Thycotic PAM, IT and Cyber Security Podcast

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.


Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 1

Busting Password Myths

EPISODE SUMMARY

In this podcast, Joseph Carson from Thycotic and Mike Gruen from Cybrary dive deep into the world of passwords to celebrate World Password Day. We’ll examine password best practices, fallacies, and envision a future without passwords. Our resident white hat hacker will even share how long it actually takes to crack a password.


Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:

Welcome to the 401 Access Denied Podcast. My name is Joseph Carson, chief security scientist at Thycotic and co-host of the show. This podcast is all about making cybersecurity easy, usable, and fun. Come back every two weeks to listen in and learn about what's the latest news, or even submit your own questions via the community.

Mike Gruen:

Welcome, Joe, back again. Today, we're going to be talking about passwords, and authentication, and authorization.

Joseph Carson:

Absolutely, and it's a pleasure to be here. This is one of my, probably, most passionate areas. It's been one of my pain points for many, many years and is something that I've been researching a lot on. I've been looking into different ways, and technologies, and innovations, how to really reduce the pain just that little bit further. Because passwords today, while it is our way to access things, but it's also one of the most challenging and painful things. That's actually, probably, for most people it's probably one of the biggest things for cyber fatigue in many employees and people around the world.

Mike Gruen:

Yeah, I agree. Passwords is one of those things that I'm super passionate about. I think probably a great place to start would really just be, what are we talking about? What do we mean by passwords, and what does that encompass?

Joseph Carson:

Absolutely. I mean, one of the things I always look at, I'm very embedded in the digital world, and I always look at things digitally, but for me, one of my things, through my education past, the way I've always looked at things is to try and see, what does that look like in the physical world? That's why when you go to events, that's why you see people passionate about things like lock picking, because lock picking is really that essential. Once you see it in a physical sense, it helps you adopt that to understand it better in a digital world.

I mean, passwords have been around for centuries. They're nothing new. In the past, they used to be called passcodes, or passwords, or passphrases. They were also called watch words. Abracadabra, open sesame, all of those famous things you see in the movies have all came through history because they were really to verify and authenticate people who should be there.

It was to open doors. It was to gain access to things like vaults, so in the physical world I'm always looking to that in order to better understand it. Then I try to convert that into the digital sense. Then we get into the digital scenario, since passwords have been around for a long time, they're very cost-effective, they're very cheap. The problem is always that exchange, exchanging passwords, making sure only the person and the system are actually knowledgeable of it.

But passwords in a digital sense have been around since, I think it was the 1960s. It came really from even the late '60s, early '70s, where Robert Morris was looking at how to make sure that multiple people could use a Unix operating system. Therefore that it wasn't just you type in a username and you gain access, that you wanted to have that shared system and shared experience within these mainframe. Therefore introduce, back in the Unix, the first generations of digital passwords.

For many years, and even still today, the password is the difference between a cyber criminal, an attacker, gaining access to sensitive data in a digital sense. We really haven't come a long way, a lot of the best practices really haven't evolved that much. We're really getting to a point where there's been a lot of discussions about the future of passwords, where they're going. But there has been a major difference since around, I think, the late '90s, early 2000s.

Because during that time from the '60s and '70s until the early 2000s, most of us really only had one password to remember. It was just one. But in the last 20 years with social media and internet services, the acceleration of those accounts, we've actually gone from where it was the first 10 years up until about 2010, where maybe we had to have 5 to remember. But then the internet boom, social media, new internet services means the average person has somewhere between 30 and upwards of 100 different passwords they need to remember. This is what's accelerated the pain.

Mike Gruen:

Yeah, definitely. I think talking a little bit about the history and where things are going, I think one of the things that's really, so much is based on that original '80s, '90s Unix system, or in '60s, eight characters, this and this. So many best practices started there, and then we sort of didn't really evolve in thinking about passwords, and their length, and how that actually is more important than say their complexity and things like that. I think there's a lot that's sort of locked up in this historical, where did passwords come from and how did we get to where we are?

Joseph Carson:

Absolutely, because the concept of passwords was that they looked at best practices from individually into, this is the best practices for a password.

Mike Gruen:

Right.

Joseph Carson:

But they really didn't think of it as a collective, as you've got tens of, 50, 100 passwords you need to remember. That's where password best practices really need to evolve, is how to remember the mass, how to remember the collection. This is really what the challenge has become. Where really, probably the worst practice and bad hygiene that people have is reusing passwords. Reusing a password is probably what, for most people, causes them to become victims of cyber crime.

