
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
The Future of Passwords and Personal Security
A conversation between Nick Mellem, Eric Palms, and Matt Starland about the future of passwords through the lens of IT. The team notes a general lag time behind current threats and the technology already available to upgrade security protocols and the lack of large-scale adoption and upgrades. Passwords may eventually have to be left behind for new technologies such as biometrics. It is largely agreed that there needs to be a change to a password-less approach to mitigate end-user security risks. Join us for this stimulating and timely discussion. Help us spread this important info by liking, downloading, subscribing and inviting your friends to listen to The Audit. Video version now available on our YouTube channel.
You're listening to the Audit presented by IT Audit Labs.
Nick Mellem: All right, everybody, welcome to another episode of the Audit. Today I've got my good friends Eric Palms and Matt Starland, and today we're going to jump into the future, or what the future looks like, with passwords. I think we all spend a lot of time figuring out how to navigate the world of IT, and passwords are oftentimes one of the biggest parts of it. So welcome, guys.
Matt Starland: Thanks, hey, thank you, can't complain. Today it's 85 degrees out in Minnesota. I heard that.
Nick Mellem: So it's a heat wave and people in Minnesota are probably thawing out a little too quick. Maybe that's a problem.
Matt Starland: People are probably forgetting their passwords. We still got 20 feet of snow in a Target parking lot. So we're still, we still got winter, still getting dug out. Well.
Nick Mellem: Yeah, guys, I appreciate you guys jumping on. Like I said, wanted to, you know, talk all things passwords. So if we're jumping right into it, what are your guys' thoughts on how passwords are progressing or not progressing?
Matt Starland: So yeah, I guess passwords have always been kind of a big problem for IT and organizations for many years. One of the things you look at from the attack vectors is social engineering, whether it's through email communication or somebody calling up a service desk phone number and acting as maybe an employee and then getting that password reset that way, and it's funny. It reminds me of a quote that I've heard a few times, whether it's from certain pen testing organizations, but one of the quotes was "What you call hacking, I call taking your password and logging in." So when it comes down to the technical expertise to do something like this, it doesn't take much, and so that's why you see so many phishing emails come into organizations trying to just build a fake web page and have the, you know, employee log in, or think they're logging into a web page, to gain access using username and password. So traditionally we've been using that methodology for so many years now.
Matt Starland: But we look to the government, you know, to maybe actually make a change there. This is a good thing from a government side of the world because of just the top secret data that they have to work with, but they've been using CAC cards, I think in the military. Maybe some of you have seen that before. Maybe in being in the Marines I used one, yeah, exactly, and so it's got a chip on that that would maintain a certificate, similar to your debit card. Yep, exactly, certification protocol, PIV protocol, which acts as kind of, the card is something you have, and that certificate on there is tied to your identity to get into a system, and then you also have some sort of a PIN code to unlock that. So they've been going, you know, the government at the federal level has had this for almost, I think, 20 years or so, but it's interesting to see how a lot of the industry has not fully caught up with that yet, even though, with all of these, you know, social engineering techniques, it seems to be that we've tried to band-aid it, you know, using certain tools to prevent, you know, those phishing and processes and procedures, but there is technology that's, you know, been around for a little bit to actually help, you know, prevent this, these passwords being stolen. So it's interesting to see where the history has been, and I feel like with Microsoft, of course, playing a big role.
Matt Starland: I'm not to sell Okta and Ping and all those identity providers short, but for a good part, still, when it comes to on-premises, you think it's got to be what, 99% Active Directory? Absolutely. I mean, I don't know if you guys, have you guys seen anything of Novell in the past 15 years? No, I haven't. So, yeah, so, exactly, so you look at it, it takes, you know, an organization like that to kind of push that forward and people are going to start, I think, getting on board with it or not have a choice. Well, I can go on that part for a while, I know, I don't know. Yeah, Palms, what is your kind of thoughts on this future here and what are you seeing in regards to some of the news and articles out there that exist?
Eric Palms: I think that passwords are going to have to eventually go the way of the dinosaur. Between all of the phishing emails, like you mentioned, that just show up, it's hundreds and thousands that are getting hit at each organization daily, and a lot of organizations have fairly good filters nowadays to filter out the majority of them, but it only takes one to get through to compromise a company. That is the problem, and all they need is that username and password.
Nick Mellem: Yeah, and to what you're saying there, that's just the phishing part.
Nick Mellem: We haven't even got into the social engineering, right? That is, you know, one of my, if you've listened to any of our previous episodes, you know that's like one of my favorites, is social engineering. I've been practicing it for years, and that is what everybody wants to know: can you get my password? Right? So we're trying to compare apples to apples here. But one thing that's so hard for us to protect is the social engineering aspect, because we can look up the stats all day long. What is it? Between 80 and 90 percent of all issues, you know, with malicious intent start with an end user, and it's directly related to their password. I mean so, with that being said, is it just inevitable that we have to go passwordless or biometrics or whatever the case is?
