Best security practices for the end user3 H 4 M
Help your employees avoid security incidents before they happen with this non-technical course designed to help employees identify security threats.
- Episode Description
In this episode, Daniel and Don examine the characteristics that make up a high quality password. They identify weaknesses found in many passwords and demonstrate how attackers can take advantage of weak passwords. They then help the viewers by suggesting a few methods to easily create memorable, yet secure, passwords.
You're watching ITProTV. I'm your host, Don Pezet. [CROSSTALK] [MUSIC] >> You're watching ITProTV. >> All right, good morning, good afternoon, and good evening, and welcome back to another episode of ITProTV. I'm your host, Don Pezet, here again with another episode of security awareness training, right? We wanna make sure everybody is prepared and understands their responsibility of providing good IT security practices. That's what we're gonna take a look at. And here in the studio to help me is Mr. Daniel Lowrie. Daniel, thanks for joining us. >> Thank you so much for having me, Mr. Pezet. I'm glad to be over here in this driver's seat to teach you guys a little bit about some end user security today. And today we're specifically going to talk about passwords. Yes, I know, you're probably going, not this, not passwords, I hate passwords, they're the bane of my existence. And yes, I have heard that many, many times from many, many users because we understand that there are logins for just about everything nowadays. And you have to create a secure password and I can never remember it. And what's a good password? I'll just use my mom's maiden name and that'll be great and we're off to the races. So we need to talk today about what does make up a good password. Something that you can use that will be easy for you to remember and work with, and maybe even work across the board. It will work with this sign on as well as this sign on. I know that a lot of different vendors will give you a lot of different criteria for passwords, so we're gonna talk about that subject as well. But we're just gonna start off with the basics. I like to call it, Don, the good, the bad, and the ugly. And unfortunately, we're not going to start with the good. We're gonna start with the bad and then we're going to move to the ugly. And then we'll get to the good. Because we have to understand what a bad password is first before we can understand what a good password looks like. So that's where we're going to start today. >> Now, Daniel, you mentioned like people dread learning about passwords. What's such a big deal about passwords? >> The big deal is, is that typically in my experience, a lot of people hate having to come up with something that meets the criteria for their environment, their organization, right? They've said, it's gotta be x amount of characters long. You've gotta add this. It's gotta have a number. It's gotta have that. It's gotta have this. And coming up with that can be an area of consternation for a lot of people. And then, after x amount of days, 40, 50 days. Maybe 30 days. They tell you you gotta do it all over again, right? So this can be the hair pulling, the teeth biting or the nail biting of passwords, right? So we're gonna try to help you be able to, every time you need to create a password or update a password, create something that's gonna work for you and be easy to remember and work with, as well as meet the criteria for your organization. >> And I understand that. If I gotta meet these criteria, it's gonna be a pain. So if the companies know that I'm not gonna like that, why do they make us do that anyway? >> Yeah, that's a great question. The answer to that is security, right? People are actively trying to get at data. These are the hackers, the bad actors, the threat actors, whatever you want to call them in the security world. Basically the bad guys out there that go, you know what? It'd be nice to have Don Pezet's user name and password to gain access into the system. And if I get access to the system, maybe I can find something interesting that'd be worth either money to me or prestige. So this is the whole purpose of keeping that data secure. We have information inside of, regardless of what organization you work for, there is information in there that could be valuable or potentially dangerous in the hands of some threat out there, some bad guy. So we wanna keep those out of their hands and passwords are typically that first guard, that first gate that we run into as gaining access into a system. So if they can get past that, they at least have some form of access if not quite a bit of access. So we have to keep our passwords secure, and we have to keep them out of the hands of those bad guys. So doing that means coming up with strong passwords. You have to worry about crackers, and that is basically like trying to work your way through a set of predefined words or passwords that they have lists of that might give you access to the system. Or just what we call a brute force where they just okay, start with 