Episode 105

Passwords: Cracking, Chaos, & The Future with Evil Mog

EPISODE SUMMARY

Evil Mog is the Chief Architect of IBM X-Force, IBM's Hacking, Incident Response and Threat Intelligence division, and a renowned password security researcher. He studies the movements of access brokers across the criminal software supply chain and warns that credentials are being traded on the Dark Web for pennies on the dollar, stored in GitHub, and driving the growth of identity-based attacks. Meanwhile, shared passwords, reused passwords, legacy software, and the growth of AI applications make effective authentication challenging. He and Joe discuss the latest research on the current state of passwords and how they're evolving for layered authentication and authorization. You'll learn how you can move manual password processes into the background and improve security through password managers, passkeys, MFA tokens, FIDO2 and other techniques. If you have questions about passwordless authentication, you'll want to tune in.


Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea, and I'm joining you all the way from Tallinn, Estonia. I've got an amazing returning guest, one of my favorite guests to come back on, and it's always great when we get to catch up in person. So Dustin, aka Evil Mog, welcome back to the podcast. I want to give the audience, those who might not know you, a little bit of background about yourself, some fun things, and we'll get into the details.

Evil Mog:

Yeah, so I'm Evil Mog. I'm the Chief Architect of IBM X-Force, which is IBM's Hacking, Incident Response and Threat Intelligence division. I'm also a member of Team Hashcat. We've won Crack Me If You Can off and on for the last 10 years, and occasionally I've been known to be the bishop of the Church of WiFi and various conference shenanigans, but primarily I focus on password security research and have for most of my career.

Joseph Carson:

Absolutely. How many black badges do you have?

Evil Mog:

Five now. I've got SkyDogCon, DerbyCon, DEF CON, Thotcon, and now CypherCon.

Joseph Carson:

Well, that's an impressive collection. And one of my favorite things in the past was also coming and watching Jeopardy at DEF CON. That's always one of my-

Evil Mog:

That's right.

Joseph Carson:

... fun things to do.

Evil Mog:

I mean, I'm semi-retired from Jeopardy now, but I'm coaching the next generation on how to win, which is great.

Joseph Carson:

Fantastic. So I did miss it last year. It was one of the things that I wasn't able to do. I think it was during the bomb scare.

Evil Mog:

Yeah, there was the bomb scare. I unfortunately had to be out for something else. I missed a good chunk of it, so people can't say I dodged an issue on that one. I think this year should be cleaner with the new venue, so we'll see how it goes.

Joseph Carson:

Fantastic. So we are going to talk about our favorite thing, our favorite topic in the world: passwords. We always hear the terms "passwords are dying," "passwordless" and everything, and what does the future hold? What is the current state of passwords? What's your view? Passwords, are they dying? Are they changing? Is it an evolution that we're going through? What's the current state of passwords?

Evil Mog:

I think passwords are evolving. I mean, I believe finally, I've been harping on this for years, people are finally getting password managers, which is nice, and these new password managers have things like passkeys. They've got storage of your multifactor authentication tokens. They've got your static credentials. But here's the thing, no matter what we deploy out there, you're always going to need some kind of shared secret. The form of it has evolved. It's gone from something I enter into my keyboard to stuff that can be entered by a password manager. There are still things like network devices, stuff that's offline, stuff that's not connected, stuff that's connected over a dial-up link. Yes, it's 2024, but we still have things connected via a satellite in various areas. You still need to authenticate those.

Joseph Carson:

Absolutely. I think that's one of the things: a lot of times we're always chasing after the shiny new thing, but we always have to remember that there are a lot of systems that have basically been around for 20 plus years, and we have to remember that those are not going to evolve anytime soon. And even systems that were just deployed and installed maybe a couple of years ago in organizations, they're going to be around for quite a long time. So we're going to have this. I think one of the things is that, yes, there's a lot of new technology, new authentication methods such as FIDO2 credentials and passkeys and so forth, that allow you to really, what it's really doing is moving passwords.

I'd say it's not making them go away, it's just making that shared secret move a little bit more into the back, a little bit less interactive with the humans, but we've got a lot of legacy. One of the things IRA did recently was LANs research into what was holding organizations back from moving forward, and it was legacy systems, legacy software, legacy applications that they will have to continue managing for a long time. Is that something that you're seeing? Is it the old stuff that's keeping the password around and alive? Is that what you're finding?

Evil Mog:

It's even new stuff now. We have an AI evolution happening right now. How do you authenticate yourself to a bot that's going to interface on your behalf with another system? A great example is I call into customer service, chat with a bot, need to authenticate myself. Yeah, they're going to try and check some voice biometrics, but collecting that's problematic, or things like GDPR. They're going to do some kind of a PIN verification. Then they might go talk to my bank with a credential on my behalf. I think even newer systems will still have this problem. It really depends on the medium you're connecting to in order to authenticate.