Matt Starland: But to me that's kind of where things have to shift to, and I think that's where the conversation is going. Yeah, and folks, you know, with Nick's background in social engineering, you can clearly see that he is social engineering you right now on this episode to buy some services. So look for some future sale events here coming up.
Eric Palms: Yeah, I know that's what your ulterior motive is on this.
Matt Starland: I cannot confirm nor deny. If only everyone could see the grin on his face right now. Yes, and how red he's turning.
Nick Mellem: Yeah, we're turning the cameras off. I'm kidding.
Matt Starland: No, but in all seriousness, no, it's, yeah, it's time to. There needs to be a change in the industry, and I kind of look at it too. Is that there's a cost savings benefit here, which I know we can definitely geek out on here in a little bit. You know, when you're getting into the cost of some of these, what do these passwordless, you know, tools look like? But let's say you go passwordless, okay. What does that mean now for some of the products or platforms that you currently have today that are designed to prevent maybe social engineering? Usually that's the human aspect, so I don't know, maybe that's process and procedure there, but let's think of it from the threat vector.
Matt Starland: So email, that's one of those threat vectors. So what are we using today, when I say we, me as a society or culture, IT industry, what are we using today to help stop those, you know, those types of attacks? Well, we are using, I guess, if you're in Microsoft 365 Cloud and you pay for their, you know, E9462 license, whatever it is that you're, you know, the suite of buffet that they give you to, you know, for every log second you want, you know what I mean, nickel and dime you kind of thing, you know. So you've got their ATP, their anti-spam, phishing, or maybe you buy. There's a lot of money right now involved in those technologies and services.
Matt Starland: So what does that mean if you go passwordless? So, okay, great, I click on this, you know, this email that comes in and they have a fake page that looks like my organization and needs my password or whatever, and I think I'm giving them my password. Well, if I'm passwordless, what am I giving them? You know. So if you're looking at it from the multi-factor authentication perspective, there's a lot of.
Matt Starland: This passwordless is a random generated code or a PIN that you have memorized to unlock a device that then has that certificate on it to prove your identity. So I guess to the basic end user, they're going to think, well, maybe this is my four digit or six or eight digit PIN on my device that I need to type in. Okay, great, so I give that phishing web page my PIN number. Okay, so now the attacker has my username, you know, or if I gave my username or my email address, and they're now using that six digit PIN to try and log into a web application or some sort of VPN that allows me into my organization. It does nothing, because that PIN is associated directly to that device, to even unlock it or to gain access to, I guess in general terms, you know, to prove that certificate or hash, whatever I have on that, to prove my identity. So it means nothing. So that tool that you've used to help prevent that situation from happening is irrelevant now.
Eric Palms: Yes and no. I would say that it also blocks a lot of malware and such as well, those systems. So I think they'll go less in on phishing and more in on malware detection, especially when you get to living-off-the-land malware. This will build the script on the device from an email from just opening it, like the latest Microsoft vulnerability for Outlook, where all you had to do was Outlook had to receive the message to become compromised, before, if you weren't patched. I think it's going to be a lot more stuff like that in a passwordless future, and that is a very great point.
Matt Starland: So, while, yeah, it prevents, so those phishing or those types of organizations, yeah, they would have to. It's not that they wouldn't be, that's irrelevant, but it's all the other services that they provide are going to have to ramp up, because I think that leads into a great point there, Eric. So, okay, this prevents maybe that social engineering or your password on the Internet getting breached, you know, kind of all that leaks and everything, or a hash of your password getting cracked. But it now goes into a different vulnerability or a security measure now that those attackers are going to be looking to try and circumvent, and that's going to be like replay attacks. So, once you authenticate, what do you get? You get a security token, a SAML token, a Kerberos ticket, something along those lines that proves that you have. So they're no longer going to be looking for a password, but they're going to try to, how do we exfiltrate or get a hold of that ticket or token to replay it and gain access?
Nick Mellem: Matt, this is just like the conversation that you and I have had before about authenticating a person versus authenticating a machine. Yep, right, for multi-factor authentication. At what point have you skipped that, right? That's the issue, and that's what, you know, for the listeners, Matt and I have debated this before. At what point are you just skipping it and not authenticating the actual person, but just authenticating the machine? Yes, the machine belongs to our network. That's where we're going to get nickel-and-dimey, I think, or you're going to have your issues. Eric, do you have thoughts on that?
Eric Palms: Yes, yeah, especially when it's getting certificates involved at that point. So there's, oh, some VPN solutions are notorious for just running certificate-based only. So as long as the device has a certificate, you're on the VPN. Or, let's say, you can do the same thing with a website instead. As long as that device has a certificate, they're good to go in, which is kind of scary in my mind. That's where I like where you can do things with devices where, if it's an expected location or an unexpected location, either based off of geolocation, off IP, you're going to say they're in their corporate office. Let's say you only run in the US and all of a sudden you have a machine you're trying to get a login from, I don't know, India, yeah, and then it's like, well, that's weird. You have to look at other factors as well.
