8th Layer Insights 1.24.23
Ep 30 | 1.24.23

Season 3 finale: What's the deal with Authentication, MFA, and Password Managers?

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." Just a quick announcement before we get started. I mentioned last time that I'm collecting listener questions, and at that time, my plan was to include them in today's episode. But I decided to hold off on that for two reasons. No. 1 is so that we can collect just a few more questions. So check the show notes on how to submit those. And the second reason is because the interview content for today's episode is extremely detailed, timely and very important. So I ultimately didn't want to do anything to distract from that topic, which probably has you asking the question, what is that topic?

Perry Carpenter: Well, I thought we'd talk about something that has been in the news quite a lot recently - authentication and password managers. As security professionals, we've decried the password for decades. Multifactor authentication, or MFA, has started to gain popularity, but it's not without its own issues. Security leaders and tech teams have somehow once again hoped for a silver bullet, only to be disappointed to find out that crafty attackers can easily bypass MFA. We've also been touting the benefits of password managers for quite a while as a way to hold and store and automatically inject all these complex passwords that we humans need to manage but that nobody can find a good way to do. I mean, after all, in a world where most of us have to manage upwards of 200 passwords in a year, who can keep up? No human can have great password hygiene across all those accounts. But password managers also face their own problems, as illustrated by a recent high-profile incident. 

Perry Carpenter: My guest today is Roger Grimes. He has a multi-decade cybersecurity career and is the author of 13 cybersecurity books, countless articles and is a highly sought-after industry luminary. Oh, and if you know Roger, he also has opinions. And so on today's show, listen in as Roger and I discuss the current state of authentication, MFA, password managers and more. Welcome to "8th Layer Insights." This podcast is a multi-disciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights," Season 3, Episode 10. I'm Perry Carpenter. We'll be right back after this message. 

Perry Carpenter: As I mentioned in the intro, today's guest is Roger Grimes. And here's a quick disclaimer. Roger and I work together at KnowBe4, and KnowBe4 is also a sponsor of the show. But the reason that I wanted to bring Roger on is because there's been quite a bit of news recently about the LastPass security incident. And that's naturally caused people to question the validity of password managers. We are weighing the risk of having a keys-to-the-kingdom problem with the reward of having a system that can create, store and automatically inject complex passwords on a user's behalf, doing something that we mere mortals are not good at. So all of that was in my mind. And then I saw that Roger published an article that I think captures the moment, and he was also working on a webinar covering the same material. And it was titled "Password Managers Can Be Hacked Lots of Ways and Yes, You Should Still Use One." And so when I saw that, I knew that I had to get him on the show so that he could share that perspective while it is fresh in everyone's minds. Oh, and Roger has been studying the intricacies of passwords, password policies, multifactor authentication systems and other related authentication issues and technologies for quite a while. And so he brings a depth of wisdom and experience that's super valuable. OK, enough intro. Let's get to the interview. 

Roger Grimes: Hi. I'm Roger Grimes. I'm the data-driven defense evangelist for KnowBe4. I've been doing computer security for at least 34, 35 years, earned all the gray hair on my head if you ever get to see me in person. I've written 13 books and probably 1,300 magazine articles on cybersecurity. My first book was an e-book on passwords and password hacking for... 

Perry Carpenter: Wow. 

Roger Grimes: ...Windows & .NET Magazine many years ago - so long ago that I can't find a copy of it to even post to show people, but - so I've been talking about not only cybersecurity but password security for decades. 

Perry Carpenter: That's super cool. So when you think about passwords and the fact that people have been decrying the lonely password for decades now, why haven't we shifted away from passwords to something, quote-unquote, "better" yet? 

Roger Grimes: That is a great question. Let me say, I wrote my first "passwords are going away soon," I think, in 1990 and then again, like, in 1993, 1995. I don't write the articles anymore. I think passwords are going to be with us at least another decade, if not decades, if not forever. And that's because, you know, as bad as they are, they work for very - you know, for most of our stuff. I mean, we're not - most of us aren't protecting nuclear secrets. You know, if I'm going to log in to my cat club or my car club or my literary club, I possibly don't need to have phishing-resistant, multi-factor authentication. It works with everything. Nothing that replaces it, if you added it up - so all the things that replace it - multifactor authentication, passwordless, passkey - if you were to currently add up everything possible that would be not a password to securely authenticate, it probably wouldn't cover 2% of the world's websites and services. And, you know, every time they keep talking about passwords are going away, it makes me want to invest in a password manager company. But the reason why that - they're around is that they kind of work. I mean, I don't know about you, Perry, but I've seen 2-year-olds putting in small passwords on their parents'... 

Perry Carpenter: Right. 

Roger Grimes: ...Phones to, like, buy apps. And I've seen 99-year-old women in nursing homes putting in, you know, passwords. You know, so young and old can use them. They - you know, they work kind of well. You know, I've been using passwords forever. And for the most part, they haven't caused me any problems. But they certainly are a big, big problem. And ultimately, one day, if we can get rid of them and go to something like zero trust or passwordless or, you know, whatever it might be, if we can go to something that's frictionless, which means the... 

Perry Carpenter: Yeah. 

Roger Grimes: ...End user doesn't have to do anything - imagine, you turn on your device, and you do what you want to do without being encumbered. If we can get there one day, that would be a great thing. But I think we're decades away from that. 

Perry Carpenter: Yeah. So part of this, as you said, is it kind of works. I think there's another bit in that it's probably just easy and known. It's something super easy to implement in code because if you can write a form, you can ask for a password, which also means that the reverse of that is one of the reasons that we're not getting away from passwords. It's because it's a little bit unfamiliar, and it's a little bit harder to implement from a technical perspective or from a societal expectation perspective. Do you think that that's somewhere near the ballpark? 

Roger Grimes: I think - yeah, I think you're spot on. I think that's a really tremendous observation. And matter of fact, there have been some really good studies by some top-level universities looking at the usability of different things - tokens, biometrics, that sort of stuff. And it's amazing. If you take - like, there was this great study - I forget whether it was Columbia, Harvard or Princeton. I forget now. It's in my book "Hacking Multifactor Authentication." But in this study, they got a bunch of people to volunteer, and they gave them the easiest type of MFA. They don't tell you what it is, but it sounds like a YubiKey, where you plug it into the USB port and you touch it. And out of that - it was either over half - just over half - or just under half, couldn't use it. 

Perry Carpenter: Wow. 

Roger Grimes: Some people thought that the touch thing was a fingerprint reader. Other people plugged it in upside down. And let me say, that's - even within our own company, where we use YubiKeys, the help desk will tell you one of the top calls they get are people saying, my YubiKey login's not working, and they're just plugging it in wrong - upside down. 

Perry Carpenter: Yeah. 

Roger Grimes: Not only this, at the end of the - what's amazing about this study is that not only did it have a huge error rate for people just trying to implement, follow the instructions and use it on a day-to-day basis. At the end of the thing, they told the people, OK, your prize for participating in this research project is you get to keep it and use it. And they followed up a month or two later, and found out that every single person was not using it... 

