Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Eric Brown (00:05):
You're listening to the Audit, presented by IT Audit Labs.
Nick Mellem (00:14):
All right, everybody, welcome to another episode of the Audit.
Today I've got my good friends Eric Palms and Matt Starland, and today we're going to jump into the future, or what the future looks like, with passwords.
I think we all spend a lot of time figuring out how to navigate the world of IT, and passwords is oftentimes one of
(00:36):
the biggest parts of it.
So welcome, guys.
Matt Starland (00:39):
Thanks, hey, thank you, can't complain.
Today it's 85 degrees out in Minnesota.
I heard that.
Nick Mellem (00:46):
So it's a heat wave, and people in Minnesota are probably unthawed a little too quick.
Maybe that's a problem.
Matt Starland (00:51):
People are probably forgetting their passwords. We still got 20 feet of snow in a Target parking lot.
So we're still.
We still got winter, still getting dug out. Well.
Nick Mellem (00:59):
Yeah, guys, I appreciate you guys jumping on. Like I said, wanted to, you know, talk all things passwords.
So if we're jumping right into it, what's your guys' thoughts on how passwords are progressing or not progressing?
Matt Starland (01:13):
So yeah, I guess where passwords have always been kind of a big problem for IT and organizations for many years.
One of the things you look at from the attack vectors, social engineering, whether it's through email communication or somebody calling up a service
(01:34):
desk phone number and acting as maybe an employee and then getting that password reset that way, and it's funny.
It reminds me of a quote that I've heard a few times, whether it's from certain pen testing organizations, but one of the quotes was: what you call hacking, I call taking your password and logging in.
(01:56):
So when it comes down to a technical expertise, to do something like this doesn't take much, and so that's why you see so many phishing emails come into organizations, trying to just build a fake web page and have the, you know, employee log, or think they're logging into a web page, to gain access using
(02:18):
username and password.
So traditionally we've been using that methodology for so many years now.
But we look to the government, you know, to maybe actually make a change there.
This is a good thing from a government side of the world because of just the top secret data that they have to work with, but they've been using CAC cards, I think, in the military.
(02:41):
Maybe some of you have seen that before.
Maybe in being in the Marines I used one, yeah, exactly, and so it's got a chip on that that would maintain a certificate.
Similar to your debit card.
Yep, exactly, certification protocol, PIV protocol, which
(03:03):
acts as kind of the card is something you have, and that certificate on there is you're tied to your identity to get into a system, and then you also have some sort of a PIN code to unlock that.
So they've been going.
You know, the government at the federal level has been, has this for almost, I think, 20 years or so, but it's interesting to
(03:25):
see how a lot of the industry has not fully caught up with that yet, even though, with all of these, you know, social engineering techniques, it seems to be that we've tried to band-aid it.
You know, using certain tools to prevent, you know, those phishing and processes and procedures, but there is
(03:48):
technology that's, you know, been around for a little bit to actually help, you know, prevent this, these passwords being stolen.
So it's interesting to see where the history has been, and I feel like with Microsoft, of course, playing a big role.
(04:28):
I'm not to sell Okta and Ping and all those identity providers short, but for a good part, still, when it comes to on-premises, you think it's got to be what, 99% Active Directory?
Absolutely, I mean, I don't know if you guys, have you guys
(04:49):
seen anything, anything of Novell in the past 15 years?
No, I haven't.
So, yeah, so, exactly, so you look at it takes, you know, an organization like that to kind of push that forward, and people are going to start, I think, getting on board with it or not have a choice.
Well, I can go on that part for a while, I know, I don't know.
(05:13):
Yeah, Palms, what is your kind of thoughts on this future here, and what are you seeing in regards to some of the news and articles out there that exist?
Eric Palms (05:24):
I think that passwords are going to have to eventually go the way of the dinosaur. Between all of the phishing emails, like you mentioned, that just show up, it's hundreds and thousands that are getting hit each organization daily, and a lot of organizations have fairly good
(05:45):
filters nowadays to filter out the majority of them, but it only takes one to get through to compromise a company. That is the problem, and all they need is that username and password.
Nick Mellem (05:55):
Yeah, and that too, what you're saying there, that's just the phishing part.
We haven't even got into the social engineering, right? That is, you know, one of my, if you've listened to any of our previous episodes, you know that's like one of my favorites, is social engineering.
I've been practicing it for years, and that is what everybody wants to know, is can you get my password? Right?
(06:17):
So we're trying to compare apples to apples here.
But one thing that's so hard for us to protect is the social engineering aspect, because we can look up the stats all day long.
What is it? Between 80 and 90 percent of all issues, you know, with malicious intent start with an end user, and it's directly related to their password.
I mean so, with that being said, or is it just inevitable that
(06:39):
we have to go passwordless or biometrics or whatever the case is?
Matt Starland (06:43):
But to me that's kind of where things have to shift to, and I think that's where the conversation is going.
Yeah, and folks, you know, with Nick's background on social engineering, you can clearly see that he is social engineering you right now on this episode to buy some services.
So look for some future sale events here coming up.
Eric Palms (07:04):
Yeah, I know that's what your ulterior motive is on this.
Matt Starland (07:10):
I cannot confirm nor deny. If only everyone could see the grin on his face right now.
Yes, and how red he's turning.
Nick Mellem (07:17):
Yeah, we're turning the cameras off.
