Hacking Humans 10.4.18
Ep 19 | 10.4.18

Easier to trick than to hack.


Mark Stockley: [00:00:00] Targeted ransomware can be absolutely devastating for companies, and they can find themselves facing, you know, six-figure ransoms.

Dave Bittner: [00:00:08] Hello, everyone, and welcome to another episode of the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:29] Hi, Dave.

Dave Bittner: [00:00:30] Later in the show, Carole Theriault joins us once again, and she speaks with Mark Stockley. He's from the "Naked Security" blog, and they're going to talk about the troubles humans have with creating secure passwords. But before we get to all of that, a quick word from our sponsors at KnowBe4.

Dave Bittner: [00:00:47] So how do you train people to recognize and resist social engineering? There are some things, people think. Test them, and if they fall for a test scam, fire them. Or, other people say, if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how 'bout it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [00:01:23] And we are back. Joe, I'm going to kick things off this week with a confession.

Joe Carrigan: [00:01:27] (Laughter).

Dave Bittner: [00:01:28] I was nearly scammed. This was a close call. So let me just dig in here. So you may be aware from listening to me on this podcast and other podcasts that I enjoy live theater.

Joe Carrigan: [00:01:42] Yes.

Dave Bittner: [00:01:42] I enjoy attending live theater. I enjoy, occasionally, performing in live theater.

Joe Carrigan: [00:01:46] That's right.

Dave Bittner: [00:01:47] And so there's a local theater group, sort of a community theater group. And a couple of times a year, they hold a fundraiser. They have what they call their cabaret night. And that's where they bring in performers from the region who come in and they all perform for free. Someone will come and do a number, maybe they'll preview a number from a show that's going to be opening soon. People come, and for the low, low price of $12, you get a seat at this cabaret night. And you can buy beer and wine, and then they have cheese and snacks and things like that.

Dave Bittner: [00:02:15] So it's a nice, quick way for this group to raise a couple-thousand dollars to help them finance the productions they put on throughout the year. This cabaret night was coming up, and I had forgotten to purchase tickets. And I noticed that the event was sold out. In fact, to the title of the event, they'd actually added the words, sold out, to the title of the event.

Dave Bittner: [00:02:35] So I was a little bummed out, but I reached out to a friend of mine who happens to be on the board of directors of this group, and I said, hey, is there any way I can come? I'd love to see my friends perform. I'd love to support the group. Are there any tickets that you're holding back? And he said to me, well, good news. Somebody just posted on the group's Facebook page that he has four tickets available for tonight's event. I thought, this is great.

Joe Carrigan: [00:02:58] Yeah.

Dave Bittner: [00:02:59] So I go onto Facebook and I go to the event page and, sure enough, there's someone there who says, I have four tickets for tonight. Let me know if you need them. So I reached out and I responded on Facebook, in the group, and I said, I will take one of these tickets. And this person responded and said, private message me. And so I private messaged him, and he said, the tickets are $200 each.

Joe Carrigan: [00:03:22] (Laughter). For a $12 cabaret show.

Dave Bittner: [00:03:23] Yes.

Joe Carrigan: [00:03:24] (Laughter).

Dave Bittner: [00:03:25] Now, the response that you just had is the same response that I had.

Joe Carrigan: [00:03:28] Right. This is a $12 ticket to a community theater production.

Dave Bittner: [00:03:31] A hyper-local production, yes.

Joe Carrigan: [00:03:33] I am not going to see the Stones.

Dave Bittner: [00:03:35] I am not - exactly. Right. Yes. I was thinking Bruce Springsteen.

Joe Carrigan: [00:03:38] Bruce Springsteen.

Dave Bittner: [00:03:38] Yeah. The Stones. Here's the thing. So now for the first time, I go and check this person out. I go look at his profile. He's in Germany. He has no friends or followers. So now I'm thinking, all right. Well, obviously, this is a scam. This is a scammer. But I'm thinking, how did this scammer target this local, little production?

Dave Bittner: [00:04:00] What he did was, he did a search on Facebook for the phrase sold out. Because sold out was in the title of the event. They had updated the event to be fall cabaret night, sold out. So if you search for sold out, you get a nice, handy little list of all the events coming up that are sold out. And this scammer would go from event to event and just post and say, hi, I got four tickets to that.

Joe Carrigan: [00:04:25] (Laughter).

Dave Bittner: [00:04:26] Now, here's the other part of this. Had this person done a little more homework and said...

Joe Carrigan: [00:04:31] The tickets were $12.

Dave Bittner: [00:04:32] ...The tickets were $12, I would have paid him the $12...

Joe Carrigan: [00:04:36] Right.

