    Episode 79

    The State of Passwords with Dustin Heywood (aka Evil Mog)

    EPISODE SUMMARY

    World Password Day is always a good reminder to take a closer look at the state of our password security. To celebrate the holiday, the 401 Access Denied team brought in Dustin Heywood, aka Evil Mog, to discuss how cybersecurity is evolving around passwords, and if passwords are indeed really dead. Join us as we look into our crystal ball to predict what the future holds for passwords.


    Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

    Joseph Carson:

    Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the episode today, Joe Carson, and it's a pleasure to be here with you. I'm the Chief Security Scientist Advisory at Delinea, and we have an awesome guest returning again to the show. It's been a while since we've spoken, so it's great to have Dustin, aka EvilMog, back on the podcast. So Dustin, for those who are new to the episode and who may not have seen the previous ones, can you give them a little bit of background on who you are and what you do?

    Dustin Heywood:

    Yeah, I'm Dustin Heywood, otherwise known as EvilMog. I am the chief architect of IBM's X-Force team of hackers. I'm also a member of Team Hashcat, bishop of the Church of Wifi and generally involved in all sorts of password-related shenanigans.

    Joseph Carson:

    Fantastic. I want to bring up today's topic, which is always something that's been controversial, always something that will continuously be discussed for probably quite a few years to come: are passwords really dead? And what does the future hold for passwords? They may be under different names, different terminologies, different analogies, but in your opinion, I just want to get your thoughts and input. Are passwords really dead? Are we seeing the decline of them? And what does the future hold? So, just give me your thoughts on this.

    Dustin Heywood:

    Well, let's go to find this here. I mean, are passwords really dead? That's kind of a loaded question. I'm going to turn this around: are shared secrets really dead? That's never going to end. Really, all a password is, is a cheap form of shared secret. Privileged accounts, privileged passwords, shared secrets, those will always live. Your corporate Active Directory, you're going to see those still. But we are shifting away to newer forms of authentication to servers. Let's look at Linux, for example.

    I never enter in a password anymore. I use either an SSH shared key or an SSH certificate. But that still, at the end of the day, ties down to a shared secret somewhere being stored. A user logging onto a bank, for example, might have a password stored in a password manager that they never look at. There might be WebAuthn, OpenID Connect, so that you're seeing users no longer need to enter in passwords. But from a corporate side, they still exist and they still need to be managed regardless of how they're being abstracted away.

    Joseph Carson:

    Absolutely. So really what we're talking about is that, simply, a password is one form, but in reality what we're still talking about is the secrets, is the shared secrets and even private secrets that no one even else needs to know, is really the form and the password's just one variation of that. And what we should be really talking about is secrets in general. It should be the proper term as we are talking about the higher level up method of verification, authentication, authorization, which is that secret. And a password's just one form, one cheap form of basically being able to authenticate or to use that. So for me, absolutely.

    I think getting into, really, for me, passwords still are not really kind of, I think, the form and use of passwords is changing. It's no longer been that continuous, interactive exchange to gain access. The password itself has probably been re-termed as the passphrase, or it's been changed into a recovery key. It's a way to recover what are enrolling of devices as well. So I think just the form or the interaction is changing in how we use passwords. Is that something that you think would be more accurate than...

    Dustin Heywood:

    That'd be far more accurate. The other thing is you've got to look at IoT devices, for example. These things can't store massive secret repositories. They're going to have the odd backdoor key. They're going to have AES... shared or an encryption key stored on. You're going to see things like your routers, your switches, your mobile phone. I'm not going to unlock my phone with just my face, because, say for example, I go up and get rowdy at Vegas and somehow I get arrested for shenanigans. I'm going to want to have a PIN inside my head because legally, they can't extract the PIN but they can use my biometric features against me to unlock a device.

