After a two-episode hiatus, Brad is back this week to join Evan for episode 124 of the UNSECURITY Podcast. In this episode, the duo attempts to answer as many questions about passwords as they possibly can and offer some password hygiene tips. Finally they touch on some company happenings like the CISSP Mentor Program and S2 updates.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Evan Francen: Welcome listeners. Thanks for tuning in to this episode of the unsecurity podcast. Today is episode I’m sorry. This is episode 124. The date is March 23rd, 2021. Back from taking a couple of weeks out from the show is my good friend and co host Brad Nigh. Welcome back Brad.
[00:00:40] Brad Nigh: It’s good to be back. Have a nice to have decompressed and get a little bit of a break. It’s been way too long or it had been so
[00:00:48] Evan Francen: I missed you. It’s not like, you know Ryan’s chopped liver or anything, but he’s no Brad. So I like having my Brad back.
[00:00:57] Brad Nigh: Yeah. Like I said, I’m glad to be back. It’s fun doing things.
[00:01:03] Evan Francen: All right. We’ve got a good show plan for today for the listeners today. I want to talk about passwords. Everybody just loves passwords, passwords. But I want to take this. I want to take those many common questions as we can about passwords. Uh, and uh, you know, nail it in one show. So the first question, you know that I have is you know what? I think a lot of times when we talk to people, you know, non security people, we just assume that they know why passwords are important. Yeah. Why we have them in the first place. So that’s the first question. Why do we need passwords in the first place?
[00:01:45] Brad Nigh: Yeah. Well you have it there. It’s the it’s part of authentication. It’s not all, well shouldn’t be all of the only part of authentication you want multi factor but it’s not proving you are who you say you are.
[00:02:02] Evan Francen: Well exactly. I think you know we profess you know that for listeners and for people who you know maybe just take this stuff for granted. You know there’s identity and there’s authentication right? After that comes authorization and accounting. Right? So we we talk about these things like triple A right identity, you know, authentication, authorization and accounting. Yeah. We assumed you know we kind of treat these things mix them together. They’re very closely related. But identity is just professing who you are, right? Professing an identity to a system or to somebody else. Right? The second piece is to prove that identity. So you know without the authentication you just have to take my word for it. Right.
[00:02:49] Brad Nigh: Right. Yeah. So your identity, you know, think of your user name right then password is your authentication. That’s how you get into the system. Exactly. It would be like similar to I’m trying to simplify it a little bit but you know, not exactly the same. But like if you know the code to your keypad for your garage door. Right? That would be enough medication, right? Not necessarily unification because it’s there, but Yeah.
[00:03:21] Evan Francen: Well and you know, a lot of times, you know, when I meet people, when you attend the meeting, it’s rare for people to, you know, ask for my id. Uh they don’t ask for my driver’s license or my passport. So certain systems, certain things, certain people, I don’t need to authenticate with them. They take my word for it. So I say, hey, I’m having francine and they’re like, all right,
[00:03:44] Brad Nigh: right. Right.
[00:03:45] Evan Francen: So that’s just identity without authentication. It’s when, you know, let’s say I’m crossing the border from Mexico into the United States or vice versa. You know, I profess that I am Evan francine, but they’re not going to take my word for it. Right. They need some proof that I actually am who I say I am, that I came from where I said I was coming from. Uh so you know, you have to produce your passport or something like that. So that’s that proof of, that’s authenticating Me too. You know, maybe customs. Right, yep. And the same thing sort of happens with futures because I tell a computer that my user name is e francine. Okay, great, anybody can come to my computer at any time and profess the same thing, right? If there’s no proof. Yeah. Right. Yes,
[00:04:35] Brad Nigh: exactly.
[00:04:37] Evan Francen: And that’s fine in some sense. And I think it’s fine. In some situations to not have to authenticate, you know, we browse the internet all the time without authenticating, it’s when I need to do something, you know maybe a transaction or maybe something that’s a little more critical sensitive. That’s when I need to authenticate.
[00:04:54] Brad Nigh: It’s when you’re doing something that you want to protect. Right? Right. You know you’re logging into your bank, you’re logging into work, there’s something sensitive going on. Right? That’s when you want to make sure there’s an authentication ahead of it.
[00:05:10] Evan Francen: And so so users, you know when they ask, well why do we need passwords to begin with? Well it’s it’s to prove your identity to our system, prove your identity. Use the same thing when you go to the bank. The same thing when you go to the T. M. The same thing when you get carded for alcohol or you know at the bar right? You need to authenticate it proves something about your identity that they’ll accept as okay it’s valid. You’re going to continue. Mhm. So if that’s that then what happens when a password is compromise? Why is that a big deal? Why would I care if a password is compromised or not?
[00:05:49] Brad Nigh: Well that goes to that last a of of accountability right. As soon as your password gets compromised, that person is acting as if it’s you or whatever they do looks like it came from you which is angry. You know I think about that from a bank standpoint. You know they transfer all the money out? Well they’ve logged in as you how is banking and all the difference.
[00:06:15] Evan Francen: Right? Exactly. So it’s it’s impersonation, right? Somebody else acts like they’re me. That means they can do things that are reserved for me. Things that I only I want to be able to do. Right? Imagine an imposter like coming into your house, you know what I mean? Deepfakes style like they look exactly like you, they act like you right? They’ve authenticated with your wife. They’ve authenticated with your kids, but it’s not you.
[00:06:43] Brad Nigh: Right? Yeah.
[00:06:45] Evan Francen: And then think of the damage they can do.
[00:06:47] Brad Nigh: Right? And that’s basically what’s happening digitally.
[00:06:50] Evan Francen: Exactly. Yeah. I think a lot of times when people can make that, that an analogy that cross between this is what I see it physically. Because I’m used to physical, right? I can relate to it more. You can use vision. I can use other senses that I can’t use digitally. But it’s essentially the same thing, right? If you impersonate me physically and Impersonating me digitally. Different mechanisms but essentially the same potential outcome,
[00:07:19] Brad Nigh: right? Yes.
[00:07:20] Evan Francen: You destroy somebody’s life if you do it right?
[00:07:23] Brad Nigh: Oh, and we’ve seen it happen. Yeah sucks.
