...start up that recording. It's running now. All right, welcome everybody to Become a Cybersecurity Ninja, the 10-part webinar series. Today's session: Your Passwords Are Broken, How You Can Fix Them. And we have with us, I'm delighted to say, Keith Burner of Freedom House, and we will let him introduce himself in just a minute. We're gonna kick it off. I just want to walk everybody through our ninja plan. So we've been through threat modeling, which we did back on the 24th. All of these recordings, all of these slide decks are available for free; all of the future slide decks and recordings will be available for free and shall remain so. So if you miss any of these and you'd like us to send them to you, just let us know; you can just email us at Roundtable if you can't find them. They're also all available from our website; you can go to our event page and you should be able to find all the back ones. And Keith, just as a heads up, I'm still hearing a bit of breathing on your side, no big deal, but that's okay.

And so anyway, we did threat modeling, we did network security basics. Today we are covering authentication, passwords, password managers and 2FA, or Your Passwords Are Broken, and the next session is the "@$#" of encryption: communication, information and the price encryption, and that will be in two weeks. I, of course, am Joshua Peskay, vice president of technology strategy at Roundtable. Roundtable, of course, is a team of dedicated technology professionals operating out of Maine and New York, and I'm not going to take too much time on Roundtable because I want to give Keith... before, Keith, tell us about yourself and Freedom House.

Hi everybody, and sorry for breathing into my microphone. I've now moved my mic a little further from my face, so hopefully you can still hear me without too much breathing. We do definitely want you to breathe. Okay, good. Yeah, we were joking before we started that I might just hold my breath for the whole webinar. So I've been with Freedom House for four years. Freedom 
House is an international human rights and democracy organization. The nature of what we do angers authoritarian governments around the world, so security is a big factor in what we do. It's how we keep our staff and our partners on the ground in dangerous environments safe. We take these things very seriously.

Awesome, thank you so much, Keith, and thank you so much for joining us today and for your help in giving me feedback on the slide deck today and helping develop the deck. The resources you've sent have been a huge help. So what we're going to talk about today is of course passwords, and the first step toward recovery is admitting you have a problem, and the problem is passwords. And we're going to take a little bit of time. I hate to be one of those depressing, the-sky-is-falling kinds of things, and I've tried very much not to have that tone in these sessions in general, and I will continue to not have that tone. However, in the instance of passwords specifically, while there are lots of things you can do to mitigate the problem, passwords fundamentally are broken, and we're going to talk over the next few slides as to why that is true, why they're broken. Then we'll get into, as quickly as we can, all the different things you can use to try to make them less broken or to fix them, such as password managers, single sign-on and using enterprise password managers, and two-factor authentication, which is probably the easiest tool that you can start using right after you get done with this webinar, or tomorrow, or as soon as you can. And then of course we'll give you, as usual, resources for further learning.

The first poll we want to ask is: what do you think is the average number of accounts... well, I don't write that healthy... what is the average number of accounts registered to a single email address in the US? So essentially, now most of us have multiple email addresses, but how many accounts online are registered to a single email address in the US? What do you think is the 
average number? Do you think it's less than 25? Do you think it's 26 to 50? Do you think it's 51 to 100, 101 to 200, or over 200? And let's see what we get. We'll leave that open just for a few more seconds. All right, Ben, go ahead and show us the results here, and then I will... well, while that's coming up, I wanted to add one thing, which is that poor password hygiene is one of the major ways in which identities get stolen and accounts get hacked. Yes, and it is a major one. So people had answers all over the place, and this kind of depends how you want to allocate it, but the actual answer, according to Dashlane, and I have the source listed in the slide, is a hundred and seven: a hundred and seven accounts registered to a single email address. Keith has over 200, you're saying. Ben, go ahead and close that up for me. All right, and just in case anyone's wondering, I believe I wrote down in my notes how many I have; it's about 320-something that I have in my laptop. So that's a large number of passwords that we all have, and that's part of the problem.

So the next slide we have up here is to point out that 123456 is of course the best password that you can use, and we have two here. So LinkedIn, I think, you know, we'll give those folks a little bit of a break for having a weak password, because they're just trying to set up an account on LinkedIn, because maybe they're about to leave their job and they weren't really trying very hard. The Ashley Madison folks, however... if you're not familiar with Ashley Madison, it is a site for ostensibly married people who wish to, you know, have affairs with other married people who are not their spouses. So you would think that these people would be a bit discretion-oriented and might be a little more security-cautious because of that, and yet 123456 is still, by a factor of more than two, the most popular password on Ashley Madison. So 123456: best password that there is. So the actual best passwords, in case anyone 
didn't catch the previous message or previous slide, are these incredibly long, gobbledygook, complex, random alphanumeric strings, right? Length is a really important factor in passwords; complexity is an important factor. And then you'll notice that the third one, "speckled rambling tried runners green buildings", that is... and you can go ahead and plug these into any password checker tool that you can find. If you Google "password checker tool" you'll find a number of sites where you can plug passwords in and see how strong they are. The "speckled rambling tried runners greening buildings" is in fact, I believe, stronger than the other two; it's certainly as strong. And the reason why is that it's a very long password, so even though it's English words, it's still a very strong password, and that's a passphrase, which makes it easier, because human brains are not good at making and remembering long, complex and random alphanumeric strings. And because I know people can't read and listen at the same time, I'll give everybody just a moment to read the cartoon there.