Dave Bittner: [00:04:37] ...Probably without checking him out.

Joe Carrigan: [00:04:39] Yeah.

Dave Bittner: [00:04:39] Because I would have thought, well, this is a very local thing. This is a community thing. This was not on my radar that someone would be scamming something so close to home.

Joe Carrigan: [00:04:48] Maybe you would've caught on when he says, wire the money to me or give me a credit card, or something like that. Because generally speaking, if you're going to buy a $12 ticket for a local cabaret theater...

Dave Bittner: [00:04:57] Right.

Joe Carrigan: [00:04:58] ...You're going to say, meet me at the McDonald's over in Harper's Choice.

Dave Bittner: [00:05:01] Yeah.

Joe Carrigan: [00:05:01] ...And I'll give you 12 bucks. You give me the ticket.

Dave Bittner: [00:05:04] Yeah.

Joe Carrigan: [00:05:04] And the guy from Germany's going to be like, I'm not flying...

Dave Bittner: [00:05:07] (Laughter).

Joe Carrigan: [00:05:07] ...To Maryland.

Dave Bittner: [00:05:08] (Laughter). Right. Let me hop on the Concorde.

Joe Carrigan: [00:05:11] Right. (Laughter).

Dave Bittner: [00:05:12] That is true. I can imagine either something like PayPal or Venmo, one of the...

Joe Carrigan: [00:05:16] Right.

Dave Bittner: [00:05:17] One of those handy little - or even, you can do it with Apple Pay now.

Joe Carrigan: [00:05:20] Yeah.

Dave Bittner: [00:05:20] Right? So there are lots of easy ways to transfer small amounts of money. But because this person didn't do any homework with just, you know - $200, this is an absurd amount of money for an event like this, and this person didn't know that. So I went back to the Facebook page and posted, hey, everybody. Just so you know, this is a scammer.

Joe Carrigan: [00:05:40] Right.

Dave Bittner: [00:05:40] Scammer, be gone.

Joe Carrigan: [00:05:41] (Laughter).

Dave Bittner: [00:05:42] But for me the interesting part was it was really a nice little lesson for me on the stages that I go through in checking something out. If I had been buying tickets to the Rolling Stones or something where I might have been willing to pay a couple-hundred dollars...

Joe Carrigan: [00:05:55] Yeah.

Dave Bittner: [00:05:56] ...Well, I certainly would have done the homework to make sure that this was legit.

Joe Carrigan: [00:06:01] Agreed.

Dave Bittner: [00:06:01] But in this case, it was not. I dodged the bullet because of the scammer's greed and lack of doing homework, and all's well that ends well. But...

Joe Carrigan: [00:06:11] I think what you're talking about here is you have this internal risk assessment tool. Right? So you look at it like this. I'm going to go out and buy a ticket.

Dave Bittner: [00:06:18] Right.

Joe Carrigan: [00:06:18] I'm not going to check on the guy 'cause it's - what is it, 12 bucks?

Dave Bittner: [00:06:20] Right.

Joe Carrigan: [00:06:21] Nobody's going to scam me out of 12 bucks. And if they scam me out of 12 bucks, what happens? You're out 12 bucks.

Dave Bittner: [00:06:24] I'm out 12 bucks.

Joe Carrigan: [00:06:25] Right. But if they're going to sell you tickets for $200, you're going to be like, I think this is a bigger risk. I'm going to put more time into investigating who this is and what they have, and see if they have any positive reviews, negative reviews.

Dave Bittner: [00:06:36] Yeah.

Joe Carrigan: [00:06:37] I don't know that you're at fault here. And you can't really spend all of your time checking on things. At some point in time, it just becomes not cost effective.

Dave Bittner: [00:06:45] Right.

Joe Carrigan: [00:06:45] So, you know, at some point in time, you're going to get scammed, like we've said.

Dave Bittner: [00:06:48] Yeah.

Joe Carrigan: [00:06:49] It's just going to happen. But if you get scammed for a small amount, that's a lot better than getting scammed for $200 worth, or...

Dave Bittner: [00:06:53] (Laughter).

Joe Carrigan: [00:06:54] ...God forbid, as the stories we've heard on this, many thousands of dollars.

Dave Bittner: [00:06:58] Yeah. So I think for me it was a little lesson learned. Perhaps I'm a little less innocent than I was.

Joe Carrigan: [00:07:04] (Laughter). Poor Dave, losing his boyhood innocence.

Dave Bittner: [00:07:05] I know. A word to the wise, though, 'cause this ability to search on Facebook for the phrase sold out...

Joe Carrigan: [00:07:11] Right.

Dave Bittner: [00:07:12] ...That was something I hadn't really thought about before. But this particular scammer had and was taking advantage of that.