    So you're never going to get away with things like entering a PIN with your credit card when you're buying food. That's still just another form of shared password. It's just the important part of what passwords are is they should always be unique, because you can never trust the site you're logging into. I don't trust my bank as far as I don't trust my air miles program or Aeroplan points or, pick whatever, my local public library. Some miscreant goes and pops one of those systems and then it's the big IR. They've extracted all the passwords, they're up on one of the various password sharing sites. Containment, making sure that password is unique and being managed on my behalf, is what generally keeps me safe from those breaches. Because, believe me, breaches happen.

    Joseph Carson:

    Yep, absolutely. And they're going to continue happening. It's just something that we know is guaranteed, is that, organizations will fall victim. And whether they're keeping those secrets in encrypted form or not, they're going to get out there. And that means that if you're using the same secret for multiple accounts and credentials, that's going to be something. Meaning that you're going to get compromised in multiple areas, not just one. So what's the best practice about how do you make them unique? How...

    Dustin Heywood:

    Honestly, humans can't generate a password to save their lives. I can't do it and I've been doing it forever. I mean, I've maintained 400-plus secrets and even with my great memory, I can't remember 20-plus characters long. Ideally, length is important, despite what anybody says, because it makes the brute force harder. But most important is entropy. If you base them off words, base them off anything in general, there's going to be a pattern that can be discerned. And yeah, people say, "Oh, I can't brute force a 12-character password on, say, MD5 or NTLM." But there are these new combinator attacks, et cetera, and we've been using them for the last 10 years, that get the crack time up, their crack length up to 17 characters, if you're using common kinds of patterns on a keyboard in almost any language. So really, computer-generated, randomized and frequently rotated.

    I hate NIST, for example, for one simple reason. I love NIST, don't get me wrong, but NIST guidance on passwords saying people don't have to rotate them is actually counterproductive to the overall effect. Sure, you only have one master password for your vault with recovery keys, and you have things bound to a token, et cetera, or bound to a piece of hardware, that's fine. But let's look at Active Directory, and I'm so sorry Microsoft for picking out your product, you understand NTLM is going away and you're talking about it, so that's great. But NTLM is basically MD4, which was broken way back in the nineties. I can go out and spend, let's call it a thousand dollars on a video card that can do 600 gigahashes per second, which is ridiculous. You can brute force an eight-character password in a matter of an hour, kind of deal.

    So really, the other problem with Windows is passwords are hash equivalent, or password hashes are password equivalent. In that if I know the password hash, I can just pass them around without knowing the password. So you need to rotate things like privileged passwords almost every time you use them. User passwords are fine. If you don't have any privileges, no path to DA or to something scary, and you have a way of rotating them whenever it's detected, that's totally cool. But how many people rotate every single one of their Active Directory passwords every time an AD admin leaves or a storage admin leaves?

    Joseph Carson:

    Very seldom. Even to the point where even service accounts and application passwords, which have been installed by consultants, that come in temporarily and have probably used the same password in every installation they've done. Because that's the simplest method. It's the one that they're used to.

    Dustin Heywood:

    Yeah. And that's the supply chain attack.

    Joseph Carson:

    Absolutely. That was actually one of my challenges, it was two things, was that definitely the NIST recommendations should not rotate passwords, especially if we're using multifactor authentication. But we know MFA fatigue exists, we know it's been something on the increase. We know that attackers have been able to compromise it through basically just continuously pushing the user multiple times. Eventually they're going to click "Accept" at some point just to get rid of it.

    So we know MFA fatigue is there. We know that rotating passwords should be a good practice and it's always been a controversy, and I know that we've always had debates online and social about it, but, for me, it means that just the length of time that you rotate passwords may not be every 15, 30 days. It can be longer, but it comes down to really what you're protecting. What is it that's behind that authentication? Is it your organization's entire active directory? Is it your bank account? Is it your intellectual property? Is it legal documents? Is it HR information? Is it health information? It really comes down to what it is you're protecting should be based on what authentication, what controls you put in front of it. It should be a proper risk-based approach. So not all authentication's equal.