0, okay, 0 didn't work, 00. Okay, 000 and then just go through, and computers do this, we don't do this, right? I mean, you could. It wouldn't be a whole lot of fun for the bad guy out there, but there are tools that they have at their ready that will allow them to basically hammer at the door and hopefully find a weak password that allows them entrance. So this is what we have to worry about. This is why we need to work with passwords to make them secure. >> Now, I know like physical safes. Like a combination has three numbers And if it's one through fifty, that's a lot. But in theory, a human with enough time on their hands could sit there and turn that dial and eventually hit the right number to open the safe. It's the same with passwords, right? But you said computers do it because the longer a password is, the harder it would be to to guess, right? >> That's exactly right. Don hit the nail on the head. If the password is short enough, a human could potentially just sit there and guess over and over and over again, and it probably wouldn't take them too much time. So obviously a three digit password, that's not gonna take you much time to get through. I think I actually did the, all the four digit codes on my TV remote one time. >> [LAUGH] >> It took me about an hour to figure all the codes that actually worked, all right, and especially from IT. So I was able to do that in one hour and a four digit code. That was a human pushing buttons physically. Imagine what your computer can do and the power and the processor behind it. So they have very, very strong password crackers out there. So we have to make sure that these passwords are nice and strong. Now we don't wanna go too crazy though. right? Cuz I could have a 100 character password. >> [LAUGH] >> And I'd be super secure, right? So what's the kind of recommendation? >> Yeah. That's a great question. Let's go ahead and jump on my computer. Let's look at the bad and the ugly, right? So here I've got a couple of examples of different types of passwords you could run in both links and complexities, right? So you have a seven character password with one upper case letter, two digits, and one special character. That's an exclamation point, a hash tag, something like that. So usually, you have to hit the Shift to get one of these things. Running that through an average password cracker, you're gonna crack the password at 0.24 minutes, that is not very long. So that is not a good password. But as Don suggested, the longer we make that password, the more secure it becomes. And you see that with an eight character password with one upper character, two digits, and it's basically the same format. We're just adding length to it. That jumps to 1.11 hours. All right, well, that seems like a whole lot better. Except, then an hour's not very long in the grand scheme of things, so that's really not enough time. And then if you move to a 10 character password, same criteria, 31.17 days. Now that sounds strong. That sounds like we are actually getting somewhere. And you know what? It might be strong enough. That might be a strong enough password depending on your environment. >> I think I see a pattern here. So when my company asks me, and says, Don, you need to change your password every 30 days. >> Yes. >> I'm going to say, that's dumb. I don't want to change my password every month. But, if it takes 31.17 days, right? And somebody starts to try to break my password, well, within 31.17 days I'll change my password to something new so that that protects me, right? Is that the reasoning behind password changes? >> That is exactly right, so when your company says, hey, we need you to update your password. You get a prompt on your computer screen that says update your password. It's that time. Please enter a new password. Yes, I know, it's a headache. You gotta come up with something new. We'll broach that in just a minute. But this is the reason why, because these modern password crackers are very fast, they're very efficient, and within 31 days. So if we set the threshold for 30 days, well, you should be pretty safe. And obviously the longer you go, the better that's going to be and then maybe we can bother you less if we make the 11 characters, well, then you don't have to worry about it. If we make that the standard, it's gonna make it a whole lot harder for those password crackers to nail it. Alright, now let´s talk about the ugly, right. That's the bad, these are bad passwords, ten characters, it´s skirting the line, it could be good, but it might be bad, right. The ugly, just like what we got up here, we got default passwords. So if you are asked to install something, and it´s got a username and password field that you log into it, maybe some new software on your computer. Do not stick with the default that it comes with, you need to change that password. Anybody can go to Google type in default password for x software, default password for this router, default password for this access point. And if you have left it the default, well you basically just said, I'm gonna hang the key outside of the door, and