Perry Carpenter: Wow. 

Roger Grimes: ...Which means people innately just don't like to use things, and number - or different things. And No. 2, I forget - it was, like, a third of them had actually given it away or put it into, like, a corporate box where you could share stuff. So that - they thought it was like a USB key where you could do storage. 

Perry Carpenter: Oh, man. 

Roger Grimes: Instead, they were giving away their identity, that if you plugged in to the - you know, put in their login name, plug in to laptop, touch it, then that person could log in as them. 

Perry Carpenter: Yeah. So there's an intuitiveness issue with that. One is that you've got a form factor where you can reverse plug something in, and it's not effective anymore. So that's a form factor issue - specifically with some of the ways that YubiKey gets created and distributed in the low-cost ways. Another one is there's not a societal understanding about what to do with this thing that you plugged it in, in the same way that maybe we have a better baked-in understanding of the way that password works because we've grown up with that. But we also have maybe a better baked-in way of understanding the way that SMS second-factor authentication works, if you want to call it an actual second factor, because you just get that - you intuitively know, I plugged these numbers into this. Even though we might not consider that phishing-resistant, it gains traction because it's easier to understand and more familiar in some ways. So I think we're always dealing with these things about, what does society expect or what does the end user expect whenever they get this thing? How easy is it to use? How much does it conform with prior behavior patterns? And so on. 

Roger Grimes: That's a really good observation, I think. You know, it's funny. I do a lot of these talks about passwords and MFA, and I haven't heard anybody say that before. But I think you're very much right. You know, that it has to do what's kind of baked into the culture today. And passwords are baked into the culture. The SMS-, MFA-based is kind of baked into the culture. You know, and that - maybe that's even part of the problem of going to an alternative, is that there's so many different types of alternatives, right? It's not just YubiKeys... 

Perry Carpenter: Right. 

Roger Grimes: ...It's biometrics. What type of biometrics? What type of device, what type? So once you say, well, OK, I don't want to do passwords, I want to do something else, you have the problem that whatever MFA solution you choose will not work with most of what you log into. 

Perry Carpenter: Right. 

Roger Grimes: Like, if each - you know, YubiKeys are great, but they only work with things that understand YubiKeys. And if you go to what's called FIDO keys, which could include YubiKeys, that's probably one of the most widespread options - still doesn't work on 2% of the world's websites and services. If you get a Google key, it only works with Google browser or on things that have been rolled in the Google browser application. If you go with Microsoft's, Microsoft authentication only works on the Microsoft ecosystem. 

Roger Grimes: So what's happened today is that we now - not only do we all have, like, a hundred-plus passwords, but now I've got to have 20 or 30 different types of multifactor authentication. And I use the Symantec one when I log in to my stock accounts, and I use the YubiKey when I go to work, and I use this perimeter ID badge when I go to my parking garage, and I use SMS - you know, so, like, it's really a co-mingled mess right now. And part of the other problem of going to a new cultural standard is that there isn't a single standard or a single device or a single method. And I don't know about you, but every time something diversifies - like Linux distros - it kind of destroys the ecosystem. 

Perry Carpenter: Right. 

Roger Grimes: It doesn't support the ecosystem. It ends up - you know, everybody's got their little take on it. And then it ends up causing there not to be a standard, and, you know, it ends up causing implementation issues. 

Perry Carpenter: Yeah. And I think you really hit on something there when you talk about all the different types of MFA, and even potentially good MFA types that exist out there, that are fairly strong and fairly resistant in a lot of ways. So we have a richness of choice, but then a poverty of ecosystem in which some of those choices work. It's like, you know, I could use this really good system that's strong, but it only works in this one environment. And because it only works in that one environment, unless I'm plugged in to that, I'm going to be conditioned to maybe dismiss that. And if I've got an SMS alternative, I'm going to throw away this thing that's stronger because I understand SMS better. And why keep track of this one thing that only works in this one ecosystem when I'm really dealing, on a yearly basis, with 200, 300 different ecosystems because of one-time use cases with things like, you know, tax systems that I only touch once a year or so on? So how do we start to solve this? You play a part in a lot of different pivotal discussions on how people are trying to solve this. How do we move this in a more positive direction? 

Roger Grimes: I think we're finally getting the few - if we're talking non-passwords. I think with password, really the answer is becoming, if you have to use passwords that you should use a password manager. And there's a lot of debate around that. But - and I hope we can get into some of that today. 

Perry Carpenter: Yeah. 

Roger Grimes: But if you talk non-passwords, I do think - you know, the best thing would be that - and let me say, I don't like government interference. But it'd be great if some government god, global internet god's like, you have to use FIDO keys or you have to use passkeys or you have to - whatever it is. That would be the best thing. And that's never going to happen. But I do think that we are going to - you're going to see - there's a new standard out. It's got a push by FIDO, which is Fast - what? - Fast ID Online alliance. It's called passkey, and Microsoft and Google and lots and lots of people are adopting it. And it's kind of an in-between. You can use your YubiKey device, your biometric device, but you don't have to. It's passwordless. 

Roger Grimes: I - there's a lot of passwordless options out there, but I think the passkey probably is going to have one of the faster, stronger adoptions out there. And anybody can participate in it. It's just the problem is you've got all these, you know, kinds of websites that aren't going to participate. But I do think you are at least going to - I think you're eventually going to come down to kind of, like, the FIDO option, the passkey option, and then we're going to see different biometric options. But I think we will see some consolidation in the biometric industry and the password industry. You'll always have a hundred different flavors. But I think we are going to see - certainly around passkeys and FIDO, they're finally starting to make some good movement in there. But then the question, you know, becomes, what do you do with all the passwords you're still going to have? 

Perry Carpenter: Right. Well, and when it comes to adoption of one or more of these potentially good options out there when it comes to an MFA way of approaching this, you do have large ecosystems, like Amazon and potentially even Microsoft Azure and others, that are saying in order to access these systems, you have to use one of these devices. And I think that is probably the private enterprise version of a government regulation, is we have all these people that have bought into these - there's only a few ecosystems like those that exist out there that are widely used - AWS, Azure, you've got Google, you've got, you know, maybe a few others that serve specific industries that are out there. 

Perry Carpenter: But it's those moves by private enterprise that are saying, we need to be able to start to address this because of the huge vulnerability surface that exists. If we don't start to do something, it's at least going to move potentially a part of the population - right? - the people that are more techno-savvy, that are likely to need to use those backend systems. 

Roger Grimes: Yeah, yeah, yeah. 

Perry Carpenter: That - does that move the needle at all or no? Because that's one segment of the population. It's not the consumer population that's, you know, dwarfs this other ecosystem. 