Joe Carrigan: [00:07:19] Exploiting.

Dave Bittner: [00:07:19] That's right. So that's my story this week. Joe, what do you have for us?

Joe Carrigan: [00:07:22] So this week, I found an article from fifthdomain.com where they were talking about a new survey that was done by a company called Thycotic.

Dave Bittner: [00:07:30] Well-known company.

Joe Carrigan: [00:07:31] They sell privilege management software and password management software. Password management software is one of my favorite tools.

Dave Bittner: [00:07:36] I know.

Joe Carrigan: [00:07:37] So Thycotic did a survey of the hackers at Black Hat. You went to Black Hat, right?

Dave Bittner: [00:07:43] I did.

Joe Carrigan: [00:07:43] Did you fill out this survey?

Dave Bittner: [00:07:44] I did not.

Joe Carrigan: [00:07:45] The survey found a couple of key findings. Half the participants said they had easily cracked into Windows 8 and Windows 10 machines.

Dave Bittner: [00:07:52] OK.

Joe Carrigan: [00:07:53] Right? In the past year. And almost all of them said they had compromised some manner of Windows machine some way. So that means that everybody pretty much gets into Windows machines.

Dave Bittner: [00:08:01] OK. Everyone at a hackers' conference...

Joe Carrigan: [00:08:04] Can get into a Windows machine.

Dave Bittner: [00:08:05] OK. All right.

Joe Carrigan: [00:08:06] With some level of effort.

Dave Bittner: [00:08:07] Sure.

Joe Carrigan: [00:08:07] Half of the hackers say it's easy. Forty percent say, you know, it takes some work, but I can do it.

Dave Bittner: [00:08:12] OK.

Joe Carrigan: [00:08:13] But despite the seemingly easy way to break into these things, they said that's not their preferred method of attack. They said - 60 percent of the hackers in this survey said that they prefer social engineering because it's the fastest way to get access to a user's computer. So this reminds me of an article I read years ago. It was about a penetration tester for industrial control systems.

Joe Carrigan: [00:08:36] The question asked of this hacker was, how do you break into systems? Do you go out and you crack passwords? Do you go out and brute force them? He goes, yeah. I can do that. But why would I do that when I could just make 10 phone calls and get a password? Because the point of the article was that 10 percent of people who, when you call them and ask them for a password, still give you a password.

Dave Bittner: [00:08:56] Right.

Joe Carrigan: [00:08:57] Despite everybody's best efforts, and the efforts of this show and the CyberWire, and every network administrator out there will scream and yell and say, we never need your password, don't give out your password on the phone - but still at this point in time, 10 percent, we're doing it. Now, actually, that means that you will need, like, somewhere between an average of five and six calls to get in, right?

Dave Bittner: [00:09:15] Yeah. Before the show, you were saying that this person had a particular technique for this.

Joe Carrigan: [00:09:19] So that was a friend of mine back in the '90s who was doing some security assessments. He was working with, I think, SAIC. But the way he would call in is he would call in to the people in the target organization. He'd say, I'm with your network security organization. I'm conducting a security audit. What is your username and password? And in the '90s, 50 percent of the people would give him the answer. Thankfully, that has gone down over the years to about 10 percent. But still, that's way too high.

Dave Bittner: [00:09:46] And they give in to that authority - I'm calling on behalf of. We've talked about that.

Joe Carrigan: [00:09:49] Yeah. We've talked about that, as well. So the report had this interesting quote. While much attention is given to application and operating system vulnerabilities, zero-day attacks, malware, hackers still find it easier to trick users into simply handing over their credentials. That's a quote from the Thycotic report. Hackers also said they have a favorite tool for social engineering, as well. Forty-seven percent of the participants said that exploiting reused passwords was their preferred way of exploiting a victim. So I've been saying on this show and on the CyberWire and everywhere else...

Dave Bittner: [00:10:21] (Laughter). Shouting from the building, from the rooftops.

Joe Carrigan: [00:10:24] Right. Use a password manager. Use a password manager. Don't reuse passwords. Of course, the report suggests that network administrators adopt a least-privileged strategy, which is, just give the users just barely what they need to do their jobs. And, of course, you can purchase tools like that from Thycotic. The US-CERT, which is the Computer Emergency Response Team, says only give the users the minimum rights they need to do what they need to do.

Dave Bittner: [00:10:46] And I think it's important to audit them, too, because sometimes I think it's quite common that someone will need to access something, and then that access never gets revoked.

Joe Carrigan: [00:10:56] Right. That's a good point.

Dave Bittner: [00:10:57] So you sort of get this accumulation of rights over time...