And so obviously that's a little bit of a problem, and then of course it gets worse. So this is... remember I said I was gonna be a bummer, so this is the part where I'm a little bit of a bummer. So even complex passwords aren't that great. Why aren't complex passwords that great? Well, they can still get phished, and we haven't talked about phishing yet; we will, I believe, two sessions from now, when we have "Gone Phishing", where we talk about social engineering. But phishing is a technique that someone can use to get you to enter your password into a system that isn't the system you think. So basically someone can send you, like, a login failure notice from what seems to be Gmail, and you click on the link and it shows you what looks like a Gmail account login, except it's a fake website that's been built just to harvest the password that you enter into it. So if you do something like that, if you fall for a phishing attack, then 
it doesn't matter how complex your password is; your passwords will now have been breached, because they've been captured by that service. They can still be reused in multiple places. You might have a really good system for making a complex password, like a combination of your name plus your kid's name plus your birthday plus your friend's birthday plus other things, and so if you reuse those passwords in multiple places, then if it's breached in any one place, then it can be breached in all the other places. They can still be shared in insecure ways. So you might email your password to somebody else, which is generally a really bad idea if you're sending that email over unencrypted text; you might write your password down on a Post-it; you might text it to somebody; you might, in any of a number of ways, you know, put it in a spreadsheet, put it in a document. There can be all kinds of challenges there. They can obviously still be part of a larger breach, like Yahoo, like LinkedIn, like Chase, like any other thing. And they can still be captured by keystroke loggers, so if you get malware on your computer, or if you're using a computer that has malware on it, or if you're using a terminal where someone has installed a keystroke logger and you put in the password, then this wonderful complex password that you have can still be breached.

So I hope that in the first nine minutes of this webinar we will, you know, not depress everybody thoroughly, but I'm going to let Keith talk for a moment here, because he has a couple of points to make. But I just want to say... we'll go ahead, Keith, you make your point.

Sure. Well, I typed into the chat, first of all, when Joshua rightly says even complex passwords aren't great, he's identifying some of the problems with them, but in fact long, complex passwords are great if you practice good password hygiene around them, and we'll get to some solutions. The major problem with them is it's hard to remember them, even if you're using those kinds 
of passphrases rather than random characters. If you've got too many of them, they're hard to keep track of. One thing I'll note is that it's not necessarily completely unsafe to write them down on a piece of paper, as long as it's not a sticky note attached to your computer. However, one rule of data management is no piece of data you care about should ever be in only one place. If you're going to write your passwords down on a piece of paper, it can't say "this is my Facebook password" followed by the password; you have to use some sort of clues to remind yourself. But here's the other thing: if you're going to keep track of anything on paper, make a photocopy of it, store that photocopy away from where your main resources are, and any time you update it, remember to make a fresh photocopy. That's just like backing up your data.

Thank you so much, Keith, I really appreciate that. All right, so now that we've sufficiently distressed everybody, we're going to talk about password managers: password managers to the rescue. And we're going to quickly launch a quick poll, and we're going to ask folks, Ben, if you can go ahead and launch that up: do you use a password manager for your personal accounts? So if you don't use a password manager, please let me know; if you do use one and it happens to be LastPass or 1Password or KeePass, please go ahead and choose that one; and if you use another password manager, you can go ahead and type that in. And if you don't mind telling us what password manager you use, you can throw that in the chat for us, and if you'd prefer not to tell us, then of course you can just keep that to yourself. And we'll leave that open just for another second. Ben, why don't you go ahead and show the results of that.

And so, fortunately, we're doing this webinar today to an audience that largely, hopefully, can benefit from it, because over half of you are not using any password managers. Of those, and I've got to say... go ahead. Joshua, if we have one result out of this 
I'd like to see, if there were a follow-up poll, I'd like to see that number, 57%, drop to zero. If we accomplish nothing else, we will have really done something here if that's the result. Yep, and I would love to get that. You know, I think 0% is a high bar, but we'll go for it. Yeah, and we've got other people; just to catch everybody up, we have some more LastPass users; we have Dashlane, which is another one. GoToWebinar so irritatingly only gives you five choices, so Dashlane would have been the next one I would have put in. Norton Identity Safe is another one that someone listed in there. So thank you, folks, for all that.

