ITSPmagazine Podcast Network

Breaking the Password Barrier: An Expert Guide to Multi-Factor Authentication and the Rise of Passwordless Security | A Conversation with Theodore Heiman | Redefining CyberSecurity with Sean Martin

Episode Summary

Join Sean Martin on the Redefining CyberSecurity Podcast as he talks with Ted Heiman, CEO of CISO Guru, about the shifting landscape of password management and the critical role of multi-factor authentication in securing organizations. Discover why 75 to 80 percent of breaches are linked to static passwords and how transitioning to advanced authentication methods can significantly reduce security risks.

Episode Notes

Guest: Theodore Heiman, CEO, CISO Guru

On LinkedIn | https://www.linkedin.com/in/tedheiman

On Twitter | https://x.com/tedrheiman

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin


___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin engages with Ted Heiman, CEO of the cybersecurity practice CISO Guru, in an insightful conversation about the complexities and evolving landscape of password management and multi-factor authentication (MFA). Sean Martin introduces the session by highlighting the challenges practitioners and leaders face in building security programs that enable organizations to achieve their objectives securely.

The discussion quickly steers towards the main topic: the evolution of passwords, the role of password managers, and the critical implementation of MFA. Ted Heiman shares his extensive experience from over 25 years in the cybersecurity industry, observing that passwords are a relic from a time when networks were isolated and less complex. As organizations have grown and interconnected, the weaknesses of static passwords have become more apparent. Heiman notes a striking statistic: 75 to 80 percent of breaches occur due to compromised static passwords.

The conversation examines the history of passwords, starting as simple, memorable phrases and evolving into complex strings with mandatory special characters, numbers, and capitalization. This complexity, while intended to increase security, often leads users to write down passwords or repeat them across multiple platforms, introducing significant security risks. Solutions like password managers arose to mitigate these issues, but as Heiman highlights, they tend to centralize risk, making a single point of failure an attractive target for attackers.

The discussion shifts to MFA, which Heiman regards as a substantial improvement over static passwords. He illustrates the concept by comparing it to ATM use, which combines something you have (a bank card) and something you know (a PIN). Applying this to cybersecurity, MFA typically involves an additional step, such as an SMS code or biometric verification, significantly reducing the possibility of unauthorized access.

Looking forward, both Heiman and Martin consider the promise of passwordless systems and continuous authentication. These technologies utilize a combination of biometrics and behavioral analysis to constantly verify user identity without the need for repetitive password entries. This approach aligns with the principles of zero-trust architecture, which assumes that no entity, inside or outside the organization, can be inherently trusted. Heiman stresses that transitioning to these advanced authentication methods should be a priority for organizations seeking to enhance their security posture. However, he acknowledges the challenges, especially concerning legacy systems and human behaviors, emphasizing the importance of a phased and managed risk approach.

For listeners involved in cybersecurity, Heiman’s insights provide valuable guidance on navigating the intricate dynamics of password management and embracing more secure, advanced authentication mechanisms.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


___________________________


To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast


Episode Transcription


Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody, you're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine. This is Sean Martin, your host, of course. And I get to talk to all kinds of cool people about cool things that, uh, we, we, Try to, uh, deal with and handle from a cybersecurity perspective. So practitioners and leaders in all sizes of organizations, uh, trying to build security programs that hopefully enable the business to achieve its objectives in a secure way. 
 

Uh, not always a fun task and, uh, we get to unpack some of the challenges that's that folks, uh, folks encounter, and then hopefully get some insights from, from people who've experienced some things that, uh, you That might apply to your organization. So we're going to, we're going to spend some time today talking about passwords and passwords, manager, password managers, and MFA, and who knows what else, if we'll get into PKI or not. 
 

Anyway, well, we'll talk about some fun things and I'm thrilled to have Ted Heiman on. [00:01:00] How are you, Ted?  
 

Ted Heiman: I'm doing excellent, Sean. Thanks for having me.  
 

Sean Martin: Thanks for being on. And, uh, yeah, I'm excited for this. We've been, we've been, uh, chasing each other on, uh, on calendars for a while. And we finally pulled this together. 
 

