- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
About This Episode
This episode Justin McCarthy has an in-depth chat with Troy Hunt, a respected web security expert, Pluralsite author, and creator of 'Have I Been Pwned?' They talk about all things password related including password reuse, biometrics, and the way security has changed over time.
About The Hosts
Justin McCarthy is the co-founder and CTO of StrongDM, the database authentication platform. He has spent his entire career building highly scalable software. As CTO of Rafter, he processed transactions worth over $1B collectively. He also led the engineering teams at Preact, the predictive churn analytics platform, and Cafe Press..
Max Saltonstall loves to talk about security, collaboration and process improvement. He's on the Developer Advocacy team in Google Cloud, yelling at the internet full time. Since joining Google in 2011 Max has worked on video monetization products, internal change management, IT externalization and coding puzzles. He has a degree in Computer Science and Psychology from Yale.
About Token Security
At Token Security our goal is to teach the core curriculum for modern DevSecOps. Each week we will deep dive with an expert so you walk away with practical advice to apply to your team today. No fluff, no buzzwords.
Justin McCarthy 0:02
I'm just in McCarthy from strongdm. And I'm Max all install from Google.
Alright, welcome again to the token security podcast. This is Justin McCarthy from StrongDM. And today we're going to be talking about passwords. And we've actually got a guest who has thought quite a bit about passwords. So today we've got Troy hunt, who is an independent, what did you say? An independent, Australian? [laughs] And Pluralsite author and like I said, definitely someone who knows a lot about passwords. So would you mind refreshing us on your recent history with the topic.
Troy Hunt 0:55
Cool boy, how recent is recent? How far do I go back? Let's, let's go reverse chronological. So we're sort of late November at the moment. I was writing a couple of different things around passwords, actually, last week, because we're doing the reverse chronology. Last week, I was writing 2FA other implementations of 2FA which I which I actually thought was just interesting. I was doing my own research as well - as I sit down and capture things on my blog, incidentally, a lot of the blogs I write are not for you guys. They are there for me, so I can get my thoughts, right. If it's useful for you as well. That's awesome.
So I was writing about U2F and 2FA weaknesses and 2FA. The week before that I was writing about the responsibility that different parties have in creating strong passwords and building systems that are resilient to reuse -- and that upset a lot of people, we may get back to that. Before that I was writing about why passwords are not going to die. And the TL;DR of that was because everyone knows how to use them. And they're terrible, but they work in such as easily consumable fashion. And then before that, like just a decade of writing about the fact that people reuse bad passwords everywhere.
Justin McCarthy 2:14
All right. And then I believe you also have a, you're associated with a reasonably famous destination for thinking here and exploring password reuse.
Troy Hunt 2:22
Yeah, have I been pwned? So that actually, that's a good point, I should remember that. So I have I been pwned we're actually coming up on the fifth birthday now. So that is a service which initially focused around just being able to search email addresses. So which data breaches have I appeared in? And then over the last year and a bit as we continue to do that, but also added the ability to look at where I'll rephrase it, actually not look at where passwords have been exposed, but which passwords have been exposed and how frequently and that's actually a service which is used really extensively by a lot of big organizations to try stop people from reusing bad passwords. So GitHub probably the most prominent I'd say that's using it. So you can try and login to GitHub with a password that's appeared in a data breach somewhere, and they'll say, Hey, have I been pwned says that you've used this somewhere, or someone has used this some way before, you might not want to use that one.
Justin McCarthy 3:20
That's great. That's a fantastic service.
Yeah, I've definitely seen that on GitHub before. It's great.
Troy Hunt 3:28
Oh, that you that says something about your password.
Justin McCarthy 3:29
Oh, no, no, no, I was tested, tested the GitHub integration,
Troy Hunt 3:34
Nice backtracking there.
Justin McCarthy 3:37
You're welcome. You're welcome to check out my passwords. Anytime. They're all they're all extra. I have them all.
Alright, so many members of our audience are involved in building and shipping software. And so I think actually a lot of that argument about your general skepticism about password killers. I think I would like to revisit that you just mentioned that a moment ago. But if you could recap the audience on basically the ubiquity in the UX of the end user experience of essentially using passwords, creating a skepticism about password killers. And so I want to talk about sort of the sort of on the consumer side, versus basically the security pro side. So would you mind again, just recapping the why passwords probably aren't going away,
Troy Hunt 4:22
I think what we've got to talk about first, at sort of a very macro level, and you and you just touched on some key terms, there is the fact that passwords are part of a broader ecosystem, which is about getting people to create accounts on systems use systems spend money when they log into these systems, and basically make the systems a viable business proposition.