Joe Carrigan: [00:11:00] Yup.

Dave Bittner: [00:11:00] ...Because no one's going back and saying, no, this person doesn't need these rights anymore, or making it so that it automatically expires after a certain amount of time.

Joe Carrigan: [00:11:08] And users are just never going to tell you about needing those rights because...

Dave Bittner: [00:11:12] No.

Joe Carrigan: [00:11:12] ...They don't want to go through the hassle of having to request them again.

Dave Bittner: [00:11:15] Right. No. I think it's natural for people to kind of hoard those rights.

Joe Carrigan: [00:11:19] Yeah.

Dave Bittner: [00:11:19] And why not? I completely understand that.

Joe Carrigan: [00:11:21] Yeah.

Dave Bittner: [00:11:22] I've probably done it myself.


Dave Bittner: [00:11:25] All right. Time to move on to our Catch of the Day.


Dave Bittner: [00:11:31] Joe, this week's Catch of the Day was sent in by a listener named Andrew. He had noticed that his iPhone was popping up unusual alerts from his calendar app for events that he had not put into his calendar app.

Joe Carrigan: [00:11:45] Really?

Dave Bittner: [00:11:45] And so he took a closer look at this. And he saw that the events were clearly being generated by people who were up to no good. So for example, here's one of the email messages that had triggered a calendar alert. The topic of the message is All of Myself from Katherine26. And it says, (reading) hey, I need you, all of you. And I want to give all of myself, every part, to you. I have never felt this way before. Oh, my God. I want you so badly. Can't wait seeing you - Katherine.

Joe Carrigan: [00:12:26] (Laughter).

Dave Bittner: [00:12:29] And of course, then there's a link.

Joe Carrigan: [00:12:31] In the middle of it, yeah.

Dave Bittner: [00:12:32] Yeah. OK. So first of all, it is what it is. Right...

Joe Carrigan: [00:12:35] Right, yeah...

Dave Bittner: [00:12:36] The standard sort of come-on with the promise of some sort of rendezvous or...

Joe Carrigan: [00:12:41] ...Basically. Who knows?

Dave Bittner: [00:12:42] ...Something like that, yeah. Who knows? So I love - Andrew refers to the sender of this email as excited Katherine, which I think is...

Joe Carrigan: [00:12:47] (Laughter).

Dave Bittner: [00:12:47] ...Which is great. So this is run-of-the-mill. These sorts of things happen all the time.

Joe Carrigan: [00:12:51] Sure.

Dave Bittner: [00:12:51] But what makes this interesting is that they included in these messages a calendar invite.

Joe Carrigan: [00:12:58] Right.

Dave Bittner: [00:12:58] And some email clients, by default, when they see a calendar invite, will automatically put it in your...

Joe Carrigan: [00:13:06] In your calendar.

Dave Bittner: [00:13:07] ...Calendar and automatically generate a pop-up...

Joe Carrigan: [00:13:10] Right.

Dave Bittner: [00:13:11] ...To warn you that this event is coming up. So this is a way that the bad guys have figured out to put their message in front of you...

Joe Carrigan: [00:13:18] Outlook does this by default.

Dave Bittner: [00:13:19] ...Right - to grab your attention, without you doing anything, in more than one way. And Andrew pointed out that it seems as though, with some email clients, even if this is sent to the spam folder, the calendar event still gets populated in your...

Joe Carrigan: [00:13:35] Really?

Dave Bittner: [00:13:35] ...Calendar. Yeah. So he did some digging around. And he found there are ways to disable this, to make it not the default behavior.

Joe Carrigan: [00:13:43] Right.

Dave Bittner: [00:13:43] So that's certainly worth looking into. But that's an interesting one. I had not seen this use of calendar events to generate these spammy pop-ups.

Joe Carrigan: [00:13:52] That's a very creative use of the technology.

Dave Bittner: [00:13:55] Yeah. So that is our Catch of the Day. Thanks to Andrew for sending that in to us. Of course, we appreciate all of you sending in these fun Catch of the Days. You can find out how to do that. Just visit the website - thecyberwire.com. And in the contact section, you can send us your Catch of the Day.

Joe Carrigan: [00:14:10] Keep them coming. We love them.

Dave Bittner: [00:14:11] (Laughter) We do. And coming up next, we've got Carole Theriault. She joins us. She's speaking with Mark Stockley. He's from Sophos' Naked Security blog. And they're going to talk about the troubles that we humans have with creating secure passwords. But first, a message from our sponsor, KnowBe4.