Joseph Carson:

Absolutely. I think to your point, what I'm finding is they're not dying. It's an evolution. They're evolving into something slightly different from what they were originally intended, where it was that secret in order to authenticate me, my secret that I was able to authenticate and gain access with, where it's now becoming a provisioning key, or it's a migration key, or it's a backup key, where I have to have a list of these backup passwords so that if I need to re-authenticate with a new device, or maybe I lost the original, that allows me back into the system.

To your point, it might even be just a PIN in order to authenticate with the edge device as well. So for me, I think it is an evolution. It is not that they're dying. It's almost like, say, the caterpillar turning into a butterfly. The password is going through that change and it might be just different. The experience is going to be different, but ultimately in the end it is a shared secret, behind the scenes, maybe not entered by a human.

Evil Mog:

Well, and that's exactly it. People don't understand. A password at its absolute core is just like an MFA token. All of these are just the shared cryptographic secret. You take a key derivation function based off an ASCII string, you convert it into some bits of cryptographic material, and that proves who you are. But you also need to authenticate things like your device, and these are the important things. Everyone has a phone with them, everyone has laptops. These devices need to authenticate, so we're adding on additional layers. They still need to be changed, which is cool, but it's being abstracted away from the end user.

Joseph Carson:

Yeah, absolutely. I will say it is moving them into the background, and when we talk about passwordless, it's a passwordless experience. So for the user, it appears that it's changed, but it's moving into the background. What are some of the newer technologies we are seeing? Passkeys are becoming, which is literally the FIDO2 credential, just a username and password converging into that single credential. Is that what you're seeing organizations move to more, or are there other technologies that you're seeing out there?

Evil Mog:

We're seeing that layer. Let's start with passkeys. Most password managers now actually have the ability to run a software virtual passkey stored in the password manager. So I'm seeing things that used to require, say, a YubiKey before now have the option to automatically authenticate right up to the end by using a shared bit of data. We're also seeing SSH keys. And finally, SSH certificates are taking out SSH keys, which kills one of my favorite static credentials; that's killing that problem. We're seeing more use of multifactor authentication. Now, it's becoming easier.

Multifactor used to be a pain. You had this little physical token with six digits on it that rotated. They had to mail them to you. They expired after three years and they were expensive. They were like 80, $90 a token. Mobile devices used to pay $30 a license just to get a software authenticator. Now it's becoming free. There are open source versions of these. Almost everything that is internet connected now has some form of authentication, but we're still seeing things like SMS authentication being the primary way of auth. I know this is about passwords, but really the discussion has shifted now from just straight passwords to the entire authentication and identity ecosystem.

Joseph Carson:

Absolutely. It's the entire end-to-end life cycle of that. So tell me, what risks are we still seeing being exploited with the new technologies as well? Are they 100% foolproof protection?

Evil Mog:

Oh, absolutely not. If you look at, say, the X-Force Threat Intelligence Index that we just published, or the Cost of a Data Breach rather, we're seeing now in 2024 credentials being more and more abused, even though we've been seeing great uptake in the use of password managers. The discussion has shifted over to things like your identity, information from breaches, things like your name, your address, all this information that can be used to reset an authentication credential. So companies that got breached years ago, back before we started putting money into security, that information is now being leveraged, traded on the dark web for pennies per credential, sometimes dollars per credential.

They're then being used in bulk. So it used to be like a currency, got to say ransomware. Nowadays, they're going after identities. They're using those to go reset credentials at, say, banks, at other financial targets, enterprises. They then will issue brand new, fresh, valid credentials using that information. So it's shifting up the stack. We're also still seeing a lot of password reuse for those that, for whatever reason, don't believe in a password manager. So it's splitting these into tiers of difficulty: lowest tier, same password everywhere, information in dark web breaches. Some people like some mild modifications. Then it goes up to people who have stuff stored in password managers, but there are reset functionalities, and then up to the more esoteric attacks, et cetera.

Joseph Carson:

So absolutely, I think we still have humans in that process, and we are going to get into where we choose the easy path, where we choose things that are easy for us to remember or easy for us to get into a habit with. We get into habits of choosing things that are familiar to us, and that's one of the things when I'm looking at the tactics of a lot of the access brokers from the criminal software supply chain, whether they're validating the access and then selling it on to others to use and abuse it. Simply what they're looking through is all that history of knowledge of passwords that's been disclosed, and then simply creating really smart word lists with all the different variations, and then brute forcing and just trying to find out which ones work.

And ultimately, people get into a habit of choosing things which are easy to remember and they have a sequence. If you know these previous sequences, it's easy to predict the future. So where we continue to have humans involved in that process, I think we'll continue to have password reuse. We will continue to have credentials which are going to be easy to crack and gain access with. And to your point, once they gain access to one, and the worst one of course is the email, because that's where a lot of the password resets go to. Because again, with access to email, they can start finding out what services you're attached to, go and start doing the password resets for those. And it's easy because they simply get redirected from your email to other services.