Mike Gruen:

Right. That, and I know people and I used to have to ... As someone who is responsible for security, I would have to remind people not to do this, which was patterns, right? Like, "Oh, every so often I have to change my password. So it will be fall 2019, then it'll be spring 20 ..." whatever, and so if you figured out what the pattern was you forever have access to their account.

Joseph Carson:

Absolutely. It's even these small variations, there's so many password cracking tools out there. As long as you've got one example in the past of a used password, what you can do is based on the knowledge of social data or personal information that's available publicly. What was crazy the last couple of years is you get into what used to be the security questions. That was how you reset a password.

Mike Gruen:

Toyota. Sorry.

Joseph Carson:

Absolutely. It became what was your first dog? What was your pet name? What's your favorite book? What's your mother's ... All these things are ... Then what became the craze was, is that then the surveys came. All the surveys were, what was your first concert? What was your first car? All of the things related to security. You're simply, just to participate in the survey, you're giving up all the answers to security questions. That's the most ridiculous thing that I've ever seen. I mean, one of the guys, Rick Ferguson I always loved his comment, is that you don't always have to be honest when you're answering the security question.

Mike Gruen:

Oh, yeah. No, mine are totally non-sequitur. What's your favorite dog? The New York Rangers. Not that I use that because everybody knows I'm a Rangers fan, but that type of thing, just try to make it as non-sequitur as possible. Then use a secrets manager to keep track of, what answer did I give on that particular place if I had to give one?

Joseph Carson:

Absolutely. In addition to that, one of the things that when you have to remember not only the history, and some misunderstandings as well as some people say use, for example, pass phrases instead of passwords. But that's incorrect terminology because ultimately the password is the top level entity. Actually above a password is what's known as a secret, and a passphrase, and a pin, and a passcode, all of those are variations of methods of creating passwords.

What we're teaching them to do is make a better password. That's what the actual usage and terminology… passphrase comes from, which really means is you want to get the password as long as possible. Those are techniques of creating them. Then also there's a lot of misunderstandings as well as, we have to make sure that, one is usernames is really the identifier. That's where you get into. Then it's the password, which is really the, let's say authentication or the verifier portion so the heart of the system really knows that you really are who you say you are. The problem that we've got today is that anyone who's created a login system, and those 30 to 100 that we all have to remember, in my case it's ridiculous, I've got well over 500 at this point because of penetration testing and ethical hacking, you had to have different identities and personas.

But with that we look at, not all systems have created them equally. There's no standard. You can have simple things where it accepts anywhere between 4 to 8 characters. You can have systems that accept up to 64. I think the maximum is somewhere around, I think it's 127 as the maximum size of password you can create in a Windows system. This really gets into that, yes all systems have these various different complexities, sizes, lengths. Some require only numbers, some require, characters, some required lowercase only. The problem is that that means that we get into these situations where whatever the system that takes the least type of security controls, sometimes becomes the baseline of all our other passwords, which is a really bad practice as well because there's so many tools out trip to guess and to crack those passwords.

Mike Gruen:

I also think, though, that when you start adding all of those additional constraints on, it's actually limiting the space in some ways, right? Like, oh you can't have this, you can't have that, you can't have two letters that are the same in a row. There's a point at which some of those constraints are just making it that much harder to create a password, remember a password, and then also eliminate some of the space.

Joseph Carson:

Yeah. Complexity doesn't work. Frequent rotation doesn't work, especially for human interactive types of passwords. That just forces people to use simple, common, easy to remember, easy to guess passwords.

Mike Gruen:

Or write them down.

Joseph Carson:

Yeah, or write them down. In some cases that's not a bad thing, as long as they store them in a secure location. For people at home, writing them down in a notebook and keeping it in a locked drawer is perfectly okay. It comes into, what I will say is that, choosing the right solution method is always about what you're protecting and where the access of that protection starts and ends. It's all about what you're trying to protect with the security control. So in some cases writing them down, for people who live alone, and putting them in a locked drawer, is perfectly okay. If you're in a shared area and you've got people that might have access to that, then that's probably not a good thing. You may want to then, for individuals at home, elevate into a password manager and use something that allows you to then create all of those passwords, let's say using system generated.

Because the worst thing that I ever see is, we should never let humans create internet account passwords. This gets into the problem, because when you let humans create them, we create the easiest choice possible that's easy to remember, and sometimes small variations of the previous ones. Where humans are allowed to create passwords is somewhat inheriting into the problem as well.