I'm kidding.
Matt Starland (07:22):
No, but in all seriousness, no, it's, yeah, it's time to.
There needs to be a change in the industry, and I kind of look at it too.
Is that there's a cost savings benefit here, which I know we can definitely geek out here in a little bit.
You know, when you're getting into the cost of some of these, what are some of this? What are these passwordless, you know, tools look like, but let's
(07:44):
say you go passwordless, okay, what does that mean now for some of the products that you currently have, products or platforms that you currently have today, that are designed to prevent maybe social engineering? Usually that's the
(08:05):
human aspect.
So, I don't know, maybe that's process procedure there, but let's think of it from the threat vector.
So email, that's one of those threat vectors.
So what are we using today for, when I say we, me as a society or culture, IT industry, what are we using today to help stop
(08:28):
those service, you know, those types of attacks?
Well, we are using, I guess, if you're in Microsoft 365 Cloud and you pay for their, you know, E9462 license, whatever it is that you're.
You know, the suite of buffet that they give you to.
You know, for every log second you want.
(08:48):
You know what I mean, nickel and dime you, kind of thing, you know.
So you've got their ATP, their anti-spam, phishing, or maybe you buy.
There's a lot of money right now involved in those technologies and services.
(09:09):
So what does that mean if you go passwordless?
So, okay, great, I click on this, you know, this email that comes in, and they have a fake page that looks like my organization and needs my password or whatever, and I think I'm giving them my password.
Well, if I'm passwordless, what am I giving them? You know.
So if you're looking at it from the multi-factor authentication perspective, there's a lot of.
(09:37):
This passwordless is a random generated code or a PIN that you have memorized to unlock a device that then has that certificate on it to prove your identity.
So I guess to the basic end user, they're going to think, well, maybe this is my four digit or six or eight digit PIN on my device that I need to type in.
Okay, great, so I give that phishing web page my PIN number.
(10:00):
Okay, so now the attacker has my username and, you know, or if I gave my username or maybe my email address, and they're now using that six digit PIN to try and log into a web application or some sort of VPN that allows me into my organization, it does nothing, because that PIN is associated
(10:23):
directly to that device, to even unlock it or to gain access to, I guess, from a general terms, you know, to prove that certificate or hash, whatever I have on that, to prove my identity.
So it means nothing.
So you've got that tool that you've used to help prevent that
(10:46):
situation from happening is irrelevant now.
Eric Palms (10:51):
Yes and no, I would say that it also blocks a lot of malware and such as well, those systems.
So I think they'll go less in on phishing and more in on malware detection, especially when you get to lay-of-the-land malware.
This will build the script on the device from an email from
(11:14):
just opening it, like the latest Microsoft vulnerability for Outlook, where all you had to do was, Outlook had to receive the message to become compromised before, if you weren't patched.
I think it's going to be a lot more stuff like that in a passwordless future, and that is a very great point.
Matt Starland (11:39):
So, while, yeah, it prevents, so those phishing or those types of organizations, yeah, they would have to.
It's not that they wouldn't be, that's irrelevant, but it's all the other services that they provide are going to have to ramp up, because I think that leads into a great point there, Eric.
So, okay, this prevents maybe that social engineering or your
(12:00):
password on the Internet getting breached, you know, kind of all that leaks and everything, or a hash of your password getting cracked.
But it now goes into a different vulnerability or a security measure now that those attackers are going to be looking to try and circumvent, and that's going to be like replay attacks.
So, once you authenticate, what do you get?
(12:25):
You get a security token, SAML token, a Kerberos ticket, something along those lines that proves that you have.
So they're no longer going to be looking for a password, but they're going to try to, how do we exfiltrate or get a hold of that ticket or token to
(12:51):
replay it and gain access?
Nick Mellem (12:54):
Matt, this is just like the conversation that you and I have had before about authenticating a person versus authenticating a machine.
Yep, right, for multi-factor authentication, at what point have you skipped that, right?
That's the issue, and that's what, you know, for the listeners, Matt and I have debated this before.
(13:15):
At what point are you just skipping it and not authenticating the actual person, but just authenticating the machine?
Yes, the machine belongs to our network.
That's where we're going to get nickel and dimey, I think, or you're going to have your issues.
Eric, do you have thoughts on that?
Eric Palms (13:32):
Yes, yeah, especially when it's getting certificates involved at that point.
So there's going, oh, some VPN solutions are notorious for just running certificate-based only.
So as long as the device has a certificate, you're on the VPN.
Or, let's say, you can do the same thing with a website
(13:54):
instead.
As long as that device has a certificate, they're good to go in, which is kind of scary in my mind.
That's where I like where you can do things with devices where, if it's an expected location or an unexpected location, either based off of geolocation, off IP, you're going to say they're in their corporate office.
(14:15):
Let's say you only run in the US, and all of a sudden you have the machine you're trying to get a login from, I don't know, India, yeah, and then it's like, well, that's weird.
You have to look at other factors as well.
(14:38):
And then hit them with another authentication method, like, okay, let's bring up that MFA token at that point, so re-authenticate you to know this is where you are, because 20 minutes ago you said you were in LA and now you're in India.
I mean, it's certainly possible with VPN solutions out there right now, but it's very unlikely, especially in the
(15:01):
corporate world, to have someone move that fast.
