In this podcast, Open Access Government speaks with Patrick McBride on how to best protect your data online and whether it’s time to go passwordless
Patrick McBride, the chief marketing officer for Beyond Identity, has almost 30 years of experience in cybersecurity.
I’ve been an engineer, an industry analyst, a Chief Information Officer and a Chief Information Security Officer. I’ve spent the last decade and a half working on launching smaller companies and growing them, all in the cybersecurity space.
If you can look at the environment as an attacker would, it’s pretty helpful
I’ve had some experience in a space called Identity Management, and in a space called Threat Intelligence, trying to figure out what the bad guys (cyber attackers) are doing and how they’re doing it, so you can let customers know how to better protect their networks.
I’ve also spent some time in industrial networks protecting plants and refineries from cyber attacks. And then more recently at Beyond Identity – a company that sits in between cybersecurity and Identity.
Identity is actually highly related. If you don’t know it’s me, how do you let me into one of your systems?
Originally, identity was done more for HR purposes, to make sure you could get access to all the systems that you needed access to, et cetera. But now, it is a really important piece of cybersecurity. So, it either reports into the CSO or the CISO, who is very interested in making sure that the CIO and their team have a good identity management programme in place and that people only have access to the things that they’re supposed to have access to. Over time in a company, you migrate, change jobs or get promoted, and this ensures that you still only continue to have the access for whatever job you’re doing at the moment.
“Sounds like you’ve got a lot of relevant experience in some really unique roles”
Yeah, it’s funny. If you look at my 30-year career, I figured out that if you can look at the environment as an attacker would, it’s pretty helpful. Understanding where the holes are in our armour, so to speak, is a pretty useful thing because some holes are more important than others, but just understanding that and helping to explain that is why I met Beyond Identity. We’re going to talk about passwords and things like that, but identity is one of the big holes.
Is the government evading responsibility for public safety online?
I don’t think so. In fact, I would think the opposite. I’m going to give you a bit of a twisted answer here.
The attackers move at such a speed that the government gets caught up in its own bureaucracy and its old recommendations and it’s not even an aptitude
I think there are a lot of good people working really hard to do the right thing and they truly do want to protect systems, government systems, protect consumers, and businesses in commerce in general. I just think the attackers move at such a speed that the government gets caught up in its own bureaucracy and its old recommendations and it’s not even an aptitude. I feel for them.
This environment changes, if you think about it. I often coach younger people who are thinking about a career in cybersecurity and say it’s the gift that keeps on giving, because the good guys keep on figuring out new and interesting things to do with technology, and at the same time, the bad guys figure out new and interesting ways to break into the old stuff and the new stuff. So it’s a bit of those two mashing together which makes it a particularly hard problem. What I would say is EMEA in general, and the UK in particular, has done a really good job.
You can’t have privacy unless you have good cybersecurity
For example, not a perfect job, but on privacy rights and making sure that you’re putting the kind of regulatory regime in place to guarantee a level of privacy that we don’t share here. We’ve done a poor job of it here in the U.S. On the other hand, I think if you flip it, I think of privacy and cybersecurity as a yin and yang, you can’t have privacy unless you have good cybersecurity, right?
If I can get in and steal your data, even if I’m one of the big companies and I just can’t use your data, if an attacker can get in and steal your data, then you’ve lost some level of privacy anyway. In the U.S. we’ve done a pretty good job of advising companies on what they need to do from a cybersecurity perspective, I would say an imperfect job as well.
I think in the U.K., frankly, they’re a little bit behind the times
And I think in the U.K., frankly, they’re a little bit behind the times. I believe there are still some commercials running, for example, talking about how to make the perfect secure password, and that’s a unicorn. It doesn’t exist. There is no such thing as a secure password.
I don’t think they’re trying hard. I would say I think they just need to keep up. So it’s not that they don’t want to, it’s that I think some bureaucrats need to get a little bit of a kick in the butt; they need to think like an attacker. What are modern attackers doing to break in? Stop there, figure out what that is, and that’s where the recommendations start from. Not something that was valid 8-10-12 years ago.
What is preventing the government from improving user security online?
I think they’re stuck in old patterns. People need to be responsible for what attackers are doing today, not what they were doing ten years ago. I think that information hasn’t gotten over to the policymakers.
There are typically two distinct groups in different governments. They split them up differently. But there’s a set of folks that are looking at what kind of attacks are going on right now, what are the bad guys doing, making sure they get into someplace that we can kick them out.
And then there’s a set of policies related to that; there’s a set of people that are forgetting that the government is responsible for protecting government systems. And I think that’s a little bit closer linkage. The problem is it gets over to the policymakers and then it gets over to, in some cases, the bureaucrats, the members of parliament or others, and folks underneath them that are helping make the rules or push things. And it doesn’t make it over, or makes it over so slowly, that the attackers don’t wait.