Eric Palms: And then hit them with another authentication method, like, okay, let's bring up that MFA token at that point, so re-authenticate you to know this is where you are, because 20 minutes ago you said you were in LA and now you're in India. I mean, it's certainly possible with VPN solutions out there right now, but it's very unlikely, especially in the corporate world, to have someone move that fast.
Nick Mellem: And you know, too, you're bringing up some great points, Eric, and the problem also is, because of the now work-from-home landscape, we've opened up a landslide of opportunities for people to travel and work from other locations. People are getting Airbnbs in Mexico for a month to escape the winter, and it doesn't matter where they are, as long as they've got internet, right? Yeah, yeah, and that.
Matt Starland: So, yeah, trying to detect that anomalous behavior, I think pre-COVID was one thing. Some of the organizations I've seen and been at, you know, it's where they were almost 100% in-person kind of work. You still came into the office, you did your IT job, so to detect anomalous behavior back then it was a little bit easier. Now it's much more difficult because of some of that flexibility of being able to drop your vehicle off at the dealership and I'm going to work from there. You know, not saying that that didn't exist pre-COVID, but what I'm saying is, because of post-COVID here, hybrid workforce is a norm now, or people are looking to be full remote, and that makes that anomalous detection a little bit more difficult.
Nick Mellem: So that's interesting. You bring up, you know, the pre- and post-COVID into the password topic, and I say that because do you think that sped up potentially going passwordless, or just the future of passwords, period? Do you think that that actually pushes into the future? Because, you know, we look at it like, I think we've definitely fast-forwarded from COVID just to work from home. For us, right, it was inevitable, it was going to happen, but did it happen a lot faster because of it? Do you think it had the same effect on passwords evolving, right? Are we getting new technologies quicker? Because it's, holy crap, people are scattered all over the place, we need this.
Matt Starland: Well, yeah, I would say so, because, you know, again, thinking about certain organizations that were very in-person work, you know, some of those organizations looked at their trust level as being, well, I gained access to the facility, you know, with my badge. So now I'm in a secured facility where my network servers and resources and data are located. So now I can, now that I'm plugged into my local network or wireless, I can authenticate just fine because I'm coming from within the trusted walls of my physical location. So kind of, I know it's not multi-factor authentication, but it's a form of trust that I'm coming from within the network.
Matt Starland: And I realize this is the 21st century. We're all on this big zero trust kick now, just because of how technology and everything that's connected has grown. But I believe there was a shift in mentality, at least what I've seen there, because of that. And so now you're coming in from all over the different Internet locations, and we all know accessing a resource, an organization's resource, from outside the physical walls poses a whole other level of risk, for which you want to have multi-factor authentication, you know, that extra layer to prove who you say you are, not the device you come from, Nick, just who you say you are. I say that tongue-in-cheek.
Matt Starland: Going back to what you said earlier, our fun debate we had, in this passwordless, you know, looking at like the FIDO2 technology, like a key like that, or maybe this Microsoft Authenticator type thing where you type a PIN in, something you know, and then it unlocks to either present some sort of certificate that you have, you know, now you're gaining access. So I would say, whether a lot of organizations have, you know, determined that or not, I definitely see the shift going that way, at least from the big players like Microsoft and, you know, the FIDO2 technologies of the world. So, yeah, I don't know, Palms, what's your thoughts?
Eric Palms: Since COVID, I have seen multi-factor explode compared to pre-COVID, because it's exactly what you're saying, Matt. It's, oh, people aren't in the office anymore. How can we verify that someone? Because let's say they're at their cabin, and let's say their cabin is in another state in the middle of nowhere. Well, that could easily be them, but we don't know for sure. So that's where multi-factor has come in real well, to help with that. I don't think it's perfect, because there are plenty of ways to snag multi-factor. I've seen, with some of the new phishing emails, it's almost like a man-in-the-middle to gain access and grab that token.
Matt Starland: So, yeah, I hear you on that part, like the token piece, because that goes. So, going back to the multi-factor authentication again, for everyone that's listening, just because you proved your identity through multi-factor authentication, you still get that token. Now, for any of you that look at Azure AD logs, for example, and are using Azure MFA, you'll notice in those logs that "claim was previously satisfied by MFA token," and because of your identity provider proving that you've already supplied that MFA credential or that second factor, you then get that token that shows, yep, they did the MFA. But so now that threat actor, let's just find that security token and how we replay that, and then they go from there. It's a really interesting topic and I think we could, you know, you can continue and continue on this.
Nick Mellem: I think there's a certain point that we reached during COVID that we all kind of were so uncomfortable with how things were going. And I say uncomfortable meaning kind of like a pants-down moment. We're like, oh crap, we have so many different things to sweep in with our network, things kind of, I don't want to say out of control, right, but with so many things we had to bring in or speed up. So instead of being a little bit more lackadaisical or going through that whole change management process of how we want to do things, we got pushed so fast, that's what I mean by being uncomfortable, we got pushed so fast to a point where we had to be comfortable being uncomfortable. Does that make sense?