[00:07:28] Evan Francen: It totally sucks. So, okay, so that that’s what happens when somebody compromises potentially my password, right? You need to have the identity piece to write, you need to have my user name. But that’s pretty trivial because usually share you use your name openly.
[00:07:45] Brad Nigh: Right? Because I mean realistically that’s not sensitive. A confidential type of information. I mean it’s you have to declare who you are.
[00:07:56] Evan Francen: Right? Exactly, yep. Right? So that’s that’s how, you know that that’s the reason why I think, you know, for users that you know, we stress password security. Um so then if that’s the importance of protecting my password, then how could my password potentially be compromised so that I can identify ways that I need to be active in protection.
[00:08:27] Brad Nigh: Right. Well, I mean, you know, you have a listener, I think the most common is probably gonna be the disclosure where you know, you’ve logged into a service that wasn’t protecting those passwords correctly. They weren’t getting too technical, they were assaulting or hashing passwords are stored in clear text so that anybody could read them, right? They weren’t obligated in any way. Um Yeah, you know, I think and you hear about those all the time and the week when I actually have a really good story about that. So in I want to say 2017, maybe 2018 but three shows 2017 I did a security training for a city government and part of our awareness training is how to create a good we we don’t use password, please pass phrase we’re trying to get people away from thinking password because at this point length is really the the best way to protect it, but you know, like, okay, well what are some bad passwords and it was like spring 2017, you know you know like common things for that area you know you know Vikings one or whatever. It was after I had like four or five examples and after the training head of someone come up to me and go so if I saw my password on your presentation I should change it. Yeah, probably right. I mean
[00:10:11] Evan Francen: yeah. Well he well I think you know to simplify like simple you know me man if I can take something complex and break it down into components and and make it simple because simple it’s easier to manage simple. It’s easier for me to understand. So I think there are two major ways that passwords are compromised. It’s either caused by you or it’s caused by somebody you shared your password with right? Caused by someone. What else. And I think the two primary ways that happens when it’s caused by you is either I disclosed it meaning I told it to somebody I shouldn’t have told it to or I was just weak to begin with. Right? It was something that was easily guessed. It was something that was easily derived from any number of different variables but it was just a weak password.
[00:10:59] Brad Nigh: Right Well and give you an idea and I don’t know the exact number but last kind of anecdotally the from our pin test team I think when they get to do an internal pin test and get hash obviously we have Cracking rig and these, you know the rainbow tables in different tools. But typically they get 25-30 of passwords when they do those right. Just because people aren’t doing the right thing because I think more often than not it’s it’s a lack of awareness. Not like intentional.
[00:11:35] Evan Francen: Sure
[00:11:36] Brad Nigh: as I say that I think is it’s a recurring theme that we keep coming back to is a lot of these there it comes down to a lack of awareness regardless when you have but a normal person having issues.
[00:11:51] Evan Francen: All right. And I think, you know, it’s rare to find somebody who is not aware, right? When you talk to somebody about passwords, you know anybody on the street, they get it. They get like, oh yeah, you know I’ve been told that it needs to be strong whether I know what that means or not a different thing. But I think another thing that we do often is we overcomplicate stuff. That’s why simple for me always wins. It’s like all right. Your password is going to be compromised or either because you did it or uh somebody shared it with. Right. And so what can I do to protect myself from disclosure or weak passwords? Well, if I want to protect myself from disclosure, I have to be very very careful with who I share my password with. Right? Um like my password. I’ll just tell you, you know at home. Uh Nobody actually nobody in the world anywhere nose my password safe password. Nobody haven’t shared it with anybody. Right. It’s it’s a unique password to open up my password safe so I can get access to all my other passwords. I don’t reuse that anywhere else. It’s that is such an important
[00:13:03] Brad Nigh: password.
[00:13:05] Evan Francen: And where I do have that password stored is in a safety deposit box. So should I die? Mm My wife can, my wife knows it’s there, right? But I’ll also know if she goes and gets it right. Which is, it’s not that I don’t trust my wife. It’s just that as soon as I tell somebody else, anybody else my password that is now disclosed. Right? Yeah. So that one’s, it’s in a, it’s in an envelope in the safety deposit box because you know I will die and chances are I’ll probably die before my wife because she’s healthier than me. You know, she knows that to go get it. This is the, this is the procedure that you need to go through if something happens to me because then you have access to all of my accounts, which somebody has to, somebody has to take care of that. Yes. So that’s the disclosure peace. Now I don’t, in terms of other passwords always ask like anybody who’s ever asking me anywhere for me to approve my identity to them. Why? Why do you need my identity? Why do you need my password? Mhm. So every email I get, I’m always skeptical like oh yeah, who are you?
[00:14:19] Brad Nigh: Yeah, it comes from the, you know the bank or credit card or whatever. I never click the link in the email. I always go directly to the site or open the app and you know you go in that way. You know, the other thing is, you know, using a password manager password safe. A lot of them if you do click the link, they’re not going to auto Philip. It’s the wrong U. R. L. Right. So it does add an additional level of protection if if you click a link in your, you know, whatever you’re using and there’s a bunch of really good ones. Doesn’t auto fill. It would actually be a red flag right away.
[00:14:57] Evan Francen: Yeah. You should definitely make you question things. So password disclosures either come from me meaning I disclosed to somebody that I shouldn’t have. I would say that I did disclose to somebody that I shouldn’t have immediately go and change the password. Right? Change that authenticator. The other way that a password compromise can be caused by me because there’s only two ways that I disclosed it or I made it weak to begin with is to learn what makes a password strong. Uh It is a learned habit. Trust me, I don’t, it’s not something that came, I didn’t fall out of my mother’s womb knowing how to create strong passwords. I had to learn
[00:15:36] Brad Nigh: it. Yeah. And you know I think the thing that I always like to do when I’m doing the training or the um the I see the volunteering for the parents is giving examples and it’s always you can see the people the light bulbs going off and going I didn’t know you could do that right. Like use a phrase you use proper grammar like use spaces and commas and numbers and upper and lower case the more complex in terms of that combination. Not necessarily again keeping it simple, afraid that you’re going to remember but using that variety is going to be stronger and I don’t think so. We are you know you’re talking about that. I have my personal password manager, my work password manager, my uh domain log in my recovery email for personal and my bank account. Everything else is all in a password manager. Those are the five passwords. Yeah, that’s it. I have five that I need to know. And they’re all different. Right. I mean you look at I think I have like 60 passwords and are in the work password.