All right, and let's get back to it. So top password managers, and this is not in any way an endorsement of any one of these password managers, but LastPass... this was from Lifehacker, January 2015. So Lifehacker is a reasonably tech-savvy community of users, you know, depending on your view of Lifehacker, but generally speaking that's a fairly savvy group of folks. So their ratings for the best password manager: 43% of them liked LastPass, 1Password was next at 26%, KeePass was next at right around 20%, and then Dashlane and RoboForm were in there as well. So just to give you those, that's kind of a top five, and those are certainly all ones that I've encountered and used, and I like all of them in different ways. And by the way, Keith... oh, go ahead, Keith.

Yeah, I was just going to say, here at Freedom House I am using LastPass for myself and for all colleagues who will follow my guidance; in my personal life I'm using 1Password. And Joshua, stop me if you were going to cover this anyway, but I wanted to quickly state a difference between LastPass, 1Password and KeePass. KeePass stores your data on your computer, which on the one hand is very safe, unless somebody steals your computer and is able to get into your computer itself. However, remember what I said earlier about not having any piece of data exist in only one place: there is a danger, if you're 
not backing up that KeePass file, that if your computer becomes damaged you may lose all your passwords. 1Password and LastPass both have, built in or as an add-on, the ability to sync your passwords across multiple devices. LastPass itself is a web-based service, which means that you can access it from anywhere, and unless you lose your main password for it, you cannot lose your data.

And I also wanted to say... and he sent me this video as well, and Keith, I'd also received that video from actually about three other people; I guess when you're doing a webinar on password management, people are keen. There was a video that came out; it's about a three-and-a-half-minute animated cartoon that talks about passwords and password managers. It's almost like a three-and-a-half-minute version of this webinar, although obviously there's a fair amount of content cut out, and we have that in the resource link. And it talks about what I would say is the biggest question that we'll get, which I'm not going to address directly other than to point people to the animation, because it covers it well: "But what if I put all my passwords in a password manager and then my password manager gets breached? Isn't that really dangerous?" And the short answer is, of course, that's a problem and you don't want that to happen, but the net gain in security that you get from having strong passwords that aren't reused, that you can audit, that are managed by one system that, you know, has protection against phishing and all those other things... the net gains vastly outweigh the sort of dangers of that one system getting breached. Also, you can now expend quite a bit more energy protecting just that one system, because you don't have to expend that same level of energy on, you know, the hundred and seven credentials that you have out there, because your password manager is doing that for you. And that's the sort of rough version of that. All right, so... Can I have one more point, Joshua? And that is, 
to put it in a slightly different way, there's no such thing as perfect security; there's no such thing as perfect anything. But in the world of IT security we don't compare the excellent with the perfect; we compare the excellent with what the alternative is. And if using a password manager that's web-based helps you practice good password hygiene, it's sure better than having your password for every single thing you use be "password" or 123456.

Yep. All right, so password manager basics. So they create complex and random passwords; it's literally the job of a password manager to do that, and you can literally set your LastPass or KeePass to generate hundred-character passwords for every website you come across and have them all be alphanumeric with random characters like that. They are generally speaking quite inexpensive, and by that... LastPass Personal is, a whole... everybody wait for it... $12 a year, a dollar a month, for LastPass Personal. The professional version, by the way... it's free if you don't need some features like having it on your phone and stuff like that, and for enterprise versions it's still like 30 bucks a person a year, and if you're a nonprofit you get that down to something like $20 per person per year. So these are not expensive tools. Ben, who's with us, who's doing the tech behind the scenes, you may hear from him later, he made the point that Yahoo's sale to Microsoft just completed, and Microsoft got a discount to the tune of $350 million specifically because of the breaches that Yahoo had. So when you talk about, you know, $30 a year for staff persons, they could have paid for password managers; you might have saved a breach, you know, that's something of a saving.

All right, password managers will protect against phishing attacks, and I'm not going to get deep into the technicals of how they do that, but essentially password managers will only automatically put the passwords in for a site that is the actual website that it 
knows is there. So it can't get fooled by a fraudulent website, because it won't be at the URL, or the exact web address, that it's looking for. Now you could still, you know, go copy your credential out of your password manager and enter it into a phishing attack; you could still manage to breach your password, you know, if you worked around what your password manager was doing, but the password manager itself can protect you against phishing. And it can audit all your passwords, and I've got there a sample LastPass security score, so it can tell you, you know, how many passwords have been part of breaches, how many of your passwords are weak, how many have been reused, how many are old, all that good stuff.

