Passwords and password management is probably the biggest problem we have in cybersecurity


Originally Posted On: https://www.logmeonce.com/blog/interviews/passwords-and-password-management-is-probably-the-biggest-problem-we-have-in-cybersecurity/


“We all see data breaches and hacks being discussed on the news almost every day. But unfortunately, there isn’t a lot of education in the news about how to prevent your passwords or data from being exposed.”

At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.

However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.

Today, Logmeonce had the opportunity to chat with Tom Eston, the co-host of the Shared Security Podcast about his experience in the cybersecurity space. In the interview below we dive deep into topics relating to password management.

We have an exciting interview planned for you today, so without further ado, let’s jump in!

The Interview

Hello and thank you for taking the time to chat with our cybersecurity blog readers today about your experience in the cybersecurity space, Tom. Can you help us kick off this interview by telling us what it was about the cybersecurity space that pulled you in and never let you go?

Cybersecurity is always changing and evolving. Staying up-to-date on the latest data breaches, hacks, tools, and techniques is one of the best aspects of working in cybersecurity. I learn something new every day and get the opportunity to help people and businesses be more secure. In my opinion, cybersecurity is one of the most exciting career fields because of the new ways that attackers are always looking to break into computer systems and, of course, humans!

You have done such a wonderful job producing some of the best cybersecurity podcasts that I’ve ever listened to. They are short, but full of actionable insights that regular people can use to better protect themselves. You’ve produced quite a few episodes that deal primarily with security issues revolving around passwords. In one podcast on the topic of passwords, you mentioned that Microsoft conducted a study and they found 44 million compromised password matches for customers who use Microsoft Azure or Microsoft Services. This doesn’t mean there was any breach, it just means that 44 million accounts could fairly easily be compromised because they were reusing already known passwords. In your experience as a cybersecurity educator, is this an issue of needing to better teach people that hacks don’t exist in silos? Do you find that most people think that if an account is compromised, that the hack stops there? For example, if someone’s Facebook account gets hacked, in your experience do the majority of people think only to update their FB password and continue on with their day? If so, what are the consequences of this way of thinking?

Thank you for the kind words about the podcast! Passwords and password management is probably the biggest problem we have in cybersecurity. We all see data breaches and hacks being discussed on the news almost every day. But unfortunately, there isn’t a lot of education in the news about how to prevent your passwords or data from being exposed. It’s always, “look at this latest cool hack and all the personal data that was exposed!” which makes for great TV. It’s important that people understand how easily you can get hacked by using the same password for everything as well as by continuing to use weak or guessable passwords. I’m still surprised that picking passwords based on personal details like pets, names of significant others, and hobbies is still extremely popular. This is how many social media accounts are hacked. All an attacker has to do is a quick look at your social media account and oftentimes that’s all that’s needed to guess a password. And if that doesn’t work, many of your personal details are available through a quick Google search by looking up your email address in one of the thousands of databases of stolen or hacked credentials from previous data breaches available on the Internet.

In another podcast you talk about how the Cyber Security firm Hypr came out with a report about how people use, treat and manage passwords. In that report they talked about how often people will only add or change one character when they update their passwords. You mention that even with more awareness, people still continue to use bad habits when it comes to protecting themselves online. What do you think this is caused by? People feeling they have nothing valuable to protect? Laziness? Lack of education on the topic? Something else? What do you think needs to be done to better protect the general public? Is education the key or do we need better technology that takes the responsibility out of the public’s hands?

The biggest reason for bad cybersecurity and password management is because as humans we are lazy and for most people managing passwords appears to be a very daunting task. The majority of everyday people don’t give cybersecurity, let alone their password management, much thought. I believe that you need to have both better education as well as the technology to work together to make it seamless for people to manage passwords. It’s clear that what we have today isn’t working based on the data we see from previous data breaches that show the passwords people select. The good news is that there is more innovation with cybersecurity education these days, like gamification, and the password management and authentication technology is getting better too.

On a similar note, as you mention on your site, the UK’s National Cyber Security Centre released an analysis of the most common passwords of recent data breaches and hacking campaigns. The password 123456 wasn’t just used 1,000 times, or 10,000 times, or even 100,000 times. No, it was used 22.3 million times! Now previously I asked why people may reuse passwords, but in your opinion, is the cause of using weak passwords something different? What’s your reaction personally when you find out that over 22 million people have the password 123456?