anybody that wants to come in come on in. So that's not a good idea, change default passwords. That's why I call it the ugly, because you've done nothing to secure that system, and you basically ask people to enter into it. And then we have words associated with your person and or organization. So this is kind of diving into what makes a good password, obviously this does not. We don't wanna use organizational terms if, we're here at ITProTV, I don't wanna make my password ITProTV. I don't wanna make it shows rock. >> [LAUGH] >> Or anything that has to do with what I do for the company, or what the company does. >> Yeah, I mean you could even think of like geographic things that change this, and we're in Gainesville, Florida. >> Right. >> Which is the home of the University of Florida, and the Florida Gaters. And so I can guarantee probably a third of the population of this city has the word gaters in their password, and it sounds like an exaggeration but sadly it's true. I've worked at an organization where I saw this, Daniel you did too, where there were tons of employees that would just use various combinations of the word gaters in their password. And so if you knew that somebody was from here, that kinda would be your starting point, and shrink the amount of passwords you had to try before you could guess somebody's password and get in. >> That's right, that's exactly right. So your IT people might make that part of the policy, where you can't use specific words because they realize that right, they're trying help you out, make a good password. And that can lend to some of that frustration, you're like I just want to use gators123. Yeah, that's easy to remember, but length is not great, and it is too close to something that somebody could easily guess. We wanna keep that guessing ability out of the picture as much as humanly possible. So those are the bad and the ugly, let's finally jump into the good. Okay, well we've seen bad stuff, what does a good password look like? Well, let's take a look, if you jump to my screen you'll see here passwords that aren't easily guessed or cracked. That's basically what it comes down, the opposite of what we just saw. I know that seems a little facetious, but. >> [LAUGH] >> I like to a have a little fun with the word play. So I did jump up to that 11 character password, with one uppercase, two digits and one special character, right. And you'll notice that the amount of time that it takes to crack that password went from, how long was it, we had- >> 31.17. >> Yeah, 31.71 days to 810.36 days. At this point I could let you have that password for the year. Two years, four years, well not four, I guess we're getting up there, right. But couple of years, I could allow you to keep that password, if that's what we made the standard. Is it more difficult to create a password that's 11 characters, it can be. I know that not everyone's awesome, creative, right. I don't run around like Picasso and create amazing paintings every day of my life, I'm not that creative. But I do have to be creative with a password to make it long, and rememorable, right. Something that meets the complexity requirements, and that I can remember, don't forget the remembering part. Because I've always found that, Don, I don't know if this is your experience as well. That when I get a user they call me up and it's something to do with their password, they typically are complaining about, I can't remember this, and that's where they really get upset. >> Yeah where I usually saw it was, let's say you had a 30 day password change window, so every 30 days people had to change the password. They would change it, and the next day support tickets would always go up, because people would forget their password the very next day. After they had used it for a week of two they'd kind of commit it to memory and now they've got it. But if they don't have some kind of mnemonic, some kind of way to remember what that password is, it's easy to forget it, especially on the first day, which means you end up have to change it again. And you kinda repeat the cycle, people get really frustrated with that. >> Yeah, and that's totally understandable, I get that myself. I have been just as frustrated as anybody out there about having to come up with passwords. And especially, like I've talked about before where you have multiple different vectors of authentication. I've got this website that I log into, which we do business with, it's not our system, but I have to log into it because we do business with them, right. Their login credential, their requirements aren't the same as ours. So I have to come up with something for them, then I have to come, and then the times that they change their passwords are different than ours, and now I'm constantly changing and trying to remember passwords. So that's where we come in, how do we make a good password? A, length, length is great, we want to make them all as long as we can remember. But how do we remember that long password, right. That's the rub. What do we do? Well we use phrases instead of words. Words can be easily