Why Are We Still So Lazy with Passwords?

Let’s face it, the Internet provides an amazing convenience to citizens worldwide. As we have seen, though, it has also brought an increasing number of vulnerabilities, and they continue to come our way. Daily we hear about hackers and cyber criminals, the Eastern Bloc cyber mafia, ransomware, and the never-ending discussions on malware and viruses. How about the recent Ashley Madison hack and exposure of client accounts, passwords, etc.? People are even now hacking for moral good. It never ends.

Even with all of this, one thing that still has not changed is the careless management of, and attitude towards, the easily compromised PASSWORD. I was shocked to see and hear that with the Ashley Madison hack, the passwords people were using on accounts for their ‘secret lives’ were not so secret or hard for a hacker to figure out.

The attitude of “it won’t happen to me” or “I am protected” is putting people at risk. This attitude could not be further from the truth. Everyone is at risk, and although there will never be 100% safeguards, at least start with the basics and manage your passwords appropriately.

When someone is ‘hacked’ (more formally known as compromised) and their account is being used to send SPAM, it is very annoying to everyone receiving the SPAM and takes effort by you to clean things up and resolve the issue (a future post will give suggestions here). If, however, the ‘hack’ goes as far as you having your identity stolen, I can assure you that your attitude towards passwords would be very different. It could take years to recover from such a personal breach. If you do ANYTHING on the Internet that uses any kind of personal information, you are at risk, so protect yourself accordingly.

There are many websites, books, and other resources that can offer suggestions and tools for creating and managing passwords effectively. But for the sake of simplicity, I would like to offer up one effective way to come up with a strong but easy-to-remember password that will reduce your risk immediately. The idea is to take an actual easy-to-remember phrase and turn it into a password.

Here is an example using the phrase: “Italian coffee at 6AM tastes good”

Here is the password I came up with from this phrase: iC@6aT:g

italian Coffee @ 6aM Tastes : good

Note that I have added in some ‘special characters’, which are often required for a strong password, and I have used a combination of uppercase and lowercase letters. The password is also 8 characters long, which again is a good ‘minimum’ best practice and is often required for many passwords anyway. The use of “!”, “@” and “:” is not the best because those are the most common; however, when combined with the method above it does help in strengthening your password.

A few more examples:

Bring me 2 muffins for breakfast! = Bm2:m4B&

Please don’t let me have 2 desserts = pDlm#H2d

I rode my bike 7 miles Friday = iRmB:7mF

Note that by using this simple method you are creating a very strong password that: a) contains no words, b) meets most strong password requirements and c) is easy to remember. I recognize that it may take a ‘little’ bit of effort to come up with these passwords, but I can assure you that the effort you put into it is MUCH less than the effort that you will have to put into recovering your life if your identity is stolen.

Another thing to be aware of is that some sites do not allow the use of special characters. This really makes no sense; however, it is a reality. In that case I would suggest using the same method as above with a mix of upper and lower case or, if the site allows for long passwords, try adding a number of words together that don’t really make sense.

Examples:   moneystarhippocar    loosebananafortalive
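As an added example (not part of the original post), this Python sketch checks the sample passwords above against the post's criteria (minimum length, mixed character classes, no embedded words) and gives an upper bound on guessing effort. The small word list and the 7776-word list size are constructed assumptions.

```python
import math
import string

# Constructed sample word list (assumption); a real check would load a full dictionary.
SAMPLE_WORDS = {"money", "star", "hippo", "car", "loose", "banana",
                "fort", "alive", "coffee", "muffins", "bike"}

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "special": len(string.punctuation)}  # 32 ASCII symbols

def char_classes(pw):
    """Return the set of character classes that appear in pw."""
    found = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        elif ch in string.punctuation:
            found.add("special")
    return found

def embedded_words(pw, words=SAMPLE_WORDS):
    """List dictionary words hidden inside pw, ignoring case."""
    lowered = pw.lower()
    return sorted(w for w in words if w in lowered)

def brute_force_bits(pw):
    """Upper bound: length * log2(alphabet), as if every character were random."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def wordlist_bits(n_words, list_size):
    """Bits for n_words drawn at random from a list of list_size words."""
    return n_words * math.log2(list_size)

def review(pw, min_len=8):
    """Check pw against the post's criteria: length, mixed classes, no words."""
    return {"long_enough": len(pw) >= min_len,
            "classes": sorted(char_classes(pw)),
            "words": embedded_words(pw),
            "max_bits": round(brute_force_bits(pw), 1)}

if __name__ == "__main__":
    for pw in ("iC@6aT:g", "Bm2:m4B&", "pDlm#H2d", "iRmB:7mF",
               "moneystarhippocar", "loosebananafortalive"):
        print(pw, review(pw))
    # Four words from an assumed 7776-word list, for comparison with 8 characters
    print(round(wordlist_bits(4, 7776), 1))
```

The bit figures are ceilings: a password built from a memorable phrase, or words picked by a person rather than at random, is more predictable than the number suggests.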

A final note on this topic: it goes without saying that you should not use the same password for every site you register for, and you most definitely should never use your email password as the password for a website that uses your email as the username or login ID. Doing this puts you at significant risk if your email account is hacked because once the hacker is in, they can find out where you spend your time pretty easily and will likely figure out who you bank with, your online shopping account names, and much more. That will be the topic of a future post.

The Requirement for “Government Issued Digital ID”

“It is imperative that governments world wide recognize that it is their fiduciary responsibility to take on the management and governance of Digital Identities in the evolving global economy.”  ~ Jamie Glennon

Yes, I said it out loud. I have many times before and I will many times again. It is a statement that could and should create an interesting discussion depending on whom it is that I am talking to and their view or understanding of what ‘Digital Identity’ is.

This of course is not meant to be a technical statement, meaning that governments do not need to build the systems themselves in order to enable this. It does mean, however, that they need to invest in services that allow citizens and businesses to prove who they are with a high degree of confidence on the Internet. They must put these services in place to help citizens protect themselves from their worst enemy: themselves.

In the physical world, the government is responsible for providing citizens “Government Issued ID”. Governments globally make large investments that ‘enable’ citizens to prove who they are at local, national and international points of contact. The organizations that want to provide services to citizens use standard and well-known processes to accept the government issued ID, and they make the investments in services and infrastructure to support that. For the most part, of course, this is in the form of training people and incorporating the identity proofing into their business processes. This allows them to be compliant with the rules and regulations put in place by the government organizations that issue the ID.

In this context, when a citizen must prove who they are with their government issued ID to a company providing services, that company is under a strict set of rules and laws on what they are allowed to do with that personal information. Part of that process is to have the citizen ‘consent’ to them actually collecting that information and ‘consent’ to what it is the company is going to do with it.

In simple cases it may be quite harmless and the personal information may just be used for reference purposes. The company may need an address for correspondence or to be able to differentiate you from another person for billing purposes. In other more complex situations there are stricter guidelines when a person is seeking to access more sensitive information such as personal health or financial information.

These types of rules and regulations also exist in the Digital World, but the problem is that most people haven’t got a clue what is being collected and what they are agreeing to. When you provide your personal information to a bank or medical office at their office with your government issued ID, their staff are typically mandated to explain to you what they will do with the information and ask for your consent to do what they explained. They may even have you sign a piece of paper stating that you agree to providing it and may ask you if you have questions. This interaction and the piece of paper help them, if they are audited, to prove that they are in compliance with those rules and laws.

The same goes for any information that is collected about you by a department within the government. One government organization cannot share your personal information with another one without you saying it is okay. In rare cases where they have the legal right to do so (e.g. in a criminal investigation or in situations where social services or mental health are involved) it may be allowed, but it is not common. These government organizations are mandated and often motivated to be compliant with the rules and protect your information.

This is very different than what happens in some commercial settings, and more specifically the Digital World where electronic commerce and social media intersect. Those two domains can be quite confusing to the average person and quite frightening if you were to realize how tightly linked the two are. That topic will be the basis of a future entry, or even multiple entries.

Much like in the physical world, the Digital World involves providing services to citizens, but of course there are no traditional human interactions. If a company wants to do business on the Internet and needs to know who their clients are, they must make the investment in the technology, services and education to support this. They must also be compliant with the rules that are in place that govern these interactions. These include similar, if not the same, laws and regulations as in the physical world. The problem that arises here, though, is that while in principle these things seem to be the same, there are different motivations and the rules can be easily broken, or more specifically ‘bent’ in the favour of the company doing the business.

For the most part, there is no way for a citizen to provide that government issued ID in any way similar to that in the physical world, where a clerk at a service counter can look at the ID, validate it, and record the personal information required. This in turn puts the company providing the service at risk of being the victim of fraud or having invalid information, it puts the citizen at risk of being victimized through identity theft or error, and it puts an overall weakness in the fabric of the Digital Economy.

To resolve this, governments must evolve the notion of government issued ID to the Digital Economy. It is imperative that governments worldwide recognize that it is their fiduciary responsibility to take on the issuance and governance of Digital Identities in the evolving global digital economy. Governments must work with citizens and industry to create universally accepted policies, processes, procedures and services to support this, with the result being a Government Issued Digital ID.

This of course does not come without some heavy lifting, including changes to long-standing policies and standards that have been implemented worldwide. But with the Digital Economy growing at a rate of 8-10% annually, it is a mandatory requirement of governments worldwide, in order to avoid a collapse in the Global Economy if the infrastructure is not there to support it.

It will be a while before a Government Issued Digital ID will replace the current systems, processes, rules and policies we have in place today. That said, governments worldwide must immediately begin the process of moving forward with this in a meaningful way in the interest of their citizens and to support the businesses that drive the economy in their respective jurisdictions.

Government Issued Digital Identification will provide an incredible amount of service delivery value for both commercial and government organizations while simultaneously protecting the citizen and providing them control of their personal identity information.

Welcome to Safe Identity Canada


Safe Identity Canada is an organization with a mandate to work with government organizations, service providers, commercial corporations and Canadian citizens to safely and securely enable the Digital Economy.

Currently the digital economy is growing at a rate of 8% annually within G-20 countries and is expected to represent USD$4.2 Trillion in online commerce in 2016. This is outside of the scope of other services that continue to grow at extremely high rates that don’t impact revenue within this region. Canada continues to be one of the most evolved economies worldwide with respect to consuming services online and access to high quality internet services.

Over 90% of Canadians have access to high speed internet services. Initiatives like “Digital Canada 150” will continue to enable more and more Canadians to access high value services in convenient ways from their homes and mobile devices. With this convenience, however, comes the concern about security, privacy and identity theft.

Safe Identity Canada is working closely with all levels of government across Canada to design, develop and manage services that store, move and manage personal identity information.

Safe Identity Canada is acting in the best interest of enabling safe, secure and privacy enhancing use of citizen personal identity information. Our mission is to put the citizen in control of their personal identity information and work with governments and commercial organizations to provide the tools and services that enable that.

In the commercial setting, Safe Identity Canada is developing programs and services to work directly with commercial organizations such as financial institutions and telecommunications service providers to ensure that the services that they deliver can capitalize and utilize the privacy enabling services being put in place by the various Provinces and Federal Government.

For the citizen, Safe Identity Canada provides educational material, services and seminars that allow citizens to gain a better understanding of the use of their personal identity information in the Digital Economy. Our seminars explain how to manage the risk associated with your personal identity information on the Internet while also separating fact from fiction in a practical way and explaining what can be a very puzzling and confusing thing to many.

Currently there are very few controls in place for citizens to effectively manage their personal identity information, which is scattered all over the internet. This is what creates the vulnerabilities that lead to identity theft. This is also the reason that governments worldwide are moving to put in place regulations, controls and services to help protect the citizens in their respective countries. Canada is a thought leader in this space and well recognized internationally for being conscious of balancing citizen privacy with convenience. This is evident in the new identity services that are evolving for the citizen.

Safe Identity Canada’s mandate is to:

  • Educate and enable the citizen in the Digital Economy with respect to the use, management and control of their personal identity information
  • Work with governments at all levels in Canada and internationally to enable privacy enhancing solutions that allow citizens to safely and securely perform services online with the same confidence they do in the ‘physical world’
  • Work with financial and telecommunications service providers and both government and commercial organizations to provide services to citizens that capitalize on the new identity, authentication and security solutions that are being put in place by government organizations to help citizens avoid identity theft in the online setting and be provided with convenient high value services.

Safe Identity Canada has extremely close connections to the government organizations that are working to help citizens protect themselves yet capitalize on the convenience of this modern Digital Economy. We are part of the working groups and national organizations creating the policies, standards, architectures and services to enable the citizen.

Putting the citizen at the centre and in control of their personal identity information.

info@safeidentitycanada.com
