Identity and access management is one of the most discussed and most critical aspects of cybersecurity, and security innovations in the industry seem to be announced daily. Yet employees’ password behaviors don’t seem to be changing with the times. And what about those times? What do these innovations truly mean for digital identity?
To learn more about the discrepancies in employee password behaviors and the other innovations in the identity and access management market, we spoke to Sandor Palfy, CTO of Identity and Access Management at LogMeIn. Here’s our conversation, edited slightly for readability:
Solutions Review: What common password behaviors do you think are particularly egregious for cybersecurity?
Sandor Palfy: There is no doubt for consumers and businesses that data breaches and security issues are no longer an anomaly but have become the new normal. According to the most recent Data Breach Report by Verizon, more than 80 percent of these breaches last year leveraged stolen or weak passwords. Passwords play a huge part in one’s overall security, but people continue to neglect basic best practices.
Some of the most common ways they are leaving themselves vulnerable online are by using weak, easy to guess passwords, and then re-using those passwords on multiple other online accounts. Because the password is weak, once one of these websites is breached, attackers can figure out your password through brute forcing (guessing at scale). And because it was re-used, now they can potentially have access to several of your other accounts. In spite of this, people continue to reuse passwords across their accounts, despite the obvious risks.
Another bad habit is storing passwords in an insecure way. Spreadsheets, post-it notes and similar tools were not designed to store passwords. Even the password managers built into your web browser don’t provide adequate protection to your credentials, as this is simply not their main focus and expertise.
The three basic rules of password management haven’t changed for years:
1) Use strong passwords: by today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols
2) Use a unique password for every single account
3) Store your passwords in a secure way
These rules might sound daunting, but online password managers make it extremely easy to follow them.
SR: So despite growing threats and at this point almost daily breaches, employees’ password behaviors haven’t really changed. Why is that? What’s the disconnect between the headlines and the day-to-day?
SP: It’s interesting because there are two trends that we’ve found happening in parallel in cybersecurity. One is that cyber threats are becoming more sophisticated and more targeted – hackers are continuing to find new and innovative ways to breach companies or steal personal information from individuals. But the second trend is exactly what you said; despite news about big data breaches, users aren’t taking the simple protective measures they could to protect themselves or their businesses.
So the heightened awareness isn’t translating into action. We conducted a study a few years ago that found that 75 percent of respondents considered themselves informed on password best practices, yet 61 percent admitted to using the same or similar password across accounts. In other words, they understand or at least claim to understand the risks, yet often ignore them in favor of speed and convenience. Modern online password managers are designed to give the same, or even more, speed and convenience, while dramatically strengthening your online security. We will soon be issuing an updated version of this research that takes a look into whether or not user has changed.
SR: What do you think of the direction of machine learning (ML) and AI in cybersecurity in the future? What has been its impact thus far?
SP: AI has already been used in many components of the cyber defense. Next generation end-point security systems use machine learning to detect previously unknown malware, modern IAM solutions use it to spot unusual activity, for example, when an employee is trying to access data from an unusual location at a strange time, and SIEM tools are scanning through hundreds of thousands of events coming from the corporate network, hunting for anomalies that can indicate malicious activity.
Attackers using ML is relatively new, but I expect a very rapid escalation leading to a war of AIs. First, it was the cracking of the classic CAPTCHAs, the boxes that used distorted pictures of letters and numbers. Now there are examples of attackers using AI to mimic the behavior of a regular user, trying to outmaneuver AI in the defense systems. Another paper from 2016 demonstrated how ML can be used to create tweets that will lure specific types of people to click on malicious links.
Algorithms can find very surprising, outside-of-the-box solutions, which is scary if you think about the many ways an attacker could use them. The arms race of AIs has already started.
SR: How do machine learning and AI relate to password behaviors and identity management? Has there been a clear impact in that regard?
SP: Artificial intelligence is increasingly being used by cyber attackers. Recent research has uncovered ways hackers could use machine learning to figure out patterns people use to create their passwords. This new method is much more efficient than using previous tools used for password guessing. The personal systems you may have used to generate passwords in the past, such as using your pet’s name and the year you were born, etc., are no longer safe from AI. This is one of the reasons why we recommend everyone to switch to randomly generated passwords for their online accounts: random passwords are not guessable by an AI.
The same is true at an organization level. A strong identity solution deployed across an organization can be the difference between whether a large-scale hack, possibly AI-driven, succeeds or fails.
SR: What about biometrics? Will biometrics supplant passwords, in your opinion? Or will they be more of a security complement to passwords and password behaviors?
SP: Biometrics is an excellent way to provide additional layers of security over your passwords as a form of multi-factor authentication. In some situations, they can even act as a proxy to your passcodes or passwords as we can see it on the mobile phones, for example.
However, while the prediction for years has been that biometric authentication is going to eliminate passwords, we simply don’t see that happening. In fact, people manage a whole lot more passwords than they used to a couple of years ago, both in their personal lives and in the office.
Part of the reason why passwords are still with us is that while biometrics work great as gatekeepers, granting or denying access to data, they can’t be used to encrypt the data.
Ever wondered why iPhone X, with its sophisticated face recognition technology, still asks you to create a numeric passcode during setup and prompts you for it every time you reboot your phone? It’s because it cannot use biometrics to encrypt your data. It has to use your passcode to do that.
Even if it were technically feasible, what would happen if someone stole your facial data, the same way hackers steal passwords today? Passwords can be changed, but your face cannot. Or at least it would be rather painful!
While we’re seeing biometrics going mainstream and becoming a very convenient authentication method, we don’t think that passwords and passcodes will completely go away anytime soon.
Thanks again to Sandor Palfy of LogMeIn for his time and expertise! Sandor Palfy serves as CTO of LogMeIn’s Identity and Access Management business unit. In this role, he is responsible for the technology vision, innovation, engineering, and security of all LogMeIn IAM products including password manager LastPass and remote access and management solutions LogMeIn Pro, GoToMyPC, and LogMeIn Central. He joined the company in 2004, initially focusing on the Pro and Central product lines, and later taking ownership of Platforms, IT and Security. From 2014 he served as the company’s CTO, and now most recently the newly formed IAM business unit.