401 Access Denied Ep.09 | Password Rules You *Have* to Break


Joseph Carson & Mike Gruen cover all things password today. Are all passwords created equally? As you attempt to balance usability vs security, what should you focus on more? We’ll learn why your children are now a target for hackers and if we can really dream of a password-less society someday.

Hosted by: Mike Gruen, CISO at Cybrary, and Joseph Carson
Length: 40 minutes
Released on: August 26th, 2020

Joseph: Hi, everyone. Welcome to another episode of 401 Access Denied, and we're really excited to be back with you to share some more interesting discussions. Hopefully another educational format for you. We took a whole different approach at the beginning of this week's episode to really introduce your hosts and give you a little bit more background. So, so you basically get a little bit more familiar with who we are and what we do. So my name is Joseph Carson. I'm actually based in Tallinn, Estonia. So you know, small country, the other side of the world. And, my role is I'm the chief security scientist and advisory CISO at Thycotic. And really what I'm doing is a lot of research, sometimes getting involved in penetration testing. I've been in this industry now for more than 25 years. So this is where a lot of these gray hairs and wrinkles come from. This is a lot of the wars and the, you know, the experiences, I would say, and the lessons learned over the years. So, you know, really in depth in the security industry, I worked for many years in different capacities. But truly cannot really, my goal is to really share my experience and knowledge with you. So I'm one of the cohosts of the show. I'm really excited to, to also have Mike Gruen, who's another cohost with me. And so Mike, if you wanna give a little bit of background about yourself and, and share with the audience.

Mike: Yeah, definitely. So, yeah, Mike Gruen, I'm the VP of engineering and CSO at Cybrary. Like Joe, I've been in the sort of technology space for over 25 years, don't have all the gray hair to show for it, but, I definitely have been doing it. I started as a software developer and have always been in sort of cybersecurity adjacent spaces. My last company was doing user entity behavioral analytics, so a security platform. And so it's sort of a natural fit as I came here, to take on more and more of the security role, in turn and in addition to managing the engineering team and all the technology that we have here. So, yeah, I'm really excited that we're doing these podcasts. I love talking to Joe and look forward to getting started.

Joseph: Awesome and today's topic is one that's probably been a pain during our entire careers.

Mike: Ah, yes

Joseph: That's one that is really, that, it's repetitive and we don't seem to get away from it, is, you know, the bad passwords. Passwords just pick up so many bad habits over the years, and we seem to get in this rut and there's, there's been numerous discussions. Passwords are going to go, they're gonna disappear, and we've been, you know, hearing that for the last 20 years, at least, you know, repetitively. And I don't feel, you know, in my jobs and roles and what I do, I honestly don't feel that we're getting any further away from them. What I do feel is I, I'm, I'm less, let's say, typing them in or interacting with them, rather than I would have been before, us having to keep trying to remember and reset and so forth. But there's a lot of bad habits out there. So Mike, you know, what, what's your experience and what bad habits have you seen in the industry?

Mike: Yeah. I mean, my experience is similar to yours in that I think, with all of the tools we have now between SSO and password managers and things, I am happy that I only have to remember like a handful of passwords. I think it's down to three or four and then everything else is remembered for me. And a lot of just sort of clicking and saying yes. But in terms of bad habits, I've seen, I mean, everything from patterns. I know, like even on, not even on personal passwords, like I remember working at companies where the wifi password was Spring 2017, Fall 2017, you know, that's, that was the rotation. It was sort of like, what's the point of rotating it if it's going to be something that we can all guess after we leave the company. That type of stuff or, and you know, there's the typical password reuse. I think one of the ones that's most common is like when you're, and we were talking about this just as we got started, when you're signing up for a service and, you know, it's asking for a user and password and maybe your password manager, it doesn't pop up to automatically fill it in. So you're like, Oh, I'll take care of this later. And whatever, you put in some, some password and maybe you don't ever get back to it. Maybe you don't have a password manager and it's just like, you use some sort of default like, Oh, easy to remember password. I think those are some of the, some of the big, you know, the, the most common bad habits we've seen. I'm curious what your experiences are.