Evil Mog:

Yeah, we're seeing things like people reusing passwords between, say, their corporate environments like good old Active Directory. As much as I love to yell at Microsoft, the standard NTLM passwords and the advice of, hey, you should never change your passwords anymore due to NIST. You get one of those breached and it happens to be the same password as email. All of a sudden you're now crawling into things like cloud accounts, or you're crawling into personal. So that's my biggest fear: people reuse passwords in their corporate environments. They reuse at home because they follow the same similar patterns, meaning it's, hey, it's my password. Or even worse, they use the same password when they change companies.

Joseph Carson:

Yep. One of the things I remember, I'll never forget, was SCADA control systems. And I remember I was going through a penetration test and all of a sudden I saw on a piece of paper written down on the desk where the command and control was. I always laugh because on the side of the SCADA control system it had advanced threat protection, the most secure SCADA control system ever. And then I looked around and all of a sudden sitting on the table was username, password, IP address. And actually when I saw the password, I was just, oh my goodness, it was the same password, because I had signed up for the SCADA control emulation software because I couldn't get access to it.

It's something I can simply go buy and use. So the training software, you could sign up for the emulation that simulated all of the pressures that the SCADA control would have. And as I looked down on the piece of paper, it was the same password that was actually in the training emulation software. So what simply happened was the consultant goes through the documentation, and then the documentation has a password, and they just reuse that same password every implementation.

Evil Mog:

And no one changes it.

Joseph Carson:

And no one changes it. And because they're afraid of breaking it, they're afraid, because once it's up and running it's like, oh, don't touch it. It's running, it's working, and it doesn't get handed over. They don't go through that handover. And ultimately that's what we end up having: a default credential on the SCADA control that is meant to have all of the most expensive security bells and whistles built in. And that process, I went through it as well. I can tell you I did some research on service accounts recently as well, and I went through, I took a lot of the top service account implementation guides for large software that's commonly used in many organizations.

And if you follow the instructions, it almost gets to the point where by default that service account is vulnerable. It's telling you what account and what password to use, and it gives too many privileges, and ultimately at the same time it's set as interactive logon, which service accounts should not be. Sometimes you have to validate that the account works, but it should not be logging in directly. There's no reason for that unless there's a GUI in the background that has some-

Evil Mog:

Given that it's a service account, then it's a long-lived shared ID.

Joseph Carson:

Exactly. And if you go through those documentation guides, it sets us up for that situation where people are following the implementation or following the documentation to the letter, and ultimately it's not having security by design or by default. It's simply to the point where it's getting the application working, but it really hasn't thought about how do we switch it to hardening? How do we make sure that security is enabled from that perspective?

Evil Mog:

And here's the thing, no company out there is in the business of being 100% secure. They're in the business of making money. And people are afraid to take things down that will cause service loss. They start losing money, but that's how we produce things like the Cost of a Data Breach report that says, here's the cost of a breach compared to the cost of your outage, and then all of a sudden it goes, oh, maybe we should change this. But to your point, it comes down to the documentation. Say the service engineer gets certified on product XYZ. They get certified on a number of these. They're going to follow their documentation to the letter to make sure it's fully certified.

Joseph Carson:

Exactly.

Evil Mog:

Joe, a security guard running SCADA control software, for example, or a process engineer isn't going to go in tinkering with the service setup. IT is not going to touch it because they haven't got a change ticket. It's just the way it works.

Joseph Carson:

And sometimes if they have a change ticket, maybe that requires recertification. You see that a lot of times in medical devices and those OT devices, where if you change something you might have to go through the recertification process again. And to your point, you want to be focused on keeping the business running. You want to keep things running and certified, and that's one of the things, finding that balance. I have a question. What techniques, what are some of the latest techniques that attackers are using in order to try and bypass the authentication?

Evil Mog:

I mean, it all typically comes down to application security tools, your typical OWASP techniques. You basically want to do everything you can to get around the controls. So you either look at the API, is there something else in the system that's going to give you direct control around it? It's weak controls, say, for network controls. But nowadays, people are really attacking SAML and IdPs. They're forging tokens these days. You look at some of the major cloud provider breaches, if someone set up a test tenant that could issue valid credentials and they use the system against it. There are API credentials stored in GitHub all day long. So people are using that to sign on to your vault instances to issue out credentials. It's really the typical standard information security controls that are now being used to spin up test instances, really.

Joseph Carson:

Absolutely. It's the playbook. It is simply that full playbook that follows, and it works almost every time; you're going to be successful with it. So going back to one of the things you mentioned about APIs and also things like GitHub repositories, that's one thing I find as well: last year that seemed to be the big trend. It seemed attackers were shifting their focus, because it used to be pretending to be an authenticated human, and now you would log on pretending to be an authenticated service and actually make that API call in order to either exfiltrate data or to get that access into systems as well. On the API side of things, are we still seeing the hard-coded passwords in the code, uploaded and publicly available, and then maybe they try to remediate it later? Is that something that you're seeing in a lot of the assessments you're looking at?

