Episode 117

Mastering Passwords: Strategies for Security with Evil Mog

EPISODE SUMMARY

Executive managing hacker at IBM X Force, known as Evil Mog, is a specialist in authentication security research and passwords. He joins Joe to discuss modern methods for abstracting passwords away from human decision-making and moving them into the background for stronger security. The two discuss how strategies for password management vary depending on your compliance needs, dependencies of legacy systems, and goals for user experience. You’ll learn best practices for managing enterprise passwords and other shared secrets to reduce user fatigue and avoid credential theft.


Joseph Carson:

Hi, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea. And it's a pleasure to be here, and I'm always enjoying fun topics and things that get me excited and interesting. I'm going to welcome back one of my favorite guests of the show. I think this is maybe a third or fourth time coming back in the episodes. Welcome to the show, Evil Mog. You want to give the audience a bit of a background, what you do, some fun things about yourself?

Evil Mog:

Yes, I'm Evil Mog. I am an Executive Managing Hacker over at X-Force and a senior technical staff member. With all the changes, it's hard to keep up. I'm a quasi-retired member of Team Hashcat. I say quasi, because I get too busy at DEFCON to compete anymore. But for years I used to go compete in the Crack 5010 competition, we won a number of times, but we've been getting ourselves beaten recently by new up-and-comers, which is great. That means we have a good healthy talent pipeline. But I specialize in authentication, security research and passwords.

Joseph Carson:

Fantastic. And I really enjoyed, one of the things, you made my DEFCON this year. I so enjoyed Jeopardy. It was so much better than it's been of recent years and it was so much fun. So you definitely... And Malware Jake, you both kept yourselves running for quite a bit there, so it was actually very, very, very fun. Thank you for that.

Evil Mog:

Hacker Jeopardy is just such a long slog. It's great. Don't get me wrong. So for those who don't know, I'm a long-running Hacker Jeopardy world champion, I've now won two black badges at DEFCON because of it. And in fact, I got my entire team black badge this year. So if you need a mercenary to go compete in your team, I tend to be open.

Joseph Carson:

You have convinced me. We will join forces in the near future for this. But it definitely was very entertaining and definitely I always enjoyed getting to go, and just, it's so entertaining, it's so much fun. So thank you for what you contributed this year, it definitely was a good one. So on the episode today, we're really focusing in. We've got cyber security awareness models, we've got world password day, we've got all these things that focuses around passwords. And one of the biggest themes is really about creating strong passwords, and also focusing in trying to get people to use more around password managers. Give us some of the background. Where does passwords evolve from? Where did it start? Why did it start? And are they still...?

Evil Mog:

Well when people think passwords, they think of something they enter on their keyboard, but realistically all a password is is a shared secret. You need to prove to a computer or a system that you are who you say you are. Passwords exist in everything from routers, switches, to your phone, to Windows Active Directory, Linux, Unix. And with passwords, passwords are stored in a very unique way and it varies between systems. Which means comparing password strengths, a password on say a Windows laptop, not to blame Microsoft because they know what they did, versus a modern day Unix system, a short eight character password could be very weak on Windows, but extremely strong on a Unix system. When I say strong, I mean all these lovely things called video cards, graphics processing units. These allow people to do an offline attack against passwords extremely fast, or extremely slow depending on how the password is stored.

Computers don't store a password in plain text. When I say plain text, they don't store a password as password1!. They'll run it through a hashing algorithm, and then a number of other methods to diffuse, confuse, and otherwise make it so it's not stored in that very same way. So verifying that password requires a lot of compute. For the average logon, that's totally fine. If it takes up to half a second, that's totally cool. But for a GPU it slows things down. So Windows uses a technology that unfortunately was broken back in the '90s, MD4, UTF-16LE encoded, and that's really about it. Microsoft's overhauling this by the way, and by Windows 2027 that's going to be a completely different story. Versus the other systems it's not quite the same. The problem is the standards for what you can have for a password are really the same across the board. People change their password every 90 days from summer1 to summer2, or summer2016 to summer2017. You get the idea.

Joseph Carson:

Or they're simply using their kid's, or cat or dog's name with a year.

