Episode Transcript
[00:00:00] Speaker A: One, two, three.
[00:00:01] Speaker B: Come on.
[00:00:02] Speaker C: In the grand stadium of the digital landscape, where teams of innovators and hackers face off daily, there stands a commentary box like no other. Picture the buzz of a pregame show, the strategy analysis of the halftime break, and the deep dives of a postgame discussion all rolled into one.
Welcome to Off The Wire, a play by play on cyber issues. Your sports desk for the big league of cybersecurity. Just like in sports, in the cyber world, understanding the play is key to
[00:00:36] Speaker B: staying ahead of the game.
[00:00:37] Speaker C: And that's exactly what we offer a podcast that brings the strategy room to you, helping you to understand the moves, the players, and the landscape like a true analyst, off The Wire, a play by play on cyber issues.
[00:00:54] Speaker B: Hi, and welcome to Off The Wire, a play by play on cyber issues, with John Watkins and my co-host Anthony Kent. Welcome to this second episode of the podcast, and we're glad you're here. We've got a really interesting one for you this time. What's the title for this one, Anthony?
[00:01:11] Speaker A: Today we're going to be talking about passwords. Change them or keep them.
[00:01:15] Speaker B: Fantastic. I think everybody hates passwords, right?
[00:01:18] Speaker A: I love passwords.
[00:01:19] Speaker B: John, you are a weird person. Okay, well, that's all right. That's okay. Hey, I wanted to talk a little bit about did you check out the stats for our last episode?
[00:01:29] Speaker A: I did. It appears that we had nearly 100 listeners. And how many states did we reach?
[00:01:35] Speaker B: Looking at it, looked like 27 of the 50 states. At least. That was pretty cool.
[00:01:40] Speaker A: Yeah, that's pretty awesome. Especially considering co-ops only touch 48.
[00:01:43] Speaker B: We'll get there. That's really good. Well, I think what helped is that we did get it on Apple, which I thought was a big win, and we did get it on Spotify, so I think that's really pretty awesome.
[00:01:53] Speaker A: Yes, I'm happy with those results.
[00:01:54] Speaker B: Oh, hey, by the way, Anthony, new thing. I don't know if our listeners know about this yet, but I know you do and we'll talk about it. We've got a new feature for the podcast that we will announce at the end of this podcast.
[00:02:07] Speaker A: All right, I can't wait to hear about that.
[00:02:09] Speaker B: Yeah, it's pretty cool. Oh, hey, another thing. So what are we talking about here? We're talking about password rotation, right? So what's the scoop with this?
[00:02:18] Speaker A: Well, it's either do you do like everyone else and change your password, or do you do the newfangled thing and don't change your passwords.
[00:02:26] Speaker B: Okay, that sounds like an exciting episode. And do we have any sponsors for this episode?
[00:02:31] Speaker A: That we do. Let's introduce them.
[00:02:33] Speaker C: Today's episode is sponsored by John Watkins Consulting, the cybersecurity expert electric cooperatives trust. Are you an electric co-op struggling with limited resources and the daunting task of safeguarding critical infrastructure? John Watkins Consulting specializes in easing that struggle. With over 14 years of experience, John offers tailored solutions to fight your unique cybersecurity challenges.
Don't let the difficulty of board engagement and cultural challenges hold you back. John Watkins Consulting will guide you through these challenges, turning your pain into progress.
[00:03:14] Speaker B: Yes.
[00:03:15] Speaker C: Ready to fortify your co-op's digital defenses? Call 937622 Eightyn or visit johnwatkinsconsultants.com. John Watkins Consulting. Turning your cybersecurity struggles into strengths.
[00:03:32] Speaker A: All right. And again, thank you for John Watkins Consulting.
[00:03:36] Speaker B: That's a good company. I like those. Not bad.
[00:03:39] Speaker A: Not bad.
[00:03:41] Speaker B: So let's talk a little bit about defining password rotation and give an idea of why people were advised to change them. But before we do that, we got to do the big coin flip. So, okay, last time you get to call it in the air, right? So I guess we'll flip the coin and I'll get to call it this time, right?
[00:03:57] Speaker A: I'll give you a 50 50 shot.
[00:03:59] Speaker B: That's what it is, right? Here we go. I'm going to call it. Heads.