Dave Bittner: [00:14:30] Let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4 CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:15:18] We are back. And, Joe, we are pleased to have Carole Theriault back to join us. This week, she interviews Mark Stockley. He's one of the writers at Sophos' Naked Security. And they're talking about, again, one of the things that is near and dear to your heart. And that is passwords...

Joe Carrigan: [00:15:33] Password managers.

Dave Bittner: [00:15:34] ...Password managers - but specifically, why do we humans have such a hard time creating secure passwords? Here's Carole Theriault.

Carole Theriault: [00:15:43] So I don't know about you guys. But working in the tech industry as a writer and podcast producer, I have a zillion online accounts for all types of apps - services, plug-ins, add-ons, portals. And each one of these has a password. Security experts tell us to have a unique password for each account. They tell us to make these difficult to crack by using capitals and mixing up characters and numbers and symbols. They tell us to make them long, and they tell us not to write them down or tell anyone.

Carole Theriault: [00:16:17] Now, is it just me, or is this a nigh on impossible task? Without using my trusty password manager, I'd be up that creek without a paddle. And it turns out there may be a very good reason why I find this task so stupefyingly hard. I reached out to Naked Security writer Mark Stockley. In previous roles, he has managed large IT, web and UX teams. And Mark has a keen understanding of human behavior. And he sees a huge disconnect between how our brains work and what good password creation requires of us.

Carole Theriault: [00:16:54] Talk to me about this disconnect between our brains and passwords.

Mark Stockley: [00:16:57] So this year, there's been quite an interesting development in the way that ransomware is deployed. And the state of the art now, if you like, is actually targeted ransomware. So targeted ransomware can be absolutely devastating for companies. And they can find themselves facing, you know, six-figure ransoms. And what all these different types of targeted ransomware attack seem to have in common is that they all start with cracking passwords. They all start...

Carole Theriault: [00:17:26] OK.

Mark Stockley: [00:17:30] They all start - they all get into the network - they get into your network in the first place by guessing a weak password. And I think, kind of, we're used to the idea that phishing and social engineering preys on our human weakness. But actually, the way that password cracking works - password guessing - is that it also preys on our human weakness.

Carole Theriault: [00:17:53] But we've been talking about passwords for, I'd say, decades. Surely, people are creating much more difficult passwords. Like, even my mom talks about replacing E's with 3s, you know?

Mark Stockley: [00:18:06] That's a really interesting question, I think, because there's two parts to that. The first is, I don't think there's any evidence that we're creating more difficult passwords at all. We are phenomenally resistant to education. You know, the amount of time and money that has been spent on trying to get people to choose passwords that aren't really bad - you know, not even good passwords but just passwords that aren't bad - it's incredibly difficult to educate people out of this problem.

Mark Stockley: [00:18:34] So every year, there's a company - I think it's SplashData - they produce a list of the 25 worst passwords. And I look at those lists every year because, you know, they're great for writing stories about. And they just don't change. You know, the worst password in the world - and these passwords come from data breaches. So, you know, you assemble all the leaked passwords from all the different breaches in the world and then rank them. And you'll see that the most popular password in the world is still 123456.

Carole Theriault: [00:19:06] So it's not just that this is the worst password; it's also the most popular password.

Mark Stockley: [00:19:11] Well, that's why it's the worst because...

Carole Theriault: [00:19:12] Oh, got you (laughter).

Mark Stockley: [00:19:14] ...What you want your password to be is rare. You want your password to be really hard to guess. So if your password is the one that the largest number of other people use, then you don't have a rare password. And it isn't hard to guess.

Carole Theriault: [00:19:29] But - OK. So if my Auntie Jean creates a password using her pet's name or using the dates of birth of her kids, that's surely difficult to guess for strangers.

Mark Stockley: [00:19:41] So it's more difficult to guess than 123456.

Carole Theriault: [00:19:46] Yeah. OK. Yep.

Mark Stockley: [00:19:48] But it is not as difficult to guess as a truly random password.

Carole Theriault: [00:19:56] But how am I supposed to remember a random password?

Mark Stockley: [00:19:58] I would suggest that you probably can't. And actually, the problem that you have is not that you need to remember a random password. The problem is that you need to remember 25 random passwords. So I went through a whole bunch of research a few years ago. I was looking for - how many accounts do people have online? And I was looking at the sort of research by people like Microsoft Research, who do lots of really good stuff on passwords. And you can see every time the research is done that the number of accounts that people are using online is going up and up and up and up. So...

Carole Theriault: [00:20:30] Yeah.

Mark Stockley: [00:20:30] ...The problem with passwords is not simply that you need to remember something that's really difficult to remember but you need to remember 25 things that are all really difficult to remember. You know, if I asked you to remember - if I had a deck of playing cards and I laid out 14 cards in front of you and said, well, there you go, Carole. Could you remember that sequence of 14 cards so that next time we talk to each other, before we talk, you have to tell me those 14 cards - yeah?