Evil Mog:

Exactly, right?

Joseph Carson:

Something easy to remember. And to your point as well is one of the things I think we talking about many years ago, passwords used to be stored in clear text in a file and of course then they moved to the hashing techniques, which is that one directional hashing format. And with that, I think one of the things is that for me is when we're creating passwords, humans, we're not the greatest at creating passwords. That's one of the fundamental flaws is that we are sometimes left to make that choice. And over the years, I think back when I was getting really started my career, I only had a handful so I could create something that was quite complex and quite easy for me to remember, but today the amount of credentials and passwords that I have to maintain is just so much.

Evil Mog:

Anyway, you have about four different accounts logged on, you get your pizza place, your airline reward points, your hotel reward points, and here's the problem, you log into your library, they don't have the money for an IT guy, they could be storing your thing in a plain text password format. If you use the same password on say your Delinea laptop as an example, all of a sudden your library gets breached. Now your laptop gets breached... share credentials on the dark web. It's turning into a big business.

Joseph Carson:

Absolutely. One of the things for me is that when I'm signing up for new accounts and so forth and you're going in and it gives you, "You need to create a password of eight characters that has uppercase, lowercase, a special character and so forth." But what they're not telling you, to your point, is how are they storing that password in the background?

That's actually become something that they should be making transparent is that they are applying stronger algorithms into storing the password. It's not being stored in clear text because right now, for many people creating a credential, it's almost like a black box. You don't know how it's stored in the background.

Evil Mog:

Well even if they are telling you, there's no way you can verify because they're not giving you access to their source code. They're not going to go publish it. Or if they do publish, is it open source? Who's to say they haven't gotten it modified and there's a Trojan sitting in memory or, or, or, or. Right? Here's the thing, there are two types of companies in this world, those that have been breached and those that have been breached and don't know it yet.

Joseph Carson:

Absolutely. So one of the things, getting to that, I guess how do we get better at creating a password? What's your recommendation for a strong password, how would you master it? What's the method?

Evil Mog:

The only password that's any good is one that I don't know, long, random and looks like line noise. Barring that, the password stored in my password manager. I mean I know you folks do password management for enterprises, Big Blue goes out and hires one for every one of their employees. They buy 1Password for an example, they buy the family plan for us all and then we keep it whenever we leave. But honestly, the only way of doing this is making sure everybody on the planet has a password manager of some type.

But more importantly to that though, backing up your recovery kit, your emergency encryption keys, your password, still all those and storing them in 30 different locations. I've got one in my safe deposit box, one in family recipe book, one out on the farm. They're everywhere because who knows when my house burns down and if I lose my digital life and everything's tied to it. But then you're still tied with a secret though, right? You still need your secret to the password manager.

So that one, honestly, sentences these days are really good with mild modification, random arbitrary words. Yeah, you're still going to get around. The whole humans are bad generating passwords, but it's memorable to you and you can keep it for a couple of years and change it every once in a while to make sure it works. That's good enough. You have 20 characters long, kind of a sentence, that's hard for a machine. Guess what? It's 2024. You put spaces in your passwords now.

Joseph Carson:

I love spaces in the passwords and not just between the words but actually in the middle of the word, which...

Evil Mog:

Really. You can actually do emojis now too. You can do the chicken face poo emoji, the cake, whatever else. Those are totally okay and they're Unicode strong. So yeah, I use them especially in Windows.

Joseph Carson:

Absolutely because for me, when I'm thinking of something that will break my rules of my word list, because one of the things is when I'm cracking and trying to brute force passwords, I'm only as good as my word lists and my rule sets and my masks. That's of course the GPU part I've got behind it. But the word lists and understanding about the method that people create passwords. The moment they start doing something random, it just makes my computational process..., it increases my cost to try and crack passwords and that's one thing I don't want to have is a massive bill at the end of the month. I was just trying to crack passwords, that's impossible or just my computational power would never be able to do it in the time before that user or person changes it.