So I mean, like, let's take sort of an e commerce example. What's the objective, we want to get people to register and buy t shirts or whatever else it is that we sell. And we want to try and make that process as frictionless as possible, we would also like to not have account takeovers and get hacked, and all that sort of stuff, but is part of the ecosystem. And I think until everyone sort of recognizes that all of these things are going to work together to achieve whatever it is that that is the broader objectives of the organization. And if we don't recognize that, it's very, very hard to, to make sort of good decisions for the ecosystem as a whole.
So let's, you know, let's sort of start delving into what I mean by that: passwords they are not in a technical capacity, at least a very good means of authentication. We have so many problems with passwords. We know that people keep reusing them, we know they're weak, we know that they named after the dog and the year he graduated, or whatever else it is. We know people do a terrible job of managing them. And we see time and time again, just terrible incidents happen as a result of password reuse.
So password reuse at the personal level leads to massive amounts of account takeovers. We see that time and time again, password reuse, even at a system administrator level, which is still something that happened lot leads to entire systems getting compromised, and everyone else's passwords getting compromised, and then their accounts getting taken over. And you enter this just like nasty, nasty cycle of account takeover, after account takeover. So yeah, there is a great big deficit in the column of the technical efficacy of passwords.
But there's this other column, which is part of the broader ecosystem, which is the usability of passwords. And as terrible as passwords are, every single person knows how to create one and then know how to login with one and no amount of saying passwords are terrible, technically, is going to change the fact that they're the fastest, easiest way we have of people actually creating accounts, then logging back in.
Now, this is what the sort of whole premise of the blog post was about, you know why are passwords persisting? Well they're persisting because of the UX of them. And it was also to sort of trying to address the issue that is often raised with me, which is: passwords are terrible. there is something else that we have built, or someone else's built, which is a password, and the password killers. He doesn't want to sort of name names on them. But if we just talk about the patents, it can be anything from where we're, yeah, instead of using a password, you're going to get an email and emails got a link, or you're going to use a mobile app and point at the screen, and there's a QR code, or you're going to have a physical device or something like that. And there are cases where each one of these things has made sense and has gained some traction.
But if we look at it on mass, the vast majority of the time, you still have a password, sometimes we have a password plus something else, such as a two step or 2FA, sort of model. But we still have these passwords, like nothing has come and killed them. And the simple reason is, is because the friction in terms of actually getting people to create accounts. And log on is very, very low. And some people don't like to hear some people get very upset with me, because this is what some people do on the internet. It's like, look here is, here's where we are. This is why
Justin McCarthy 8:00
Yep, so I very much appreciate that. And actually, I would like to contrast that, let's see, if I'm, if I'm thinking of the general consumer population and their and their ability to use something other than passwords. I think that's I think you make a great point and a great argument for why we need to have something that's fairly universal, and achieves that same UX, and sort of that's what will ultimately replace passwords, but it's not here yet, in environments where we do control more the parameters. So in a corporate environment, let's say, and let's say it's even a security that are rich corporate environment, if you're writing a prescription for that group today, what would you expect to see in let's say, what would you what ingredients would you expect to see?
Troy Hunt 8:50
Well, I think the first thing to note here is that when we talk about a corporate environment, you're not trying to win business in the same way as an e-commerce site. Like, I think back my many, many years in the corporate environment, and they basically just went "you're doing this" so okay, I don't have a choice. Like they could they could be dictatorial. And that's not to say they are being dictatorial in a way which didn't make sense.
It's like, Look, the organization can prioritize, for example, security of usability, because they've got a very different set of risks.
So, you know, look, a really good example of that is, is things like, even back in the day, more than a decade ago, I had an RSA token, the little sort of blank rectangular ones with the rounded edges. And every time I logged into the VPN, I had to use the RSA token. And look, that made sense, because this is giving external access into the internal network. That's a that's a very sort of highly privileged thing to do. Yeah, these days, I think, particularly things like U2F tokens. Obviously, the likes of ubi-keys getting a lot of traction it I would argue that as it is not too burdensome for an organization to spend with what's an ubi-key like 40 bucks or something like that, for him to ship ubi-keys and say, Look, you're going to need to have this with you in certain circumstances.