Roger Grimes: Yeah. I mean, you definitely have Microsoft and Google and lots - Amazon, Salesforce. If you are going to be a Salesforce customer, you have to use MFA. So you're definitely seeing these larger ecosystems say, you have to go to MFA. The problem is, many times, it's many different types of MFA - again, no standard. Or you have to use a particular type. And, hey, I have to use that type for that thing, but I can't use that same token or method for another thing. So, you know, we're - I sometimes feel like we're going to end up with a collection of tokens on a keyring - you know? - like a really big jailer's keyring that we carry around with us so we can do everything we want. And let me say, they're all half measures that really are not the ultimate solution. The ultimate solution is this, again, frictionless thing where we don't really even know we're doing it. Like, when you go to use your credit card, it mostly works. But occasionally, the credit card company will go, is this you buying the large-screen TV at Walmart, you know? Or we're going to let you know. We think your card has been compromised, and they call you out of the blue to tell you that. I think eventually we're going to get to this authentication that, you know, ties us to our device and to our location and then looks at our behavior and does what's called the zero-trust thing. 

Perry Carpenter: Yeah. 

Roger Grimes: You know, so that's when I look at passwords - like, even biometrics - people go, oh, biometrics, you know, that's the ultimate solution. It's a horrible authentication solution because it's a biometric attribute that can be copied and used by anyone. 

Perry Carpenter: Right. Right. 

Roger Grimes: I've had my - I'm part of 5 million people that had their fingerprints stolen when there was this Chinese advanced persistent threat attack in 2015, and they stole 5.6 million people's fingerprints - anybody that applied for a U.S. government security clearance, even if you didn't pass. 

Perry Carpenter: Yeah. 

Roger Grimes: Well, the Chinese have all 10 of my fingerprints. How can any system - and today, our world's becoming hugely remote - trust that it is me logging in to the system? People go, well, they'll do geofencing. That way, you know, if it's - only if it's coming from your house. The problem with that is that VPNs make me appear to be from many different places. 

Perry Carpenter: Yeah. 

Roger Grimes: And I can buy a VPN that puts me in your neighborhood or puts me - at least puts me in your city, you know? It's - you know, it's an interesting dilemma, and we don't have the ultimate answer. We're really just - I think our grandkids will laugh at - you know, it could be kind of like - to me, I'd liken it to having the television with four channels that you had to get up manually to go change. 

Perry Carpenter: Exactly. 

Roger Grimes: That's where we are. You know, we're in this world where our grandkids are just going to kind of laugh 'cause they're just going to go to their device, go to their car, their clothing will be computerized or something - everything. And it will just recognize them and do it. And it will work a lot better than what we have today, and it won't be stolen all the time. But we're just a couple of decades from that being a reality. 

Perry Carpenter: Yeah, well, I remember - it's been over 15 years, I guess - when I was really deep into identity and access management - closer to 15, 20 years. And back then, that's when things like keystroke dynamics and all of that started to get fairly big, as far as very passive authentication or continual authentication and assurance-giving mechanisms in certain fraud environments. And I think that that's - ultimately, when you get to those continuous authentication or frictionless authentication, those are the kind of things you're thinking of. So it's not something you have, something you know, something you are, like a biometric, but it is a persistent behavioral profile that's always looking at the context and the behavior of somebody and the ways that they're doing. On mobile phone, it's, you know, a combination of geolocation, a lot of the behavioral analysis, things like gait mapping - you know, the way that somebody walks, the way that somebody moves because of the gyroscope in the device. There's lots and lots of things. 

Perry Carpenter: There's also a - you know, a camera and a microphone on that that can do some pretty interesting things, as well, when you use those in creative ways. So I think we're getting there, but the discouraging thing for somebody like - or people like us that have been looking at this for a couple decades is that this technology has existed for a long time, and it's been used in limited ways for long periods of time. How do we get it to where it's mass adopted and consumerized? 

Roger Grimes: Besides dictator - besides global dictatorship? 

Perry Carpenter: Yeah. I guess cost has got to be a piece, right? So cost, pluggability - as far as the ways to integrate that into different code libraries. 

Roger Grimes: Yeah. Yeah, yeah. That's - you know, I think that you hit on it 10 minutes ago when you said, well, we have the different ecosystems, like Microsoft and Apple and Google or whatever. And I will say that they seem to be coalescing again around the FIDO standard or - so either through the devices or through the passkey. Let me say, I think it's a good thing. FIDO is a - out of all the authentication standards, FIDO is on the upper end of more secure. Anything can be hacked... 

Perry Carpenter: Right. 

Roger Grimes: ...But FIDO is a good option. It's stronger than a lot of them. It's stronger than 80% of the stuff that's out - 80% of multifactor authentication out there is almost junk. And that's the sad thing is that - you know, unfortunately, when your company or you go with a particular MFA option, the average person has no idea, is it really a good option or a bad option? Well, I've looked at all of it, and most of it's fairly bad. And even the vendors don't know. Like, I was surprised. I went and talked at the Authenticate conference in Seattle this year. I did it last year, as well. It's one of the largest - a FIDO conference - and it's one of the largest biometric conferences in the world, probably in the top two. And I did my standard - I show a Kevin Mitnick hacking video where he hacks LinkedIn's multi-factor authentication. 

Perry Carpenter: Right. 

Roger Grimes: You know, a social engineering attack. I've been showing this talk - or Kevin Mitnick's hacking demo around MFA - probably for close to five years to - at thousands of presentations. So I'm at this Authenticate conference. I'm talking to MFA people and MFA - mostly MFA vendors. And when I show them how Kevin hacks it, their mouth is open wide. They're just like all the audiences I talk to that are clueless about MFA. And I'm like, this is not a good sign that most of the vendors are clueless. Let me say, yesterday - vendor - I get contacted by someone trying to show me their new, incredible multi-factor authentication passwordless option almost every day, if not five times a day. And I have to blow them off, and they're mostly junk. And they've not sold with anybody, but, you know, sometimes they'll wear me down. And this one person had worn me down. They were trying to show me their five-factor way to authenticate someone. And, like, it's - you can't be man-in-the-middled, can't be man-in-the-middled. We're FIDO. By the way, if you're FIDO, you can't be man-in-the-middled, at least by this traditional Kevin Mitnick attack I talked about, which is just where someone sends you a phishing email, gets you to click on a rogue link, it takes you to a fake website, which is a man-in-the-middle website, that then takes you to your real website. But it's able to capture and interact with anything you type. And in doing that, they can capture your MFA credentials... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Or the access control token that you get when you successfully log on to a site, they capture that and then take over the session. Well, FIDO prevents that. And so I had this vendor telling me, we're FIDO-enabled and we've got these five factors and it stops man-in-the-middle attacks. And I keep asking the guy how - he's like, we use biometrics. So I go biometrics does not inherently stop the man-in-the-middle attacks. How does - it can do it. How are you doing it? And in the end, he does - he goes, we're using post-quantum encryption. I just laughed. And I guess he didn't know that I've written a book on quantum... 

Perry Carpenter: Right. 

