Tuesday 1st June 2021, 16:00 (BST)

Passwords and the future of authentication

  • How often is information mishandled, rendering even extremely strong passwords absolutely useless?
  • The myths behind “randomness” in passwords that take “the lifespan of the universe” to crack
  • How are researchers thinking about the future of authentication and how to solve these problems

Hello, everybody, welcome to another teissTalk. A number of unusual and uncharacteristic things to mention about today's session. Number one, I'm obviously not Jenny Radcliffe. Jenny and I have swapped. She normally does the Tuesday afternoon at 4pm shift. So welcome to my session. I'm Geoff White. I'm your host for this week's teissTalk that's going to be about the future of passwords.

Secondly, I'm not wearing a bow tie. You may have noticed that I normally do wear that. The answer is where is the bow tie? It's in one of those fucking boxes over my shoulder. I have just moved house. This is not some weird Zoom background that I've selected for a gag. This really is my life. Lots and lots of boxes piling up around the house. I hope you are all well. We've had a good week. I've enjoyed the bank holiday weekend in the UK and experienced some sun. The big glowing orb is in the sky again. Also, I haven't got a Teiss mug with me because it's in a box somewhere. We do give away a Teiss mug, a free Teiss mug to anybody who wants one. Basically during these sessions, I will keep a free Teiss mug this week to anyone who wants to take fifty two cardboard boxes off my hands during the course of this.

So we're going to be discussing password management, the future of passwords. We have a fantastic panel set up and ready to talk to us about this. We have Felipe Garcia, who is CISO, chief information security officer, at Scotiabank. David Cartwright, who's head of IT security at Standard Bank International Client Solutions. We also have Richard Archdeacon, who's advisory chief information security officer at Duo, and if you haven't heard of them, he will explain a little bit about them during the course of today's chat. A little bit quiet on the public chat there. I think you can type messages in. I'm going to try and type one now and just see whether it gets through. But if you are listening and you do want to send a message, please do stick one in there and I'll try and get to them when I can. We're using a new platform here at Teiss today. There might be some teething problems. If there are, please bear with us and we'll get things sorted as soon as possible.

So with all of those caveats mentioned, it's time to welcome our main guest on passwords and the future of password management, who is a fascinating character I'm really delighted to be speaking to and having him with us today. We've got Jake Davis, who's hacking and hacker culture expert. He's going to join us on our teissTalk and we'll hopefully be coming up onto the stage imminently. Jake has a long and fascinating history. Dana has got in touch. Hello. Well, that's great. I'm glad somebody can actually use the chat function because I wasn't sure if it was working, frankly. Yes, so Jake's going to be joining us in a second. He has a fascinating history, as I say, in terms of hacking culture and also now in terms of password, password cracking and password management and so on. And I say we're going to be joined later on by Philippe. Felipe and Richard are going to be wiping out the debate. I wonder if Jake has actually lost us for the moment, if we've know? There you are. Good to see you on screen. How are you doing?

How are you doing? Good. I'll take those boxes if you don't have them. I'll have a Teiss mug.

Fantastic. Yeah, OK. The Teiss mug comes wrapped in fifty two cardboard boxes.

How are you doing, Jake? How's lockdown treating you?

OK, you just as you just said, the glowing orb in the sky is out and while it does shine various radiation on us, it does provide nice vitamins. It feels good. So I've been out enjoying that a little bit, which is pretty nice.

Good good good. For those of you who don't know, just fill us in on how would you sort of give us the potted review of your background, of your life up to date?

Yeah, sure. I guess in a nutshell, I was one of those dodgy Internet people that is now slightly less dodgy Internet person. As a teenager, I was involved with hacking collectives, Anonymous and LulzSec. We went after targets for political purposes so we weren't exactly the same types of awful hackers you see, like ransomware gangs or anything like that. But we were the guys with the mask and the defacement pages on websites with the headless suit, with the messages saying we are anonymous, we are legion. We did that sort of thing. I was then arrested for it because I wasn't very good at hiding my identity as a seventeen, eighteen year old. I wasn't thinking about the nuanced operational security that you might expect. I know since then I just work in a variety of sectors around cyber security, some more traditional technical stuff. I do a lot of talks around different topics. I try and do a lot of universities and schools trying to kind of encourage, inspire the next generation of hackers in a sort of positive way. And I do a little bit of creative consultancy on TV and film where I come as well. Theatrical projects, worked on museums and some books, lots of different ones and zeros and cybery things.

Interesting stuff. Just going back to your days in LulzSec. One of the things that I found sort of fascinating speaking to you was for anyone who's ever visited one of those anonymous hacking collective chat rooms on IRC, for example, it was just a blizzard of words, it really was difficult to make yourself heard. What I found interesting about you was you managed to kind of harness people's attention and you managed to talk amongst this cacophony of sounds you actually managed to punch through and get a voice and get people to pay attention to you and join in on operations or give you information and so on. Were you aware along the way that you were doing that, that you were becoming a kind of a you almost have a character online that you were filling out and fleshing out?