Now, maybe that's when you're authenticating via VPN, maybe some organizations want to go further and say, Look, even if you're sitting at your desk, you're going to need to have that. But you know, then also you've got the ability to say things like, well, if you do have this physical token with you, and it's something that we can ingrain into people to always keep on the person, maybe we can use a combination of like that, and Windows Hello, which has facial recognition with IR to authenticate. So we can still do 2FA but suddenly you're not typing any keys. And typing keys is kind of painful.
I mean, I'm looking at a webcam now that's got Windows Hello, built into it. I love just sitting down in my chair, looking at the thing and it just unlocks.
Justin McCarthy 10:59
There was a great, that's great point, I think in that of course, anytime you get into the biometrics versus the versus the something you have, versus of, you know, there's, there's always a trade off, but I definitely like the idea that I believe that combination of something you have and, and, and maybe something like Hello, or obviously, Apple's facial recognition could could could be a could be a great experience anyway.
Troy Hunt 11:24
Well, you know, and this is an interesting one too, because then people getting upset then people get very upset because ago yeah, biometrics like what happens if someone steals your face
Justin McCarthy 11:34
Troy Hunt 11:36
Of course, mind you, if you buy any of the new Apple things and not using fingers, anyways I have other issues with them, which are more to do with too much sunlight in Australia making facial recognition had first world problems, right? But I guess the point is, is that every single one of these solutions, then seems to open up a can of worms of other issues as well.
Justin McCarthy 12:21
Absolutely. One thing that I've noticed, again, this is mostly in a, in a corporate environment, is that there's, there's often a policy that may be created as a result of a compliance regime, a password complexity or rotation policy. And, you know, I see these policies, and I, and I think, gosh, that they're well-intentioned, but sometimes it seems like they're doing more harm than good, yet you have a take on when complexity and rotation should be enforced.
Troy Hunt 12:48
I actually think there's, there's a really interesting narrative here, which is the way security changes over time based on a combination of both technical and human factors.
So that there's this talk, I do quite a bit right talk about the history of passwords on computer systems. And it starts with this photo of MIT and the 16th, which is believed to be the first ever instance of a password on computer system. And you're sort of looking at any gun, you know, here's this black and white photo of a guy in a room, and the entire room is just computer like, the room is a computer. And it's the first ever implementation and you sort of going will Okay, what are threats back then? Well, nevermind access you had to be physically present, you need a high degree of competency in knowledge about that system, which of handful of people in the world would have, there's no password ray is, because this is the first one, there's not another place to use it, you're not putting your dog's name on social media. So you can use that in the, in the, you know, all like all these different conditions.
And, and we built the system where you had two strings in your head being the username and the password. And then you had two strings in the system being the same ones. And if they match, you're good to go.
And today, it's still the same basic premise for all things, education for a lot of systems. So two strings in your head matching the two ones in the system. And what that means is, is that we're using this system design sort of 50 years ago, in an era where there was one and it was a room, you need specialized knowledge. And we're using it to the point now where there's millions of services and billions of people online, and you can be anywhere, and we're still using the same basic thing.
So the environment has changed fundamentally. And even if we look back just a decade, a lot has changed in the space of a decade. So consequently, what's happening is our ideas of what constitutes the right balance of security and usability of changing as well.
So this whole premise of password complexity sort of made sense for a while, where he said: Look, if we don't have password complexity, people are going to create stupid passwords. So you know, we need complexity rules, and this will make stronger passwords, and it will stronger by the mathematical definition of more character types. And greater length increases entropy, therefore, we're good to go. And then what we've been saying over time as we get more people systems is the human propensity to circumvent any technology control that gets put in place, but doing something stupid, and what I mean by that, and this is with respect to people doing things to you, but I'll certainly it's stupid passwords in the past of all it is we would do things like character substitution. Yeah, I just replaced my E's with threes. Now we'll be right.
I'll put an exclamation mark at the end. Now, we'll be right. And hey, we've met complexity rules.