Look at there it is. Heads.
I'm going to be against changing your passwords. I'm going to be the newfangled guy. How's that?
[00:04:13] Speaker A: Really? That's a brave move.
[00:04:17] Speaker B: Yeah, well, I'm progressive. I want to kind of stay out there in front of these trends and stuff. I don't know that really changing your passwords is really helping anybody's security.
[00:04:29] Speaker A: Well, you know, if you want to do the newfangled thing, John, but I feel like I've got my ducks in a row on this one, so we'll see how this shakes out.
[00:04:37] Speaker B: This should be a good one. This is going to be a good one. So let's talk a little bit about why people were even advised to change the passwords in the beginning. Yeah. So the reason why was that with passwords, 90 days was pretty much the standard back in the day, that was kind of the gold standard for how long it would actually take to crack a password. So when brute force when you're protecting against brute force, the kind of the theme of the day or the kind of the common wisdom was, hey, if it takes an attacker 90 days to brute force your password and you've changed it every 90 days, even if they brute force it and get it, then what they're going to get is worthless. Right?
[00:05:17] Speaker A: Yeah.
[00:05:18] Speaker B: After that, then the whole hashing was introduced and then solving the hashes. So it became less and less of a I think that advice hasn't aged well, is what my side of the opinion is on this one. Yeah.
[00:05:33] Speaker A: With the advances in technology and then also really just the amount of characters that folks are using at their organization, I think that's changed the game quite a bit.
[00:05:43] Speaker B: Yeah. So, I mean, the reality of it, too, is Microsoft now, I think, even in 2019, has come out and said, hey, you don't need to change your password every 90 days. That's just ridiculous. And what it actually does is, and this is one of my arguments and maybe you can argue against this, but this is what I feel and this is what I've seen happen, is you make people change their password all the time. They hate your security program for one thing, and then for another thing on top of that, they go to change it from winter 2023 to spring 2024 or whatever.
They change it in such a pattern that it's easy for the attacker to spot. So how does that even help the security by changing it every 90 days?
[00:06:20] Speaker A: Well, I do think you need to stress the importance of pass phrases and I know we're going to talk about some tools after this part, but I'll go ahead and give a preview to one. You basically should have some kind of tool that is looking at the hashes of your password to make sure they're not something overly simple or something that has been part of a breach.
[00:06:40] Speaker B: Yeah, and I think that's the other thing, you know, I think Microsoft's guidance was based on "does your password even matter?" I think we're going to provide a link to that in the description here. But does your password even matter these days, according to Microsoft? No. And they did this whole research and they've got a little matrix, you can see it on the link that we'll provide. But it doesn't really matter what the attack is: credential stuffing, phishing, keystroke logging, local discovery, whatever, for whatever the reason. You know, local discovery, we'll just use that one. You know, if you change your password, it doesn't really matter if they do local discovery, because they've just found what your password is anyway.
[00:07:21] Speaker A: John, I did not realize you were such a Microsoft fanboy.
[00:07:25] Speaker B: Oh, shot across the bow. Now you're going to put me on the defense here a little bit. I'm not a huge fan of Microsoft, or at least I hadn't been for a long time, but that does make sense to me. From a, I'll say this, one of the things I read online, you know, Rob Lee from Dragos and another one from SANS. I forget the guy's name off the top of my head, but another red team guy from SANS. Him and Rob Lee both said in all the attacks that they did while working for the government, not once did password rotation ever stop them from breaching a target.
[00:07:59] Speaker A: Yeah, I don't think it'll stop, but I think there's some benefits to doing it. One of those is just if you have a user and they share their password because they're not going to tell you that they're sharing their password, if you're never changing your password, how are you going to get rid of that and you're not going to know about it? There's a few other reasons, but I.
[00:08:18] Speaker B: Think that's one I get that one thing is that's a good point, right? If somebody's sharing a password that needs to be changed out, if somebody leaves the organization and they've got this shared password that needs to be changed. But what about this? You're saying that it shouldn't be changed, but what about every time you change it or make them change it, then they forget, right? There's just like this cycle that they go through and then they put a help desk ticket in.
What's it cost for somebody to actually work a help desk ticket? Do you have any idea by chance?
[00:08:50] Speaker A: Well, I looked at an article by Gartner and they're saying that an account lockout, it costs anywhere between $50 and $100.