Evil Mog:

Last thing, we all shouldn't be using the cloud these days because no one can afford to get GPUs with this AI boom. Right? I mean good luck finding yourself in 4090s and everything else... for training. Now it's, "I'm going on to AWS, IBM cloud, Microsoft, having to go buy these old L40s GPUs or God forbid you buy the H100s, it's running for 95 bucks an hour. I am sorry I'm not made of money and if I put a chicken emoji, I'm Japanese character for Joy German with the whatever... or whatever, The one with a French hat, exclamation mark, exclamation mark. I'm sorry I'm not typing that or put that in my rule list. It's just not going to work.

Joseph Carson:

Even one based in Estonia is using the Estonian special characters. Even just adding one of the random vowels that they have just messes up all the rules and it becomes very, very challenging for those who specialize in this, governments, those who have the resources behind it. Of course they're going to be able to find...

Evil Mog:

We're going to get in.

Joseph Carson:

The ones where it's really...

Evil Mog:

We can... out.

Yeah, how much GPUs did we haul out?

Joseph Carson:

Yeah, so we're trying to stop just the easy basically cyber criminal or gang definitely where we are able to make a difference there for sure, making it as difficult as possible for them.

Evil Mog:

The Europol is going to get you. For example, we hauled out something like four or five terahash per second of GPUs. It was just disgusting. And we still got trounced by a bunch of guys in their basement who figured things out faster than we did. So it's stuff like that that gets kind of rough. But here's the thing, passwords are evolving too. It's no longer just about a password, right? There's things like passkeys that can be synchronized now between we're abstracting away passwords themselves. I think that's honestly a good thing. People cannot be relied upon to memorize passwords.

Joseph Carson:

Absolutely. The more we move passwords away from the human decision-making or creation and we do it systematically, programmatically in the background, I think the safer the world we live in will be.

Evil Mog:

Exactly.

Joseph Carson:

It really means that we're making it difficult once it's getting into programmatic in the background. And it's really about creating those temporary keys, additional factors of authentication, looking at different proximity or impossible travel scenarios and context-based security. That just increases the complexity for attackers to really make it even ... for them to be able to compromise.

Evil Mog:

I loved context-based security. IBM is going this way as well. A lot of our products, which I'm not going to be a product shill, this is a different podcast, but we're looking at things like you can't teleport, I can't log in from Estonia and then five minutes later from Calgary. We're looking at, am I logging in from a Mac and all of a sudden from a Windows device, changing from Chrome to Firefox to Brave and then back again rapidly? There is the, am I logging in with my allowed time zones?

If it's a privileged user, should I be logging in from Estonia in time? Well I'm normally Calgary based from nine to five? All these things are kind of adding up and the major cloud providers like the Googles of the world are already checking these, Microsoft's bringing out things like conditional access. So in that regard, a lot of these new requirements to not change your password are making a lot of sense. The problem is you've got your traditional on-prem rules. NIST just released a bunch of new rules these days that stated, you no longer need a mix of characters, uppercase, lowercase, special and you can no longer require a length more than eight, which don't get me wrong in an Azure joined Entra ID, I believe it's Entra ID.

I think they can change the name in the last year. It used to be Azure ID, but in that kind of an Entra ID Microsoft's world where everything's tied to conditional access policies, that's totally perfect, but say you're traditional on-prem, back in the Dino age, classified environment, you'd better be changing your password every time a domain admin leaves, the system main leaves, some of the path of privileged leaves, these kinds of things because again, we're using a password format that was created back in the nineties.

Joseph Carson:

Absolutely. I think you're raising an important point there is that yes, there's a lot of these new technologies coming up, but a lot of cases even just like Microsoft have had to do is they've had to basically support NTLM for the last 20 years because of backwards compatibility. Even though if you're using things like the Entra IDs and the Azure IDs is that you're using a lot of the latest but because of the backwards compatibility, because of the integrations and interoperability between all their systems, they still had to leave those fundamentals.

I remember when they were changing a lot of the requirements for, I think it was the macro and they disable it by default and then they had it enabled by default and then they were talking about old Exchanges and the standards. It's just because of that legacy all systems that we still have to deal with a lot of the older technology. It means that yes, I could go and apply some other standards to my more modern technologies, but it's just not going to hold up in some of the legacy stuff that many organizations are still using.