forgotten, or they're too short, that's typically the problem, they're just too short. So what we do, we make a phrase, something that I can easily remember. I don't know about you Don, but I can remember the preamble to the Constitution, we the people of the United States, right, and so on and so forth. That's something that we learned, that's buried into our brains. Maybe the Pledge of Allegiance, something you do on regular basis. The opening to Star Trek or. >> [LAUGH] >> Any set of words, or a phrase that is going to spark your memory, maybe you have a favorite lyric to a song. These are great passwords, why? Because they can be long, and they're easy to remember. So that gives us our length, and our mnemonic to make them easy to remember, that's the big important one. If you look at my screen really quickly you'll see that Wethepeopleofthe, and I put a 01, and then the US and then an exclamation point, that meets all my complexity requirements. I see that I have a capital W, right, there's one complexity requirement. I have plenty of length when it comes to this password. We also have 2 digits, 0 and 1. And then I have an exclamation point at the end, which is my special character. This is a great password to remember, I'll never forget this, it'll always be stuck in my head, and I can fiddle with this the next time I change my password. Maybe change the 01, to 10, maybe change it to 20, maybe change it to 90, or 99, or any other combination of numbers that I want. I can make it 001, I can always add more numbers if I like, I don't have to stick with 2, I just have to have at least 2, right. So that is just good security. Now if you are not required to add any of the capitalization, special characters, or numbers, that's okay, length really helps out with those. Short passwords when it comes to that, those aren't going to be very good at all, they're going to be very easy to crack. The complexity helps when it comes to the, what we call a dictionary type, I've got a list of words. If I were to use just, we the people of the United States, or the US, that might actually be in a dictionary. Somebody might have a file that has something like that inside of it. And that's what they call a dictionary, its just a file full of common phrases and words that people use as passwords. So we don't want to be inside of one of those files, but we might want to use stuff that would be in there, but we've gotta change it up. So we break it up, I put 01 before, I don't put it at the end, I don't put it at the beginning, put in the middle somewhere, right. Cuz that keeps that from being a dictionary word. It's no longer a word to the computer. It's a word to us, and that works out great because I can remember that word, but the computer is just, this is just a string of a weird characters. And now my dictionary's not gonna have that in there. I'm gonna have to resort to that brute force that, okay, let's try 0. Let's try 00, let's try 000, A, AB, ABC, and so on, and so forth. And we've seen the amount of time that a password of this length would take. And as we're looking at the actual time it would take to maybe crack that password, I don't know, Don, you think that's a pretty secure password? >> I thing 300 Trillion Years is probably fine. >> [LAUGH] >> And we could even make it more if we wanted. Because you mentioned weird characters, right? >> Yeah. >> You've got the exclamation point there. You could go ahead and put the spaces between the words, right? >> Yes. >> And if you did that here, what we looking at, what, six more spaces? >> Mm-hm. >> That means your password would be that much stronger. I mean, you could really crank this one up without having to jump through a bunch of extra hoops to be able to remember it. So the key secret here is using a pass phrase, not a password. >> Exactly, you hit the nail on the head. Easy to remember, meets complexity and length requirements for strength. And that's what we're looking for. And like Don said, if you have a hard time typing that out without hitting the spacebar, I know, it did take a little getting used to, for myself. That's fine, add the spaces. That way you're just typing it like you normally would type. You're just typing a phrase out, easy to remember, I like this. Now there's another way to create a really strong password using length and complexity requirements. And that is to take the phrase, and just take the first letter of each word in the phrase. Again, an easy mnemonic to remember, I used Little Miss Muffet as an example. I don't know why that jumped into my head when I was creating an example for this, but it did. And then I have, little miss muffet sat on her tuffet eating her curds and whey. >> I think this says something about your personal character. I think we might need to look into this one. >> Don't judge me. >> [LAUGH] >> Don't judge me cuz I don't like where he's going right now. >> [LAUGH] >> [LAUGH] But it's a nursery rhyme, so pick something like that. And you just take that first character out of each one. And that is going to make up your password. Right above it, you'll