
September 25, 2025 26 mins

professorjrod@gmail.com

Ever wonder what happens behind the scenes when you tap "Login" on your favorite app? Authentication is the invisible guardian standing between your personal data and potential attackers, and it's more sophisticated than you might think.

Authentication systems rely on three critical principles: Confidentiality keeps your credentials private, Integrity ensures no one can fake their way past security, and Availability guarantees you can access your accounts when needed. These principles form the foundation of digital security across every platform you use.

The strongest protection comes from combining multiple authentication factors. Your passwords represent "something you know," while those codes texted to your phone verify "something you have." Fingerprint and facial recognition add "something you are" to the equation. When companies layer these factors together, they create robust security that can stop 99% of automated attacks according to Microsoft research.

Despite advances in authentication technology, passwords remain the primary defense for most accounts. Security experts now recommend longer passphrases over complex combinations with special characters. A memorable phrase like "Purple Dungeon eats pizza at noon!" creates a formidable 27-character barrier against brute force attacks. Password managers have become essential tools for generating and storing unique credentials for each service, protecting against credential stuffing attacks where hackers try stolen login information across multiple sites.

Beyond basic authentication lies the world of access control – determining what you can do once your identity is verified. Modern systems implement various models from Discretionary Access Control to Attribute-Based Access Control, applying the principle of least privilege to minimize potential damage from compromised accounts or insider threats.
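As an added example that is not from the episode or its author, the attribute-based rule the show describes (a finance analyst may read the quarterly budget report only from a company-issued laptop, on the corporate VPN, during business hours) can be written as a small policy function that denies everything it does not explicitly grant, which is least privilege in code form. The attribute names, the 08:00 to 18:00 window and the sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes an ABAC policy decision point sees for one access attempt.
    Field names are an assumption for this example, not a real product's schema."""
    user: str
    department: str
    resource: str
    action: str
    device_trusted: bool      # company-issued, managed device?
    on_corporate_vpn: bool
    country: str
    local_time: time


# Assumed business-hours window (inclusive start, exclusive end).
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def finance_report_policy(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate the quarterly-budget-report rule.

    Each check is an attribute from the request; the first one that fails
    produces the deny reason.  Anything not matched by an explicit allow
    falls through to deny, so the default posture is least privilege."""
    if req.resource != "quarterly-budget-report":
        return False, "no policy grants this resource"
    if req.action != "read":
        return False, "only read is permitted on this resource"
    if req.department != "finance":
        return False, "department attribute does not match"
    if not req.device_trusted:
        return False, "device is not company-issued"
    if not req.on_corporate_vpn:
        return False, "not on corporate VPN"
    if req.country != "US":
        return False, "login from outside the expected country"
    start, end = BUSINESS_HOURS
    if not (start <= req.local_time < end):
        return False, "outside business hours"
    return True, "all attributes satisfied"


def evaluate(req: AccessRequest) -> Dict[str, str]:
    """Return an audit-log style decision record for one request."""
    allowed, reason = finance_report_policy(req)
    return {"user": req.user,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason}


# Constructed sample requests mirroring the two cases in the episode, plus one
# that shows the department attribute being checked.
ANALYST_AT_DESK = AccessRequest(
    user="analyst1", department="finance", resource="quarterly-budget-report",
    action="read", device_trusted=True, on_corporate_vpn=True,
    country="US", local_time=time(10, 30))

ANALYST_ABROAD_2AM = AccessRequest(
    user="analyst1", department="finance", resource="quarterly-budget-report",
    action="read", device_trusted=False, on_corporate_vpn=False,
    country="FR", local_time=time(2, 0))

MARKETING_USER = AccessRequest(
    user="marketer1", department="marketing", resource="quarterly-budget-report",
    action="read", device_trusted=True, on_corporate_vpn=True,
    country="US", local_time=time(10, 30))


if __name__ == "__main__":
    for req in (ANALYST_AT_DESK, ANALYST_ABROAD_2AM, MARKETING_USER):
        print(evaluate(req))
```

Because the checks are ordered, the deny reason reports only the first failed attribute; a production policy engine would typically log every failed condition for investigation.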

Ready to strengthen your digital security? Start by enabling multi-factor authentication on your critical accounts today. Consider using a password manager to generate strong, unique passwords for each site. Remember that authentication isn't just about keeping the bad guys out – it's about protecting what matters most to you online.


If you want to help me with my research please e-mail me.
Professorjrod@gmail.com

If you want to join my question/answer zoom class e-mail me at
Professorjrod@gmail.com

Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:27):
And welcome to Technology Tap. I'm Professor J Rod. In this episode we'll talk about passwords and multi-factor authentication. Let's get into it.

(01:03):
All right, welcome to Technology Tap. I'm Professor J Rod. So we're going to do something a little bit different going forward, so here's a little bit of housekeeping, as I like to call it. We joined the PodMatch network, so hopefully that's going to help us in getting more listeners.

(01:23):
Two, we're going to do three episodes a week and they're going to be released Tuesdays, Thursdays and Sundays. Tuesdays and Thursdays are going to be chapter episodes on a topic, either Security or A+, and then on Sunday we're going to go over the modern history of computing. Right, like what we're doing with the floppy.

(01:44):
We did the 8-inch floppy, next we have the five-and-a-quarter floppy, and then we'll go to three-and-a-half and so forth. So that is how it's going to go from now on. So hopefully this format will bring more listeners and bring more enjoyment to everyone who is listening. All right, so welcome to Technology Tap, the show where we take complex technology and break it down into stories

(02:05):
you can relate to. I'm Professor J Rod, and today we're diving into something that affects every single person who uses a computer, smartphone or tablet: authentication. Think about the morning routine. You wake up, check your phone, maybe log into your email or social media. Every one of these actions begins with a question: are you really you? That question and the technology behind answering it is

(02:28):
what we'll be exploring today. We'll look into passwords, password managers, multi-factor authentication, biometrics and even passwordless future tech, and I promise you'll come away from this episode with practical steps you can take to stay secure. Let's tap in. Authentication is simply providing your identity to a

(02:50):
system, but in cybersecurity we always think in terms of CIA: confidentiality, integrity and availability. Confidentiality means your credentials, like your password, are private. Integrity means no one can fake their way past the login screen. And availability means the system works reliably, even at 2

(03:11):
am when you're trying to reset your password before a deadline and, for my students, their homework assignments. We'll roll the sample. Think about online banking. Confidentiality ensures no one else can see your credentials. Integrity ensures a hacker can bypass the login screen with a fake cookie. Availability ensures you can check your balance on payday without getting locked out.

(03:33):
And to make authentication strong, we use the following factors. Something that you know, like the password for your Netflix account. Something that you have: your bank might text you a code to prove you have your phone. Something that you are: Face ID or a fingerprint scan on your iPhone. Somewhere you are: your employer may only let you log in from your office VPN.

(03:55):
Something that you do: your smartwatch might know the way you walk is unique. When companies combine these factors, they are creating layered security. Passwords are the oldest form of authentication and still the most common. Let's talk length first. Longer is stronger.

(04:16):
Think of password cracking like trying every combination on a bike lock. The more characters you add, the more combinations a hacker has to try. Real breach story: in 2012, LinkedIn suffered a data breach that exposed millions of passwords. Many were things like 123456 or LinkedIn. Attackers guessed them instantly. Modern guidelines from NIST actually say we should stop

(04:40):
forcing people to change passwords every 60 days unless there's evidence of compromise. Why? Because humans are predictable. People would just pick something like summer 2023, then fall 2023. Hackers guess these patterns. Instead, the focus is on using long passphrases. Imagine "Purple Dungeon eats pizza at noon."

(05:02):
That's 27 characters to remember, plus the exclamation point. Very hard to brute force. And never reuse passwords. When one website gets hacked, attackers try the same email and password combo everywhere. That's called credential stuffing, and they do that, right. If Netflix gets hacked, whatever username and password

(05:23):
that you have, they're going to try it on Amazon, they're going to try it on Hulu, they're going to try it on, you know, all your stuff: Hotmail, Gmail. So, password managers? Here's the problem. No one can remember 200 unique passwords. That's where the password managers come in. Think of them as your digital keychain. They generate and store strong passwords for each site.

(05:45):
You unlock the keychain with one master password. So yes, your master password needs to be very strong. Real-world example: let's say you use Bitwarden. You log into your vault with your master password and maybe a code from your phone. The vault decrypts locally on your device. Even Bitwarden's servers can't see your passwords because

(06:06):
they're encrypted end-to-end. Security tip: choose a reputable manager with zero-knowledge encryption. Turn on MFA for your password manager account. Back up your vault, because losing your master password usually means you're locked out permanently. And here's a kicker. A password manager can also protect you from phishing.

(06:27):
If you land on a fake PayPal site, the manager won't autofill because the domain doesn't match. Multi-factor authentication. Let's say you have a strong password. Can attackers still get in? Yes, if they trick you with phishing or if the site gets hacked. That's why multi-factor authentication is so powerful.

(06:50):
It adds another wall. We'll roll the example. Remember the 2020 Twitter hack? Attackers called employees pretending to be IT and tricked them into giving up credentials. Accounts of high-profile users, Elon Musk, Barack Obama, were taken over. Twitter now enforces MFA for many internal tools. MFA options include hardware tokens like RSA SecurID fobs,

(07:16):
apps like Google Authenticator that generate time-based codes, push notifications that let you tap approve on your phone, and biometrics combined with a PIN. MFA can stop 99% of automated account attacks, according to Microsoft. If you haven't enabled it on your email and bank accounts, do it today. Don't just pause this and then go and do that, right.

(07:39):
Handle your business, guys. And I always like to say, you know, I always tell my students, you know, something that you are, something that you have, you know, has been around for a long time. It's been around for years. Think about it: when you take money out of a bank, right, you

(08:01):
need your card, which is something that you know, and you need your PIN, something that you have. So you know that's been around for a long time. You know, we just haven't taken advantage of it, or that much advantage of it, now. Plus, as I was telling one of my classes, you know, it takes a long time for people to get used to things, right? You know, it's

(08:24):
now that we're doing, you know, multi-factor authentication that sends a code to your phone. Right, I love that, but it's taking us a long time for people to get used to that, right, because, again, you know, they want to make things convenient for everybody on the commercial side, on the customer side, and that usually means giving up

(08:48):
security. But I think people are getting used to it now. So now that's becoming a thing, where, you know, you log into something and then a code gets sent to your phone, which I absolutely love. I mean, I think, you know, that's... I mean, can you get hacked? Yes, but what are the chances of you getting hacked? Right, that's the thing. Right, it's lower than just having password123 on your

(09:11):
account, right? Biometrics. Biometrics uses your body as the password, and they're everywhere. Your phone might scan your face. Disney theme parks use fingerprint readers to match guests' tickets. Airports use facial recognition to speed boarding. But biometrics are important. Systems can reject you, that's called false rejection, or worse,

(09:33):
accept someone who isn't you, which is a false acceptance. Real story: researchers have shown that cheap 3D-printed masks can bypass some facial recognition systems. That's why most secure systems combine biometrics with something else, like a PIN. And, unlike passwords, you can't change your fingerprints. If it gets stolen from a database, yes, that's happening.

(09:55):
You just can't pick a new one. That's why protecting biometric data is critical, and, you know, it's a whole new thing that we need to be a little bit more security conscious about. Right, there's a video on YouTube, if you could look it up. If you look up Jimmy Kimmel social engineering, you know,

(10:19):
those people, you know, they try to get their passwords and people freely give it to them. Like, they ask questions, and next thing you know, they've given up their password. It's an amazing video. I show it in all my classes. There's actually two videos of that, where they walk over to people and they ask them their password. At first they initially say no, but eventually they give

(10:41):
them the password, which is absolutely insane. Yeah, it's crazy. You should watch it. Look it up. It's on YouTube. All right, let's wrap it up. Today we explored authentication, passwords, password managers, MFA and biometrics, all the ways we prove who we are online. So here's your homework: pick one account that doesn't have

(11:03):
MFA enabled. Turn it on today. Download a password manager and generate strong, unique passwords. Experiment with passphrases instead of random gibberish. They're easier to remember and just as strong. All right, welcome back to Technology Tap. I'm Professor J Rod. If you joined us the last time, we explored how we prove who we

(11:25):
are: authentication, passwords, multi-factor authentication and biometrics. But proving who you are is just one step. Once the system knows it's you, it faces the next big question: what are you allowed to do? This is where access control comes in. Today, we'll explore the major access control models:

(11:47):
discretionary, mandatory, role-based and attribute-based. We'll talk about the principle of least privilege, account provisioning and deprovisioning, account restrictions and privileged access management. And, of course, I'll share real-world examples, from insider threats to IT horror stories, to help make these

(12:07):
concepts stick. All right, let's start. Access control models. Once you authenticate, the system uses access control to determine which files, systems or actions you can access. Think of it like a bouncer at a club. You show your ID at the club. That's authentication, but the bouncer still checks if you're

(12:28):
on the VIP list or just a general guest. Authorization. Right, that'll be authorization. Discretionary Access Control, or DAC. DAC is owner-controlled. If you create a file, you decide who gets read, write or execute permission. So here's an example: imagine Alice creates a Google Doc and shares it with Bob, giving him edit rights.

(12:51):
Bob can then share it with Charlie if he wants. That flexibility is great, but also risky. Malware or compromised accounts can spread access quickly in a DAC system. Mandatory Access Control, or MAC. MAC is stricter. Access is based on security levels and system-enforced

(13:11):
policies. Users can't just decide to share data. Example: in the military, a document labeled Secret can only be opened by someone with Secret clearance or higher. You can't just give a friend access. The system enforces it. MAC is used in government and defense environments where leakage of information can be catastrophic.

(13:33):
Next we go to Role-Based Access Control, or RBAC. RBAC assigns permissions to roles, not individual users. Example: when a new HR employee joins, IT assigns them the HR role. That role gives them access to payroll data automatically. No need to configure access manually every time somebody

(13:54):
joins or leaves. This is scalable, easy to manage and great for organizations with well-defined job functions. Attribute-Based Access Control, or ABAC. ABAC is even more dynamic. It grants access based on attributes like user department, device trust level, location, time of day and risk score.

(14:16):
Here's an example: imagine a finance analyst can access the quarterly budget report, but only from a company-issued laptop on the corporate VPN during business hours. Try to log in from a personal tablet at 2 am from a foreign country? Access denied. ABAC powers modern zero-day models, zero-trust models: never

(14:38):
trust, always verify. And then we have rule-based, or RuBAC. This model uses preset rules. For example, deny all logins after 6 pm, block connections from outside the US, or allow access only if antivirus is up to date. You probably experience this if your VPN locks you out until

(14:59):
you install the latest security patches. Next we're going to move to the principle of least privilege, which says users should have the minimum access needed to do their job. Nothing more, nothing less. Case study: in 2013, Edward Snowden had broad access to NSA data, far more than he needed for his role as a

(15:21):
contractor. That access allowed him to leak classified documents. This is why modern systems implement just-in-time access, giving admin rights only temporarily. Practical steps: review permissions regularly, remove stale accounts and use privileged access management tools to grant temporary elevation.

(15:44):
Next, user provisioning and deprovisioning. Provisioning is the process of creating, configuring and maintaining user accounts. For example, onboarding: when Sarah is hired in marketing, HR triggers an automatic workflow. An Active Directory account is created, email, Slack and VPN access are granted, and a welcome packet reminds her of

(16:05):
the security policies, though I would not give somebody who just started VPN access as soon as they start, unless they're working from home. Right, but deprovisioning is just as critical. When Sarah leaves the company, her account must be disabled immediately. Yes, at the minimum, right. Maximum is deleting the account. The minimum is disabling immediately.

(16:26):
Horror story: a 2021 report found that 25% of former employees at some companies still had access to cloud files, which is incredibly unbelievable. That's an insider threat waiting to happen. Imagine a disgruntled ex-employee downloading sensitive data after they leave. It happens more often than you think.

(16:48):
Next, let's talk about account attributes and access policy. Every account has attributes like username, security ID, role, department, access history. Access control systems use these attributes to apply policies. For example, users in the finance user group get access to budget files. Group Policy Objects apply restrictions like disabling USB

(17:13):
drives, and conditional access may block logins from risky IP addresses. This is why logging in from a new country sometimes triggers an email alert or MFA prompt. The system noticed something unusual. You get this sometimes when you, if you always download in New York City, I'm sorry, you always log in in New York City to your

(17:33):
Gmail account every day, every day, all day, every seven days a week, 365. And then one day you go to LA and you log in, and not on your computer but somebody else's computer. It might trigger something. It might say, hey, you never logged in in LA from this PC before, let's make sure it's you. Especially if it's in another country, right, if it's like in the Philippines, not, you know,

(17:55):
not making fun of my Philippine people or anything, but, you know, somewhere that you've never gone, it's going to trigger that. Account restrictions. To further reduce risk, companies use location-based and time-based controls. Location example: a hospital may block all logins from outside the US to protect patient data.

(18:16):
Time example: contractors may only be able to log in during business hours, and the system may detect impossible travel. Logging in from New York and then Tokyo five minutes later. That's a flag, and it's suspicious because it's impossible. These restrictions help reduce the attack surface. If you work for a bank, right, banks are not going to let you be there until

(18:37):
like 8 o'clock, 9 o'clock at night. After, I think it's 7 pm, most banks will lock you out automatically and you can't log in. I think you have to wait till 8 am. If you work in the branch, you got to wait till 8 am to log in. Maybe 7, 7:30. But, like, you can't go in there at 6 in the morning and start doing work. They won't. The computers won't turn off.

(18:58):
Privileged Access Management, or PAM. PAM is all about controlling administrator and super-user accounts. In the 2017 NotPetya attack, malware stole domain admin credentials from infected machines and spread rapidly across networks. Organizations that used PAM tools were able to limit the

(19:27):
blast radius by rotating admin credentials and requiring MFA. Key PAM practices: zero standing privileges, no one keeps permanent admin rights, they get them temporarily when needed. Credentials: admin passwords expire quickly and rotate automatically. Password vaulting: privileged credentials are stored securely and admins check them out like a library book. This approach drastically reduces insider threat risk and

(19:50):
limits damage from account compromise. Now on to the questions. Now that we've gone through these topics, I'm going to ask you four questions and I'm going to give you time to think about it, and then you're going to answer the question. Let's see if we can get four out of four. All right, which access control model is owner-controlled and

(20:13):
commonly used in personal or commercial systems? A, MAC. B, DAC. C, RBAC. D, ABAC.

(20:36):
I'll read it again: which access control model is owner-controlled and commonly used in personal or commercial systems? A, MAC. B, DAC. C, RBAC? Answer is B, DAC, Discretionary Access Control. The resource owner decides permissions. For MAC, this is system-enforced. RBAC uses roles and ABAC uses attributes. So the answer is B.

(20:57):
Next, question number two. The principle of least privilege helps organizations by: A, giving users admin access for efficiency. B, assigning only the permissions necessary for a task. C, allowing employees to share accounts freely. D, removing the need for authentication entirely.

(21:17):
I'm going to read it again: the principle of least privilege helps organizations by: A, giving users admin access for efficiency. B, assigning only the permissions necessary for tasks. C, allowing employees to share accounts freely. And D, removing the need for authentication entirely. So I'll give you five seconds to think about it. See what the answer is. Five, four, three, two, one.

(21:43):
And the answer is B, assigning only the permissions necessary for the task. The principle of least privilege minimizes risk by restricting access to just what's needed. Giving admin rights, A, or sharing accounts, C, increases the risk, while removing authentication undermines

(22:04):
security entirely, right? So then, why even have people logging in, if you're going to do that? All right. Question three: which access control model is policy-based, dynamic and context-aware, often used in cloud and zero-trust environments? A, DAC. B, RBAC. C, ABAC. D, MAC?

(22:26):
I'll do it again: which access control model is policy-based, dynamic and context-aware, often used in cloud and zero-trust environments? A, DAC. B, RBAC. C, ABAC, or D, MAC? I'll give you five seconds to think about it. Five, four, three, two, one. All right, the answer is C, ABAC.

(22:51):
Attribute-Based Access Control considers attributes like user role, device, location and time, right. DAC is owner-based, RBAC is role-based and less flexible, and MAC is rigid and policy-enforced. Hope you got that right. Now, last one. Let's go for four for four, hopefully, right,

(23:14):
and we got three of them right, and this will be number four, all right. What is the main purpose of PAM, Privileged Access Management? A, to remove the need for user provisioning. B, to store encryption keys for end users. C, to secure, monitor and limit accounts with elevated rights,

(23:36):
and D, to replace MFA for all accounts. I'll read it again: what is the main purpose of Privileged Access Management? A, to remove the need for user provisioning. B, to store encryption keys for end users. C, to secure, monitor and limit accounts with elevated rights. And D, to replace MFA for all accounts. I'll give you five seconds to think about that. Five, four, three, two, one.

(24:00):
And the answer is C, to secure, monitor and limit accounts with elevated rights. PAM protects powerful accounts like domain admins or root by limiting their use, requiring just-in-time elevation and monitoring activity. A, provisioning. A is more like provisioning, it's separate. Encryption keys,

(24:20):
B, are unrelated, and PAM doesn't replace MFA, it just complements it. All right, that was pretty good. Hopefully we got four out of four right, which I'm sure we do, right. We got a lot of smart listeners out there, especially my listeners in Georgia and my listeners in Texas, and I think I have a listener in Athens, Greece, that likes to listen to

(24:43):
my podcast. So shout out to you guys for listening. I appreciate it. All right, let's wrap it up. Today we saw how systems decide what you can access after logging in. We covered DAC, MAC, RBAC, ABAC and least privilege, account restrictions, PAM and provisioning.

(25:05):
Here's your action list. Audit your own accounts. Do you have access to things you no longer need? Turn on conditional access or time-based restrictions where possible. If you're in IT, start exploring PAM tools like CyberArk or BeyondTrust. Just remember: authentication gets you in the door, but authorization determines what rooms you can enter.

(25:25):
I'm Professor J Rod and until next time, keep tapping into technology.