#BeCyberSmart: What’s the magic word? The art and science of a password
Passwords are an integral part of cybersecurity, and weak passwords are a significant threat to our privacy and security. Password management is increasingly complex: hackers and threat actors are becoming more adept at cracking passwords, and the data exploited from stolen credentials makes cybercrime increasingly profitable.
In addition, companies are utilizing more and more cloud-based and third-party services, requiring employees to use login credentials across a greater ecosystem of applications. All of these systems become more vulnerable to attacks. Given this growing threat landscape and increasingly digital world, how should organizations respond? What is the future of passwords?
In the second of our #BeCyberSmart video series, McAfee & Taft cybersecurity and privacy attorney Joshua Snavely talks with special guest Terence Bennett, director of operations with TeamPassword, about the latest trends and best practices regarding passwords. They discuss:
- What “password construction guidance or rules” are and why a company should have them
- The difference between passwords and passphrases, and which an organization should use
- The critical components to an organization’s password management policies
- What a “password manager” is and why individuals and businesses should consider using one
About our guest
Terence Bennett is a cybersecurity expert, operations leader, startup advisor, frequent speaker, and former U.S. Navy intelligence officer. He is presently the director of operations at TeamPassword and TeamsID, two of the industry’s best password managers for small teams needing to actively share and manage passwords in a professional environment. He previously worked on Google’s Offensive Security Red Team, where, in partnership with engineering leadership, he planned and managed the exercise pipeline across the entire Alphabet portfolio. Before that, he worked in Google Cloud as an administrative business partner on the Storage and Databases product management team.
In his more than eight years of U.S. Navy service, Terence was a naval intelligence officer and surface warfare officer, and worked at the Naval Criminal Investigative Service. In a reserve capacity, he worked at the Defense Department’s Innovation Unit Experimental, based in California’s Silicon Valley so that the department can get closer to the new technologies it needs for strategic and tactical purposes. He deployed as a gunnery officer aboard the USS Paul Hamilton in support of Operation Iraqi Freedom in 2011. In 2014, he deployed on the USNS Spearhead as the intelligence detachment officer-in-charge. Terence is a graduate of the U.S. Naval Academy and U.S. Naval War College.
Joshua Snavely: Welcome to our series on Being Cyber Smart, as we highlight and celebrate the annual cybersecurity awareness month in October. And we’re glad to have with us today, Terence Bennett. Terence is a retired surface warfare and naval intelligence officer. He served also as a member and leader at Google’s Red Team. He’s now the director of operations at Xenon, as well as the director of operations at TeamPassword. So probably the perfect person to talk with us a little bit about passwords and some of these security procedures and operations. So Terence, before we dive into passwords, just tell us a little bit about you and your background, I shared some but incredible experience and glad to have you on.
Terence Bennett: Thanks, Joshua. I’m really happy to be here. Yeah, so I joined the Navy after the Naval Academy, two years as a SWO, I was actually out in the Arabian Gulf during the Arab Spring and seeing what I saw decided, hey, I think Intel is pretty interesting. Maybe I could do some interesting work over there, ended up working in cybersecurity. And that wasn’t a foreign area to me. I actually, I grew up doing tech support as a high schooler and building my own computers. And so it was really fun to work back into that world. My last tour was actually at NCIS looking at all things from criminal to counterintelligence cybersecurity. And then I landed at Google, ended up on the Red Team as a program manager and helping them craft realistic, compelling exercises that really pushed Google security to the edge. And then also the Red Team is not just about, can you get in, it’s once you’re in, can the blue team get you out? And so being sort of a, an arbiter, if you will, of that game of cat and mouse gave me real insight into what hacks actually look like. It’s not just, like I said, can you keep them out? It becomes this crazy game of once they’re in, what can they actually get access to? And so truly informed my understanding of cybersecurity and what those risks look like for businesses. So you said what’s in the password, hopefully a bunch of random numbers, a bunch of random characters and some special characters and, you know, capital, lowercase letters, but it’s really a much more complex story within that. I have this conversation a lot with people, hey, I don’t need a password manager. I have a special system that only I know that allows me to essentially remember every password I need. The funny thing about that is we’ve built computers, so they’re really good at actually guessing passwords. And so that’s just not good enough. And so a good password, what’s in a password, is really something that’s so complex, you can’t remember it.
I think the best rule of thumb, it’s not about so many letters and so many numbers, it has to be so complex you can’t remember it because computers are so much better at this game than we are.
Joshua: It reminds me a couple of years ago, I saw one of those advertised on direct-from-TV, the password manager, like, books. That was basically just a notebook that you had by your computer, that you wrote everything down in, sort of the original password manager, but probably not so secure. I was visiting a company the other day that they had them all written out on the desk. So I’m glad you’re here to tell us a little bit more. One of the things, Terence, I think we’re seeing is sort of this shift or a lot of discussion around passphrases. Talk a little bit about that. What’s the difference? Why should someone think about that maybe instead of a password and what are your recommendations there?
Terence: If there’s actually, there’s a great debate online about passphrases and really the way to think about it is it’s a password. It can be just as secure or just as insecure depending on how you construct it, but simply put a passphrase is a series of words you string together with or without spaces that acts as that authentication mechanism. The key is that they’re not predictable. They’re not quotes, they’re not inherently memorable and thus guessable, but I’d like to just pick up something in my room, something on my desk, here’s a yellow post-it, it’s an example. You know, you could do a, you could say something like four-sided yellow square or something, right? All simple words to remember, and it can hopefully sort of help you. I would, the way I recommend the use of passphrases is for accounts where you want, where maybe the password manager isn’t sort of the right answer, right? So if you’re creating a master password for your password manager, a passphrase is the perfect mechanism to build a really secure password. That’s going to be, you know, 10, 15, maybe even 20 characters but yet easy to remember and retrieve when needed. Passphrases have actually become very popular in crypto as well. MetaMask, which is the popular Ethereum wallet, requires a 24-word passphrase. That’s actually the retrieval key as well. So this is something we’re going to continue to see. I think it’s actually a great response to the sort of burden that passwords have become on our digital life.
Joshua: As C-suite leaders, IT leaders are, you know, going through these decisions. It’s always a business versus security, right? Like what’s easy to get people in and work on stuff. And the temptation is always to back down a little bit. So you may focus group some of this and see what you can kind of get the workforce to buy into.
Terence: The beauty of the passphrase as a concept is that humans actually are quite good at remembering passphrases. And there’s actually a fantastic book that I just remembered called Moonwalking with Einstein that touches on this, the human mind is remarkably good at remembering memorable things, right? The concept of Einstein walking on the moon is something that sort of sticks in the mind, right? And it’s thus a very, very memorable concept. And so as you build passphrases and as you educate the workforce around building passphrases, I think that’s an important thing to communicate.
Joshua: We’ve talked about passwords, we’ve sort of referenced password managers generally, but if you could just talk through how people sort these out, I think I searched the other day, there’s 15 or 20 different password managers now with all different kinds of functions. And some of them have, you know, encrypted texting and cloud storage. And I think that in and of itself can get a little overwhelming for consumers and businesses who are trying to, you know, decide on these. Do you have any recommendations for how people should think about the kinds of password managers to select?
Terence: Yeah, absolutely. It’s a great question. The conversation I have with customers, but just to start, I’ll just tell you the password manager simply put will store, manage quite literally, but share and also generate passwords for you and your employees. It’s also not just about security. It’s about convenience as well. When you have a well implemented password manager, it actually makes your employees’ lives much easier. Especially if you’re working with different clients who have specific passwords and it just cleans up the whole process of who’s got access to what, and do you have what you need to get the job done. To that point, right, you’ve got this burgeoning industry of password managers. What I tell you is, you know, you don’t buy a car without trying it out. I’d say the same thing about a password manager. If you’re a big enough company that can afford to do this, pick a few people in the room and ask them to sign up and to import some passwords and to start using it and see how that goes. And is, does it work for your business’s workflow? Is it a seamless process? Does it process, does it add value?
Captioning/transcript provided by Rev.
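As an added illustration (not code from the interview, TeamPassword, or Rev), the Python below puts numbers on the passphrase-versus-password comparison discussed above: it estimates the entropy of a four-word passphrase, a 24-word seed phrase, and random character passwords of the 10-to-20-character range mentioned, and generates a passphrase with a CSPRNG rather than from a memorable quote. The list sizes are facts about the Diceware and BIP39 wordlists; the toy wordlist and the guess rate are constructed.

```python
import math
import secrets

# Sizes of real wordlists (used only for the entropy arithmetic)
DICEWARE_WORDS = 7776    # the Diceware/EFF long lists have 6**5 entries
BIP39_WORDS = 2048       # BIP39 seed-phrase vocabulary used by crypto wallets
PRINTABLE_ASCII = 94     # symbols available to a random character password

# Constructed toy wordlist so the generator runs offline; a real deployment
# would load a full Diceware-style list instead.
TOY_WORDLIST = ["four", "sided", "yellow", "square", "anchor", "marble", "comet", "velvet"]


def bits_of_entropy(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def passphrase_bits(wordlist_size: int, word_count: int) -> float:
    """Strength of a passphrase whose words were picked at random from the list."""
    return bits_of_entropy(wordlist_size, word_count)


def password_bits(charset_size: int, char_count: int) -> float:
    """Strength of a password whose characters were picked at random."""
    return bits_of_entropy(charset_size, char_count)


def generate_passphrase(wordlist, word_count: int, sep: str = " ") -> str:
    """Pick words with the `secrets` CSPRNG; a quote or a phrase you chose
    yourself is predictable and gets nowhere near this entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Defender's worst-case estimate: time to try every candidate offline."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_strengths() -> dict:
    """Entropy, in bits, of the constructions mentioned in the interview."""
    return {
        "4 random Diceware words": passphrase_bits(DICEWARE_WORDS, 4),
        "24-word BIP39 phrase": passphrase_bits(BIP39_WORDS, 24),
        "10 random printable chars": password_bits(PRINTABLE_ASCII, 10),
        "20 random printable chars": password_bits(PRINTABLE_ASCII, 20),
    }


if __name__ == "__main__":
    for label, bits in compare_strengths().items():
        print(f"{label:28s} {bits:6.1f} bits")
    print("sample passphrase:", generate_passphrase(TOY_WORDLIST, 4))
```

The comparison shows why the list size matters: four words from a full Diceware list land near 52 bits, well below a random 20-character password, so a memorable master passphrase should use more words or a larger list rather than a shorter, cleverer phrase.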