Evil Mog:

Yeah, we are seeing that a fair bit. Right now, there are some good detect-secrets plugins that'll stop things like secrets being checked in, but those plugins may not catch things like an SSH credential embedded into a URL with a username and a password, for example. So we're seeing a lot of that being missed. It's being caught bit by bit, but there are new and unique secrets that are being stored. There are JSON files with opaque Base64 blobs. There's-

Joseph Carson:

Using Base64 encoding just to try and obfuscate it, but ultimately it's not something that stops attackers from going in and decoding it.

Evil Mog:

Oh yeah, there's a GitHub dorks page. What a dork is, for those that don't know, is a search string you can use inside, say, GitHub or one of the major search engines to search for secrets. So oftentimes it's just as easy as me typing in, without even going to the dark web, here's this particular search string, and then here's all of this software. And then quite often you'll find, oh, here are some open source packages being reused inside multiple other software pieces, and due to the software supply chain, not everyone has an SBOM, for example, or software bill of materials. And you go, oh, here's the software, the software, the software, tied in with some dark web searches or some web searches to enumerate. And oh look, I've now got authentication to your tenant, or here's-

Joseph Carson:

Absolutely. And in that regard, what are some of the things you're seeing around updates for some of the tools? You're on Team Hashcat. What are those looking to evolve into? What are the latest updates that are looking to add and enhance, and really to help us see the techniques that are being used in order to actually find vulnerabilities and harden those?

Evil Mog:

So I mean, Hashcat itself is actually fairly mature now because it's now so modular. The only real major updates are either performance updates or the fact that we're adding in new modules for different hash types, but realistically, with the techniques using Hashcat, there are enough advanced techniques that you... Hashcat, for example, you can pipeline, so you can take extra tools and pipe them in. So there are things like generative adversarial network password generators for plaintext that we're then piping into rules, et cetera, stuff like that. So really we're layering more tools around Hashcat rather than doing fundamental changes to Hashcat itself. The distribution problem's already been solved with tools like Hashtopolis, so you can distribute Hashcat to thousands of nodes. The cloud's made it ridiculously cheap. Things like NTLM version 1 are still in use in Windows Active Directory, which is still insane to this day. The fact that I can get a conference talk based around that technology still accepted in 2024, including the most recent BlueHat-

Joseph Carson:

I did see your talk at BlueHat, which was a fantastic talk. I really enjoyed the demo that you did to highlight the backwards compatibility challenge that still exists.

Evil Mog:

So for those who don't know, LAN Manager, or NTLM version 1, is based off LAN Manager, which is based off DES. And DES does this wonderful thing called ITAR. If you have LAN Manager compatibility level set to two or lower, we can reverse NTLM version 1 to NTLM with about a thousand dollars in GPUs. Then you can use that NTLM hash to DCSync or replicate against the domain controller, or even that particular server, and then we can get in. I'm still seeing this, I want to say, at least once a month inside X-Force in our engagements. So go audit your Active Directory systems and turn off LAN Manager compatibility level. Please, please, please.

Joseph Carson:

Yeah, it'll definitely make us happier, because ultimately our goal is to make the world a safer place. I mean, that's all that we're here to do, and really find those areas. And we equip our minds and put the hats on to think like an attacker so we can look at it from that perspective. Do you think that also, with AI and GPTs and stuff, we'll see something like a Hashcat GPT type of scenario, where you simply just say, here's the hash, go figure it out?

Evil Mog:

I honestly wish. I'm working on some of that. The problem is there's so much complexity to how you can operate it. There are really two methods of doing this, if anyone wants to do research. Method number one has been using, say, an AI system to generate password candidates directly. There are a couple out there, and those are actually still fairly slow when humans can be more efficient at this. Then there's the methodology of, do I use attack mode -a 0, -a 1, the hybrid modes, but I pipe it through things? That's the second method I don't think has been explored yet, and something I'm going to probably work on with watsonx is teach watsonx how to password crack and give it access to a cluster. So I apologize if I accidentally create Skynet, it's not my intention, but that's on my list.

Joseph Carson:

Let's hope that that's not the outcome, but let's hope that it does find ways to make sure, one, that getting to a password should validate against the word list. It should not be null or everything. I think that's what a lot of that can be-

Evil Mog:

The word list is actually fairly easy. We've already built that in... One technique we've been using lately, and this is actually built into IBM Verify, not the product shelf, we've been using things like Bloom filters to take massive word lists and shrink them down into something that's embeddable within a product. We can do real-time checks against the Bloom filter without exposing the giant password list of eight, nine gigs of passwords into a product, without just ballooning the product size. So what we'd do is we would shrink it down and then do real-time checks that way. To great effect inside our IdPs, like the SAML, the OpenID Connect layer, for our clients.

