Archive 8 min read

Passwords, Educating Users, and the Communal Good

Security awareness is next to useless. Educate users instead

Passwords, Educating Users, and the Communal Good

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Good morning. How's everyone doing? Um Let's just double check the audio here. Um I always forget something. Uh I think we're doing good. Are we doing good? Uh, check, check, check, perfect. I think we're doing decent. There we go. Helps with the microphone is actually clipped on.

There's a little pro tip for you that I've learned in uh nine times of doing mornings with Mark. The microphone is far more effective when it's actually on as opposed to just dangling. Uh Good morning builders. Um Hope you're a little more together than I am.

I was watching the uh Canada Germany hockey game. Don't tell me how it ended because I've got to pause to watch the last couple of minutes because I wanted to be on time to talk to you. Now, yesterday, we talked a little bit about um passwords and because Troy Hunt, a fantastic contributor to the security community, um, released his latest uh p passwords over 500 million passwords this time.

So they're all hash. So you can't read them in plain text, but it gives a count and that alone tells us a whole bunch of interesting information, but we can reverse the hashing because they are just a simple mechanism to do that to obfuscate them so that I'm diving into that data, going to try to see what lessons we can learn from passwords because passwords continue unfortunately, to be the best of the worst solutions out there as far as identifying who we are to our systems.

Now, I did want to talk today a little bit on continuing that the um because f secure security company out of the eu with the fantastic Mikko Heaping, he's a great speaker and contributor to the security community as well. He was highlighting on Twitter their latest incident, excuse me, their latest incident response report.

So this is a report from their consultants to go in and help customers after a breach and they have a really interesting statistic. They said I'm just going to double check on my screen here. Uh Yeah, 52% of the instance they were responding to started with social engineering.

Um So again, this is uh you know, the latest stats in a series of stats that we've seen where um systems need to be secured. Absolutely. Don't get me wrong there. But again, we're failing our users. We are not doing the right thing needed to educate users to make smart decisions around security and yes, coffee today or more accurately, a coffee flavored sugar uh drink.

Um just a little different, mixing it up on a Friday. Um But yeah, So the back to the topic at hand here, users continue to be a challenge and I don't mean that in a traditional way. And unfortunately for the longest time, the security community has always said, you know, the users are the problem.

Um when really the security community is the problem, we are failing utterly and completely to educate users um with the right information, we're not giving them the um proper information to make decisions in context. We're not teaching them the right things. We do these security awareness campaigns.

I'm sure you guys have all been a part of them at work where they say, you know, hey, don't share your password. Great advice, make a strong password. And here's how you do it, you know, uh more than eight characters, mixed case number symbols, horrible advice.

Finally, the main um us guidelines, the NIST, the National Institute of Standards for Technology or something like that. Um Nist uh updated their guidelines last year on what makes a good password to align with the reality of statistics and probability and human nature. Um That ties back to Troy's great efforts around poem passwords.

I'm going to have a blog post up on medium about passwords real soon. Um And probably a couple of ranty videos on them as well. But again, an area where we failed, same with phishing. We always tell users um you know, don't click on links in email.

What the hell do you think a link is for a link is solely designed to connect two documents or resources online and it's designed to be clicked on. So yes, there are some things that you could teach people around links but not to click on them is not the right thing.

The proper advice here, the proper educational material is to tell people when you click on a link in your email. If it prompts you for credentials, stop. So if you get emailed a link, you click on it and it goes and it says, hey, log into Google stop, don't log into Google.

Open up a new browser window or a new browser tab yourself type in your uh Google address to see if you're logged in or type in the resource that you think you're trying to achieve as opposed to clicking on the link. That's it. The reason being here is there are way too many URL S and marketing is the worst abuser of this because you see the marketing URL S that are like just massive paragraph URL S, there's no way a user can logically determine whether a URL is legitimate or not.

However, as a user, if you click on a link that was emailed to you and it immediately prompts you for credentials that should be a flag. Now, you should ask yourself, is this the right context for me to be entering my user name and password or is somebody trying to fish me, we've seen that on a massive scale where people are trying to hook in and get user credentials.