Roger Grimes: ...Cryptography and post-quantum encryption. I was like, quantum encryption has nothing inherently in it that stops man-in-the-middle attacks. It can be used to stop man-in-the-middle attacks, but just 'cause you're - so, after he got through talking and showing me, after - and I like these guys, I like this company. But in the end, their solution did not stop man-in-the-middle attacks. So they're selling it... 

Perry Carpenter: Right. 

Roger Grimes: ...And they're saying, oh, we're FIDO. If you're not stopping man-in-the-middle attacks, you're not FIDO. So that was at the FIDO conference, you know, that Authenticate - had all these vendors that were there saying they're FIDO-enabled. Like, this one guy - company had a solution where you just talk, and the microphone can hear you, you know? And the microphone hears you go, oh, that's Roger's voice and you're authenticated. That's like - but that can be man-in-the-middled. How can you do it? You know, I'm like, 'cause it can record your voice and replay it. And another one said, oh, we use - you can't - the humans can't hear it. We use a frequency that your PC speaker can pick up but humans can't. So that's our authentication sequence. Your login is this unperceptible (ph) sound. I'm like, it can be man-in-the-middled. He's like, no, no, no. And they were saying they're FIDO-enabled. I'm like, yeah, if your speaker can hear it, it can record it... 

Perry Carpenter: Something can record it, yeah. 

Roger Grimes: ...And be replayed. So there is this problem, not only with us not understanding how... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Secure a solution is, but I would probably say 80, 90% of multifactor authentication vendors have not threat-modeled their solution and don't understand how easily vulnerable it is. And then, on top of that, you have insurance companies go, oh, if you buy MFA, we'll give you an - buy MFA, buy - they don't care what type of MFA. They don't care if you buy the 80% that's near garbage. 

Perry Carpenter: Right. 

Roger Grimes: They just want you to - oh, I've got this MFA, and then you're protected. No. You know, the sad part is 80, 90% of MFA is as easy to phish and bypass as a password. And the whole reason we're supposed to be going to it is that passwords get phished so much and stolen so much and bypassed so much, so... 

Perry Carpenter: Right. 

Roger Grimes: It's really weird that the entire world is making people move to all these biometric and passwordless options, and most of them don't stop the same attacks that the passwords are vulnerable to. It's a shame. 

Perry Carpenter: So the thing that I'm hearing about the vendor community here is that we have a, quote-unquote, "security vendor community" that doesn't necessarily know how to think like an attacker yet. And they're not doing adequate threat modeling against the different products that they're bringing to market. But then they're making the grandiose claims of - they know enough of the threat landscape to say man-in-the-middle or a certain type of attack, but then when you really get down to it, they don't understand what a replay attack is, they don't understand a lot of the cutting-edge technologies, or even fairly ancient analog types of ways of dealing with - you know, doing these things. So what do we need to do about the vendor community? 

Roger Grimes: You ready for this, Perry? 

Perry Carpenter: Yeah. 

Roger Grimes: It gets worse. Most of the top cybersecurity leaders don't understand it. I - you know, over this last year, I went to the largest conferences - Black Hat, RSA, whatever. 

Perry Carpenter: Yeah. 

Roger Grimes: And every day, at the major big conferences, industry luminaries, who - many of whom I love and trust - said, oh, you should use multifactor authentication 'cause it stops 99% of hacks. I was like, what? 'Cause the reality is the best MFA only stops maybe 50% of attacks. Most MFA only stops 10, 20% of attacks. 

Perry Carpenter: Right. 

Roger Grimes: But you've got people that should know better. You've got people that are leading the country, leading the largest cybersecurity organizations, that are telling other cybersecurity professionals, if you use MFA, it stops 99% of attacks. And if you're sharing that message and they're resharing that message, when all these companies and people go to MFA, they're shocked when all of a sudden they still get hacked. 

Perry Carpenter: Yeah. 

Roger Grimes: Like, I think you're actually putting them at a disadvantage because you're telling them that this - when you say it stops 99% of attacks, they're hearing a hundred percent. They're like, oh, I get this MFA and it stops - I don't - I won't be hacked anymore. I think that's far more dangerous than telling someone, hey, you're using a password, and it can be stolen. Like, if I'm at least giving you the risk... 

Perry Carpenter: Yeah. 

Roger Grimes: ...I think you're at least trying to be somewhat protected. But when I show people - when I - I go around doing these hacking MFA conferences - presentations all the time. When I show them how easy their favorite MFA solution could be hacked, their mouth drops open because they've been told by the vendors, use this and you can't be hacked, or... 

Perry Carpenter: Right. 

Roger Grimes: ...Ninety-nine percent can't be hacked. And it's not true. I think it's, like, dangerous. It's like telling someone that's new to driving cars, hey, as long as you, you know, keep one eye on the road, you know, you can just drive and you're probably - and use a seatbelt, you're probably never going to get in an accident, you know? It's more... 

Perry Carpenter: Yeah. 

Roger Grimes: We're really intentionally instructing people to do things that are far more risky than they're being told. 

Perry Carpenter: The equivalent that I'm thinking of is that it does do something. I mean, we're unintentionally giving people a false sense of security when we make statements like 99%. But at the same time, there is some perceivable good, maybe, in that it's equivalent to putting a lock on your door. It's going to stop the opportunistic doorknob jigglers (ph) that see if there's an easy-to-penetrate barrier. But it's no guarantee against anybody that wants to spend a minute or two on that doorknob to try to get in. 

Roger Grimes: Well - and not even that anymore. It used to be - that's - so it used to be - the conventional wisdom was, well, if I use any MFA, it's putting down the really broad generic attacks, and it only becomes a problem when I'm targeted. The problem is in the last couple years, all the automated attacks - like, the biggest, most popular phishing kit is now MFA intercepting. So you don't have to be Kevin Mitnick to perform this hack. 

Perry Carpenter: Right. 

Roger Grimes: It's built in to all the tools, in all the malware, in all the mobile malware. You know, it moved - and let me say this. So I'll be clear about what MFA does. You should use phishing-resistant multifactor authentication when you can to protect valuable data and systems. I don't think you need to put it in - use MFA on everything to protect when I'm doing a Google search or something or logging into my cat club or something. But you should use phishing-resistant MFA when you can and to protect valuable data and systems. And I think if you - you know, today, I think the best - if you were to give me the best, most secure MFA, the stuff that I like - FIDO and passkeys or - and there's a bunch of passwordless options I like from different people, like BeyondTrust and things like that, they're going to stop, at best, 50% of the attacks. Eighty, 90% of the stuff out there is probably only capable of stopping 10, 20% of the attacks, maybe 30%. And let me say, that's not - you know, if it stops a third of attacks, that is the reason why you should use multifactor authentication. 

Perry Carpenter: Right. 

Roger Grimes: I can't think of any single defense that stops 30% of attacks other than, by the way, education on social engineering. Education on social engineering stops probably 70 to 90% of attacks. But after that, if you have MFA, it does stop - I'm going to give it, let's say, a third. And the good stuff probably stops 50%, maybe. 

Perry Carpenter: Yeah. 