[00:16:55] Evan Francen: Like I was gonna I was gonna go through that in a little bit too about how many passwords are actually in my vault. The uh so choosing a so here’s a couple of places that people can go places that I go regularly just because I like to play around with stuff. So if you go to how secure is my password. dot net right? And there’s other password checkers out there just throw password in there now don’t use a password that you’re actively using. Use example passwords just to see what makes a password strong. You know, if I if I choose the password, you know Evan space is space a space cool space guy exclamation point, that’s actually a very strong password right? Because long is strong, yep.
[00:17:44] Brad Nigh: Yeah, minimum 16 Yeah, I mean realistically at this point,
[00:17:50] Evan Francen: so that’s one place I go. The other place I go to mess around with passwords as have I been phoned? Mhm. Because there’s a link there where you can type in passwords to see if they’ve been owned before to see if they’ve been cracked before. Not now, it’s not going to be 100% effective obviously, but the really well known passwords that have been compromised through various breaches, you know, they’ll show up there, You know? So if you take, you know, spring 2000, I don’t know, take spring 2020 or 2021 and put it in there. Yeah, do that.
[00:18:26] Brad Nigh: So another one I just put it in a chat that I like is it’s by Gibson Research corp Haystack, How well is your needle hidden and you get the same thing, you can put in a test password again, I would not use the here you real one but use a similar one. Right? If you have free words that are, you know each four letters and a space between use the same uh huh construct but don’t use the same your real password.
[00:19:00] Evan Francen: Right? And then it goes to so Disclosure is one way using a weak password is another way. So there’s a couple of tools that people can you use to choose or 10 ft what’s what’s a strong password and what’s not the third way is some of you shared your password with gets compromised or they didn’t take you know, they didn’t secure your password as well as you are securing your password. That’s another area of compromise. And that’s the reason why I wouldn’t choose. We were saying don’t use your real password in these sites protesting because you don’t know if they’re protecting it. You don’t know if it’s going to be stored somewhere. Um and that’s another reason why you know, I hate the guidance that we’ve received recently that changing passwords is a bad practice and we’re no longer going to force users to change passwords. Well that would be fine if all three of those things were true meaning I didn’t disclose it to anybody. I chose a strong password and everybody that I shared it with didn’t disclose it.
[00:20:04] Brad Nigh: Well and I get asked that all the time. And my answer is what’s your risk tolerance if that password gets compromised? Yeah. And you don’t know about it. How long are you willing to have your account potentially accessed or domain accounts access before you’re going to lock the person out? And people like Yeah. Okay. Exactly. You know it I would say multi factor definitely helps. Right? You have to train your users. We’ve had incidents where uh, you know, the user. Okay. The multi factor even though they weren’t logging in and let an attacker in. So you stuffed to train your users, it’s not a like, can I see that here all? But you know, personally, I wouldn’t have an issue if you’re using multi factor six months, maybe 12 depending
[00:20:58] Evan Francen: on the service. And let’s get to multi factor to after we get through the password stuff. Because I think a lot of times to we assume that the everyday, you know, user the consumer at home even knows what multifactor is. We use it all the time to us. It’s second nature is part of our language. But I’ve used multifactor many times, you know, as a word and they looked at me like, mm I’ve heard it before, but I don’t know what that is. Yeah. You know. So. All right. So passwords caused by you disclosed for a week caused by them. That’s you know, one of the reasons why we make you or want you to change your password on a regular basis because even if you are the best password manager person ever, right? You you are a master of choosing the strongest best passwords ever. And you’re a master of not falling for phishing attacks or giving your passwords out to anybody. You still need to change your password because you do have to give it out to somebody in order to authenticate.
[00:21:55] Brad Nigh: Um Right. Yeah at some point it’s shared with
[00:21:59] Evan Francen: someone. Yeah you can’t you just can’t get away from that. All right. So one of the things that we’ve been working on, you know because we have the s to me at security studio and one of the things that uh Panesar lead developer started putting together a a new password strength slash score algorithm. So it’s not going to be the same as what you see in um
[00:22:27] Brad Nigh: I think it’s going to be swelling. It’s it’s similar to what the haystack link that I sent you. If you look at that I think it would be very it’s gonna be so in that same vein which I like more
[00:22:38] Evan Francen: Right one It’ll be we’re going to insert it in between your account creation and storage in the database. Yes. So we’re gonna run it through the algorithm so we’re never gonna know it other than theirs that brief, you know, split half second when it does get transferred from here to there. You know and that happens all in memory on the server and stuff. So you’re always gonna have that
[00:23:02] Brad Nigh: you can never get away from that otherwise you can’t indicate.
[00:23:06] Evan Francen: Exactly. So the but yeah so when you create your account We’re going to tell you hey your password score was 420 You know that’s on a scale of 350. So that’s not good. And then we’ll tell you why.
[00:23:23] Brad Nigh: Yeah. Right. Yeah. I don’t like I don’t like some of those password strength I think it gives a false sense of security. I agree. Right? Like let’s let’s give let’s look at it slightly differently in terms of you know how many combinations what are what’s good? What’s bad? Why is this not good or bad?
[00:23:46] Evan Francen: Yeah because a lot of those password you know testers and things online we’ll tell you well it takes x number of days to crack your password and you’re not really sure where that math comes from anyway. Because Like if you tell me it’s going to take three million years to compromise my password yet. Quantum computing is like on our doorstep You’re three million years is B. S. Right? Because you know computing processing speed calculations happen much quicker when you get quicker processing. So you know, So the way our math works we have 18 rules with weights applied kind of according to risk and we can manipulate it based on things that change in the real world. But number one rule number one and you hit a dead on is password length right? The good length. You know basically what would be You know essentially a six I’m not going to give away the math but Between would be in the good to excellent range would be password longer than 16 characters. If it’s shorter than 16 characters it’s not a good password as it gets shorter and shorter it becomes a worse and worse password. So That’s rule number one strong, strong as long Number two is only numbers and the reason why only numbers is important is because I’m sorry. Yeah, only numbers is because then that’s the only name space.