Nick Mellem (15:05):
And you know too, you're bringing up some great points, Eric, and the problem also is, because of the now work-from-home landscape, we've opened up a landslide of opportunities for people to travel, work from other locations.
People are getting Airbnbs in Mexico for a month to escape the winter, and it doesn't matter where they are, as long as they
(15:26):
got internet, right? Yeah, yeah, and that.
Matt Starland (15:29):
So, yeah, trying to detect that anomalous behavior.
I think pre-COVID was one thing.
Some of the organizations I've seen and been at, you know, it's where they were almost 100% in-person kind of work.
You still came into the office, you did your IT job, so to detect anomalous behavior back then it was a little bit easier.
(15:50):
Now it's much more difficult because of some of that flexibility of being able to drop your vehicle off at the dealership and I'm going to work from there.
You know, not saying that that didn't exist pre-COVID, but what I'm saying is because of post-COVID.
Here hybrid workforce is a norm now, or people are looking to be
(16:17):
full remote, and that makes that anomalous detection a little bit more difficult.
Nick Mellem (16:23):
So that's interesting.
You bring up, you know, the pre and post COVID into the password topic, and I say that because do you think that sped up potentially going passwordless, or just the future of passwords, period?
Do you think that that actually pushes into the future?
Because, you know, we look at it like I think we've definitely
(16:44):
fast forwarded from COVID just to work from home.
For us, right, it was inevitable, it was going to happen, but did it happen a lot faster because of it?
Do you think it had the same effect on passwords evolving, right?
Are we getting new technologies quicker?
Because it's holy crap, people are scattered all over the place.
We need this.
Matt Starland (17:00):
Well, yeah, I would say so, because, you know, again, thinking about some certain organizations that were very in-person work, you know, some of those organizations looked at their trust level as being, well, I gained access to the facility, you know, with my badge.
So now I'm in a secured facility where my network
(17:21):
servers and resources, data, is located.
So now I can just, now that I'm plugged into my local network or wireless, I can authenticate just fine because I'm coming from within the trusted walls of my physical location.
So kind of.
I know it's not multi-factor authentication, but it's a form
(17:43):
of trust that I'm coming from within the network.
And I realize this is the 21st century.
We're all on this big zero trust kick now because, you, just because of just how technology and everything's connected has grown.
But I believe there was a shift in mentality, at least what I've seen there, because of that.
And so now you're coming in from all over the different
(18:06):
Internet locations, and we all know accessing a resource, an organization's resource, from outside, within the physical walls, poses a whole another different level of risk, to which you want to have multi-factor authentication.
You know, you, that extra layer to prove who you say you are, not the device you come from, Nick, just who you say you are.
(18:28):
I say that tongue-in-cheek.
Going back to what you said earlier, our fun debate we had in this passwordless, you know, this, the looking at like the FIDO2 technology, like a key like that, or maybe this Microsoft Authenticator type thing where you type a PIN in, something you know, and then it unlocks to either present some
(18:51):
sort of certificate that you have, you know, now you're gaining access.
So I would say there's, whether a lot of organizations have, you know, determined that or not, but I definitely see the shift going that way, at least from the big players like Microsoft and, you know, and the FIDO2 technologies of the world.
(19:12):
So, yeah, I don't know, Palms, what's your thoughts?
Eric Palms (19:17):
Since COVID, I have seen multi-factor explode compared to pre, because it's exactly what you're saying, Matt, it's oh, people aren't in the office anymore.
How can we verify that someone?
Because let's say they're at their cabin, and let's say
(19:39):
they're cabined in another state in the middle of nowhere.
Well, that could easily be them, but we don't know for sure.
So that's where multi-factor has come in real well, to help with that.
I don't think it's perfect, because there are plenty of ways to snag multi-factor.
I've seen, with some of the new phishing emails, or it'll even,
(20:00):
or it's almost like I'm in the middle to gain access and grab that token.
Matt Starland (20:05):
So, yeah, I hear you on that part, like the token piece, because that goes.
So, going back to the multi-factor authentication again, for everyone that's listening, just because you proved your identity through multi-factor authentication, you still get that token.
Now, for any of you that look at Azure AD logs, for example,
(20:27):
and are using Azure MFA, you'll notice in those logs that claim was previously satisfied by MFA token, and because of your identity provider proving that you've already supplied that MFA credential or that second factor, you then get that token that shows, yep, they did the MFA, but so now that threat
(20:50):
actor, let's just find that security token and how we replay that, and then they go from there. It's really interesting topic, and I think we could, you know, you can continue and continue on this.
Nick Mellem (21:01):
I think there's a certain point that we reached during COVID that we all kind of were so uncomfortable with how things were going.
And I say uncomfortable meaning kind of like pants down moment.
We're like, oh crap, we have so many different things to sweep in with our network, things kind of, I don't want to say out of control, right, but with so many things we had to bring in or
(21:22):
speed up.
So we got, instead of being a little bit more lackadaisical or going through that whole change management process of how we want to do things, also, we got pushed so fast, when I, that's what I mean being uncomfortable, we got pushed so fast to a point where we had to be comfortable being uncomfortable.
Does that make sense?
Eric Palms (21:42):
Yes, I definitely have to be beginning of COVID.
Matt Starland (21:47):
Nick, I understand you, but this sounds like circular reasoning in a way.
Nick Mellem (21:51):
No, I'm playing devil's advocate here, but there is a truth to it all.