Eric Palms: Yes, I definitely had to be, beginning of COVID.
Matt Starland: Nick, I understand you, but this sounds like circular reasoning in a way.
Nick Mellem: No, I'm playing devil's advocate here, but there is a truth to it all. Like what you guys are saying, I believe that, I'm with you guys 100%. I think it was just inevitable. I think that's answered the question, that there's no, we were always going to end up here, but are we here five years faster than we might have been? Are we getting technologies quicker? Are companies releasing things faster? Because, right, companies are grabbing at different technologies because of, like what Eric said, somebody's at their cabin, it's in the middle of the woods in the Upper Peninsula, Michigan or whatever. So we're trying to rope all this in really quickly, but we're doing it uncomfortably because we're not used to this.
Nick Mellem: Well, just ask ChatGPT, it'll tell you. Man, I was going to bring up something else too, but even that's six months old already.
Matt Starland: So I mean, sheesh, they'd only scraped the internet, what, six months ago?
Eric Brown: So anyways, I don't want to digress off that topic.
Matt Starland: You know, something else for another day.
Nick Mellem: I was just going to bring up the fact that, well, you touched on it. Let's clarify something. You touched on the cost. Are you thinking the cost is going to be, it's really great to implement this stuff, or is it really high cost? Or are you saying the cost is so great that big companies are going to lobby against something because the cost of these things are expensive and they want to keep that revenue?
Matt Starland: What was your thought process behind that? So now, when you're talking about costs, like to implement, like, yeah, all licensing, all of it, I think part of it is, either one, not understanding what goes into it, you know, all the technology, and I think, going back to what I was saying earlier, you know, with Microsoft, say, you kind of promoting their Windows Hello for Business and making that much more known. I don't think a lot of organizations, because of maybe certain regulatory compliance things that they didn't have to abide by, just didn't see maybe the worth, you know, the time and effort to even look at it as a need, you know. So, going back, why has the federal government, you know, or military, been in this for 20 years?
Matt Starland: Well, because they had very highly regulated data, very sensitive data. So now that is your driver and demand. Now it's not saying that health care companies and PCI and all those didn't have that. But I don't know, maybe the federal government, just because of how that data was so critical and sensitive to them, they decided to find that passwordless way to just needing to make it work. So that was the driver, and so I think part of that was just not people realizing the cost, and I believe, personally believe, that with now, with the Windows Hello for Business, I don't mean to keep kicking that one, that's just one I'm familiar with.
Matt Starland: The most familiar with is, you know, making more awareness around it. And you have the new FIDO2, I put air quotes around "new", you know, it's a few years old or whatever, standard out. This makes it a little bit more, you know, viable because there's a little bit more ease of implementation than necessarily the personal identification, personal identity and verification, you know, protocol to stand up, because a lot of these cloud providers like Okta, Ping and Azure AD have that FIDO2 support built in, and now a lot of web applications are starting to build support for it. So you're starting to see it grow more, and I think as people start hearing about it more and also seeing the cost benefit. So I think that the initial implementation is going to be rough because not everything supports FIDO2, especially from an on-premises standpoint. So for those organizations that have adopted the cloud identity provider of the Azure AD, Ping and Oktas of the world, and where they're using OpenID and SAML to connect all of their cloud applications and maybe some of their on-premise applications too, they have a really simple step forward in actually adopting something like those FIDO2 keys.
Matt Starland: However, those who have some on-premises applications that are still using forms-based authentication or, you know, along those lines, they're going to have to figure out what are those apps. And then, of course, can we move, either one, changing that app over to a SAML, OpenID integrated with their, you know, identity provider, or can they go to a Windows authentication, which then means once I've logged into my device using my FIDO2, let's say, key or other passwordless technology, then it can pass my credentials through to that application without asking me for them, because I've proven my identity coming through my workstation. So there's that aspect of the implementation phase, that there's going to be a big up-front cost there, but I think long term it's going to be low because you can go and buy these keys. They range from 20 to 80 dollars depending on what features you want on them, because it's just not the FIDO2 protocol. There's some that have the PIV protocol. There's some that have, what is it, Eric? What was the one? TOTP, is it?
Eric Palms: TOTP. Some of them are FIPS certified as well.
Matt Starland: Yeah, FIPS certified. So it depends on what all the necessities you want on there, maybe for some backwards compatibility like at the PIV or whatever.
Matt Starland: But let's just say, if we just start with a FIDO2 key, you're looking at roughly $20. So $20 a person. But now what does that long term cost look like? From a, okay, breach perspective? What did, you know, now we don't have to. You know, how many breaches now does this prevent?
Matt Starland: From a just social engineering perspective, do we get to now dial back on some of the licensing or technologies that we had that was designed to prevent, again, phishing? You know, not saying that we can completely go away from just all email security in general, but, like, you know, you'd brought up that good point, Eric, earlier, but there might be some cost savings there too. And then also even support desk calls. How much time is wasted from people forgetting their passwords, didn't sign up for the self-service password reset. You go on and on, and those, what we'd call soft dollars, you know, like of just time there, that now you don't have to change the PIN on your key card because if somebody knows it, well, I mean, you can always change it yourself. But even if they know it, they would still have to have that. So I see a big cost savings here.