That's an interesting question. The role of the hacker character is really fascinating when you first start out. So the first time I joined one of those insane anonymous chat rooms, like you say, it was an absolute blizzard of information. It was completely insane. You're talking about IRC rooms with uncapped amounts of people and where the server would crash, etc. I'd never seen anything like it. And I've been in those sorts of rooms for ages. So the first time I joined, I just used my real name. I just said, hi, I'm Jake. This was the Anonymous, the AnonOps main anonymous chat room at the time. They were attacking PayPal, Visa and MasterCard over the withdrawal of donations from WikiLeaks. And then I realised, well, maybe don't use the name Jake, maybe I shouldn't do that. I changed it. This is the weird thing about Anonymous is it wasn't just, there had been kind of collectives of just hackers before, but at this point we were looking at kind of media experts and other kind of comical characters coming in and giving it a different shine. So you get these hacker groups that would just post cliched hacker images that you might expect to see in Hollywood, like ASCII art of skull and crossbones and leetspeak and taking themselves very, very seriously. And what we did was sort of come along with a kind of post-modern hacker Internet culture. Not to make it sound like some art piece and sort of made fun of ourselves as well. So we did the whole we are legion, we are anonymous. And there were some serious things done, you know, and during the Arab Spring, supporting protesters and taking down government websites and replacing them with serious messages about supporting uprisings and attacking other corporations and governments. But at the same time, there was a kind of self knowing humour to it which was lost through the court process. I don't think the judge and the prosecutor care as much about that kind of artsy nonsense. But it was very interesting. And, um, and I know you did a book which covered Anonymous really well in it, as well.

Yeah, so I spoke, just full disclosure, I did speak to Jake for my book, which was out last year called Crime Dot Com. And there's a whole chapter about Anonymous and the birth of Anonymous and quite a lot about LulzSec, the group that you, Jake, were part of. I mean, as you say, there was a sort of public information part of it you were trying to expose security weaknesses, but also fundamentally it was illegal, which is why you were prosecuted. What actually happened as a result of that? You did do time in a youth offenders institute, wasn't it?

Yeah, it was a very strange, strange arrest because they didn't really, they had the legislation in place to deal with this sort of thing in the UK, but they hadn't quite had a case like this before. So they were looking at it and thinking, well, these guys didn't really do it for financial gain, even though they could have. There were these weird motivations. And so I kind of got a mix of all these weird restrictions and punishments. So first, I was banned from the Internet for two years, which is just insane. And that never really happens nowadays because I think that even the police have recognised that people need the Internet. It's sort of a basic human right or a basic way to live in society at least. So I was banned from the Internet for two years in combination with a house arrest. If you've ever seen one of those, a private security company tags they put on your ankle. I had that in combination with no Internet, which is an interesting thing and then I was sentenced to some time. I was sentenced to two years in a Youth Offenders Institute kind of place. It's like a maximum security sort of institute where I shared, I didn't have to spend anywhere near two years because I'd spent so long banned from the Internet. I shared cells and I shared the wing with like gangsters, like gang members and stuff. So a really interesting combination. And I think a lot of folk were interested in the hacking in there. But was an interesting, weird, weird sort of process that they didn't quite know what to do with us. So they just sort of went, this is the most serious type of crime. Let's just throw them in with the serious criminals.

What did the serious criminals make of you, can I ask?

I think, I don't know if this is universally speaking, but if you've gone after governments and you're hacking things, you do okay. I think you're well respected amongst those circles. I don't know if you want to be, but, well, yeah, sure. It has some respect through it, I suppose.

Interesting. When you come out as well. You know, you come of prison. What restrictions were you. Sorry, out of Youth Offenders Institution, what restrictions were you under and how did that affect your search for work? Because you're still young now and you even younger then.

Oh, yeah, yeah. So looking at the timeline now I was arrested in 2011 and I came out of the young offenders in 2013. Up until 2018, so not that long ago I was banned from encryption, which makes no sense.

But that's something Facebook uses.

Precisely, exactly. I mean, you can't. You can't. So it was essentially, this was literally the wording was just don't use encrypted software or an encrypted operating system, and I tried to explain to them, well, again. You enter a password, you're using encryption and we're going to talk about passwords later. And so I think I had to deal with I was more dealing with people than legislation. So I had to sort of rely on common sense of the officers in charge of it. And luckily, they didn't arrest me for using a bank ATM, which is encryption.

Just going into that. The restrictions that you're placed under on your licence when you're released, they're not standard clause. They can just write sort of anything in the box, don't use encryption, they can just make up the form of words?