see I have a hash symbol, or a pound symbol, whatever you like to call it, that starts mine. Instead of putting it at the end, I put it at the beginning this time. I could've put it in the middle, I could put it anywhere I like. And then, little miss muffet sat on her tuffet eating her curds and whey. And I could even remember that, lmmsohtehcaw. >> [LAUGH] >> Maybe I'll remember it that way after a few hundred times of typing it in. >> But I'll never forget the Llittle Miss Muffet nursery rhyme. And then I add my numerical complexity, if I like, or if that's required of me by our administration. Not a problem, and there you go, I put 001 at the end. This is not as long as the We the people one. And so unfortunately, I only got 10 million years out of that. And man, I should probably think about strength increasing on that. But again, easy to remember, meets the complexity requirements. >> And speaking of the time on these. We might look at it and say, 10 million years, that's forever, right? But each year, computers get faster and faster. And that means the people that are running password cracking utilities or the brute forcing utilities, they get faster and faster. So today, it might be 10 million years. But a year from now it might only be one million. And then it keeps going down, and down, and down. >> Right. >> So as the years go by, passwords get increasingly weaker. But the reality is that the biggest weakness of a password is not so much the brute force side of it, it's ourselves, right, Daniel? Like we can weaken password security pretty easily. >> Man, there is apparently no patch for our humanity. And that is that if Don and I were working together, this is a prime example. Don is hitting the nail right on the head, again, that we tend to give our passwords out. This is a bad practice, this is a no. Warning, warning, warning, Will Robinson, do not do this. Do not give out your password. No administrator is going to call, worth their salt, and say, I need your password to log into such and such. He's an admin, he has rights to every system that you have in your company, your organization, wherever you're at. And he doesn't need yours. And in fact, I could change your password and log in as you, if I felt so inclined, as an administrator. I can't think of many reasons why that would come about. But almost invariably, if not invariably, they will not ask for your password. They won't have you write it down and give it to them. So you don't need to give your password out to anyone. >> And going even a step further, let's say I give mine to an IT rep that calls. Or even a family member, or a co-worker, or whatever. And so I give it to her, and it's the Little Miss Muffet 001. And I think to myself, well, when she's done with it, I'll just change it to make it 002, right? But now she knows the pattern. She sees like, Don uses Little Miss Muffet 001, I bet he's going 002. >> [LAUGH] >> Or whatever, it, again, minimizes the guessing pool she had to go through to figure out that password. So you gotta keep that in mind with these passwords. That they're designed to be just for you. And if you do give it to somebody else for some particular reason. Hopefully, that doesn't happen, but if you do. You not only need to change your password afterwards, you need to change it to something completely different. Because otherwise, you've already weakened the integrity by giving out a part of it. >> That's right, you set a precedence of, well, they use nursery rhymes. Maybe I'll just go through a book of nursery rhymes and try the same thing until I hit it. Maybe I can create a computer program that does that for me. Hint, hint, that exists, okay? >> [LAUGH] >> So we don't want to be giving our passwords, don't share them with anyone. Also, this has been a common practice for quite some time. Even though it's become a bit of a joke inside of the IT industry, is that people write their passwords down. And what do they do with it? They put it on a sticky note, and they put it on their monitor. If they think they're really slick, they stick it underneath their keyboard. >> [LAUGH] >> And they just, flip it up, there's my password. Now you might be going, I do that, well, a lot of people do. So we wanna get you away from that practice. And there's a good reason for that, obviously. Then we could just look up and check it out. >> Yeah, and Daniel and I, we used to work together at an insurance company years ago. And you'd go in the field to some of the offices. And if the person wasn't there who was working on the computer, it was just our general practice to say, you know what? Let me look under the keyboard. >> Yep. >> Or let me ask their secretary, let me check some of the other employees. Somebody'll know the password if it's not stuck on the monitor. And we joke about it, but it was so common you could almost count on it! >> [LAUGH] >> That everybody in the office knew their password, or it was written somewhere easy to find, it was almost comical. And the thing here is you may not mind if you share your password with a coworker. >> Yeah. >> Maybe it's a