[00:25:17] Brad Nigh: Yeah,
[00:25:18] Evan Francen: yeah characters that we go
[00:25:20] Brad Nigh: Back to search probably grant in their training. If you think about it, you’ve got 26 upper case 26 4 case 10 numbers zero through 9 and then a special characters kind of vary but usually around 50 ish. So use all of those your upwards of 100 you know they there’s some good tools out there that will show you exactly that and say hey, you know, and I I do like that. I really think that’s a much better approach.
[00:25:56] Evan Francen: Absolutely. Yeah, that’s financial. Rule number two is only numbers. Rule number three is only lower case numbers are only lower case letters. So it has taken numbers out of the equation. Only if it’s only lower case letters. This is going to be, you know this calculation only uppercase letters. More calculation only letters. Um well what’s the next rule I have only letters character wait for passwords, another one. Mixed letters and numbers. So no upper lower case. So we’re still reducing that. We call it a key space you know the space needed to crack the password and then we usual seven so the number of times passwords are you know that we know about have been compromised in the breach. And I gave you one example of a place where you can go find that if you’re interested is have I been phoned? You can type in a password and see if it’s been that’s one place there’s multiple places where you can go to see if a password is already in the wild you know as part of a breach disclosure. Now the reason why that’s important is because if I was an attacker and I was gonna load up my tables I would make sure that I account for all those passwords that have been breached in the past in the past. Yeah and it’s just good seeds. Yeah. Uh does a password exists in the dictionary? So there’s two types of attacks three really nowadays but you know two primary types of attacks is a dictionary attack in a password crack where you go through the key space, you know you’ve got you know, combinations using rainbow tables and such. But if it’s in the dictionary that’s the fastest way to crack a password.
[00:27:32] Brad Nigh: Yeah. Yeah. You know to go to your point You can have a long password over that 16 character length and have it still be weak Right? Like you know I just put in there. That university of Illinois Chicago has a has something kind of it’s a little bit wonky to look at but 19 character all lower case and it really poor. It wouldn’t take very long to crack it because it’s dictionary words and it’s only 26 letters in each one. That doesn’t take long to get rid of.
[00:28:09] Evan Francen: No exactly. So you have to take into all these rules, there’s actually 18 rules but from a user perspective uh choose a long password. Right? And we use
[00:28:22] Brad Nigh: variety.
[00:28:23] Evan Francen: Yeah exactly. And even if you have a long password with variety at the end because we used to tell you to mix them up right? We tell you to put special characters inside of words as opposed to on the ends of words. That’s that holds more true in smaller shorter passwords but in longer passwords you still you know pushed that key space. So you’re usually okay.
[00:28:47] Brad Nigh: A thing that I like to um Uh huh A good example that really gets people’s attention. That makes it like, hey this doesn’t have to be complicated. Now obviously you’re not gonna want to use this but a phrase very famous one to be or not to be. That is the question right, comma spaces and a period you know that gives you a You know 41 or Let’s see I can’t I don’t even know what that is. Is search pages is 1.29 times 10 to the 79th. Okay. Uh that’s gonna take You know even looking at 100 trillion guesses a second, it’s going to take trillions of centuries to go through brute force right now that’s brute force. In fact password is being used and they know it it’s gonna be a lot shorter than that, which is why it’s so important to um you know use different passwords in different places.
[00:29:51] Evan Francen: Right okay. How many passwords does the average person have?
[00:29:58] Brad Nigh: You know? That’s a really good question.
[00:30:01] Evan Francen: There was a study that was done I think last year that said the average person has 100 passwords.
[00:30:11] Brad Nigh: Yeah so I looked uh closed it, hang on. Mhm. I have so I will say I do have I do share a last pass with my wife just because we do have a lot of joint accounts but there are like you said there are passwords, she doesn’t know she has access to it in an emergency but I have between the two of us. 100 Fiji Probably close to 200. It’s not a little higher.
[00:30:50] Evan Francen: Hi there I’m looking at my my password database right now and I have uh 317 passwords.
[00:30:59] Brad Nigh: Yeah
[00:31:01] Evan Francen: I don’t know how you could possibly do this without a password manager without you know and certainly given the other benefits with a password manager. A Good one. A reputable one. Uh It’s a an absolute necessity.
[00:31:17] Brad Nigh: Well and so I have uh 93 work in my work one. Oh wait, no more than that. That’s just over 100 on that one too. So you know between the two, how how what’s up?
[00:31:34] Evan Francen: No, no, it’s not man. And you know, you know benefits that I like about password managers as well as reminders to change passwords for certain accounts. I can put account, I can, I can organize my accounts according to sensitivity. So the ones that are more sensitive, I can put, You know, reminders to change them more often. Maybe every 30 days may be over 45 whatever my risk tolerance says. And then the other passwords that are just like, yeah, this is a test account somewhere. I don’t care if it gets compromised. I may not ever, but pastor managers allow me to do all that stuff or there are times when I’m like in a rush and I don’t have time to think of a strong pastor that I’m actually going to remember. I’ll have the password manager just create a damn password for me according to these rules and populate it and store it. And I’ll come back to it later.
[00:32:26] Brad Nigh: I’ll be honest. I almost don’t always use a generated password with and I will always do, you know the complexity, all four of those different um, character sets. And as long as you know the length that the longest length that whatever service will support. Right? Because I don’t have to remember it. So if it’s 50 characters. Great. I don’t care. I don’t I’m not going to be very worried about that getting broken anytime soon because I know it’s strong length and complexity to it but I don’t have to try and remember it.
[00:33:06] Evan Francen: Yeah that’s true. I mean you could put a gun to my head on most of my passwords and say disclose your password. I’m like I I honestly don’t know what it is
[00:33:13] Brad Nigh: right? Like I said I know like five passwords.
[00:33:17] Evan Francen: Yeah and I actually I probably don’t know how many actually. No no But the one I really no it’s just the one open my password state and I have forgotten that password before. Thank God. You know there’s recovery mechanisms because if I were to lose that and not have the ability to recover that password I would have my life would come to an end basically. I mean my digital life.