Joseph: I mean, I agree. I mean, one of the things that I think that, that has probably changed over the years in my view as well, it was, we stopped, these, you know, the thing about people writing them down on paper as well. You know, that, that used to be the, putting them on the Post-it notes. You know, I used to remember going around, I worked in the foreign exchange and money markets and trading floors, and you simply just lift up the keyboard, look underneath, or, you know, behind the monitor, and you'll find passwords written down. And even I remember doing penetration tests on, on maritime vessels and on a lot of navigational systems on the bridge and a lot of computer systems that's on the bridge of the ship. We simply, there'll be a Post-it note with 4 numbers written and stuck to every device so that the crew would be able to know what it was so they could easily access them. But my view on that, that has to be changed a bit, is that I think, you know, for the average person that's at home that may not be as tech savvy, it's bringing them down, not keeping it. I think that's one of the problems is you're putting them in maybe a locked drawer or a locked location or somewhere that's harder for people to get access to. So really when it comes into, there's some bad habits that people, you know, that have changed over the years, but I think even to the point where even the password reuse is probably, that's the one that we need to get pied off, is where people continue reusing the same password, and even to the point where they're just saving, simply using those smaller variations. I went to a lot of hotels, you know, even airports, where the password has been the same for like three, four years, no one's ever changed it, and that means that what, even, what's the point of having it, if it's something that becomes static and even public searchable as well.
So there's a lot of bad habits that people have out there and I think my, my goal eventually is, I look, I separate them into two different buckets: the ones that we use as humans and the ones that we use in systems and automation, and I think we have to treat those differently. The ones that we use in systems automation can be very complicated and complex and long, and, and it's going to be rotated very frequently. But the ones that we enter as humans, I think we need to get to the point where humans have to enter them or use them less, or even, even they should not even be creating them in the first place. So that's something that I would like to see moving forward.

Mike: Yeah, I agree. I mean, I think, I think about my own like WiFi password at home, which, you know, I went through the process of setting up profiles I could push out to all my iOS devices, so I could go with a really complicated WiFi password. And then as soon as we had guests coming over and my wife was like, how do I get people on our WiFi? And it's like, well, yeah, kind of don't, 'cause it's really long. And so having to set up a separate VLAN for, you know, guests, and again, it's coming up with a password that's easy for us to remember, that's good for our guests. We probably don't rotate it nearly enough on our, you know, 'cause we can give it to friends and family, but I think about those things as well. I think those are some, you know, the more, you know, the more we can sort of move towards devices remembering passwords and having more complicated passwords, I think the better off we are, even for the ones that are, you know, let's try and identify the ones that we don't have to enter as humans and try and limit it to just that few. That's always my goal, is to limit the number of passwords I have to remember.

Joseph: Yeah, and the limit, and but that we have to manage them as well, you know. We want to have systems to do it in the background for us, so we don't have to. I think it's the less humans interact with them, the safer we ultimately, and the, the, the least the risk of them becomes reduced. Even to your point is, you know, when I tell my family and, you know, and your kids, Oh, you know, guess what's happening this weekend, we're changing the home WiFi password. It's not the most exciting time of the week. So, and I do change it on a regular basis and it does mean that it's a pain to reconnect some things. Again, it's a, it's a real pain in order to get devices, which you have to sometimes even reset them to factory settings so that you can actually get to the point where you can actually re-add them back to the network, and that becomes very problematic. And even for you mentioning about, you know, guests coming over and they want that WiFi access, and especially, you know, in Estonia you would have international guests more frequently, where it's all about, you know, okay, if you're in a country and you have, you know, 4G, whatever, and your phone is perfectly fine, but if you have people coming internationally, then it costs money for them to use mobile internet.

Mike: Right, right.

Joseph: So they're like, okay, I need the Wi-Fi, Wi-Fi password, and you're like, I didn't end up doing that. So and so, 'cause you, 'cause I have segregated networks at home, then you're like, okay, now I need to open up a guest network.

Mike: Exactly.