Evil Mog:

And you never get rid of the legacy, right? The legacy can be tied to a mainframe. It's some old CNC machines making millions of dollars. The problem is Windows specifically, and I hate to carp on Windows, but that's what the majority of the world uses. You could have a 128 character random password and it doesn't matter because if someone breaches your environment, password hashes are password equivalent, specifically the NT hash in Windows. So that credential needs to cycle. If the hash is known, no one cares about the password.

This applies for example in NTLM version one, reversing to NTLM using the DES cracking method that people are using these days that makes ... a lot of splash. You need to specify a domain admin or a domain controller passwords need to cycle every 30 days automatically. I'm not going to get to the point where I have privileged users cycle unless I have an enterprise password manager like a Delinea or your 1Password or whatever is in your environment. You need those kinds of systems to secure an additional on-prem.

Joseph Carson:

Absolutely because it's able to make sure that all of those accounts, both legacy and new, have the same consistency applied to them. It has the ability to make sure that they're rotated, that even if an attacker does compromise a standard user in one place, they can't find ways to elevate to move around quite easily. I will say it forces them to repeat their techniques over and over again and the more that they're forced to do that, it creates that noise in the environment. When you start seeing noise, then it gives you an early indication that something's happening. And that's just...

Evil Mog:

There is the migration path though, thankfully. Windows for example, supports certificate based sign-ons. So you can use things like the Estonia digital ID or PIN for sign-on with rotated backend passwords. There are other methods that can basically abstract the password away. If I were CISO tomorrow and bought every one of my employees a cell phone, or a cheap Android device, or a cheap device of some type, I'd store the enterprise password manager on there and I'd just say, "Look, your Windows passwords must be completely random and you're going to type it from your password manager as opposed to one that you remember." At least that solves the problem. It's just... Microsoft is moving away from ...

Joseph Carson:

Even getting to the point as well as we're moving towards more of the digital wallet scenarios, is I would even try to get them at least where some type of facial or biometric is also part of it as well.

Evil Mog:

Yeah, like Windows Hello.

Joseph Carson:

Windows Hello, face ID and all of those things and biometrics. It's pretty much available in most modern smartphones today and some laptops. They're also kind of and tablets and so forth. So just really getting where the user experience is. Basically passwords are in the background. We are moving to that passkeys, which is that that can be unlocked at the edge device through biometrics and I think that really, we make the experience better. And that's what we're getting into as well is that most of the consumer world is already in that experience today. So to get that same experience in the enterprise, I think that will definitely have a fundamental shift and make it really difficult for attackers.

Evil Mog:

Well it's all about friction removal. The thing is businesses are set up so that they will route around damage. There's no company in the world that's in the business of being secure. They're in the business of making money. It's like an example, the most secure system in the world is encased in concrete, at the bottom of the Mariana Trench, controlled by submarines. Is it useful? Probably not. It's the same deal. If someone can't sign into their laptop to go make a high-frequency trade, they're going to figure a workaround fast because if they lose millions of dollars waiting for that trade or they can't run that CNC machine or the MRI machine, what's the entire point? So we need to make it so that it's literally automatic. People sign in or it's as easy as possible to do the right thing because they're going to find the easiest path possible. Build the best system in the world, put a user in front of it, watch them for a day or two during the ...they're going to find all the holes for you. Why hire a QA team when they'll find it?

Joseph Carson:

Absolutely. That's actually one of my fun things is that in the past I've always put myself in the situation where I always want to know what it's like to be in my customers', or in the person I'm serving, kind of shoes and in their chair. And over the years I've always... I remember doing Contest and years ago I wanted to understand about, how can I help them do their job better? And sitting and just watching them for that period of time allows you to get some of the surprises because they're really focused. How they get measured is very different from how I get measured, but ultimately I need to make sure that they're being successful. So I need to always map my metrics and goals to help them achieve theirs. And fundamentally, I came up with a motto right after that, after sitting and watching many users either struggle or be successful at some things.

And I'll say that anything that I put in place from a security perspective should always be better than the previous experience and it should make their lives better. Not just about improving security and reducing the risk for the organization, but it should make the actual employees' lives better. It's something they should want to use rather than something that creates friction. The last thing we want is friction because it puts people down the path that you mentioned, is, "We'll find alternatives. So we'll find workarounds," whether it be just simply writing things down on sticky notes and putting it on their table, which is okay if that is a locked room and a closed protected key.