As soon as they find a new way to do something, they’re going to do it
As soon as they find a new way to do something, they’re going to do it. And if it’s working, they’re going to keep going. They’re not going to wait for the government regulations to catch up. And so I think it’s that gap between what’s actually happening on the ground and what the policymakers are doing.
To some extent, there’s always going to be a gap, even in a perfect situation, writing a good set of regulatory requirements and then ginning up a programme to inform people of what those are and what precautions they need to take. It is just a time-consuming process.
Regulations will never keep up with the hackers, but they can’t be ten years old either. So the gap is there because I don’t think the information from what’s going on on the ground is getting in quickly enough into what the policymakers are doing. That means one of the things that has to happen is the guys that are watching what’s going on on the ground have to share that threat intelligence better with the companies that are trying to protect their systems or trying to protect the consumers.
In a lot of ways, I’m trying to protect my internal systems where I’m keeping a lot of consumer data, or I’m trying to protect the applications that consumers are using so I don’t get an account takeover, that sort of thing.
Is it time for the death of the password?
In a ten-year time frame? You probably have a couple of really bad laggards where you just didn’t get it in a 20-year time frame. I think we’ll roll over all the systems. I think a large majority of companies are going to go passwordless within the next three to five years.
In 2004, Bill Gates proclaimed the death of the password all the way back then
Now, if you take all the thousands of systems that are out there, is everyone going to go? No, but we’re finally on that path. At one of the biggest cybersecurity conferences called RSA in 2004, Bill Gates proclaimed the death of the password all the way back then, and yet here we are.
But a lot of things have come together. There’s a lot of momentum behind it, and that’s removing passwords out of systems that a workforce uses, like the internal systems that a government would use or a company would use, or even a non-profit organisation would use, the ones that their employees log into. I think that will move faster. In some ways, the consumer space is going passwordless relatively rapidly in some areas, but in others, it’s kind of what I would call fake passwordless.
You have to be careful. For somebody who removes it, and I’ll dissect this a bit: I can remove the password from the view of the end user to make it more convenient.
I’ll give you a good example. I can log in using my camera on my phone and then some of the applications, like there’s a banking application that I use, will then – underneath the covers – grab my password and log me into my banking app. I haven’t removed the password. I’ve made it more convenient for me. I could use my face and then it sends my password over.
But I haven’t removed the risk of the password. How do I know that I can go to the web browser on my MacBook Air and type in www.mybank.com and I get a user ID and a password so it can still be stolen? It still can be used to break into my account. You need to make a distinction there between actually removing the password as part of the authentication process and just hiding it from the user for convenience.
Very recently, both Apple and Google noted that they were going to passkeys. They’re going to support something that you already started using, called the FIDO standard. It’s a standard that allows them to securely remove a password and replace it with a strong cryptographic kind of connection. We use this stuff every day. We all log on to our bank from our web browser and we see a little lock in our browser come up. That lock in the browser makes it clear that I’m talking to the appropriate server and then I’ve got a secure private connection.
The problem was getting into that application is the last mile, and I still use it today. I still typically use a password for that and in some cases, for some applications, I get a multi-factor authentication challenge. We’ll get to that in a minute. So the first step is really eliminating the password, not giving me a one-time password like a magic link or something that I click on, because that’s just as bad as a password.
Without worrying about somebody sniffing that information off of the network
It’s another shared secret that gets passed over the network. It’s actually removing a password from the authentication flow and making sure that I’m using a much stronger way to do that. Typically something like public-private key cryptography, which again is used every day. We use that to have a private web conversation. Once I’ve logged onto an app securely and I’ve got that secure connection, I can type in my Social Security number or my ID number or whatever, or my other personal information if it’s a healthcare application or something… without worrying about somebody sniffing that information off of the network. We’ve been using that kind of technology for some time, we just haven’t used it to replace the password. I think that’s what’s going to happen fairly rapidly now.
Who is responsible for ensuring password security?
It really has to be a combined effort. I mean, governments have to get better, as I stated, about letting companies know what kind of attacks bad guys are using now. I’ll give you a specific example of that. The reason they tell us to use these strong passwords, a passphrase or something that’s long and uses uppercase and some other things, like an exclamation point or any other special character like that – so that I’m not putting passwords one, two, three, or my kid’s name or whatever, things that people could easily figure out – is because the bad guys used to steal a password database, or they would get an encrypted password, and then they would unencrypt it. And if you make it really long and with all these special characters, it’s much harder to run an attack against that.
