

401 Access Denied Ep.01 | Busting Password Myths


With World Password Day upon us, individuals of all backgrounds and varying levels of cybersecurity hygiene are confronted with the same question: are my current personal (or corporate) security measures enough? This episode takes listeners through best practices, horror stories, debunked myths, visions of a passwordless future, common misconceptions, and just how hard passwords really are to crack.

Topic: Everything passwords with World Password Day upon us
Hosted by: Mike Gruen, Joseph Carson
Length: 34 minutes
Released on: May 6th, 2020

In this very first episode of the 401 Access Denied Podcast, Mike Gruen, CISO at Cybrary, and Joseph Carson, Chief Security Scientist at Thycotic, exchange their views on passwords, password best practices, and much more.

For most people, passwords are the leading source of cyber fatigue. Joe walks through the history of passwords and notes that the number of passwords a user has to remember has grown large. He points out that password reuse is what turns most people into victims of cybercrime; Mike adds a related bad habit he has seen, predictable patterns across a user's passwords (for example a season plus a year that changes at each forced rotation). Remembering that many unique passwords is not feasible. Writing them down is acceptable only if the notebook is kept in a secure location; the better option is a password manager, and Joe lists the key features to look for when choosing one. Least privilege is hard to leave out of any discussion of secure authentication and authorization, and the two share stories from their past where least privilege would have prevented costly accidental mistakes. They also caution that companies which treat Single Sign-On as a security measure are mistaken: SSO reduces password fatigue, but it should be paired with additional authentication factors and auditing rather than relied on for security.

The end of passwords is nowhere near, and the claim that biometrics will replace them is a myth: a biometric is not a secret. Joe explains how biometrics act as a strong identifier and might replace usernames instead. We are moving towards less interaction with passwords, which gives cybercriminals fewer opportunities to capture them through phishing and malicious sites. Mike and Joe close by addressing best practices for creating and managing passwords, such as favouring length over complexity, avoiding forced rotation, and using system-generated passwords. As a final note, Joe reminds us that passwords must be used wisely and are not going away.
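The password-hygiene points the episode keeps returning to (length beats complexity, seasonal rotation patterns and small variations of the previous password are guessable, never reuse a breached password, let the system generate passwords) can be turned into a concrete policy check. The Python below is an added example written for this page; it is not code from the podcast, its hosts, Cybrary or Thycotic. The breached-password set is a constructed stand-in for a real breach corpus, and the 12-character minimum and edit-distance threshold of 2 are assumptions chosen for illustration.

```python
"""Password policy checks: length over complexity, plus rejection of
predictable rotation patterns and near-duplicates of the previous password.
Added example for this page; not code from the podcast or its hosts."""
import math
import re
import secrets
import string
from typing import Optional

# Season-plus-year rotation pattern (fall2019, Spring20, Summer2020!).
SEASON_PATTERN = re.compile(
    r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*]*$", re.IGNORECASE
)

# Constructed sample of breached passwords; a real deployment would consult
# a full breach corpus (assumption: this tiny set is only for illustration).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12        # assumption: policy minimum used for this example
MAX_EDIT_DISTANCE = 2  # assumption: "small variation" threshold


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet).
    Sixteen lowercase letters (~75 bits) beat eight characters drawn from
    all 95 printable ASCII symbols (~53 bits): length matters more than
    complexity rules."""
    return length * math.log2(alphabet_size)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch fall2019 -> fall2020 style variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: Optional[str] = None) -> set:
    """Return the set of policy violations; an empty set means accepted."""
    problems = set()
    if len(candidate) < MIN_LENGTH:
        problems.add("too_short")
    if candidate.lower() in BREACHED:
        problems.add("breached")
    if SEASON_PATTERN.match(candidate):
        problems.add("rotation_pattern")
    if previous is not None and (
        levenshtein(candidate.lower(), previous.lower()) <= MAX_EDIT_DISTANCE
    ):
        problems.add("variation_of_previous")
    return problems


def generate_password(length: int = 20) -> str:
    """System-generated password from the OS CSPRNG, which the episode
    recommends over letting humans pick their own."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"8 chars x 95 symbols : {keyspace_bits(8, 95):.1f} bits")
    print(f"16 chars x lowercase : {keyspace_bits(16, 26):.1f} bits")
    samples = [("fall2019", None), ("Summer2020!", "Summer2019!"),
               ("correct horse battery staple", None)]
    for cand, prev in samples:
        print(f"{cand!r} -> {sorted(check_password(cand, prev)) or 'ok'}")
    fresh = generate_password()
    print(f"generated {fresh!r} -> {sorted(check_password(fresh)) or 'ok'}")
```

The edit-distance check is what catches the "fall2019, then spring20" habit Mike describes: a rotation that only bumps the year is within two edits of the old password and is rejected even when it passes the length and character-class rules.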


Mike: Welcome Joe back again. Today, we're going to be talking about passwords and authentication and authorization.

Joe: Absolutely. It's a pleasure to be here. This is one of my, probably most passionate areas. It's been one of my pain points for many, many years, and it's something that, you know, I've been researching a lot on. I've been looking into different ways, technologies and innovations to try and really, you know, reduce the pain just that little bit further. Because passwords today, while they are, you know, our way to access things, are also one of the most challenging and painful things. And that's actually, for most people, probably one of the biggest causes of cyber fatigue for employees and people around the world.

Mike: Yeah, I agree, and passwords are one of those things that I'm super passionate about. And I think probably a great place to start would really just be like, what are we talking about? Like, what do we mean by passwords? And what does that encompass?

Joe: Absolutely. I mean, one of the things I always look at, I'm a person, you know, I'm very embedded in the digital world. And I always look at things digitally, but for me, one of my things, you know, through my education, the way I've always looked at things is to try and see it: what does that look like in the physical world? And that's why when you go to events, that's where you see people passionate about things like lockpicking, because lockpicking is really that essential. Once you see it in a physical sense, it helps you adapt that to understand it better in the digital world. So passwords, I mean, passwords have been around for centuries. They are nothing new. In the past they used to be called passcodes or passwords or passphrases. They were also called watchwords, you know, used with, you know, abracadabra, you know, Open Sesame, all of those famous things you see in the movies and, you know, all came through history. Because they were really to verify, authenticate people who should be there; it was to open doors. It was to gain access to things like vaults. So in a physical world, I'm always looking into that in order to better understand it. And then I try to convert that into the digital sense. And if we get into the digital scenario, passwords have been around for a long time. They're cost-effective, they are very cheap. The problem is always that exchange, exchanging passwords to make sure only the person and the system are actually knowledgeable of it. But passwords in a digital sense have been around since around, I think it was the 1960s, and it came really from even the late sixties, early seventies where Robert Morris kinda was looking at how to make sure that multiple people could use a Unix operating system.
And this is really then, therefore, that it wasn't just you type in a username and gain access; you wanted to have that shared system and shared experience within these mainframes, and therefore introduced, back in Unix, the first generations of digital passwords. And for many years, and even still today, the password is the difference between the cybercriminal and the attacker gaining access to sensitive data in a digital sense. And we really haven't come a long way. A lot of the best practices really haven't evolved that much, and we really get into a point where there's been a lot of discussions about the future of passwords, where they're going. But there has been a major difference since around, I think, the late nineties, early two thousands, because during that time from the sixties and the seventies till the early two thousands, most of us really only had one password to remember. It was just one. But in the last 20 years with social media and internet services, the acceleration of those accounts, we've actually gone from where it was the first 10 years up until about 2010, or maybe we had five to remember, but then the internet boom, social media, new internet services means the average person has somewhere between 30 and upwards of a hundred different passwords they need to remember. And this is what's accelerated the pain.

Mike: Yeah, definitely. And I think talking about a little bit about like the history and where things are going. I think one of the things that's really, so much is based on that original, like eighties, nineties Unix system, or sixties, like eight characters this and this, so many best practices started there. And then we sort of didn't really evolve in thinking about passwords and their length and how that actually is more important than say, you know, their complexity and things like that. I think there's a lot, that's sort of locked up in this historical where did passwords come from and how did we get to where we are?

Joe: Absolutely. Because the concept of passwords was that they looked at best practices individually: this is the best practice for a password

Mike: Right

Joe: but they didn't really think of it as a collective, as that you've got, you know, tens, 50, a hundred passwords you need to remember. And that's where best practices really need to evolve: how to remember the mess. How do I remember the collection? And this is really what the challenge has become. We're, you know, really... probably the worst practice and bad hygiene that people have is reusing passwords. Reusing a password is probably what causes most people to become victims of cybercrime.

Mike: Right. And I know people, and I used to have to, you know, as someone who is responsible for security, I would have to remind people not to do this, which was patterns, right? Like, oh, every so often I have to change my password, so it will be fall2019, then it'll be spring20, now whatever. And so if you figured out what the pattern was, you sort of forever had access to their account.

Joe: So it's not even, you know, it's even these small variations; there's so many password cracking tools out there.

Mike: Right

Joe: As long as you've got one example of a past used password, you can, based on the knowledge of, you know, social data or personal information that's available publicly... I was, you know, even what was crazy the last couple of years is, you get into, it used to be the security questions. But, you know, that was how you reset a password.

Mike: Blue, Toyota. Sorry.

Joe: Absolutely. What was your first dog? What was your pet's name? What's your favorite book? What's your mother's...? All these things. And then the craze became the surveys. And all the surveys were, what was your first concert? What was your first car? All of these things are related to security questions, and you're simply, just to participate in the survey, giving up all the answers to security questions, and that's the most ridiculous thing that I've ever seen. I mean, one of the guys, Rick Ferguson, has made the comment that you don't always have to be honest when you're answering the security question.

Mike: Yeah, no, mine are totally non-sequitur. What's your favorite, you know, dog? The New York Rangers. That's like, not that I use that, cause everybody knows I'm a Rangers fan, but you know, that type of thing, just trying to make it as non-sequitur as possible. And then use, you know, a secrets manager to keep track of what answer I gave on that particular place if I had to give one.

Joe: Absolutely. And in addition to that, one of the things that we'd have to remember, you know, normally the history and some misunderstandings as well. Some people say, use, for example, passphrases instead of passwords, but that's incorrect terminology, because ultimately the password is the top-level entity. And actually above a password is what's known as a secret, and a passphrase and a PIN and a passcode, all of those are variations of methods of creating passwords. So what we're teaching them to do is make a better password. And that's what the terminology of passphrase actually comes from, which really means you want to get the password as long as possible. So those are techniques of creating them. And then also there's a lot of misunderstandings as well; we have to make sure that one has usernames, which is really the identifier. That's where you get into. And then it's the password, which is really the, let's say, authentication or the verifier portion, so the heart of the system really knows that you really are who you say you are. And the problem that we've got today is that anyone who's created a login system, and there were 30 to hundreds that we all have to remember, and in my case, ridiculously, I've done well over 500 at this point because of penetration testing and ethical hacking, where you had to have different identities and personas. But with that, we look at not all systems have created them equally. There's been more stuff you can have, you know, simple things; some accept anywhere between four to eight characters.
You can have systems that accept up to 64. And I think the maximum is somewhere around, I think it's 127, as the maximum size of password you can create in a Windows system. And this really gets into that. Yes, all systems have these various different complexities, sizes, lengths; some require only numbers, some require, you know, characters, some require lowercase only. And the problem is that means we get into these situations where whatever system takes the least type of security controls sometimes becomes the baseline of all our other passwords, which is a really bad practice as well, because there's so many tools out there to guess and to crack those passwords.

Mike: I also think though that when you start adding all those additional constraints on, it's actually limiting the space in some ways, right? Like, Oh, you can't have this, you can't have that. Like, you can't have two letters that are the same in a row and it doesn't matter how like, There's a point at which some of those constraints are just making it that much harder to create a password, remember a password, and then also eliminate some of the space.

Joe: Yeah. Complexity doesn't work and frequent rotation doesn't work, especially for human-interactive types of passwords; that just forces people to use simple, common, easy-to-remember, easy-to-guess passwords

Mike: or write them.

Joe: Oh right. And in some cases that's not a bad thing, as long as they store them in a secure location.

Mike: Right.

Joe: You know, for people at home, writing them down in a notebook and keeping it in a locked drawer is perfectly OK. It comes into, what I will say is that, you know, choosing the right solution method is always about, you know, what you're protecting and where the access of that protection, you know, starts and ends. It's all about what you're trying to protect with a security control. And so in some cases writing them down, you know, for people who live alone, and putting them in a locked drawer is perfectly okay; if you're in a shared area and you've got people that might have access to that, then that's probably not a good thing. You may want then, for individuals at home, to elevate into a password manager and use something that, you know, allows you to then create all of those passwords, let's say using system-generated, because the worst thing that I ever see is, we should never let humans create internet account passwords. This gets into the problem because when you let humans create them, we create the easiest choice possible that's easy to remember, and sometimes small variations of the previous ones. So where humans are allowed to create passwords is somewhat, you know, kinda inherent in the problem as well.

Mike: So let's talk about password managers a little bit. I'm curious. You know, what are some of the key features that you would say you would look for in a password manager?

Joe: In a password manager, some of the key features is really that central vault, being able to make sure that you have them all locked. So sometimes, you know, keeping them in the operating system, keeping them in the browser, that means that once again, with access to the system, you've got access to all the passwords. So it's sometimes just not a good approach. It might be okay for, you know, individuals, consumers at home, but it means that you're locking all of your accounts equally, meaning that your bank, you know, your Twitter account, your Facebook and all of those social media accounts are equal to all of your accounts. So it means you want to also make sure that you can create different types of security controls for all of those, and putting them into what's more like a focused, dedicated password manager really allows you to get that centralized vault. It allows you to auto-populate so you don't have to type them in; so we have a few of these free auto-fill forms as well. You want to be able to share them with people, you know, so that they have access for a period of time. Maybe you're on vacation, maybe you're away, maybe you want somebody else to access an account for you. The ability to assist and generate passwords. Giving, you know, integration with vulnerabilities, for example, or passwords that are being compromised, therefore you might change them, or giving you also password strength and password age, and integration into things like two-factor, multi-factor authentication is also important. But as we grow the number of passwords that we put in, reporting and auditing is also increasingly becoming more important as well. And then becoming multifunctional as well: you can start putting in identity information or connection information, or you can start organizing them. You can put more information into those vaults.
So a lot of those features are really somewhat the basics, and then the ability to share them between multiple devices becomes important as well.

Mike: Yeah. The multi-device one I think is more in this day and age is one of the more important ones. Whereas in the past, right, if you had, you know, encrypted file or whatever, it was just local. That was probably fine to a point, but now there's so many different devices. I also think, one of the features that it's definitely on the more advanced side, but that I'd like to look for is can it actually automatically rotate passwords for me pretty easily and stuff like that and manage that for me. So I, again, I just don't, you know, I don't have to worry about it too much.

Joe: Absolutely. In that case, what you're really moving into is more the kind of small business, medium business, or even large business side of things. What you're really thinking about is getting into privileged access management, because that's what... Your password managers are good for consumers and good for individuals. But when you get into businesses, you need to move beyond password managers. Because with a password manager, what you're really doing is you're still delegating accountability and responsibility to the employee, whereas with privileged access management what you're doing is you're taking that centrally. So it means you're getting consistent security. You're getting more accountability through the auditability as well. You're also getting scalability, integration into enterprise-type tools, whether it be Active Directory or SIEMs or vulnerability scanners and so forth, and it also gives you in many cases APIs that allow more automation. So yes, absolutely, as you get into more of the business side, privileged access management gives you much more enterprise-ready ability to rotate passwords, to the point where my goal is always to get the disclosure rate of passwords to be as minimal as possible, because your disclosure rate also means who has access to what, and you want to keep that as minimal as possible, because that reduces the risk ultimately, of not just external types of threats but also insider abuse as well.

Mike: Right. And I think, raises an interesting point when you talk about access controls and the notion of least privilege, right like there's the making sure that people who were admins should have admin access on and so and so forth that sort of that escalation, but there's also the, how much should you have if you don't have a use on that system? Maybe you don't have an account on that system. I think that's one of the ones that people frequently overlook when they think about least privilege.

Joe: Absolutely. Least privilege for me is one of the areas that, you know, I always look back, you know, I was a data center domain administrator, you know, 20 years ago. And this was really where I kind of moved into really focusing on password managers because as a domain administrator, I was responsible for a hundred thousand servers and I had one account that had access to everything across multiple companies.

Mike: Right.

Joe: And I remember going into the data center cages, and I had to go through the security gates with people who were armed guards and, you know, have to go through all these IDs. And I had to get the key and the big furry coat on and ear muffs. Data centers are cold. And I remember, you know, I'd have to get into the cage. You'd be locked in the cage. And of course, if that was the only cage you were allowed into at that time, everything was, in the physical sense, completely segregated, isolated, separated, but I could go home and get on my laptop, open up a VPN, connect and access whatever I wanted. So what happened was, at that time, it really made me realize that I was that stopgap between, you know, compromise and security, and that made me realize that I should never have that access all the time, every day, every time I access the system. And it made me realize that we do need to get to where no one's a domain administrator, no one's a local administrator. What we have is, we operate in standard accounts. And even I do this practice at home. I operate in a standard account, and any time I need to elevate, I actually have to give the right credentials in order to gain that elevated access. And this means that there should be no domain administrators. We should be elevation on demand.

Mike: Right.

Joe: And that's what getting to a least privilege approach means: that we only have access to that system or that application when there's an authorized business reason, a justification, to do so. And that reduces abuse, and it reduces the ability of attackers elevating and abusing accounts more and more. And these purposes are, well, kind of a gold standard of what we really need to get to.

Mike: Right. And I think they also reduce just, like human error. I remember my first lesson in, why having all the users on their Linux systems, all the developers were admins on their boxes and that was the account that they, you know, frequently used. And when one of our users was reformatting his machine, he forgot to unmount something and started reformatting our entire repository. And it was like, Whoa. So, you know, things like that, you realize, well, you know, that. You know, you learn the hard way sometimes.

Joe: Absolutely, I've got so many war stories of those scenarios over the years. I mean, I've seen, you'd probably remember tools like RapiDeploy, Deployment Solution or ghosting. You probably remember ghosting. So those were some of the solutions I was responsible for; I used to run the support services for those products, and I've had so many, you know, I remember administrators dragging and dropping an image file and missing the folder because of the latency between the interface and the target, and they dropped it onto basically all computers, and within seconds, PXE boot, all of, you know, thousands of machines being reimaged at once. And in those scenarios, when you think about it, that's where privileged access and least privilege prevents you from doing those things.

Mike: Right.

Joe: And that's what, you know, that's why it's kinda wrong is that you have to prevent those, you know, accidental mistakes as well.

Mike: Yeah, exactly. I mean, I have a similar story with my first job back in the nineties, when web servers back then, people would run web services as root. That was common. You know, that was a practice, right? Cause it needed to run on privileged ports and whatever. And so you needed to install our software as root, and sometimes really bad things would happen if you didn't answer the questions in the installation, the software that I'd written, which was the install software. If you didn't answer those questions right, some really bad things would happen.

Joe: That's always important. Some of the things that, you know, there are some innovations and things that have been happening, and some prioritization. So in the industry you've seen, of course, you know, a large adoption of things like single sign-on. And probably the biggest mistake that many companies make is they see single sign-on as a security solution, but it's not. It does help reduce cyber fatigue. It helps people have to remember fewer passwords, and it provides them one account that allows them to log into multiple services. But it's not security. It's going back to that similar password manager side of things. It's giving you one key to many doors and many rooms. It means that, you know, when you do single sign-on, it's important that you enhance the security at the same time. You complement it with additional security controls, especially if your single sign-on leverages things like, you know, biometrics. You want to make sure you additionally add things like two-factor, multi-factor authentication at a minimum. So single sign-on, that's some of the approaches that people mistake, and they see it as a security capability, but in fact what it's really doing is reducing cyber fatigue. It's reducing the amount of passwords a person has to remember, maintain and enter, but at the same time, it's one bigger door to many different services that the person has access to. And therefore it means that you have to be more cautious with things like auditing and those things. So it's important to look at single sign-on as something that organizations definitely should do. But they shouldn't see it as a security kinda measure.

Mike: I agree. I think it's mostly convenience, you know, convenience and other things. The one security benefit I think we get out of our SSO system is that when we terminate an employee, their access is at that point terminated for 90% of our systems that we can connect to that SSO.

Joe: Absolutely, it helps with the provisioning, onboarding and deprovisioning.

Mike: Right. Exactly, but that's where it sort of begins and ends, and even then SSO, and this is the way, you know, Cybrary has implemented it right now. It's one of those things we want to move more on towards SCIM, where we can do the auto provisioning and deprovisioning. There's plenty of systems that support SSO but also allow the user to continue to log in with the username and password. And so even after they get deprovisioned from our SSO, you know, our identity provider, they theoretically still have access to that account if they remember the username and password.

Joe: Yeah, I think that helps as well, you know, especially as people change roles in organizations; that gives you the automation to make sure that... what used to happen is, they used to clone accounts for people, you know, or add them to the same group that people have been in for years.

Mike: Right

Joe: They inherit this overly large amount of access and privileges rather than building it up to what their job is specifically for. And that's what's really important. That's what identity access management really allows you to do: make sure that you're provisioning for the job that they're doing, not cloning existing people's access and giving it to a new person.

Mike: Right

Joe: That really helps that. Especially as that person moves through the organization over years, it makes sure that they had the minimum access, but not overly privileged as well.

Mike: Yeah, definitely the removing access. I can't remember all the systems where I would just accumulate more and more access. Nobody ever took anything away. They just kept on giving you more. If we trusted you back then why wouldn't we continue to trust you?

Joe: Yeah

Mike: So you sort of touched on. I'm sorry.

Joe: Yeah, there's probably biometrics as well. I touched a bit on biometrics. This is a pet peeve of mine. And I've seen it more and more, even recently, like, you know, the end of passwords, you know, biometrics will replace passwords, and we've heard it many times over, you know, from different people. Different organizations have said that the end of passwords is near, biometrics will replace them. And this really gets into... this is actually a myth, because biometrics do not replace passwords.

Mike: Right

Joe: And that's fundamental: they're not secrets. The fundamental of a password is the definition of it; it's a secret. By most definitions, it's a memorized secret. Biometrics, they're not secrets. They're something that you are and have: fingerprints, your facial scan, whatever it might be. What biometrics do replace is they replace usernames. And they make a stronger, better, harder-to-replicate username, which is good. So I do see biometrics replacing usernames. They don't replace passwords. It means that yes, with a stronger username, you can complement it with additional security controls, whether it be simply a PIN, much less to remember, but complementing that harder-to-replicate, harder-to-clone biometric. Absolutely. And then you get into things like push notification, push authentication, multi-factor authentication, and privileged access. All of those things should be combined. And of course, depending on the risk, the more security controls you require.

Mike: Right.

Joe: And that's ultimately what you get into. So biometrics do have a place, but it's replacing the username, not the password.

Mike: Oh no. Yeah. And I agree. I think of the biometrics as being a secret handshake, right? Like. Do you want to be part of a secret organization? There's sometimes a handshake or whatever, but it's not all that secret and that's not enough. Just identifies you as being a member of the club. That's not really a particular secret. And so are there any other myths that you sort of see in this space?

Joe: Absolutely, another one that I overly comment on all the time is really, you know, moving to a passwordless world. And this really gets to me, because, you know, it's also incorrectly assumed. We have people assuming it wrongly. We're not moving to a passwordless world. That's not happening. Passwords are gonna happen in the background. What we're doing is changing the interaction between the employee and the password; that's what's changing. So by definition, we're not moving to a passwordless world. What we're doing is a less-password-interaction world, meaning that yes, biometrics will help with that augmentation, that complementary side of things, where you're actually able to identify better. What you're doing is you're having that person have to type it in less, meaning that the password still exists. It's being exchanged in a different method. It might be a certificate. It might be a key. It might be a token. It might still be a password, or an application password being exchanged between the systems for authentication. It still means that the user enters it less, but security and the management team and the IT teams still need to manage that. It means that the security is not being replaced, is not being removed. It's just being changed, the location of where we need to focus our time and manage it. So it's not in any case reducing costs; sometimes it actually increases costs with those technologies, but it does mean that people need to enter it less, which means that there's fewer opportunities for cybercriminals to compromise them in that regard, in that interaction, meaning things like, you know, phishing scams or entering your password into, you know, malicious websites.
That becomes less and less because people have to enter them less, but it does mean there's a lot of challenges, because that means that the target where they're going to look is actually in the system; if they can access the system, they can then watch the passwords being exchanged. They can do session hijacking, just like pass-the-hash happens. And it also gets into the point where migration and recovery become more of a problem for employees in order to get new devices or to move to new operating systems and so forth, or upgrade or replace devices. So in those cases, yes, it's less password interaction. And the password really then changes and evolves, becoming a must for a recovery key or password recovery approach. So there's still something, you know; eventually, if you're using your thumbprint to access the device and you injure your finger or thumb, then you can no longer access the device. So you have to have a mechanism, a backup way of regaining access. And that's why Apple really still has the PIN.

Mike: Right.

Joe: You know, you restart the device, you'd have to re-enter the PIN. It's different elements of risk and different elements of security controls. And that will always be the case, because you also need that recovery ability.

Mike: Yeah. And I think one of the other ones, you and I were talking a little bit about before this, was, speaking of recovery, how important your email account is to your identity and to, you know, protecting your access. Because if somebody gets access to your email, chances are they can use any number of forgot-password capabilities to get into almost every account you've ever created.

Joe: Absolutely. Email today is your digital identity, to be honest.

Mike: Right.

Joe: It is. You know, 20 years ago, it was just a simple messaging exchange. It was a post-it note to your colleague to tell them, you know, be here, meet you for lunch, need to do this task. Today, email has replaced that; it's your digital identity. It means that it's all your history: your browsing history, your advertisement preferences, who you've met, who you're gonna meet. It's, you know, your location information. It's your sensitive documents, access to your photographs. And in many cases, it's all the internet services that you ever signed up for, because they all want your email address and they will send you a thank you: here's your password, and here's your password recovery, here's the link to reactivate. And it means that any type of attacker that gets access to email actually really gets to understand you much more personally, sometimes more than you might even know yourself.

Mike: Right.

Joe: So they're able to understand your personal identity through your email access. And then sometimes, if you're not really good at managing and you don't use a password manager or privileged access management, it means that an attacker can simply go and abuse your password resets and be able to gain access to any account where you've used your email as a medium of communication for password resets.

Mike: Right. And they can potentially lock you out of your own email account, which...

Joe: They will do eventually, which means that it makes it harder for you to recover. And I've heard many cases in the past where there's, well, digital identity theft. Well, you know, on the financial side, it used to be credit card theft, and in the industry per se, you know, it's easier to get your money back from the bank than it is to get your digital identity back. So that's, you know, that's so ours significantly, isn't it? If you're also looking at the dark web as well, you look at the cost of a credit card, you know, a fake credit card online or a stolen credit card: it's cheaper than actually putting on the dental cost. So much of the commodity, the value, and attackers do see your identity as a prime value.

Mike: Interesting. Well, I think this has been a really educational and enlightening conversation. Any final thoughts or last things to leave people with?

Joe: I mean, some of the best practices I have, it really gets into, you know, people really need to understand that, you know, a password should never be the only security control that's protecting your sensitive information. Do use a long passphrase, you know, put spaces in between letters and stuff. Use the spacebar. Get into really the optimum length, you know, which is really beyond 16, 18 characters. So the longer you make it, the more difficult it becomes to compromise. You know, my best practice is that my human-created ones are a minimum of 25 characters, just because I know the hashing algorithm that's used to create them and their strength and the challenges to break that. Also, for systems, when you're not using them, don't stay logged in, because that's an opportunity for an attacker to gain your hash. Don't reuse passwords. Use a password manager. Rotate them using my timeframe: my personal use is once every year, I rotate all my passwords yearly, just because of the cryptic, you know, the cracking machines' cryptography ability, is that, you know, the best computers keep cracking my password yearly. So therefore that's my time, knowing the cryptography algorithms. Multi-factor authentication for all sensitive accounts, where you really have information: do you want to give anyone access to it? Good auditing of your activity. And really, you can, don't be afraid to ask people for advice. Don't be afraid to go out there and ask people, you know, what's good practice, you know, can you help me? Look for cyber ambassadors inside the Metro center that we can really point you to in the right direction.

Mike: That's great advice. Actually, I'll take advantage of that right now. So for a long time, for systems where I have to remember the password, where I can't rely on a password manager for whatever reason, in the past I've used full sentences. One of my passwords, a really long time ago, was "some girls wander by mistake into the mess of the scalpels make." Now, if you know Leonard Cohen and know that I'm a big Leonard Cohen fan, you might've been able to get there, but would you say having something so well formatted, even though it has spaces and punctuation and the rest of it, but the fact that it's a complete sentence and sort of follows English rules, is weaker in some way, or...

Joe: I think it can be, because we get into all those natural language processing abilities in hacking and password cracking. Today, it's getting really good. It does make the process longer to do, but using those language processing rules in hacking tools today, it can eventually get there. It really comes down to the hardware in your system, how many TPUs you have, and how many hashes per second you can actually crack. My recommendation is that you create a long sentence like that, and all you need to do is put one special character in any location of that. Just one special character will then, you know, make the problem of cracking it much more difficult.

Mike: Right. Well, one special character beyond the regular punctuation that would be found in there. Yep.

Joe: Correct. Just simply changing it, you know, one letter to a number, or one thing to, you know, an ASCII character.

Mike: Right.

Joe: And it only needs to be one. Put a random space in between words. It may not be a space between words, but putting in random spacing will also create that complexity too.

Mike: For me, it's that I'm a horrible speller. So typically those sentences had a misspelling in there and I didn't even realize it. Well, thanks again for joining us. I always enjoy our conversations.

Joe: Absolutely. It's a pleasure being here, and, you know, ultimately, out there, yes, passwords are not going away. They will be around for a long time. Let's just use them wisely. Let's use them to our benefit, and yes, we will get to the point where we will interact less with them, but they'll still exist.

Mike: Great. Thanks.