Joseph Carson:

Absolutely. It's going to get into the concatenation side of things, where you can actually really do it on the fly and validate. That will definitely, one, increase performance, but also, yes, you don't want to be having to carry around those massive word lists, which are quite extensive these days with how many billions of password choices and options and variations are on there.

Evil Mog:

And that's exactly one thing we should bring up to people: if you think your password's unique because you can remember it, you're wrong. And the reason I'm saying this is we now have resources out there that have word lists of every single major breach combined, combined with almost every dictionary, into these massive lists, and they're downloadable by virtually anybody. So if your password is, say, stored in MD4, MD5, NTLM, one of the faster lists, they can run through these in seconds, and you add in some rules to it. Really, the only good password these days is one that looks like line noise. I mean, I'm recommending 12 characters minimum, uppercase, lowercase, specials, with a high amount of entropy, and that's the key part. It has to be randomly generated. If it's generated by hand or from pure memory, it's probably going to get breached.

Joseph Carson:

Absolutely. I think one of my, because at some point in time, for humans, we have to have something that we have as a secret, and hopefully anything else is stored within a password manager, access management and so forth. So if we actually have that more, let's say, unique, long password generation. What I find is that absolutely getting into using passphrases, having multiple words and trying to get it as long as you possibly can, and then I also find that if you have a technique of putting just random things in the middle, not just changing the A to an @ or the I to a 1 and so forth, but actually putting in even random spaces. Because when I look at it, how I've done it is I looked at how I do my word lists, and I do my masking and rule sets, and I try to find out what makes that actually confusing, difficult, what techniques they can put in.

Evil Mog:

The technique to make it difficult these days, if you really want to annoy us, is to use Unicode passwords or Unicode password characters. Those will not be in any of our systems. If you can go like chicken, Egyptian hieroglyphic, exclamation mark, pizza as the symbol, and then some actual characters, that will mess us up a fair bit. But words themselves will be broken down into tokens. So we've got new techniques now that are like, hey, you grab the four words from the 419 list, et cetera, that are easily memorizable. We have patterns for that now, which make that a fair bit easier.

That's why I do recommend, for your password manager, absolutely a passphrase, but you as a human aren't going to remember 400 plus passphrases. So that's why it's back to one total, if that. And still I think you should change your password, maybe not, and in Windows Active Directory do a quarterly guarantee just because. Ignore NIST in that regard. But for other systems that don't use an MD5, MD4, NTLM password hash or password equivalent, absolutely change them once a year, if that-

Joseph Carson:

That's what I get into. There's a whole long debate of, if you're using 2FA or anything, never change the password. I find that you have to get into at least some password rotation at some point. You just can't leave it as hoping.

Evil Mog:

Sysadmins leave, backup admins leave. Every time a backup admin leaves, you should be re-rotating your secrets.

Joseph Carson:

There we go.

Evil Mog:

Rotating your secrets, at least the critical ones. I believe enterprises don't put enough effort into rotating privileged secrets. We look at straight Active Directory because band views are your right. If I'm logging on to my Aeroplan Rewards points program, I'm not going to change that every six months. Quite frankly, I don't care. It's long, it's random. I'm going to change it on evidence of a breach, which the password manager will tell me about. But internal work Active Directory, you bet I'm changing my password at least quarterly. Privileged users, especially anybody with a path to domain admin, you should be changing every time you do a pen test, every time you lose a batch of admins, every time a person with access to that database, such as a tier zero domain admin, leaves, and then probably at least once a year on top of that. Which is why things like an enterprise password manager have different features from a personal password manager.

Joseph Carson:

Yes, absolutely. They do separate, and getting into where, with a personal password manager, you're still relying on the human to make good security decisions, to audit and check things. With the enterprise side, a lot of those can be automated and put behind the scenes to the point where even the person doesn't know the password. It doesn't need to be disclosed, and you can get to the point where even after use, especially for, I always get into the shared passwords or the non-human passwords as well, they can be basically rotated: API keys, backup keys, applications. You can have it as long as the application will possibly take, whatever that system accepts. If it's Windows and the UI, I think it's 128, and 256 in the command line. If you can put 256, then you should make it as long as you possibly can, because we don't need to remember it.

It's a system that does it for you, and then it can be rotated. So moving them more behind the scenes, getting them as complex as they possibly can be, means that, especially for service accounts and for your Kerberos ticketing and stuff like that, get it as complex as possible, because that will definitely make it harder for the attackers to elevate privileges, to laterally move, to do ticket attacks. You're making it as difficult as possible. And then with the human side, of course, is the MFA side: you want to have something that does that continuous verification.

Evil Mog:

Yeah, exactly. The most important thing I need to tell people about is make sure you have a backup of your authentication secrets or your emergency kit. The reason why I say this is, good example, my sister lost her phone about a month ago, run over by a car of all things, and so she didn't listen to her-

Joseph Carson:

Her phone, not-

Evil Mog:

Her phone, run over by a car. And she didn't listen to my advice about printing off a copy of the emergency kit and storing a copy in the safety deposit box. So she had to wait on hold with all of her various providers to go and reset her tokens. I'm like, will you listen to me next time? But yeah, I love seeing this thing where companies are buying enterprise password managers for their entire company. IBM does this. Every employee gets a password manager that they use for both work and then they get a personal plan that they can roll out to. So it's like we use 1Password, but they're all good.