They did in this case. I mean, this case was sort of laid the groundwork for some more sensible words later. But it's called a serious crime prevention order. And if anyone watching ever does serious crime and it gets prevented, you'll get one of these. And essentially they just they can say anything they like. So if you're, I don't know, if you're someone that creates fake banknotes, they'll ban you from the machines that can make fake banknotes or they might ban you from Photoshop. In our case they banned us from everything because they didn't quite know what was going on. So they said, oh, no, no, every time you buy a phone, disclose it. Every time you travel, disclose it. So I had five interesting years of being monitored in weird and wonderful ways which expired. And to your question of did it affect work? I mean, absolutely at first to the point where I was sort of not allowed into buildings because they were scared of the anonymous hacker people. But I think that's come full circle now. I think society now has in the last 10 years recognised that it's not black hat, white hat hackers and it's not law enforcement. Good. Some hacktivists. Bad. I think there's a lot of space in the middle so things have turned around.

True. Although some people I've spoken to not about your specific case, but about people like yourself who've gone on to subsequent careers. And actually interesting, most of the LulzSec, think all the LulzSec guys have gone on to cyber security careers. They find it a bit galling that you broke the law and now a sort of make it they almost worry that you're profiting out of crime, that you've managed to make crime pay. How would you respond to that?

I've never encountered that. I imagine there are probably some law enforcement types that say it, but most of the people we work with are pretty, pretty delighted. I don't know. But then again, I don't suppose I would ever encounter the people that don't want to work with us because they wouldn't approach us. But I don't think that's mainly what happens. I mean, I think once all of us first came through the system, there was some scepticism. But I think over the last five to eight years, we've all got a pretty good body of work. And really how we see it is we provide a number of offerings. And if people don't want to become more secure and they want to keep falling victim to these things that have existed since the 90s and still work today, then I mean, I think it's on them to open up a little bit and accept that you need some help.

Good, thanks. Yeah, interesting, interesting stuff and yet it is mainly people who come from not only law enforcement, but that kind of background who make those points. Thanks for all the suggestions, by the way, about the boxes. Still thinking how I'm going to deal with all of those. Jake, I just want to come on to then passwords. I find this intriguing. It's sort of the habit that we can't kick, passwords. I mean, there was an amazing website called Leak Source, which I think is now down. Leak Source. You could basically pay a few dollars and you could access their stash of passwords. It was sort of like the Have I Been Pwned website, only instead of just checking your email address, you could check anybody's email address and it would give you the password or at least the hashed password if they had it. At that point, I just thought surely this is game over for passwords. But apparently not. What do you make of the advice from different organisations about how often you should change your password? Because that was the thing, GCHQ in the end said, look, forget it.

Yeah, yeah, I know exactly. That website got taken down. And there are some other scarier websites up where you can essentially, as you say, put in someone's email address and get not only the password, but any other information that's been leaked. With regard to changing your password. I'm sort of slightly with GCHQ on this one, which is not something I often say. But I mean it often it does boil down to actually rather than the users creating strong passwords, which is important, it's how the companies store those passwords because a user could have a very strong password and it is very strong if it's encrypted properly by a company or and of course, it can be completely useless. It can be as weak as an extremely weak password if it's encrypted the wrong way. The example I always use is the difference between LinkedIn and Dropbox. Two big companies that had suffered a database breach, I think around 2012, and the databases went public in 2014. Now to this day, LinkedIn's database has had ninety eight percent of its user passwords cracked. As in the passwords have been discovered, decrypted, recovered. However you want to say. And LinkedIn sorry, LinkedIn had 98 percent and Dropbox has had less than 10 percent and they were both hacked at the exact same time and the difference was really basic. The difference is LinkedIn was using SHA-1 to encrypt its users' passwords and Dropbox was using bcrypt. Just two very different hashing functions. One is very easy to implement and is not very resource intensive. And so people like using it because it's time resource management, it doesn't exhaust your system, but that makes it very easy to crack. And the other was using, as I say, bcrypt, which has existed since 1999, I believe. And it's just very dense. It's just a bother resource wise, but it's very, very hard to, to attack that and to quantify that very briefly, I'd say SHA-1 is around five hundred thousand times quicker to attack than bcrypt. So you're looking at the difference between like on a desktop GPU at home, fifty billion attempts per second to fifty thousand or something like that. So that's always interesting. But no, changing the passwords. It's useful if there has been a breach or you suspect that there might have been a breach. But other than that, it might actually in some cases weaken your password because maybe the website has switched to a new scheme where you then get adopted to something like this. So it is quite outdated.

In terms of breaking those passwords. So different encryption mechanisms that have been used. I just wonder is that obviously as a company holding onto users passwords, you have an obligation to secure them and the security will be whatever is reasonable to expect. In your view, what would it be reasonable for an organisation to be using at the moment?