    Dustin Heywood:

    Oh, exactly. I don't really care about my logon site for ordering new espresso pods, as an example. I'm sorry to use brand names, but I order coffee all the time and I'm not going to care about swapping that out because I don't save my credit cards on those. I don't necessarily care if I swap out my thing for the major grocery chains because nothing's really stored on those. There are no secrets to be had, I buy milk every Tuesday. Yeah, unless you're profiling me on that, it's not a big deal.

    But yeah, you're right, my banking, my anything financial related, anything storing massive personal information stores, those are critical. I'll be honest, I have a janky password that I use on those throwaway sites, on throwaway emails, just because it's a default, for I'm not going to go through the effort of putting something in the password manager that I'm never going to use again.

    Joseph Carson:

    Absolutely. And that gets to the point as well, is that not even just, for me, I don't just rotate passwords and have unique passwords for all sites. I actually have even... Because the email address that I use, I use different email addresses for different types of sites. For signing up for hotel chains or loyalty cards and stuff, I have a completely separate account that I use just for those. Because even the password's still 50% of the secret, you have to have an identifier as well. So we should always have a practice of making sure that we try to make that 50% as difficult as possible.

    Dustin Heywood:

    Oh, exactly. Even on the usernames, I'll use plus-style email addresses. So enter in evilmog@nobodycares.com, nobody cares. I go add a plus at the end of the evilmog because certain mail providers, who shall remain nameless, allow you to add on additional pieces. So I'll go like, "evilmog+hashcat," for example, for access to my hashcat accounts. And this way, if I start getting spammed, I know where the junk's coming in from. You go to Vegas to sign up for the casino rewards program, you're going to get spammed 30 ways from Sunday and it's handy to know who to contact to get your "please remove me" requests in.

    Joseph Carson:

    Yeah, absolutely. That's one of the things, methods I've done, is just practicing over the years. And just for me, it's a lot to manage sometimes, but it allows me to almost identify just right down to where that spam is coming from, or where that company that might have been selling off your data or been breached, it allows you to isolate that source much, much, much better.

    Dustin Heywood:

    Exactly. And I'm glad you've brought up the management part though. That's the important thing. Secrets management needs to be easy. Because here's the thing, people aren't in the business of changing their passwords, people are in the business of doing their jobs and they'll do whatever it takes to get things done. One of the cheapest things companies can do is give every employee a mobile phone and then buy them a password manager synced to their mobile phone, tied to their enterprise policies. And then give them the free access for personal use. If they have it made easy for them, there's an incentive to not have to deal with the cumbersome processes. You say, look, "If you're using the password manager, you go to the front of the support line," or something to encourage the usage. You can't be all stick all the time because, quite frankly, nobody cares.

    Joseph Carson:

    Absolutely. I mean, it should really get into the part where it's about reducing that cyber fatigue. Because passwords still are a pain. I mean, I'm in the business of privilege escalation and identifying... managing privilege access, but passwords are not the funnest thing that I enjoy doing in the day, is not rotating them, not thinking about them, not creating them. And what we should do is, to your point, is managing them much better and moving them into the background as much as possible. The less we have to interact with them, the less that we have to even choose them and decide what's the next greatest password, I think is the better. Is that, the more we get automated, the more we have a solution or tool that does it for us, the more we can focus on what we enjoy doing, the more time we get back.

    For me, we always talk about what's the most valuable thing in this world, and for me, it's-

    Dustin Heywood:

    It's time.

    Joseph Carson:

    It's time. It is time. It's, how much time I have to do anything? And the more time I can save and the less time I waste on changing passwords or deciding on passwords, the better life that I live. And I think that's ultimately what we should do, is rewarding people with giving them time back. That's what we're doing.

    Dustin Heywood:

    Yeah. And another thing, you see passwords aren't really dead per se, they're shifting to the background, they're changing form, they are being abstracted away and it can't come soon enough. But they will always exist, or at least until I retire in another 10 years. I mean, if I'm still dealing with passwords in 10 years in the form they're at now, I'm going to scream.