[00:08:57] Speaker B: Yeah. So people are locking themselves out all the time, every 90 days or whatever it is, and you've got it on this rotation. I mean, how many? That's a lot. 20% to 50% of all help desk calls are actually password resets. So you multiply that by $50 a time or something. It gets pricey.
[00:09:16] Speaker A: Yeah. Well, John, I think there's a way to fix that and also still change your passwords. So at my organization, when I got there, we were doing passwords changes every 90 days. And I actually looked this up previous to this podcast and I just picked a random month and there were 79 account lockouts and we only had 97 people that worked at the organization. Wow.
[00:09:41] Speaker B: 79 times $50. We'll go on the low end that just cost your organization $3,950.
[00:09:47] Speaker A: Well, it was practically a part time job for someone unlocking accounts and of course the user they're impacted and can't work until they get their account unlocked. So I agree it's an issue, but I'm going to challenge that with basically what we did. We went from 90 days to changing it once a year. Now, I do think any organization changing their password every 90 days, I hate to say it, but at this point, that's just insane. Yeah, it's a little much.
[00:10:17] Speaker B: Well, what about this one thing we didn't even talk about on this is MFA, right. So if you've got MFA on an account, does it even matter changing it every year?
[00:10:28] Speaker A: I think it still does. We talked about basically if someone's sharing their password, you're not going to know about that, most likely. But the other thing is well, let me ask this. I'm going to ask a question to kind of answer this.
How many times have you changed a character limit at the organizations you've worked at?
[00:10:45] Speaker B: Yeah, I don't know, but I think you could do that. I think that's one thing you could say is like, hey, we'll let you not change it as often as depending on your character count. Like if you've got a passphrase that's 24 characters or something crazy, we're definitely not going to make you change that one all the time. So maybe that's a good way to do it.
[00:11:02] Speaker A: Well, I was just thinking more in line that if you ever decide to change the character count, you're not going to be able to enforce that if you're not making people change their password once a year.
[00:11:11] Speaker B: Yeah, good point. That's a good point. Okay, one point for you so far. Ten for me, one for you.
[00:11:17] Speaker A: I think it was more nine to two, but okay.
[00:11:19] Speaker B: All right, whatever. Well, I'm winning, I think, anyways, on this one. I don't know, because I heard you several times, said that was a good idea. So I don't know. I'm saying that's why I'm winning. What we need to do you know what we need to do, Anthony? We need to end up getting us a judge that comes on the show, listens to us debate, and then gives us points and at the end picks a winner. What do you think?
[00:11:41] Speaker A: Yeah, I think my wife would do great at that.
[00:11:45] Speaker B: Vested interest. Vested interest.
[00:11:48] Speaker A: She might side with you, though.
[00:11:50] Speaker B: I don't know. She might. It's hard telling. We could get maybe both of our wives involved and have some double coaching. I don't know. That's something to think about for a future episode, for sure.
[00:12:00] Speaker A: They would love that.
[00:12:02] Speaker B: Well, let's see. Let me say I had a situation one time.
We'll talk about some recommended practices here in a minute, but I'm talking about this real life example. Had a situation once, I heard of it, where this IT department guy, he had like this really weak password, right? And not only was it for his regular credentials, but it was also being used as his domain admin. So you got his regular creds, also his domain admin. Super weak. So this organization told me that it was during a routine audit against the environment. They actually found that situation.
[00:12:36] Speaker A: So you're telling me an IT professional was using the same password for his user account and his domain admin, and it was a weak password?
[00:12:44] Speaker B: Yeah. And I think you're not going to be able to implement a password policy where you don't change passwords without doing my whole point here is you got to do some kind of auditing, right?
[00:12:53] Speaker A: Yeah.
[00:12:54] Speaker B: You know what I mean? Which now we can kind of transition and talking about those tools or practices, it doesn't matter. If you want to do password rotation, great. If you don't want to do it, great. I don't think you should. But here's some practices, and I heard you say this already, but like in the case of a breach, so we used to have a policy where I worked where if you got a bunch of two factors coming through authorizations and you know they weren't coming from you, well, guess what? You're going to have to change your password there. So another one was like you talked about, too, was the shared password. So you got a user. That leaves the organization. You got to rotate that shared secret, right?