Carole Theriault: [00:20:55] No, I couldn't. I have a bad, bad memory (laughter).

Mark Stockley: [00:20:58] You would think I was insane. You would say, that's a terrible method of authentication, Mark. Who would ever come up with such a thing? But again, like, that's not the problem. The problem is not that you have to remember those 14 cards. You have to remember 25 different sequences of 14 cards. And the 14 is important, by the way, because the 14 is - that's the sort of length of password that you need to have a password that is all but uncrackable.

Carole Theriault: [00:21:25] And this might be a good time for you to talk to me about how this doesn't sit well with a human brain because it needs to - what? - classify and simplify things.

Mark Stockley: [00:21:33] I mean, our brains are designed around sort of remembering things as narratives and stories. And we're all about creating order out of chaos and looking for patterns and creating patterns. And you know, we have biases that see us anchoring around things. You know, whatever the last number you heard was will influence the next number you'd guess, for example. So if I told you a low number, I could bet that the next number you'd guess would also be a lower number.

Mark Stockley: [00:21:59] You know, I contend that it's a human weakness. Our inability to create these passwords is a human weakness. And I think that's evidenced by a number of things - firstly, the fact that we're simply resistant to education. You know, there's research that says that we are able to spot weak passwords. And yet we're still unable to produce them. And that's because we're just not designed around producing randomness, you know? We're designed around creating order. The human weakness is evidenced by, firstly, our resistance to education. And then, you can see in the habits that people have. Like, how do they work around the fact that they have to do this impossible task?

Carole Theriault: [00:22:36] Yeah.

Mark Stockley: [00:22:36] So instead of remembering 25 really difficult passwords, people just reuse the same password over and over and over again - makes it really easy for crooks to get a whole load of extra value from cracking your password. The other technique that we have for overcoming the sort of impossibility of remembering these 25 totally random strings of characters is to come up with a family of characters or to use some sort of formula.

Mark Stockley: [00:23:07] Any time that you use a formula, you're doing a load of hard work on behalf of the crooks because the hardest thing for them to do is to guess a random password. And the more order and the more structure there are in your passwords, the easier they are to guess because the crooks can just ignore a whole bunch of things that your password might be.

Mark Stockley: [00:23:31] So there's two different scenarios that we're talking about here. One is I have a password database and I don't know anything about the people who are in that password database. Then I'm going to use dictionaries to try and crack those passwords. People often use real words for their passwords, or they use words with some modification. And so what I'm going to do to try and crack your password - I'm not going to just go in there with a random guess, or I'm not going to start with A, A, A, A, A and then go to A, A, A, A, B. I'm going to start with my list of the most popular passwords in the world, and then I'm going to get a dictionary and I'm going to guess all the words in the dictionary. And then I'm going to start modifying those words, and I'm going to start substituting in numbers for letters. So where there are O's, I'm going to try zeroes. And where there are S's, I'm going to try dollar signs.

Carole Theriault: [00:24:23] Right. Right.

Mark Stockley: [00:24:24] Yeah? So because there's a password cracker, I understand that that's how people - that's how lots of people assemble their passwords. And also, I can use tricks like, I understand that, you know, if you visit a website and it says you must have a password with a capital letter in it, chances are you're only going to put one capital letter in the password. And the chances are you're going to put it at the beginning or the end.

Carole Theriault: [00:24:50] So in trying to be random, we actually fall into very predictable patterns.

Mark Stockley: [00:24:56] Yes. So there are the obvious patterns, which are the ones that you're talking about where you say, OK, well, my pet's birthday is...

Carole Theriault: [00:25:04] Yeah.

Mark Stockley: [] ...September. And then there were the sort of subconscious patterns that we share around, you know, doing things like number substitution and a way with the capital letters or how many we're going to pick. You know? If I say your password must contain a capital letter, it's going to contain one capital letter, not four.

Carole Theriault: [00:25:26] Interesting.

Mark Stockley: [00:25:29] And then the other side of that is, if I do know who you are, if I know that I'm trying to crack Carole Theriault's account, then I can go and hoover up all your social media information. And that can help me enormously in terms of trying to decide, you know, how I'm going to approach cracking your password. You know, what have you written and what's your vocabulary? And I could if I wanted to. If I was really determined, I could just go and download everything you've ever written and use that as my dictionary.

Carole Theriault: [00:25:57] Yeah. That's a scary thought. What advice do we have for people that know about passwords and need ways to teach people to do better passwords? Do you suggest they just use password managers?