I think it's pretty reasonable to stick with something like bcrypt or like Argon2 which won the password hashing competition in 2015. I think one metric was used and people can use this metric, it's sort of if you don't fancy paying someone six digits to do this for you, you can look at these leaked database websites that are legal, not the ones we mentioned. And you can order, you can basically acquire a list of two thousand two hundred leaks without the personal information. And what you can do is order those leaks in a spreadsheet by most percent cracked. As in, who has lost the most passwords? And if you sort it by lowest to highest, you'll see bcrypt, bcrypt, bcrypt, bcrypt, bcrypt. 9 percent, 10 percent, 11 percent. If you're a company and your database unfortunately gets hijacked, you've done everything you could, but it's out there in the public domain and it survives for five years in the public domain with less than twenty percent of it being cracked, I think that's an amazing result because that 10 percent we're talking about are just the really bad passwords, like one, two, three, four, five, six, which aren't safe. You cannot make that safe. It's impossible. And so that's so a standard of basic salting and peppering, if you prefer, as well or both. And also multifactor authentication should just be a, we all know this sort of thing. But there are still a surprising number of new leaks that come up that are just really bad encryption schemes and you just see the numbers go through the roof and you think, oh, man, why are they doing this?

We'll come onto multifactor authentication in our panel. We're going to bring on in just a second. But yeah, in terms of two factor authentication, to what extent does that make things harder if that is enacted compared to somebody who's just got a password, no matter how well encrypted it is?

I mean, you're looking at just mitigating passwords and credential stuffing there. Even if you as a company, of course, this will seem obvious. If you encrypt your users' passwords very well and they reuse that password with another company that doesn't, then you're vulnerable if you don't implement good 2FA in that method. However, of course and I think we all know this now, but stop using SMS as 2FA because yes, the SMS protocol is a bit of a I mean it is a joke at this point that we're still using it for anything. We should sort of nuke it from orbit. And so any sort of a superior authentication, which is easy enough to build in all the authenticator apps, is an option.

Is that because of the SIM swapping where people phone up your mobile phone company and impersonate you, then get your number put onto their SIM card? Is that why SMS is?

That's one of the reasons. Yes. And there are many others, including basic vulnerabilities in the telecommunications system itself, where you can impersonate or spoof entire masts or parts of the infrastructure. Texting itself is very easy. I could easily send you a text from yourself or send you a text appearing to come from the NHS to say your vaccine is ready or something like this. And so, yeah, I think it's just something so outdated. We should definitely stop using it as a sole source of 2FA. I don't mind seeing it, but I don't like seeing websites that just offer it because I think it really does nothing against the targeted attack.

Yeah, interesting. So I'm going to bring in our panel now because I think it'd be good to open this up to them. We have joining us Felipe Garcia, who is chief information security officer at Scotiabank. We also have David Cartwright who is head of IT security at Standard Bank's International Clients Solutions. And we've got Richard Archdeacon, who's advisory chief information security officer at Duo, who are going to be joining us on the stage very shortly. As I say, it is a new platform, most likely getting used to this as a slight delay on things. Also, the chat function is very quiet. I'm not sure that's because I'm just not seeing the chat, whether you are all just out enjoying the sun, which is, yep, still out outside, there we go. Our panel are going to be joining us in a second just before they do, Jake. I mean, in terms of the actual password cracking, there are still services online, presumably, that you can go to and try and get passwords cracked if you if you if you need them, you know?

Yeah, sure. It's quite easy if you and I'll give you some some numbers, for example, on a home desktop. I have a nice work computer at home where I have a couple of good graphics cards and I can attack some hashes at a rate of about two hundred billion attempts per second, which is a lot. And if you order up, if you spin up a twenty, thirty two dollars an hour or somewhere twenty five to thirty two dollars an hour, Amazon EC2 with the Tesla, is it the Tesla V8 hundreds over the V100x8? You can get around three times the speed I have at home. So yeah, if you can sign up to a subscription model and essentially pay people to crack passwords in a distributed manner, or if you're someone like a ransomware group and you want to encrypt people's files. And then unfortunately the way ransomware groups now is they really work now is they really care about the files. They have a lot of money. I mean, these people have millions and millions in cryptocurrency. So there's really no limit to how fast they can attack passwords. So I do think we should move away from.

In terms of that, so you're sort of bombarding the password with different guesses. Can I ask how you know when you've got the password right? Because you can only enter into the website a certain number of times. How does the actual mechanics of that work?

Computer tells you. No, yeah, it does. It just says yes. I mean, with cracking a password. I mean, it's not like a lot of people think it's sort of Hollywood style where one letter goes at a time. But it's either you have it or you don't. Either your plain text matches the hash or it doesn't. And so you just run through lists, many, many lists. And there's lots of different techniques, starting from basic dictionary attacks to Combinator attacks. There's some interesting AI things that assume that there have been billions and billions of leaked passwords on the Internet and you can essentially run that through an AI system to guess human patterns on how they make passwords. So, you know, all those calculators you see online that say this password will take five hundred billion years to crack?

Oh, yes.

Those have been irrelevant for about 15 years, especially 5, 10 years, absolutely. Nobody, nobody attacks passwords on that entropy based system anymore. So it's all far more advanced. Another reason we should just, again, nuke passwords from orbit and move past passwords.

Get stuff we have to. Joining us now, other panellists will be here shortly.