[00:13:30] Speaker A: Yeah. If you know about it.
[00:13:32] Speaker B: If you know about it. Well, which is another reason why you should do some kind of auditing. So the next one is what about service accounts on that?
[00:13:40] Speaker A: It's hard but you should be rotating those on a regular basis.
[00:13:44] Speaker B: Yeah, because you can't do the MFA there. There's really no other way. And make sure that they've so there. I guess the only way to win that out is to have those super long super long passwords, right? Yeah, anything with single factor, I guess passphrases are going to be the best. And what I found in my research was the numbers and the characters and all that stuff doesn't matter as much as the length. So I guess length is the new entropy is what I heard.
[00:14:07] Speaker A: Length trumps complexity. That's a catchphrase with that.
[00:14:12] Speaker B: Yeah, that's good. And then some of the tools of course, MFA, right? Like I don't know, Duo Azure. There's a bunch of MFA. LastPass even has a lot of your SSO stuff. What was that other tool that you were talking about with that Microsoft has?
[00:14:27] Speaker A: So we have the Microsoft Entra Password Protection, and that will basically look for bad passwords out on your system, and that's a free tool. And then also I want to throw out one more. There is Microsoft LAPS, and LAPS stands for Local Administrator Password Solution.
So I know after we rolled out CrowdStrike we got hit on having the same local admins across the network. And anyways, we implemented LAPS and it's a much better solution, because I don't know how many times we had a computer where we didn't know the local admin. And LAPS prevents that by storing it in Active Directory.
[00:15:07] Speaker B: Yeah, that's a real thing too.
We had inside of our password manager, which by the way we didn't even talk about password managers. Let me say this real quick. You're going to have to use a password manager in some way, shape or form. I know there's been some breaches on some of the password managers out there but I don't know of any good way that you could have all these rotated secrets and audit these very well without some kind of password manager.
[00:15:35] Speaker A: Yeah, the one thing I'll throw out there just I believe it was LastPass that had an incident. But you need to be using MFA on any password manager.
[00:15:43] Speaker B: Sure. 100%.
That's a mandatory, right? Well that's web facing. So that's where you catch everything. Anything web facing has to have MFA for sure. You know what I mean?
[00:15:57] Speaker A: Anything external?
[00:15:58] Speaker B: Oh, then one thing we didn't talk about yet was the good old, and the SANS people just blew this up, the PCI DSS requirements. Right.
[00:16:10] Speaker A: That was a very welcome change, John.
[00:16:13] Speaker B: Now they've said what now?
[00:16:16] Speaker A: So let me review. So I believe the character requirement is twelve but they recommend 15.
So I would urge anyone just to go ahead and move to 15.
[00:16:29] Speaker B: Absolutely.
[00:16:30] Speaker A: And then also multifactor. It's required for any account that can access cardholder data. And the big one, the one I'm loving is users must change their password every twelve months instead of 90 days.
[00:16:44] Speaker B: Yeah, that's good. Yeah, SANS blew them up. I forget when they wrote this article, but there was an article out here called "Time for Password Expiration to Die." We'll put the link to this one, too. "In this day and age, changing passwords every 90 days gives the illusion of stronger security while inflicting needless pain" is what their actual thing said. And they called out several times the PCI DSS compliance framework. There, you don't want to give the illusion of security. Right?
[00:17:12] Speaker A: Yeah.
[00:17:13] Speaker B: So how would be a good way to help?
All right, let's say they do think that I'm right in this case, which a lot of people will. No problem, I'm okay with that. What would be some good ways that they could do that and help their management to understand that this guidance is actually not too bad.
[00:17:30] Speaker A: Do you really think someone's going to challenge us for telling them for decades that they need to change their password every 90 days? That now we don't?
[00:17:36] Speaker B: Yeah, trust me, there are those guys out there that are still running Windows, or they wish they could be still running Windows XP, I think.
[00:17:44] Speaker A: Yeah. Well, I'll say this, Microsoft, they're a huge organization and they take cybersecurity very seriously, and they're getting attacked left and right. They're obviously a heavy target, but it would be counterproductive for them to hand out that advice and not have some merit behind it.
[00:18:02] Speaker B: Yeah, that's a good thing.