Joseph: And you'll pull up a guest network for those guests, and then you have this very simple password, or are you going to have a complex, complicated password, but, and have it as a QR code that they can scan and have that QR code well hidden away. So you really need to get to the point where it is simple enough for people to use and gain access, but at the same time, making it secure and safe and protecting what matters to you. So it's, it's a, it's a challenge between usability and security.

Mike: Yep.

Joseph: That's something we always have to find, that, that middle area.

Mike: Yeah, and I think another thing we've talked to our, I think one of the things, yeah, I know, I was just gonna say, and we've talked about it in the past, which is people not really realizing how much depends on their email and how important a strong email password and multifactor authentication, things like that, are for email. Given that any website you go to, you can use forgot password, and so even if you are doing, you know, being really good about not reusing passwords, the only password that really matters in a lot of cases is the one to your email now. And so just making sure that that one's being changed regularly and that you enable whatever you can to, you know, multifactor, as I said, to, to protect it.

Joseph: Yeah, absolutely. One of the things is that I look at different accounts from different risk factors of what they're protecting. 'Cause not, not every password is equal. That's the most important thing, is that not all passwords are equal and not all accounts we are protecting are equal, and I look at it, different things from, and whether it will be my Twitter account or it's just a bit, you know, it's about my opinions and thoughts.

Mike: Right

Joseph: I look to my email account, as you said, it could be much more sensitive information such as, you know, my location or my ad preferences or my contact details, or, you know, what messages I've been sending with friends and contacts, and also password resets. I've even heard, you know, a lot of people even just email themselves their password so they can remember, and their email account becomes the password manager.

Mike: Right

Joseph: Because this is where they simply search for, you know, where's my username and password, and they will find it. So it comes up, it's really, and also the bank account as well. So you have to look at them, that not all accounts are equal, not all passwords are equal, so therefore, I classify them. I always have them classified in these separate classifications of risk, meaning that the ones that I don't care about, they're just these one time only, or it can, the information behind them is not so sensitive than the password itself. It just needs to be a complicated password, you know, something that's complex, and I prefer even not to have to type it. So I do use password managers, which means that I only need to know a few very long, complex, good passwords, which I rotate, you know, typically not every 30 days or every three months, because that just becomes over and dated. But my password routine is that the password rotations are between six months and a year. And it means that at least, you know, 'cause I look at it from the algorithm mathematical perspective, is that my passwords are long and strong and good and unique, that any password cracking technology, some of the best out there, could take up to a year to crack. And so my year is my threshold, so that none of my passwords should be longer than a year, and I have this kind of routine of every product saying that I have a report of which passwords are aged, and then I go in to rotate them, and that's for my personal side. So even, you know, from the corporate side, of course, going beyond password managers and using things like privileged access, where it even separates the authentication and the authorization side and adds much more controls such as multifactor authentication, single sign-on, reducing, you know, the, the, even the times where I need to change the passwords itself. It will change it for me, so I never need to do that.
So there's different things, is they shouldn't treat them all equally and should look at it from a risk perspective. You know, it's like, I guess the cards in your wallet. You've got loyalty cards, which you don't mind if somebody, you know, gets access and swipes, because they're adding points to your system,

Mike: Right.

Joseph: Then you get things where those loyalties are money, and then you get your bank card, and how you protect each of those is probably very different feeling.

Mike: Yeah, definitely. I think things that I take into consideration and that sort of, when I look at like risk, is anything that's really tied to my identity. I don't, you know, even if it is just thoughts and ideas, the idea that it is my identity is definitely in a very high category, right up there, pretty close to like banking and other things. Because if someone is able to impersonate me, that's not good. And so it sort of goes from there all the way down. So like, do I really care if somebody were to get access to this game that I play? Like there's no, there's nothing tied to it. So, but yeah, it's definitely,

Joseph: Yeah, there's no link. There's no major impact other than losing points. 'Cause that's really,