    Joseph Carson:

    Absolutely. The form is changing. They're moving even sometimes... I think, when we had to, the previous episode, we talked about what smart passwords are and how to choose them. We talked about moving to temporary keys, which was even a better form. Where you're using things like... It's moving it into the background. But it's been basically created that one time only, for that specific amount of time, that might have additional factors of security controls, where maybe it'd be push notification, maybe it'd be multi-factor authentication, maybe it'd be peer review, depending on what sense-

    Dustin Heywood:

    Well, risk-based authentication as well. We've got various indicators we're collecting from all this data on people, if all of a sudden I'm logging on from Canada and then I switch to logging on from across the world in Asia Pacific region within less than an hour, time travel isn't possible, no one travels that fast via other methods, so these kinds of things also tie into it. Everyone has a fingerprint. So it's always about multiple channels of authentication and also easier recovery as well.

    Joseph Carson:

    Absolutely. And that's where we get into, that's why I always use the term about using, almost like a digital polygraph test, is that you have this set of, say, analytical, key metrics that you start to understand about a person's... It's not my behavior per se, as me, but it's my behavior of authentication. It's my authentication behavior.

    Dustin Heywood:

    It's like your telemetry that comes in.

    Joseph Carson:

    Correct.

    Dustin Heywood:

    Where do I always log in from? What kind of hours? What about my machines, my Linux, my Windows? Are there things about my stack? There are a number of signals that we can collect. And then it's all about abnormal signal analysis, which is the one thing AI is actually really good at, is identifying stuff that's outside of a pattern.

    Joseph Carson:

    Absolutely. It's much, much quicker than we can determine. And once we have that visibility, and once it allows it to bring it to the surface, we can then reach out and check with that person, "Are you really coming from this location?" We can automate that. We can use orchestration, interoperability to check and verify that that person is really-

    Dustin Heywood:

    And then you still have the odd human in the loop to go make the final trigger because, who knows, weird stuff happens. I could wind up partying heavily in Australia somewhere and I might do the random off after a night out, but that's one of those things. You have a human check in the loop, you make it seamless, you make it less painful and that's the important part.

    Joseph Carson:

    Absolutely. So where's the future going with passwords? We talked about moving them into the background, we talked about, of course, them changing form, and making it much easier to manage and having incentives for people to manage, where's the future really going? Where do we see... How do you see, let's say in 10 years time, if you decide to retire?

    Dustin Heywood:

    Yeah. Well, what I'm seeing now is, recently, we've gone to a lot of folks moving to OpenID Connect or SAML for authentication. Usually, against the major email providers such as your Microsofts, your Googles, your Yahoos, et cetera, and having them rely on the authentication for the smaller shops.

    For example, I run a multi-user dungeon that I use every year for DEF CON. And the forums, I don't use user passwords anymore, because I don't want to store user secrets, I make people sign in with their social media and/or emails via those OpenID Connect methods. And then there's nothing for me to worry about. And then the provider deals with all the authentication. I'm seeing a lot of that in the consumer space. That reduces a lot of the accounts people need to memorize. And there are toolkits out there for that.

    Business-wise, they're moving to a lot of centralized authentication. Even Linux now, with things like HashiCorp Vault, SSH certificates, that kind of world. Like my users, for example, to log onto a Unix box, they authenticate, their certificates are valid for 12 hours. At the end of the 12 hours, they're off the system. So when I need to do staffing changes or adjust enrollments, it's no longer having to go push to a thousand-plus systems. Using authentication modification on stuff in the field, it's a very brittle process. So that's going away.

    Joseph Carson:

    So it's time-based authentication in reality. It's no longer that you have persistent privilege for your entire lifetime.

    Dustin Heywood:

    Yes.

    Joseph Carson:

    And that also gets away from one of the things, the major challenge you brought up at the beginning, was around deprovisioning when the admin leaves and having to worry about, do they still have that secret? Well that secret was only time-based, so there was nothing deprovision because they only got access for a period of time. And if they can't re-elevate that access up after they've left, then there's nothing to deprovision.