David, can you hear me? Can I hear you so you can pick just fantastic right to stand up bank. Tell us a little bit about it. For those unfamiliar with it, what sort of scale of the business and what does the international climate solutions do?

So it's the bank as it is Africa's biggest banks. It is about fifty five thousand dollars worldwide. We are about 450 people were affected by the offshore compared to, say, Jersey in the other mompreneur.

And in terms of passwords, I mean, listening to Jake talking there, we will you start to sweat a little bit or if you got this covered, what's your situation and standard on on two factor authentication and passwords and so on?

Yeah. So bottom line is, anything coming in from outside is in my face. Most of it is not negotiable. So if you're on the London then password that any kind of access without a doubt completely agree with Jake as well. Used you work for a telco. So I also prefer using your phone based approach, though, as Jake says, it's a useful resource if you if you just drop your phone down the drain. Yes. Yeah. The other thing we are looking at at the moment is biometrics.

So we're just testing some kit to use things like Windows Hello. Or is one of my colleagues is just requesting to.

And how would that work so that the biometric. But are we talking fingerprints. Iris voice Once you got your camera or say, oh, I see.

So many, many years ago, fingerprints been around for a long, long time. The local businesses who use it for their cooking and cleaning out the punch cards. But even longer than I can remember, things like, you know, Lenovo laptops have come with a fingerprint almost instantly. The biometric stuff is something that the people are really starting to accept. And I'm getting used to, and particularly with modern mobile phones, of course, because, you know, we're all used to going to get the iPhone to unlock it or even to make it work.

So the whole button tricks thing, people are getting more and more used to more willing to accept.

Jake, can I come to you on that, because the thing with biometrics is always concern me is is at least a password. You can change it. Whereas, you know, I've only I've only got two eyes. As the song once said, I think it was the Smiths. And, you know, is that a concern that with biometrics you only have one of each thing?

I mean, I largely agree with David that it's come from a security perspective. It is just I mean, it's leagues better. It's incomparable. You don't you don't know. You don't crack or spoof that sort of thing too easily, though. It has been done in isolated cases. But I, I always enjoy the combination of of and we're talking about here is something you are so the eyes and the fingerprints. But I always I'm always a fan of something, you know, is, is king and that we should just avoid single points of failure really.

And I would still consider biometrics specifically on their own, a single point of failure against four specific people. If we're talking about the end user, then sort of they can decide what environment they want. And we're also talking about I think we have to differentiate between websites or like your full disk encryption password for your laptop. Let's say if you're if this is a very specific case, but some people are worried about it. If their laptop is physically stolen and someone forces them to give the password, what you what you definitely don't want is them grabbing your hand and going online, in which case having a decoy password is useful, et cetera, et cetera.

But for the for everyday use, having having biometrics as an option is very useful. And there are a bunch of other integrity checks that can be done as well. If the user goes actually fingerprints, irises are an option, but I don't really want to do it. There are also other ways. Browser integrity checks, environment checks. There's a lot of I mean, we do this already with CAPTCHAs. I mean, with with just Google's latest smart CAPTCHA already does that sort of thing.

So interesting. Thanks. Thanks, Jake. David, on that front, to what extent do you do that, that kind of fingerprinting to spot? So so do you have different levels where if somebody is using the laptop, they always use the connection. They always use they're looking at the time, they always looking at during the working hours. You know, the security checks might be less strong than if they're logging in from an unknown device at 2:00 a.m.

To what extent are you able to enact all of that?

At the moment? We decided to just take the straightforward approach that if you're coming in from outside, you get in a fight simply because it is so straightforward. It pops up on your phone that the authenticator upset high. Someone's trying to authenticate you. Please click and get used to it's it's completely f of us reject the biometrics. So shouldn't be used as a single point because we all recall when faced with. Oh, I've far as latex paint and stuff, but they did actually manage to fool me, so I don't mind if I use your friend.

And it's so easy to do so and it's so easy to use it, you know, so it should just kind of fall as well. In terms of this. Are you are you just talking about employees just on the bank or do you deal with the bank's customers on this point as well? So you can't get into online banking without MFA? If you are coming from an unfamiliar device, then you are interrogating much more rigorously.

Yeah, David, just go back to the biometrics as well. What's been the sort of staff reaction with that? Because some people sort of ask questions. Hang on, what's this? You know, we just experiment in testing the I have worked with local companies which have had a few minor gripes from users, you know, when you started my fingerprints. But they have been few and far between. Not something we've really come across yet because we're still in the test race, but generally a low level of grumbling because there is an argument which says if you are reading someone's fingerprint on a door entry system, for instance, you are for a fleeting moment.

You're sending that through a device in another Great Depression. So could potentially theoretically you capture protection issue if you don't have to go and get a consent from my users? So all of these questions have been asked and I'm not sure we know the answers to something.

Yeah, that's going to be interesting, isn't it? You can imagine the information commissioner's office here in the UK taking a look at that when, when and if that happens. It's interesting. Can I ask can I come to you and ask you quickly about password managers? Because just actually from a personal perspective, I get asked a lot about this. I'm never quite sure what to say. Where do you go? What do you stand on?