Mike Gruen:

Let's talk about password managers a little bit. I'm curious, what are some of the key features you would say you would look for in a password manager?

Joseph Carson:

In a password manager, I mean, some of the key features is really that central vault about being able to make sure that you have them all locked. Sometimes keeping them in the operating system, keeping them the browser that means that once again, access to the system, you've got access to all the passwords. That sometimes is not a good approach. It might be okay for individuals, consumers at home. But it means that you're locking all of your accounts equally, meaning that your bank, your Twitter account, your Facebook, and all of those social media accounts is equal to all accounts. It means, is that you want to also make sure that you can create different types of security controls for all of those.

Putting them into what's more of a focused, dedicated password manager really allows you to get that centralized vault. It allows you to auto-populate so you don't have to type them in. We have these auto-fill forms as well. You want to be able to share them with people so that they have access for a period of time. Maybe you're on vacation, maybe you're away, maybe you want somebody else to access an account for you. Making the ability to system generate passwords, giving you known integration with vulnerabilities, for example, where passwords are being compromised, therefore you might change them. Or giving you also password strength and password age, and integration into things like two-factor, multifactor authentication is also important.

But as we grow those number of passwords that we put in, reporting and… is also increasingly becoming more important as well. Then become multifunctional as well. You can start putting in identity information, or connecting information, or you can start organizing them. You can put more information into those vaults. A lot of those features are really about the basic, and then the ability to show them through multiple devices becomes important as well, as we have-

Mike Gruen:

Yeah. The multi-device one, I think, in this day and age is one of the more important ones. Whereas in the past, right, if you had encrypted file or whatever, it was just local, that was probably fine to a point, but now there's so many different devices. I also think one of the features that it's definitely on the more advanced side, but that I'd like to look for is, can it actually automatically rotate passwords for me pretty easily and stuff like that, and manage that for me so I, again, I just don't have to worry about it too much.

Joseph Carson:

Absolutely. In that case what you're really moving into is more the small business, medium business, or even large business side of things. What you're really thinking about is getting into privileged access management. Password managers are good for consumers and good for individuals, but when you get into for businesses, you need to move beyond password managers. Because password manager, what you're really doing is you're still delegating accountability and responsibility to the employee.

With privileged access management what you're doing is you're taking that centrally. It means you're getting consistent security. You're getting more accountability between the auditability as well. You're also getting scalability, integration into enterprise type tools whether it be Active Directory, or SIEMs, or vulnerability scanners, and so forth. It also gives you, in many cases, an API that allows more automation. So yes, absolutely, as you get into more of the business side, privileged access management gives you a much more enterprise-ready ability to rotate passwords to the point where my goal is always to get the disclosure rate of passwords to be as minimal as possible. Because your disclosure rate also means who has access to what, and you want to keep that as minimal because that reduces the risk, ultimately, of not just external types of threats, but also insider abuse as well.

Mike Gruen:

Right. And I think, raises an interesting point when you talk about access controls and the notion of least privilege, right? There's the making sure that people who are admins should have admin access and so on and so forth, that's sort of that escalation, but there's also the, how much should you have, if you don't have a use on that system, maybe you don't have an account on that system. I think that's one of the ones that people frequently overlook when they think about least privilege, is-

Joseph Carson:

Absolutely. Least privilege, for me, has been one of the areas that ... I always look back, I was a data center domain administrator 20 years ago. This was really where I moved into really focusing on passwords. Because as a domain administrator I was responsible for a hundred thousand servers, and I had one account that had access to everything, across multiple companies.

I remember going into the data center cages and I had to go through the security gates with people, armed guards, and had to go through all these IDs, and I had to get the key, and the big furry coat on and ear muffs, these cold data centers. I remember I had to get into the gates, you'd be locked in the cage, and of course that was the only cage you're allowed into at that time. Everything was, in the physical sense, completely segregated, isolated, separated. But I could go home and get on my laptop, open up the VPN connection and access whatever I wanted.

What happened was at that time it really made me realize that I was that stopgap between compromise and security. That made me realize that I should never have that access all the time, every day, every time I access a system. It made me realize that we do need to get to where no one's a domain administrator. No one's a local administrator. What we have is, we operate in standard accounts. I do this practice at home. I operate on a standard account and anytime I need to elevate, I actually have to give the right credentials in order to gain that elevated access.

