Hi, I'm Allison Sheridan of the NosillaCast podcast. I'm here today to try to explain why it's important to have strong, complex, and unique passwords on the internet. You might think that you're going to get hacked eventually anyway, so what does it matter how strong your password is? But that's actually not necessarily true. If you're a security expert, you are going to think that I have completely oversimplified the encryption process. I have done that intentionally in an attempt to make this complex subject accessible to normal human beings. Every day we see articles on how passwords got hacked, exposing bank accounts, personal information, private photographs, and credit card numbers. This seems to happen all the time, and it does seem inevitable that we will all have our passwords hacked at some point. I'd like to show you, though, that it might not be inevitable, and how having strong, unique passwords could keep your accounts from getting hacked. Let's start by looking at the top passwords. These passwords have a lot in common. They're short. They use either all letters or all numbers. They don't use any uppercase letters, and they don't have any special characters or punctuation in them like asterisks or commas. They might be easy to remember, but they're not very good passwords. Now hopefully you don't recognize your own in this list, but let's pretend for the sake of this exercise that you have the password "monkey", and we'll walk through how hackers can figure that out. We're going to start by going to an unimportant junk site. We'll call it gimmefreestuffnow.com. You set up an account with the email username bobsuruncle@mac.com and you choose the password "monkey". The good news is that gimmefreestuffnow practices very good security to protect your passwords from prying eyes. They take your password "monkey" and run it through an encryption algorithm.
Encryption algorithms are tools that take your plain-text password and essentially mash it up until it looks like gibberish. If you put the word "monkey" into the algorithm, it always spits out the exact same gibberish. It's actually much more complex than what I've shown here, but for simplicity we're going to keep it short and represent it the way I've got it shown. In future charts, keep your eye out for the gibberish that ends in "dot comma 89". While the encryption algorithm is well known, and we know what comes out when we put specific words in, it only works in one direction. It's a one-way thing. Think of it like mashing a potato: you can take a whole potato and mash it, but you cannot un-mash it. This is probably the most important point to remember from this presentation. Hackers break into the gimmefreestuffnow servers and download all of those encrypted passwords. As you can see, all they have is a giant pile of gibberish, so you should be safe, right? Remember, they cannot send these encrypted passwords backwards through the algorithm and figure out what your password is. Now comes the ingenious part. Over the years, hackers have been assembling what they call dictionary files. They've put into the dictionary files every single word in the dictionary and every common combination of those words. Now, it used to be that you could make a better password by simply replacing the O's in a word with zeros, or the E's with threes, or the L's with ones. I'm afraid the dictionary files also include all of those common words and phrases with those kinds of substitutions in them too, so it isn't good enough to have a password that just has those substitutions. You've got to realize by this time that these dictionary files must be massive, and they are. Remember I said that the encryption algorithms are well known?
The hackers have run all of these dictionary files through the encryption algorithms and created an encrypted version of the dictionary file: basically, a pile of gibberish on one side that represents all of the words they shoved in on the other side. They only have to do this once, and they have shared these files with each other. Isn't it nice that they share like that? Notice that in the left column, the dictionary file, we can see our password "monkey", and in the encrypted dictionary file on the right we can see that it turns into that gibberish we saw before, ending in "dot comma 89". This means that if they find the gibberish ending in "dot comma 89" in the encrypted password file they stole from gimmefreestuffnow.com, they now know you used the password "monkey". But so what? We said this was a junk site. You didn't care about this site anyway. It's a throwaway account. It's not like it's your bank, right? Well, the last step is the fun part for them. Now they go to all the sites you really do care about and try your username and password combination at places like, I don't know, bankofamerica.com, chasebank.com, bankoflondon.co.uk. You can see that you have two problems here: you've got a poor password, and you've used it in more than one place, which is what we all did in the past. You might think this can't happen to you, but it happened to me. Let me walk through the story of exactly what happened. Many years ago, a site called Gawker Media got hacked. I'd gone to that site one time and wanted to comment on a post, and I needed to create an account. I entered my email address and my daughter's middle name as a password. I might have put a one in place of the I, but nothing more complicated than that. This was a junk site I didn't really care about, so I used the password that I used on all the junk sites. Well, Gawker got hacked, and the hackers went around the internet trying the username and password combinations they had found in the dictionary files.
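The mechanism the two paragraphs above describe, as an added example that is not from the talk or its slides: what the talk calls encryption is, more precisely, a one-way hash, and the "encrypted dictionary file" is a lookup table from hash back to word. The block below builds that table over a small constructed word list (including the 0/3/1 substitutions the talk mentions), matches it against a constructed stolen password file in which bobsuruncle@mac.com used "monkey", and then shows the defense the talk does not get to: a random per-user salt plus a slow hash (PBKDF2) means the same password produces a different stored value for every user, so no table computed in advance can contain it. The word list, the usernames other than bobsuruncle@mac.com, and the passwords other than "monkey" are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed toy "dictionary file". A real one holds many millions of words,
# phrases and combinations; six words are enough to show the mechanism.
BASE_WORDS = ["monkey", "password", "dragon", "letmein", "sunshine", "hello"]


def leet_variants(word):
    """Yield the word plus the substitutions the talk mentions (o->0, e->3,
    l->1) and a couple of other spellings a dictionary file would also carry."""
    yield word
    yield word.translate(str.maketrans({"o": "0", "e": "3", "l": "1"}))
    yield word.capitalize()
    yield word + "1"


def fast_hash(password):
    """What the talk calls the 'encryption algorithm': a plain, unsalted
    SHA-256 digest. Same input always gives the same output; it cannot be
    run backwards, but it can be looked up in a table built in advance."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_hashed_dictionary(words):
    """The 'encrypted dictionary file': digest -> word, computed once and
    reusable against every stolen file that used the same unsalted algorithm."""
    return {fast_hash(v): v for w in words for v in leet_variants(w)}


def recover_passwords(stolen, hashed_dictionary):
    """Match each stolen digest against the precomputed table. Nothing is
    reversed; a hit only means the same word was hashed ahead of time."""
    return {user: hashed_dictionary[d]
            for user, d in stolen.items() if d in hashed_dictionary}


# Constructed "stolen password file" from the junk site: username -> unsalted
# digest. bob and alice used dictionary words; carol used a long unique one.
STOLEN_UNSALTED = {
    "bobsuruncle@mac.com": fast_hash("monkey"),
    "alice@example.com": fast_hash("m0nk3y"),
    "carol@example.com": fast_hash("correct-horse-battery-staple-2013!"),
}

# --- the defense the junk site should have used: per-user salt + slow hash ---

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def salted_hash(password, salt=None):
    """Return 'salt$digest'. The salt is random per user and is NOT secret; its
    job is to make every user's digest unique, so no table built in advance
    can contain it. The iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_hashed_dictionary(BASE_WORDS)
    print("recovered from unsalted file:", recover_passwords(STOLEN_UNSALTED, table))
    bob, alice = salted_hash("monkey"), salted_hash("monkey")
    print("same password, different stored values:", bob != alice)
    print("salted digest found in precomputed table:", bob.split("$")[1] in table)
```

Running it recovers "monkey" for bob and "m0nk3y" for alice from the unsalted file, while carol's long unique password is not in the table and stays unknown. With the salted scheme, bob's and alice's stored values differ even though both chose "monkey", and neither digest appears in the precomputed table; an attacker would have to start from scratch per user, at 600,000 iterations per guess.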
They eventually tried Skype, where I had used that same username and password. I didn't think that would be a big deal, though. I didn't care much about my Skype name anyway, but I forgot that I had authorized Skype to auto-load money from my PayPal account whenever I ran out of money on Skype. In the two hours I was gone to the gym one day, hackers made $140 in phone calls on my account to India. So yeah, this does happen. Now, you and I can't possibly hope to remember all of the long, complex, and unique passwords we would need to stay safe on the internet. There is a solution to this, and it's to use a password manager. There are two really good ones out there right now: 1Password from agilebits.com and LastPass from LastPass.com. I can highly recommend both of these applications. If you'd like to ask me any further questions about this topic or about using a password manager, please send me an email at allison@podfeet.com, and I hope you'll take a look at my podcast, the NosillaCast, while you're there.