Yeah, I my my view is pretty simple. They're good. And you should use them. I mean, I don't think that I think that if we if we really give it an overview, we should say that there's too much onus on the end user. We're sort of basically telling the reader to act like they're a spy or act like there's a master hacker and telling them to come up with these more and more complaints. And it really isn't scalable because I'm afraid you could use a powerful in the way passwords can be cracked or essentially telling the user, no, no, put some letters and numbers at the end of it, also now out of the randomisation system and then add six more words at the end of it.

It's just this weird arms race. And so the possibilities are just useful. I always recommended last pass, however, recently they've kind of changed up their payment scheme, which makes it very hard for free users to use it. So I don't specifically recommend, but I do recommend to all of my old, my one on one clients that I'm teaching OPSEC or perspective that use a password manager, except obviously for four for passwords that exist in a higher level of trust than the password manager itself.

I've seen people store their full disk encryption passwords inside a password manager, which is very unwise. So perhaps you want to have your main email passwords or your accounts that are hub's to other accounts stored in your head and then keep the sort of individual nodes in the password manager on the quickly on on. Some people do ask and you might get this question. Oh, as you say, oh, you use a password manager. What if someone just gets the password to the password manager and.

Well, the way something like, I'll take LastPass for an example because they do a good job with it, the way that sort of works is they generate an extremely strong hash and they have a very strong method for deriving it, which is based on actually some interaction at your end. And the reason companies don't do that is because it would be insanely expensive if you had to do that for millions of users logging in and out constantly, authenticating constantly; you'd be surprised at the exhaustion of resources and you'd be racking up billions of dollars in bills.

But in the same way that you can encrypt your laptop outside of the operating system, you can create the master seeds for that. Those seeds are generated in a number of ways. But let's say you wiggle your mouse around on the screen for two minutes and it uses the randomness from that to generate the seed that goes into the key. And essentially that results in a hash that is just extraordinarily hard to crack. However, like I said, it would be good to move away from passwords to avoid that arms race, because we won't go into quantum computing today or anything like that.

But things are more zeros are being added to things every every year.

My father sadly passed away. It was four years ago now, and obviously in the wake of that, we had to look at the passwords, and I blame myself for a lot of this. I'd given him advice on how to create a password, and he'd obviously taken it to heart and created some very strong passwords. He had written one or two of them down, which sort of helped us, but it varied from website to website.

So it was like the Rosetta Stone. We had to interpret my dad's sort of password system and kind of have a go with that password. So, yeah, it was a bit of a nightmare, actually. At that point, I did think to myself, why didn't I just tell him to use a password manager and then get the password to that? So word to the wise. Felipe, you've joined us. We're glad to have you here from Scotiabank.

How are you doing today?

Fine, thank you, I'm here.

Finally, yes, we had a bit of a few Nagle's apologies with this. We have got Richard standing by somewhere, but having a bit of trouble getting him on stage and on the platform. And Felipe, apologies to you for the delay in getting you here, but in terms of actually calling in from Wes WMP.

What I can do if I didn't go, where were you calling in from, where is home for you?

Well, I'm from Mexico, and here Scotiabank is one of the biggest banks. And we are doing a lot of work over here to protect the customers. So nice to hear, Jake. And let's have a nice chat.

Yes, good stuff. Felipe, thanks for that. We've talked, I mean, David talked about his work at Standard Bank on this. But in terms of Scotiabank, can I just clarify, Felipe, are you looking at employee security or do you also do customer-facing security as well?

Oh, well, that's a good question. Here in Mexico, the regulation is is different from other countries. So the chief information security officer that's my position reports directly to the CEO and all the security architecture and all the stuff off of the hard work is down the CIO. So this is a big, big change regarding other regulations in other parts of the world. So in my case, I'm more into the field of security for all to sort of get a name into the strategy for all the cyber security, for all the employees, but also for the customers.

And I'm much into the understanding of all the necessities and the requirements for each line of business, but also talking with the regulator, with agencies, with the police and with all of these parties to understand what is happening and with debt, do a fix today to the strategy that we have with cyber and with that protect the customer list and also protecting what we have right there.

In terms of in terms of all of that, in terms of passwords, David has said, you know, if anybody logs into the logs in from outside the network, it's it's automatic multifactor authentication for Scotiabank. What's what's your situational password where you are?

It's as you know, banks, we have different layers of infrastructure, so we have the legacy systems and we have challenges with legacy systems, then we have the current systems, the most modern ones, and that the U.S. and we are changing into new ways of communication so we can night with model and as any other organisation, at least here in Latin America, is falling into the same situation. So going into the future of litigation and passports, recourse to also look back into what you have been managing for two years.