This means that there should be no domain administrators. We should be elevation on demand. That's what… to that least privilege approach, meaning that we only have access to that system or that application when there's an authorized business reason, justification to do so. That reduces abuse, and it reduces the ability that attackers elevating and abusing accounts more and more. Least privilege is really the gold standard of where we really need to get to.

Mike Gruen:

Right. I think they also reduce just human error. I remember my first lesson in why having all the users on their Linux systems, all the developers were admins on their boxes and that was the account that they frequently used. When one of our users was reformatting his machine, he forgot to unmount something and started reformatting our entire repository. It was like, whoa. Things like that, you realize, you learn the hard way sometimes.

Joseph Carson:

Absolutely. I've got so many war stories of those scenarios over the years. I mean, I've seen, you probably remember tools like rapid deployment solution or ghosting. You probably remember ghosting, those were some of the solutions I was responsible for. I used to run the support services for those products. I've had so many, I remember administrators dragging and dropping an image file and missing the folder because of the latency rate between the interface and the target. They dropped it onto basically all computers. Within seconds, PXE boot, all of thousands of machines being re-imaged at once. Those scenarios, when you think about it, that's where privileged access, least privilege prevents you from doing those things.

Mike Gruen:

Right.

Joseph Carson:

That's what … want to do is to prevent those accidental mistakes as well.

Mike Gruen:

Yeah, exactly. I mean, I have a similar story with my first job back in the '90s when web servers, back then people would run web services as root. That was common. That was a practice, right, because it needed to run on privileged ports and whatever. So you needed to install our software as root and sometimes really bad things would happen if the software that I had written, which was the install software, if you didn't answer the questions right some really bad things would happen.

Joseph Carson:

That's always important. There's some innovations and stuff, things that's been happening, and there's some prioritization. In the industry we're seeing, of course, a large adoption of things like single sign-on. The biggest mistake that many companies make is they see single sign-on as a security solution, but it's not. It does help reduce cyber fatigue. It helps people have to remember fewer passwords, and it helps provide them one account that allows them to log into multiple services, but it's not security. It's going back to that, similar to the password manager side of things, it's giving you one key to many doors and many rooms. It means that when you do single sign-on, it's important that you enhance the security at the same time, you complement it with additional security controls.

Especially if you're getting into single sign-on that leverages things like biometrics you want to make sure you additionally add things like two-factor, multifactor authentication at a minimum. Single sign-on, that's some of the approaches that people mistake and they see as a security ability. In fact, what it's really doing, it is reducing cyber fatigue, it's reducing the amount of passwords a person has to remember, and has to maintain, and enter. But at the same time, it's one bigger door to many different services that that person has access to. Therefore it means that you have to be more cautious about things like bottling and those things. It's important to look at single sign-on as, definitely it is something that organizations should do, but they shouldn't see it as a security measure.

Mike Gruen:

I agree. I think it's mostly convenience. Another thing, the one security benefit, I think we see, we get out of our SSO system is that when we terminate an employee their access is at that point terminated for 90% of our systems that we can connect to that SSO.

Joseph Carson:

Absolutely. It helps with the provisioning, onboarding, and deprovisioning.

Mike Gruen:

Right, but that's about it.

Joseph Carson:

Absolutely. That process becomes-

Mike Gruen:

Exactly, but that's where it sort of begins and ends. Even then SSO, and this is the way Cybrary has implemented right now, it's one of those things we want to move more on is towards SCIM where we can do the auto-provisioning and deprovisioning. There's plenty of systems that support SSO but also allow the user to continue to log in with the username and password, so even after they get deprovisioned from our SSO, our identity provider, they're, theoretically still have access to that account if they remember the username and password.

Joseph Carson:

Yeah. I think that's important as well, especially as people change roles in organizations, that this gives you the automation to make sure that ... What used to happen is, you used to clone accounts for people, or add them to the same group that people's been in for years. You have this overly amount of access and privileges rather than building it up to what their job was specifically for. That's just really important. That's where identity access management and SCIM really allows you to make sure that you're provisioning for the job that they're doing, not cloning existing people's access and giving it to a new person. That really helps out especially as that person moves through the organization over years, it makes sure that they had the minimum access, but not overly privileged as well.

Mike Gruen:

Yeah, definitely. The removing access, I can't remember all of the systems where I would just accumulate more and more access. Nobody ever took anything away. They just kept on giving you more. Well if we trusted you back then, why wouldn't we continue to trust you?

Joseph Carson:

Yeah, absolutely.