So I, I appreciate your flexibility and, uh, hopefully everybody gets to, uh, gets to enjoy this conversation. I know I am. So let's, um, Let's start with maybe a few words from you about what you're up to. Maybe some of the experiences you've had, roles you've had, and, uh, why this topic of passwords, I think, I think may, I may have prompted some of that, but, uh, your, your thoughts on that topic in general. 
 

Ted Heiman: Yeah. So, um, I am the CEO of a cybersecurity practice called CISO Guru. And I have been in the security industry for over 25 years. I actually started when people wanted to start [00:02:00] connecting their networks to the internet. And I was selling firewalls. And I've been in the industry and seen, uh, you know, quite a bit of technology that's been, uh, developed to try and stop breaches and, uh, prevent the attacks that organizations are seeing. 
 

And, um, it's been a real challenge. I've worked with some of the largest organizations in the world, as well as the DOD, helping them try and solve this problem. And so I think that, you know, passwords are. I think most people would agree are something that they have a real challenge with and aren't really always sure what they should do or how the password should be used. 
 

And so I think it's an awesome time for us to talk about that and talk about why 75 to 80 percent of breaches that happen today, uh, are conducted using a valid credential, and in most cases it's a static password that they've been [00:03:00] able to get access to. And so, um, it's become a real challenge for the enterprise. 
 

Sean Martin: Yeah. And it, it's, I don't know if it's funny, it's not the right word, but maybe ironic. Something that, you know, presumably started so simply in the beginning, a few machines, you had a password, you probably wrote them down on a notepad, um, has become complex yet still a core part of how we operate our, our IT infrastructure and connect to systems and data and applications and whatnot. 
 

Um, but it's not sexy, right? It's not the cool new sim, uh, Sim rack system or the, or the new AI enabled, uh, EDR or whatever it is that, that everybody's chasing right now. Um, so I think it. It kind of gets left to the side in terms of where [00:04:00] huge investments are made. If you ever get a huge investment in a security program, um, that doesn't need to your point that it isn't critical as a, as a key component. 
 

So maybe, can you start for us maybe kind of a history of the password, how it started and maybe how we ended up to where we are today, and I'll jump in as you say stuff, cause I'm sure you're going to trigger some. Some flashbacks for me, you're talking about connecting networks, networks to the internet. 
 

I did a lot of that, uh, we're a construction company, which is a lot of fun.  
 

Ted Heiman: Absolutely. Yeah. Feel free to jump in anytime. I  
 

Sean Martin: certainly will. I certainly will.  
 

Ted Heiman: So the first thing I want to say is that passwords are a remnant of a time gone by when companies had local area networks that were pretty much confined to that organization. 
 

And it was merely a simple way to keep track of who is gaining access to what [00:05:00] systems, and for that purpose it was fairly, fairly successful. Um, you know, it wasn't a scenario like we have today where everybody's connected to the Internet. And so passwords worked just fine back then. Um, but even 25 years ago, we already realized that we needed a better way to authenticate, and people may have had, you know, familiarity with like RSA tokens or YubiKeys or other types of USB fobs that are used as a way to, uh, do multi-factor authentication. And it's been around forever, but it's hard to believe that almost 60 percent of the organizations out there, large enterprises, are still leveraging static passwords. 
 

And I think that, I think that that's, that's part of the challenge. And so, if we start, you know, so okay, you had a password, you're on a local area network, you could gain access to [00:06:00] the systems that you needed to. Then comes the internet, and so everybody had to install a firewall, and so basically you had, you know, a big moat around your network and, and your firewall was the one gate that you had to get through to get to your network. 
 

And, um, and then, and so at that point, then passwords started to become, uh, more challenging because as, as things evolved, we started connecting not only to the internet, but we started connecting to other divisions, business partners, suppliers, vendors. And now. You've got so many ingress and egress points on your network that, that making sure somebody is who they say they are is really critical. 
 

And so for 25 years, we've really been working on trying to solve this problem. And the fact that we're still using static passwords today is, is a real, real challenge.  
 

Sean Martin: So [00:07:00] let's talk about some of the, some of the, uh, the current challenges, because, let me see here, you gave the stat on the number of, of, uh, breaches rooted in, in valid credentials. 
 