But that’s not how the bad guys are getting passwords these days. They steal them when they’re in the clear, when they’re unencrypted. Either they have some malware that’s running on the device that you’re logging in from, and I go to type my password in and they’ll grab it there and send it back to the bad guy, or you get what’s called a man in the middle attack.
They’ll send me to a fake site. ‘Hey, you need to reset your password Patrick’ and it looks like it’s this exact site I use. I type in my username. I type in my old password. They told me to type in a new password. I type in a new password. It really doesn’t do anything with that. It’s just stealing the password and sending it back. And there are criminals that just do that. They’ll run those attacks all day, and then they sell that access, computer access, for example. So that’s a lot of the way that ransomware happens.
One criminal group will buy access to somebody’s system. They’ll buy the user IDs and the passwords for those systems that got phished earlier, stolen in an earlier attack, and then launch the ransomware attack. Or they’ll do the same thing and launch an account takeover. They’ll take over my bank account and then be able to move money, or steal my points if I’m an airline customer, that sort of thing. So it used to be that attackers had to run some cracking technology to find out passwords and steal them.
The government has got to stop saying ‘Just pick a longer, stronger password’
Now attackers just buy them. Attackers buy them from another guy and use them to log on. So that’s one of those examples where the government has got to stop saying ‘Just pick a longer, stronger password’. They’ve got to start pointing out regulations that are actually going to protect the consumer from the modern attacks. The modern attack is perpetrated by somebody just buying a set of passwords and using them to log in.
Attackers don’t necessarily have to break into accounts anymore. Very often they’re just logging in as you or I would… So what was supposed to help? That was MFA, right? I typed in my user ID and my password. And since my password is so weak, I can just get a code onto my phone and then I type in the code. A lot of those same techniques that were used to steal the password, this man-in-the-middle attack kind of thing, can now be used to steal the code that I put in.
So now I’ve got two weak factors. I’ve got a password that’s totally compromised and now I’ve got a second factor, effectively another password that I’m typing in or passphrase or a number combination and that can be stolen too in many of the same ways.
So I’ve got a totally compromised credential followed by a credential that is my second factor. That’s merely a speed bump these days. In fact, Microsoft reported 10,000 attacks where criminals stole the MFA code: they already had the password, and now they’re stealing the MFA code and just logging into the system.
What really has to happen, is passwordless technology that uses crypto that you can’t steal
What really has to happen is passwordless technology that uses crypto you can’t steal cryptographic links from, but you have to have multiple factors and all of them have to be unphishable.
And in fact, that’s what the U.S. government came out and said in January. They said you have to replace the authentication method that they’re using with ‘passwordless, phishing resistant’. I’m using air quotes or real quotes because that’s exactly the phrase they want to use, ‘passwordless’ and ‘phishing resistant MFA’.
Rather than spending time producing commercials telling consumers to build a longer, stronger password that doesn’t have any effect, do you think malware running on a machine or a man-in-the-middle attack cares? It’s not like they weigh the password and say, ‘Oh this one’s only four or five characters. I’ll send it back to the bad guy. This one’s 15 characters and it’s got some special characters in it. I’m not going to touch that’. Of course not. They’re just going to send it back to the bad guy. So they’re not having to crack the passwords. They’re just phishing them out and sending them off to the bad guys to reuse. So you can’t make a secure password. It doesn’t exist.
Could you compare US and UK strategies?
I think in stark contrast to our privacy regulations, the U.S. is actually being pretty aggressive now with the regulations. Right now, the regulations only specifically apply to government organisations or businesses that are directly supporting those. So there’s always a set of contractors and consultants that are working with government organisations running some of those systems. They’re both beholden to use this passwordless, unphishable MFA, and they’ve got to do it quickly. They told them in January that they need to make this change within two years.
I don’t know enough about the U.K. government, obviously, watch some of it and try to keep up with the regulatory regime there.
In no way does the U.S. government barely roll over in bed in two years. That’s the fastest or the shortest time I’ve ever seen this in 20 years of watching our (U.S.) government. So they’re worried about it. They’re very worried about it.
They’re focusing a lot of their attention on consumers. They really ought to be focusing their attention on not only their government system but the folks who are building applications that consumers use, educating them that there is a way to make those applications much safer than you make them today.
They should dig into that and make that known, at least make it known and educational. But if you continue to take privacy seriously, if the U.K. government and the rest of Europe, the whole of Europe, take privacy seriously, and they do. I mean, they’re way ahead of the U.S. on this. Then you have to solve the security issue because if you don’t, you can’t have privacy anymore. Because if I’m a bad guy, I can log in and steal all your private data. Does it matter that you’ve got good regulations that keep Facebook from selling some of it, or Google or others? That’s what they’ve done.