    Dustin Heywood:

    Exactly. Microsoft calls it Just Enough Administration and Just In Time Provisioning. These kinds of systems are absolutely the future. You're still going to have to maintain a couple of backup passwords, but they're going to be easier to maintain because you'll know where they are. Obviously, randomized per system. But we're getting there, it's going to take us some time. Those secrets are indeed shifting, but you still have to manage them like anything else. What happens when the servers hosting the certificate signer gets popped? How do you go swap out those secrets? So I still have to rotate those on an annual, quarterly, whatever, basis and have overlap to recover in the event an agent can't check in.

    Joseph Carson:

    So what you are really saying is to make the lives easier for the people, the users and the consumers and everyone else, it's our job's getting a little bit harder to do that. But what're some of the best practices for our jobs of managing secrets? What would be the best practices that you would recommend to make-

    Dustin Heywood:

    Most important... All right, so we can break this up into two sections. One for a consumer, one for an enterprise. So for a consumer, make sure you back up your password manager's secrets and store them in either like a safety deposit box or a secondary location. House fires happen, people's devices break, and if you lose access to everything, including your multifactor secrets, it can be a serious pain to recover and a lot of phone calls.

    So make sure that's backed up always, always, always. Try and rotate your password manager's secret once a year. I know it's hard. Make sure it's something that's memorable for you but still reasonably random. Make sure it's long. I know this is pushing the limits in most people's memories. I prefer a 16 character long authentication secret at a minimum for my password manager. Some people go as low as 12, that's kind of pushing it. I mean if you can do up to 20, that's great, but the memory on that's really hard.

    So the important part is you stick with what's memorable. Yeah, make sure there's multi-factor authentication enabled, back up your recovery secrets. So that's the important piece for the consumers. Yeah, don't use the same password everywhere. Randomize them as much as possible. Pick a password manager that hasn't been breached multiple times in the last couple of years. I'm not going to name names. I know I'm not... No, I'll say this anyways. IBM uses 1Password, as do I. But yeah, pick the Bitwardens or whichever ones are the one you want, find one that works for you and stick with it. Consistency is key.

    Now, when it comes down to the enterprises, get an enterprise secrets manager tied into all of your systems. Make sure secrets are rotated on a routine basis, and particularly, privileged passwords. Also, heavily monitor your privileged password use. If all of a sudden a privileged password is being used from a lower security zone such as an end user terminal service zone accessing say a server zone, that's bad. So network segmentation, oddly enough, it's still critical even though it's not a password best practice. But make sure your secrets are managed and then make sure your secret stores are split up. I mean, if someone managed to go break into a secret store for a low security zone, make sure it has the secrets for the high security zone. Keep your secrets in those security zones. Because here's the thing, identity is the new VLAN. And this applies to your cloud world, it applies to your passwords here, it applies to absolutely everywhere.

    And then finally, make sure your employees are enabled with password managers. This isn't just privileged management. Your employees guard some of the greatest secrets on their laptops, your finance, your marketing, everything else, so give them the tools they need to succeed. Otherwise, they're going to go to post-it notes and same passwords and we'll be having the same discussion again next year.

    Joseph Carson:

    Absolutely. I think you've brought up a really important point, and this is something that I keep iterating over and over again, is that almost all users should be considered privileged in some form or another. Because we sometimes isolate into privileged accounts with privileged access because those are the ones that really keep the infrastructure running. They keep the lights on, they keep the access going. But some of the most sensitive data, it's privileged data, which is sitting in people's laptops and sitting on... Some specific... The accountant might have access to your financial data, your lawyer has access-

    Dustin Heywood:

    Lawyers.

    Joseph Carson:

    ... have access to your actual legal documentations, your intellectual property. Even sensitive cases, you might be having some summation from some new product or new algorithm that might be in copyright or in some patent. And if that gets out, that is sometimes more devastating to the business than it is, sometimes, than other accounts being compromised. So privileged data, for me, is something that organizations should be... Also considering is, having access to that should be considered privileged. And therefore, making sure that getting into good segmentation, and to your point, is... And those different security zones, having the appropriate level of access in each of them. And don't try to put everything in one bucket.