We have a challenge to into the procedures that we're set up for years. And we use like was saying, you have different kind of tools to use it for the end users to have one password. But you also have some tooling for legacy systems within the organisation. However, the challenge that you have managing that kind of situation and that kind of passwords is that when you are doing with setting up with more complexity, they just sort of start using notepads, start using whatever other thing and they are not, and making more robots to the security that you have.

So you are technically going after the people is going backwards. So that's one of the challenges that we have. And we are starting to try to to go into some initiatives and go with the regulator and also with all the banks here and also, you know, to to make the people understand better with some kind of education and also have awareness how you can protect better your legacy systems, your current systems, and and start the adaptation of new new ideas for the next year or just.

Hi, Richard. I'm glad you could join us this evening. Just before I come to you, Richard, I want to get back to you, David, just on that fun of legacy systems, because as we all know, banks have built almost archaeological levels of different sort of struggle with that standard in terms of just making the new stuff work with the older stuff. Oh, you will meet David, I think you need to know the number of times I've heard those words.

Yeah, I wouldn't say we've struggled with it. We have the same challenges as every other nation. And we banks are far from unique in having legacy systems. What you find is you have heterogeneous systems, some of which will look at your active directory will eventually strike through AT&T. You can build something like Windows. Hello. And very, very easily are other things. You you have to do what you can. So so if you have an application where you can't integrate it, well, let's configure it such that you can access it.

Know it's probably getting through various other levels of authentication so that we know we really trust you by the time you get to be able to look into the application. But as I say, there's nothing unique in banking. I think every reasonably active company has that. A that's why such a delay on those very rare occasions you join a Start-Up and you build everything properly, don't often between us get the opportunity built from scratch, but for almost no money.

Richard, can I come to you firstly on to tell us a little bit about what the company does and how big it is and so on?

Thanks, Geoff, and thanks to Jake, Felipe and David for your comments, and Jake, you were quite terrifying as you meant to be, but I think we've always worries. But yeah, I've been with Duo a couple of years now, a project that I work for size and scope of doing big security transformations. And what interested me about the kind of solution we're looking at is driven out of experiences I'd had before around the typical insider breach where people passed out their login credentials and then had faked invoices being sent out, and also all the big ransomware attacks where you could try and validate who was coming in.

But so what if the machine was compromised? So it struck me that we needed to do things differently. And this is not a new concept. The Jericho Forum were talking about it; it was "ignore context at your peril" that came out in about 2004. So it was the contextualisation of access that was important. And in terms of passwords, I know Jake wants to Newcome is not a new idea. I always go back to Bill Gates' comments in 2004 saying they weren't fit for purpose, and we've done nothing about it for years and years.

So how do we try and solve that problem and start getting some of the of some of the headaches? And so looking at the contextualisation of access was important. So at the moment we have passwords. Sure. But then we have to look at greater detail around the user, around the device and so forth to see why people are accessing what they're accessing, when and how they're accessing, and then also where they're going. Because one of the other great fears that we have seen in the past is that issue of lateral movement.

So let's try and focus on where they're going. So so even if they do go through all of those steps, they managed to get the biometric, they managed to get the password, the username, et cetera, and they get in then limit the damage they can do. So I think that Jake mentioned use the expression single point of failure. We want to make sure that there's no single point of failure, but if there is something to minimise the issue.

So that's really what was the thinking that I was drawn to around that issue. But I think that some of the other topics that have come up have been really interesting. What is do I think it's the ease of use to rollout something like that and say we none of us have got enough resources to do things, it must be easy to roll out? That's one of the most important things you have to be able to implement and put a solution into practise.

Otherwise, it's just a waste of time and your resources and the other element, as well as to make sure that whatever approach you take to that user interaction, that it's as easy as possible. I think there was some comments about how we we expect users now to start making really complex passwords and dig them all up. We're driving security back down to the user is not a security person. They want to get in and do the job. They want to do marketing or H.R. or finance or whatever it is.

They don't want to do security. And so what we did in the industry for years and years, we made it more complex for them to do their work. And complexity is always a risk. So what we have to do is make and if you'll forgive the simple complexity for the user, make it as simple as possible for them whilst bringing a complexity.

So forgive me for interrupting, which comes at a time that goes back to Jake's point about moving the mouse around, and that creates a very strong password policy. Slightly running short on time, which is sort of noticed where we're at, but that's a good introduction to where you're coming from. I want to go to Felipe. I'll ask this of each of the panellists just before we close off. But in terms of just getting rid of passwords, of passwords no longer being a thing, what do we have in store for us, Felipe?

What does that world look like? Well, I no longer have to remember passwords. What will I be doing instead?

Well, we'll go at some time. That's worthless. I think that will have for some time. And I break. And right now, what is happening to the banking industry is that we're moving from this legacy to the current systems to MFA to start doing some kind of indication, not just relating to passwords. And what we're seeing is that within some locations and mostly you can see if we can reach in America their reliance to mobile devices, these will be keys and also mobile devices having cameras for use in other ways.