Mike Gruen:

You sort of touched on ... I'm sorry.

Joseph Carson:

Yeah. There's probably biometrics as well. I touched a bit on biometrics. This is a pet peeve of mine, and I've actually seen it more and more even recently, is the end of passwords, biometrics will replace passwords. We've heard it many times, over and over from different people. Different organizations have said the end the passwords is near, biometrics will replace them. This really gets into, is that this is actually a myth because biometrics do not replace passwords.

Mike Gruen:

Right.

Joseph Carson:

That's fundamentally, they're not secrets. The fundamental of a password is the definition of, it's a secret, by the utmost definition. It's a memorized secret. Biometrics, they're not secrets. They're something that you have. Fingerprints, your facial scan, whatever it might be, what biometrics do replace, is they replace usernames. They make a stronger, better, harder to replicate username, which is good. I do see biometrics replacing usernames.

They don't replace passwords. It means that yes, with a stronger username, you can complement it with additional security controls, whether it be simply a PIN, much less to remember, but complementing that harder to replicate, harder to clone biometric. Absolutely. Then you get into things like push notification, push authentication, multifactor authentication, and privileged access. All of those things should be combined. Of course, depending on the risk, the more security controls you require. That's ultimately what you get into. Biometrics do have a place, but it's replacing the username, not the password.

Mike Gruen:

Oh, no, yeah. I agree. I think of the biometrics as being a secret handshake, right? You want to be part of a secret organization, there's sometimes a handshake or whatever, but it's not all that secret, and that's not enough. It just identifies you as being a member of the club. It's not really particularly secret. Are there any other myths that you see in the space?

Joseph Carson:

Absolutely. Another one, and I overly comment on this all the time, it really is that we're moving to a passwordless world. This really gets to me, is that it's also incorrectly assumed. People are assuming it wrongly. We're not moving to a passwordless world. That's not happening. Passwords are going to happen in the background. What we're doing is we're changing the interaction between the employee and the password, that's what's changing. In definition, we're not moving to a passwordless world. What we're doing is, we're moving to a less password interaction world, meaning that yes biometrics will help with that augmentation, that complementary side of things where you're actually able to identify better, but what you're doing is you're having that person have to type it in less.

Meaning that the password still exists, it's being exchanged in a different method. It might be a certificate. It might be a key. It might be a token. It might be still a password, or an application. A password is being exchanged between the system for authentication. It still means that what happens is the user enters it less but security, and the management team, and the IT team still need to manage that. It means that the security is not being replaced, it's not being removed. It's just being changed, the location of where we need to focus our time and manage it.

It's not, in any case, reducing costs either, it sometimes actually increases costs, by those technologies. But it does mean that people need to enter it less, which means that there's less opportunities for cyber criminals to compromise them in that regard in that interaction. Meaning that things like phishing scams, or entering your password into malicious websites, that becomes less and less because people have to enter them less. But it does mean there's a lot of challenges because that means that the target, where they're going to look at, is actually in the system. If they gain access to the system they can then watch the passwords being exchanged. They can do session hijacking, just like pass the hash happens. It also gets them to the point where then migration recovery becomes much more of a problem for employees in order to get new devices, or to move to new operating systems, and so forth, when they upgrade or replace devices.

In those cases, yes, it's the last password interaction. The password really then changes and evolves to become much more of a recovery key or a password recovery approach. There's still something ... Eventually if you're using your thumbprint to access a device and you injure your finger or thumb, then you can no longer access the device. You have to have a mechanism, a backup way of regaining access. That's why Apple really still has the PIN. If you restart the device you have to re-enter the PIN. It's different elements of risk and different elements of security controls. That will always be the case because you will still need that recovery ability.

Mike Gruen:

Yeah. I think one of the other ones that you and I were talking a little bit about before this was, speaking of recovery, is how important your email account is to your identity, and protecting your access. Because if somebody gets access to your email, chances are they can use any number of forgot password capabilities to get into almost every account you've ever created.

Joseph Carson:

Absolutely, email today is your digital identity, to be honest.

Mike Gruen:

Right.

Joseph Carson:

20 years ago it was just a simple messaging exchange. It was a post-it note to your colleague to give them, "Be here, meet you for lunch," "Need to do this task." Today email has been replaced; it's your digital identity. It means that it's all your history: your browsing history, your advertisement preferences, who you've met, who you're going to meet. It's your location information, it's your sensitive document access, your photographs. In many cases, it's all the internet services that you ever signed up for, because they all want your email address and they will send you a thank you, here's your password, and here's your password recovery. Here's the link to reactivate.