Mark Stockley: [00:26:07] So there's two separate areas of advice, really. The first is, OK. So you're an end user. What should you do? How can you overcome your brain's inability to produce a random password that's hard to guess? My advice would be don't bother. Don't even try. You know, don't come up with a formula. You don't understand how much you're fighting against yourself. You know, we do have password managers. There are perfectly good pieces of software out there that can do this for you.

Mark Stockley: [00:26:34] Computers are very good at choosing random numbers, or certainly much better at it than we are. I think it's time to stop giving users advice about passwords. I think there's been this enormous dereliction of duty within the IT infosec community for too long where we've said the security of our systems rely entirely on your ability to choose really good passwords. And we all know that you're really bad at that.

Mark Stockley: [00:27:03] There are some really simple things that companies and systems administrators can do to take control of those passwords on behalf of their users and take control of their security. And the first one is simply to stop people from choosing bad passwords. So earlier, we were talking about these lists of, you know, the 100 worst passwords. Well, there were lists of the 10,000 worst passwords and the million worst passwords. Instead of telling people you've got to have a password that matches this formula, simply tell them when they type in the password. When they say, right, I want my password to be 123456, you stop them from doing it and you say, did you know that's one of the 25 worst passwords? So you're not allowed to choose that. That's too easy to guess.

Mark Stockley: [00:27:46] The second thing that companies can do is they can use rate limiting. So rate limiting is where you say you only get to try your password three times, or you only get to try your password 10 times. So exactly what happens on your phone.

Carole Theriault: [00:28:01] Right. Yeah.

Mark Stockley: [00:28:02] OK? So you can, essentially, drastically strengthen passwords. So you can essentially strengthen passwords on behalf of your users simply by preventing adversaries from making multiple guesses. You might have an incremental lockout. So you say, OK, well, you get three guesses, and if you don't get it right in three guesses, we're going to lock you out for 10 minutes. But if you do three more and you don't get it, we're going to lock you out for an hour. And then if you do three more, we're going to lock you out for a day.

Carole Theriault: [00:28:32] I'm going to be one of those people that's going to hate that, though I understand why. I just seem to be just always hitting the wrong keys on my phones and stuff.

Mark Stockley: [00:28:42] So that's another human weakness. Another...

Carole Theriault: [00:28:44] (Laughter).

Mark Stockley: [00:28:45] We haven't even cut into that.

Carole Theriault: [00:28:48] (Laughter). Fat finger syndrome.

Mark Stockley: [00:28:50] Yeah. Actually, what I should've said is, that's just you, Carole.

Carole Theriault: [00:28:52] (Laughter).

Mark Stockley: [00:28:52] All the rest of us are fine.

Carole Theriault: [00:28:54] (Laughter).

Mark Stockley: [00:28:57] And the other - so and the last thing that you could do is to use 2FA, two-factor authentication. I don't think there's enough of that. There's voluntary two-factor authentication adoption.

Carole Theriault: [00:29:08] Right. So you're talking about companies enforcing stronger security policies, taking back the ownership of passwords so that they actually better protect the environment.

Mark Stockley: [00:29:18] Exactly that. Exactly that. It's time to acknowledge that, that fundamental human weakness.

Carole Theriault: [00:29:25] You know, what Mark's saying gives me hope. Get the importance of passwords. After all, I prefer the use of a made-up passcode than using intrinsic information about me that I can't change, such as my date of birth or my Social Security number. These things are part of me, and if they get hacked, they're gone. So I don't like the use of those things. But he's addressing the problems that I have, that I can't keep all these complex passwords, random passwords, in my head.

Carole Theriault: [00:30:02] If we can hand over the password creation component to online services and on-site experts that will prevent us from actually getting hacked and our vulnerability being exposed, surely that's going to radically reduce phishing and ransomware and all kinds of other online nasties. Food for thought. This was Carole Theriault for the CyberWire's "Hacking Humans."

Dave Bittner: [00:30:34] What do you think, Joe?

Joe Carrigan: [00:30:36] Hold on, Dave. Let me get up on the rooftop here real quick. Use a password manager.

Dave Bittner: [00:30:47] Watch your step on the ladder getting back down there, Joe.

Joe Carrigan: [00:30:49] Thank you, Dave.

Dave Bittner: [00:30:50] Yeah. (Laughter).

Joe Carrigan: [00:30:50] Had to scream that again.

Dave Bittner: [00:30:51] Yeah.

Joe Carrigan: [00:30:52] A couple observations. No. 1, the top 25 worst passwords never change. That stems from a brilliant observation that Mark makes in this interview, and that is - I don't know if it's an observation or a statement - that humans are designed to produce order.

