I just sat down with several of my family members and gave them The Talk: how someone might call pretending to be me, and how to recognize and filter out voice and AI phishing. Deviant and I have been getting family onto password managers to handle the more sophisticated attacks that are starting to pop up. Getting everyone onto password managers for everything is important but not urgent, which is why it has slipped on my todo list for literally years; I also figured it would take time and emotional energy to get family to operate differently. The juice is finally worth the squeeze to protect them all.
A random access memory gave me a good idea about how to start that conversation: a single word. Many of us had a family password when we were little. Ours is still burned into my brain right alongside the phone number and address I learned as a toddler. My parents could still use it today and I would know it was OK to get in a car with someone they sent. Start with that as a baseline.
If it seems overwhelming to start the conversation with family members, especially aging ones, about how to protect their financial assets and personal data, and why password managers are the best way to do that now, you can open instead with how AI vishing is growing extremely sophisticated and how you want to help them avoid it. Your cost for incident response after a real breach, where multiple family members' passwords to all of their financial accounts are compromised, is going to be a devastating, months-long trauma for them and for you: you will not only be helping them recover, you will also be coping with their frustration and fear. It's an *awful* IR scenario. We have mostly been fortunate enough to escape it so far, but I know friends who waited just a bit too long to start training family on online security and have seen finances, relationships, and futures irreparably damaged. This is important, but it often gets backburnered. Start making the time now, while you still have their trust and a little slack.
A few technical lessons I learned from this process. First, don't assume anything without a screen-share session. One family member had a bad experience with 1Password that they hadn't told me about: they grew frustrated typing in the long random passwords and stopped using it in favor of Google Chrome's built-in password manager, without understanding how it was storing duplicate or weak passwords. I hadn't explained how to use 1Password on both a phone and a computer, and I had assumed they knew how to install the extension from the Chrome Web Store, and so forth. Don't assume your family knows how to use a password manager. If you're going to do this, walk them through installing 1Password on both a phone and a computer (including the browser extension), and explain how the vault syncs between those devices through the cloud.
Next, explain carefully that there's a difference between using the same password everywhere and using a single master password to unlock a vault that stores a unique password for every site. I have explained it as the difference between one key that only you hold, which opens a key cabinet full of separate keys, and using the same physical key for your office, car, and house. With separate keys, if someone steals the key to one of your possessions, at least they haven't stolen the key to *everything*.
Follow up. Follow up. Follow up. Check back in with them quarterly, ask them to show you how they're doing, and ask whether they are having problems in any browser. Check the multifactor authentication on their email every time. Spend fifteen minutes a quarter for the rest of their lives; it'll be worth it. Talking about it now helps, because in an emergency, with no context, it is going to be very hard for family to process that you are the more experienced one with technology and should be trusted. They'll remember only that they wiped your nose and made your lunches. There are plenty of globally recognized, brilliant 45-year-old cardiothoracic surgeons whose parents will go to literally any other doctor, including a chiropractor or a dentist, before their own kid when they get chest pains. Start building the trust and the conversation now, because the only thing worse than getting the IR call in the middle of the night is not getting it until someone else has royally screwed up the initial response.
Remember that family password? Think about it right now. Ask your family if they remember it, and I bet they do. I have a tall stack of hundred-dollar bills that says they *never* reused that password for anything else. Those family passwords were precious enough that people kept a single word or phrase they never, ever reused for something as trivial as a bank account or an email password, and they will instinctively understand that their vault password has to be guarded as carefully as the family password they used when trusting a stranger with their children. It's the most powerful security analogy I know; if it will help you, use it.