Well, I would contrast that with GDPR and other things. As much maligned as GDPR is sometimes, and it’s certainly not perfect, it’s way ahead of other parts of the world and certainly the U.S. However, you’ve got to marry that with strong authentication or you’re not going to have the intended impact. Private information is still going to get out in massive breaches.
What is the role of the dark web in password security?
The dark web for a long time is where the bad guys sell their wares. They do a couple of things. It used to be that they would sell the kits that they used to pull off these attacks on the dark web. You can get a kit as an attacker. I don’t have to be super sophisticated anymore. We’re not talking like Russia or China-level state actors. We’re talking about garden variety, financially motivated attackers.
I used to have to go to the dark web to buy my toolkits to log in and steal credentials. But now very often those things get marketed, like straight up on Facebook, but then it’s a dark web connection where the actual transaction between the buyer and seller, like two bad guys, takes place. But in some cases it’s open.
You’ll see people marketing breached passwords on the dark web. They’ll sell you hundreds or thousands of usernames and passwords, or a database full of previously breached passwords that you can then put into your malware kit to try what they call a brute force attack. Typically the dark web was where I either buy the toolkits that I use to pull off these attacks or buy passwords. That’s kind of the fuel that these things run off of.
But now you’d be shocked at how many places, like in Facebook and Instagram and those places where bad guys are marketing both sets of those things kind of out in the public again, they may do the transaction on the dark web or do the exchange there, but they’re openly marketed in the visible web.
What advice would you give consumers to improve their passwords?
The single best piece of advice that a consumer can actually use is to use a different password for every site. So if it’s stolen on one site, it can’t be just pushed, automatically pushed in, elsewhere.
Having said that, that won’t solve the problem, right? Because I can still send you to a phishing site. I’m your bank or I’m not your bank, I’m a bad guy. I’m mimicking your bank. I tell you you need to do a password reset, for example, and I give you an email that looks like it actually came from the bank. When you go to the site, it looks like it came from the bank. The URL looks just like your bank and it’s probably got some little character that’s changed and it’s really hard to recognise. And then you type in your username and password. So just because you’ve got a unique password from your bank doesn’t mean that I can’t steal it and then reuse it.
Having said that, since they’re buying a lot of these passwords on the underground or above ground, on the dark web and other places, one of the things that they’ll do is these password spray campaigns.
Use a different password for every site
They’ll take your bank password if they stole that and try it in 100 other different sites with your same username, your email or the front part of your email, and then try it with a bunch of different passwords. So a unique password on every different site can help. It just doesn’t solve the problem.
But then you’ve got the other problem. How many websites do you have to log on to? Personally, I use upwards of 100. So I’ve got over 100 accounts. There is no chance in the world that I’m going to remember a unique password.
So what then do you do? Well, I could use a password safe. Something that I use now because of some of the sites that I go to. But to use a password safe I put all my passwords in one little database that’s protected by, you guessed it, how do I log into my password safe? Using a password. So I log into my password safe using a password and at least I have a unique set of other passwords.
But if somebody gets the password to my password safe, now I’m really screwed. So that’s not a very secure way to do it. So at the end of the day, you can’t protect the password. It’s a totally compromised thing. The best advice I can give is, to the extent you can, use a different one on each site that’s got important information, like your bank account.
What is the most important thing that individuals can do to protect themselves online?
Even though the recommendation I gave you doesn’t solve the problem, it makes it incrementally better. MFA can make it incrementally better, so vendors like us have to solve two real problems. They have to replace a password with something that’s foundationally strong. And again, we know how to do that. There’s a capability. Like I said, log in to any site that you do and click that little lock that comes up in your browser. That’s a technology called TLS, transport layer security. And make sure that if it’s working, you’ve got a private conversation going back and forth with your bank. Now your bank doesn’t know necessarily, because somebody could have stolen their password and now they’ve got a secure connection. But at least that secure connection is there. And it uses public-private key cryptography. So unphishable passwords or phishing resistant passwords are going to use some sort of a public-private key technology. Now what you wouldn’t want to say is just use a unique password on all your sites and everything’s hunky dory. It improves the situation, but only incrementally. And you could say, well then you just have to use MFA.
It’s got to be foundationally secure and it’s got to be easy to use
When I said we have to solve two problems, it’s got to be foundationally secure and it’s got to be easy to use. Most of the world doesn’t turn MFA on for their applications because it’s inconvenient. But every time I log into my bank, usually, the financial services will force me to do it.
But in many applications, a retail application, am I really going to turn on my multi-factor authentication? My credit card information is in there, but am I really going to turn MFA on and have to pick up my phone and do another code? I’m just not, so we’ve got to fix that. It’s got to be both secure and not annoying to use.