Like what you guys are saying, I believe that, I'm with you guys 100%, I think it was just inevitable.
I think that's answered the question that there's no, we were always going to end up here, but are we here five years faster than we might have been?
Are we getting technologies quicker?
(22:12):
Are companies releasing things faster?
Because it, right, companies are grabbing at different technologies because of, like what Eric said, somebody's at their cabin, it's in the middle of the woods in Upper Peninsula, Michigan, or whatever.
So we're trying to rope all this in really quickly, but we're doing it uncomfortably because we're not used to this.
(22:32):
Well, just ask ChatGPT, it'll tell you, man. I was going to bring up something else too, but even that's six months old already.
Matt Starland (22:42):
So I mean, sheesh, they'd only scraped the internet, what, six months ago?
Eric Brown (22:45):
So anyways, I don't want to digress off that topic.
Matt Starland (22:48):
You know, something else for another day.
Nick Mellem (22:51):
I was just going to bring up the fact that, well, you touched on it.
Let's clarify something.
You touched on the cost.
Are you thinking the cost is going to be, it's really great to implement this stuff, or is it really high cost?
Or are you saying the cost is so great that big companies are going to lobby against something because the cost of these
(23:11):
things are expensive and they want to keep that revenue?
Matt Starland (23:16):
What was your thought process behind that?
So now, when you're talking about costs, like to implement, like, yeah, all licensing, all of it, I think part of it is either one, and not understanding what goes into it.
You know, all the technology and, and I think going back to what I was saying earlier, you know, with Microsoft, say, you kind of promoting their Windows Hello for Business and making that
(23:38):
much more known.
I don't think a lot of organizations, because of maybe certain regulatory compliance things that they didn't have to abide by, just didn't see maybe the worth, you know, the time and effort to even look at it as a need, you know.
So.
So, going back, why is the federal government, you know, or
(24:00):
military, been in this for 20 years? Well, because they had very highly regulated data, very sensitive data.
So now that is your driver and demand.
Now it's not saying that healthcare companies and PCI and all those didn't have that.
But I don't know, maybe the federal government, just because
(24:23):
of how that data was so critical and sensitive to them, they decided to find that passwordless way to just needing to make it work.
So that was the driver, and so I think part of that was just not people realizing the cost, and I believe, personally believe, that with now, with the Windows Hello for Business, I don't mean
(24:46):
to keep kicking that one, that's just one I'm familiar, the most familiar with, is, you know, making more awareness around it.
And you have the new FIDO2, I put new in air quotes, it's a few years old or whatever, standard out.
This makes it a little bit more, you know, viable because of
(25:06):
there's a little bit more ease of implementation than necessarily the personal identification, personal identity and verification, you know, protocol to stand up, because a lot of these cloud providers like Okta, Ping and Azure AD have that FIDO2 support built in, and now a lot
(25:28):
of web applications are starting to build support for it.
So you're starting to see it grow more, and I think as people start hearing about it more and also seeing the cost benefit.
So I think that the initial implementation is going to be rough because there is not everything supports FIDO2,
(25:48):
especially from an on-premises standpoint.
So for those organizations that have adopted the cloud identity provider of the Azure AD, Ping and Oktas of the world, and where they're using OpenID and SAML to connect all of their cloud applications and maybe some of their on-premise applications too, they have a really simple step forward in
(26:10):
actually adopting something like those FIDO2 keys.
However, those who have some on-premises applications that are still using forms-based authentication or, you know, along those lines, they're going to have to figure out what are those apps.
And then, of course, can we move either one, changing that
(26:31):
app over to a SAML, OpenID integrated with their, you know, identity provider, or can they go to a Windows authentication, which then means once I've logged into my device using my FIDO2, let's say, key or other passwordless technology, then it
(26:52):
can pass my credentials through to that application without asking me for them, because I've proven my identity coming through my workstation.
So there's that aspect of the implementation phase that there's going to be a big up cost there, but I think long term it's going to be low because you can go and buy these
(27:16):
keys.
They range from 20 to 80 dollars depending on what features you want on them, because it's just not the FIDO2 protocol.
There's some that have the PIV protocol.
There's some that have.
What is it, Eric? What was the one? TOTP, is it?
Eric Palms (27:34):
TOTP.
Some of them are FIPS certified as well.
Matt Starland (27:39):
Yeah, FIPS certified.
So it depends on what all the necessities you want on there, maybe for some backwards compatibility like at the PIV or whatever.
But let's just say, if we just start with a FIDO2 key, you're looking at roughly $20.
So $20 a person.
But now what does that long term cost look like?
(27:59):
From a, okay, breach perspective?
What did you know?
Now we don't have to.
You know how many breaches now does this prevent?
From a just social engineering perspective, do we get to now dial back on some of the licensing or
(28:19):
technologies that we had that was designed to prevent, again, phishing?
You know, not saying that we can completely go away from just all email security in general, but, like, you know, you'd brought up that good point, Eric, earlier, but would be, as just, you know, there might be some cost savings there too.
And then also even support desk calls.
How much time is wasted from people forgetting their passwords, didn't sign up for the self-service password reset.
(28:41):
You go on and on, and those, what we'd call, what, soft dollars.
You know, like of just time there, that now you don't have to change the PIN on your key card because if somebody knows it, well, I mean, you can always change it yourself.
But even if they know it, they would still have to have that.