It means that any type of attacker that gets access to your email actually really gets to understand you much more personally, sometimes more than you might even know yourself. They're able to understand your personal identity through your email access. Then sometimes, if you're not really good at managing, and you don't use a password manager or privileged access management, it means that the attacker can simply then go and abuse your password resets and be able to gain access to any account where you've used your email as a medium of communication for password reset.

Mike Gruen:

Right, and they can potentially lock you out of your own email account, which ...

Joseph Carson:

They will do eventually.

Mike Gruen:

Exactly.

Joseph Carson:

Which makes it harder for you to recover it. I've heard many cases in the past of digital identity theft, where ... On the financial side it used to be credit card theft. In the industry they say it's easier to get your money back from the bank than it is to get your digital identity back. That shows you how significant it is. If you also look at the dark web as well, you look at the cost: the cost of a fake credit card online or a stolen credit card is cheaper than what an identity actually costs. It really shows the commodity and the value, and attackers do see your identity as a prime value.

Mike Gruen:

Interesting. Well, I think this has been a really educational and enlightening conversation. Any final thoughts or last things to leave people with?

Joseph Carson:

I mean, some of the best practices I have is really getting into, people really need to understand that a password should never be the only security control that's protecting your sensitive information. Do use a long passphrase. Put spaces in between letters and stuff. Use the space bar. Get into really, the optimum length is really beyond 16, 18 characters. The longer you make it, the more difficult it becomes to compromise. My password best practice, my human-created one, is a minimum of 25 characters just because I know the hashing algorithms that are used to create it, and the strength, and the challenges to break that. Also, log out of systems when you're not using them. Don't stay logged in because that's another opportunity for an attacker to gain your hash.

Don't reuse passwords, use a password manager, rotate them using my timeframe; my personal one is every year. I rotate all my passwords yearly just because the cracking machines' cryptography ability is such that the best computers out there could crack my password in a year. Therefore, that's my timeframe, knowing the cryptography algorithms. Multifactor authentication for all sensitive accounts, where you really have information you don't want to give anyone access to. Good auditing of your activity. Really don't be afraid to ask people for advice. Don't be afraid to go out there and ask people, "What's good practice? Can you help me?" Look for cyber ambassadors and cyber mentors out there that can really point you in the right direction.

Mike Gruen:

That's great advice, actually. I'll take advantage of that right now. For a long time, for systems where I have to remember the password and I can't rely on a password manager for whatever reason, in the past I've used full sentences. One of my really-long-time-ago passwords was "Some girls wandered by mistake into the mess that scalpels make."

Now, if you know Leonard Cohen, and know that I'm a big Leonard Cohen fan, you might have been able to get there. But would you say having something so well formatted, even though it has spaces and punctuation and the rest of it, but the fact that it's a complete sentence and sort of follows English rules, is weaker in some way?

Joseph Carson:

I think it can be, because we get into what's called natural language processing ability in hacking and password cracking today; it's getting really good. It does make it a longer process to do, but using those natural language processing rules in hacking tools today, it can eventually get there. It really comes down to how old your system is, and how… you have and how many hashes per second you can actually crack. My recommendation is that you create a long sentence like that. All you need to do is put one special character in any location… Just one special character will then make the problem of cracking it much more difficult.

Mike Gruen:

Right. One special character beyond the regular punctuation that would be found in there. Yeah.

Joseph Carson:

Correct. Just simply changing one letter to a number or one thing to an ASCII character. It only needs to be one.

Mike Gruen:

Right. Exactly.

Joseph Carson:

Put a random space in between where there might be a space between words, but putting a random space in would also create that complexity too.

Mike Gruen:

For me it's that I'm a horrible speller, so typically those sentences had a misspelling in there and I didn't even realize it.

Joseph Carson:

Which is a good thing.

Mike Gruen:

Exactly. Well, thanks again for joining us. I always enjoy our conversations.

Joseph Carson:

Absolutely. It's a pleasure being here. Ultimately out there, yes, passwords are not going away. They will be around for a long time. Let's just use them wisely. Let's use them for benefit. Yes, we will get to a point where we will interact less with them, but they'll still exist.

Mike Gruen:

Great. Thanks.

Outro:

Learn how your team can get a free trial of Cybrary for business by going to www.Cybrary.IT/business. That's C-Y-B-R-A-R-Y.IT/business.