So you had asked, Josh, or maybe Ben had, whether I would answer Stan's question; shall I take that on? I did, yeah, about, excuse me, the LastPass breach that happened last year. Oh yeah, and the video actually covers that, and that's why I didn't want to get deep into that. So the video link, Stan, actually covers the LastPass breach and why, even though LastPass got breached, the net-net is that all LastPass customers had to do was change their LastPass master password. The passwords within their vault were actually not breached as part of that, and you can believe that, which is a part of how LastPass handles their security. So even though it's not great that people had to change their passwords, all the passwords within their vault were not breached. Yep, and they've also implemented some extra requirements when signing in from a new device, which is how the breach actually happened, to prevent that kind of breach from happening again. So that's... and as Keith said before, and I think, you know, articulated it quite elegantly, there is no perfect security, and, you know, so when something happens you learn from it, you make a change, and that's how security gets better. Right, Keith, did 
we cover everything you wanted to say there? I apologize. The one other thing I would just add is that, and we've kind of alluded to it, but I want to say it specifically, and that is that when LastPass did get breached, all the attackers saw was encrypted data, meaning gibberish, so you can assume that the password managers themselves are using advanced encryption. All right, and Ben also corrected me in the chat... oh, you need to... oh, that was just the organizer, sorry. It was Verizon, not Microsoft, but my apologies for that: Verizon bought Yahoo. Apologies if stocks, if the market just took wild swings because of me saying that on this webinar; I hope I didn't impact the world markets too much.

All right, so I wanted to talk a little bit about single sign-on, which also gets tossed around as a term, or SSO, which also gets tossed around as a term, with password managers, and just to explain that there are different services. We're not going to get deep into single sign-on today, because I felt like I wanted to give more time to two-factor authentication, which is going to be what we're going to roll into next, but I did want to just give people a breakout of some of the popular single sign-on services. 1Password is one, LastPass can function as a single sign-on service, Okta (O-K-T-A) is probably the most popular current single sign-on solution that lots of folks use. And the differences between a password manager, which we've talked about a lot: the password managers are used predominantly by individuals; those individuals can be part of organizations, and the individual password manager accounts can be managed by an organization in an enterprise, which is what Keith is doing at Freedom House with LastPass. Password managers generate and manage passwords, they can log in automatically, especially with browser plugins, and they provide a means to share your credentials with someone else securely. So, and this is another important feature of password managers, let's say 
I want Ben to have access to my Roundtable Twitter account so that he can post tweets on behalf of me for Roundtable. I can, using LastPass, share my credential with Ben and either let him see the password or not, right? I can just... but his LastPass can still authenticate him to Twitter as me with that share, even if I don't let him see the password, and then at any time I want I can revoke that from Ben and say, "Ben, you know, I'm done with needing you to tweet," so I revoke it. He's never even seen my password, and so he can't possibly log in as me anymore. And also, if we're sharing that, it's a secure way to share it, so we don't have to deal with emailing it to each other or texting each other, writing it down, or all these things. So it's a very important thing. And they can store private credentials, so when you're using something like LastPass Enterprise within an organization, the individuals can actually use it for their personal passwords and have those not be in any way exposed to the organization; they have a private vault, which is theirs and theirs alone to use. So by implementing password management for your organization, you can not only increase your organizational security but increase the personal security of the individuals that work at your organization, which I think is pretty awesome. Keith, you sounded like you had something to say.

I do have something else to say. One other feature of good password managers is that they include a random password generator. So in fact, you know, Joshua and I both talked about having upwards of 200, even upwards of 300 accounts that we've got passwords for. In principle, the only passwords we need to remember are the ones to log on to our computer itself and to log into LastPass; all the other passwords I have stored in there are random, as long as I want them to be. For me, I default to 30 characters with all four character types: uppercase, lowercase, numbers and symbols. And I only need to create that sort of passphrase approach for 
LastPass itself and for my computer. This means that everything is really highly secure; it's very difficult to impossible for even the most sophisticated computer systems or hacker systems to break through passwords of that length. Unfortunately there still are sites out there that won't allow you to create passwords longer than 12 or 15 characters, so in those cases you use the random password generator and set your length to that. I go to super-nerd lengths and actually use the random password generator to generate security question answers as well, so if you want to go way overboard, you can use that as well.

Great tip. That's a really great tip. You know, those security questions, things like your mother's maiden name or what city you met your spouse in, they don't have to be truthful answers; you just have to have a record of what answer you gave. That's an excellent, excellent security tip. And I had not wanted to include some of that stuff in here, because I have to just decide what we can cover in half an hour and reasonably expect people to start doing, but those are excellent, excellent tips that Ben and Keith are giving you guys.