Dave Bittner: [00:31:07] Right.

Joe Carrigan: [00:31:07] It's what we like. It's why we have a society. Right? So don't even try to generate random passwords. Use a password manager. Computers are pretty good at generating pseudo-random passwords that are almost impossible to guess. Right? I like the idea of rate limiting. That's a great idea. It's very easy to do that in an enterprise. I worked in a very large organization for a number of years, and they had a lock-out policy. And I even administered a system that we had a lock-out policy, if somebody tried to enter their password three times and failed, they were locked out of the system and they had to come see us to unlock the system...

Dave Bittner: [00:31:38] Right.

Joe Carrigan: [00:31:38] ...Unlock their password. And we would say, was it you? That was our first question, was it you who entered those passwords incorrectly? And they would say, yeah. Invariably, they would say, yeah, it was us. And I'd say, that's fine. I'm happy to do it. I'm going to reset your password now. But I need to know that it was you that did that because if the answer to that question is no, I have a different issue. Two-factor authentication is great. I think that goes a long way even to preventing having accounts violated if they are using bad passwords.

Dave Bittner: [00:32:05] Yeah. If something's important to you, if something's valuable, have two-factor.

Joe Carrigan: [00:32:10] Right.

Dave Bittner: [00:32:10] No-brainer.

Joe Carrigan: [00:32:10] Right. Just some kind of two-factor.

Mark Stockley: [00:32:11] Yup.

Joe Carrigan: [00:32:12] Even if it's just a text message sent to your phone. I know that's not 100 percent secure, but it's much more secure than nothing.

Dave Bittner: [00:32:16] Right.

Joe Carrigan: [00:32:17] And somebody has to do a lot of work in order to compromise that. Why do we have a hard time generating the random passwords? It's because we're designed to produce order. You don't need to know why we're bad at generating random passwords. Just understand that we are bad at generating random passwords.

Dave Bittner: [00:32:30] (Laughter) Just accept that.

Joe Carrigan: [00:32:31] Just accept it.

Dave Bittner: [] Yeah. Yeah.

Joe Carrigan: [00:32:31] You don't need to know how gravity works in order to know that falling off a cliff is a bad idea.

Dave Bittner: [00:32:35] Right. Right.

Joe Carrigan: [00:32:36] You can see something fall off the cliff and go, yeah, looks like that would hurt. And it's not so obvious with passwords for people. Right?

Dave Bittner: [00:32:42] Yeah.

Joe Carrigan: [00:32:42] Weak passwords are a bad idea. Reusing passwords or using your own passwords that you come up with is just a bad idea.

Dave Bittner: [00:32:48] No. I'm definitely guilty of it. I've taken that formula approach in the past before I had a password manager.

Joe Carrigan: [00:32:54] Right.

Dave Bittner: [00:32:54] You know, I would - how clever I was. I'd use some sort of root password, and then I'd vary it using a formula. And this was great until one day - actually, I had already moved on to using a password manager, but one of the folks I work with, a colleague that I met through the CyberWire, said, hey, do you mind if I try to look up and send you a bunch of your past passwords?

Joe Carrigan: [00:33:17] Right.

Dave Bittner: [00:33:18] And I said, oh, OK.

Joe Carrigan: [00:33:19] (Laughter).

Dave Bittner: [00:33:20] And so he sends me a list of about a dozen of my passwords.

Joe Carrigan: [00:33:23] Right.

Dave Bittner: [00:33:23] And this was chilling. This was just - and you know this is going on, but to have someone do it so effortlessly and just send it to you in, like - it's kind of like a magician saying, is this your card?

Joe Carrigan: [00:33:35] (Laughter) Right.

Dave Bittner: [00:33:36] You know? Like, yes...

Joe Carrigan: [00:33:36] That is my card.

Dave Bittner: [00:33:36] ...That is my password. Yes. So...

Joe Carrigan: [00:33:39] I remember a couple of months ago, we had that article from Virginia Tech, I think it was, where if they know that you use a base password and just augment it slightly in order to make your next password...

Dave Bittner: [00:33:50] Right. Right.

Joe Carrigan: [00:33:50] ...They can usually guess it in under 10 guesses.

Dave Bittner: [00:33:52] Under 10 guesses. Right. Yeah. All right. Well, our thanks to Carole Theriault. Always great to have her back. And our thanks to Mark Stockley from Sophos' Naked Security for joining us, as well. And thanks to all of you for joining us.

Dave Bittner: [00:34:05] And, of course, thanks to our sponsor, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.

Dave Bittner: [00:34:24] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:34:33] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:34:50] And I'm Joe Carrigan.

Dave Bittner: [00:34:51] Thanks for listening.