So I see a big cost savings here.
Nick Mellem (29:04):
You took the words right out of my mouth, and I was going to say how much time, cost and effort goes into a help desk answering calls solely because somebody's locked out, can't remember their password, so on and so forth.
Eric Palms (29:20):
It's insane.
Nick Mellem (29:22):
It's egregious.
Eric Palms (29:24):
The amount of lockouts and passwords that have been forgotten because they're on the 90 day password rotation schedule.
And what is it now? Is it 12, or did it go up to 14 character? Is NIST still at 12, or is that at 14?
Matt Starland (29:41):
No, NIST is actually down to 8.
They're down to 8?
Nick Mellem (29:46):
They were at 12 for a while, weren't they?
Matt Starland (29:47):
Only if you have MFA, though, they're down to 8.
No password changes, but there's two other criteria there.
One, you have to have MFA on it, and two, the password has to be checked against a database of known breached accounts.
So like Have I Been Pwned? Yep.
Eric Palms (30:09):
Yep, okay, I know a lot of organizations require nowadays like 12 or 15 character passwords, and then they're doing the 180 day reset or one year reset still, and it's like, okay, a 15 character password, you try, when you try and you kept, even if you had for a year, to try and go, oh, I changed it.
(30:29):
And then let's say the next day, what was my password? It's 15 characters.
Matt Starland (30:34):
It's probably a phrase at this point now. Well, and the other thing too, to your point.
Your point on that is, even though NIST suggests or has that, that again is just NIST, because there's other requirements behind some of those organizations that have to do the 12, 14, 16, and 180 day because of certain regulatory
(30:54):
compliance.
So it is funny how the different regulatory compliance, there's some, I almost feel, a lot of subjectivity, depending on who's doing it, because they're not all necessarily aligned either.
You know, we always look to, not always, but a lot of the industry, you know, cybersecurity industry does look to NIST to,
(31:16):
you know, have done their homework, their analysis, testing, et cetera.
But I find it interesting that even you look at that being a federal government standard. Guideline.
Yeah, guideline, is this like CJIS, Criminal Justice Information Systems.
That regulatory compliance, though, will say the only way you can go to a one year password rotation is if you're
(31:37):
like, I believe, don't quote me on this, I believe it's like almost like 16 or 20 characters, but then also the password has to be hashed and salted in a way that it can never be, you know, taken offline with brute force.
So if you can't get to that, which everyone knows Active
(31:59):
Directory is still using an old hashing algorithm that, as long as you get the NTDS dump, you can, as long as it's got the right care, you know, you can take those off and start cracking those.
That's almost hard.
So I look at it, it, that might be some sort of proprietary, not proprietary, but some other identity provider that can hash that.
(32:21):
But if you can't meet that hashing requirements, then to your point, Eric, like you're saying, you got to go to a 90 day, and you can have it be, you know, 14 characters or whatever, but it has to be now 90 days, and so again every 90 days.
Hey, look at that spike in the help desk calls that occurs for
(32:42):
that particular group of people that have to abide by that regulatory compliance.
Eric Palms (32:49):
And then you get the people who start putting numbers either before or after their same password.
Yeah, right, yeah, unless they have a password double check application, then it's just all the systems to go, well, the hash isn't the same, so okay.
Nick Mellem (33:04):
Yeah, and that's interesting too, that you're bringing that up.
You guys all have iPhones, I'm pretty sure, right?
Matt Starland (33:11):
If I told you, I'd have to kill you.
Nick Mellem (33:12):
So, either way, you can keep our word and I offline, but I'm pretty sure you do, because I think your bubbles are blue. Either way.
Have you guys seen Apple's kind of doing this whole initiative of hide your email, and they will suggest a password for you and it will be stored within, on-prem, in your iPhone?
(33:33):
So let's say you sign up for some subscription, right, and you're setting up your account, right, you have the option to hide your email, and they'll put in some fake email that will still come to you, but, you know, it's putting that wall up secondary.
They're suggesting a password, and it's a very long password.
I think, you know, somebody can correct me if I'm wrong, I think it's like 16 characters, but it's just, it's not even a
(33:55):
phrase, it's all the things, right, but it's getting stored on your phone so you don't have to remember the password anymore because your phone's remembered it.
So every time you come back to that website, it knows, just like LastPass or other services, Dash, all those different services, and just implements, or sorry, just puts everything in, fills out everything for you and logs you in. Thoughts on that?
Matt Starland (34:19):
Maybe you didn't know about that, Matt.
You sound like I'm, as you see my facial expression, I am an iPhone, I mean I'm, I'm not.
I mean I can't tell you what my, you know, phone is.
Nick Mellem (34:26):
Um, no, we're keeping a secret, people. Yeah, we're, yeah, top secret, Signal. Yeah, so it's, uh, I just, I have been oblivious to that.
Matt Starland (34:36):
I, yeah, I didn't even realize that, because I use some other password keepers to do that, so I haven't really used their built-in stuff before. So I do find that fast, I mean, because of those other password keepers. Yes, that makes sense. You know, of course, keep a different password for everything, so that way you limit your risk if something gets breached. But I didn't know about that email perspective.
(34:58):
That is fascinating.
Nick Mellem (35:01):
Yes, like, sorry, go ahead about that.