Nick Mellem: You took the words right out of my mouth, and I was going to say how much time, cost and effort goes into a help desk answering calls solely because somebody's locked out, can't remember their password, so on and so forth.
Eric Palms: It's insane.
Nick Mellem: It's egregious.
Eric Palms: The amount of lockouts and passwords that have been forgotten because they're on the 90 day password rotation schedule. And what is it now? Is it 12, or did it go up to 14 characters? Is NIST still at 12 or is that at 14?
Matt Starland: No, NIST is actually down to 8. They're down to 8?
Nick Mellem: They were at 12 for a while, weren't they?
Matt Starland: Only if you have MFA, though, they're down to 8. No password changes, but there's two other criteria there. One, you have to have MFA on it, and two, the password has to be checked against a database of known breached accounts. So like Have I Been Pwned? Yep.
Eric Palms: Yep, okay. I know a lot of organizations require nowadays like 12 or 15 character passwords, and then they're doing the 180 day reset or one year reset still, and it's like, okay, a 15 character password, you try, when you try and you kept, even if you had for a year, to try and go, oh, I changed it. And then let's say the next day, what was my password? It's 15 characters.
Matt Starland: It's probably a phrase at this point now. Well, and the other thing, too, to your point on that is, even though NIST suggests or has that, that again is just NIST, because there's other requirements behind some of those organizations that have to do the 12, 14, 16 and 180 day because of certain regulatory compliance. So it is funny how the different regulatory compliance, there's some, I almost feel, a lot of subjectivity, depending on who's doing it, because they're not all necessarily aligned either. You know, we always look to, not always, but a lot of the industry, you know, cybersecurity industry, does look to NIST to, you know, have done their homework, their analysis, testing, et cetera. But I find it interesting that even you look at that being a federal government standard. Guideline, yeah, guideline. Is this like CJIS, Criminal Justice Information Systems?
Matt Starland: That regulatory compliance, though, will say the only way you can go to a one year password rotation is if you're like, I believe, don't quote me on this, I believe it's like almost like 16 or 20 characters, but then also the password has to be hashed and salted in a way that it can never be, you know, taken offline with brute force.
Matt Starland: So if you can't get to that, which everyone knows Active Directory is still using an old hashing algorithm, that as long as you get the NTDS dump you can, as long as it's got the right care, you know, you can take those off and start cracking those. That's almost hard. So I look at it. It might be some sort of proprietary, not proprietary, but some other identity provider that can hash that. But if you can't meet that hashing requirement, then to your point, Eric, like you're saying, you got to go to a 90 day and you can have it be, you know, 14 characters or whatever, but it has to be now 90 days, and so again every 90 days. Hey, look at that spike in the help desk calls that occurs for that particular group of people that have to abide by that regulatory compliance.
Eric Palms: And then you get the people who start putting numbers either before or after their same password. Yeah, right, yeah, unless they have a password double-check application, then it's just all the systems to go, well, the hash isn't the same, so OK.
Nick Mellem: Yeah, and that's interesting, too, that you're bringing that up. You guys all have iPhones, I'm pretty sure, right?
Matt Starland: If I told you, I'd have to kill you.
Nick Mellem: So, either way, you can keep our word and I offline, but I'm pretty sure you do, because I think your bubbles are blue. Either way, have you guys seen Apple's kind of doing this whole initiative of hide your email, and they will suggest a password for you and it will be stored within, on-prem, in your iPhone? So let's say you sign up for some subscription, right, and you're setting up your account, right, you have the option to hide your email and they'll put in some fake email that will still come to you, but, you know, it's putting that wall up secondary. They're suggesting a password, and it's a very long password, I think, you know.
Nick Mellem:Somebody can correct me if I'm wrong. I think it's like 16 characters, but it's just, it's not even a phrase, it's all the things right, but it's getting stored on your phone so you don't have to remember the password anymore because your phone's remembered it. So every time you come back to that website, it knows, just like LastPass or other services, Dash, all those different services, and just implements, or sorry, just puts everything in, fills everything out for you and logs you in. Thoughts on that?
Matt Starland:Maybe you didn't know about that, Matt. You sound like I'm, as you see my facial expression. I am an iPhone. I mean I'm, I'm not. I mean I, I can't tell you what my, you know, phone is.
Nick Mellem:Um, no, we're keeping a secret people yeah, we're yeah top secret signal. Yeah, so it's. Uh, I just I have been oblivious to that.
Matt Starland:I, yeah, I didn't even realize that because I use some other password keepers to do that, so I haven't really used their built-in stuff before. So I do find that fast, I mean because of those other password keepers. Yes, that makes sense. You know, of course, keep a different password for everything, so that way you limit your risk Something gets breached. But I didn't know about that email perspective. That is fascinating.