    Dustin Heywood:

    Exactly. And the other thing is, I mean, we should be reducing friction. We make things so hard for people that they're going to work around a control. Here's the thing, people are not in the business of following controls. People are in the business of doing the business and if they can't get their job done, deadlines start pressing, they're going to work around them and they're very ingenious. So that's the important part. Make it easy.

    Joseph Carson:

    Absolutely. We've been talking about zero trust for a long time, and for me, what we should be talking about is zero friction. Ultimately, it's getting to zero friction security. Because that's where, if we make it easy for people to use and consume, that's where actually security becomes usable and better. That's what people want. People want to use it because it makes their life better. And we have to be better at listening and understanding about the needs of the users, the needs of the people, the needs of the people that we serve, to making sure that we're not forcing something that's difficult to use on them. Because they'll always find ways around it, they'll find ways to circumvent it or to get around it. Or we force them to use their personal device for work and we lose visibility of security completely because they're sending everything to their personal device. And that means that you're not having any visibility at all. So we should be making sure that people want to use it and it makes their lives better.

    Dustin Heywood:

    Yeah, exactly. Someone once told me the brakes on the race car are there to make you go faster, not go slower. That's exactly what security is here for. We're there to make the business go faster and do things in risky environments that normally wouldn't be able to be done, but we need to be working with the business. That's why we're seeing the rise of things like BISOs in addition to CISOs. BISO is a business information security officer that understands the business far better than the technical folks do. That's why every technology person should understand their business they're in, otherwise they're just giving generic advice that doesn't really have application in the real world.

    Joseph Carson:

    And that's a really important point, is our job is actually is to make the business actually resilient and make it be able to move faster. To your point, it's like the race car with the brakes. I've heard that analogy multiple times and I think it's great. That therefore, you know they're going to work when you need them, it's to slow you down, to stop you from actually having a really bad accident and they allow you to keep going.

    Dustin Heywood:

    Well, exactly. Also, if you look at... you're going through a curve, you brake as you come into the curve, you regain your traction. And then you slam the gas on the way out, and you go faster because of those brakes. Otherwise, you'd have to go lay up the throttle and you'd go spin out and nothing would work.

    Joseph Carson:

    Absolutely. That's really, really wise words. So I think we've come to the reality, is that passwords are evolving. I think it's an evolution that's happening and that it's not the death of passwords, it's an evolution of passwords that's evolving into, much faster than what we've seen probably in the past 40, 50 years that passwords have existed, that we're seeing an evolution of passwords evolving into... moving more into the background, becoming time-based and not persistent-based. To having, basically, more segregation and entropy, and also, understanding about making sure that we have fewer passwords. Meaning, that also, less interaction, less human involvement into it. I think that's also a key as well.

    Dustin Heywood:

    Yeah, and that's exactly the important part, is less interaction. And the less I see the password, the better. I mean, how many times, where you have to go querying me for authorizing that secret? And yeah, I'm getting a lot more control over how they're being used, but in general I no longer have to go spend... How many times in IT do you have to go enter in your password to go log onto a system, pre password manager? It was insane. So we'd keep short passwords because it saved us typing. Now, that it's in a password manager, it's one click auto approve, it validates the website I'm logging into and everything else, I can copy and paste in the terminals. Heck, even some of them now will type in my multifactor secrets for me.

    Joseph Carson:

    And especially for people like us, for our passwords, at least the generic system passwords tend to be very, very long, but we don't have to type them in anymore. Which is great as well. I mean, I don't have to remember them anymore, which, for me, is a savior.

    Dustin Heywood:

    Yeah, the only piece I don't like is there is no real good interaction between a virtual console on a hypervisor and a password manager yet. So if you're seeding a system, the passwords are typically garbage until you give online authentication to them and then turn them into a proper password. If someone manages out there, looking at your 1Pass and possibly someone of the rest of VMware, if you can make that work, I'd be very happy.