And what's happening is, is we've sort of recognize that the human element more and more in recent years, and we've started to say, Well, you know, met, maybe we should use things like pass phrases because of pass phrase, or something that an average normal everyday person can come up with. And, and I often say to people like, yeah, let's just look around the room and combine a few words, you know, what do you get, there's a very, very high degree of uniqueness in that, but it may not have an uppercase character, and it may not have a number, it's a very, very good password. It's better than like password with a capital pain. And at symbol instead of an eight, right, and any going to change the OT zero, because you got to have a number as well, you know, this is way, way better than that. But now we're dealing with the fact that systems are still using this idea of complexity, which really just doesn't fit today's practices. And it's the same with password rotation, you know, it's a look, we got to rotate the normally every three months because a hacker might get your password. And then when I do this talk, is I sort of say to people like, what's gonna, what are you gonna do in three months. And I like the audience is, in unison, says, I'm going to add one to the end of it, because that's what I always did, too. So, you know, you gotta do that. And then you sort of look at and go, well, also, if a hacker gets my password, like, what are you gonna do? Are they gonna go? Well, I'm, I'm busy, I've got family commitments to feed the dog, like all the rest of stuff, or am I gonna just use the password straight away, it's going to be the latter. So it's sort of a combination of recognizing that the fallacies in the modern era of ideas that we head from years ago, and also recognizing that there's a lot of other things that we can do to improve security that I O. And we touched on some of them the ubiquity of things like YouTube, for example, to a favor all sorts of different mechanisms. So we can start to sort of try and focus a bit more on usability and put other mitigating controls in place as well.
Justin McCarthy 17:19
I'm sure I'm sure we all share this frustration. When we enter password manager, drag, drag all the nice sliders all the way to the right. And then the government website says, No, you can't use that you can't use that character use special characters, but not that special character
Troy Hunt 17:32
or characters special Come on, probably get in trouble for saying that. So.
Justin McCarthy 17:40
Okay, so So this, the name of this podcast is the token security podcast. So I think we'd be remiss if we didn't talk a little bit about API's and bearer tokens. So this is when machines talking to machines, the passwords that they use, so so how you put much time into thinking about that. And I guess what, what's come up before in terms of the way let's say an API token might be similar or different from human password?
Troy Hunt 18:11
Well, there's a few things here. And I guess there's, you know, that just in order the rate at which they come to mind, one of the big differences here is that we're talking about API tokens when only talking about machine generated strings, as opposed to human generated ones. And machines can do, if not genuine randomness. And, and at least Should I ran on us in terms of actually creating uniqueness. Now, humans aren't very good at doing that, because our brains don't work as well as computers. So yeah, first off, we're going to get much more uniqueness in something like an API token, we then sort of have this challenge where it's like, okay, now we move to the next thing, which is, well, how do we manage them? You know, are we going to put them in our GitHub repository, which has got open access to everyone?
Apparently, some people do. Yeah, so that's the problem, we going to to have them being sort of long, persistent tokens, or are we going to sort of rotating and re authenticating them. And, and incidentally, when we talk about things like bear tokens, we do keep coming back to this thing as well about where's the right balance between sort of ease of implementation and, and security because if we get to draconian on the whole thing, and we put lots of demands around like, max out all the security things is that going to make it harder for normal everyday folks we need to build against these systems actually implement the thing. So we're trading off there as well. And I look, I often sort of get to the point, whether it be with machine generated tokens, passwords, or just about any other security decision where a sort of say, look, if everyone has actually sat down and spoken about this and reach some sort of evidence based conclusion. I'm okay with just about anything. Yeah, the thing that gets me is like, why you're doing this?
Well, we just always done it this way, and then look them in a good example of this is Netflix has a minimum password length of four characters. And most people would go this is just stupid, you know, you're not even trying. But then you stop and think of it and go, Well, most people watching Netflix on a TV, a lot of them are going to be authenticating to the TV with the remote control. Plus, it's Netflix on your TV.
You know, this is and I haven't looked at too many. There are other media and controls, but if they're not exposing, like partial credit card data, or other personally sensitive information, maybe the impact of a breach isn't that high. And the benefit provided to us is actually very high, but being able to easily authenticate with a device. That's just not a very good input of us. So I guess the point is, there are I can sort of rationalize any decision if there's evidence and thoughtfulness that's put into it.