[00:33:44] Brad Nigh: Right Well and that’s why you know last past had that issue years ago where uh they basically reset passwords because they you know the passwords were compromised and because they were salted and hashed so it would be very difficult to actually get the passwords but you know they changed passwords. Well people couldn’t log in because they didn’t know their recovery email password because it was in last past. So that’s one of the things that I always like to recommend is whatever you use for your recovery mechanism, don’t he had, that is a separate password. Don’t have that story. You’re going to need to know that one.
[00:34:23] Evan Francen: Right. Right. And if you have to I mean truly if you have to uh write it down and store it somewhere safe in your home or the in a safety deposit box because the risk of being disclosed there is less lessened because you know, it’s not digitally, it’s not connected to the rest of the world, right? You know, I do know people good, really solid solid solid info sec people that actually store their master password or recovery password in their wallet,
[00:35:01] Brad Nigh: you know? Well
[00:35:02] Evan Francen: at least their risk tolerance, I’m not gonna, you know,
[00:35:05] Brad Nigh: I think as long as you don’t have you know the service of the what you’re using or the user name, the identifier. I mean yes, you could guess those things, but at least it’s somewhat safer. Yeah, I’m with you know, I wouldn’t do that. No.
[00:35:23] Evan Francen: So the average person has 100 passwords, I have a lot, you have a lot more than that. And so um when you think about it, you know a lot of these passwords have access to really sensitive parts of your life. Uh I think it’s a good idea for people because we we we advise the same thing at work, you know for you know, business clients you have to take inventory of these things, You have to take inventory where what identities do you have? Where are your digital identities? Uh And there’s no single tool that’s just going to go out there and scour the web and tell you what they all are at some point. You just need to and I wouldn’t even if you if you’ve never done that before, I wouldn’t even attempt to do them. All right. Now what I would do is say get a password manager or something like that where you can start tracking your digital identities and just start using it eventually it will start to become populated and you’ll have identities that you haven’t used in years that you probably you didn’t need any way. Maybe some of those might still be sensitive. But uh you know out of sight out of mind until something happens I guess on some of those we just won’t know. Yeah but you have to take an inventory of this stuff. Um I have an inventory of all my accounts and they’re all of my password, save the computers. Um All the computers that I use including my work computer, my home computer by multiple work computers. My ipad, my iphone I’ll have password managers on them.
[00:37:03] Brad Nigh: Yeah I’m looking through my personal one and I’ve seen some and I’m like yeah I probably haven’t used that one in 10 years,
[00:37:13] Evan Francen: Right? And some of those accounts, you know uh you know might be a good idea just to you know, I want to win and close it up.
[00:37:22] Brad Nigh: I’m sure that some of these have been kicked out because of an activity.
[00:37:28] Evan Francen: Right? And if you look up, if you go to uh you know, have I been postponed any type in my email address? You’ll see that my email address has been phoned in 17 data breaches.
[00:37:47] Brad Nigh: Mhm. I’m lucky. I’ve only had five.
[00:37:52] Evan Francen: Right? If I use my other email address it’s zero. So there are there are I mean if you get a little more sophisticated with your identities and things like that, I’ll use one email address for things for accounts and account sign ups where I expect 17 2030 data breaches over the lifetime of that I d then I have other ones where it’s like I only use this one in very sensitive accounts. And so if I ever did get an alert on that one, that would be a really big deal
[00:38:19] Brad Nigh: For 100%. I have really like for emails that they exactly that it’s whatever. If it gets postponed it gets boned, it’s nothing sensitive. You know, you know, log into I don’t know some some website to read news. Right. Right. Right. And then going up in sensitivity levels and they’re all different. Right? It’s not like there’s a pattern to them per se. So I I know and I will say I do use Gmail which you know it is what it is but it’s
[00:38:56] Evan Francen: easy to you’ll never get away from google, you
[00:38:58] Brad Nigh: know, but the one that I use that for the least sensitive things. But one of the things that I really like about that is you can do a plus and then something afterwards. So let’s just say my email is and this is not it. But if it was B and I at gmail dot com, I could do B’nai plus uh yeah, CNN dot com or CNN at gmail dot com or you know, the United Plus Washington post or WP whatever you’re logging into and gmail sees it all the same and then you can set alerts and if you do get it won’t, you know, who leaked it?
[00:39:39] Evan Francen: Yeah. Yeah. It’s like it’s it’s own little digital watermark. Alright. So in, you know, saying for, you know, everyday users, you know, we’re talking about things, you know, I think strategies that we use and I think for a couple of reasons, one we’ve been speaking this language longer, right? It’s not a question of intelligence or anything like that. It’s just a question of the language we speak, you know, the longer you speak at the more you master it. So, you know, we do stuff like this,
[00:40:11] Brad Nigh: you know, I think because
[00:40:12] Evan Francen: of that
[00:40:13] Brad Nigh: medical professionals parking medical and it’s just it’s what, when you do it and it’s what you do, it just comes naturally when you’ve been doing it this long,
[00:40:23] Evan Francen: right? And the thing with everyday users is that information security, some of this stuff that we’ve talked about in this podcast, our life skills.
[00:40:33] Brad Nigh: I mean at this point, yes, absolutely.
[00:40:36] Evan Francen: Yes. To managing your own identity, meaning taking inventory as much as you can about where your identity is being used. And I would start to start with a password manager and as you’re using the password manager, you will start populating with your identities.
[00:40:51] Brad Nigh: And so if you’re curious to now it’s not it was more aimed at at businesses, but a lot of them do you have uh free home um versions? See I’m trying to find it, we actually put together kind of a comparison of password managers because we get asked that so many times. So let me see if I can find that and I’ll give that, I’ll send that over to you here in a second. Yeah, you can send that out and the or
[00:41:26] Evan Francen: you can add and I never mind sharing what I use. I mean I get asked, I think more than I get asked about which one is a good one I get asked about which one do you use? I mean I used last pass like last past because it does span across different systems so I can use it on my IOS devices. I can use it on my Windows devices. I don’t know if it works on Lenox or not. I never really uh much account stuff from Roxbury. Yeah, so I like it. Simulators.