So I just want to very quickly cover single sign-on. So what single sign-on is, where it's different, is that it simplifies provisioning and deprovisioning, which is a fancy way of saying when we have a new hire and when someone leaves. And what that does: let's say we have an organization, we use Office 365, we use Salesforce and we use Active Directory, and so we're using all three of those different sort of authentication systems, and currently, when someone comes on to our organization, we have to create an Active Directory account, we then have to create an Office 365 account, and we then have to create a Salesforce account. We have to create three different credentials for each of those things, three different usernames for each of those things, and then communicate each of these things to the staff person. Now the staff 
person has to go change each of those three credentials, they have to put them in whatever system they have, right? It's a big pain, and then you multiply that times five or ten or however many systems you actually have. So what Okta or other single sign-on services do is you simply create the person in one place, in Okta, and create one credential, and Okta goes and creates all the other accounts, and the person simply logs into Okta and Okta authenticates them to all the other systems. So they actually don't even know their passwords to those other systems; they never get them, they don't need to know them. What they need to know is how to authenticate to Okta, or that single sign-on service. It is a very good thing, especially if you have a lot of cloud services. And then when you onboard someone, you simply, you know, set them up in Okta and all the other accounts get created and provisioned, and when you offboard them, you remove them from Okta and all the other accounts get deprovisioned. So, especially if you're a larger organization, this can save you a ton of work and also make you quite a bit more secure.

All right, key success factors. And by the way, we're going to run at least probably five or ten minutes long on this one today; I apologize to everybody. We've always left that half an hour of Q&A open, so we're out till three; I don't think we'll go all the way till three, but just giving folks who are worrying about time a heads up, we are going to run long today, I apologize. So key success factors for password managers: so obviously a strong master password; using two-factor authentication, which we're going to talk about next, even better; strong change management and support, so Keith, who's implemented this at Freedom House, can talk about what that means, I'll give him a couple minutes to do that; and of course regular reporting and use monitoring, meaning, you know, are people using the password manager that we have, and are they putting passwords into 
the system, and are they using secure passwords; and then giving it time. So you're not going to implement a password manager for your organization tomorrow, or for yourself tomorrow, and then the next day have every single password that you use nicely in that system, but over time, as you log into different sites, as you've got that set up for the different things, the password manager will pick those things up. It'll start to notice that, hey, this is a password you've reused before, this is a weak password, this password is part of a breach, and it'll change them for you to some randomly generated hundred-character string, and over time your systems will get much more secure. So those are the key success factors, and Keith, I'll give you a minute or two here to talk about the change management and support experience from Freedom House.

Well, first of all, change management: anyone who is on the line who's responsible for IT knows that change management is essential, meaning that you have to have incentives, ways to show people who are going to embrace change... you have to show that it helps them directly. We're not perfect in this, and in fact I have been preaching LastPass to the choir here for four years, and I'd say that we have about 25 percent adoption. There are those in the organization who need to have access to shared password resources for enterprise-level stuff; those people have no choice and they've got to adopt it. But for the others, hey, all I can do is continue to remind them that security is paramount and that this is a solution that they can all use. I also pitch this very, very clearly not only for use within Freedom House but also in their personal lives.

Awesome, thanks to you. I'm just sharing a link from... I'll say that later. Okay, okay, we have our next poll here, which is two-factor authentication. We want to know, Ben, if you can pop this up: do you use two-factor authentication for any of your personal accounts? So do you use two-factor authentication for 
any of your personal accounts, through Gmail or for anything else like that? And go ahead and put in those responses; we'll give it just another few seconds here and let some more folks get in, and then Ben, if you want to go ahead and close that up and show us the results. And again, we've got a few more people using two-factor than using password managers, so that's a good thing. So a third of us are using two-factor authentication for four or more personal accounts; good for you guys, that's awesome. Weirdly, no one is just using it for one account; everybody who's picked up two-factor authentication on the webinar has decided to go for it for more than one account, which is also great. And before now a few people didn't even know about it, so you're going to know about it right now; we're going to jump into it.

All right, so Ben, go ahead and close that up, and we're going to talk about two-factor authentication. Let's consider the different ways to authenticate. Two-factor authentication, by the way, is a subset of multi-factor authentication, and when we talk about multi-factor, MFA, there are fundamentally three different methods you can use to authenticate to a system. So the one method is something you know, which is historically the only thing we've used: a username, a password, right? So I know this information in my head and I use it to authenticate to a system. Another option, two, is something you have, and we are all quite familiar with authenticating to a system with something we have: any time we open our house or apartment with a key, right, we are only using one factor, but it's a different factor than the one that we use to log into our computer at work. Right, it's a factor of one, which is a key that I have with me, right, it's something I have. And then three is something you are, or, you know, biometric information essentially: fingerprints, voice recognition, et cetera. And the most common way that we add two-factor authentication at the moment is through 
using your mobile phone as the something-you-have component, and there's a few different ways you can do that, although increasingly we're seeing biometric as an option, and we're also seeing different ways of using something you have. Let's get into what those are. So here are the most common methods of two-factor authentication that work currently, and most of you who have used two-factor will recognize each of these. So fingerprint: anyone who's got an iPhone may recognize that, which is, if you enable Touch ID, which is using your thumb or a finger as a means of authenticating, then you can use that as a means of authenticating to different applications on your phone or different services. So that's one: something you are. All right, SMS, which is where you register with the service and you have it text you any time you try to log in, and then, in addition to putting in a username and a password, you now have to put in the six-digit or eight-digit code that is texted to your mobile device, which is a thing you have; so that's where it requires the thing you have. And then an authenticator app, and that's the Google Authenticator that you're looking at there, but there's also Authy; LastPass has its own authenticator app; Microsoft has an authenticator app; and what was the one that you... Duo, was that the one that you like the best, Keith?