Justin McCarthy 20:45
Yeah, I think that sounds that sounds right. And certainly at watching a watching in here. The Jones is not it's not it's not a secret that's been seen.
Troy Hunt 20:57
That's not the one that would worry me or others.
Justin McCarthy 21:00
Alright, so we do have some new standards on the horizon, sort of begin wrapping up with some hope. Can you tell us because you've had just share anything about web Athan and maybe how it's related U2F. And do you think it's going to work?
Troy Hunt 21:15
So wearable thing sort of has the promise of being an implementation where we can do authentication to web apps, not using passwords, but using other devices such as YouTube tokens, and it's very early days, and you would probably know this better than me, but I think we've got support and crime and we just got support and Firefox. Right?
Justin McCarthy 21:35
I think so. Yes.
Troy Hunt 21:36
And they're the only two browsers no one uses anyway. So this one, I'm sure it will come to whatever the other ones, but that sort of the promise there is, like, what if we could create a standardized way of doing authentication, and then we could then implement that across different sorts of devices like you to if tokens, you know, that would be fantastic and, and to the earlier discussion about here's what passwords are still alive. I suspect that the thing that ultimately does supersede passwords we already have in various incarnations, it's just that none of them have reached a combination of accessibility to people usability and enough critical mass in large services.
But imagine, let's say it's were both in gets enough traction and easily accessible two factor authentication tokens that a physical like a USB key or some other youth implementation. And as people get those because their banks ship them out, or whatever it may be, we all get biometric implants overnight. But there's like some critical mass where we get enough of these things. I think when we get to that point, it'll turn and one of the joys about something like web or thin is it's not, you know, vendor I who's come along and said, I have got the password killer, and everyone will use my proprietary vendors system, you know, a lot of days as well, a being a being very heavily protected, the patents and all sorts of things around them. These are not the standards that we want to get traction, we want an open standard, like we're both in which is well supported, I believe, by the likes of what is it? Fido to Yes, you probably know better than me.
Yes. Something along those lines. So look, that's that is the great hope. And we just have to see where it goes.
Justin McCarthy 23:19
Alright, so so we have a standard coming on the horizon. That sounds promising. What about beyond that standard in general in 2019, or we're gonna we're going to be done is everything going to be fixed?
Troy Hunt 23:32
So I'm like, literally looking at my calendar because it always creeps up. And you're done that, but I think we've got what, five, six weeks to go until
Justin McCarthy 23:40
a few weeks left yet.
Troy Hunt 23:42
Yes. So by 2019 now, we're not gonna have it fixed. To be honest, I don't think anything is going to fundamentally change in 2019, either it's, it's a bit too early for were both in, you know, what I see changing more than anything is, is not so much killing passwords, but changing the way that we interact with them. And this is, you know, maybe a great insight to leave you with. But when I look at things like my, my iPhone, so I I tend to cycle that each year when something else comes out. And it's kind of touch ID in Facebook, etc. I don't have any less passwords, and I had before. Yeah, people sort of say, I look, if I saw these commands, it's going to kill the password. I got my phone I pulled out of the box. And it said, if you want to set it up, you got to put in your Wi Fi password is one password. And then it says you probably want to restore from iCloud can we had to be a password for that. Okay, there's another password. And then it says, All right, set up the biometrics you gotta have a fallback position again, and a third password. So I'm like three passwords in before the phones even working. So I've got more passwords and what I've ever had before. But the difference is, is that I'm using them with much less frequency than what I ever did so so you know, now I'm looking at my phone and unlocking and I'm looking at my PC to unlock that my laptop soul have fingerprint readers on them. I'm touching on those. So I I suspect that what we will see over 2019, and almost certainly 2020 as well is just this increasing prevalence of other options to passwords for authentication, which don't kill them, but they supplement them and they supplement them in ways that are very usable. And in many ways off for a lot of security upsides as well.
Justin McCarthy 25:24
Perfect. That's that's a great note to live us on. Alright, so so I'm going to thank Troy hunt. Thank you for all that you do to improve our thoughts on this throughout the internet on plural site and elsewhere. And a very much appreciate your time today for joining us on the token security podcast.
Troy Hunt 25:43
Well, I thanks very much for having me on. I really appreciate that.
Justin McCarthy 25:46
All right. Take care. Thank you.
About the Author
Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.