So, and you've said static a few times. So my, my sense is that, I don't know, I know there's some best practices, 30 days, 90 days, whatever to recycle the passwords and reset them. Do we, are we just not doing something correctly or, or I mean, is it, is it a policy issue? Is it a control issue? Is it a scale issue? 
 

Is it, I don't know. What, what are companies challenged with, with respect to passwords, that's leaving us vulnerable to 75 percent of the breaches, whatever it was, driven by a password that's, that's stolen?  
 

Ted Heiman: So, yeah, so it's a technology issue [00:08:00] and and it's a human being issue. Okay, so from a technology perspective, it's an issue because if you're using a password that doesn't change. 
 

There are many ways for people to gain access to that password and use it to, to, uh, impersonate you. So, you know, it's, so the static password, that's really the challenge and, and, and what, what happens is this. So, I mean, you know, you could talk about the history of the password, right? We started with, you know, our dog's name or our kid's name or our favorite sports team's name or, you know, something that we were really familiar with and that we could remember easily because, because as human beings, that's how we relate to things: by stories, by pictures, by activities. 
 

And so that was real easy. And then they told us, well, That's not complicated enough. You need to use uppercase and lowercase, uh, letters to make your comp, [00:09:00] your, uh, password more complex, uh, to defend from brute force attacks. And so then everybody, uh, changed and added a capital N at the beginning of their password and, and, uh, some uppercase and lowercase there. 
 

And then they told us we had to add a number and then it was a special character. And so, you know, now our password is one Oakland A's. Uh, uh, exclamation point. With the A being an ampersand instead of an A, or whatever. And so we've made these complex passwords that are very, very difficult to memorize. 
 

Human beings' brains just weren't designed to memorize these passwords. And so we do the one thing, or two things, that you're never supposed to do. One, we write them down. And that defeats every, every purpose of a password. As soon as you've written it down on a piece of paper, and it's tucked under your mouse pad, or stuck to your monitor with a sticky [00:10:00] note, or in a little pad or file that you keep, um, you've got now a bigger problem. And the other challenge is that, from a technology and a security perspective, the weakest link sits between the keyboard and the chair. 
 

So that's us, that human beings. And so when I say it's a technology challenge and a human being challenge, it's both because one, We're still using a technology that's outdated and that's easily compromised. And, and, and so it's, you know, we, we, we've made it easy for them, but to, you know, we tend to reuse our passwords across multiple different sites. 
 

Because, if you had to remember a different password for every site and application that you had to access, you, you could never do it. So then what do we do? Okay, I can't remember all these passwords. So, then, we introduced something called password managers. And, [00:11:00] uh, that was a whole new concept. Uh, you know, a whole new concept. 
 

Look, you don't have to remember your passwords anymore. We can just stick them up in this application. It'll automatically remember them for you. And all the problems are solved. Uh, the challenge there is that now we've put all our eggs in one basket. And so every, every key, every password, every access token that we have is now stored. 
 

With that application and unfortunately all those password managers have been hacked.  
 

Sean Martin: One password manager and no, no second factor usually on those as well. So as you're describing this and, um, I don't know, you, you and I have had the luxury, you'll say, of, uh, looking at this for a while. You 25, me, me around 30. 
 

Um, there are probably a lot of people listening to this show that, uh, let's say. Passwords. We have that kind of [00:12:00] under control. It kind of, kind of sucks, but at least we have some control over it. What, um, the, the, the stat you mentioned though, suggests otherwise. So I can, I can see kind of a level of maturity where regulated industries, large organizations that, that, uh, really value security might have a high bar for, for, uh, Yeah, policies and controls and their, and their password stuff is, is well suited to, to meet the risk appetite. 
 

And then there are others that, that probably don't right now. I'm thinking smaller, smaller organizations, mom and pop shops, uh, yeah, some, some of the folks in the middle of the supply chain, if you will, um, where do you see, I guess my question is, do we think we have it under control or we really don't? 
 

Or. What's kind of the status of [00:13:00] password management at the moment?  
 

Ted Heiman: I think most security experts would agree that static passwords are no longer an effective way to secure our networks and our data. So the real challenge is then, okay, what do we do about it? How do we get rid of it? How do we fix this problem that's been created, um, over the years. 
 

And that comes down to looking at some alternative technologies that are very effective at, uh, protecting access to systems and networks. And this is where we introduce something called multi factor authentication or MFA. And this is an idea that's been around for a very long time, and we're all very, very familiar with it. 
 

