
F**king Passwords

Passwords are the worst. Just the worst.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Weird setup. I'll explain that in a bit. But what I want to talk about, as you probably noticed from the title, is passwords. Everybody loves passwords. They're amazing. So here's the deal. Honest security pro out to you guys: passwords suck.

But they are the least sucky of a plethora of sucky solutions. So you might have noticed, and I did a quick video on it last night, that Twitter made an announcement that they currently had an issue internally where they were logging passwords before the hashing process, which means the passwords were exposed in Twitter logs, unencrypted.

So they were encrypting them downstream. But before they were encrypted, they accidentally got logged. They fixed that error. But in the meantime, that means all 330 million plus Twitter users have had what's called an initiating event.

Now there's new password guidance, and the reason why I use that term, initiating event, is because the new password guidance says everything we told you about old password management was wrong. Sorry. So this guidance came out in October of 2017 from NIST, the National Institute for Standards in Technology, I think, don't hold me to that one, but it is the standards body and sort of the guidance that most people look to. And previous guidance from NIST around passwords was what everyone's familiar and comfortable with.

You know, at least eight characters, mixed case, throw in a number or a symbol, and change it every 90 days. Turns out that goes against math and human psychology, and it ends up with a whole bunch of crappy passwords.

In fact, those rules sort of optimize for poor password outcomes. So think about that for a minute. Our official guidance for years has actually driven worse security outcomes than what logic and sort of math would dictate.

So NIST updated these standards last year. They are slowly kind of rolling out. People are getting on board, but here's a great opportunity, with the Twitter password change, to implement them. So the new NIST guidelines, I'll get to the specifics in a second.

But the gist of the new NIST guidelines is you shouldn't change your password that often, maybe once a year or in the face of an initiating event. So Twitter is an initiating event for your Twitter account password.

And that's the only account you use that password for, right? Maybe? Please. So you should only be using one, you should be using a unique password for every single account you're using. But this is initiating because your password was exposed.

So you should logically then go and change it. But then you don't have to change it again for at least another year unless something else happens. That sounds far more logical, doesn't it? So you can pick better passwords and stronger passwords and not have to worry about having password1, password2, password3.

So the second critical piece of the new NIST guidance is that you shouldn't be using passwords, you should be using passphrases. Now, I won't dive deep into the math even though I'm super tempted with my whiteboard back there.

But basically what it ends up as is this: the longer the password, the more probable passwords, or possible passwords, there are. So that's why we always said, you know, at least eight characters, because eight characters got you into a zone where in every character space you could put, you know, A to Z, caps or lower case, and numbers and symbols.

And basically you started to increase the probable combinations, or the possible combinations. And the longer you go, for every single one you add, that is a massive spike in the potential, or the possible, combinations for your password.

So that's why we always said longer was better. But of course, the longer it is, the harder it is to actually remember. So it turns out when you talk to psychologists or neuroscientists, they give you some tricks about how humans remember information.

And there's a great example of this up, and I'll link to it in a minute. It's actually in the video I posted on Twitter yesterday and in a couple of the tweets since then, but I'll retweet it out again.

They have a great little article that explains how to pick a strong passphrase. So a passphrase should be at least four words, preferably more, that are essentially random. But humans can't remember random stuff very well.

So you can either use a mnemonic, so some way that the first letters mean something to you in your head, or better yet, they're recommending actually using a visual. So if you can see here behind me, I've got a whiteboard, there's maybe an image of the light reflecting from there, and a picture of my wall art, which has got some chairs in it.

And you can see the kids' closet because I forgot to close the door. So you can see that's not creepy eyes from a cat, that's actually reflectors on the back of sneakers. So I could say something like: whiteboard light chair sneakers.

So whiteboard light chair sneakers, that's four. I could keep going, ideally. But if I can picture this in my mind, it's a lot easier for me to remember that as a passphrase. Now, I know that the pushback right away is: well, wait a minute.

Isn't that just dictionary words together? Yes, it is. And that reduces it. So you're not purely calculating possible characters, you're actually looking at a sequence of words together, so that when an attacker tries to break your password, they're not just randomly throwing characters together, they're actually going to cycle through words. But it turns out that the math holds up, that that is still significantly more complicated than a password

that's 10 random characters strung together, and it's far easier for me to remember. Whiteboard, light, chair, sneakers. See, I actually remember that. I hope you can rewind the video and check that. It's actually far easier for me to remember that than it is to remember just a random string of crap.

So passphrases are the way to go. That's awesome. That's great guidance. Now, it's going to take a while for systems to catch up. Thankfully, a lot of services already allow you to enter longer passwords.

And this was part of the NIST guidance as well, which basically said stop with the bullshit of capping people's passwords. We've all tried to do that where it's like, oh, your password has to be at least, or less than, 12 characters.

Horrible security guidance. Atrocious. Your password should be able to be as long as you want. The current official guidance is 256 characters, which is pretty darn long. Realistically, if you're building password systems, just let people store pretty much as much as they want.

Maybe up to 1024, you know, just because, if you have to have a cap there. But that's the new guidance, basically: passphrases, and change your password when there's an initiating event.

Now, there is a tool, there is a set of tools out there, that can make this even easier. You can use what's called a password manager. Now, that password manager is essentially like a vault of passwords, and it normally has a generating tool, so it can generate a long 32- or 64-character string of random crap.

You never have to remember it. You use your passphrase to unlock that password manager, and then it will enter those into your web app for you, or you can copy and paste it in. So I have no idea what my new Twitter password is.

I can tell you the parameters of that password. It's 32 characters, complex, lots of symbols, lots of mix in there. It's a really, really strong password. I'll never have to see it or type it in my life.

I will simply copy and paste it from my password manager, or it will push it through automatically through a browser extension. I remember the strong passphrase that I've set up to unlock that tool. There's a bunch of commercial offerings out there.

There's also a bunch of free ones out there. So do some research. It's really hard to go wrong with that. Usability is really key around there, though, because you want it on your phone, on your tablet, on your laptop, that kind of stuff.

So the other thing I was recommending really strongly here is to enable login authentication for Twitter. So that's multi-factor, where it sends you a message, a text message. Again, not infallible, but using a passphrase and login authentication, you're going to really reduce the risk.

And Twitter has a really slick thing. I was really excited when I saw this. I know that's a super nerdy thing to say, but I was quite excited when I saw this yesterday, when I changed my Twitter password, which was that they actually actively prompt you and say, hey, there are X amount of applications connected to your Twitter account.

Do you want to review them right now? Pro tip: yeah, you do. Look at them, walk through them and see what's connected. If you don't recognize it, disconnect it. If you're not using it anymore, disconnect it.

If you are regularly using it and you made a mistake, it'll ask you to reconnect to your Twitter account. But third-party connections are how a lot of people end up embarrassed sometimes, when that third-party account gets hacked.

So, a good set of little hygiene here. Super frustrating, but a good opportunity to talk about this, because at the end of the day, passwords suck. But they're the best thing that we have right now, and they're sort of the best solution out of a set of crappy ones.

I mean, there's really no better way to put that. There's lots of experiments, lots of science, a lot of research going on in security to try to make passwords a thing of the past and do better alternatives.

We're seeing a little bit of it with, I'm here on an iPhone X with Face ID, with the Touch ID on the iPads. That's not infallible. They're always backed up by passwords anyway. But we're getting there. In the meantime, passphrases, not passwords, and you can take the NIST guidelines and go back to your IT security teams internally and say, hey, stop getting us to change our passwords every 90 days.

That's not even the best guidance anymore. We should be all passphrases and change it every year or after an initiating event like this Twitter leak. So that's my rant for this morning. You'll probably see a lot more from me on this.

I think it's a pretty common thing that we all struggle with, yet we don't have to. This can be a little bit easier. We're going to have a post up on markn.ca shortly. I put the Twitter thing out yesterday, which has got a really good response.

It's also up on LinkedIn and Facebook, just a quick little, hey, this happened, switch your passwords. As always, hit me up here on Twitter at @marknca. Most social networks,

that's me. Always happy to talk about this. What do you think about passwords? What's your passphrase strategy? Did you know about passphrases? Let's talk, let's have a discussion. As always, security is better when we all work together.

I hope you are set up for a fantastic and phenomenal Friday. Enjoy the weekend. I will talk to you on Monday.
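Editor's added example (not code from the video or from markn.ca): the passphrase-versus-password arithmetic the transcript gestures at, a CSPRNG generator for both kinds of secret, and a length-only policy check of the kind the new guidance calls for. The word list is a constructed eight-word sample so the block runs offline; the entropy figures use the size of a standard 7776-word diceware list. One caveat the numbers make plain: against an attacker who cycles through words, four random words give about 51.7 bits while 10 random printable characters give about 65.7, so you need six words from such a list to clearly beat the 10-character password, which is why "preferably more" than four matters. The 256-character cap is the figure the transcript gives; NIST SP 800-63B itself asks verifiers to accept at least 64.

```python
import math
import secrets
import string
import unicodedata

# Constructed sample word list (not a real diceware list): just enough to make
# the generator run offline. The entropy figures below use the size of a
# standard 7776-word diceware list, not the length of this sample.
SAMPLE_WORDS = [
    "whiteboard", "light", "chair", "sneakers",
    "window", "coffee", "ladder", "pencil",
]
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words: five dice rolls pick one word
PRINTABLE_ASCII = 95          # alphabet a "complex" random password draws from


def password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `words` words chosen uniformly from a `list_size`-word list.

    This is the attacker model from the transcript: the search space is
    list_size ** words (cycling through words), not 95 ** character_count.
    """
    return words * math.log2(list_size)


def words_to_match(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int = 32) -> str:
    """The random 'string of crap' a password manager generates and stores for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_password_policy(candidate: str, min_len: int = 8, max_len: int = 256):
    """Length-only policy in the spirit of NIST SP 800-63B.

    No composition rules (no forced symbol, digit or case), spaces allowed so
    passphrases work, and a generous cap (256 as in the transcript; the
    standard's floor is 64). Returns (ok, reason).
    """
    # Normalize so the same passphrase typed on different platforms compares
    # equal, then count code points rather than UTF-8 bytes.
    normalized = unicodedata.normalize("NFKC", candidate)
    n = len(normalized)
    if n < min_len:
        return False, f"too short: {n} characters, minimum is {min_len}"
    if n > max_len:
        return False, f"too long: {n} characters, maximum is {max_len}"
    return True, "ok"


def compare(passphrase_words: int, password_chars: int) -> dict:
    """Side-by-side numbers for a word passphrase and a random character password."""
    pp = passphrase_bits(passphrase_words)
    pw = password_bits(password_chars)
    return {
        "passphrase_bits": round(pp, 1),
        "password_bits": round(pw, 1),
        "words_needed_to_match_password": words_to_match(pw),
    }


if __name__ == "__main__":
    print(compare(4, 10))
    print(generate_passphrase(4))
    print(generate_password(32))
    print(check_password_policy("whiteboard light chair sneakers"))
```

The policy function deliberately has no "must contain a symbol" branch and no expiry field: under the guidance the transcript describes, the only reasons to reject a candidate are that it is too short or that it exceeds the storage cap, and the only reason to force a change is an initiating event, which is an out-of-band decision rather than a timer.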