Evil Mog:

That's still better than having the same password everywhere. My dad had all his passwords written in the family recipe book. We'll say, "Hey, isn't that insecure?" Hey, if you want to break into the family farm with the senile old guy with a shotgun that shoots first and asks questions later, you are welcome to it.

Joseph Carson:

Even a lot of my peers, and I've seen on social media, sometimes I see people posting the password book online and saying, "Oh, this is shocking." And I'm going, to your point, "If it's at home in a locked safe, it's better than using the same password everywhere. It's better than using something that is easily guessable and crackable." It's something that's physical, that if an attacker wanted to be able to get access, they'd have to physically go and get it.

Evil Mog:

Yeah, it's a good backup. I mean computers die. I've got all my passwords printed out. I archive once a quarter just to be safe and it's stored in archive fireproof paper in a fireproof safe somewhere far away from my house just in case because I'd hate to lose my entire digital life because my phone died.

Joseph Carson:

Always reminds me, sometimes people come to me and ask me for help in dire scenarios. And I've helped organizations, critical infrastructure, recover from ransomware attacks and other types of incidents. The one I always remember was there was this small family run business that had been basically attacked with ransom. And ultimately when you get into it, their business and their digital personalized were all of one. They were all merged together. Ultimately you're looking at the impact that their digital life of their entire last 20 years had been visibly erased by the ransomware. And you're thinking about that, when I start thinking about it's not just about the business financials and their invoices and contracts and all of the things that they've had business wise, but it was also their family photographs.

And when that person was going through the details, they were telling me that it's their family photos of family members and videos of grandparents who had passed away many years ago and they have no record of that remaining. And you're getting into that scenario, but having a strong backup, having the ability to make sure you're protecting your digital life and to your point is a lot of that is the credentials. It gives you access to that. I remember talking with a bank one time and they said, "You know what? When you have financial fraud, it's easy sometimes to get your money back, but when you have identity fraud or identity compromise, it is so difficult to get your identity back." And even when people lose credentials or their accounts get taken over the process that they have to go through just to recover that is as difficult as you can possibly think of.

Evil Mog:

It'll take you years. It's impossible because you've got to bootstrap your identity. You've got to prove who you are. You need to get a baseline, you've got to be in support for say your Google, your Microsoft. You've got to give a blood sample and fingerprints and show up with multiple notarized things and use that to get other identities back. Meanwhile, trying to do these resets with 400 different companies. You'll just never get it all back.

Joseph Carson:

Absolutely. I think that's one of the scary... I'll never forget that case. And it was one of those things that ultimately I helped the person negotiate and deal with the criminals, but it always made me fear, how can I stop and reduce the risk of that happening to me? And to your point is doing all of these multiple things of resiliency, of backups and alternative backups, not just of my data but of my credentials as well and making sure there's multiple paths into those. If at some point in time a password doesn't work, what's the other way I can get access? Is it through a passkey or through a hard token? Is it through a recovery key? And really looking at the ones that are important for me because sometimes your email is in a lot of cases your recovery into a lot of those credentials as well.

Evil Mog:

Here's the thing. How many people go buy a YubiKey for example? Problem is these firmwares have breaks or compromises or essentially stop getting supported by Google for example. So you've got to go make sure your most recent keys are up-to-date, then back up your backup keys. And we try to say we're now nice and evolved with the authentication space, but realistically multifactor authentication is still a pain. It also goes back to say the end user experience.

I'm prompting for every single log on for a hard token or a Google Authenticator, every single transaction and I do a thousand plus transactions a day, someone's going to work up some kind of script or a little rubber ducky that presses the button all the time just to go get around that. And that's no more secure than the way we used to be. People get authentication fatigue. I can probably tolerate four or five authentications a day before I get really, really annoyed. So I'm doing this a hundred times a day. It's easy for an attacker to go slip in authentication request. You go, "Oops. Yeah, that was accepted."