[00:41:55] Brad Nigh: Yeah, there’s, you know the other one. Uh, well we hear a lot, right? There’s a lot of of options. I’ve heard, you know, a lot of good things about dash lightning. Um one password is another very common one
[00:42:12] Evan Francen: when I think a lot of times to for people like don’t get wrapped around the axle about which password manager is the best password manager. Just use the damn password manager. You know what I mean? It’s like because you may ask me, it’s like which antivirus is best. Mhm depends on who you ask. Right? If you ask me and you might even depend on the day you’re asking me, you may have just had a crappy experience of last Pastor and I’m like, don’t use that one, right? You know, But so just use one. And then um, the question I get a lot too is because then we’re gonna go into multifactor. We’re going to multi factor really quick. But I want to talk about, are we going to be stuck with passwords forever. Okay.
[00:42:58] Brad Nigh: Yeah. I mean until we have some other form of authentication, you know, and biometrics to me is not good because you can never change it. So if it’s not implemented correctly and you’re algorithm, you get compromised. Like you need your fingerprint or whatever so that I don’t I’m offer biometrics as an identifier. Not as an authenticator. Uh, so, you know, you’re gonna have some form of this fur the foreseeable future. I mean unless you go to like a physical device. Right? Yeah I
[00:43:44] Evan Francen: agree with you. You’re you are going to be stuck with passwords forever. Uh Because when you think about ways to prove your identity to somebody else and that leads to our factors. Right? So there’s three factors and authentication today. Some some people will argue 1/4. But really there’s only three. It’s something I know something I have and something I am. And so there’s something I know peace is those are passwords. Now I could use something I am like you said like uh you know biometrics you know retina scan, a hand geometry scanner. You know, fingerprint whatever. But like you said changing those things is very difficult. So what happens if there’s a compromise of the image of my thumbprint? How will I change that?
[00:44:37] Brad Nigh: Right. Well and and the other thing is we talk about this and it will be a nice transition. But in the mentor program there’s my ability and security concerns with that because if you have diabetes that will change your eye or if you’re pregnant that can change things. And we’ve heard the stories of you know somebody that you know kept having to get their scan, I scan updated. It turns out they had diabetes and didn’t realize it.
[00:45:07] Evan Francen: Right? Yeah. I know there’s the geeky ones out there saying well they don’t actually store the image. They start the minutia right? So you’re not actually storing my fingerprint image which are storing is mathematical calculations from the world’s and things on my fingerprint. That’s true if you’re playing by the rules but you know that there are people out there who take shortcuts all the damn time. So everybody who’s using but you know that as authentication. Are they following their rules? Are they strong my whole image Because if they’re strong my whole image boom gone
[00:45:42] Brad Nigh: well and not only that but we know people aren’t doing it right. How many password breaches have passwords stored in clear text? You hear about that all the time. That’s that is development. And one of the one like if you can’t do that you shouldn’t be a developer, you shouldn’t be putting out anything. And we still hear about it. So how how can I trust that these companies are are storing that data correctly.
[00:46:09] Evan Francen: Exactly. Exactly. So so and then that that third form something I know something I have. Well that changes right? I can lose things. I can I can pick something up and put something down. Now. I know there’s been discussions about you know implants putting implants into people and things like that. Sorry that’s not going to happen here. You’re not putting an implant into my body that you can use for authentication. I don’t trust you
[00:46:37] Brad Nigh: right? And then it leads to a whole another host of of concerns and issues you have to deal with. Right. The organization not just as an individual.
[00:46:46] Evan Francen: Exactly. And so if those them, so getting away from those things like uh passwords are just they’re not going away. I don’t see it happening. What I do. You know, you see things like um, you know large global single sign on, you know, efforts, things like that where I just need to authenticate with a centralized service and it we’ll authenticate me to everything else that still doesn’t get you away from passwords. Maybe it’s it’s less passwords but you still have to have passwords.
[00:47:18] Brad Nigh: I mean it’s similar to using a password manager. You don’t have to know those passwords. You still have to have the password though.
[00:47:26] Evan Francen: Right? Exactly. So when we talk about multi factor authentication, we’re talking about two of those three factors. Right? Something I know something I have. It’s something I am and you can put them in whatever order you want. You don’t need to get technical about which order they go in fun. And I love using the example because people can relate to it. Most of us have gone to the ATM machine before. That’s multifactor authentication. Right? It’s something you have the KTM card and it’s something, you know with your pin
[00:47:57] Brad Nigh: number.
[00:47:58] Evan Francen: I only have one of those two. I’m not getting any money out of the A T M I need to know birth. Exactly. And so the same thing applies when I go and browse the internet. You know the multifactor authentication. It’s going to be something I know which is typically a password or passcode and then it’s either going to send uh maybe a text to my phone. Maybe I’ve got a key fob, maybe got a UBI key, I’ve got something else that’s going to be required for me to complete that authentication sequence. Yeah. And I don’t want to get into the wrapped around the axle either about well but you know sms you know second factor is weak, weak, weak and it’s like okay it’s I get it, you can crack it but it’s stronger than just using your damn password. So I actually got to start start there.
[00:48:45] Brad Nigh: Right? Yeah. Again it’s not ideal but it’s better than nothing, right? You know and luckily there are some really good um authentication apps, you know Microsoft has one google obviously has one last pass I believe has one, you know most of password managers have something like that that are free, right? They’re really easy to set up. If you go to these sites, they put a QR code a little funky square like
[00:49:14] Evan Francen: google authenticator right? There
[00:49:16] Brad Nigh: you go. Um But they’ll have that QR code, you open your password, uh your authenticator app, hold it up to the screen. That’s it. It’s super simple to do. I mean you know uh The way I like try to do training is because it is easy to talk over people uh do it like I’m talking to my mom, right? I try to imagine that love her to death. Not technical. She was able to do it. So you know, I know you can do it right?
[00:49:50] Evan Francen: Oh well that’s it man. You know, and if you need to start with smS and that’s when you feel comfortable with feel free, you know, start there, you know, most of the attacks against sms, you know that have been successful. Well, I mean it was sim swapping attacks, right? So you would know when to swim a sim swap happened because your phone would stop working. Right? That’s a telltale like why did my phone stop working? And you call the phone? They’re like, well because you know, whatever, it’s pretty easy to figure that out pretty quickly. Um So yeah, anyway, I think this was a good discussion because I think that we take for granted passwords a lot. We just assumed that people know, you know, a lot of these things I don’t like passwords. I don’t think anybody likes passwords because they’re a pain in the ass. Right. I mean 300 passwords, are you kidding me? All right. What’s up the password manager? It makes life simpler. I don’t like when my password manager times out, which means, you know, I’m browsing the internet and I have to re authenticate with my damn password manager again. Is that password as hard as hell to type every time.