Roger Grimes: That means you should use it. But the problem is, people are being told it stops a hundred percent or 99% of attacks. And the stuff they're using maybe only stops 20% of the attacks. So there's that misnomer. But, you know, it still means you should use it, but realize that it only stops some types of attacks. 

Perry Carpenter: Yeah. And that false sense of security is pretty deadly. We'll be right back after this word from our sponsor. 

Perry Carpenter: Welcome back. We're in the middle of a discussion about authentication, multifactor authentication, passwords, password managers and more with Roger Grimes. Let's get back to it. 

Perry Carpenter: Two things I want to ask real quick before we get to password managers. One is we've used the phrase phishing-resistant MFA quite a bit. Can you give us a really quick breakdown on, specifically, what does that mean? What's some - what should somebody look for if they want a phishing-resistant multifactor authentication system? 

Roger Grimes: Great question. And let me say, everything can be hacked. Everything can be socially engineered. So it's a good question to ask. What does it mean when I say use phishing-resistant MFA? I'm generally talking to, at the very least, it stops man-in-the-middle attacks. So a man-in-the-middle attack, again, is oftentimes when somebody sends you a phishing email that socially engineers you into clicking on a link. You think it's going to some site or service that you're using or you're intending to use, but it's really going to a hacker's website or service that then connects you to the real service. And it's able to take everything you send and send to the real service. And then everything the service - the server service you're connecting to, the website you're connecting to, it can send to you. So to both the sender and the receiver, what they're getting appears to be what they would normally expect to see, but the hacker is in the middle, able to intercept what flows between the two. 

Roger Grimes: Even if you have TLS, you know, HTTPS enabled, they can - because they can have that - you know, they can have that enabled to their website. And then if you don't notice that the URL is bad - 'cause Let's Encrypt allows anyone to get an SSL or what's called a TLS certificate today. But if the victim doesn't realize that the link is different, well, the server side doesn't know that the man-in-the-middle website isn't the customer or isn't the client. 

Perry Carpenter: Right, right. 

Roger Grimes: So why say that you have phishing-resistant multifactor authentication? I mean, at the very least, it stops man-in-the-middle attacks. And why that's important is it's probably - just guessing. There's no real data here, which is bad for a guy that's called a data-driven defense evangelist. But it probably stops half of phishing attacks. About half of phishing attacks try to get your credentials. And if you have a MFA solution that's not susceptible to man-in-the-middle attacks, then I can say it stops half of social engineering attacks, and that's a good thing. 

Perry Carpenter: So then the other question I wanted to get to before password managers is there was a fairly notable breach that was disclosed a while back where one of the methods that was used was MFA prompt fatigue. And I know Kevin uses that, as well, as one of the ways that he's gotten into things fairly recently. Talk a little bit about what's the problem there. How does that happen? And then what should people do in order to potentially mitigate against that? 

Roger Grimes: Great question, again. And let me say that push-based MFA - so push-based MFA is a type of multifactor authentication where you get prompted - either on your phone or your device - to go, hey, are you logging in? Yes or no? Do you approve this log in, yes or no? And it typically gives you some other information. It'll tell you sometimes the service that you're logging - the service to the application you're logging into. It will tell you your IP address. It will many times tell you your physical location by city. Sometimes it will tell you what operating system and browser you're using. But the idea is, you know, many times it'd come to your phone, but it could be a phone app. It could be a - you know, a laptop app or something. There's this app that goes, hey, is this you logging in? Like, when I try to log into Gmail, I'll get prompted, hey, this is - we're seeing this log in. It's coming from this location. It's coming from Tampa, Fla. Should I log you in, yes or no? 

Roger Grimes: And when I first learned about push-based MFA, I thought, man, this is a great solution because it gives you information that's useful, that - you know, and you're approving right at the time when you're doing it. And so in my book "Hacking Multifactor Authentication," which I think came out in 2020, I said, oh, I like push-based MFA. But it turns out that a non-minor percentage of people - and again, I'm making this percentage up, but it's probably around a third of people - this one, we can - you know, you can design a system, and until the humans really are interacting with it at scale, you don't know how humans are going to react. Well, it turns out somewhere around a third of humans will approve a logon prompt that they did not initiate, which is amazing. And I got called in to consult. This company had lost 25 - they had to pay $25 million to ransomware, and their CISO was the one that approved the prompts, even though the prompt said it was coming from Russia and Ukraine. It kind of switched between the two locations. 

Perry Carpenter: Yeah. 

Roger Grimes: And then the attacker got on and put ransomware and held them for ransom. But they were interviewing the CISO and said, you know, why did you approve over 80 prompts that were coming from Russia? And he said, listen, I was just told that when I got this prompt that I was just supposed to say OK. I was like, what? 

Perry Carpenter: Whoa. 

Roger Grimes: You know, so first of all, you got a fairly cybersecurity knowledgeable person. I thought, is it - you know, I get it. You know what happened is IT is trying to switch them from passwords to this push-based MFA, and they're just trying to get people how to use it. And they're like, hey, when you get this prompt, just say yes. And either they didn't - either they told the person you should say no when it's not you... 

Perry Carpenter: Right. 

Roger Grimes: ...Or they assumed anyone would know to say no. And then, you know - and that's what happened. But then this push-based fatigue is where attackers have learned that they can - you know, if there's a push-based login, that they can just do it, like, a hundred times at 2 in the morning. And there is another percentage - so out of that third that will just approve any prompt that's sent their way, there's another additional percentage that when you bug them enough at 2 in the morning - well, I don't know what's going on. There must be a computer problem. Let me just see if yes stops all of these messages. And so that's push-based fatigue. And also, what happens in a lot of these big hacks is the hacker then actually calls the person and says, hey, I'm from your company's IT. We're trying to apply this patch. I apologize. But if you don't say yes, this stuff's going to keep going all night long. And they're - and let me say, the companies that have been hacked this way are a who's who... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Of the computer security world - like Cisco. Cisco Talos got hacked that way, through an employee being told that IT was calling. So the industry responded with this thing called number matching, which is when you go to log in to the screen, there's a number on the screen where you're logging in, and then your push-based app will have - either you have to type in the number or they'll give you three numbers to choose among. But you have to select or type in the right number, and that means that you are in front of the machine. So it's got to be you involved with that login prompt, or so I thought. And then the sort of thing that - you know, the hacker when they call to tell you they're from IT will go hey, this is from IT. We're trying to apply a patch. The number is 23. Like, it's not that hard for the hacker to tell you what the number is. 

Perry Carpenter: Right. 

Roger Grimes: So I went from being kind of a fan of push-based MFA and the number matching to I'm convinced now it's all useless, and it should not be used by anyone. It is really, really bad MFA. Although, you know, what could - you know, Perry, you know what could solve it? Telling your employees, by the way, people can spoof... 

Perry Carpenter: Right. 

Roger Grimes: ...You know, being in IT, you know, security awareness training. Like, literally, I think a lot of these attacks would just stop or be prevented if you gave them just five minutes of education about here's the types of attacks that would occur - and let me say, for every - that's my answer to every MFA option. If you can't get to a good option, or even if you have a good option, spend some time educating your employees about the popular types of attacks... 