part of your normal workflow that you'd do that. But if it's in an area of open display, somebody could be coming in to clean the office after hours. You could have customers that are in the office that see the password. And now they know it, now it's leaked out. And that's why it's so important to remember that passwords are designed to be kept secret. That we don't share them, and that we keep them committed to memory. So like Daniel, your techniques of making it easy to remember these passphrases, that really helps with that, right? >> Yes, that's exactly right, that way you don't need to write them down. It's something you'll easily remember. And therefore, it just keeps you out of those weeds, out of putting them on a sticky note. Watch the old 1980-something movie WarGames. >> [LAUGH] >> As he sits down in his principal's office, and he sees the secretary pull a sheet down. And there's the passwords, and they're all scratched out. And only the current one is available, we don't wanna get into that business. >> Now back then, we typically only used one system. And you'd log into a mainframe, you had this one password. But in today's world, you've got people that have email. They have network servers, they have Facebook. They have all these different accounts. That is a lot of passwords to remember. So doesn't that encourage us to write them down on paper? >> It does actually, Don is very right on this. Because we have so many different places that we're logging into, makes it really difficult for us. Even if we create a really strong password, well, maybe I can't use that password at this login, right? Maybe I can't use that password over in this login. So we end up having this multitude of different passwords. Now we have a really good way of creating strong passwords, That we can use, but they'll still be different. Which password did I use for this login? I don't remember. I'll just try them all. Well maybe you've got seven or eight different passwords that you want to rifle through, and maybe that hits a lockout threshold. You've tried the login too many times, and now your account is locked out. And that's well, man the anxiety starts coming. I know when I've typed in about three or four passwords, and they are not the right one I'm starting to go I wonder if I'm about to get locked out of this system. And you just, you get anxious about it. You don't want to do that because then you've got to call the help desk, and say help me unlock this thing. So we have to come up with some system that will help us with that. >> All right, I know how to solve the problem. I can come up with one strong password, use that same password everywhere, right? >> That would be nice, but unfortunately that's just not practical. Maybe that will work, you might be able to get away with that. I have done a pretty good job in my own life of, I think I have three passwords that I can use. If it's not this one, it's this one. If it's not that one, it's this one, right. And those have worked just about anywhere I want to log in from email to systems that I work with to creating logins for whatever purposes, right. So I've kind of boiled it down to about three. But not everyone wants to go through that kind of headache, so we've come up with what's called password managers. And these are freely available, and maybe your company will implement them or maybe they have already. You just need to be aware of them so that you can use them. >> Yeah, there's a lot of software out there like Last Pass, and Key Pass, End Pass, pass in the name. [LAUGH] >> [LAUGH] >> That help you managing passwords and the key secret that they have is that they allow you to use a different password for every single system that you touch. Normally that would be a nightmare, right? And if I log into 100 sites, I have 100 different passwords, there's no way I can remember that. I'm gonna write it down. Well, these programs allow us to write it down, in an encrypted database that is protected, that we can call. And it actually improves our security. Because when you reuse a password in more than one place, you're trusting that all of those sites are securing your data the same way when in reality you're gonna get the weakest security out of all of them. So, your Facebook password is probably pretty secure. They're one of the most secure networks in the world. Your Apple password is pretty secure but then, maybe you log in to some forum or some sites to find out a little information and used the same password there. And their security is not up to snuff. Maybe their site is run by just one person with a very limited budget. And if that site ever gets compromised and the one password that you use everywhere just got obtained, now they can log into Apple or Facebook because they've got the one password you use everywhere. So, you're better off using a different password everywhere if you can. But it's too much for our human minds to wrap around, at least for most of us, some of you are savants and you remember these. [LAUGH] And so that's where these password managers come in really handy, is that