Eric Palms (35:04):
I don't personally use it, because I use another solution. But they do the same thing with, when you do the sign-in with your Apple account, except that's, that's essentially an SSO at that point. But they will also hide your email there as well, and they'll just forward it along from some random characters, like
(35:28):
fakeapplecom or something, I don't remember the exact formula. But they do the exact same thing there as well, for when you sign in with Apple. So let's say you're going to buy some subscription from the App Store, I don't know, but HBO Max, when you sign up, you can sign up through Apple for the subscription.
(35:48):
It'll just give HBO a completely random email address, and basically Apple sets up a forwarder to your email. So they never actually have your email. So in the off chance that the company gets breached as well, okay, they have a fake email for you that just gets forwarded
(36:09):
along. So they can't go and go, oh, this person has a Gmail email address, let's try their credentials there and try and get in. It's complete randomness.
Nick Mellem (36:22):
Right, yeah, and so I've been kind of participating in this. And when I say participating, what I've been doing is, I'll let, if, you know, on my Mac or iPhone, I'll let it create the password, right, and I'll do that. And then my LastPass, I use LastPass, and it'll come up on the side and they'll do, us, remember it. So I have Apple create the password and then I put it into LastPass. So it's like, you know, right, you see where I'm going with
(36:45):
this, so I've been using it. I think it's awesome, right. I wish more people would use it, right, like our moms and dads, grandma, grandpa, whoever, right. That's, that's really who I feel like this should be getting trickled out to as well, because, you know, all of us have got the call from our moms and dads or whoever it is, right. They're having issues with passwords or can't remember or
(37:07):
whatever it is. So then all the passwords for everything are the same, right, and that's just inevitable. And that's where something like this is really cool, to see this technology coming out. So it brings me full circle to think, have we gotten to this point because we just outgrew eight characters, right, or was
(37:28):
it a, is it a money thing, right, or is it just, the malicious-intended actors have gotten so good that this is the only way we can keep up with them? And it's not really a question, but it just makes me think, like, wow, we're coming full circle right now, but how did we actually get here, right? So it's just interesting, all these things that are going around with different technologies, and I know maybe
(37:49):
you guys can comment on, you're working on a project now to go passwordless. Yeah, I mean, so the project and stuff that, you know, we're working on is, um, there's a lot of drivers to that.
Matt Starland (38:02):
Besides, you know, just even the cost perspective, you know. So I think it's been a combination of things that we've been talking about for the past, you know, half hour or so: help desk calls. You know, for the organization that we are working on to do this, there's a lot of regulatory compliance that is involved. So you have all of these certain groups that don't have
(38:27):
to abide by this particular regulatory compliance. It's extremely strict. And then you have this group over here, and so you start getting into, okay, wait, which password policy? You know, you try to find this fine balance between usability and also security, and, you know, as we all know, if you make things so super secure, well, sometimes it makes it difficult
(38:51):
to be effective operationally. And then you start to increase help desk calls or issues
(39:13):
because a lot, strict, you know, requirements maybe meets the NIST requirements, regulatory compliance that isn't NIST, and then they have a different one, and then your service desk is getting calls of, like, wait, which one are you? Okay, this is the, here, you know. So you don't want to make things complex for your
(39:33):
organization too. But then, then you get into the situation where, well, crap, I gotta do.
Nick Mellem (39:40):
I just set one standard now for everybody, that they have to be this secure and hardened, and that's not subjective, though, to your industry, and that's where I think the conversation starts to turn, right, is if you, if you're government or private or whatever, that it really is subjective to that point.
Matt Starland (40:00):
So continue on that. I derailed you. When you say subjective to that point, can you articulate on that a little bit more? So, like, what?
Nick Mellem (40:05):
I mean, is, you have a different set of standards?
Matt Starland (40:08):
Oh, if you're a government entity.
Nick Mellem (40:09):
You have to follow these rules for a reason. You're financial, you're in a, you're a bank or, or whatever. You have to meet these guidelines.
Matt Starland (40:16):
Yeah, and I think that's, and that's kind of what I'm referring to, is that, you know, and I've seen in the government industries, because of how, you know, like for, you know, some counties where you've got 25 different departments or something, and those departments are like separate entities, like, you know what I'm saying, so, you know, if I'm working for a
(40:37):
Medtronic of the world or some healthcare company, what is
Eric Brown (40:40):
my focus.
Matt Starland (40:41):
Healthcare. You know, I might, I'll be doing HIPAA. Okay, so we need to abide by HIPAA, and that's, this is our niche, our thing we can focus on. Maybe we might touch a little bit on PCI, because payments or whatever. Maybe I offload that to another organization to handle the PCI stuff because of the cost.
(41:01):
But for the government industry, because of those different departments, you've got healthcare, you've got criminal justice, you've got some IRS rate, there's all over the board. And so for that organization, and that kind of goes back to what I was saying, is like, here's one. They've got these users, they are divided by this and this, and it starts to create this situation.
(41:22):
Then do we just take the most restrictive, which now, yeah, we're under compliance, but only a quarter or maybe less, or I don't know, maybe, let's just say, for using example, only needed to abide by that, and now the whole organization has to abide by that. And, oh boy, now we've got a lot more service desk calls coming up.