That way, that is a better way to educate users because here you're giving them something that's reasonable and you can still click on links. You know, if it smells fishy, don't click on it. But if you click on a link and it prompts you for credentials, now you should start asking because maybe one out of every 10 or one out of every 20 emails, the link that you click on, asks for credentials or needs you to be authenticated and logged in somewhere.

So telling people not to click unrealistic and not even great security advice, telling people to question when they're asked for credentials and to make sure that they're really giving them to the site, they think that's far more realistic. And I think that just continues on and on and on.

You see, my favorite comes with Mac Os or with Windows and even on IOS, it happens where it just randomly prompts you for your password. And it says, hey, you need administrator access. Give it to me. There's not enough information for me as a security professional, as a forensic scientist to make that decision correctly, to say, hey, yes, this is a proper action that should be authenticated at a higher level.

This should have admin access, let alone the average user. And that's a huge failure on us on the security community on the development community. That's not a failure on the user. So this is a huge change. And I think there's a lot of complexities and there's a lot of nuances to why things have ended up this way.

But it can't go on. Um Especially with IOT, especially with connected devices like connected cars and things like this. We are integrating technology on a deeper and deeper level into our lives. And there's some wonderful, wonderful upsides. However, we have completely and utterly failed. There's a lot of adjectives today.

We have completely failed to educate the, the citizenry, the digital citizenry properly. We are going down tropes. Uh We are, you know, inventing false narratives and putting fake um or, you know, mythologizing things that shouldn't be true or that simply aren't true and that's to everybody's detriment.

So I think there's a lot of work that needs to be done in this area. I gave a talk uh two years ago called Setting up your security team or your security team set up to fail and tackle the security side of things. I think I've got another talk brewing right here.

Great conference coming up in April that I might pitch it to as far as how we failed to set ourselves up as a security community for the success that we state that we want. So we say we want everybody to be safe and secure. But are we really set up to do that are we teaching users and digital citizens the right things.

I don't think we are. Um I think that's entirely on us. Um And I think we need to do something about it and that starts by calling it out to ourselves that starts by questioning things and standing up for what is good for the user, what is right overall.

Um And there's a lot of complexities there and I think that's, it's really can, uh what's the right method to get it out there to raise that question? The questions need to come from both sides, from the average users and from the security community. So that's a really weighty and meaty subject and really deep subject.

Um And it goes off purely on the soft skills. Um, you know, and it reminds me of, I don't know if I saw last week, um, that I wanted to tweet out, but I just couldn't bring myself to it where, um, basically it was, you know, finally, um some uh undergraduate degrees in community courses are adding ethics.

Um and, uh to, um computer science and it just blew my mind because, uh that's a core question of what we're building, how we're building it that comes back to security. I know when I did my graduate work ethics was a core part of it and it was one of the best courses I took.

It was really interesting and it's something that we need to hold ourselves up to, I'll link below to a great piece that Mike Monteiro did around designers and designers responsibility around ethics. And I think if just, you know, sub out designers for security professionals or builders in general, it equally applies to us, we really need to start asking better questions and do what's best for the user as well as for the community, not just for the bottom line.

So really weighty Friday, I'm sorry for that, but I'm also not sorry because I think it's absolutely critical for us because I know educating um when I work with kids to understand uh cybersecurity risks and, and help them, you know, start their digital journeys. There's a lot of stuff that we're just failing at.

I think we can do better. I think we have to do better and I think we will do better and that starts with conversation. So as always, um hit me up online at marknca on all the networks. I would very much like to talk to you about this issue um and see all sides of it because I think it's a, it's a very um dynamic issue.

I think it's a very involved issue and everybody has something to contribute here. So please let me know what your thoughts are on this and how can we do better? Have a Great Friday? Hopefully you're thinking about this, um have a great weekend where hopefully you're not thinking about this.

You can just cut loose and relax and I'll talk to you again on Monday.

Read next