Mike: Maybe, maybe unless they're really good and they want to, you know, get my high score up there, but yeah, it's, yeah. It's one of those, it's, it's, I think, I think assessing risk is one of those areas, you know, it's, it's adjacent to passwords. And I think it's one thing that humans are notoriously bad at. I think trying to assess risk in a, in a reasonable way is, there's a lot of people who are over, overdo it, I probably fall into that category, started over, and then there's people who totally underestimate. So I think risk assessment is one of the harder ones and maybe something for a future, a future podcast. Not that this is all about identity, but I think you mentioned the whole social scene, you know, I'm sorry, credit rating and stuff. I think people don't realize that they need to, as soon as their kid gets a social security card, that there's the potential that they have their identity stolen before they even go to get their first credit card and stuff like that, and it's, it's, there's just, it's just tough to manage and tough to stay on top of. But, but yeah, so, I think we sort of,

Joseph: Yeah, one of the things related to that,

Mike: Yeah.

Joseph: Yeah. One of the things that's related to that, I remember I did research, I did a project that was called Back to Schools in Estonia, and it was about me going into schools, and, you know, I thought I was going to educate kids, but I learned more from that project from the kids that taught me.

Mike: Oh Interesting.

Joseph: And one of the things I realized was, and I was looking at what age group, when I recently went to, and I thought it was around the 12 and 13 year olds where I could have the most impact, that I could actually go make the most influence. And when that project, when I actually went in and did the education, I found that I was already too late. I was actually already getting to the point where they already had bad habits. They were actually not password protecting anything. Everything was unlocked.

Mike: Right

Joseph: Their friends knew their passwords. They were reusing passwords all over the place, if they even had one, and it became a really bad habit and bad trend. And I decided that I wanted to find out how young I needed to go in order to be okay to change, you know, the future rather than re-, you know, educate, and what ultimately ended up happening was, it was six years old. That's where basically you need to get to, and actually cyber criminals, that's where they're targeting kids, is actually at the age of six.

Mike: Right.

Joseph: Because at that point in time, if they do identity theft of a six or seven year old or eight year old, whatever it is, they've got one with a good credit rating, and so, and it's identity theft, and the parents will not know that their identity has been stolen until they're about 15 or 16, when they start getting a bank account opened or start going and doing, it might be a scholarship or something, you know, applying for universities and colleges.

Mike: Right.

Joseph: That's when they find out. When you start looking at that, you know, once you start looking at these social security numbers, they start applying for other types of identities, and that's when they find that their identity has been stolen, and that gives the criminals years

Mike: Right.

Joseph: Of staying hidden and abusing that before it gets detected.

Mike: Yeah, absolutely. And I think, you know, it's funny you mentioned the whole kids thing, 'cause I, I get a little frustrated. I mean, I have kids, I have younger kids, in elementary school and middle school. And, you know, do a pretty good job with passwords. I think for them, it's, you know, writing it down on a piece of paper and keeping it someplace in a, in a locked drawer is important, just because my wife and I need to be able to access it for them, 'cause they can't remember passwords. But what I hear goes on at school is interesting, where they have Chromebooks and they have their Google Classroom accounts and so, so forth, and all of the administrators of the school, their teachers, whatever, have access to their accounts. That's fine. They have their passwords and they have their passwords written down on a long sheet of paper, the, you know, for all the kids, because they might forget their password. And my son coming home and telling me he changed his password and then it stopped working because they had changed it back to the one that the teachers use, and it was like, that seems a little, you know, like, and they went back to whatever the standard one is, and I think that that's, in some ways, sort of teaching a little bit of a bad habit. Like here's a kid who took the initiative to go ahead and change his password. I get why they probably, but if they have administrative privileges, they probably could get into, clearly they could get into the account if they needed to, 'cause they were able to change the password. So not exactly sure what the, what the reason or rationale behind that was, but, but yeah, I think it's, I think we need to do more than just educating kids. I think we need to make sure that we're also educating the people who are educating kids.

Joseph: Oh, absolutely. And that was one of the things as well, is that as I was doing that research on projects, I was learning a lot from, from doing a project. It did teach me a lot that actually you need to go, and it gets into the parents as well. It gets into the teachers and into the influence, because ultimately, you know, if we're talking about bad password behavior, that's where it starts. It starts with school. It starts in the education system that will be willing to make a difference. We need to make sure that it's the beginning, that they should start really early and that they actually get good hygiene. And if you're getting to the point where they're, you know, the, the teachers are giving them simple passwords, or rather than done, and having it all on a piece of paper and on the table.