Joseph Carson:

Yeah. What I really like now is a lot of the services now provide you some type of magic link or if you're already signed in on the phone, simply even a QR code to really simply just make it seamless does make that experience much better.

Evil Mog:

I love Nintendo for that, like with the new Switch where they just put a QR code up to go sign in. I sign in from a phone, click, I'm on the eShop. That's so much easier than trying to enter in your password, especially if it's like 20 characters long from a controller. It just doesn't work like it used to.

Joseph Carson:

Absolutely. And I never forget, I remember having to do that on things like Spotify and Netflix and Disney and all of the other streaming services just like this is going to be impossible to do it on the PlayStation or on the Switch or something.

Evil Mog:

It's why I never bought a new TV. You get a new smart TV with all these sign-ons and you have to move all your stuff signed over and signing back into Netflix and you buy a new gaming console. It's not...

Joseph Carson:

Especially because the likes of me and you, we go with that. What's the maximum number of characters I can put in as the passwords and to type that in is and go through? And sometimes if you don't have that color coding into whether, is that a number, is it uppercase, is it lowercase? What is that symbol?

Evil Mog:

Sometimes that character doesn't exist on the keyboard, right? And you can't sign in with that character on the keyboard. You're like, "Well, I guess we changed the password from the backend and go call support because it's not..." No.

Joseph Carson:

But yes, I love some of those services that I really have made it much easier if you're already signing in one device. The pairing of accounts, I really think that's a great way of, "I've already authenticated very strongly and one device make it easy for me to pair so I can actually easily log into desktop or laptop and so forth." So absolutely, the better we make the experience, the more people will want to use security and then the more we make it difficult, what's some of the things, if you're looking for suspicious activity indicators of compromise or indicators of accounts being tensely, being attacked, what's some of the things you look for? What would you look for to ensure..?

Evil Mog:

My favorite is I'm sitting around having a beer late night and I get a notification on my phone going, "Someone tried to change your password, but it failed multifactor authentication." That's indicator number one. Number two is say I'm signing into the site and it says, "Oh, you last signed on from Estonia." I'm like, "Well, as much as I like Iceman and Joe's over there, I'm not going to be coming to Estonia anytime soon. This is probably not me." Or I start seeing weird suspicious things ordered.

But realistically that's the problem. You won't really know you're compromised as a consumer unless you're monitoring all these logs which you don't have access to or until you see suspicious activity. So that's kind of the curse is if you see weird things happening, people signing in, notifications, extra users on your Netflix, that's a big one where it's like, here's a random extra icon. How many people sign into all their accounts once a year to go look for activity? I mean four or plus accounts, good luck on that one, right?

Joseph Carson:

It is difficult. I categorize my accounts into risk. So from my personal side, I've got my password manager, which I've got categorizations of risk. So the higher-priority ones are the ones I will check for sure. And then there's the ones that...

Evil Mog:

Yeah, your banking, that kind of stuff.

Joseph Carson:

Banking, email, some subscription stuff that might have information. Your healthcare piece is in there. So you really categorize it into what's important for me and what do I want to make sure is as difficult as possible. And then I've got medium risk ones and I've got low risk ones, which, if anyone gets access, there's nothing really they can do with the data that's there. So I've got to categorize those risks. But then I spend time on a periodic basis to go in and look at the logs, activity logs. And it is a bit frustrating because in a lot of scenarios you're going to have lots and lots of failures. You're going to see lots of attempts and it's indicating which ones are the ones that you should focus on.

Evil Mog:

It's when they succeed that I'm worried, right?

Joseph Carson:

Yes. It's when they succeed because that's the ones, especially if you've moved to, for example, a multifactor authentication where it's a simple notification log on. What I really like is definitely the matching of the numbers side of things because the randomness makes it more difficult to compromise. But you're looking through that. Sometimes I wake up in the morning, I'll see, "Multifactor authentication attempt failed," because somebody's trying that push notification. Just like, okay. And then you go in and you'll check the logs. One thing you have to be careful of, and for the audience is for sure, is that sometimes even phishing campaigns are using, "Suspicious activity found on your account. You want to log in." And some phishing campaigns are really trying to take advantage of that as well, making you suspicious that your account is compromised. But actually the suspicious activity email notification is the phish itself.