(41:42):
So I guess, kind of circling back, what, what, where does this? You know, why is this so important, to go to this type of technology? Well, one, it's because it's simple to use. But then, two, it meets all of those regulatory compliance of multi-factor authentication and making that authentication so
(42:04):
much more secure. So that's kind of one of the reasons why the project that Eric and I are on is to help meet that: keep it simple, but still with good security. And is it going to be fully secure to the point where, oh, we will never have a breached account again? No, because, like what Eric was saying earlier, you still got
(42:26):
the risk of somebody trying, you know. Now you still got the risk of somebody trying to replay your tokens or tickets. But I would think, though, that's much more difficult. It takes much more technical skill set to try to somehow get that piece of software on there, not saying that couldn't happen from an email, because now the user goes out and downloads it.
(42:49):
So there's still that aspect to it. But at least you maybe take some of the other humans' social engineering over the phone now, or might make it a little bit more challenging. At least that's what I'm envisioning. But who knows, somebody will get creative again and find another way to get that token off your computer. I'm sure that's a guarantee. Something's going to go full
(43:13):
swing. We all went to the cloud. Watch, now we're all scared of the cloud. We're all going to come back on-premises someday. You know, who knows, but I think that's, you know, that project that we're on, that's one of the reasons, is because of, you know, trying to be simple. But it looks like it increases security and meets all those different regulatory compliance. And, yeah, it's been a challenge because of the initial
(43:36):
implementation of all the systems that need to get adapted to that. But yeah, I don't know, that's up. Eric, what's kind of, what's your take been on, kind of, seeing, you know, implementing this, and, you know, where some of the challenges and hiccups you think are going to be and where they have been?
Eric Palms (43:54):
The core setup is simple for passwordless, because, like, Microsoft, Okta, Duo, all of them support it natively, and it's included with most licenses. The harder part is getting the more, like, the SSO setup going to
(44:18):
all of these different apps. Now, most third-party SaaS-based apps support it already. I've seen plenty of companies who are actually moving away from on-prem to SaaS because of the integration into, for a single sign-on. Stuff is already, they all have it implemented and stuff. The hardest part is your on-prem apps, especially the
(44:40):
apps that may have been around for a decade or longer, that have been used, and maybe the people who originally wrote it are no longer there. So no one truly understands how it works on the back end at this point, and they have to go in and try to modify it without breaking it to support these newer things like SAML.
(45:01):
Well, SAML is super new, but it's one of the better ones out there. So that's the harder part, is that right there. Or if they have an app, it's too old and it's not worth setting it up, and they want to look into migrating to a SaaS application. Okay, well, now that department has to set up a new project to start migrating, whatever it may be, over to a
(45:24):
SaaS application, which then, depending on the size of it, could take a year or longer. If it's a major system, it could take two years. So that's the difficult part. It's not the, oh, you have a security key, you plug it in and enter your PIN. That's simple. It takes 30 seconds to set it up. It's the getting everything back and into it, because I've
(45:47):
noticed that there are so many, at least at the beginning of COVID, there are so many disjointed systems, and everyone has different credentials to get into every system, so they may have 100 logins because they use 100 different systems. And now, when you're trying to set up these single sign-on
(46:08):
systems, and then you can set up, like, passwordless with them, it's getting them all to communicate with each other again. That is truly the actual hard part in it. Like, you can set up a security key in Azure AD in five minutes. You can go in, you can literally, from admin, it probably takes you five, ten minutes to create the policies,
(46:30):
give someone a key, get them to set it up, and they can use that for Microsoft login. Now, getting Azure AD, if that's what you want to be as your identity provider, to go to all the other services, that's the hard part.
Matt Starland (46:43):
Well, it also takes, you know, you got to get buy-in now too. So this is where it comes key, because of those challenges that you talked about with, you know, having, you know, certain applications, whoever's owning them or whatever departments might be involved with that, and maybe, depending on how budgeting works, and just because IS has a lot of control of some
(47:05):
of this technology, but they might not be the actual owners, or however their budget is in regards to that app. You know, that could be this old legacy app, departments or leaders involved and aware of it to see, one, the benefits, but also understand, hey, this is what it's going to cost us to get
(47:37):
here, and here's what we predict our ongoing cost will be post getting there. Because, again, like I said, if we can, you know, market it in a way that, look, we're going to save money here on password resets and time spent on the phone with, you know, well, time saved for employees getting into their workstations because they forgot their password or now they got to unlock it, or whatever. Time saved at the service desk or help desk level
(48:00):
now of being on the phone with that employee that is losing productivity because they can't get in, you know, having to pay for a password self-service reset system, you know, and then maybe some other technologies that were to help prevent, you know, passwords from getting leaked or whatever. So I think that it's very key to also get some good marketing
(48:25):
at your leadership level and buy-in, and getting, you know, this spread to all those different departments to get on board and see the value of it, and then, um, then, then hopefully you can then get those resources to react quicker to, to your implementation.
Nick Mellem (48:42):
So yes, it's a change management issue, right? Yeah, just get everybody on board, and that's, that's a big piece.
Matt Starland (48:49):
There too, is that, wait, how do I use this thing? You know? How do I, you know, plug it in, or, you know, because it go. Yeah, so to, you know, I know, Eric, you said it's simple to register too, but, like, a lot of people, like, you know, to figure out, wait, how do I log into this and do this? And, you know, it's also to the, uh, what does the service desk
(49:09):
do, or help desk, now have to? How do we, how many of these do we keep on site? You know, what happens if somebody loses it? So there's a lot of that change management that needs to be developed as well. Um, but I think once you get everything along, there's definitely some good long-term cost-benefit analysis here.