[00:51:01] Brad Nigh: My mind is like 28 characters but it’s afraid you know and then I not just a phrase it changes. I have some uh basically assaulting you know adding some different characters to the beginning and the end to change what the hash looks like. But kind of core does say they’re saying because It’s you know 24 character it’s gonna be really hard to figure out.
[00:51:28] Evan Francen: Yeah absolutely. So there you go there’s there’s the guidance on passwords. Yeah. Other things I wanted to talk about just briefly and then we’ll get to some news because we’re coming up against time. The C. I. S. Sp mentor program, the fr securities free family who hasn’t listened to us before. It’s 100% free. There’s never strings attached. We don’t you can sign up with a bogus you know name. We don’t care right? It’s the ability to help people get prepared for their C. S. SP or just learn more about security. We have tons of people who take this program that never ever take the exam. Well that’s fine.
[00:52:09] Brad Nigh: We’ve had sales people and you know well Renee took it last year. Uh Ceo odds are very high. She will never take the exam but it makes her better at her job so you get a lot of people that that do. Exactly for that reason and I’m all for it.
[00:52:27] Evan Francen: Yeah me too man. So this year as of yesterday morning we were told that there are 4,701 registrations in that program today. That’s very awesome.
[00:52:38] Brad Nigh: Mind boggling. We, at this point we have more this year then all the other years combined.
[00:52:45] Evan Francen: Yeah. Last year was the record at what? 2400 something?
[00:52:48] Brad Nigh: 23, right in that range.
[00:52:51] Evan Francen: Yeah. So it’s really cool. Uh, the instructors are, you know, me, you and brian,
[00:52:57] Brad Nigh: so a lot of moderators, a lot of people helping out behind the scenes. You’ve got, you know, Charles has volunteered to help out this year. You got chad Ryan and Lori that have all done it in the past. Megan’s helped out. Yeah. Patsy I think has helped out as well. So yeah, it’s a team effort.
[00:53:16] Evan Francen: Super cool man. The program keeps off 20 days from today. So that will be the first class. It’ll be april 12th at six I think PM Central daylight time.
[00:53:29] Brad Nigh: I’m not doing security models this year at Ryan’s.
[00:53:33] Evan Francen: Yeah, we’ll see man. I don’t know. We’ll just see how it flips out. But yeah, we’ll give it to Ryan. I know I’m not doing it. I did it the first, You know, 7, 8 years. I don’t, I don’t want to do it again. Uh, so we’re pretty sure we’re gonna top 5000, which is, which was our goal and we’ve got people who have been recruiting, you know, also, you know, I got a couple of nonprofits that have, you know, you brought it up to their membership because it took a long time to get this level of trust with people that like, no, really, it’s free and there are no strings attached.
[00:54:07] Brad Nigh: Yeah. I mean, people asked why and you know, I actually had somebody harassing me almost about trying to monetize the podcast and I was like, no, that’s not the point. Like for me, it’s getting back and helping mentor because I didn’t have that and it would have made my life so much easier. So if I can help somebody else, why wouldn’t I give back? It’s only going to make my job
[00:54:32] Evan Francen: easier in the long run. Exactly when it always goes back to me to about priorities, right. If you focus on the mission, you will make money. If you focus on the money, you will not make the mission. And I just, I always have to keep, because I’m human being, just like everybody else, man, I got things that, Ooh, that’s cool Brent blinky light thing, I’d like to have that, whatever. And if I focus so much and then then I’ll compromise other things. Whereas if I focus on the mission, I find that, oh, I’ve got money for that now or you know what I mean? It’s just like given that just
[00:55:03] Brad Nigh: great, I mean, yeah, do it right and roared will come.
[00:55:08] Evan Francen: It’s absolutely true. Uh, that’s good stuff. And I just want to mention some new things that we’re doing at security studio which is kind of cool. We did uh we developed actually develop this a while back at the was sitting at um with the sea sort of a really really really large multinational company and I asked him what his biggest challenge was and he said it’s accountability and I said let’s talk about that. So we end up white boarding it and we came up with the way to assess risk in these types of organizations and then force accountability back through the pipe is to do nested entities which means instead of a single risk assessment we have many many many risk assessments and they’re all related to each other and how they’re related to each other and all that stuff. So that was finally pushed into production. Uh
[00:56:00] Brad Nigh: All right.
[00:56:01] Evan Francen: Yeah. Yeah that’s kind of cool because I think it’ll really help with the States.
[00:56:06] Brad Nigh: Well I have one multinational company that’s a V. C. Cell that has 40 or 50 offices. Nice, we’re I’m going to be bringing that up to him and saying, hey let’s let’s work on getting these figured out because it’s going to make it make visibility right? I really like you said,
[00:56:26] Evan Francen: yeah when I’m very very very interested to hear your input to as you work through that, you know what I mean? Because now we’ve got to take it to the next level which is you enabling dynamic movement because companies merge you know cos divest pieces of their organization. So being able to almost like you move tiles around on a board. You know being able to move those kinds of relationships around. Yeah. Uh That would be pretty fun. Uh Yes to me instant score actually made that this weekend. That’s pretty cool. So what that is is essentially rather than having to go through the entire assessment you know which it’s not that bad it’s like 10 15 minutes. But people don’t like 10 15 minutes. I like They don’t even like 10/15 for waiting for something. So when you create your account it’s gonna be a user name and I’m sorry first name last name, email address and password to create your account and through all of that will create an s to me instant score based on Probably 20 yourself criteria
[00:57:31] Brad Nigh: have if the email shows up and have been toned if the password shows up in these very cool
[00:57:36] Evan Francen: and stuff and stuff we can scrape from your browser.
[00:57:40] Brad Nigh: Yeah good point.
[00:57:42] Evan Francen: You can find your source type we can tell you based on your source type whether using a VPN or not. Probably uh We can also tell um geo location to some extent. Um And then give you some crime rate information, international threat data. Very cool. Yeah but I tell what operating system you’re running uh not individuals. So if you’re running Windows me that’s gonna knock your score down quite a bit
[00:58:10] Brad Nigh: of an out of date browser.