Mike: Right.

Joseph: Then that's setting the wrong example to begin with. So we really need to look at how can we make sure that one is, we start, you know, making sure that from, from the early age, that there are good practices that they can get into. Because even the same with my kids as well, which I even get surprised with, you know, they, they choose wise passwords as well, and actually I've taught them well, but at the same time, if they do forget it, then, you know, resetting it, the process is somewhat, you know, sending it in an SMS or sending it in a text. You know, you start looking at your stuff, okay, that's, and we're already going down a bad path from that perspective,

Mike: Right

Joseph: But we do absolutely, you know, this, to really start repairing and getting away from, from the password bad habits that we have as a result in the workplace today. It does need to start in the education system. You just start really, really early.

Mike: Yep. Yeah, I, I totally agree. I think, you know, and getting back to our earlier point about, you know, getting away from people remembering passwords, I know we've talked in the past. I know you have a lot of opinions about moving to, you know, what's passwordless. And what does that mean? It's a topic that's come up at Cybrary a couple of times as we look ahead to how we want to do authentication, and I'm curious what your thoughts are on sort of trying to move to sort of, sort of a passwordless thing, and maybe you could explain, you know, what that means.

Joseph: Sure. I mean, passwordless, I'm very, very passionate about the term. The way I look at passwordless, to me, you know, I've had a lot of discussions with journalists over the years and we've had back and forward. You know, when they're asking you about passwordless, new technologies come up, and for me, it's not passwordless, what it is, it's less passwords. We have the, the, the right words just in the wrong order, and what it means is that humans are entering passwords less, but we're doing it less frequently. So there still is, I think passwords will eventually turn into not the, the password function that we use today for authentication. It will be mostly used for a backup, as a recovery password that allows you to, to type it in, but you won't use it frequently. It's like, you know where, I think the iPhone example is probably the best example, where they're using a less password feature when they're using biometrics. So when you basically, you know, start up your iPhone and you log, you know, enter your passcode or passphrase, that allows you to unlock the phone, then you can do all the functions. But when the, the iPhone gets rebooted, it will ask you again for that passcode, and I think that's the example where I think it's really good, you know, for those to really understand that it's not, it's not removing the passcode. And I remember listening recently to a podcast that actually took the person through creating a fingerprint biometric on a phone. And they were like, Oh, why do I need to put a passcode in? And it was because of that reboot inability, or that you go to do maybe a pay function, that it will request you additional security. And I think that's where the password's going when we talk about passwordless, it's less interaction with passwords, but password will become a backup recovery key in the future. We still need to have some type of either reprovisioning purpose or that, you know, the security risk has changed.
So therefore you need to really make sure that person is the authenticated person, and therefore it does become a recovery key in some regards.

Mike: Yeah, I mean, and the context that came up at Cybrary is, as we are adding more and more sort of SSO capabilities and, and social, you know, social login, you know, at some point, at what percent, at what point do we hit a percentage of our users that don't need to use a username and password to authenticate into our system, where we've offloaded our, that, that whole process to, whether it's their company's SSO or to Google, Facebook, Apple, there's a bazillion of them. And so at what point can we just have a totally, you know, there's no password, and for those users that don't want to use those systems, maybe it is just a put in your email address and we'll send you a magic link. And that'll get you access for some period of time, that type of, that type of system, and then it really offloads a lot of responsibility from us. Like, great, we got hacked, not great, but if we do get hacked, like we don't have to worry about like some password table that just also gets exported, and it sort of limits our risk as well.

Joseph: I really mean for the, for the setting up of accounts, I really loved the magic links concept.

Mike: Yeah.

Joseph: You know, the ability to, to do that one, one time only link, or but it does mean that, it means that, you, I have to really protect your email accounts. Yeah, it comes that your email account becomes a much more security needed control. So it means that yes, you may not want your email account to be just protected by a password by itself. You may want to have additional multifactor into that account. That account becomes almost equal to that of a bank account in regards to its risks. So I do like the ability to have passwordless, you know, provisioning and the ability to set those up, but at the same time that means that the risk is offset to another location.