We use Duo Security at Freedom House. The reason why we like it: first of all, we work with some very advanced security advisors who think that it is better than the other tools out there in terms of the way Duo itself manages their data. The other thing that we like about it is we're able to use it for a variety of applications. We require two-factor authentication for all people working outside the office to access Remote Desktop and for our webmail; we also require it for our website editors, whether they're working in office or out, and also for our Slack instance. You can configure Duo to work with a number of tools; there are a lot of APIs for it.
Awesome, thank you, Keith. So those are the most common methods currently. I'm going to take a little bit just to talk about another, and I apologize for throwing all these acronyms at you: U2F, or Universal Two Factor authentication, which is a means of using a physical key that you stick into the USB slot, and then they have a wireless interface that you can use if you need to authenticate to something on a mobile device like a tablet or a phone that doesn't have a USB slot. And the reason I'm going to talk about this, even though they're not in a lot of use, you'll see in a moment. So one thing is that they're pretty inexpensive to implement. So we talked about a password manager or something like that being $30 or $20 a year, right? A U2F key or a YubiKey ranges anywhere from about $20 to $50 for the key itself, and then there's no cost after that unless you lose the key and you need to replace it. From a security perspective they are considered the most secure form of two-factor authentication, for a variety of reasons that are technical, but they completely make phishing not a problem. The user cannot get phished if you're using one of these keys; these keys completely thwart any kind of phishing attack. And there's another kind of attack, which I'm not going to get into here, called a man-in-the-middle attack, which other forms of two-factor authentication can still be vulnerable to; U2F keys are not vulnerable to that. The other thing, as kind of shown by this grid: so you've got the authenticator apps and SMS that we just showed right in the middle of this grid, right, that's the smartphone, and then you've got the biometric; you'll notice that it's not as highly secure even though it is simple and low cost. And the YubiKey, or U2F keys, are super easy to use because you carry it around with you, and when you need to authenticate you simply plug it in and you're authenticated, and if you physically have that key with you, that's it. From the user perspective,
super easy. They're extremely durable as well, so other than being lost... and in case anyone's wondering, if you lose them it's not like everything's compromised; you simply register that the key has been lost and it stops working. So I don't want to spend too much time talking about them, but one of the reasons that I'm just including this slide here is most of the major, kind of what we think of as the cloud service companies... so, oh, I can see my Dialpad down there, sorry about that, all right, let me quit that, there we go, sorry about that, everybody. So Facebook, Google, Salesforce, Dropbox, CERN labs (and I include a link there for all you customers), they're all using this for their regular staff. So their regular staff are not using, you know, SMS-based or authenticator-based two-factor authentication to log in at Facebook; they are using U2F keys. So if you want to know what the sort of best practices are at the moment...

Key success factors for two-factor authentication: so obviously start with your most critical services; have testing groups, so work with groups first; the authenticator app is preferable to SMS, it is definitely more secure using an authenticator app, the Duo service that Keith mentioned or the Google Authenticator or Authy or any one of those; and then if you're really security conscious, if you think you have really significant threat models at your organization, consider U2F; and then of course training, support, training, support, rinse, repeat, all that good stuff.

One more note, Joshua, about why SMS is not the most secure approach, and that is that voice and SMS data on mobile phones are inherently open.

All right, although we're going to talk about that... it's like you set me up for the next session, but that's okay. There is a mitigation for that and we're going to talk about that in the next session in two weeks. But for now what we want to do is launch our last poll, and then we are done. So we didn't run too far over, but we ran about 10 minutes over
here. What is your biggest challenge or concern around password management? Of course you can enter stuff in the chat. So you think it's reused passwords, you think it's weak passwords, you think it's shared passwords, compromised passwords; if you have other things, please enter them into the chat. I'm just trying to end each of these sessions with a sense of where people are struggling the most, where they need the most help. And then you can go and close it up and show the results. So that's more or less in line with what I thought. Let's see what people are putting in the chat. So, Josh with hollyteens... oh, go ahead.

Yeah, I was just going to say, I'm part of the reason why we're running over here, but I just wanted to say, when I onboard new staff, a couple of things that I tell them is: one, don't reuse the same password for more than one item. You'd be surprised how many people in my onboarding have never heard that tip before. The other thing is not to share passwords with anybody whose own password management and hygiene you don't trust.

