Should your family have a secret password?

by Black Hat Middle East and Africa

Welcome to the 130 new cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA stages.


This week we’re focused on…

Family passwords. 

We wrote about misinformation and disinformation on the blog this week – the World Economic Forum's Global Risks Report ranks them as the most severe global risk over the next two years. 

False information is also a very real threat to individuals. Voice cloning and deepfake scams are increasingly common, a few seconds of audio lifted from a social media video is enough to clone a voice, and a phone call that sounds exactly like your favourite aunt could lead you into trouble. 

A secret password, known only to your close family members or most trusted friends, gives you a way to check that the person on the line is who they sound like, and could help protect you and your loved ones from impersonation attacks. 

The FBI is encouraging secret passwords 

In December 2024 the FBI published a public service announcement on criminals using generative AI in financial scams, and advised people to agree a secret word or phrase with their family so they can verify each other's identity over the phone. 

In the UK, digital-first bank Starling has already published guidance helping its customers agree 'safe phrases' with family and friends to protect against voice-cloning and WhatsApp impersonation scams. 

And child protection charities around the world have been encouraging families to introduce safe words with their children to safeguard against online scams in which threat actors pose as a parent or trusted relative. 

When would families use a password? 

There are a wide range of scenarios in which a secret family (or friend group) password could come in useful. 

For example…

  • Your mother calls you and says her car has run out of fuel and she’s got no funds in her current account – she asks you to transfer the money for fuel. You ask her for the password before you send her the funds.
  • Your kids are at a friend’s house, and someone other than you arrives at the front door to collect them. Your child wasn’t expecting this person – so your child asks them for the password. If they know it, your child has good reason to believe you sent them. If they don’t, your child stays put.
  • Your nephew calls you, crying and in a state of panic. They say they’ve been kidnapped or arrested or they’ve been in an accident, and they need money. You ask for the password – if they can say it, you jump into action. If they can’t, or they try to talk you out of asking, you’re aware that this panicked call could be an AI clone.
  • Your older child calls you in the middle of the night asking you to transfer them money to get a taxi home. You ask them for the password so you can confirm the caller really is your child, not a scammer. 

In every case the person making the request supplies the password, and the person verifying never says it first, never reads out a 'hint', and never confirms a near-miss. A caller who can’t produce it but wants you to say it is fishing for the secret itself. 

What makes a good secret password?

Some families have been using passwords and phrases since the 1990s, or earlier, to add a layer of protection – mostly for their children. 

Today, this simple tactic can still be effective – and with the rise of AI-powered scams, the use cases for a family security strategy are growing.

So how do you make a good one? The usual best practices of cybersecurity apply: 

  • Make sure it’s not obvious. No birthdays, pets’ names, birthplaces, street names; definitely nothing that might be found on social media or shared elsewhere online.
  • Make it unique. Don’t use passwords you also use online.
  • Make it memorable. There’s no point in agreeing a password with your kids or grandparents if they won’t be able to recall it easily under stress. Keep it short and simple.
  • Never write it down anywhere, or even allude to it. That includes jokes referencing your password in text messages – just don’t use it or talk about it unless you need to.
  • Revisit it regularly. Once you’ve got a family password in place, check in now and then with the people who need to know it – when you’re together (with no one else in the room), just prompt them to recall the password.

But remember: a password isn’t totally foolproof. In stressful situations, our brains don’t always work the way we expect them to, and we can forget information. If your nephew can’t recall the password when he’s panicked on the phone, it isn’t absolute proof of a deepfake – just a reason to hang up, call him back on the number you already have for him, or confirm his whereabouts with another trusted person from a different device. And treat it like any other credential: if it is ever spoken to a caller who turns out to be a scammer, overheard, or typed into a message, agree a new one. 

Could organisations do this? We want to know what you think 

AI-powered social engineering attacks are on the rise. So could organisations find a way to introduce company-wide passwords to protect against deepfakes that leverage trust – for example, a cloned voice of the CEO persuading an employee in finance to transfer funds to an external bank account? 

The differences between a family sharing a secret password and an organisation attempting to do the same are obvious: 

  • People come and go from organisations regularly, so a shared secret has to be rotated every time someone leaves
  • You never know whether an employee is a threat actor themselves, or is sharing information externally, whether maliciously or not

But between small groups there’s potential for secret passwords to help prevent people from falling victim to social engineering scams; for example, a senior-management-team-only password that’s changed regularly. 
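The 'changed regularly' senior-management password above raises a practical question: how does a small group rotate a spoken secret without having to redistribute it every time? One approach, added here as an example and not the newsletter's, the FBI's or any bank's scheme, is to agree one random seed once, in person, and derive each day's code from it with HMAC-SHA256 over the date, mapping the output bytes to a short wordlist so the result can be read out over a phone. The wordlist, seed and date below are constructed for illustration; the `code_for_day`, `verify_spoken_code` and `demo` names are this example's own.

```python
"""Rotating verbal verification code for a small team.

Added example, not Black Hat MEA's code. Assumes the team shared one random
seed in person and keeps it off every device except the one that computes
today's word. Wordlist, seed and dates are constructed for illustration.
"""
import hmac
import hashlib
from datetime import date, timedelta

# Constructed 64-entry wordlist: short, distinct, easy to say over a phone.
# 64 divides 256 exactly, so `byte % 64` selects words without modulo bias.
WORDLIST = [
    "amber", "anchor", "apple", "arrow", "badge", "basket", "beacon", "bridge",
    "button", "cactus", "camera", "candle", "canyon", "carpet", "castle", "cherry",
    "circle", "cloud", "cobalt", "comet", "copper", "cotton", "cradle", "crystal",
    "dagger", "desert", "dolphin", "dragon", "eagle", "ember", "engine", "falcon",
    "feather", "forest", "galaxy", "garden", "glacier", "hammer", "harbor", "helmet",
    "island", "jacket", "jungle", "kettle", "ladder", "lantern", "lemon", "marble",
    "meadow", "mirror", "nectar", "oasis", "orbit", "pebble", "pepper", "planet",
    "quartz", "ribbon", "river", "saddle", "silver", "summit", "tulip", "violet",
]

WORDS_PER_CODE = 3   # 64**3 = 262,144 possible codes per day
SKEW_DAYS = 1        # accept yesterday's code around midnight and across time zones


def code_for_day(seed: bytes, day: date, n: int = WORDS_PER_CODE) -> str:
    """Derive the day's spoken code: HMAC-SHA256(seed, ISO date) -> n words."""
    assert len(WORDLIST) == 64, "wordlist must have 64 entries for an unbiased byte mapping"
    digest = hmac.new(seed, day.isoformat().encode(), hashlib.sha256).digest()
    return " ".join(WORDLIST[b % len(WORDLIST)] for b in digest[:n])


def normalise(spoken: str) -> str:
    """Ignore case and spacing differences in what the verifier heard."""
    return " ".join(spoken.lower().split())


def verify_spoken_code(seed: bytes, spoken: str, today: date,
                       skew_days: int = SKEW_DAYS) -> bool:
    """Check a code the caller read out.

    The verifier never says the code first; they only compare what the caller
    supplied. Yesterday's code is accepted to tolerate clock skew, anything
    older is rejected.
    """
    heard = normalise(spoken).encode()
    for delta in range(skew_days + 1):
        expected = code_for_day(seed, today - timedelta(days=delta)).encode()
        if hmac.compare_digest(expected, heard):
            return True
    return False


def demo() -> dict:
    """Run the scenario on constructed inputs and return the outcomes."""
    seed = bytes.fromhex("3f1a9c2e7b4d8a6f0e5c1b2a3d4e5f60")  # constructed, shared in person
    today = date(2025, 2, 3)
    code = code_for_day(seed, today)
    return {
        "code": code,
        "accepts_today": verify_spoken_code(seed, code, today),
        "accepts_case_and_spacing": verify_spoken_code(seed, "  " + code.upper() + " ", today),
        "accepts_yesterday": verify_spoken_code(
            seed, code_for_day(seed, today - timedelta(days=1)), today),
        "rejects_two_days_ago": not verify_spoken_code(
            seed, code_for_day(seed, today - timedelta(days=2)), today),
        "rejects_other_seed": not verify_spoken_code(b"some other team's seed", code, today),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Everyone holding the seed computes the same three words offline, so nothing is sent over the channel an attacker might be on, and a leaver is handled by agreeing a new seed rather than by hoping nobody told them today's word. What it does not solve is the page's own objection: an insider, or a phone with the seed on it in the wrong hands, produces valid codes, and a convincing deepfake that gets a real manager to read the code out loud defeats it too.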

We want to know what you think. Open this newsletter on LinkedIn and tell us your perspective in the comment section: could organisations implement verbal passwords to protect against AI cloning and deepfake attacks? 


Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 9 February 2025.

Catch you next week,
Steve Durning
Exhibition Director

Join us at Black Hat MEA 2025 to grow your network, expand your knowledge, and build your business.