Nick Mellem:yes, like sorry, go ahead about that.
Eric Palms:I don't personally use it because I use another solution. But they do the same thing with when you do the sign in with your Apple account, except that's, that's essentially SSO at that point. But they will also hide your email there as well and they'll just forward it along from some random characters like fakeapplecom or something, I don't remember the exact formula. But they do the exact same thing there as well, for when you sign in for Apple. So let's say you're going to buy some subscription from the App Store, I don't know, but HBO Max, when you sign up, you can sign up through Apple for the subscription. It'll just give HBO a completely random email address and basically Apple sets up a forwarder to your email. So they never actually have your email. So in the off chance that the company gets breached as well, okay, they have a fake email for you that just gets forwarded along. So they can't go and go, oh, this person has a Gmail email address, let's try their credentials there and try and get in. It's complete randomness.
Nick Mellem:Right, yeah, and so I've been kind of participating in this. And when I say participating, what I've been doing is I'll let, if you know, on my Mac or iPhone, I'll let it create the password, right, and I'll do that. And then my last, I use LastPass and it'll come up on the side and they'll do us remember it. So I have Apple create the password and then I put it into LastPass. So it's like, you know, right, you see where I'm going with this, so I've been using it. I think it's awesome, right.
Nick Mellem:I think I wish more people would use it right, like our moms and dads, grandma, grandpa, whoever right, that's, that's really who I feel like this should be getting trickled out to as well, because you know, all of us have got the call from our moms and dads or whoever. It is right. They're having issues with passwords or can't remember or whatever it is. So then all the passwords for everything are the same, right, and that's just inevitable. And that's where something like this is really cool to see this technology coming out.
Nick Mellem:So it brings me full circle to think, have we gotten to this point because we just outgrew eight characters, right, or was it a? Is it a money thing, right, or is it just? The malicious intended actors have gotten so good that this is the only way we can keep up with them, and it's not really a question, but it just makes me think like, wow, we're coming full circle right now, but how did we actually get here, right? So it's just interesting, all these things that are going around with different technologies, and I know maybe you guys can comment on, you're working on a project now to go passwordless? Yeah, I mean, so the project and stuff that, you know, we're working on is, um, there's a lot of drivers to that.
Matt Starland:Besides, you know just even the cost perspective, you know. So I think it's been a combination of things that we've been talking about for the past. You know half hour or so help desk calls. You know for the organization that we are working on to do this, there's a lot of regulatory compliance that is involved. So you have all of these certain groups that don't have to abide by this particular regulatory compliance. It's extremely strict. And then you have this group over here and so you start getting into okay, wait, which password? Policy?
Matt Starland:You know you try to find this fine balance between usability and also security and you know, as we all know, if you make things so super secure, well, sometimes it makes it difficult to be effective operationally. And then you start to increase help desk calls or issues because a lot strict you know requirements maybe meets the NIST requirements, regulatory compliance that isn't NIST, and then they have a different one and then your service desk is getting calls of like, wait, which one are you? Okay, this is the here you know. So you don't want to make things complex for your organization too. But then then you get into the situation where, well, crap I gotta do.
Nick Mellem:I just set one standard now for everybody that they have to be this secure and hardened, and that's not subjective, though, to your industry and that's where I think the conversation starts to turn right is if you, if you're government or private or whatever that it really is subjective to that point.
Matt Starland:So continue on that, I derailed you. When you say subjective to that point, can you articulate on that a little bit more? So like what?
Nick Mellem:I mean, is you have a different set of standards?
Matt Starland:oh, if you're a government entity.
Nick Mellem:You have to follow these rules for a reason you're financial, you're in a, you're a bank or or whatever. You have to meet these guidelines.
Matt Starland:Yeah, and I think that's and that's kind of what I'm referring to is that you know, and I've seen in the government industries because of how you know, like for you know some counties where you've got 25 different departments or something and those departments are like separate entities, like you know what I'm saying, so you know if I'm working for a Medtronic of the world or some healthcare company, what is?
Eric Brown:my focus.
Matt Starland:Healthcare. You know, I might, I'll be doing HIPAA. Okay, so we need to abide by HIPAA and that's. This is our niche, our thing we can focus on. Maybe we might touch a little bit on PCI, because payments or whatever. Maybe I offload that to another organization to handle the PCI stuff because of the cost.
Matt Starland:But for the government industry, because of those different departments, you've got healthcare, you've got criminal justice, you've got some IRS rate, there's all over the board. And so for that organization, and that kind of goes back to what I was saying, is like here's one. They've got these users, they are divided by this and this, and it starts to create this situation. Then do we just take the most restrictive, which now, yeah, we're under compliance, but only a quarter or maybe less, or I don't know, maybe, let's just say, for using example, only needed to abide by that, and now the whole organization has to abide by that. And, oh boy, now we've got a lot more service desk calls coming up.