My first reaction is that I’m not surprised. As I had mentioned, people are lazy and 123456 just so happens to be close to where your fingers are on the keyboard. The other password I find just as funny is “qwerty”. That’s even easier to type on the keyboard since someone doesn’t have to reach that far. And even though web browsers like Safari on your iPhone actually suggest and securely store strong and unique passwords when creating new accounts for sites, many people ignore those suggestions and stick to that one easy-to-remember password. This is where education can help. If you explain (in basic terms) what Safari is actually doing here and how it helps improve their security, you have a better chance of them adopting better security habits. I think we also need to show people “what’s in it for them”. Just telling someone to use a password manager may not always work, but if you tell them that if they want to better protect their personal data, and give them examples of what could happen if they don’t use a password manager, then you have a more compelling argument for why they should use one.

Let’s talk a little bit more about how passwords are being used to gain access to other devices. In one of your podcasts you talk about how a Ring camera was compromised and a hacker gained access to a camera in an 8-year-old girl’s room. The camera itself wasn’t hacked, but it appears the hacker gained access by simply using reused passwords to gain access to the camera. In your opinion, how much does the general public know about the topic of how passwords can be used to access IoT devices or other hardware devices?

Based on how this news story was communicated, people really don’t understand how devices like Ring and other Internet-connected devices are really hacked. Unfortunately, people automatically assumed that their Ring cameras could be accessed by anyone, so everyone started to freak out based on some really poor news reporting. I saw a lot of “Everyone panic! The sky is falling!” and other sensational news stories about this particular issue, mostly on the local news channels (which most people listen to and believe as being 100% accurate). Unfortunately, in the better news stories, I only saw that “password reuse” or “credential stuffing” was the cause of the attack. Many people don’t know what those two things actually mean, so they just think that their Ring cameras are hackable and insecure.

You talk about the idea of passwords being completely eliminated in the future. I’m sure you’re following the progress in this space closely. What passwordless technology makes you feel optimistic?

I’m very encouraged by newer types of multi-factor authentication and biometrics, such as new industry standards like WebAuthn, which will hopefully eliminate passwords altogether one day. This is why I encourage my podcast listeners to always use multi-factor and biometric authentication whenever possible. It’s going to take apps and sites a long time to eliminate passwords, but the more proactive you can be now, the better off you’ll be down the road.

A lot of people might feel that password expiration policies might help reduce many of the problems we’ve talked about above. However, you don’t believe that’s the case. Why is that?

More organizations like Microsoft and NIST (which sets US government security standards) are recommending removing password expiration policies, mainly because it’s been shown that when someone’s password expires, people are more likely to choose another poor password. For example, if your password was “Password1”, many people would change it to “Password2” once their password expires. Also, if you found out your password was compromised, you would want to change your password immediately and not wait until it expired. The industry is now moving towards multi-factor authentication as well as using banned password lists to check for poor passwords before password creation to replace password expiration policies.

Lastly, I want to talk with you about a topic that not a lot of people talk about, although I’m sure it’s something a lot of people think about. There is a story on your site about how a cryptocurrency exchange owes its users 198 million dollars, not due to any breach or fraud, but because the CEO of the company passed away, and he was the only one who knew the password to the exchange’s cold storage wallet. This brings up an issue that many of us should think about and talk to our families and loved ones about. Who have we designated as our password manager if we were to not be here tomorrow? What advice would you give to people to put a plan like this in place?

This is a very interesting topic, as many of us don’t like to think about what happens to our accounts and digital assets when we die, but the master password for your password manager, the passcode for your smartphone, and other digital secrets should be kept locked away in a safety deposit box or other trusted and secure location. You should also designate someone you trust who would handle your “digital estate” if you did suddenly die, so that they know how to access your password manager if needed. Under no circumstances should you ever put passwords or any account credentials in your will. Your will becomes public record when it goes through the probate process after your passing! I highly suggest you consult a lawyer about your particular situation, as I’m not one, nor do I play one on TV.

Great ending Tom! Thank you for taking the time to chat with Logmeonce’s blog readers today about your experience in the cybersecurity space. It’s been a fascinating discussion. To our readers, if you’d like to learn more about Tom, his podcast or the work he does you can follow him on Twitter or visit his website here.