management and security, both for you and your patrons: Jess is going to take us through that. So go ahead and take it away.

Great. Well, thank you and welcome, everybody. My name is Jasmine Dean. I'm the director at the Portneuf District Library in Chubbuck, Idaho. I've been here for about four years. Before I was a public librarian, I was an academic science librarian with the Claremont Colleges in Claremont, California.
I'm here today to talk about password security and management. This is something that we really need to be aware of as information professionals, not only for ourselves, but for our libraries and for our users. So I hope that you've got some good takeaways that you'll be able to take back to your libraries and certainly share with your users as well. I'm particularly passionate about password security and management because I have been hacked myself. I have a couple of different experiences that I will talk about in this presentation that really have led me to feel very strongly about sharing the message of being secure and managing passwords wisely, again, for yourself and for your library and your users. I would like to give mad props to Blake Carver of LISHost. He is one of the profession's experts on password management security. And he also runs library hosting and LISNews. And I get a lot of my inspiration for this from him. So I just wanted to give a shout-out to Blake. We're going to be talking about a couple of different things in addition to security as well, mostly about social engineering and things. So let's go ahead and get started. So why should we be worried? Well, hacks happen. And they happen to everyone. And it's almost something that you can't even prevent anymore. And many of us have had experiences with that. So think back on your own personal experiences: how many of you have had friends who have been hacked? How many of you have gotten spam from your closest friends and associates? I don't know how many of you are on the ARSL listserv, which is the Association for Rural and Small Libraries. That listserv has recently had a couple of people who were traveling overseas saying that they desperately needed money to get out of a bad situation. Well, that was because their emails were taken over. So we see this all the time. And we have to be really, really careful about it. Again, like I said, I have been hacked personally.
I made a very crucial mistake a couple of years ago that we will talk about. I had daisy-chained my accounts. And I had used the same password in multiple places. And somebody hacked my Facebook. And they then took over my Gmail and sent out spam, trying to get all of my friends to click a link to get a free MacBook. That wasn't so bad. It could have certainly been worse. They could have taken my banking information. They could have gotten into my retirement accounts and made transfers. And they didn't. Thankfully, only my dear friends and associates were asked to buy a MacBook or click a link to get a free one. And this has also happened in other areas of my life as well. My husband has actually been hacked because he loves to provoke people into discussions on social networking sites. And he made somebody really, really angry. And they took over his phone. And after they took over his phone, they went in and they found all of my information. And they tried to brute-force my accounts as well. So even if you know somebody who has poor security, you can become a target simply by affiliation. So it's really important to be aware of this sort of stuff. And I don't know how many of you have heard about the Matt Honan hacking story. This happened a couple of years ago. Matt Honan writes for Gizmodo. He is very tech savvy. And he's big in the world. And he had a coveted three-character Twitter handle. And you can't get those anymore because Twitter is so popular. So hackers found his three-character Twitter handle. And they decided that they wanted to take his account. And they just wanted to wreak havoc. They didn't really want to hurt him. But they wanted that three-character Twitter handle. And they wanted to just slash and watch it all burn. And what they did is, from his Twitter profile, they found his blog. From his blog, they found his email. They attempted a password reset. They found out what the backup email was for that. And they saw that it was an Apple ID.
They called Apple. Apple said they needed the last four digits of the credit card in order to make any changes over the phone. So the hackers then went to Amazon. Because Amazon used to allow you to add a credit card over the phone if you knew your email, your name, and your billing address. So these hackers added a fake credit card to the Amazon account, then reset Matt's Amazon password, found the last four digits of his real card, which they then used to access his Apple account. They wiped his phone, his iPod, his laptop. They locked him out of everything. And he lost 18 months of data, including all the pictures of his brand new baby girl. It was a devastating hack. And this really made a lot of us in the industry sit up and pay attention to how we can act safer online. So who is it that hacks? Well, you've got primarily two groups. You've got people who are overseas syndicates. They are very savvy. They are very organized. They are very efficient. They simply run like organized crime. They steal millions of dollars from individuals, corporations, and small businesses. They have malware. They do phishing attempts. And they're really out to turn a buck by taking over accounts and getting as much as they can. That's their job, is to just simply hack to try and get money. The other big group that we need to be worried about are bored kids. These are scarier because they're just bored. And all of us, especially in public libraries, know that kids are much more tech savvy. They're fearless. They will push buttons. They will click. They will try. They will figure out how to make something work. And a lot of times, they will just do it because they want to troll. They want to watch it burn and just wreak havoc. So these are the two primary groups that we really need to be worried about. Now, it's not just a matter of if it's going to happen. It's a matter of when anymore. Being the bad guy is really easy. You only have to succeed once.
Once you succeed, then you can start really doing some serious damage. So try not to think about being completely unhackable because I don't think that that is really your goal. What you want to do is you want to make things difficult enough so that it is not worth the effort so that the bored kids get bored because it's too hard to go after your stuff. And they go and they run outside. They play. They get some Minecraft. They go do other stuff in the library or whatever. And then you don't want to make it so that it is so easy for these overseas syndicates. They don't want to draw attention to themselves. So if they hit brick walls, they will go someplace where they can operate without being discovered. So try and make yourself challenging and difficult because if you are giving the path of least resistance, that's what's going to make you the most vulnerable. Couple of other things to keep in mind with being secure. Really make sure that you are updating all of your stuff. And I know that updates are really annoying. But make sure that you do them, especially with Flash and Java, which have huge security holes. And if you don't use Flash or Java, just go ahead and disable it in your browser or don't even use it at all. I know that I have a couple of different browsers on my personal machines. And I have one specifically for work that doesn't have any of these programs on it. It's just this very stripped down, secure browser. And I don't have these opportunities on my work machine that will run Flash or Java. Continue to go through your accounts and your applications. If you have something that you're not using, get rid of it. And so maybe you downloaded a Solitaire game on your phone or you aren't using that particular account anymore for MySpace, for example. Well, go ahead and get rid of those things because anything that is left unsupervised becomes a hole for hackers. 
Maybe it's that you're not looking at that old MySpace account and there's data there that could be used, or the account itself could be taken and be a stepping stone for getting to some other place. So kind of go through your stuff periodically, and if you're not using it anymore, just get rid of it because that's in your best interest. Change your passwords frequently. And I know that sometimes a lot of people will fuss when their IT department says, okay, it's been three months or six months, it's time to change your password. Well, this is good because sites get hacked, stuff gets taken, and data files end up on the internet in the hands of hackers. If you make a good practice of changing your passwords frequently, it is more likely that that data that may get out into the wild is outdated and therefore useless for hackers. It's very easy to just look up, and you can even Google for, lists of user names and passwords. So changing your passwords is gonna help cover you because by the time something might get out into the wild from an outdated website like MySpace, for example, it's gonna be old and it's not gonna be useful for anybody. Make sure that you are really thinking about backups. This is really important. A lot of people will use remote services like Carbonite, which is really, really good. Redundant backups are also good. So if you use Carbonite, have a local hard drive. Things like Carbonite are really great because if the building burns to the ground, all your stuff is stored elsewhere. If you have only a local backup that is on a hard drive and the building burns down, well then you're gonna lose everything. So think of two different options for backing up. And the best practice is to back up with an air gap, and that means that you back up and then you disconnect.
So on your local hard drive, you plug your hard drive into your device, your laptop or what have you, go ahead and run your backup, and then disconnect that hard drive from your device. That's called an air gap. And to do something like that with a remote service like Carbonite, instead of having it back up all day long, simply have it back up once a day. And then if you do lose data, you're only losing a day's worth of data instead of everything that you've got. And I know that right now, one of the biggest scams out there is this FBI screen scam where your computer is taken over. You get this picture of it supposedly from the FBI that says that you have to pay $300 to unencrypt your files. Well, if you use Carbonite and it's backing up constantly, or your hard drive is backing up constantly, it could back up that hack. If you do an air gap, you can restore from that backup and then circumvent it and still have those unencrypted files without having to pay the $300. The good news is that in many instances, if people paid that $300, they did actually get their stuff back from the hackers. But create your backups, be really good about that. And when possible, make sure that you do that air gap. Be very careful with remote wipe options because if somebody takes over your account, say for example your iCloud, they can completely wipe all of your data. They can just simply wipe your hard drive on your Mac, on your phone, on your iPad. So really think carefully about whether or not that's something that you want to do because you do run a risk if you have those remote wipes set up. So let's take a minute and talk a little bit about social engineering. Social engineering is the easiest way to hack. This is where people use your information against you. Many of us remember that Mitt Romney's Hotmail was hacked not too long ago during the last election cycle, and it was easy to do because his security reset questions were all public knowledge.
Everybody knew what his pet's name was. Everybody knew all of these answers. So think about these answers that you have to put in to reset your accounts because a lot of this stuff is public. You might be talking about your pets on Twitter or Facebook, so everybody knows that your cat's name is Macy or what have you. Is it really that important that you put your maiden name on Facebook, or what high school you went to, or your college mascot, or any of these things that can be used as password reset questions? So think about that really, really carefully because a lot of us put this data out there and then we don't realize that this can be used against us to gain access to our account. A good guess will get you right in. So when you're doing this sort of stuff, there are some things that you can do. A lot of people will make up a character or will use a famous character from one of their favorite stories and use that security data for these reset questions. And this is kind of important to do. I have another story that I'll share with you. My daughter is almost 13, and four years ago my daughter wanted a dollar dragon game on her phone, and I told her, "No, Lila, I'm not gonna buy you this now, so we'll talk about it at home tonight." And we forgot. A couple of days later she texts me from school and she says, "Mommy, I'm doing a project for school on my parents." And I said, okay. And she says, "I need to know the year you were born. I need to know who your best friend is. I need to know what your lucky number is." And these were the questions that I had on my Apple iTunes account, which my daughter was trying to get into in order to buy her dragon game, right? Well, Mommy is a little bit paranoid. So I had fake answers to those questions.
So when I gave her the true answers, she couldn't get into that account, and I actually ended up getting a phone call from Apple saying that you have had too many password reset attempts using your password reset questions and we think your account is being compromised. And that's when I realized that my nine-year-old was trying to socially engineer my account to get into iTunes in order to buy her dragon game. So really think hard about whether or not you want to put that personal information on social networking sites. Many of us can just look at somebody's Facebook and see what their maiden name is, where they went to high school, and then answer those questions. And it's also a best practice when you are setting those questions: if you can choose to create your own question, those are the best because then you can choose something that is really private and meaningful to you, that you will remember, that isn't put publicly elsewhere. So this is something that's good to keep in mind. The other thing that you want to avoid is you don't want to daisy-chain all your accounts together, okay? So you don't want to have all of your stuff pointing to one primary email for resets. So kind of think of it like tiered reference, okay? So you can have your very public email for your different public accounts. So for example, I use my first name at whatever domain everywhere. So people can find me. People know where to find me on Gmail. People know where to find me on Yahoo. People know where to find me on Flickr. People know where to find me on my crochet groups, things like that. But my usernames and my emails for very important services like my retirement or my banking or my credit cards or any online shopping like Amazon, those are all different. Those are not publicly known. Those can't be just guessed by somebody.
So you can make different categories of services: for things that are extremely sensitive, have a very unique username that nobody else knows of, have your own email for that, and then make a different one for public services where you want people to be able to find you. We do want to be discoverable in this profession, but we do still have to be very, very careful about what we make public and how we separate our public and our private lives. So you can take that into consideration when setting up these accounts. Another thing to keep in mind is two-factor ID. Two-factor ID is a neat little trick that many websites and services are using. Two-factor ID requires that you have some other thing with you to log in. And so for example, if I wanted to log into my Gmail, I have two-factor ID set up. I would go to log into my Gmail, I would put in my username and my password, and then Gmail texts my phone a code that I actually put in to authenticate that. So two-factor ID requires that secondary device, and it can either be like a smart card that you put into your USB port. It could be a biometric like your fingerprint, for example. So the new iPhones have that fingerprint recognition and you can use that. But two-factor ID is really important if you can turn it on. Twitter, Facebook and Gmail and many other services are starting to move towards offering two-factor ID, which will help make you more secure. It is kind of a pain because if you wanna log into Gmail at a cyber cafe somewhere in Europe while traveling and you don't have your phone or you can't get texts, you can't log in, so it is that extra step. But again, it is secure. It's a better step than just having a username and a password. So for your most important accounts that you don't wanna have breached, please think about putting two-factor ID in. So, good passwords. And I absolutely love this tweet. I came across it a bunch of years ago.
"Sorry, but your password must contain an uppercase letter, a number, a punctuation mark, a gang sign, an extinct mammal and a hieroglyph." So you can add an interpretive dance, a secret handshake or a DNA sample or anything like that for a really good password. And good passwords are important to consider: the stronger you make your password, the safer you're gonna be. So good passwords are long. You wanna shoot for as many characters as you can possibly get. Most of my passwords are anywhere from 25 to 35 characters long, oftentimes with high-risk services like Twitter and Facebook. It's as long as I can possibly get it to be, whatever length is allowed by the web service. Try to avoid using sites that don't let you make secure passwords. And there are some sites out there; a really popular gaming site called Pogo, for example, does not allow you to make secure passwords because they don't allow you a significant amount of characters and they don't allow you any special characters as well. So if you don't need to use that site or create an account on that site, because you can't create a secure password, just skip it. Find something else that will do just as good so that you're keeping yourself safe and secure online. Good passwords contain special characters, and not just asterisk or exclamation point, but use some unknown stuff like pipe or curly brackets or something like that, something that's not typically used. A lot of us will automatically go to the special characters above the numbers. Well, look at some of those other special characters that you can put in that are not necessarily as popular. Never ever use names in passwords. No names whatsoever. There are just lists of names that you can get, and it's very common that people use either their kids' names or their pets' names or their spouse's names or your high school crush or any of these other names.
Well, again, that's discoverable by social engineering. So if you've got your high school crush and your friends and people can, it's not difficult to figure out how everybody is linked together. So just don't use names at all. It's very popular to use names, and names are often included in brute-force password attacks. So just stay away. Don't use anything that's found in a traditional dictionary or any kind of dictionary, and this really includes any unique things. So I had one librarian once tell me, well, I use Star Wars characters. Well, so do a lot of other people. So just don't use any words that can be found in any sort of dictionary, traditional or unique or what have you. Again, dictionary words are easy to try and guess. XKCD came out with a comic a couple years ago featuring a random string of nonsensical words. It was very long; they're typically pretty secure. However, since that comic came out, there are more and more programs that are being written to circumnavigate this sort of structure. So at this point in time, it's not exactly safe to just have a random string of nonsensical words be your password. If you do that, throw in oddball numbers, special characters, different sorts of things to shake that up, because then you can have the nonsensical words but you can also have some differences that will make it harder to get. Avoid common styles: it's very typical for people to use three for E, zero for O, one for I, five for S. We know what these shortcuts are now, and if you thought of a pattern, somebody else has thought of that pattern too. So I have another little story about my daughter. Last summer, she decided she was gonna write her journal in code. She didn't want anybody to read her journal, so she invented this elaborate code and she was writing in her journal in this code. Well, then she read a Brandon Sanderson book and in it was the same code, and she was just with it. She's just, "Mommy, Brandon Sanderson copied me.
How could he know what this code is?" Well, the thing is, is that if you thought of a pattern, then somebody else has thought of that too. So try to identify different unique ways of making substitutions that aren't guessable, that aren't very popular. And make them really, really long. This is important. A five-letter password has 10 million combinations. It can be cracked in five seconds. Six characters, 500 seconds; seven characters, 13 hours; eight characters, 57 days. And if it has nine letters, it's too difficult to crack with brute force, but there are other ways that you can try and compromise greater-than-nine-character passwords by using rainbow tables. Rainbow tables are pre-computed tables of math that reverse cryptographic hash functions. You can just Google and get rainbow tables online. So the longer your passwords are, the safer and more difficult they will be. So again, change them often. Even if your IT department doesn't require you to change your passwords, set up a regular calendar reminder every six months, every three months, whatever you decide is important. And go ahead and change them. And you don't have to change all of them at once because if you think about it, we've got so many. It will take you so long to make all of those changes. So perhaps just do one a day when that six-month cycle comes up. And that way you're making sure that you're changing them regularly and you're being safe and secure online, but you're not overwhelming yourself with having to change the passwords for 35 different sites in one day. So to sum up, good passwords have a combination of numbers and letters. They contain special characters, no names, no words found in the dictionary, and they are never ever to be reused on other sites. Most importantly, never reuse your passwords on other sites. "Password reuse is what really will kill you," and that is a quote from Diana Smetters, a software engineer at Google who works on authentication systems.
Your security is only as strong as your weakest link. So let's say, for example, that you use a very popular recipe site. You've got your email as your username because the recipe site requires that you use your email as your username, and you use your password. And that password is also the password for your email. Well, if that recipe site gets hacked and hackers get that data, they now have your email and your password. And if they can get into your email and that email is the password reset for other things, they can get into your banking. They can get into your credit cards. They can spam, they can send phishing attempts to the rest of your family members. So don't ever reuse those passwords. And I know that that is really, really hard because that means that in today's world, you've got tons and tons of passwords that you have to remember. Now, some people will invent a scheme for creating unique passwords. Perhaps they will say that the first characters are the website and then something meaningful and then a series of numbers. If that works for you, that's great. I can't do this, so I don't even try. So I use password managers. And password managers are software that manages multiple passwords for you. It's encrypted, it's secure. Your passwords are always with you, so you don't have to keep them on an Excel spreadsheet on your laptop or in a handwritten notebook or sticky notes taped to your monitor. Password managers will let you take them with you. Many of these password managers also have applications or the ability to work with tablets and mobile devices. And it keeps the record of all of your accounts, which is really, really handy. So how do they work? Well, most are secure data files. They're stored on your device or they're online. And this is kind of nice because if you have your secure data file, that means that you can log in offline without internet access, but you also have them when you're on the go.
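As an added illustration that is not part of the webinar transcript: a small Python checker for the password rules described above (length, special characters beyond the popular ones above the number row, no names or dictionary words even after the 3/0/1/5 substitutions) together with a keyspace-based brute-force estimate and a check for the reuse scenario just described. The word list, the sample vault and the 2 million guesses per second rate are constructed assumptions, not figures from the talk.

```python
import string

# Constructed stand-in for the dictionaries and name lists the talk warns
# about (pets, kids, Star Wars characters); a real checker loads big lists.
COMMON_WORDS = {"password", "library", "dragon", "macy", "lila",
                "skywalker", "yoda", "summer", "welcome"}

# The "three for E, zero for O" substitutions the talk says everyone knows.
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "5": "s",
                      "@": "a", "$": "s", "7": "t"})

# Specials most people reach for (above the number row) versus the less
# common ones the talk recommends (pipe, curly brackets, ...).
POPULAR_SPECIALS = set("!@#$%^&*()")
OTHER_SPECIALS = set(string.punctuation) - POPULAR_SPECIALS


def normalize(password):
    """Lowercase and undo common leet substitutions before word matching."""
    return password.lower().translate(LEET)


def contains_listed_word(password, words=COMMON_WORDS, min_len=4):
    """True if a listed word or name survives inside the normalized password."""
    norm = normalize(password)
    return any(w in norm for w in words if len(w) >= min_len)


def charset_size(password):
    """Size of the character-class mix an attacker would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def brute_force_seconds(password, guesses_per_second=2_000_000):
    """Worst-case exhaustive search time; the guess rate is an assumption."""
    return charset_size(password) ** len(password) / guesses_per_second


def check_password(password, min_length=16):
    """Return the talk's rules that the password breaks (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    elif not any(c in OTHER_SPECIALS for c in password):
        problems.append("only the popular specials above the number row")
    if contains_listed_word(password):
        problems.append("contains a dictionary word or name (leet undone)")
    return problems


def find_reused(vault):
    """Group the sites in a {site: password} mapping that share a password."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values()
                  if len(sites) > 1)


if __name__ == "__main__":
    # Constructed sample vault, like the recipe-site scenario in the talk:
    # the email password is reused on a low-value site.
    vault = {"email": "Dr@g0n!", "recipes": "Dr@g0n!",
             "bank": "Tq|7x}vK;9mWz{4Re~Pu"}
    for site, pw in vault.items():
        print(site, check_password(pw),
              f"~{brute_force_seconds(pw):.0f}s to exhaust the keyspace")
    print("same password on:", find_reused(vault))
```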
So if you go visit your best friend in Texas or what have you and you want to log into your stuff, you can log into that web-based password manager and then you can access the encrypted files on that site. Some of them require a token for two-factor ID like we had talked about earlier, so you can do that as well. It really depends. So there are some pros and cons, of course. Password managers will create and manage complex and unique passwords for you. There's only one password that you have to remember. It bypasses key logging software that might be put onto a computer. So if you go into an internet cafe, if it's bugged with key logging software, password managers will bypass that because they will just copy and paste everything from their own area and you don't have to input any data from the keyboard. And it helps against phishing because password managers will keep the URL for that account, and if it isn't the URL for that account, it won't offer you any data. So it's a huge flag that says, wait a minute, this isn't the URL that you think it is. So it really helps against phishing. And that way, if you get a spam email that is emulated to be from your bank, but when you click on that link and they're asking for your username and password for your bank account it's not your bank's URL, your password manager is gonna know that. And that's really, really helpful. There are a couple of cons to password managers. If someone gets your one password to your password manager, all is lost and you're gonna have to do some data disaster recovery. So you have to make that one password really, really good, really, really secure and really, really complicated. And make sure nobody gets it. So don't write it down, commit it to memory and don't have it anywhere else that anybody can find. And the other thing is, if you don't have your key or your app to your password manager, you may not be able to get in. So this is kind of important to remember too.
I guess it was a couple of months ago, I was at a conference and I had forgotten my password to my LastPass; I had just changed it and I couldn't get into any of my stuff for three days. So, you know, just remember that you've got to really be organized. And once you commit yourself to a password manager, though, and you get used to how it works, then it's really easy for you to kind of avoid that and keep it in your workflow. So password managers can be good for you and for your library because if you think about it, how many staff do you have? How many services and sites do you have to govern? How many of those user names and accounts are shared with your staff? So how many of you govern your Facebook or your Twitter? How many of you interact with your users and upload pictures to Flickr or Picasa or Pinterest? Many of us in libraries, especially small and rural libraries, distribute the workload of managing social media. So we're sharing user names and we're sharing passwords, and a lot of us have a tendency to make them really easy so that all of us know what that is. Well, that also means then that that pesky little troublemaker who came in and is mad that you wouldn't check out 10 DVDs to him and void the limit is now gonna just go in and wreak havoc on your social networking stuff. So you need to still make your passwords really, really complicated and unique and not have all your accounts daisy-chained together. And a password manager can help you do that. We at the Portneuf Library use LastPass, and this is a screenshot of what LastPass web looks like. You can download LastPass to your different devices and tablets; it's really easy to use. LastPass is web-based, but it also has a locally stored encrypted data file on your device, so you don't have to use the online version. You can actually just log in offline and use the locally stored data as well.
Here is an example of what LastPass on the web looks like, and you can see in here that we have all kinds of different stuff. So we've got not only our websites that we use, and here's like our Twitter and our Fortneth and all this kind of stuff, but we also have all of the usernames and passwords to different computers. This way, instead of having just one default logon password for all of our physical machines, each one can have its own unique set of passwords for each different purpose that it serves, and we have those all stored in LastPass as well. Now, not all of my staff have access to LastPass. There are only three of us in my library that have access, and out of the three of us, one of us is always in the building. And what that means is when a staff member does need to get something, there are three of us that have this master password to get in and manage all of our data. So all of our usernames, our accounts and our passwords are stored here, and this is one place where any changes that are made, it manages everything for us. We can make really complex passwords that are not guessable by our users or anybody who would want to do us any harm, and LastPass helps facilitate that for us. So here is another example of what LastPass looks like. This is how you add a site, and this is a personal computer. So this is one of the staff computers at our service desk. It has the username, it has the password. LastPass will give you a color bar telling you how secure or insecure that password is. You can put in notes. We often put in a note with the last time it was changed so that we can go through the notes and just say, oh, okay, well, that password for Facebook hasn't been changed in eight months, it's time to change it. So you can add notes in here, and if you're doing a website, you can of course put in your URL, and that URL, again, is unique to that site.
So if you click on an email and you're routed to a different URL, it's not going to work. LastPass is going to identify that and say, hey, wait a minute, this isn't the URL that you put in before. So that's really important. And you can also choose different groups. So this is the staff computer group, but you can also choose social networking as a group, or financials as a group, or collection development as a group, or however you want to categorize your URLs. LastPass, and many other password managers, does have a browser extension. So you just download the little browser extension; it sits up in the corner by your close, maximize, minimize buttons. You click this and it will launch a little window that'll say, hey, what do you want to do with your LastPass? Do you want to log into your vault? Do you want to create a secure password? Do you want to do a security check? Do you want to add a site? Do you want to add a note? What do you want to do? So it's really nice to have this browser extension, and this browser extension works in offline mode, so if you have no internet connectivity you can still log into your stored data file on your device. This is a really nice shortcut, so that if you don't want to log into the web page to get those passwords, you can just use the browser extension. And the browser extension does not store the secured data file; the secured data file is on your device somewhere, and they interface together, but the browser extension does not store it. So if your browser is hijacked, it's not going to automatically go and get your stuff, because there is a disconnect. They go and talk to each other, but they are not completely linked together all the time. Here's an example of what LastPass looks like when it's trying to log into a site. So here we're trying to sign into our Yahoo for the library, so it'll say, here's your user ID and here's your saved password.
Now, this kind of sits on top of the browser and will, again, bypass keylogging, because LastPass is going to go ahead and input this for you, but it's not going to require you to type anything. So if there's a keylogger on your machine, it's not going to capture any data. And LastPass will ask you: right here up at the top you'll get a little bar that says, hey, I've detected some data. Do you want to autofill? Do you not want to autofill? Do you want to close this? What do you want to do? Because LastPass identifies this URL, because this URL has been saved. So if we came to a fake Yahoo, for example, LastPass wouldn't offer anything at all, because that's not the URL that had been saved. So this is really nice, because again, it'll help protect you and your users and your staff against logging into malicious sites and software. LastPass will generate passwords for you. I love this feature. You can determine how long you want that password to be, so you can decide, well, I want my password to be 45 characters, and it'll go ahead and do it for you. I mean, look at this random string. How many of us are going to remember this? Well, the thing is that you don't have to, because LastPass is going to keep track of all of it for you. I like to avoid ambiguous characters. That would be like zero and O, and l and I, and that kind of stuff, where you might have some confusion between uppercase I and lowercase l. But this is a really important thing, because then you don't have to try and create a scheme or figure out what's going on. LastPass will just create a password for you. And you can share these things as well. So if you decide that you're going to use LastPass, but you don't want to give the Facebook account to a particular staff member, but they need to log in to post something for you, you can share the information. It'll remain encrypted and hashed, and all they'll see is the username, but then they'll just see asterisks for that password.
They can go ahead and launch that and go ahead and log in. It won't save the session, and then you can just share the passwords easily that way. So this is really, really nice. This is a great feature, because again, you can restrict access to LastPass and your password manager to just a few key people in your organization, but still share with the rest of your team all the things that we do. A couple of other things that password managers offer: they will allow you to specify logins by country. So you can simply say that only people from the US can log into this account. So if somebody from Russia tries to log in, they can't do it. You can also disallow Tor network logins. I don't know how many of you might know what Tor is. The Tor network is a way to bypass security. It distributes your login and your user data across this huge network, and it keeps you safe and secure, but hackers also can use this because it keeps them untraceable. So just as much as when you use the Tor network you become untraceable, and your data becomes untraceable and your tracks are hidden, hacker tracks are hidden as well. So you can just say, don't let anybody from the Tor network log in to my password management. It'll also track logins and shares. So you can see how many people have logged in. Did you log in? Did somebody else log in? How many shares were done? And many password manager security options will let you determine how many times you have to put in that master password. So do you have to put it in for every change? Do you have to put it in once a month? Do you have to put it in just when you log in? You can determine that. So if there's something for your library that is pretty secure and pretty important, then you can require, for that URL, that it asks for the master password every single time. And that's going to make you a little bit more secure. And you can decide; you can set all these things up. Some other features:
Most password managers will allow for multiple profiles. So you could have a work profile, a school profile. You could have staff profiles. They'll also save your credit card information, your bank information. And again, that's so that you're not inputting your credit card information or your bank information into a possibly hijacked browser or into a keylogging machine. It will just be hashed, just like it was in the previous slides, and they'll input that data for you. And LastPass offers free credit monitoring, which is really kind of cool. In the library world, we use those credit cards for everything we can't get a purchase order for or net 30 days. And a lot of times we end up using these cards pretty extensively. So with the credit monitoring, if there's something that's really unusual, or unusual activity, LastPass and some other security options will just email you and say, hey, did you know that this is going on? There are lots of password managers out there. We use LastPass because we like it, but that doesn't mean that it is the best option for you and your organization. So take a look at all of them. You can Google "top 10 password managers" and get a list of the best reviewed. I know that Lifehacker has a really good article on password managers. And this is just a list of some of the most popular that are listed on those different sites. So take a look at all of them and see what's going to fit best for you. Some have different options than others. So again, this comes down to your personal preferences. Maybe grab some different password managers, do a free trial, see what might work best for you and your organization, because lots of people will use different things just based on what fits their personality. Here's an example of what some of them look like. They all kind of look the same. So I showed you what LastPass looked like. And here you can see we have KeePass, and 1Password, which is iOS specific. It only works on Macs and iPads and Apple's products.
And then some of these are open source as well. So then you have a whole team of people who are working together to make it more secure, because the code is open source. So you have, again, different options. They all kind of look the same. They all kind of work the same and do the same sorts of things. So just kind of play with them and decide what might work best for you. Some of them are free. KeePass is open source and totally free. RoboForm is Windows. It's free, or a pro version is $30. 1Password is probably the most expensive. And again, 1Password is Mac specific, and the desktop is 40 bucks and the iPhone is $15. We use LastPass. Its free version works really, really well, and that's actually what we use in our library. And the premium is a whopping $14 a year, if you want to be a premium member. So it kind of depends on, again, what your goals are. Many of them also offer a business solution. So you can actually buy a password manager for your business and have all these other options. And this might be a really good option for you if you have a larger organization with more staff and more employees. We're pretty tiny, so just having the free version works for us. But LastPass, for example, is $24 per employee per year. Well, that's really pretty cheap if you think about it, because then each of your employees has this password manager, can use it for all of the different things that they do, and it's all tied together as a part of your organization. So this is something to really take seriously, because you might be able to just go ahead and buy that business solution if you're a little bit bigger and use it that way. So let's summarize. General security: make it hard enough just not to make it worth their time. Just set up enough brick walls to deter people from trying to hack you. Don't try to be unhackable; I don't think that's attainable. Instead, just make it more difficult than just leaving the doors open.
Remove anything that you're not using, kill accounts you don't use, change your passwords frequently, make sure you run your updates and patches, make sure you're doing your backups. And the most important thing is, don't leave your stuff lying around. So don't have your passwords on a sticky note on your monitor, or in a notebook that you might leave on your desk, or in an Excel spreadsheet that might get inadvertently uploaded to Google Docs and shared with your organization. Just be really careful about your security, and kind of think about this stuff as your grandmother's watch that you keep in a safety deposit box, right? So just really think about that. For social engineering: create a fake persona, perhaps, and use that fake persona's information as your password reset questions. Vary your usernames; make sure that your public usernames are very different from anything that requires significant security. Don't daisy-chain everything to one email. There are so many different ways of getting free email these days, so go ahead and create some different accounts, and keep some that are just specific for those most important, sensitive, personal things, for your finances in particular, to keep yourself safe, so that you don't end up losing a bunch of money because your cards get out there in the wild and the money gets gone. And of course, don't share. Be very careful about sharing your personal data on social networking sites. Use two-factor ID if it is an option. Make a good password: make them long, change them often, use your special characters. Never, ever reuse them. Ever, ever, ever. That is the number one takeaway that I really want to encourage you guys to remember. Never reuse your passwords. Just doing that will save you so much, and that is the most important thing: just never, ever do that. And try some of these different tools. Password managers work for some people; password managers don't work for others.
And when considering a password manager, you know, look at how they maintain the security of the data that they're holding for you. What are their service level agreements? How are they making these promises? What encryption do they use? And make sure that you're doing your homework on a password manager, because again, these password management tools are really kind of protecting your digital life and your livelihood, so you want to make sure that you are using something that is reputable. So do your homework before you just start using a password manager. Okay, so be safe out there. Thank you very much for your time, and we do have nine minutes if there are any questions. Yes, there were a few. Thank you very much, Jess. That was awesome and scary. Of course. I think personally, for me, I'm pretty good with the creation of the passwords, being long and secure, and making up a new one for everything that I sign up for. But trying to keep track of it, that's always been my hard thing too. I do bad things like write them on pieces of paper, but on my desk at home; I pretty much figured none of my friends is going to walk in and steal them, hopefully. But I always think about these LastPass things and the password managers, that I should get into it. And now, seeing how it can work and what yours is doing, I think I may be going home to John, my fiancé, and say, yeah, we're doing this this weekend. Yeah, well, I... This is our weekend project, getting all this coordinated and sorted out for us. I'm so sold on these now. And after I had that really nasty hack where everybody, and I don't know if you got one, but I had people from all over the country sending me emails saying, did you really want me to buy a MacBook? And I'm like, oh my gosh, it was just mortifying. It's so embarrassing when that happens. After that, I've been sold. Yeah, I've only been hacked once myself. I think I had a Hotmail account. I still do have it.
And a weird thing happened to it, where sometimes, like when I signed up for some new system or new account or something, I wouldn't get the confirmation email. Somebody was intercepting that somehow; it was very strange. But then nothing else ever happened based on that. So I cut off everything from that and started all new with a whole new one, but it was very strange. It was like somebody kind of sort of halfway tried and then gave up, I don't know. Well, and the other thing, too, is that the older your accounts are, the more known they are. I mean, I just had to change my Apple ID, because I've had the same Apple ID since, oh, I don't even know, since iTunes was invented. And every day I was getting phishing attempts from non-Apple representatives trying to get my Apple ID and my password, telling me I needed to update my credit card. So I finally had to change my Apple ID, because the older those accounts are... And I still have a Hotmail from 1999. It was the second email I ever created. And eventually those things just become huge targets, because they've been used so many times, they end up in so many places. Yeah, yeah. We did have a couple of questions. So I just want to remind anyone, if you do have any questions, type them into the questions section of your GoToWebinar interface and I'll grab them here. The first one we had was about pricing, and you actually answered that before I could even get to it. I think it was one of our commission staff here who asked about that. I think she covered that for you guys. Let me know if you want to know anything else about that. But then another question, which is a good question too. Assuming that your master password, and I assume she's talking about the LastPass or some sort of password manager, assuming that your master password is very secure, how do you store or remember that one? You've got to commit it to memory. I mean, that's the difficult thing.
So what I do now, after having gone to a conference a couple of months ago and having forgotten what my master password was because I had just changed it the day before I left, is I just use repetition. I use memory; I actually will type it multiple times, over and over and over again, on my phone, on my keyboard, until I've got it completely remembered. So that is a huge challenge, because you want that one to be long, you want it to be secure, you want it to have all the features of a secure password, but you still have to remember it. Just commit it to memory: actually carve out a set of time and commit it to memory, and then an hour later work on it again, so that you're not just keeping it in your short-term memory, but you actually go through a process where you're committing it to your long-term memory by doing it over and over and over again. And that's been the only way that I've been able to really master learning my master password. Yeah, and having it be secure. It does seem like there are no tricks; there's nowhere to save your master password. It just doesn't work that way. Just like you memorize your new phone number when you move somewhere, if you have to, or you memorize your new address, it's just something you have to do. Oh, here's a good question. If you're using a password manager, and this is a whole other topic that we could go into in a whole other show, should you give your master password to possibly a family member or someone in the event of your death? You know, that is a really good question, and I currently do have my master password in my living will. There you go, yes. Somewhere that someone will get once something does happen; it'll be part of that. Yeah, because... I actually don't have a family member who is executor of my estate. I actually pay the same person who does my taxes.
They have a little department that will act as executor of your estate. And it's not like I have a ton of money or anything, but it's just somebody else to manage the pittance that my daughter would get in the event of my untimely demise. And in that is my master password, because the instructions are to go through and kill all of those accounts and remove all of that data. So yes, but again, I don't give it to a family member, and it's not that I don't trust my family members. It's just that I do have this other place, an executor of my estate, or the holder of your living will, it could be. So if you have a family member who is the executor of your estate, or a best friend, sure, give it to them, if you have enough trust and faith in them to make sure that it doesn't get out in the wild. But that's a really good question, and that's kind of a personal question on where you want, how you want to do that. My instructions in the event of my death are that you are to go in there and you are to disable and remove and delete all of my data. And I even have lists of websites like accountkiller.com and things like that that will help people go through and just completely delete all that, because I don't want any of my social networking stuff out there; it's just too much, it's just too much free. Yeah, and there have been lots of articles you can find online about just about anything, like what we should do, like what happens to your Facebook account if you die, what happens to your Twitter account, and how are you supposed to handle that. Someone did give a suggestion of a way to do it: split up your password. I mean, that was just one way to do it. Split it up into two parts and give them to two different people. For example, maybe your wife and your lawyer, or people you can trust, your family member and a lawyer, or whoever.
And then no one person has it, but there are instructions, once you die, in your living will or in something, saying, okay, you guys need to get together, and this is how you'll figure out how to take care of all this. That's a really... that's brilliant. That's a very good idea. Okay. And Osamoza says, Google has a feature to set it up so that if you don't check in every so often, it will remind you; it will send an email with such info to someone of your choice. So basically, if you haven't arranged for this, it will notice that, I see they haven't logged in in a week or two or whatever; maybe I should send a feeler out to see, are they still around? Did something happen? What's going on? That's very interesting. And that's a concept that requires deeper thought, because what if you use IMAP or something to read your email and you never log into Google anymore, because you have it all coming to you? But then they're starting to email your best friend and say, oh my gosh, she's dead, because she hasn't logged into her email. So that's a very interesting thing to think of, and I'm wondering how long it'll be before that might be an option elsewhere. I know periodically, and I've never been able to figure out, some things that I go into, I leave myself logged in sometimes to my Facebook at work or to other things, and so when I open it, it's already logged in, or at home, and sometimes I have to re-log in, and I've never been able to figure out why. Is that maybe part of that, that I haven't actually logged in recently? So it says, this is not that cool; let's log you out automatically and make you actually type in your password again. I don't know. Yeah, and I think some sites are also very savvy to different locations. So if you're logged in someplace and then you drive 30 miles and you're logging in somewhere else, or you drive 700 miles and you log in somewhere else, they're going to be suspicious in the past. Yeah, they're going to be suspicious. Which is good.
Yeah, which is really, really good. And then there are also features, Google has this feature and so does Facebook, where you can look at all of the concurrent sessions that you have, and you can kill any sessions that you aren't using or that you're unsure of. Maybe you logged into Facebook at a conference, and it says, hey, did you know you're still logged into something in Tacoma, Washington? You'd be like, well, no, actually, I don't need to be. Go ahead and kill them. I remember I've seen that when I used to use instant messaging software, AIM, I think, or AOL. One of them said, you're logged in somewhere else. Do you also want to be logged in there still? And that was every time you tried to log in on a new one. Here's a question. What happens when your password... I don't know if this has happened yet, but what happens when your password manager software goes belly up and you can't get into any of your online accounts anymore? I have not seen that happen on the news yet. I mean, let's just say yet, because we all know how this works. I assume that, and this is again, this is an assumption, but most companies ought to take responsibility to their users and say, we are going out of business in X days. Right, and they'll reach out to their... yeah. And then you have enough time to, you know, get your passwords, because all of these tools that I've looked at have some sort of way for you to gather and export, or whatever, your passwords. And, you know, the data file is secured on your device. Whether or not you can get it or look at it or do anything with it is different. But I guess the best answer for that would be to do your homework and make sure that you are working with a company that has sustainability, that has good security, that has longevity, and that has made an investment in providing that service, so that you're not working with somebody who then goes belly up, because that would be really pretty tragic.
But hopefully, if that happens, the companies would assume some social responsibility for communicating that to their users. Generally they do. And we do have a comment from someone who was mentioned earlier. Blake Carver is actually on the line with us. He logged in; he was a little late. He missed your shout-out to him, Jess. But Blake does say you can export from LastPass. So if it dies, you have a backup. So maybe, once you have set that up, periodically do an export, put it on some sort of local hard drive that is then, as you said earlier, disconnected from anything. And then you've got your own preemptive backup ready, just in case. But usually what's happened with most of these companies is they've given warnings when something... any of these social networks, social sites, say, we're going to have to shut down, we can't keep going, blah, blah, blah, for whatever reason, and give you time and notification that you need to do something about it. Generally, especially the big ones that everyone knows about now, they don't just go away, poof, certainly. And someone does have a question. What about OpenID? I started to use them, but they folded. They were a type of password manager. I don't have that much experience with OpenID. I used to use OpenID. And kind of the concept of OpenID is still being emulated elsewhere with single logon. So you can log into a site using your Facebook, and you don't technically have an account with that site. You're just logged into your Facebook. So kind of that concept still exists. I prefer, and this is just personal preference, I just prefer, if the site is important enough that I need an account for it, to just go ahead and create it and manage it. Because again, I don't want too much stuff being out there and playing online without my supervision, but that's just me. And maybe Blake can... I don't know if he wants to chime in on any of that, because that's a little bit more out of my depth, but...
And one other question we had, and I'm not sure if I might need more explanation; I'm not sure I understand the question very clearly. Should you feel safe with your home computer remembering your password? I don't let anything remember anything. Because you're showing where it has... and I see that come up a lot when I first log into something, or even when I repeatedly log into a site. I know Firefox has this automatic, hey, do you want us to remember this? I always say no, never remember. Nothing remembers anything. So, and again, you want to talk about repetition and having to commit your master password to memory: have nothing remember you, because you're putting in that master password every time that you want to buy something on iTunes on your phone, any time that you want to log into Facebook on your laptop. You're constantly having to put that master password in. But I have it set so that nothing remembers anything. So my personal laptop doesn't, my iPad doesn't, my phone doesn't; nothing remembers anything. And I have to actually go through the process of logging in. And I think that that's really kind of a personal question that you need to ask yourself: how secure do you want to be? It's pretty likely that your desktop is not going to have some strange person coming to it at the keyboard through your house. But that doesn't mean that they aren't going to find a way to hack your ISP and get into that computer remotely. So I just have it so that nothing remembers anything. And that's just the end of that. Nothing is logged in. And even my LastPass doesn't stay connected. I have it set so that I log in for the session that I'm doing, and as soon as that session is closed, then I'm logged out of my LastPass. Yeah, I think that helps with the previous person's question about how the heck do you remember that main one? You just make yourself use it every day.
Like, I know my email passwords off the top of my head because I use them every day to log in. And it just becomes something you know, because you're forced to. And it is a change in user behavior. So part of it is that we are just boom, boom, boom, boom, boom. I want to have it now. I don't want to wait. I don't want to have to take extra steps. And using a password manager is an extra step, because, for example, let's go back to my phone, and let's say that I'm going to go ahead and buy the dragon game for my daughter. Well, that means that before I go to iTunes and look up the game and buy the game, I have to go to LastPass, log in to LastPass, copy the password to my clipboard, go back over to iTunes, log in to iTunes, paste that password in, and then make the purchase. So there are these extra steps that I choose to take, because I have a very savvy child who at the age of nine was trying to socially engineer me because she wanted a dollar dragon game, right? And the kids are very, very creative. Yes, they can be. Yeah, this is the child whose father regularly texts me and says, how can I keep Lila out of my computer? Well, we don't call her Darth Lila for nothing. So yeah, I mean, this is the choice I make, but I think that that has to come down to how secure you want to be. And I do realize that I am much more cautious than most people are. Well, once you've been burned, I think it changes your... Oh, man. Yeah, yeah. We'll just do this one last question that just popped in, because it does relate to what you were just talking about, because we're a little after 11 o'clock here in Lincoln. What about leaving yourself logged into apps on your mobile device, as long as your phone has a password set on the main screen? That's a really good question. And again, I think that that's kind of a question of how secure you want to be.
I don't stay logged into the apps on my phone, excepting the cheesy little city-building games that I'm playing and stuff like that, which are linked to a fake Facebook account so that I can play games. I'm just really hesitant about that, because when Dale was hacked and they took over his phone, and he has an iPhone, somebody took over his phone, they took control of it. And they were attempting brute-force attacks on my phone and my accounts. So no, I don't want to do that. I don't want to take that risk. But then again, people may not have the same sorts of experiences that I do. I just don't stay logged into anything. If I open Facebook in Safari, and I don't believe in the Facebook app whatsoever, I log out when I'm done, and I clear my history when I'm done using it. I'm particularly worried about Facebook, because I don't believe that Facebook values my privacy as much as I do. So depending on the app, or how important it is, or what its purpose is, I think that should dictate whether or not you stay logged in on your phone. It's another personal choice thing. OK, there are no extra questions left over. So I think we'll wrap it up. It's almost a quarter after 11, which is fine. We go as long as we need to here with any questions and issues that people have. So thank you very much, Jess. That was really good. Like I said, I've always wanted to use LastPass. And now I think I'm going to jump in and figure out how I can do it and get it set up for at least our home computers. I'm not sure how we'd do it here at my place of work. That's a whole other issue. Well, you can always set it up. If you set it up at home, you can always create a profile on your home one that you use at work. So you could at least do that on your own personal one. But there are so many different password managers. They're at least an answer for me. They're not an answer for everybody.
But it's good to get this info and at least the concept that you need to be paying attention to these kinds of things, for both your library's passwords and things. And also, I guarantee someone at your library, one of your patrons, will come in and say, oh my gosh, this happened to me. Help me. And at least now you know what you can do to help them. Cool, all right. Thank you. I'm going to pull control back now to my computer. There we go. So thank you very much, Jess. And thank you, everyone, for attending. Are we showing? Cool. All right. That will wrap it up for this morning's show. It has been recorded. It is being recorded. It'll be available later today sometime. And Jasmine, if you'll send me your slides at some point, or somewhere where you push them up, we can add them as well, whichever works for you. And so that wraps it up for this morning. Hope you join us next week, when our topic is Book Club Kit Reviews. Here at the Nebraska Library Commission, we do have our Book Club Kits for libraries across the state. So Lisa Kelly, who's in charge of our reference downstairs, along with a couple of other staff, Debra Dregos and Beth Goebel, are going to be going over some of the books that are in there. So you can see if you want to borrow any of those to hold book clubs at your library. So sign up for that. If you are a Facebook user, we are on Facebook; Encompass Live is. So you can go to our Facebook page, and if you like us there, you'll get notifications of when new things are happening, when the shows are recorded, when it's this morning, when we're reminding people to log in today to the show, so you can keep up with us on Facebook as well. So that will wrap it up for today. Thank you very much, everyone. And we will see you next time on Encompass Live. Bye-bye.