Mike: Yeah, but, and I think to sort of counter that, I mean, we're already at that point where your email address is, as we said earlier, right? I mean, anybody can use a forgot password. If they get into your email and they use a forgot password, sort of, it's already, that risk is already there. We already have that in our system today. There's actually plenty of systems, that's funny, there's things that never made it into my password manager, for whatever reason, like the, like the syncing didn't work out, and so I don't know what the password is. It doesn't show up in my password manager. It's clearly something hard, and, where I just used forgot password and that's it. Like I entered, I have to access those systems so infrequently that I don't even bother, you know, remembering, putting the password into the password manager at this point, 'cause it's, you know, and so I'll just use round passwords.

Joseph: Yeah. It becomes the workaround between people, people, but also we'll do that as well, as like, Oh, I'll go access some email. I'll just use my email as my password manager. And that becomes the reset, reset, and just becomes that frequent reset where all of a sudden now, and it becomes, that's for the bad habit, is into even reuse of passwords. Now I do a password reset. It gives me a link and now I have to create a new one. I'm like, Oh, well, I don't want to forget it again, so might as well use the one I remember, and this and this, the one that, last one, look, that you created it for another site. So it gets into a lot of bad habits and I, and I think that we need to have, and that people get into even started using browsers to store passwords as well. So there's a password manager in the browser and that worries me as well. But yeah, I think that it has to be a balanced trade off between usability and, oh, and the risks for offsetting. Maybe for the consumer and the average person, you know, that isn't technical, storing in the browser, you know, as long as they're making complex unique passwords using that function, it might be okay. But for organizations that are protecting sensitive systems, that's definitely, you know, not a good habit to get into, and they always definitely need to make sure, because if an attacker, you know, all of a sudden installs a compromised browser extension, and now that browser extension can access their full hard drive and they compromise the local account and have access to all those passwords that's stored in the browser. So, you know, there's a lot of ways around that. So it means that yes, that there has to be this trade off balance between what is the risk we're protecting and should that even be a possible work, you know, kind of let's say bypass that, you know, attackers should be able to use. How do we protect it? It means that yes, now, you have to think about, okay, I have a password now for logging into my laptop.
I know I need a password for logging into my browser password manager, and then I need another. So it becomes that, you know, the incremental increase of passwords.

Mike: Yep, and I think the other thing that's related to that is people not really realizing that, if somebody has physical access to your computer, that means that they can, unless you encrypt the hard drive, they have access to everything that's on there. It's pretty, you know, you can pull the hard drive and you can plug it in, and if it's not encrypted, then anything that's on there is also, you know, readable. And so when you're getting rid of a computer, making sure to wipe it. I mean, just generally using full disk encryption, it can be a little, it's a little frustrating that computers don't ship with that, you know, operating systems don't just enable that by default, that's still on the user to check that box. But I think people sort of, you know, forget about physical access.

Mike: Yeah.

Joseph: Yup. That's where some password managers ended up getting, is between password managers, that people are still accountable for, for responsibility for doing it themselves and for making this, the selection, that, you know, they're, they're responsible for rotating them, responsible for medics, and responsible for keeping them tidy, keeping them unique, choosing the right complexity. This is where, you know, I think, right, organizations and businesses are looking to, to really get away from bad passwords, relying on password managers, and moving into privileged access management, 'cause that's where it starts getting into more centrally controlled. It gets into more centralized policies and it takes away the responsibility, accountability from the user themselves. So it allows more centralized, more consistent controls, and it takes away that password hygiene problem from actually having, you know, and this was really beginning to, is that the less we have people to think about and need to be securing and focusing on security, if we take that pain away, the more secure that actually they've become over time.