[00:18:04] Speaker A: The other thing is, I really do like following NIST. Even though I don't agree with you, I still think you should change it annually. NIST does give the guidance. That guidance came out quite a little or quite a while ago, 2017. And then, just thinking about it, everyone's got their home banking, they got their personal email. When's the last time you've changed your password for that? And hasn't it been secure?
[00:18:27] Speaker C: It's got two factor on it.
[00:18:28] Speaker B: I mean, yeah, and I do like.
[00:18:30] Speaker A: That most of these systems are now requiring two factor. And then the last item, I would just say just compliance rules have changed. Like with a PCI. Well, now, PCI, you still have to do it annually, but everyone is agreeing that doing password changes in a short duration, such as 90 days is not recommendable. And I agree with that.
[00:18:49] Speaker B: Yeah. And I'm glad you saw my side of this, Anthony.
[00:18:52] Speaker A: I said I agree with not changing every 90 days.
[00:18:55] Speaker B: Okay. All right, well, I hope you enjoyed this episode. We're going to wrap it up now, just to kind of go back through what we talked about. We defined password rotation, talked about what that was, we talked about some of the pros of it. We talked about some of the cons of rotating it, and we talked about the history of it, and we talked about that cost piece with the help desk overutilization. And we talked about how effective MFA is against this. And the reality of password attacks today, they've changed a lot from the old guidance. Just because it's traditional guidance doesn't really make you more secure. Now on the other side of the, you know, Anthony talked about password spraying and some of these other things, database extraction, those kind of things, and other evolving attack methods. And in that case, maybe you should change your password. Maybe you should change them when people leave. I definitely think you should do that. You should definitely change them in the case of a breach or a suspected breach of that password. Service accounts, those definitely are something that need to be rotated. He talked about using Microsoft LAPS, Local Administrator Password Solution.
I think he talked about two different things with longer passwords not having to expire so soon. And then the other one, you know, using the Microsoft Entra Password Protection. We'll put a link to that in the description as well. So yeah, so good podcast.
Thank John Watkins for, this is a note here I have, thank John Watkins for sponsoring the episode. So, thank you, John Watkins Consulting. We appreciate it, and by the way, if you are interested in sponsoring this, we are completely open to sponsors, aren't we, Anthony? We are, absolutely. So contact myself or Anthony, either one. We want to thank you for listening in, and also please share your thoughts, share your experiences on passwords when we post this out on our social. We would love for you guys. We want to hear your thoughts, right? And now what I've been waiting for to announce the whole time, Anthony, is, ladies and gentlemen, we need a drum roll please, but we now have a way for you to donate to this podcast. So believe it or not, Anthony and I both, neither one of us are independently wealthy, right? No, not yet, but no. The thing is, we would appreciate your support financially for financial sustainability. We might need new equipment. We'd also like to make this podcast a little bit better. We usually need a little bit of money to do that, and plus we want to keep it going. So we need some longevity, we need some growth. So if you want to give $10, $15, $20, whatever you want to give will be totally accepted. You can give on a one time basis or you can give on an annual, or excuse me, on a recurring basis as well. So either one of those is completely appreciated. We've got a link for you here. We'll put that in the description as well. Anthony, any further final comments?
[00:21:42] Speaker A: I'm just going to say whether you agree with me or John, do yourself and do your organization a favor and either look at doing no password changes or doing it annually. I wouldn't really recommend doing any closer timeline than that. So I think either way, following either one of these methods would be good advice.
[00:22:03] Speaker B: Absolutely. Now, I do agree with what you just said right there.
So that's all we got, and thank you so much for listening and we'll see you next time. See you.
[00:22:14] Speaker A: All right, thank you, everyone.
[00:22:15] Speaker B: One, two, three.
[00:22:16] Speaker A: Come on.
[00:22:17] Speaker C: Thanks for listening to Off The Wire, a play by play on cyber issues, featuring Anthony Kent and John Watkins. Make sure to like, subscribe, follow and, hey, share this podcast. If you liked it, we appreciate it. Appreciate your time.
[00:22:34] Speaker B: See you next time.
[00:22:37] Speaker C: The views and opinions expressed in this.
[00:22:39] Speaker B: Podcast do not necessarily reflect those of John Watkins Consulting or its affiliates. Always consult with a qualified cybersecurity professional for tailored advice.