Yep. And another thing that I see that's very common at organizations, and I see people honestly guilty of this so much, is they have literal spreadsheets of passwords; they literally create passwords for people and do not let them change them. Anybody who's not an admin at an organization, you know, and has worries about this, if you want to, and I apologize if I get you in trouble, but if you're working in an organization like that, you have my permission to tell your IT person, "This guy Joshua said that is wrong and that is a horrible practice," and they can call me if they want to talk about it. But your IT administrator should not know your password, and that is 100% true; they should never know your password and they should not ask for it. And if I need to get into someone's system, I will ask them to reset their password to something that, you know, we can both share, and then
I will go log into their system, and then when I'm done I will say, now please go change your password back to something I don't know. That's the best possible way that would work, but there's no reason you need to share your password, even with an administrator. So I just want to make that point. All right, Ben, let's go ahead and close up the poll, and thank you, everybody, for that.

Just a quick point there, excuse me, just to clarify: if you are a RoundTable customer and we use LogMeIn to access your computer, we are using a username and password that we have created, and we hold that password; we don't actually use your personal password. So just because I can understand what you're saying, hey, why do you know our password...

Yeah, so exactly, yeah, we do not keep personal customer passwords; we have our own administrative credential that we're using; we are not using their credential.

So here are some resources: the animation that we talked about before (warning, a little bit of bad language at the end of that, so heads up) to give them a sense of that sort of thing; a nice little article on single sign-on solutions and challenges; and for those of you who want to get jiggy with two-factor authentication, 12 Days of Two-Factor Authentication from the wonderful Electronic Frontier Foundation. They will give you very clear instructions on how to set up two-factor authentication on 12 of the most popular services, like Facebook, LinkedIn, Gmail, Office 365, Dropbox, Salesforce, et cetera, so you can go get your two-factor set up on all of those different services. Thank you all so much for sticking around today. The next session is going to be March 7th, and it is the @$#... I'm going to have to figure out a way to pronounce this right, so obviously, well, probably not obviously, I'm just a complete nerd, but that's making fun of the ABCs of encryption: communication, information and device encryption basics. And we will talk about, if you are using SMS for two-factor authentication,
you could maybe use an encrypted MMS/SMS app like Signal, and that might make that a little bit more secure for you. So we'll talk about some of those things, and that's coming up in two weeks. Thank you so much to Keith for joining us today; round of applause, Keith. Thank you so much, Keith, and we will now take questions, and I'm happy... Keith, I don't know what your time is like; I am set till three, so I will stick around until we have answered all the questions. You are welcome to flee any time that is appropriate.

I am committed to staying on this webinar for the rest of my life.

Awesome, perfect, all right, and keep breathing. So Beth shared another video on passwords, so I'm going to go ahead and type that in. I would have typed it in right away; I just wanted to make sure it wasn't anything strange. Every once in a while we have vendors that will sit in on these and throw in links. So Beth, thank you for sharing that. Oops, I only shared it with the organizers, though; it probably helps if I show it to the whole audience, so I will see to that. And let's go ahead and take a look at the questions here. All right, so Keith, is there anything that jumps out for you in terms of... it's probably worth answering Beth's question about websites that don't accept complex passwords to the wider group, if everybody didn't see that.

This is Keith. I addressed that a little bit earlier, which is that there are websites that limit you to 12-character or 15-character passwords. You still... and I may not be aware of all the limitations you're seeing, Beth, but on those sites I still have been able to use a mix of uppercase, lowercase, numbers and symbols, and I use the maximum length that they allow. Was there something else that you were referring to?

Well, we'll wait a second to see if Beth pops any questions in there, and so if anyone does have questions, just go ahead and enter them into the questions section of the thing. We've got one here from Michael; we'll go
ahead and get that. So, what password change frequency do you recommend, is it every 60 days? So we'll see if Keith and Ben and I all agree on this. I always think this is fun, to see if... who wants to answer first, and then we'll see if everybody agrees.

I'm happy to throw my hat in the ring first and let you guys make fun of me, but I actually have an answer ready.

Go ahead.

We require at Freedom House that one's main network password, which is also the email password, gets changed every 60 days. My general advice when I'm onboarding new users is that in their personal lives and for their other professionally related accounts, the frequency depends on the sensitivity of the thing in question. So in my personal life I might not update my Netflix password for even more than a year, but something like a bank account, I'll update that every 90 days to six months.

Well, I actually go far more frequent with my bank stuff. With any banking or credit card information, usually I have a reminder: every time I get a statement, I update my password. It's part of my process; when I go online and review my charges and things, I usually update my password. So it might be a little bit of overkill, but I'm better safe than sorry.