And this is the concept of an ATM. We all use ATMs on a regular basis. We walk up to our ATMs, we insert something we have, which is our, our credit card, we, we enter something that [00:14:00] we know, which is a PIN. And we're able to get money out of our account through that mechanism, and even through today. And this technology has been in place a long time, because I implemented the very first online banking system in the United States. 
 

So this has been going on for a very long time, and you can see that banks have been very successful, and very, very few ATMs are ever compromised, otherwise the banks would be looking for a better way to secure them. And so, this concept of now going to MFA, multi-factor authentication, where instead of just a static password, we're leveraging something you have and something you know. 
 

And so, today, I think, really, the most familiar one that people are, you know, have, have run into is the idea that you log on to the system, and it wants to send you an SMS message to your phone with some kind of [00:15:00] code that you then enter into, uh, the application to gain access. And this takes security. I mean, it takes from passwords to multi factor authentication. 
 

They're a universe apart. And there are ways to get around multi-factor authentication, but they're really hard. You have to be really smart. And multi-factor authentication really eliminates probably 99% of the challenges that you have around, um, access control and people getting access to systems that they shouldn't. 
 

Sean Martin: So one might even suggest that the static password is okay if you have MFA. Well, yeah, if you have  
 

Ted Heiman: MFA, your static password is your PIN. You reused it over and over again, but the reality It's more like the  
 

Sean Martin: model of the bank. Yeah,  
 

Ted Heiman: without your phone though, and your phone number, you're not going to get that code. 
 

So the code is, That, that, you know, not only [00:16:00] is something that you know, but your phone is something that you have. And then the code is, is another level of security where you're actually entering that code.  
 

Sean Martin: So is it an issue that, that, uh, organizations aren't leveraging MFA? And is that, is that a cultural, if so, is that a cultural thing? 
 

Is it a technology or maybe it's a, or a program thing where they just haven't figured out how to get it all over the place, or is it. An issue with the technologies they've selected. So some might allow or might have MFA enabled. Others might still only rely on passwords or is it a end user behavioral thing? 
 

Or all the above, what do you see?  
 

Ted Heiman: It's all the above without question. That's all of the above. So. I think we've, you know, once again, we've all come to the understanding that static passwords are a challenge and we're, you know, the fact that we still use them is a challenge. And [00:17:00] what the, uh, what the bad guys have figured out is. 
 

That it's easier to hack a human being than it is to hack a firewall, or a NAC system, or a configuration management system, or some other way to try and get into your network. They don't do that. It's too hard, it's very difficult, it's much easier to trick a human being into doing something that, um, That they shouldn't do, which then impacts the organization as a whole. 
 

And so, you know, without getting too deep into the concept, but if you think about ransomware and malware, the way that that usually gets injected into the network and your systems is because somebody sends you an email. And it's about something important like, um, your iCloud is full. And if you don't sign up for more space, you're going to lose all your pictures.[00:18:00]  
 

And then we, as human beings emotionally react to those emails. And so instead of taking the time to look at who did this email come from, does this email look right? Is everything spelled correctly? You know, okay, this is a valid email. Unfortunately, as human beings, our emotions get to us first and we click and then go, oh shoot. 
 

And at that point, it's too late. The malware is already being loaded. The ransomware has already been injected and you've now created a huge, multi million dollar problem for the enterprise. And, um, and, and it's as simple as just thinking before, you know, thinking before you act or acting before you think, however you want to look at it. 
 

But, but we as human beings are, are fairly easy to fool. And. One of the things that's happening now with AI is that they're being [00:19:00] able to create even more compelling, more emotionally, uh, you know, uh, compelling, uh, content to make us click and to make us look, think, and look like it's coming from a valid source. 
 

And that, that's pretty scary.  
 

Sean Martin: So what are your thoughts on passwordless systems where you get, it's effectively, well, you can correct me if I'm wrong, but effectively you get in, but I guess it's two, two second factors, right? If I'm not mistaken, is he, you get an email and then you also get a text or something, um, and, and the email includes the link that allows you to log in. 
 