ability to have a secure database of passwords you can call up. And you can use really complex, really long passwords that you would never remember. And different ones for every single site, but it's okay because it can all be pulled right from this database. So definitely a technology you'll want to look into if your company already hasn't. >> Well, Don, I fully agree with you on that. Well, around here, we like the LastPass. We work with that. It's very simple to install and use, so there's no good reason not to go ahead and use something like that. I love how it can create complex passwords for you and then it stores them. You don't have to do anything about it. You just have that one password to log into that. And then Last Pass takes care of the rest of it for you. All right, very good. Now let's talk about some, just some best practices. Maybe you're wondering what happens if you do try the wrong password too many times. Or why is it that it has me use a different password. How come I can't use the password I used last time, things of that nature. These are best practices that maybe you're in charge of a system that requires that kind of thing to occur, or you're just wondering what happens when this does occur. So let's just talk about that. Really quickly, we talked about this. how many attempts do we get. Well, that varies by organization and it's just kind of a feel thing as I've noticed. Maybe it's six tries and then you get locked out. Maybe it's ten tries and you get locked out. But you do need to come up with some Lockout policy. You get X amount of tries before the system is locked that user out and that stops those bad guys out there from just knocking at the gate and trying to get into the door. So, that helps that. It'll put a pause on that and raise a flag up to the people or the powers that be that are watching over these things to say, hum, looks like we might have a bad guy going on here. >> Yeah and on your diagram earlier, you said that if I had a seven character password it could be broken in 0.24 minutes, right? >> Yes. >> Really, really fast. But that's assuming that we have unlimited guesses and we can just rapidly guess. So, by having a password lockout, if your IT department says you get five tries then you're locked and then you have to call tech support and get unlocked, right? That will make it one attacker only getting five guesses. What are the odds of getting your password in only five guesses, extremely low. So password lock out policies can be annoying especially if you are the one who is locked out and you are in a hurry. But they effectively eliminate brute force attacks. So really useful thing so don't be frustrated If you are locked out because it is a really useful thing. So don't be frustrated when you see a lock out because it's gonna stop somebody guessing and all you have to do is to call the text support and say hey I tried to log in this morning. I got it wrong a few times. I got locked. Or you can say, hey, I came in this morning and I'm locked out. I haven't tried to log in at all, and that alerts the IT department that an attack happened. They know that something incorrect happened. Either way, your data is protected, so you should really be thankful whenever you see that limit. >> And you have the added benefit of, a lot of times this will occur, that you've got something on your mobile device that you log into the system with and now you've updated your password. Well you forgot to update it on your mobile device, so what is it doing? It's hammering away and hitting that lockout threshold. Then you have to call the help desk and they go hum, looks like you might have a mobile device that needs to be checked. Did you update your password recently? Yeah, that's right. I need to update it on my phone as well. Because I've had a lot of people go, I haven't been getting email on my phone for the last three days. When was the last time you changed your password? That was like three days ago. Ah-ha. Well that can really help on that side of things. The user end spectrum, so it's a really good thing. >> And this can vary a bit from company to company as well, right? >> Yeah. >> So I might get locked out and have to call the support desk. >> Correct. >> In order to get up. Or some places make it a little more automatic, don't they? >> Yeah, maybe they'll have a form that you can go on to the internal site, the internal website of your company, and then you can just maybe answer a security question or something in that effect and it'll automatically unlock you. There's a lot of different mechanisms which they used to make it easy for the end user to get back in their system if it's legitimately, I just accidentally type my password wrong a few times and I need to get back in the system. So very good stuff there. Let's also talk about password reuse. How many times should you allow someone to reuse a password. I've seen 12, you have to have 12 new passwords before you can use the old password. It's gonna go hand in hand a lot with how long before the password changes a lot of times. So, maybe 12 is a lot. You