So it'll roll off and if I ever leave Big Blue, never going to happen, but if I ever do, all my passwords stay with me. It turns into a family plan version that then gets converted over that I start paying for. And so we push all of our credentials into an enterprise password manager now so that we don't maintain secrets. It stores passkeys, it stores SSH keys, it stores SSH certificates, it stores multifactor authentication tokens, integrates into browsers. I mean, this is the future. I wish we had this 10 years ago.

Joseph Carson:

Absolutely. I remember starting off, I think it was with one of the early password stations back in 2001 I think it was, and it was great. I was a domain administrator. I'm responsible for hundreds, thousands of servers and I would never know the connections of all those and for me it was the next level from before that it was in spreadsheets and then you put the name into it because that's all you had before-

Evil Mog:

Passwords in spreadsheets and pen tests. That's how we get in a lot of the time.

Joseph Carson:

Getting the point. One of the things you said reminded me of a time that I was brought in to do a risk assessment. We found out that the problem was the organization was doing security in silos. They had patch management, they were doing training and EDR and everything. It was all separate but not integrated. Ultimately, the result was that the organization, after doing all of this assessment, found out about the employees that they wanted to make sure that not only were they safe at work, but also safe at home, because they realized that security didn't start at the organization, just at their own devices and laptops or in the network of the offices they had.

Security starts at the home of their employees and their family. And I think what you just mentioned about having the ability to extend software and security to families and having the family also getting protected, getting the value out of it. It also shows that organizations are taking employees seriously, not just their work life is important, but also their family and personal lives are important as well, because ultimately security does start at home. It starts with the people around you, and I think that's a great initiative. I think that's something that all organizations should look to IBM and take that and think that actually let's spread the security further out and get our employees and their families also secure as well.

Evil Mog:

Well, that's exactly it because it's no longer, especially with us working from home and quite often doing BYOD, et cetera, it's now about the entire person. The work and life lines are blurring a little bit, so it makes good business sense to secure all aspects of our employees.

Joseph Carson:

Absolutely. I think I've seen this evolution from bring your own device to, in the last couple of years it shifted to bring your own office, now that employees are still working remotely, maybe hybrid and so forth. And then also I see the shift to bring your own identity. Eventually organizations will not be provisioning identities. You'll be choosing whatever IDP that I already have an identity with, and then all you're going to focus on is the authentication, authorization, the security controls, the entitlements and compliance and so forth.

Evil Mog:

Well, we're seeing that with a lot of sites, for example. A lot of sites now have the option of sign in with one of the major cloud providers. Your Googles, your Microsofts, your LinkedIns, your Meta account sign on, call it social sign on, I believe is the term for it now, and it's built into a lot of the various IDPs and software packages now as an option. So like Keycloak from IBM now has it as an automatic sign on. We're seeing it in all sorts of platforms. It's actually really cool in that regard because you're right, we're bringing your own identity and then we're shifting that responsibility because me as a, say a small site owner, I'm not going to want to keep a massive password database, but if I get breached, I don't want that to be my problem. With risk, you can do one of three things. You can accept the risk, transfer the risk, or mitigate the risk. We're shifting from mitigating the risk to making it somebody else's problem.

Joseph Carson:

And they specialize. I mean they'll provide specialized capabilities around it and a lot more that a lot of those small medium businesses might not be able to do themselves to the point where they'll come with a whole set of features into multifactor authentication, into threat intelligence, into basically integrations. And it really enhances... The goal hopefully though, is we'll have that security by design built into its security by default, which isn't-

Evil Mog:

Absolutely.

Joseph Carson:

... there completely, but some organizations are moving to that point.

Evil Mog:

I'm still jealous of Estonia, your digital identity that you guys give to absolutely everybody. I wish every country would give me a cryptographic identity tied to my driver's license that I could authenticate myself with as a secondary layer. That would solve so many problems.

Joseph Carson:

I completely agree. I've been trying that for years to try and pass it on to... Other countries are taking it. Singapore, the same pass you've got. Tokyo, not the whole country of Japan, but Tokyo as a city is also moving that direction. Finland, Norway, Holland, Australia, UK have dabbled in it a little bit. They've had their starts and stops. They haven't quite got it there yet, but I think they're retrying again. I think every country should, it gets into it's one method of a trusted identity and they're getting the cryptographic keys that basically allow you to authenticate and to also have not just authentication, but it also provides you the authorization capabilities as well.

