Stop Using Passwords, No Really, Stop

Meanwhile in Security

May 27 2021 • 9 mins

Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.

Links:


Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: Stop using passwords. No really, stop using passwords; use a password vault. Although, when you have to memorize a password to access something that you can’t use the vault to look up, such as to get into your phone or computer to access your vault, use a passphrase. A passphrase is a group of words or a full sentence. See the famous password strength XKCD comic for how to understand, passphrase is better.

Pro-tip: do not use easy-to-guess phrases. Don’t use your dog’s name, kid’s name, and your favorite sports team. A good one is ‘dolphinstrollthroughmountains.’ [unintelligible 00:01:38] the period in the end. A bad one is ‘SpotKarengiants.’ I want everyone to know that neither of these have ever been nor ever will be a passphrase used by me, you shouldn’t use them either. At least a few of you will, but you’ve been warned.

Also, my dogs aren’t named Spot. I don’t have a family member named Karen—that I know of—and I don’t really know anything about the Giants except that I think they’re a football team. A password vault is software that stores your passwords in an easily accessible manner. There are several cloud-based services with client software and/or browser plugins, and all of these have family, team, and business or enterprise service levels that allow easily sharing password entries or creating shared vaults for storing accounts. Password vaults are generally between only $4 and $10 per user, per month, even at the family and at the business level, which is a trivial cost even for small businesses. Even my tiny nonprofits use a cloud password vault service, it’s worth every single penny. This will change your life and transform your business, especially in a remote world.

Meanwhile, in the news. Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM. I talk all the time about the value zero trust architecture—ZTA—and the importance of shifting left to make your applications and services more secure. Building cloud-native software with ZTA integrated at the API call layer is the best way to secure your operations.

Misconfiguration of third party cloud services exposed data of over 100 million users. On cue, there is yet more research showing that cloud apps and services are exposing access credentials or keys to user or service data. If these app developers shift left and integrate better authentication and authorization mechanisms, they could use this for ...