For those of you who haven't been to one of my webinars before, I just want to mention, before I answer this myself, that I encourage dissension among our panelists and encourage debate. I think it's healthy for audience members to hear that even, you know, professionals and, you know, quote-unquote experts in these realms don't necessarily agree on the best approach, that there aren't necessarily hard and fast rules in time. So as long as we're all respectful of each other, you know, it's okay for us to disagree. Having said that, I'm going to say that I am not a big fan of expiring passwords frequently, and perhaps not at all. I think that complexity and length are absolutely critical, and that's much more important than frequency of
changing. I'm also... not reusing passwords is much more critical than frequency of changing, and when you increase the frequency of the changes, you increase the likelihood of these other bad practices leaking in: people starting to reuse passwords, putting in weaker passwords, getting frustrated, not using complex passwords. So I'm okay with people setting like a year for expirations for systems, or even no expiration, although I'm not a huge fan of that, as long as they have these other systems in place. Fundamentally, two-factor authentication and using password managers are really what you need to do if you want to get serious about this stuff. So that's my answer.

Joshua, this is Keith. I just want to weigh in and say I largely agree with you, and even some of our hired security advisors disagree with each other on this stuff. There's one good explanation I've heard for why changing passwords on some regular basis is a good idea, and that is that some hackers will collect passwords but not use them right away, and so if a hacker has been storing your password for six months but you already changed it before that, then they can't get in.

Yeah, all right, I'm going to throw a link in here for Debra; let's see, I'll put "send to all." So Debra asked the question: is there a way you can tell all the places where you have credentials? It's not super easy, actually, to know all the places where you have a credential. That's where, that time when I talked about the password manager best practices or success factors for password managers, giving it time: if you start using a password manager today, it will, you know, notice every time you log into a site and offer to, you know, save that in its system, and over time you will start to have this register of all the places where you are. I've also thrown a link in there called Have I Been Pwned, where you can type in an email address and see if there's an account that's been part of any breach that's tied to that address.
I believe LastPass uses a similar database and will tell you if your credentials have been part of any breach, so I let LastPass do that for me, but that's a quick way you can see if any of your credentials have been part of any breach. And if you find that it's been part of a breach and you haven't changed that password, or, God help you, reused that password on other sites, which you probably wouldn't know, you can at least know about that. But Debra, I don't really have a good way for you to find all the accounts that are registered to an email address other than to start using a password manager today, and every time you log into a site, let the password manager save that credential for you, and then start looking at what your security scores look like and how many reused passwords you have, stuff like that. Keith or Ben, I don't know if you have any other suggestions.

I have one thing about the password manager functionality. I again actively use 1Password and LastPass. LastPass actually has built in, and what you saw briefly earlier, you can have it tell you how good your password hygiene is and suggest to you which passwords ought to be changed. LastPass also can notify you when it thinks it's time for you to change a password, and last but not least, LastPass also has some functionality that it can automatically log into a site and change a password for you, though I've found it does not work with all sites. I don't see any of that functionality in 1Password, unless I'm missing it.

All right, and we've got a question from Rebert, who asked about updating, including those in LastPass, and I'm asking for a clarification on that question because I wasn't totally clear.
I think what she's asking is, should we, you know, update passwords even if they're stored in LastPass? And one of the cool things about LastPass or 1Password or KeePass is they can actually go and update passwords for you on lots of systems, which is kind of cool and also kind of scary, but mostly cool. They'll just go ahead and take the password, which hopefully you have no idea what it is because it was a randomly generated 30-character string that was generated by your password manager, and change it to some other randomly generated 30-character string that is also created by the password manager, and you get a little notification that your password was changed. If you have two-factor authentication set up, maybe you have to put that in to enable the password to be changed, and you're good to go from there. So I hope that helps, but yes, you do probably still want to update those passwords. But again, I'm much more concerned with getting rid of the weak passwords, getting rid of the passwords that were part of breaches, and getting rid of reused passwords, and replacing all of those with nice long complex passwords, which only a password manager can really do effectively, and then again enabling two-factor authentication. If six months from now everybody that was part of this webinar was using a password manager and had two-factor authentication on five or more accounts, I would be such a happy person.

So yeah, the other thing to consider as well, Rebert, is that not all organizations, and even business types, are required to report breaches in a uniform way. So there may be instances where a website that you have used was breached but they haven't actually issued a press release or anything like that. So although having that password be complex and in a password manager is good management, there's still a chance that it may have been compromised. So, you know, just like Keith has been talking about, just practicing good hygiene with
those passwords, kind of continuous improvement, is always going to be the best way to stay kind of one step ahead of those breaches. So with that, we are done with questions, so we're going to go ahead and wrap up. Keith and Ben and I will be staying here on the webinar; we're going to stop the recording and just start chatting amongst ourselves, so if anyone feels like eavesdropping on our debrief, you're welcome to just, you know, hang out, but this is the end of the webinar and everybody may depart now.