know maybe you're changing your password every 20 days and all of the sudden that's not so much. But maybe you change your password every 60 days. All of a sudden 12 is a better number for your end user experience, it's a whole lot easier. >> And the idea here is to protect people from guessing based on our patterns, right? So, if my old password was gator001, and I make it gator002. [LAUGH] >> Somebody could guess that, right? So, if it triggers a reuse, because a lot of them are going to look for how many characters and it'll say you can't read those five characters or whatever It, it would pick up by not changing my password enough. And that'll stop you. And again it's just a, to help maintain the security of your password. That's why that policy is in place. >> That's right. And also it keeps you from going, okay well I'm gonna change my password. I've got gator001, really like it, I'm gonna make it gator002 and then I'm gonna change my password and go right back to gator001. There are mechanisms usually in place for that as well, that keeps you from reusing those old passwords, so someone can't guess your pattern. You wanna stay away from that. That way, the bad guys stay out, the good guys stay in. And the last thing I wanna talk about is the lockout period. A lot of times there is a lockout period, if you do get locked out and let's say it's lunchtime or for whatever reason nobody's at the help desk or it's super slammed and you're having to wait on the phone, typically we can create a lockout period, maybe 15 minutes, maybe 30 minutes, maybe 10 minutes. Of just stopping that and then after that time expires, the lockout will relinquished and the user will be unlocked, allowing them to just wait the timeout if they can't get to an administrator to get that to them. >> And that might sound like a weakened security but it really doesn't. Remember if someone is brute forcing they're trying to throw thousands of passwords per second at the system. If you hold them down for ten minutes, and then they get another five guesses, and then another ten minutes, it slows them down so much it becomes theoretically impossible for them to break a password in any realistic amount of time. So, it helps to alleviate some of the frustration on our part as end-users if we get the password wrong. I know, I just need to wait ten minutes. Or wait 30 minutes. >> Yeah [LAUGH]. >> So, you'll have to check with your IT department to see what your duration is. Some like high security environments won't have a duration. They'll say you are just locked out until you contact the help desk. You've got to initiate that procedure. So, it just depends so that lockout thresholds, the timers, are pretty common and you see those pretty frequently just to help stop those brute force attacks. >> That's right. Well passwords obviously are a very important thing. Also, I want to iterate the fact that, if you are locked out and you don't know why, you haven't typed in your password incorrectly X amount of times and you're still locked out, contact your helpdesk. Contact somebody in authority over that system, so that they are aware that has happened, maybe there is a bad guy knocking at the door and that will help raise that flag for them. So always be aware of that. Then when it comes down to passwords length and complexity is going to be your friend. Use pass phrases it's gonna help you out with that pneumonic device. So you can remember those lengthy passwords and if you can get away with it by all means if you have the means, get yourself a password manager. It's gonna make your life a whole lot easier. Don, I think that's about all I got on passwords for today though. Hopefully that helps you good folks out there meet your complexity requirements, meet your length requirements and stay safe in your environment. >> All right, well hopefully that was a good description for you guys to explain away why we have some of these really weird password requirements that can seem annoying, and frustrating and pointless. But they all actually have a reason. There's a reason they're there in place and we're the ones who help maintain that. The IT department can only do so much. It's up to us to make sure that we follow proper password policies and procedures as well. So, that's a pretty good wrap-up. Daniel, did you have any parting words before we close up? >> Just don't share your passwords please. >> [LAUGH] >> Don't write them on sticky notes. I can't reiteratize that enough, because if you give someone your password and they login and they do something that they shouldn't do. And they're logged in as you, the only thing that we can, and they don't cop to it. What are we supposed to assume? Is that you did it. So don't share passwords, don't write them down, keep them secure and safe, use those password managers. >> All right, well, ladies and gentlemen that is gonna wrap up our episode right here for enduser security awareness. I do hope you guys enjoy it. I've been your host, Don Pezet. >> I'm Daniel Lowrie. >> And we will see you next time. [MUSIC] >> Thank you for watching ITProTV.