Nick Mellem (49:33):
Like we were saying, the change management portion is huge, getting that buy-in from everybody and making everybody understand why we're doing it this way. Not everybody understands the technical side of the house, and rightfully so. They just don't understand, and that's fine. So then, then I think, right, here's our next question, is, at
(49:53):
what point is it too much? Right, are we going, I'm not saying we are here with this technology, but is the next step too far? Are we already, have we already gone too far? At what point are we pushing, I don't want to say security, right, because we're always getting better. Every single day we're learning things that we didn't know yesterday. But at what point have we gone too far?
(50:14):
At what point is it just an accepted risk? It's inevitable. We can only do so much. Eric, do you have any quick-hit thoughts on that?
Eric Palms (50:26):
I know a lot of people that hate typing in passwords. So the people I've talked to, I've actually had people come up to me with this project, like, wait, we don't have to use passwords anymore? Like, not with this project. No, you just have to remember a key, a security key, and while
(50:51):
most organizations have some sort of a badge system to get into buildings and whatnot anyways, you just keep it with that. So then they're much less likely to lose it at that point, because, well, if they lose their badge, they can't get into the building anyways, or access equipment and whatnot, for people who are hybrid or in the office every day.
(51:12):
But the idea of, oh, I only have to remember a PIN, a PIN that doesn't have an expiration date because it's only tied to said device. So if the device gets stolen, then they don't have the PIN, and there's a pretty short lockout on those.
(51:34):
If someone tries to brute force it, I think its default is like five times before it locks it and it needs to be reset by an administrator. So, yeah, so the people I've talked to are, the end users I've talked to have been excited about it. It's more of the app users
(51:56):
where I've seen is the pullback and such, like, where it's, for going too far, it's, those are the people who are going to go, well, this is a lot of work, and is this worth it? But it's the end users who actually really are enjoying this, because then it's like, it's much simpler, and they're small, they're easy to
(52:16):
keep on you, like, or people keep on the key ring, because everyone carries their, well, at least for the time being, everyone carries their car keys, unless they have, like, a Tesla or some other EV vehicle where they've gone to, like, right, your phone lock-in. So, yeah, for the time being, though, your keys for your house and stuff are still around, so it's, it's easy to keep it on there too. Otherwise, so I'm kind of
(52:38):
having some thoughts and opinions on my own question, and I, I don't think we probably could ever go too far.
Nick Mellem (52:44):
And the reason I say that is because if somebody told our parents, or whoever it was, you know, 25, 30, 40 years ago, when cell phones just started to come out, that a key was going to get sent, or a token, whatever, was going to get sent to your phone, a code, whatever, that you were going to type into a computer to authenticate yourself, we would have thought you were crazy.
(53:04):
Right, there's just no way that would ever happen. But we're here. So the question I'm asking is, like, well, it depends on where we're going to be in five or ten years. We just don't ever know. We're always evolving. But, Matt, go ahead, you obviously have some thoughts.
Matt Starland (53:17):
Well, I mean, yeah, I mean, that's, you're talking, that's like trying to prophesize some major things. There's so many, you know, who would have predicted COVID would have changed the way we lived and worked? You know, it took a major event to just alter life so differently, as from just working.
(53:38):
So, while we can do our best to analyze, you know, the information we have today, it's, there's so many different, there's either market factors, there's geopolitical factors, there's the malicious actor factor. That's malicious actor factor, huh, the MFF, I don't know that.
(53:59):
Anyways, I, anyways, I had a squirrel moment there. But, yeah, there's, you know, there's so many different things that can change it. So, just viewing what we know today, it definitely seems like it's the way to go, based off of the information we have. But I guess I'll just ask ChatGPT tonight and see what it says
(54:21):
. Yeah, report back on that. I'll report back on that, and then I'll make that as my final decision.
Eric Palms (54:27):
Yeah, you come to, like, you bring up ChatGPT and stuff, like, passwords. A computer like ChatGPT has a lot of power behind it. It can crack so fast if someone were to teach it how to, or explain how to. You can, ChatGPT, you can even write code.
(54:47):
It's good code, or like Java or whatnot. It's not too far to go, oh, I want you to crack this user's password.
Matt Starland (54:58):
ChatGPT, write me a piece of malware that replays the SAML token. Done. Game over. All right, so now what do we got to do to fix that one? We went passwordless, but they found the new weakness in Kerberos tickets and security tokens, and we're in change management meetings all over again.
(55:19):
Yeah, so, no, it's just how the industry changes, and we're doing what we can with the knowledge we have at this point in time, and thinking this is what we can do best, and something else will come along and we'll figure something else. All right, guys.
Nick Mellem (55:36):
Well, I think we beat passwords to death. Unless you guys got any other closing thoughts, I think we can leave it there and maybe have an episode 2.0.
Matt Starland (55:46):
Any thoughts? I'm good here. I brain-dumped everything.
Eric Palms (55:51):
I am good as well.
Nick Mellem (55:53):
Well, awesome, guys. Once again, we really appreciate you guys coming on, and can't wait to have you on another one coming up, but appreciate your guys' time. Thanks again.
Matt Starland (56:02):
Yeah, have a great day. See ya. Thank you.
Eric Brown (56:07):
Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk.
(56:29):
Contact IT Audit Labs to find out more.