It's called indication that the camera will be important in Africa. You have a lot of to education with estimates in Latin America, the devices are starting to use MSA with tokenization, with some push-ups. We are not so advanced as Asia, Europe and US and Canada. However, what we're seeing is that the regulators are starting to move to have these kind of situations in which the devices that you have will relate into the layer of the password, that one that you know, and some kind of in effect.

And then we will move it to something else. I think that this is the future four to five to 10 years ahead. And probably my colleague is here can can detail something that they are seeing for four to four years for old applications at least. What is happening here in Latin America is that the mobile will be the key into all of this that we're doing.

Interesting stuff. It'll come to you on this if if you wouldn't mind, on muting yourself. What's your what's your take on where will we be? Well, what I will be using instead of passwords, what will what my future will be like.

Oh, it is definitely going down to biometrics, and MFA will be with us for a while. How long we'll be stuck with passwords as a last resort in case we lose our devices remains to be seen, I guess. Jake, just finally, what from you? What are you going to replace it with and how will it work?

Yeah, I think it's I think I agree with everyone here. It's a mix of those things until which was very, very good point about lateral movement. If we look at how adversaries currently exploit users security, they can currently do it in bulk. You can attack two hundred thousand two million users at a time because of this thing. The password, if you implement a combination of things that requires extreme lateral movement, you reduce that attack, surface down to very specific targeted attacks, which we can't block.

All of that's impossible, but we can stop. The current is a very low level crime, gangs raking in millions of dollars through simple passwords. And if we can take that down a bit and make life a bit harder with a combination, maybe we don't get rid of passwords entirely. Maybe we just take them from as the main point of defence and still have them nicely in our heads as something we know, which is always good for for very specific things.

But for the for the for the end accounts. I agree that take simple complexity and enjoy that a bit to stop this natural movement, to stop this exploitation of information.

Good stuff, folks, that is about all we've got time for. Apologies, we had a few snags bringing people on stage and so on, but we really, really appreciate you attending and appreciate your comments, and "simple complexity", I do like the concept. Folks, thanks for attending this week's session. We've got another session, of course, coming up on Thursday, which is me again, a double dose for me this week. It's going to be passive, reactive and proactive threat management.

And I'm going to be speaking to, amongst others, Craig McKewon, CEO and Anglo American. Thank you so much for your time. I hope, as I say in the UK, you're enjoying the sun, if you get sun normally where you are. Hope you're enjoying it all the time. Thank you again for your time. We shall see you at another teissTalk, Thursdays at 10:00 a.m. and Tuesdays at 4:00 p.m. Have a great week. And thanks to our panellists Jake Davis, David Cartwright, Richard Archdeacon and Felipe Garcia.

Thanks, guys. See, we'll see you.
Geoff White, Host, teissTalk
Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.

Jake Davis, Hacking and hacker culture expert,

Ex-Lulzsec and Anonymous member, Jake Davis (aka Topiary) is a former “hacktivist”, experienced security speaker, consultant, and author. He is interested in the psychologies and nuances behind hacking, hacker culture, and the wider internet community, and is working to educate and inform the next generation(s) of technology experts.

Felipe Garcia, Chief Information Security Officer, Scotiabank

International audit and internal control executive specialised in information technology, risk, compliance, processes, auditing, cybersecurity and operational control hardening. I have performed relevant projects in SOX, IT controls, fraud investigations, forensics, security, revenue assurance, risk framework implementations and analytic testing automation, working in the manufacturing, financial, consumer goods, retail and consulting sectors.

Strengths include operational, process, compliance, financial, security and information technology auditing and internal control competences, such as knowledge of SOX assessments for IT internal controls, fraud investigations, forensic reviews, physical and logical security evaluations, revenue assurance and analytical testing automation. Field work performed in the financial, consumer goods, security, retail and consultancy sectors. Major markets reviewed are Mexico and Latin America.

David Cartwright, Head of IT Security, Standard Bank International Client Solutions

Head of IT Security for an international bank and Deputy Chairman of the Channel Islands Information Security Forum

Dave has been based in Jersey since 2009, and is presently head of IT security for an international bank. Dave is co-founder and chairman of the Jersey Charitable Skills Pool (http://www.jerseycsp.org.uk), which offers cost-free infosec advice for charities and not-for-profit organisations; he is also deputy chairman of the Channel Islands Information Security Forum, a committee member of the Jersey branch of the BCS, and the Digital Committee of the Jersey Chamber of Commerce. He has been a judge of the UK Cloud Awards since its inception, and is the co-founder and chair of judges for the Jersey Tech Awards.

Richard Archdeacon, Advisory CISO, Duo

A senior level information technology professional with over twenty five years of international experience in consulting, functional and multinational IT companies in both the sales and technical areas. Expertise in providing strategic business change, hands-on leadership; new product and service innovation. Extensive experience in the definition and implementation of technology solutions across all major industry sectors.

Specialties: US and EMEA markets; IT risk and security from the operational and vendor side; MSS; consulting; presenting at public conferences; PR experience in press, TV and radio; government liaison; M&A identification and integration.

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543