And that really allows you, as a citizen, to have the highest level of security when it comes to identity, where you possibly can. And I think it's great. I enjoy the services that the Soviet government has provided. I've been involved in it for quite a long time and assisted and participated in a lot of the architecture side. So I think it's amazing and I would love other countries to really adopt it because it is that true. You have that BYOI or bring your own identity capability there because organizations can also take advantage of that service.

Evil Mog:

Especially if you're sending it onto your password manager. If there was, say I'm looking at you Canada, if you rolled out a Canada-wide identity system, similar to Estonia, and you typed it into something like 1Password, then 1Password had the rest of your passwords, do you know how much that would change the world?

Joseph Carson:

Well, that's the exciting part where it's going right now with the digital wallets side of things. And the digital wallet will be not just your identity store, but it'll also be your active use store. It'll be your passport, your visas, your financial transactions, your crypto wallet, whatever you have in there. I think that's going to that wallet and then it'll store your credentials, your FIDO credentials as well.

Evil Mog:

Exactly, and especially now that they can revoke the things if they get stolen and there's methods to swap them out, it's from the infrastructure perspective, they've already got the whole apparatus to verify identities, verify people, the overhead processes. To me as an enterprise, I'm not going to go maintain an entire process for 1000% proving I am who I am. I'd rather delegate that to my country that actually does that professionally. I pay my taxes for this.

Joseph Carson:

Well, that's one of the services they provide. It's all about the population register and identities that really gets there. Absolutely. I'm with you on that one. I know that Canada is with DACA, isn't it? That's actually more part of that process there, so I know they're looking at it. They've got their own version of it, but I think definitely all countries will eventually have something similar. What's really funny is who knows you well as a trusted source, and it's typical. It's either the government, that's from taxes or population strategies register, or it's education, it's health, it's the postal office. Who else is it? It's the driver's license side of things.

All of those have some... Your banking as well, they all go through know your customer processes and verification and they all become possible entities, for example, into that trusted source. And as long as your identity can tie into one of those or you can have one that overlays across all of them, it changes the way that services are provided and also how data is more accurate, how it's more secure, how it's easier shared, and you've got better transparency, auditability, all of those are benefits that come out of that.

Evil Mog:

Yeah, that's why I think the password and authentication is going to evolve into the future. I mean, especially as we start talking to things like your AI bots, your additional services around the internet, we keep swimming into a conference talk. I mean, that's really the problem we're trying to solve. If it's going away from a single fixed static ASCII string to this long bit of a, say, a 4096-bit RSA key combined in with your fingerprint, your MFA, your other identity attributes, it's an interesting new world. I'm excited to see where it's going. Finally, we've been ranting about how passwords suck the last three years and now we're actually seeing some progress and it's really cool.

Joseph Carson:

Absolutely. Absolutely. I think it's great because a lot of the challenges, passwords have been important for 50 years now and a lot of the challenges they've introduced has really created innovation and new services. One of the things you just reminded me of as well, one of the things that Estonia is, and this was a debate I had with the government a few years ago, is when they introduced, they had this AI bot, which is called Kratt Law. It's based in Kratt law, and Kratt was this mythological creature of Estonia that would steal treasure for its master. I was almost like, crap, how are you going to get the citizens to adopt Kratt law? And after I saw it getting into implementation, it's amazing. It's almost like a mini me. It's my digital version of me. And what I mean by that is that all the actions I do, interactions, let's say with the government or within the systems, if I have to go back and repeat it, I can simply just say, do you want to do what I did before?

Absolutely, yeah. Just clicking it and it will actually do. So if you have a postal delivery and you did that declaration multiple times, you say, just do the same way I did it before because it's exactly the same process and it automates. It allows you to autofill forms and declarations and it saves the whole ultimate time of having that type of service, which is based on identity and based on authentication authorization. All of these things are built in based on the Estonian digital identity. And what it does is it saves time. How much time is people wasting on trying to reset passwords and trying to get access to systems-

Evil Mog:

And nobody likes entering in a password. Let's be honest. The entire process is completely abysmal. Have you ever tried to enter in a complex 16-character password on a virtualization server's console where you're logged into single-user recovery?

Joseph Carson:

And the keyboard is not the same language?

Evil Mog:

The virtual keyboard. So you're clicking with your mouse as you're going through and, heaven forbid, you type it wrong and then you have to re-enter it again. It's the worst.

Joseph Carson:

Actually, that's one of the reasons I still have here in my office various different international keyboards, so that if I run into those problems, I have to look at the language, say, okay, the keyboard's set in this one, where are the characters on the keyboard for that? It's the problem's without...

Evil Mog:

We have to do that with X-Force all the time because we do these remote penetration testing machines and say the machine doesn't connect back to us. I'm doing a WebEx or a video conference with somebody and say, I'm working from the US, but I'm working with a French customer. And they use the AZERTY keyboard or the QWERTY keyboard layout trying to type the password in. It's getting translated by the video telecom software and their screen share, and this is why I no longer have hair. When I started in this industry seven years ago, I had a full head of hair. It's gone now.