[00:58:12] Evan Francen: Exactly, yep. So it would be pretty fun. I’ll share that with you. You know, the math for that one and the next two pcs coming
[00:58:19] Brad Nigh: to the game. That’s gonna be awesome.
[00:58:23] Evan Francen: Yeah. And I was talking to the development team this morning about that and they’re like, yeah, you know, because I’ve been pushing them, I’m like, where’s that? You know, these guys need it, they’re ready to go with it. Like, well, you know, we’re, we had to cancel, I think a demo because they weren’t ready and I’m like, well, like that’s gotta stop. Yeah. So, all right, news, I’m gonna hit it really quick. The first one is uh, the title is computer giant Acer Hit by $50 million dollar ransom wear attack. This comes from bleeping computer. Yeah, nobody’s immune. This is our evil thank you. Already, you’re bunch of jerks. Yeah, but I also, uh, so I mean that’s, that’s why it’s newsworthy because I’ve never seen a surrogate hit the ransomware attack before.
[00:59:17] Brad Nigh: That’s big, big company.
[00:59:20] Evan Francen: Yeah. And yesterday I shared one of the things that I’ve been using for a while and I didn’t realize that I said, I sent it to Oscar and he’s like, oh yeah, this is Goldman. I’ve never seen this before. So there’s a link in in the show notes too. A list of amputee groups and their operations, it’s a list that’s maintained by a group of a group of people and uh, it’s some really good quality information there. So, in terms of like, ones originating from china Russia, you know?
[00:59:53] Brad Nigh: Yeah, this is amazing,
[00:59:56] Evan Francen: right? So I figured that clark Exactly, and you can download it to him, you know, And I’m guessing if you wanted to, you know, in your own eye, our work, if you wanted to contribute, you can reach out to one of those, uh well, those folks there and contribute to. Yeah, it’s a good, really, really good resources. I’m trying to figure out, you know, sometimes we’re trying to figure out like who is this group, and I wonder if they’re listing somewhere and what attacks might they be associated with according to, you know, which vendor
[01:00:29] Brad Nigh: it like this exchange where, you know, you can identify a pts groups that are exploiting that known? Well, our IOC is going to be good across all time. What should we be looking for? What type of behavior? So that’s going to be really nice.
[01:00:49] Evan Francen: Yeah, I didn’t realize I didn’t show it. Really. I got that. Alright. I think chris roberts had given that to me a while back.
[01:00:55] Brad Nigh: Fantastic.
[01:00:57] Evan Francen: Yeah. So, anybody who wants that list go out there, It’s it’s a public list, so you can grab a copy if you want. Uh, the next article I’ve got is, and this one takes me off of it because I hate anybody who attacks. I mean, the big thing, the big motivator for everything about security for me is I cannot stand people taking advantage of other people. The worst damn thing ever. When, when you take advantage of the weakest of us, it just gives me that much more anger. And so this one from threat post is critical security bugs fixed in virtual learning software. This is the Netapp application and it affects our kids. Right? So that’s why I get ticked off about it. they were disclosed to net up in December 11 and they weren’t patched until late february. So about, you know, so it’s a couple of months that they sat there sort of open and did anybody know about it, you know, was was are there any breaches associated with it? I don’t know. But the fact that it’s sad their ticks me off. Yeah, two kids. And then then that app software, I think it’s used for controlling your students, uh computer, you know, for the teacher. Right? And this one, the last one is from beta News, three billion spoofed emails sent each day. It’s lower than I expected. Yeah, me too. I think I get probably half of those. What uh the part that takes, this is another thing that just irritates me, you know, we have demarche Denmark has been around for a while now. And the market just a to validate the identity of mail systems and mail servers, you know using DNS and other things that would significantly reduce the number of these emails And I just got a just got a message right now, we just hit 5000 sign ups the CIA’s history Alex just to send the message now. Uh so if you’re not using demark use the mark for crying out line, right, and now I’m gonna go now watch, I’m gonna go do and then let’s look up on our secure and find out we’re not, you better be, we’ll find out.
[01:03:24] Brad Nigh: I’m trying to remember. I know we hadn’t been, we were using what’s the other one? Um
[01:03:31] Evan Francen: Oh yes. Policy
[01:03:34] Brad Nigh: forward. Yeah, so we have that in place. Um and Jeff is, that’s one of the things on the road map. I just don’t know if he’s gotten to it yet.
[01:03:43] Evan Francen: I’m gonna look right now when I look at what we’re done uh because there is a demarche analyzer, if you’re not sure there’s plenty of sites out there that will test your demarche to make sure that it is implemented correctly, so feel free to go do that. Oh my gosh, that’s it. Good talk. Thank you brad. Seriously brother. So good to see your face again. I’m happy that you’re back. Happy that you’re healthy. Uh and thank you to our listeners. You got any shout outs for anybody this week.
[01:04:11] Brad Nigh: Yeah, I actually got a couple. So first um thanks shout out to Ryan for, you know, covering last week. Um shot to my family for putting up with me last week and then shout out to all the people helping with the mentor program behind the scenes. I mentioned some of them but Brandon and Alex and jess and just everybody that if I didn’t mention, you know, I appreciate all the help makes our lives much easier.
[01:04:41] Evan Francen: Absolutely, yeah, I’m just going to give a shout out calm, have a generic one to you know, to all the people sort of behind the scenes that you know, sit behind the keyboard all day long every day trying to fight the good fight during the battles and but you know a lot of times people don’t realize the work that’s going on behind the scenes. You know, certainly you know somebody to get a hospital patient for instance who walks in the front door. Um they just assume that somebody is protecting their identity, protecting their health care information and everything and you know, people are doing their best to try to do that. You know, they will get any accolades, They won’t get any like, hey thanks for protecting my identity. You know, it’s just those people, you know that’s my shut up. Alright, so thank you to our listeners, send us things by email at firstname.lastname@example.org. I’m gonna go check that mail box soon. Uh if you have, if you’re the social type, you want to socialize with us on twitter. I’m @EvanFrancen, Brad’s @BradNigh, we also have other twitter handle, twitter handles for places where we work on security. Twitter is @UnsecurityP security studio is @StudioSecurity and FRSecure is @FRSecure