Matt Starland:So I guess the kind of circling back, what, what, where does this? You know, why is this so important, to go to this type of technology? Well, one, it's because it's simple to use. But then, two, it meets all of those regulatory compliance of multi-factor authentication and making that authentication so much more secure. So that's kind of one of the reasons why the project that Eric and I are on is to help meet that, keep it simple but still with good security. And is it going to be fully secure to the point where, oh, we will never have a breached account again?
Matt Starland:No, because, like what Eric was saying earlier, you still got the risk of somebody trying to replay your tokens or tickets. But I would think, though, that's much more difficult. It takes much more technical skill set to try to somehow get that piece of software on there, not saying that couldn't happen from an email, because now the user goes out and downloads it.
Matt Starland:So there's still that aspect to it. But at least you maybe take some of the other humans' social engineering over the phone now or might make it a little bit more challenging. At least that's what I'm envisioning. But who knows, somebody will get creative again and find another way to get that token off your computer. I'm sure that's a guarantee Something's going to go full swing.
Matt Starland:We all went to the cloud. Watch, now we're all scared of the cloud. We're all going to come back on-premises someday. You know, who knows, but I think that's, you know, that project that we're on, that's one of the reasons, is because of, you know, trying to be simple. But it looks like it increases security and meets all those different regulatory compliance. And yeah, it's been a challenge because of the initial implementation of all the systems that need to get adapted to that. But yeah, I don't know, that's up, Eric, what's kind of, what's been your take on, kind of seeing, you know, implementing this and, you know, where some of the challenges and hiccups you think are going to be and where they have been.
Eric Palms:The core setup is simple for passwordless because, like Microsoft, Okta, Duo, all of them support it natively and it's included with most licenses. The harder part is getting the more like the SSO setup going to all of these different apps. Now, most third-party SaaS-based apps support it already. I've seen plenty of companies who are actually moving away from on-prem to SaaS because of the integration into, for a single sign-on. Stuff is already. They all have it implemented and stuff. The hardest part is your on-prem apps, especially the apps that may have been around for a decade or longer, that have been used and maybe the people who originally wrote it are no longer there. So no one truly understands how it works on the back end at this point and they have to go in and try to modify it without breaking it to support these newer things like SAML. Well, SAML is super new but it's one of the better ones out there. So that's the harder part. Is that right there? Or if they have an app, it's too old and it's not worth setting it up and they want to look into migrating to a SaaS application. Okay, well, now that department has to set up a new project to start migrating, whatever it may be, over to a SaaS application, which then, depending on the size of it, could take a year or longer. If it's a major system, it could take two years. So that's the difficult part.
Eric Palms:It's not the oh, you have a security key, you plug it in and enter your PIN. That's simple. It takes 30 seconds to set it up. It's the getting everything back and into it, because I've noticed that there are so many, at least at the beginning of COVID. There are so many disjointed systems and everyone has different credentials to get into every system, so they may have 100 logins because they use 100 different systems. And now when you're trying to set up these single sign-on systems and then you can set up like passwordless with them, it's getting them all to communicate with each other. Again is the truly the actual hard part in it. Like you can set up a security key in Azure AD in five minutes, you can go in. You can literally from admin. Probably takes you five, ten minutes to create the policies. Give someone a key, get them to set it up and they can use that for Microsoft login. Now, getting Azure AD if that's what you want to be is your identity provider to go to all the other services. That's the hard part.
Matt Starland:Well, it also takes. You know you got to get buy-in now too. So this is where it comes, key because of those challenges that you talked about with you know, having you know, certain applications, whoever's owning them or whatever departments might be involved with that, and maybe, depending on how budgeting works and just because IS has a lot of control of some of this technology, but they might not be the actual owners or however their budget is in regards to that app. You know that could be this old legacy app departments or leaders involved and aware of it to see one the benefits, but also understand, hey, this is what's going to cost us to get here and here's what we predict our ongoing cost will be post getting there.
Matt Starland:Because, again, like I said, if we can, you know, market it in a way that, look, we're going to save money here on password resets and time spent on the phone with, you know, well, time saved for employees getting into their workstations because they forgot their password or now they got to unlock it, or whatever. Time saved at the service desk or help desk level now of being on the phone with that employee that is losing productivity because they can't get in, you know, having to pay for a password self-service reset system, you know, and then maybe some other technologies that were to help prevent, you know, passwords from getting leaked or whatever. So I think that it's very key to also get some good marketing at your leadership level and buy-in and getting, you know, this spread to all those different departments to get on board and see the value of it and then, um, then hopefully you can then get those resources to react quicker to your implementation.
Nick Mellem:So yes, it's a change management issue, right? Yeah, just get everybody on board and that's, that's a big piece.
Matt Starland:There too, is that wait, how do I use this thing? You know? How do I, you know, plug it in, or you know, because it go.
Matt Starland:Yeah, so to you know, I know, eric, you said it's simple to register too, but, like a lot of people, like you know, to figure out, wait, how do I log into this and do this? And you know it's also to the uh, what does the service desk do, or help desk, now have to? How do we, how many of these do we, keep on site? You know what happens if somebody loses it, so there's a lot of that change management.
