Expert discusses the importance of keeping internal computer credentials as safe as your passwords. The need for security never goes away.
TechRepublic’s Karen Roby spoke with Robert Haynes of Checkmarx, a software security solution, about World Password Day, May 6, 2021. The following is an edited transcript of their conversation.
SEE: Security incident response policy (TechRepublic Premium)
Karen Roby: So, passwords are still a thing. Many thought that by this day and age they would be a thing of the past, but they’re still very alive and well and still causing unfortunately many issues for us humans when our passwords are compromised for various reasons. But today, and I like this, we’re not talking so much about humans and our passwords and the mistakes we make, but we’re talking about passwords kind of behind the scenes, machines talking to each other. This is something that you specialize in. What is it that people need to know about this?
Robert Haynes: Just as we all use passwords to access the things we want to do, like our banking or our social media, in the background, we have IT services talking to each other. Just like we need to make sure that we authenticate ourselves, we authenticate these passwords between services. So, maybe I need to talk to a database or I need to talk to a cloud service. Obviously, we need to authenticate that. We dress up passwords and we call them credentials. But it’s the same thing, essentially. So, some way of identifying that once one service is talking to another, we can know who they are, and there are probably nearly as many of those floating around the internet as there are human passwords. The results of them being compromised or lost are just as important, if not worse.
Karen Roby: Certainly, the results can be catastrophic for a company when compromised. And I think it would probably surprise people if you don’t really stop and think about it, that again, behind the scenes, these credentials passwords are out there, but that’s part of the backbone of some companies and how we communicate.
Robert Haynes: It’s part of everything. We need to authenticate between services. But if I have somebody else’s credentials, I can do lots of bad things with them. I could start mining some Bitcoin with your Amazon accounts, or I could access a database, or I could change your signing certificate to make it look like it’s coming from me, and I can do all sorts of terrible things if I have access to that. So, we have to protect those machine credentials just as well as we protect our user credentials.
Karen Roby: How do we best do that?
Robert Haynes: You know, there’s loads of parallels between how users look after their passwords and how we have to do that with machines. The common advice, we probably hear lots of times on World Password Day is maybe not write your password down on a sticky note and leave it on your desk. So kind of do the same thing with machines. How you store those passwords in your machines in some sort of encrypted way, how you pass them to your systems, do that in an encrypted way so that nobody else can see. Don’t leave them lying around. Because for instance, if I leave some credentials lying around and I forget they’re in my code, and I maybe put my code in a publicly accessible place, like a GitHub or other source code repository, someone’s going to find that really, really quickly and they’re going to use it. Make sure that we store our passwords securely, make sure that we don’t tell them to anybody. Rotate them. Don’t use the same one everywhere.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
These are all exactly the same tools and techniques we need to use inside the machines or inside of services that we do in our normal sort of social media passwords.
Karen Roby: As I mentioned at the beginning, Robert, many would say that they thought by this year, 2021, we wouldn’t be talking about passwords anymore. And here it’s World Password Day. So, we’re talking about them. And I think people have come along and are starting to figure out, “Oh, maybe 12345 is not the best password.” So, we’re advancing a little bit, but will there be a day that we don’t have passwords? Will there be a day that the weak link of humans sometimes is not involved? So we don’t need to worry about compromise anymore? That’s a big question. I understand that.
Robert Haynes: Will we ever need to stop worrying about authentication and identifying? No. Will we get away from passwords? A password is essentially a secret that you know, and whatever you’re trying to talk to knows as well. So, it’s like a shared secret. Will we get away from a shared secret mechanism? Maybe, but there’s a degree of simplicity and ease. If I have this thing and I know it and you know that I know it, then I can authenticate. So, it’s very simple. It’s relatively easy to do. It’s hard to get away from that. We can be more and more sophisticated about adding extra factors in there. Like where you’re coming from, what time of day it is, other things.
But essentially the shared secret, where I identify myself as somebody that I have, we’re getting close. We have some sort of public key type things that we can go to, but they still rely on me having a thing. We’re always going to have to protect some secrets. We’re always going to have to worry about this in some way, shape, or form. Hopefully, I say, it won’t be down to passwords and usernames as much, but there’s always going to have to be some way of identifying one thing, one person, or one device talking to another device. And someone’s always going to be trying to find a way around that. So, we’re never going to stop worrying about it. Really, however we change how we authenticate, someone else is always going to be trying to spy on us while we do it.
SEE: Cybersecurity: Don’t blame employees—make them feel like part of the solution (TechRepublic)
Karen Roby: Yeah. And that’s the scary thing, Robert, is there’s always someone lurking ready to pounce when people are vulnerable and we’ve been vulnerable this last year with so many people working from home and IT teams have been stretched to the limit. Security really is at the forefront now. It’s got to be.
Robert Haynes: Yeah, absolutely. And I think the key thing, you can forget all the technological solutions, you can forget all the things that technology might put in place. A lot of it still comes down to training and just training users, training us. I mean, we all make mistakes. Training ourselves to be secure with how we use our passwords, where we store our passwords. All those best practices we know, and the same training can apply to the people that are developing the systems we’re using in the background as well. So, training everyone to be secure with how they handle secrets is still super important.
Karen Roby: Super important. Doesn’t matter what level of education you have when it comes to IT. Right?
Robert Haynes: Absolutely. We’re all human. We all make mistakes. We all need to be reminded. Like World Password Day, we need to be reminded that we need to check up on our passwords.
Karen Roby: Yep. Now’s the time to do it. Certainly. I really appreciate, Robert, you being with me here today and talking about this on World Password Day, because obviously cybersecurity and anything related to it is something we can talk about basically every day.
Robert Haynes: It never goes away.