Evil Mog:

So I think to ignore the emails, like log in, this is what I wish every account would do is give you a notification of log-ons within the platform as opposed to that email because email could be spoofed heavily, but the actual log on, I mean, unless somebody's compromised the site and at that point, what's the point? They've already got all your details, right?

Joseph Carson:

Absolutely. So for the audience, what's some of your favorite go-to places to stay up to date? How do you stay educated? What are some of the places you go for learning and to stay up to date with some of the new technology and changes?

Evil Mog:

I see a lot of news sites. I spend a lot of time on The Register. I like those guys. They do a fair bit. There's your traditional Packet Storm. I still use Slashdot somehow. Now, this is terrible. I still use Twitter and no, I refuse to call it X. I'll be deep in the cold ground before I call it X.

Joseph Carson:

I do love your memes though.

Evil Mog:

Oh dude, I love my memes. There's a little bit of security content and lot of memes.

Joseph Carson:

That rib sandwich was pretty. I was a bit peckish when I saw that. It was like, okay.

Evil Mog:

Yeah, I stole that from Discord. So that was actually pretty good. Yeah, so those that don't know, I repost a lot of memes from Meta/Facebook onto Twitter. Some of them are rather entertaining. There's a little bit of security content on there. There's a lot of pictures about my cat, stuff like that. So if you want to get a laugh, Evil_MOG is kind of entertaining in that regard. Promise there's no actual real content. Well, there might be some, but it shows up. But yeah, where I go to check out is a lot of Discord, a lot of X/Twitter, a lot of just randomly browsing the internet to look through the news because oddly enough weird things pop up in the news all the time. And then just word of mouth. And occasionally you have the odd NIST standard. If you want to go fall asleep at night, go read NIST.

Joseph Carson:

If you want to get your kids to bed really early, start reading them. The NIST.

Evil Mog:

NIST, PCI, the various auditing compliance standards. I love compliance. It keeps people honest, but it creates a lot of work for most. And it's like you need to be a lawyer to understand half of these specs sometimes.

Joseph Carson:

I think it was a classic picture of me reading my book to my kids and the kids are just their faces. Just like, "Look at what he's doing to us." So definitely good bedtime stories, any of those compliance and regulatory standards.

Evil Mog:

Of course podcasts like this are great.

Joseph Carson:

So Evil Mog used to think.

Evil Mog:

I was the only source or news is the only source to stay up to date now. So I'm not a worthy expert. It's like, so yeah, listen to me. I think.

Joseph Carson:

No, I think absolutely these are for the audience, it's always good. It helps them get that quick stay up-to-date informed about some things they might want to learn more of, and then they'll go in and look for other sources of information for sure. But Evil Mog, it's been awesome having you on. I always enjoy chatting with you and definitely it's always great seeing you at various conferences throughout the year and hopefully we'll be able to catch up again soon. So I'm looking forward to it.

Evil Mog:

Yeah, thank you. And last piece of advice for everyone, use a passkey because they're great.

Joseph Carson:

Absolutely. Passkey and a password manager. That's definitely the minimum standards for sure. So any final words of wisdom that you would like to show the audience? What way would it be best for them to contact you other than on Twitter?

Evil Mog:

LinkedIn also. So my LinkedIn username is Evil Mog. I'm easy to get ahold of on there. I actually trademarked Evil Mog as well in... in house. But yeah, Evil Mog on LinkedIn, track me down. I'm easy to get ahold of and approach.

Joseph Carson:

Fantastic. Excellent. So thanks. It's been awesome having you on the show as always. It's always great catching up and chatting with you, and hopefully I get to see you soon. So for the audience, every two weeks, tune in for the 401 Access Denied podcast. We're always bringing ideas, thought leadership, new hot topics, and really things to help make the world a safer place, not just for your organizations, but also for you and your family. Because everything we talk about here is not just about keeping your organizations and business safe and you safe, it's about actually sharing that around with your family and the people you work with and the people you basically socialize with. So hopefully this is something that will help you stay safe and educated. So everyone, take care. Stay safe until the next time. Thank you.