Mike: I agree. Although I do think that there's plenty of companies and corporations that put these password policies in place that don't even realize that they are, they're actually counterproductive. Hey, we're going to make you rotate your password every 30 days or every 90 days. And it's going to have to have this complexity and it has to, you know, you start putting all these rules in place. The next thing you know, people are actually, the passwords are hard to remember. Easy for computer to crack and, you know, and having to change them all the time just leads to other bad habits and I think, you know, it's one of those things, that's definitely a pet peeve of mine when I'm selling out, you know, these security questionnaires from, from various companies and they're like, what's your password policy? Does it have this, this, this, this? And it's like, well, actually I think ours is better than that. And, and then I have to go and sort of explain it to someone about what we actually do. So I think that there's, you know, we're still operating from these. You know, ideas that were born in the eighties and nineties, especially the nineties, that need to like be revisited. I think, and, and I think a lot of people have, and I know that even this put out the new standard around password and policies, but people will still slow to adopt.

Joseph: Yeah. It was a bit kind of, I agreed with some of these recommendations, but I also disagree with some of them and there's, there's still a continuous debate into it as well, yeah.

Mike: Yes.

Joseph: The difference between today is that yes. You know, the, the password rotation was, was originally designed when we only had one password to remember not only had 30 or 40 or a hundred and it was,

Mike: and it was a maximum of eight characters.

Joseph: Yes. And we had a maximum of eight, correct and that complexity meant that yes, it was much easier for people to remember and use, and that was acceptable, but now it's not scalable in how we use them today and where they made the changes to. Yeah. You know, as long as you use multifactor authentication and you have a long password, it doesn't matter in complexity, you don't need to change it and that's where I think some of the security industry, including myself, we can like we're drawing the line game. No. And this is where I've learned even. I did a, a, a recent webinar that was based on incident response. And how do you detect that you've been breached and one of the methods that I've found is that if you're unpredictable and it means that you, you may not change all passwords, every x amount of time, but there's certain accounts that you might decide that let's, let's do a random password change on 5% of our system accounts or service account passwords out there, let's just do random and that random check and random change, which is unpredictable and unplanned can actually sometimes uncover it and surface up, you know, detect breaches that you may have not been aware of. So there's a different debate out there that I, I think that never changing passwords until you have been breached is not a good,

Mike: Yeah, no, I agree that right. There's there's right. There's a, as you said earlier, you have to base it on, you have to take the mathematics into account, right? If the, if the password can be cracked in a year or six months or whatever it is, that's how you have to rotate it. I do like your random thing. I also do that, but mostly to find out who has access to an account, like sometimes, you know, you can't get around. There's certain systems or that still have, there's the one service account and it's a shared username password. There's nothing we can do about it. And we use password managers to sort of help manage that and our SSO system, but I'm changing that every now and then just to see who reaches out to me and like, Hey, I can't log in. Like, did somebody change the password? It's like, yeah, actually I did. And I didn't know you knew.

Joseph: So, yeah, this year, the shared passwords, that's always a major challenge and then I think it's more frequently not so much for internal systems, but it's got more frequent things like a cloud-based applications. That's where it's been, coming things like social media PR accounts.

Mike: Yeah, absolutely. That's what I'm talking about.

Joseph: Drives. Yeah, absolutely.

Joseph: It gets a bit concerning as well.

Mike: Yup. Yeah. So things that just weren't initially designed for multi, multiple users to use. Right. And so there's only the one account because it's just the one account. It is what it is. And trying to secure, those is always a challenge and, and, you know, the, the sharing passwords is inevitable. And then next thing, you know, somebody is like, Oh, I need to, you know, this person's on vacation. So, I need access to that. So they sort of that password gets shared a little bit beyond who the scope was originally intended for and stuff like that.

Joseph: Absolutely. And it gets into even auditability is that, you know, when you have those, you know, those accounts even take some companies' Twitter accounts that you've got, like, you know, actually more people that are actually using those or even the company marketing accounts or their WordPress accounts and you get into. Yeah, people resharing and reusing, and they don't want to log out and log in just because it saves some time, saves time, and just, you know, make sure that they actually have consistent access and you get into well, okay. When you do the auditing, not everything looks like, it looks like you're, you know, was it a WordPress admin account? It looks like you're, you know, the same account that's logged in to Twitter all the time and you're going, who is the person behind that? I'm to point some of those accounts where you reset the password and people come to you. That's when you find out that that's what really, you know, that's what privileged access is all about is about having the separation between the authentication and the privileged account and that's where it turns into, you know, Joe Carson is his root account, right or Joe Carson is the admin account. Not that I have to find out who is admin and try to, you know, backward step it, it actually reveals it uncovers. It provides that accountability and transparency. And I think that's where definitely when you're using shared accounts, privileged access, it almost becomes mandatory with regards to making sure that you have that consistent accountability.