So I guess by virtue, you're, you're accessing the system and logging in with the, probably some kind of key or code through the email. Um, and then perhaps a second, [00:20:00] uh, a second, second factor. SMS on your phone or something? Or, or, uh, yeah, an authenticator app like, uh, Google or Authy or something. So I, I'm pretty sure that's the, that's the definition of a password, or model of a password, or passwordless system. 
 

But what are your thoughts on that, do you think? Because then at that point, you're not managing any passwords for anybody.  
 

Ted Heiman: Yeah, and and that's the goal. I think that's where we really need to go. And I think that companies are understanding this and enterprises are starting to implement this. So imagine a concept where you walked into your office and your computer automatically initiated a Bluetooth session with your phone, an encrypted Bluetooth session with your phone. 
 

So that recognizes who you are, and then all you have to do is hold your phone up and use [00:21:00] facial recognition, which is part of our phones today, biometrics, which is part of our phones today, or merely enter a PIN, which is something that's very simple to do. And so what we have to do is we have to make the first authentication really strong. 
 

So we want to make sure you are who you say you are. So we're going to use multi-factor authentication to prove that you are who you say you are with a fairly high level of confidence. But then, from that point on, there's, there's a technology called single sign-on where every time you need to access an application behind that initial authentication, it happens automatically, transparently for you, and you're able to access that other system, uh, through that, through that transparent mechanism. 
 

And then now we've developed something that's called constant authentication that we leverage with single, uh, you know, single source.  
 

So constant authentication now is [00:22:00] this cool new technology that actually authenticates you based on behavioral analysis. So we can, over time, learn how Sean Martin types or how Sean Martin uses a mouse and these types of things. What applications you go to on a regular basis. 
 

All this background information that we're able to gather about a user, we can now leverage that to do constant authentication. And then the user never has to enter another password unless at some point we feel like the session may have been compromised or something doesn't look right. And at that point, the system might come back to you and say, Hey, we just want to make sure you are who you say you are, you know, and, and, and you might have to authenticate again. 
 

But the goal is to pretty much eliminate the requirement to authenticate to every application with a different mechanism and every tool. With the different mechanism. And so, um, I think that that's where we want to go. And I think [00:23:00] that most large enterprises are moving very quickly in this direction because getting rid of static passwords is the first step in zero trust. 
 

If you're implementing a zero trust, you know, type of architecture. The first thing you do is eliminate static passwords. So, um, you know, so I think that that's something that, that, you know, we really need to think about as well.  
 

Sean Martin: Are the, are the systems, and for those listening who know this answer, uh, forgive me, but I don't implement, uh, authentication systems, so that's why I'm asking. 
 

Are the systems in place to support an endless variety of, uh, applications and systems and things like that? Because let's face it, there's a lot of old legacy stuff out there. I'm sure there's still Windows 95 floating around somewhere. NT, right? So those aren't [00:24:00] being updated anymore, so I don't even know if they support, uh, second factor login unless you've added something. 
 

I dunno. So I guess my point is, we have a lot of legacy stuff. You can't, can't just flip a switch to passwordless. I don't think so. How do we, how do we arrive at a point where we have a passwordless, no static passwords needed, no M, no password managers needed, uh, some way to manage a second factor, multi-factor system as part of this, um, where necessary, but that ultimately that continuous authentication model, how do we get there from where we are today? 
 

Ted Heiman: So that's absolutely correct. And there are legacy systems out there and there are proprietary systems out there that companies have built. Um, there are certain systems and applications that you're not going to be able to authenticate the way you might to [00:25:00] the majority of your applications. So what I would say is that those are the outliers. 
 

And when I've helped companies deploy two-factor authentication across their entire organization, I've run into those every time; there are those outliers. And what we do is we do what every CISO does, which is manage the risk and understand the risk. And that we have that risk, and then make sure that it's an acceptable risk to the enterprise, and that possibly you've taken other steps to make it difficult for, for instance, somebody on the Internet to gain access to one of those legacy systems, by micro-segmenting your network to make it very difficult for anybody to get to it. 
 

But, but with security, there's no such thing as 100 percent security. With security, you know, we're, we're just constantly trying to improve and get better and better and closer to a hundred percent. But we [00:26:00] never are going to get to a hundred percent it. There's always going to be these outliers. And so, um, but let's not let, you know, uh, the perfect be the enemy of good, right? 
 