    Joseph Carson:

    I know a few people that we can pass that along to. So we'll see how that goes. Dustin, it's been fantastic having you on the show again, really wise words. And I think we've come to the conclusion that passwords probably won't be dead before both of us retire. We might interact with them less. They might be under new names and new terminologies. And really, I think, when we talk about passwordless, it's really a passwordless authentication experience. It's an experience, and it's the end direction which is changing, in that they are changing into more backup keys and recovery keys and temporary keys and so forth, or enrollment keys. So we're seeing that evolution. But definitely, recommendation: use password managers, and let's get to zero-friction security. Let's get to where people enjoy security.

    Any final words for the audience? Anything that you would like them to take away and that would make their lives different?

    Dustin Heywood:

    I mean it's World Password Day. So I mean, the last time any of us changed our passwords is probably the last World Password Day, so please go out and change all your passwords.

    Joseph Carson:

    That's a good point. I know if there's anything that you haven't changed that you... And if you can't remember the last time you changed it, it's probably a good time to change it. And if you have a password manager, it will tell you how many years, or however long, that password's age is. So it's not always a good time to come up and think about what's a good formula for your passphrase, how to make sure that it is at least 16 characters long, and maybe invest in a password manager.

    Dustin Heywood:

    And also, double-check your backups while you're at it. I mean, because here's the thing: one is none, and two is one. You're always going to have a backup fail, so make sure you've got multiples, especially for your authentication secrets. Even if you think you're good, just go and back them up again just to be safe, because EvilMog told you to.

    Joseph Carson:

    Having two backups is better than just having one. And having a backup that is actually recoverable is the purpose of having a backup, rather than just having one that you can't use. So very wise. Again, it's fantastic having you on, and I'm really looking forward to catching up at some point in the future. And again, congrats on getting your other black badge. That's amazing. Before we go, tell us a little bit about the Church of Wifi.

    Dustin Heywood:

    So the Church of Wifi is mostly a joke religion. We basically pull pranks and shenanigans. The version I'm in is Church of Wifi version three, which started at DerbyCon with RenderMan, where we were parachuting stuffed animals from the 18th floor of the Hyatt. We're also a hacker jeopardy team that has three world championship wins at DEFCON. So my entire team at DEFCON is now black badged, and at Chicago's 312CON, or THOTCON, we're all black badge there too. So we're mostly shenanigators who like to play a lot of hacker jeopardy.

    Joseph Carson:

    Yeah, I'm looking forward to it. I'm really looking forward to Jeopardy this year. I missed DEFCON last year but I'm definitely looking forward to this year.

    Dustin Heywood:

    We're fully retired now because we've won too many. They've actually said we can't play anymore. So now we're taking part in helping with the shenanigans up front instead. So you'll probably see me at Whose Slide Is It Anyway, judging up there, but we'll be around doing shenanigans.

    Joseph Carson:

    Fantastic. So if you're looking to catch up with EvilMog, definitely catch him at DEFCON for sure. Definitely take the recommendation, because he is one of the most knowledgeable people in passwords that I know in this world. So it's a pleasure to know him. So for everyone, make sure on World Password Day you take the time to review your passwords. Take a look at what you can do to make your lives better, use a password manager, and, per EvilMog's recommendation, make sure you back up, that you have solid backups, and that they work and are recoverable.

    So again, thanks very much for being on the show. And for everyone, make sure to tune in every two weeks for the 401 Access Denied podcast. We're here to bring you the latest ideas, thought topics, best practices, and to really help provide you the information you need to make the world, and your world and society, a safer place. So also go back and take a look at some of the previous episodes; you'll find a lot of great, valuable information there.

    So I'm your host, Joe Carson, and it's been a pleasure serving you today. Take care, stay safe. And again, EvilMog, thank you for being on the show.

    Dustin Heywood:

    Thank you.