Mike: Yep, definitely. And auditability.

Joseph: For me, visibility is an important part is that, you know, and you can account that this person was actually, Joe was the root account on the system at this time or you may find that. Okay. There's two users on the success with this time and now I actually have accountability, not just to their using root, but what actions they're also performing at that time as well. So I can say Joe was installing this application and you know, another person or whatever John is doing a patch upgrade of this particular application. They may be doing two different, you know, service desk tasks at the time, but you can now have that kind of complete accountability in regards to who's doing what with what and how, and what's the, you know, what's the accountability of that.

Mike: Yeah and that's, I mean, when you talk about like AWS and some of the stuff, you know, or just the sort of, IAM role being able to do things as a role for some temporary period of time. I think those are some of the important things where you can say, you know, give someone access to a system that they're still authenticating themselves, but they're acting in this role sort of like sudo, if you will. And so I think those are, you know, I would love to see. The Twitters and Facebooks of the world, try and figure out a way to sort of solve that so that we can have multiple people authenticate into those. I do at least appreciate the ones that have the, hey, here are the different devices that have logged in and you can actually see the different sessions and you can go in and audit that and log those. I at least appreciate when, when that's available to me. But yeah.

Joseph: Yeah, that's what I mean. It's important. I think that's when we really get into the ability of applying least privilege to things like cloud and SaaS-based applications where you start with no full act, not having full access, things might be blurred out. You might have little buttons that says I want to access this, so I need to not provide justification. So this is where it gets into least privilege everywhere.

Mike: Right

Joseph: It's not just on-premise, not just laptops and desktops and servers, it's cloud applications. It's web interfaces that now that we have to, you know, if we want to do something, I might be logged in as the Administrator, but things might be not visible until I provide some type of justification and that really provides that accountability and even gets to the point where if you might be sending all of this off to a SIEM, and now the analyst is looking through the same logs. They say, admin, admin, admin, Erica, who is admin, what does that mean to my log files? And this provides that ability to backtrack and say, well, it was on this system this time. And this is the user. If you checked out or you accessed that account during that time. So going back to that accountability, auditability, especially one year, you know, you're doing, you know, just ugly thing, your security analysts filter through logs and those log files don't have any tie back then they become almost useless.

Mike: Yep.

Joseph: So, so I'm really, I'm hoping that the audience is really getting a cast that this was a big problem and it has many different facets that it gives into. And I think that, you know, I think all of us need to probably take a step back and think about, you know, maybe even just, you know, let's do I really like when we get into, you know, hack yourself type of thing. Yeah. And I think about, okay, what's my security console and you find out what comes back.

Mike: Right

Joseph: We need to do that kind of audit on our password hygiene. You know, are there accounts out there that you forgot about? You know, are there passwords that you've reused in many, many locations? Have you even gone to places like Have I Been Pwned to check the accounts that you've used have

Mike: Actually, it's funny that you mentioned that because that was one of the websites I was going to recommend is Have I Been Pwned. I mean, like, for a company we have ourselves set up as a domain, so we get periodic emails from them when there's a new breach and then for my own personal, I check it pretty regularly. So yeah, I think that, you know, looking for those and, you know, when it comes to accounts, you may have forgotten about or accounts you don't use anymore. I think it's, it's easy to add things. It's tough to remove things. So going and like, you know what, the, one of the nice things about GDPR is this like right to be forgotten. There's probably a bunch of accounts you don't need anymore and you can just go ahead and delete and like, feel pretty comfortable that, you know, if they're GDPR compliant, that they're going to remove everything about it and anything going through and looking for those is another great way to sort of reduce your risk and reduce your exposure.