Perry Carpenter: Right. 

Roger Grimes: ...How to recognize them, how to prevent them, stop them, mitigate them, and then how to report them. Like, literally, we don't give people passwords without giving them a little education, but somehow, we're giving them MFA and going, here. It stops 99% of attacks. Have a good day. 

Perry Carpenter: Yeah. This is your forcefield. You have got this, everything's good. You know, the thing that I was always afraid of with push-based MFA is how many of us get notifications all the time and we just hit yes or we don't even know what we hit. We just swipe the notification out of the way. Anything to get it off my screen because it comes up at the least convenient time. I'm trying to check an email or I've got a phone call coming in. The last thing I want to do is deal with this notification. 

Roger Grimes: No, you're exactly right. You know, I've read - I'm looking around right now. You can't see me if you're just listening to my voice, but I'm looking around for one of my favorite books called "The Humane Interface," and it is written by one of the creators of the first Macs - called "The Humane Interface." It's a great book. It's out of print now. But he said that once we answer a prompt, like, 15 or 20 times that we begin just answering the prompt through muscle... 

Perry Carpenter: Yep. 

Roger Grimes: ...Respond. 

Perry Carpenter: Yeah. 

Roger Grimes: And he's saying, like, the prompt where you, like, are you sure you want to delete, he goes, it's useless. All of us have deleted files we didn't really mean to delete. He goes, just make it always be a really easy file to recover. 

Perry Carpenter: (Laughter) Exactly. All right. So let's switch gears. So we're trying to deal with authentication authorization issues. We've been grappling with it in different ways for the past couple decades. We know that people, now, are having to juggle literally hundreds of passwords every year. Passwords are extremely vulnerable, they end up in data dumps everywhere, they fuel even more attacks. One of the primary ways that we tell people, oh, you can start to get a handle on this is through using something like a password manager 'cause we don't want you to continue to create and propagate really bad passwords. We want you to have stronger passwords, longer passwords, ones that are harder to decrypt using mechanized methods of trying to crack those things. And a password manager is really the only human-friendly way of doing that right now. But there's a potential keys-to-the-kingdom problem, and we've seen that keys-to-the-kingdom problem surface a couple times recently. So give me your thoughts on password managers. Where do they fit in, what are the strengths, what are the weaknesses and what's your advice there? 

Roger Grimes: OK. Well, so my quick, short advice is everybody should use a password manager. 

Perry Carpenter: Awesome. 

Roger Grimes: And the reason why is that the average person only has a handful of passwords, or maybe, I think, the official stats are three to 17 passwords that they reuse across 170 unrelated sites and services. 

Perry Carpenter: Yeah. 

Roger Grimes: In any given year, odds are one or two of those sites will be compromised and hackers will get your password. And the problem comes is after you've been on the internet for five years, 10 years, like a lot of us, if you've been using the same password, or password pattern - like, I used to think I was really good 'cause I - let's say that my root password was frog - it wasn't; let's say it was - frog. I'd say, oh, I'm supposed to use a different password for every site, so I do FrogTW for Twitter, FrogI for Instagram, frog for - FB for Facebook and I just thought I was brilliant - right? - at 170... 

Perry Carpenter: Yeah, nice little algorithm. 

Roger Grimes: Yes. That was 170 different passwords, and - well, then one day I dumped - I went to one of those, you know, password dump sites and I looked up my email address and there were all of my passwords with what was - like, if I'm a hacker, I would've gone to Amazon and tried FrogA, you know? Like, Roger was not the password genius that he thought he was. 

Perry Carpenter: Right? 

Roger Grimes: So the No. 1 - the two biggest risks with passwords - with just passwords in general without a password manager - are that you're going to use - reshare the same password or a password pattern across multiple unrelated websites. That's the biggest risk to you and whether you're going to be hacked or not. No. 2, that the password you provide is fairly weak. And let me say today, we have attackers that are guessing 10-character complex passwords - let me say your complex password, which is probably an uppercase character in the first position that's a consonant, it's a lowercase character in the second position that's a vowel, and if you have a symbol or a number, the number's one or two and it's located at the end. Like, that describes, like, 80% of complex passwords. So your complex password and the complexity that we think - oh, here's a complex password - it really doesn't work. We have - so just on online password guessing, we know we have evidence of an attacker without any insider knowledge guessing at a 10-character complex password. It was Welcome2020. It was, like, a Dutch password, but it was a 10-character, so... 

Perry Carpenter: Yeah. 

Roger Grimes: It took them a year to break it, but they did. And there were no controls whatsoever on that website. You know, they were able to guess 100,000 times a day for over a year. If they are able to get your password hash - so in - today, most operating systems today - Windows, Linux, Apple, whatever - they'll store your password as a password hash. So your plaintext password of frog gets converted to this cryptographic hash that's the same for - every password's the same. Well, if an attacker can get to your password hash - let me say, that's a big if - but it turns out that I can sometimes get it just by sending you an email. You click on the link, and I get your password hash. Or if I break into one, let's say, Windows system on Active Directory network, I can dump. You - if I'm logged in as a regular user, I can get the password hashes for all the service accounts. 

Perry Carpenter: Right. 

Roger Grimes: And you cannot stop me. But if an attacker gets your password hash, they are routinely breaking passwords up to 18 characters long - complex passwords up to 18 characters long. There was recently even a study by the U.S. government. They did password hash cracking. And in 90 minutes, they cracked 16% of user passwords on their network. That - and let me say, required to be, like, 10 characters long and... 

Perry Carpenter: Right. 

Roger Grimes: ...Complex. They cracked 16% of them in 90 minutes. And let me say, today, the password hash cracking rigs can take tens of trillions of guesses per second. Most of our passwords are not going to withstand tens of trillions of guesses per second. So... 

Perry Carpenter: Yeah. 

Roger Grimes: ...In order for your password to be truly secure today, it has to be 12 characters perfectly random, like what a password manager creates and uses. So that's why - that's - in order for your password to be truly unguessable, uncrackable, it needs to be 12 characters perfectly random and longer. Password managers create and use them, and you don't need to know them. All you're... 

Perry Carpenter: Right. 

Roger Grimes: ...Doing is clicking on an icon inside of a password manager - or edit copy, edit pasting. That's why you should use a password manager because it creates perfectly random passwords that are unguessable, uncrackable and uniquely different for every website and service. So a password manager, even though it's a single point of failure, the two major risks they offset - which is you reusing your password or you using a weak password - a password manager gets rid of those risks. And those two risks are the largest risks you face as a password user. And, of course, there's password managers that become a single point of failure, and there have been ones that are hacked. But that risk, right now at least, is still substantially lower, exponentially... 

Perry Carpenter: Right. 

Roger Grimes: ...Lower than the other two risks. 