Matt Starland:That needs to be developed as well. Um, but I think once you get it everything along, there's definitely some good long-term cost-benefit analysis here.
Nick Mellem:Like we were saying, the change management portion is huge, getting that buy-in from everybody and making everybody understand why we're doing it this way. Not everybody understands the technical side of the house, and rightfully so. They just don't understand, and that's fine. So then, then I think, right, here's our next question, is at what point is it too much? Right? Are we going? I'm not saying we are here with this technology, but is the next step too far? Are we already? Have we already gone too far? At what point are we pushing? I don't want to say security, right, because we're always getting better. Every single day we're learning things that we didn't know yesterday. But at what point have we gone too far? At what point is it just an accepted risk? It's inevitable. We can only do so much. Eric, do you have any quick hit thoughts on that?
Eric Palms:I know a lot of people that hate typing in passwords. So the people I've talked to, I've actually had people come up to me with this project. Like wait, we don't have to use passwords anymore. Like not with this project. No, you just have to remember a key, a security key, and while most organizations have some sort of a badge system to get into buildings and whatnot anyways, you just keep it with that. So then they're much less likely to lose it at that point, because, well, if they lose their badge, they can't get into the building anyways, or access equipment and whatnot. For people who are hybrid or in the office every day.
Eric Palms:But the idea of, oh, I only have to remember a PIN, a PIN that doesn't have an expiration date because it's only tied to said device. So if the device gets stolen, then they don't have the PIN and there's a pretty short lockout on those. If someone tries to brute force it, I think its default is like five times before it locks it and needs to be reset by an administrator. So, yeah, so the people I've talked to, the end users I've talked to, have been excited about it.
Eric Palms:It's more of the app users. Where I've seen is the pullback and such like, where it's for going too far. Those are the people who are going to go, well, this is a lot of work and is this worth it, but it's the end users who actually really are enjoying this because then it's like it's much simpler and they're small, they're easy to keep on you, like, or people keep on the key ring because everyone carries their, well, at least for the time being, everyone carries their car keys unless they have, like, a Tesla or some other EV vehicle where they've gone to like.
Eric Palms:Right, your phone lock-in, so yeah for the time being, though, your keys for your house and stuff are still around, so it's it's easy to keep it on there too, otherwise so I'm kind of having some thoughts and opinions on my own question and I I don't think we probably could ever go too far.
Nick Mellem:And the reason I say that is because if somebody told our parents or whoever it was, you know, 25, 30, 40 years ago, when cell phones just started to come out, that a key was going to get sent, or a token, whatever, was going to get sent to your phone, a code, whatever, that you were going to type into a computer to authenticate yourself, we would have thought you were crazy. Right, there's just no way that would ever happen. But we're here. So the question I'm asking is like, well, it depends on where we're going to be in five or 10 years. We just don't ever know. We're always evolving. But, Matt, go ahead, you obviously have some thoughts.
Matt Starland:Well, I mean, yeah, I mean that's, you're talking. That's like trying to prophesy some major things.
Matt Starland:There's so many. You know, who would have predicted COVID would have changed the way we lived and worked. You know, it took a major event to just alter life so differently as from just working. So, while we can do our best to analyze, you know, the information we have today, it's, there's so many different. There's either market factors, there's geopolitical factors, there's the malicious actor factor. That's malicious actor factor. Huh, the MFF, I don't know that. Anyways, I anyways, I had a squirrel moment there. But yeah, there's, you know, there's so many different things that can change it. So, just viewing what we know today, it definitely seems like it's the way to go based off of the information we have. But I guess I'll just ask ChatGPT tonight and see what it says.
Matt Starland:Yeah, report back on that, I'll report back on that and then I'll make that as my final decision.
Eric Palms:Yeah, you come to like. You bring up ChatGPT and stuff like passwords. A computer like ChatGPT has a lot of power behind it. It can crack so fast if someone were to teach it how to or explain how to, you can ChatGPT. You can even write code. It's good code or like Java or whatnot. It's not too far to go, oh, I want you to crack this user's password.
Matt Starland:ChatGPT, write me a piece of malware that replays the SAML token. Done. Game over, alright. So now what do we got to do to fix that one? We went passwordless, but they found the new weakness in Kerberos tickets and security tokens and we're in change management meetings all over again.
Matt Starland:Yeah, so no, it's just how the industry changes and we're doing what we can with the knowledge we have at this point in time, and thinking this is what we can do best, and something else will come along and we'll figure something else. All right guys.
Nick Mellem:Well, I think we beat passwords to death. Unless you guys got any other closing thoughts, I think we can leave it there and maybe have an episode 2.0.
Matt Starland:Any thoughts? I'm good here. I brain dumped everything.
Eric Palms:I am good as well.
Nick Mellem:Well, awesome guys. Once again, we really appreciate you guys coming on and can't wait to have you on another one coming up, but appreciate your guys' time. Thanks again.
Matt Starland:Yeah, have a great day, See ya. Thank you.
Eric Brown:Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.