Joseph Carson:

For me, I didn't have any gray hair. Now it's coming on full on. So one of the things, what's your advice to the audience when it comes to what are some of the best practices or steps you think are starting points if organizations-

Evil Mog:

Most important thing, if you don't have a password manager, get one. As a personal individual, I even store my work passwords in there because at least my passwords are going to be random, long and next to impossible to type. Now I've got a controversial opinion for enterprises because it could cost a lot of money. I believe that enterprises should provide their employees some kind of a device to access a password manager, and the password manager, so that they no longer have to remember their Windows Directory passwords to sign into their workstations. Password manager, make sure they're random, make sure your passwords are a minimum of 12 characters and completely random, looking like line noise when they're stored in. I mean, obviously longer is better, but from a general, if you need to type something in frequently, that still provides a high level of entropy. I mean 14 characters even on NTLM, randomly brute-forced, you have bigger problems of it being stored in memory than us brute-forcing it in time.

The reason we say to have longer passwords is because if you're using passphrases or English words, then you just want to extend it out as long as you can. So yeah, get a password manager, rotate your passwords, know where your secrets are, and the most important thing, please print out your emergency kits, because if you lose those authentication keys and you lose all your access, you're calling customer support on 400 plus accounts and I don't have that much time. You don't have that much time. I mean, even if you assume your time is worth very little, you'll be spending so much doing it that you just give up and ignore the accounts.

Joseph Carson:

Absolutely.

Evil Mog:

Just store those separate from your phones. Ideally outside of... somewhere secure, print multiple copies of it and put it on archival grade paper as opposed to junky low grade paper because that stuff will degrade over time.

Joseph Carson:

Absolutely. Very, very wise recommendations, and absolutely. Are there any resources that people should look at, online resources or places you go to that would help them with best practices?

Evil Mog:

I mean, the problem with resources online is we are all still debating publicly which ones are the best practice. For example, NIST publishes their password guidance that says you never have to rotate passwords. And there's people like me who are arguing the technicalities. The majority of the resources out there are pretty good. It really depends on your risk and threat profile. Assume though that your primary risk these days is criminal organizations trying to steal money, whether it's stealing money directly or this new scam called pig butchering. I'm not sure if you've heard of this one, where they'll steal all your information and they'll try and apply for a bunch of loans in your name to fatten you up, and/or get you investing, and then they'll go butcher the pig, steal everything out. So really, even if you think you're worth nothing, you are worth a lot of money in the market based on how much money they get out of you.

Joseph Carson:

Whatever your credit score is, if it's good, you're a target. That's ultimately if you can get loans, a stolen identity can lead to somebody being able to get loans. That's one of the things.

Evil Mog:

And you're never going to get rid of those debts. I mean some of them get up to a hundred thousand dollars out of these loans, predatory 30% interest rates. That's also your problem. They don't care.

Joseph Carson:

Yeah, they don't care what the payback is because they're never going to pay it back. So Dustin, Evil Mog, it's been awesome having you on as always. Enjoy catching up and looking forward to catching up with you in the near future. Looking forward to more of your talks. So how's the best way people can follow you and follow your research and contribution?

Evil Mog:

So oddly enough, I post a fair bit on Twitter. Now I will warn you it's mostly dad jokes, even though I'm not a father. I did a full talk.

Joseph Carson:

I do love the GIFs. What was the recent one you posted? I'm trying to remember. It didn't have me shuffle bit.

Evil Mog:

I posted so many, but yeah, so Evil_Mog on Twitter. I occasionally post some security content on there. The rest is all guaranteed to be dad and cat jokes. The funny part is I'm not a parent that makes me a faux pas. So we're good there. Also LinkedIn, I'm Evil Mog on LinkedIn. I post more business stuff there, but once in a while on talks, as you've probably noticed. Yeah, I'll post most of my research on there.

Joseph Carson:

Absolutely. What we'll do is I'll make sure in the show notes that we have the link back to the BlueHat talk that you gave, because that was always great on NTLMv1. So it's a great session with the awesome demo as always.

Evil Mog:

And if any conferences want me to do that, I can do it down to a 10-minute demo now. So I'm happy to re-record and do that, when I've published it virtually everywhere. Please, for the love of God, turn off NTLM version 1 by checking the LAN Manager compatibility level.

Joseph Carson:

I think that we're going to leave that as the final recommendation. But also many thanks for being honest, and hopefully I'll be able to catch up with you at a future event, I'm pretty sure. So to the audience, the awesome Evil Mog, giving you the current state of passwords to the future and some technologies, best practices to really help you reduce the risk. So everyone, tune in every two weeks for the 401 Access Denied podcast. Really here to bring amazing guests, world-knowledgeable experts in their fields to really provide you with what's happening, what the trends are and the ways in order to actually reduce the risk and ultimately make the world a safe place. So again, thank you to Evil Mog and everyone, stay safe, take care, and all the best.