Perry Carpenter: So this is backtracking a little bit, but talking about the fact that you can fairly easily break password hashes there - in your mind, what's the vulnerability associated with that? So for folks that aren't all up on crypto, you assume that if a password is hashed, that it's cryptographically sound and that there's some kind of seed in there that's hard to replace. So what's the biggest vulnerability that makes those, quote-unquote, "easy to crack?" 

Roger Grimes: Yeah, so what attackers do, if they get your password hash, they use what's called a password hash cracking program like Hashcat or what's called John the Ripper, which is one I used to use all the time. And they can upload your hashes, or the captured hashes, into that program. They upload a password dictionary, and then they fire it off at trillions or tens of trillions of times per second. And what it does is it takes the password dictionary and it has all the root words, and it starts doing all kinds of combinations - the password dictionary throwing numbers at the end and doing uppercase, lowercase. And then it hashes them and then compares the password dictionary hashes against your captured password hashes. And so in doing so, they can convert your password hash to a plaintext password. And why that becomes important is that if I have your password hash, I cannot log in remotely to any servers. 

Perry Carpenter: Right. 

Roger Grimes: I can't log in to your email. I can't log in to anything that requests your login name and password with just your hash. If I had just your hash inside of a Windows machine or a Windows Active Directory network, I can do what's called pass-the-hash attacks and use them to log in. So across the network, if I'm already inside your network, I can use them to go across your network and log in to servers where you can log in without your plaintext password. But if you get your plaintext password, then I can do far more things with it. 

Perry Carpenter: Yeah. 

Roger Grimes: So it gives me versatility as an attacker. And let's say, a common - another common scenario would be - I'm an attacker and maybe I break into your Cisco router or your email gateway and there's hashes for your login there. If I can crack those hashes back to the plaintext password, because most people share the same passwords across multiple sites and services, one password allows me to get into many more things. Like, let's say, in Microsoft Active Directory, the separate - a security domain in a Microsoft Active Directory network is known as a forest. There's a domain level. Then there's forest level. And a forest level - if you have two different forests, they don't share any of the same stuff. They're administrated differently. You have to log in to them differently. But password penetration testers will log in to one forest, crack the hashes, get the passwords, and then just log in directly to this other forest because it's really likely that admins are going to reshare the... 

Perry Carpenter: Right. 

Roger Grimes: ...Same password against other forests. Let me say, today, ransomware will routinely break into one person's machine, get the - crack the administrator password and/or service account passwords and from that, crack everybody's password. 'Cause once they have a service account password that is administrator or domain admin or something like that, I can go from having one person's password on an Active Directory network to having everyone's password, literally, in minutes. And it's a... 

Perry Carpenter: Right.  

Roger Grimes: I think the - I hear the speed record is the Russians. The Russians go from one compromised workstation to having every password of everybody on the network in about 8 minutes - but certainly within a day. That's the reason... 

Perry Carpenter: Right. 

Roger Grimes: ...Why these password hashes become so important. But if you have a strong password - 12 characters, perfectly random - or maybe, if you create it out of your head, it has to be 20 characters or longer. If you have a strong password, they're not - they may have your password hash and that's a problem, but they're not getting your plaintext password that gives them more versatility to be able to... 

Perry Carpenter: Right. 

Roger Grimes: ...Move to different security domains where you might reshare it. 

Perry Carpenter: OK. So having a really good, strong password using non-repeated, non-guessable types of combinations saves you from those dictionary-based attacks where they're trying to bump up against your hash and do comparisons. So are there any other things that we need to think about when it comes to password managers? 'Cause I want to ask the same question for capturing passwords in the browser 'cause I think that... 

Roger Grimes: OK. 

Perry Carpenter: ...There's a difference. They're - they sound similar. On the surface of it is, I'm putting all my passwords in one place. But there's a degree of sophistication difference, right? 

Roger Grimes: People say, is it all right if I use my password on my browser's password manager or my operating system password... 

Perry Carpenter: Yeah. 

Roger Grimes: Like, well, it's better to use a password manager, no matter where it's located, than it is for you to reshare weak passwords. So I'm - if you're - if that's your alternative, you're telling me that if you don't use your browser password manager, you're going to use weak passwords everywhere, I'd rather you use your browser password manager. But the problem with those is twofold. And No. 1 - my No. 1 problem with browser-based password managers is every hacker and every malware program out there stealing passwords immediately dumps your browser. Like, that's what they - and they - and let me say, they could do it against the password managers, but so far, I don't know of malware that does it and - or hackers that quickly do it. And there's a chance if someone - if a hacker breaks in and your password manager's not open, there's a - that at least prevents them from immediately getting to your passwords, versus if it's in your browser, it's probably going to be automated, and they steal all your passwords out of your browser within the first couple of seconds of compromising your workstation, so... 

Perry Carpenter: Right. 

Roger Grimes: Standalone password managers are better just because the companies usually have a focus on one product. They have more feature sets. Like, my password manager will let me know immediately when they're - when one of my passwords has been compromised. Like, they're like, oh, I got a - they're like, Facebook's been hacked. You need to change your Facebook password. I remember I was looking on Google or Bing trying to find out, Facebook's been hacked? Well, it didn't come out till, like, four, six hours later that Facebook had been hacked. But the password manager people knew it and it built that alert... 

Perry Carpenter: Oh, nice. 

Roger Grimes: ...Into the - were able to send me an alert. Or they'll tell you when your passwords are weak or they'll tell you when you're resharing a password or password pattern. You know, or you can do secure notes. Like, in a password manager, I can put... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Secure notes - like, one of the things I do is I put, if I die. I have a tab in my password manager going, if I die, and one's for my wife and one's for my kids. And I've actually sent my kids my secret key - I split-key it. I took my master password from my password manager and I split it in half and sent it to each of my kids. So they have to get together to steal all my money. Hopefully, they like me, but my wife knows that if I die, she can go to a tab on my password manager and it has a list of all of our retirement accounts... 

Perry Carpenter: Nice. 

Roger Grimes: ...Our lawyer, you know, all the important fiduciary information and who she should call. And the same thing for my kids if me and my wife die. And I like that that's there. Well, that - that's... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Very difficult to put in a browser password manager. But if you want to use an OS-based password manager or you want to use your browser-based password manager, sure. That's better than using the same shared, weak passwords everywhere. 

Perry Carpenter: So there's a perception among some that in the browser, that the encryption or the hashing is weaker or nonexistent. Can - you know, what security mechanisms are browsers using to protect the passwords that are there? 

Roger Grimes: Well, you know, it depends on the browser. They're actually using fairly good encryption, industry standard-accepted encryption with good key sizes, but it's not implemented as securely as most standalone password managers. And meaning by that, like, let's say 1Password and LastPass - probably the No. 1, No. 2. They're the two... 

Perry Carpenter: Yeah. 

Roger Grimes: ...Most popular out there - standalone. Well, 1Pass has not only the master password, but it has a master key that's this really long digit number. And you're not going to steal that password manager and get to the passwords unless you know both the master password and the master password key, which they tell you, hey, get it off this system. But then it's encrypted and it's sent securely, using a public private key encryption, to the 1Password people. And the - it... 