I mean, we can lock down 90 plus percentage of our applications and systems with two factor authentication and, and most of these systems are designed to work with two factor. So just because a few of your systems might not be able to be incorporated into the overall authentication screen, authentication scheme. 
 

Um, it doesn't mean that you should say, Oh, because of that, I'm not going to implement two factor authentication. What it means is, two factor authentication is still very important. You should implement it across your organization as best you can. To the systems that you can, and then manage the risk around the other systems that you have, that, that you, you know, our legacy, because you have other issues with those systems, [00:27:00] right? 
 

You can't update the software on them. There's no patches available. There's all kinds of issues with those legacy systems. And so, you know, enterprises should be working to eliminate those legacy systems as they go. But, but they shouldn't wait to do that before they implement. You know, a two factor authentication scheme  
 

Sean Martin: And other, other challenges in implementing 2FA, MFA, passwordless, continuous auth solutions. I'm just thinking, at least we have the well-oiled machine when it comes to "I forgot my password," right? A lot of that's automated. There might be some help desk involved to kind of close the gap there. Somebody loses their phone. Somebody loses their, uh, YubiKey, um, a little more challenging, right? 
 

There's a cost with the YubiKey. The phone, that's a whole other story, but [00:28:00] if that's the only way, if the authenticator app is on the phone, and that's the only way to get that key. That, uh, code, that's all another thing. So how, how do organizations kind of, or are there others like that? And how do organizations overcome some of those challenges? 
 

Ted Heiman: So, uh, there's, there's kind of two things that happen. So I, I did an extensive amount of work with the Department of Defense to roll out the new military ID badge, which is the Common Access Card. And it's basically your key to everything in the military. It's your key to the base. It's your key to the facility. 
 

It's your key to get on any of the military networks, SIPRNet, NIPRNet, et cetera. And so if you show up to the gate and you don't have your CAC card, you're going home to get it. And if you've lost your CAC card, they're going to escort you directly to a place where you can go and have your CAC card replaced. 
 

[00:29:00] So with the military, it's, you don't have it, you don't get in. With the enterprise, it's a little bit hard to do that. And, and, and, you know, people forget things. I've forgotten my phone. I've forgotten other things that I needed when I left the house. And that happens. It happens. So we have to set up a system. 
 

To when that happens to allow those people to gain access to systems, um, temporarily until they're Till they've got their phone or their token or whatever they need back. And so that's just part of rolling out two factor authentication to the organization. And, and, you know, one of the challenges with two factor is it touches everybody in the company from the janitor to the CEO, it touches everybody because you're not going to have exceptions for those people. 
 

Oh, I'm a CEO. I don't have to use two-factor. No, it touches everybody. So rolling it out is, is complex, and it needs to be done in a way that [00:30:00] you're doing it in stages and understanding the repercussions and expanding, uh, the deployment as you go, and not try and do one giant installation. That rarely works. 
 

Sean Martin: And do you see, I know you talked about kind of the legacy system and, and don't not do two-factor because you have legacy systems. So get started on something else, but do you see the zero trust, passwordless and continuous auth, is it, is it right there to touch where we can, I don't know if we have to, we still need to multi-factor, right, in those schemes as well, I would imagine, especially for high, highly critical transactions, perhaps. 
 

Um, cause I guess we didn't even talk about that, right? The idea that you, you log in and you might have step-up authentication for, for certain things. If you move 50 bucks between accounts, yeah, [00:31:00] your current authentication is good. If you move $50,000, you might have to reenter your password. If you move $50 million, you're going to get two keys and your counterpart to sign in as well. 
 

Um, but anyway, I guess my, my question is, do, are we at a point where we can kind of skip some of the old, like why bother with a password manager? Just jump straight to two-factor, multi-factor. 
 

Ted Heiman: Yeah, I think the password manager was an intermediary step. It was, it was, it was a terrible idea to begin with because all you did was take a problem and exacerbate that problem by adding password managers. 
 

Because as you know, as soon as the company implements a password manager, every 90 days now they want you to change your password. And so, you know, it's just [00:32:00] now there's just a ton of passwords. And what the password managers do is kind of act as a database, a place for us to store this information that we can't remember and can access easily. 
 

