Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Right now it's a pleasure for me to introduce Jonathan Cogley of Thycotic Software. He will talk about "Don't let password mismanagement land your company in the news headlines." Thanks, Martin. Here you go. Great. Great. Thank you. Hi everyone. So you've actually been sitting down for a little over two hours so far. So why don't we try to get a little bit of energy going here. If we get everyone to just stand up for a minute, you'll feel a lot better. We'll get a little bit of blood moving. Come on everyone, up outta your seats. Let's go. Let's maybe shake a leg here.
Let's move our arms, a little bit of a stretch. You'll feel better. Trust me. If you want, you can even do like a super power pose. You can literally feel your energy level rise as you do that. Okay. Let's not get carried away here. Okay. So what we're gonna do today, we're gonna do a slightly different format here. We're actually gonna do a test, so everyone should have paper and pen at your tables. Or if you wanna use your laptop, go ahead, feel free.
Maybe your phone. But what we're gonna do is we're gonna do 10 different questions and we're gonna be assessing how well you guys are managing passwords. We're gonna look at best practices and hopefully through this, you'll figure out maybe a few weaknesses you have here and there. And we'll dive into that as well. So introductions. Thank you, Martin. So I'm Jonathan Cogley, CEO of Thycotic Software. A quick show of hands: how many people here have heard of Thycotic Software before? One person, a local DC native, a couple of people up front here. Nice. Okay.
So a couple of people. That definitely tells me that we're in the right place, cuz you guys don't know who we are. So what do we do? We're a small software company and we have three different software products. And the reason you probably haven't heard of us, at least some of you, is that we come from more of an IT operations background. So we're typically providing tools to system administrators, Windows server admins, Unix admins, folks like that. It's a little bit more of a bottom-up kind of push with these tools.
But our focus in the industry is to provide tools that solve a specific problem. So when we look at IAM, it's kind of a big nasty monster, right? And if you attack the whole big thing, it can be really overwhelming. So our approach is to do the opposite. You don't have to get these tools as a suite. Some customers do and have all three, but that's not a requirement at all. Rather, pick whatever your biggest pain point is and go and tackle it head on, and choose a tool that will work for you and get that problem solved. So we do actually have a lot of people using the tools today.
Again, primarily IT ops. So over 70,000 IT admins are using our Secret Server tool.
We have most of our customers in the United States, but quite a bit of penetration into Europe and the rest of the world as well. Okay. So enough about that; let's jump into the test. So as I said, there's gonna be 10 different questions. We're gonna go through these and you're gonna rate yourself on each question. So think about the teams that you manage, the different people you influence within your organization, and think about how these are gonna work. So jumping right in. First off, this is the typical question format. You're gonna have three different options.
You have the ability to get a big fat zero points if you're not doing very well, or the middle ground of five, or ultimately 10 points if you're acing it. So before you go ahead and scribble down your 10 for this answer, I don't just mean your passwords. I mean all of them. Okay? So Windows local administrative passwords, service accounts, Unix root passwords, absolutely everything. So are you changing all of those on a regular basis?
Well, what should be regular? It should be 30 days, 90 days, maybe for some folks' service accounts 180 days, cuz they can be fairly difficult to change. And so what's the reason behind this, right? Why do you want to be changing these passwords so frequently? I like to use the analogy of a safe. So if you think about a physical safe in a bank, they're not impenetrable, right? They have a specific rating. So using this type of equipment for five hours, you will be able to get through this safe.
Well, think about hashing and encryption the same way. They're not impenetrable. There's just some amount of time that's gonna be taken, and computing power and so on, in order to be able to break that and reveal what the passwords are.
Also, everyone here is in IT security, more or less. So you've probably all heard the joke before that you can tell how long an employee has been with a company based on how much access they have. Right? Everyone heard that one? Because what's the problem? We give access, and we very seldom take it away. Same problem with passwords. The longer they're around, the more likely they are to have been seen by more people or to be used by more people. So go ahead, write down your zero or five or your 10. Okay. So what about all these accounts now? Do they all have unique passwords?
So no duplication of passwords. If you've got, you know, one password, and a lot of people do, unfortunately, especially Windows server teams, they'll often put the same local administrative password on all their workstations and servers. Not a good idea, right? You get a big fat zero for that. If there's some duplication, you get a five. And if every single password is unique, go ahead and give yourself a 10.
So again, what's the why here? Why is this so important? And the key here is, well, if more than one account has a particular password and I know that password, you've lost accountability right now. You don't know what I'm doing, which accounts I'm using. That's the insider threat, but what about the outside? So what about a hacker coming in? We've heard about it a number of times today, but what happens when they get on one of those machines on your network? What's the first thing they go after? You think they're looking for data, something like that, on your workstation?
Probably not. The first thing they're going for are your password hashes. Right? And they wanna get those password hashes. Why? Because they're hoping you reuse those passwords somewhere else. So in that situation with the local admin, they're now gonna be able to jump from box to box right across your network. Worst I've seen: there was a customer that had a local admin password the same as one of their domain admin accounts. That's pretty much game over there. Right? That's not gonna be healthy. Okay. So go ahead and fill in your answer there. Let's jump into a little bit of the tech though.
And forgive me if you know all this stuff and it's second nature. Just bear with me for a minute.
So what's the whole theory behind this? Right? I said password hashes. So we all know hashes. It's a one-way algorithm for doing hashing. And the whole idea is you put some stuff in the front end and you get some garbage out the other side. Right? But the garbage, or the digest, is pretty much always the same for whatever you put in the front. So you don't actually need to know the password; you can always validate it against the hash. And so this is what every vendor should be doing.
In fact, there's even better things, right? We know there's salting, iterations, all that kind of stuff too. So what is a hacker gonna do? He's gonna try to brute force it using the same algorithm, right?
Like, oh, that's no problem. It's gonna take a long time. Not really. Right.
Well, what he can do is he can pre-compute all the hashes. So when that hacker gets on your network and he pulls down the password hashes and starts breaking them on his farm of machines that are super beefy, well, he's also gonna bring maybe 20 gigs of rainbow tables with him. So he's already pre-computed a whole bunch of the most common passwords.
So again, you can do the brute force: go through, change each of the characters and see what happens. So this all sounds great and fun, but is it real? Well, here's what I did on my laptop. So I pulled down two of the freely available tools. The one in the top left, forgive the font, it's a little bit small, but it's fgdump. fgdump you just run on your laptop and it gives you the password hashes in a text file. That's literally it. Okay. So what do I do with the password hashes? Well, then I get my next favorite little tool.
So I grab Cain & Abel off the internet, same thing, freely available downloadable tool. And I put the password hashes in and I have it start breaking them. I didn't even bother with rainbow tables, but I could have. My password was only eight characters. So it's pretty easy, just a local account on the Windows box, but I was able to break it using these tools. So this isn't some imaginary thing. This stuff is real, right? And it's easy to do it. I could do it on my laptop. Okay. We'll skip over the hashing for now. So next question on the test. What about your passwords?
Are any of them ever known by more than one person at a time? Probably the worst case I've seen here was a team that had a whiteboard and they had certain passwords up on the whiteboard. Okay. So disaster, right? What's the problem with this? What's really accountability? If multiple people know a particular password, if something bad happens, say yesterday on a particular server, who do you blame? Which one of five or 10 people? You have no idea who. So a very difficult problem. So ideally here, you know, only one person at a time knows a particular password.
If you have some restrictions, kind of fill it in, go on from there. So next question up, this is a popular one. This is a problem we all experience, right? Staff turnover. So what do you do when you have a staff member leave? My favorite is customers tell me they leave. Right? Which is kind of a scary thing in itself, right? How do you have a senior network admin leave? Firing a senior network admin that has access to all your passwords is pretty terrifying. So what do you do?
Well, if you're just disabling their AD account, that's gonna score you a big fat zero. If you're locking down some of their passwords and changing them, go ahead and give yourself a five. If you're immediately changing all the vulnerable passwords, and even that's hard, right? What is vulnerable? How do you assess all the things that they might have had access to? That's what you need for a 10. Okay. So what's the reason here? Why do you need to change these passwords? See if our video's gonna play or not. Okay.
Well, I'll give you the gist of it. Basically what it goes through is a breach that happened at a certain office of the United Way. Basically an employee left, a year later came back, reused accounts, basically just trashed all their systems, took down absolutely everything. It took them, I think, in the region of seven to 10 days to recover. They did catch the person and he served jail time.
Well, here we go. But at the end of the day, you know, you still actually had to deal with that whole situation. This is a little too painful. I'm gonna go ahead and skip over it. It's gonna take five minutes to run. Okay. So let's jump into the next question. So this is an important concept. When you're thinking about your passwords, do you distinguish which ones are identity passwords? So a password that actually ties to an account that identifies you. So a good example would be, say, your Active Directory account, right? What you log into your machine with.
That's an identity password. I need to remember that; it proves who I am. A Windows local administrator password for the admin account on my laptop, for example: do I really need to know what that password is? Not really, right? So separate them out. Think about which accounts are non-identity and which ones are identity. And that's a really important thing you should be doing with your security policy: make that separation. If you are doing that, then you'll find that you have far fewer passwords to remember.
So the ultimate goal, right, would be just one password. Depending, if you can get federated identity or something like that in place, then you can actually achieve that goal of just one. So now with those identity passwords, are they strong? And our industry seems to change this definition about every five to 10 years, right? So what is the definition of a strong password these days? So we've gone from things with "must have upper, lower", "must be so many characters", that type of thing. Maybe you're adding a few numbers and symbols to your passwords. General wisdom these days seems to be to use passphrases. So take a bunch of different words, wrap 'em together.
So let's, you know, pick "red building elevator three". Okay, good password. Not too bad. It's got dictionary words in it, but it's awfully long. Right? And there's actually only four concepts. There are three different words and a number, and I've generated, you know, a 20-plus character password. Okay. What if you're using any kind of predictable things in your passwords?
So, you know, it happens, especially with our end users. So are they doing things like sports teams, you know, the name of your dog, that kind of stuff? That's certainly a vulnerability as well. So now when you're working with non-identity passwords, are you now dialing them up? Are you using randomly generated passwords for those? So back to that Windows local administrator password: are you dialing it up to the max for that account? So for example, if you look at Microsoft SQL Server, we know the sa account on SQL Server is kind of a scary account; it can do all sorts of amazing things, right?
But what is the maximum password SQL Server will allow? It's actually 128 characters. Okay. Probably most people here don't set it to 128 characters. But think about it. If you did, imagine if you set your policy and you said, I want all those types of passwords to be, say, a hundred characters, and you max it out to whatever the platform will allow.
It's not perfect. Right. But there's a lot of inherent security in a password like that. First off, I could show it to this whole group; maybe one or two might still remember it, but I doubt it. A hundred characters is a lot. Right. But also imagine trying to write it down. Or even if you got smart and you took a picture, imagine actually trying to type it correctly. So there's a lot of inherent security in having really long passwords like that. Now you'd probably argue, well, they could be really hard to use.
Well, not necessarily. If you have the right tools in place, you can still have passwords like that and use them easily. So now that we have all those nice, strong, randomly generated passwords, where do you store them? So if you're using paper processes: we actually see that a lot with some very sensitive customers; they will actually do everything on paper and put it in physical safes. It's not awful. It's just tedious. Right? Ideally you want some kind of, you know, automation around that as well. The most common thing that we see is actually Excel spreadsheets.
So if you're shaking your head right now and you're like, we don't have those, go ask around. You'll be surprised. You may easily find one or two of your admin teams that are using them. So what's the problem with an Excel spreadsheet?
So lots of different issues, right? First off, if you have an Excel spreadsheet, well, you're gonna need some kind of encryption for that spreadsheet, right? So you need a master password for the spreadsheet itself. So good job. You just created another password to worry about.
Okay, so now it's encrypted, it's in a spreadsheet. IT admins are pretty enterprising. What's the first thing they're gonna do with that spreadsheet? Probably put it on a USB stick and carry it out of the building with them that evening. Right? So if you do have that situation where one of them leaves, you really have no sense of where those passwords are, and you're now gonna have to change every single password in the file. So very scary. The other big problem with Excel, right, is there's no real row-level permissions. So you can't really isolate who has access to what.
And we see a lot of teams try to do that. What they'll then do is split the spreadsheet. So they'll have something for Unix, Windows, network, whatever it might be. What's the problem? Now you've just generated more passwords, cuz every single one needs to be encrypted. So really not the best way to do it. Ideally you want some sort of password management tool that can then control that access for you and be a secure place to store them. So what about those identity passwords? Are you ever sharing them? Now, we're at an IT security conference, right?
So probably everyone here, you did not get a call from someone asking you for your identity password while you were here. Did anyone actually get one? I'm guessing no. And even if you did get the call, you wouldn't give it to them. Right. But what about other departments? So think about other people within your groups; they might not be as familiar with that. Someone's out on vacation; they could very easily share that sort of password. This one's really tough. So think about it now: application passwords. So think about all your production environments.
Think about different apps that are out there. Hopefully you don't have passwords in source code, but you probably do have them in configuration files or scripts and all sorts of other places. That's a hard problem to solve. So how do you get those passwords out of the files? So kind of the middle ground here, the yellow, is I've seen a lot of companies with more of the DevOps approach. So the code comes from the developers, you know, maybe they're just checking in development-level passwords.
And then when it goes to production, the DevOps team picks it up, changes all the passwords, puts 'em out on the server. Still not ideal there, right? Because now all your production servers have production passwords in the config files all over the place. So the ideal, to get 10 here, you really need to be using some sort of API within your password management tool, to be able to tokenize those passwords, get them out of the files, right, and at run time just have those servers resolve the passwords as needed. So lots of benefits. You don't have passwords going into build scripts.
You don't have it going into source code. And if a box gets breached, no one's gonna see a clear text password. So how did you guys do? 10 questions, theoretical hundred-point max. So I won't ask anyone if they got less than 40, but how about 40 to 80? Show of hands. Couple of folks. Anyone get above 80? Anyone get a hundred?
Okay, great. So we have a number of t-shirts at our booth. If anyone wants to come by later and tell us their score and how they did, we'll be handing out t-shirts there. If you're not sure about some of these answers, and I wouldn't actually expect you to probably know all of them, cuz it gets in the weeds on some of these issues, go ahead and look up passwordmaturitytest.com, hand it out to other people on your team, see how they do, get that feedback.
So if you've got the impression from all of this that you probably do need better security for your privileged accounts, there are lots of solutions out there. So our particular product is the Secret Server tool, but it is that password management tool that you can put on premise, have control over the passwords and be able to automate all that password changing, meet all those different requirements. I won't get into all the details, but as you can see, this whole space is pretty sophisticated. So there's a lot of capabilities for these types of tools.
So what do the analysts say about our tool? It comes back to what I started out with in the beginning: easy tools to solve a problem. So don't think of IAM as this big scary thing. Your highest risk: we had a customer just the other day; they determined their highest risk was their domain admin accounts. Just being able to have all those passwords on checkout and change, say, every 24 hours enormously reduced their risk profile. So if anyone's interested, stop by our booth; we're at stand P8. We do offer demos and proof of concept. And we do also, get the next slide, we do also have a research note. So KuppingerCole did a snapshot and we have printouts of the snapshot. So if anyone wants to stop by the stand, come by and get your own copy. Great. Thank you. Thank you.
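The talk's "do all your accounts have unique passwords?" question and its hashing digression both rest on one property: an unsalted one-way hash gives the same digest for the same input (Windows stores local account password hashes without a salt, which is why identical local admin passwords show up as identical hashes). A defender can use that same property to audit for reuse without ever knowing a password, and a fresh per-account salt plus iterations is what removes it. The following is an added example, written for this page; it is not code from the talk or from Thycotic's product, and every account name and password in it is constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Added example, not from the talk or Thycotic: audit an account inventory for
# shared passwords, then show the salted, iterated hashing the speaker alludes to.

ITERATIONS = 100_000  # PBKDF2 work factor; each guess costs this many HMACs


def unsalted_hash(password: str) -> str:
    """Plain one-way hash as described in the talk: same input, same digest,
    so identical passwords are visible as identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed inventory: account -> stored digest. One local admin password is
# duplicated across hosts and even matches a domain admin account.
SAMPLE_INVENTORY = {
    r"ws01\Administrator": unsalted_hash("Winter2013!"),
    r"ws02\Administrator": unsalted_hash("Winter2013!"),
    r"srv-sql\Administrator": unsalted_hash("Winter2013!"),
    r"srv-web\Administrator": unsalted_hash("x7!Qp2mN"),
    r"CORP\svc-backup": unsalted_hash("b@ckup-svc-9f3"),
    r"CORP\da-jcogley": unsalted_hash("Winter2013!"),
}


def find_shared_passwords(inventory: dict) -> dict:
    """Group accounts by digest; any group with more than one member shares a
    password. The auditor never learns what the password is."""
    by_digest = defaultdict(list)
    for account, digest in inventory.items():
        by_digest[digest].append(account)
    return {d: sorted(accts) for d, accts in by_digest.items() if len(accts) > 1}


def domain_and_local_overlap(inventory: dict, domain_prefix: str) -> list:
    """The 'game over' case from the talk: a domain account sharing its
    password with local accounts. Returns each offending group."""
    overlaps = []
    for accts in find_shared_passwords(inventory).values():
        domain = [a for a in accts if a.startswith(domain_prefix)]
        local = [a for a in accts if not a.startswith(domain_prefix)]
        if domain and local:
            overlaps.append(accts)
    return overlaps


def score_uniqueness(inventory: dict) -> int:
    """The talk's scoring as interpreted here: 10 if every password is unique,
    0 if one password is shared by every account, 5 for anything in between."""
    shared = find_shared_passwords(inventory)
    if not shared:
        return 10
    if max(len(a) for a in shared.values()) == len(inventory):
        return 0
    return 5


def salted_hash(password: str, salt=None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Two accounts with the same
    password now get different digests, so a table precomputed for one salt is
    useless for every other, and reuse is no longer visible by comparing digests."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for digest, accts in find_shared_passwords(SAMPLE_INVENTORY).items():
        print(f"digest {digest[:12]} shared by {len(accts)} accounts: {accts}")
    print("domain/local overlap:", domain_and_local_overlap(SAMPLE_INVENTORY, "CORP\\"))
    print("uniqueness score:", score_uniqueness(SAMPLE_INVENTORY))
    salt, digest = salted_hash("Winter2013!")
    print("salted verify:", verify("Winter2013!", salt, digest), verify("wrong", salt, digest))
```

The audit half only ever compares stored digests, so it can run against an export of local administrator hashes without anyone handling cleartext; the scoring thresholds are one reading of the talk's zero/five/ten bands. The salted half is the flip side of the same observation: once each account has its own salt, this audit stops working, which is the point, because so does the attacker's precomputed table.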
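The application-password question describes three tiers: literal passwords in config files and scripts, DevOps swapping them at deploy time, and the ideal where the file holds only a reference that the server resolves through the password management tool's API at run time. The following added example, written for this page and not code from the talk or from Secret Server, shows the detection side (a scan that reports literal credentials and ignores references) and the remediation side (replacing literals with references and resolving them at start-up). The sample file contents, the `{{secret:path}}` token syntax and the in-memory dict standing in for a vault API are all constructed for the example.

```python
import re

# Added example, not from the talk or Thycotic's product. File contents, the
# {{secret:...}} token syntax and the dict-backed "vault" are all constructed.

SAMPLE_FILES = {
    "app.properties": (
        "db.url=jdbc:sqlserver://srv-sql;databaseName=orders\n"
        "db.user=sa\n"
        "db.password=Winter2013!\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        'export API_KEY="k3y-hardcoded-123"\n'
        "curl -u deploy:Summer2012 https://example.invalid/deploy\n"
    ),
    "app.tokenized.properties": (
        "db.user=sa\n"
        "db.password={{secret:prod/sql/sa}}\n"
    ),
}

# key = value / key: value where the key names a credential
KEY_VALUE = re.compile(
    r"(?i)\b(password|passwd|pwd|api[_-]?key|secret)\b\s*[=:]\s*[\"']?([^\s\"']+)"
)
# curl/wget style "-u user:pass" on a command line
CLI_USERPASS = re.compile(r"(?<!\S)-u\s+([^\s:]+):(\S+)")
# hypothetical reference syntax resolved at run time from the vault
TOKEN = re.compile(r"\{\{secret:([A-Za-z0-9_./-]+)\}\}")


def find_hardcoded_secrets(text: str, filename: str = "") -> list:
    """Return (filename, line number, kind, value) for every literal credential.
    References are stripped first so a tokenized file yields no findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = TOKEN.sub("", line)
        for m in KEY_VALUE.finditer(stripped):
            findings.append((filename, lineno, m.group(1).lower(), m.group(2)))
        for m in CLI_USERPASS.finditer(stripped):
            findings.append((filename, lineno, "cli-userpass", m.group(2)))
    return findings


def tokenize(text: str, filename: str) -> tuple:
    """Replace each literal credential with a {{secret:...}} reference.
    Returns the rewritten text and the {vault path: value} pairs that must be
    loaded into the vault before the rewritten file is deployed."""
    to_store = {}

    def make_repl(kind_of):
        def repl(m):
            value = m.group(2)
            if TOKEN.fullmatch(value):  # already a reference; leave it alone
                return m.group(0)
            path = f"{filename}/{lineno}/{kind_of(m)}"
            to_store[path] = value
            prefix = m.group(0)[: m.start(2) - m.start(0)]
            return prefix + "{{secret:" + path + "}}"
        return repl

    out = []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        line = KEY_VALUE.sub(make_repl(lambda m: m.group(1).lower()), line)
        line = CLI_USERPASS.sub(make_repl(lambda m: "cli-userpass"), line)
        out.append(line)
    return "".join(out), to_store


def resolve_tokens(text: str, vault: dict) -> str:
    """Run-time resolution: the service fetches each referenced secret from the
    password management tool (here a dict standing in for its API). A missing
    reference fails loudly rather than deploying with an empty credential."""
    def lookup(m):
        path = m.group(1)
        if path not in vault:
            raise KeyError(f"no secret stored at {path}")
        return vault[path]
    return TOKEN.sub(lookup, text)


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for finding in find_hardcoded_secrets(text, name):
            print("literal credential:", finding)
    rewritten, to_store = tokenize(SAMPLE_FILES["deploy.sh"], "deploy.sh")
    print(rewritten)                 # references only; safe to commit
    print(resolve_tokens(rewritten, to_store) == SAMPLE_FILES["deploy.sh"])
```

Keeping the reference in the file and the value in the vault is what lets the vault rotate the production password without a redeploy: the next start-up resolves the same path to the new value, and a copy of the config taken from a breached box contains nothing an attacker can use directly.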