Perry Carpenter: Right. 

Roger Grimes: ...All your information's encrypted in the cloud, but by multiple keys, not only your master password key, but this secret master key, which is not - even they don't know. It's an offline thing. If you lose that - if you have not backed that up and stored it somewhere, probably off your computer, you could be without all your passwords one day. Although - and that's the worst thing. If you get locked out of your password manager, which does happen to people, the worst-case scenario is you got to go around and reset all your passwords from all your websites. That's... 

Perry Carpenter: Right. 

Roger Grimes: ...That's not great, but that's not like you've lost your money. 

Perry Carpenter: Right. 

Roger Grimes: You know, you have to... 

Perry Carpenter: Yeah, not the end of the world. 

Roger Grimes: ...Reset my password, reset my password. But - so, you know, most of the browsers use good encryption, but it's the additional security mechanisms using that same security that the standalone password managers do. So, you know, again, I wouldn't say that it's - that they're using weak encryption, it's just that the password - not all of them, but some of the password - standalone password managers are using that same encryption but in better and additional ways. 

Perry Carpenter: Two really quick questions. One is if you hear that your password manager has had a breach, what do you do with that information? Do you... 

Roger Grimes: Yeah. 

Perry Carpenter: ...Not trust that password manager anymore? And then the second question you can just kind of freeform off of that is, what one last piece of advice related to passwords or authentication do you want to leave the audience with? 

Roger Grimes: So I'm going to start with the second one first. Maybe... 

Perry Carpenter: Yeah. 

Roger Grimes: ...If that's all right. 

Perry Carpenter: Yeah. 

Roger Grimes: Which is - that way, if you tune out - 'cause I talk so, so much every time you ask me a single question. But, you know, I think your password policy should be that you use phishing-resistant MFA when and where you can to protect valuable data. And if you don't know what's phishing resistant or not, follow me on LinkedIn or email me at rogerg@knowbe4.com - rogerg@knowbe4.com - and I'll send you a paper that shows you all the ones that I know that are phishing resistant. So you should use phishing-resistant MFA to protect valuable data in systems where you can. Where you can't, you should use a password manager to manage your passwords. If you ever create a password out of your head, it needs to be 20 characters or longer. And that's because I have friends that routinely break 18-character passwords that are not even nation-state attackers. 

Roger Grimes: But going back to the password managers, everything gets hacked. Most of the password manager hacks are that the password manager software has a vulnerability in it, a flaw. Like, why can't I use it? You know, and if you go look up LastPass and 1Pass, they have, like - one's got, like, nine vulnerabilities been found; the other's got, like, 12. But I always tell people every month, your browser and OS has dozens of vulnerabilities and you're still... 

Perry Carpenter: Right. 

Roger Grimes: ...Using them. So I don't think the mere fact that your password manager has a vulnerability means that much in that as long as the password manager, when they find out they have a vulnerability, that they quickly patch it, and that that patch is auto-pushed to you, I don't think that's a reason to stop using your password manager. I do think - you know, one of the major password manager people, they've actually had compromises on people's passwords and the password vault. And part of the problem there is they encrypted the people's passwords, but it was only - it was encrypted by the master password, which - for the last couple years they've been saying it needs to be 12 characters or longer. If your master password was 12 characters or longer, it probably is very protective in that your passwords didn't get compromised. But it used to be that you could do any size, or maybe you only had to have eight. So if your pass manager - let's say in the LastPass recent hack - is below 12 characters, I would immediately change your master password to something above 12 characters - I'd say to 20 characters - and I would change every password that you stored in there. 

Roger Grimes: But the other problem was LastPass also, in an unencrypted state, stored people's logins in the websites. So literally the attacker now has a list of every website that you use that password manager to log on to and your login name, which is just - you know, and if they crack some of your passwords, it's beginning a chain of events. But not only that, but they can spear phish you. Now they know, oh, you belong to a cat, you know, website? Well, I can now do some type of targeted spear phishing. Roger, we found this really valuable cat that we'll give to you for a hundred dollars, you know, or something. But in general, I've used maybe 20 password managers - and there's open source ones, there's commercial ones. By the way, people go, which password manager should I use? What I always tell people is go to WIRED magazine - that's wired.com - and they have two password manager reviews. I agree with what WIRED magazine says to use. 

Perry Carpenter: Nice. 

Roger Grimes: 'Cause they're like, here's a good free one. Here's a good commercial one. Here's a good one if you're worried about this or that. I like what WIRED magazine says. And they choose a handful of different password managers. But if you use a password manager, try to use one that's been around for a while. You're going to get what you pay for. The commercial ones are better than the open source ones just 'cause they have more features. And make sure you use a good master password. I'd say, again, 20 characters or longer. A lot of them allow you to protect them with MFA. And let me say, try to use phishing-resistant MFAs. So that's my advice. 

Perry Carpenter: Sweet. 

Roger Grimes: You should use a password manager. If you want to have extra protection, use MFA to protect it. And let the password manager create strong, different, unique passwords for all your websites and services. If you have to create a password out of your head, it should be 20 characters or longer. 

Perry Carpenter: I hope you've enjoyed this deep-dive discussion into authentication, passwords, multifactor authentication and password managers with Roger Grimes. In the end, we see that there is no perfect system. The industry is taking steps to improve resilience and usability, but these changes take years, if not decades, to gain mass adoption. That being said, even small improvements are still improvements. And so I believe a healthy mindset for us to adopt is one of open-minded skepticism. It's unwise to blindly believe that the next MFA or authentication method is the, quote-unquote, "silver bullet." We should know by now that security is a game of building layered defenses and achieving incremental improvement. 

Perry Carpenter: And what that means is we adopt technologies like MFA, password managers, biometrics and continuous authentication methods knowing that there will be flaws in these systems. There will be exploitable vulnerabilities. There will be process issues. There will be integration issues. There will be a whole range of adoption issues that come with these technologies. And there will even be exploitable vulnerabilities. But that doesn't mean that these technologies and these strategies have failed. What it does mean is that we have the tendency to expect too much from them. We tend to expect perfection. But every security professional should know, embrace and plan for the fact that there is no perfect system or strategy. It all comes back to layered defense and incremental improvement over time. And that is the game. It's your move. 

Perry Carpenter: Thanks for listening to "8th Layer Insights," and a big thank you to my guest and colleague, Roger Grimes. I've loaded up the show notes with links to some of the articles and other resources that we touched on today, links to Roger's books and more. And also, don't forget to check the show notes for information about how to submit listener questions or how to connect with me for anything else that I might be able to help you with. If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, there are two big ways that you can do so, and both are always important. First of all, if you haven't yet, take just a couple seconds to give us five stars and to leave a short review on Apple Podcasts or Spotify or any other podcast platform that allows you to do so. The second big way that you can help is by telling someone else about this show. Word-of-mouth referrals are really still the lifeblood of helping people find good podcasts. And if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. If you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.