And so password managers, you know, it was, it was a way to try and improve on, on, on the issues with static passwords, but it also created other issues, as I mentioned, where if all your passwords are in one place, all eggs in one basket. And that basket gets hacked, because the reality of the situation is most of those password managers, you authenticate to them with a static password, hopefully a very strong static password, but a static password. 
 

So it didn't really solve the problem. It made complexity for the users actually go up. And I know for me, you know, one of the biggest frustrations I have is you can actually have a password manager create a password for you, a really strong password, and then [00:33:00] you're out and you're trying to use your phone and it wants you to log in and you don't remember what that password was. 
 

So now you've got to go find your password manager system, look up the password and put it in, which, which is frustrating. So I think that password managers were an attempt to improve on what we had. But inevitably, they actually made the problem worse because it gave people, um, a sense of security that wasn't real. 
 

Sean Martin: Yeah, master weakness. Ah. Or centralized weakness, I don't know how to use that word. But anyway, yeah, it's an interesting time. We didn't even get into the username, user ID, kind of the identity part of the access. We only talked about the access part. Um. There's a lot there, too, I'd say, in terms of, I mean, there's, what's the idea? 
 

Is it your email? Is [00:34:00] it a log, a username you create? Is, is that shared? Is it unique for all? There's a Hide My Email for at least, for a lot of the consumer-based stuff you can, you can use Hide My Email. Um, so you're obfuscating the, the ID in addition to the password. I don't know. We don't necessarily need to go down that path. 
 

I think  
 

Ted Heiman: we can do a whole nother, another, uh, discussion about identity and access management and why, again, IAM is so critical for organizations today, because identity is the new perimeter. Because we have so many ingress and egress points on the network, we need another way to know who's doing what, and, and what identity systems do, 
 

identity and access management systems do, is give us that visibility. And so they're very critical to the enterprise and they are a critical step in improving your security overall. So we definitely [00:35:00] identity access management is kind of the, taking all of this to the next level. And, um, and we should definitely take some time to talk about that. 
 

Sean Martin: Yeah. The other thing we touched on before we started recording was the, I mean, this is all user based. Human, human based, uh, authentication. We didn't even get to machine to machine and app to app and service to service and API to API. And, and all the combinations that those, those hold with, by the way, a user sitting in front of it, kind of orchestrating all those things. 
 

Um, so maybe another conversation there too. Uh, because those use static things that do rotate, but those have to be managed as well, as we, we talked about. Well, Ted, um, super interesting. Uh, I think the history to the present, uh, is really cool. Any, any final thoughts on where things are heading? I think the, the continuous auth is a pretty [00:36:00] exciting future. 
 

I don't know what the status of that is, but, uh, anything else you want to touch on before we wrap up here?  
 

Ted Heiman: No, I think right now that's really the state of the art. If you can get to constant authentication for 95 percent of your users, you've done an incredible service to your organization and you've reduced the risk of a breach by 
 

huge percentages. I mean, like I said in the beginning, 75 to 80 percent of, of breaches happen because of a, a valid static credential. So if we can get rid of those static passwords, it's a huge step in the right direction from a security perspective. And, um, you know, I, I've done this for, for the biggest corporations in the world and the Department of Defense. 
 

Sean Martin: I appreciate the, uh, the conversation here, Ted, and, uh, a lot of good insights, and hopefully we got people to think. That's my main objective, right? If they can take something and take action, that's even better. But at least start thinking about things, and hopefully, uh, hopefully we get some nuggets here today. 
 

So thanks, Ted. [00:37:00]  
 

Ted Heiman: Oh, it was my pleasure, Sean. Thanks for having me. I really appreciate it.  
 

Sean Martin: And as my coffee machine, uh, grinds away in the background, I want to thank everybody for listening to, uh, listening and watching, uh, this episode of Redefining Cybersecurity here on ITSP Magazine. We'll put some links in the show notes to connect with Ted and, uh, hopefully we'll see you all again soon. 
 

And Ted, hopefully another chat. I think we uncovered a couple more things to dig into. So at some point we'll have a happy back on the show.  
 

Ted Heiman: I look forward  
 

to it, Sean. Thank you.  
 

Sean Martin: Very good. Thanks everybody. See you on the next one.