Event Recording

Per Thorsheim - Password Security in 2019 - More Important Than Ever Before!


There is no other computer-related issue that affects more people globally and more frequently than passwords. We can easily authenticate 100 times a day using PINs, passwords, biometrics, cards and other technologies. At the same time we see time and again that weaknesses, vulnerabilities and flaws in these mechanisms are exploited to gain unlawful access to systems and data. A new consensus on passwords and digital authentication exists, but a major challenge persists: how do we convince everyone that we've done passwords wrong for 30 years and need to change everything? This talk will provide fascinating insights into the psychology and technology of passwords, with good advice, humor and the best news you have received in a very long time!

So how many of you love passwords? Oh, okay. Well, it was worth a try. I love passwords and digital authentication. I have already given you this short introduction, my reputation and my car plate. And as I told you, I'm, I'm, I'm 48 years old. I have a daughter aged 13, or she's gonna be 13 now in, in a few weeks, and I'm divorced. And of course, again, as I said, that has nothing to do with me being obsessed with passwords and digital authentication, but not only that, as a single male aged 45, I even do have my own YouTube channel. And it's all about passwords and digital authentication, because I am the founder and main organizer of PasswordsCon, which is the first and only conference in the world which is only about passwords and digital authentication. It's a nonprofit conference that I do usually in cooperation with others.
I'm now going to do it again in Stockholm in, in two weeks' time. And I've done this now since 2010 at different places around the world, including Las Vegas four years in a row, and also, as an example, with Bochum here in Germany, and this time it's for three full days, and we are only talking about passwords. Or as I say, if I talk about passwords for eight hours without a break at all, and that's not a problem for me to do, I call that a good introduction to basic password security, eight hours. So that's how obsessive I am about this topic. Now, back in 2016, I was contacted by the US National Cyber Security Alliance. And they asked me if I would assist them in writing more or less the US government consumer recommendations on passwords, and the National Cyber Security Alliance is the US government, but it's also Microsoft and Google and, you know, blah, blah, blah.
Everyone is sort of a member of the US National Cyber Security Alliance. And these are the password recommendations that I provided for them, which are in existence even today. Recommendation number one: make your password a sentence. For some reason, I don't know why, but even today the majority of people do not know that you can also use a space in your passwords. So you can write a sentence. Doesn't always work. Doesn't always work. No, because of incompetent engineers, period. Yeah. Shame on them. Yeah. You can't handle a space on a computer? Please give me a break. But in most systems, even Microsoft Windows, you can use a space. So you can write a simple sentence in whatever language you want, or preferably in the language you know, of course, so I can write down "I was born in Bergen, Norway" and use that as my passphrase, or password, if you like.
And if you do something positive, something from your past. So for all the gentlemen, you know, try to avoid anything that has to do with your wedding date, you know, use something positive from your background. And it's easy to remember, but it's impossible, more or less, to hack. So that's advice number one. Second advice: unique account, unique password. I'm not gonna say this is a requirement from my side, but it is a recommendation. The thing here is, I know this is very difficult to do. You can't remember all your passwords for all your accounts? Neither do I. I have more than 400 accounts online and I'm no genius. I can't remember all my passwords, or sentences for that matter. So, on to tip number three: I have written down my passwords, or in my world, I'm using a password manager, a piece of software that will generate passwords for me, completely random. It will fill them in on any application or website that I'm using, and it will remember them for me. And what I need to remember is my master password for my password manager that I have on my phone, on my iPad and on my computer, both at work and at home.
And one of the things I've also done: my master password can actually be found on a piece of paper inside an envelope back home in my bedroom, next to my bed. And well, I haven't written it on the outside of the envelope, but I could have written "digital testament". I will get back to that. And last but not least, even though I am a fan of passwords, you should use two-factor authentication wherever possible. And if you are a service provider of anything publicly online to people, you should offer them the opportunity to use some kind of two-factor authentication, because in a way, passwords are not enough and you should do two-factor authentication as well. Now, I also do bring some good news. My keynote today was perhaps a bit depressive, I think, but on my next slide, I have the best news of the day. This could be the best news this entire week for you. This could actually be the best news of the year for you, unless you got married or had a child.
And I've never tried this in Germany before. I don't know. I'm not that used to a German audience. So I don't know if you, you know, if you have a, you know, a standard of applauding people before they have finished talking, or if you ever stand up and applaud people, or maybe you give a whistle or, you know, as I say, if there are any singles in the room, feel free to give me a hug. The next slide. So I'm sort of looking forward to seeing the reactions to my next slide. This is gonna be the best news of today. Are you ready?
Yes. Yeah.
Yeah. Well, we gotta do this one more time. Are you ready for the best news of the day?
Yes.
Good, excellent. And that is: frequent, mandatory change of passwords is a stupid thing to do. Yes. Free hugs after my talk, because, and this is, you know, this is not a joke. This is very serious research conducted not only by me, but by researchers and security professionals all over the world. For many years, we have found that doing this to your users actually decreases security, because instead of doing long, strong, unique passwords, people will just go into a very simple habit of Monday1, Monday2, Monday3, as an example, when they are creating their passwords. That is an incredibly predictable pattern for any hacker, and thus changing your password really ain't gonna do shit. In fact, 50% of you, maybe as much as 60%, or at least your colleagues, when they change their password, they will just update the password by one at the end. 50 to 60% of all employees at large organizations do exactly that. And number two, and I don't have to tell you this at all, but forcing people to change passwords frequently destroys the user experience. People hate doing this. And number three, it is actually a waste of valuable time. Have you ever received a question from any user: why do we keep on doing this? Why do we have to change our password on a regular basis?
And most security people, they actually don't know why. It's just like, the policy says we have to do it. I saw it on Google. I Googled it. And Google said, change your password on a regular basis. Well, why doesn't Google do that to your account? Why doesn't Apple do that? Or Facebook? Are they complete idiots? No, they actually have pretty good security researchers. And most of them have been to my conference as well to learn how to do things. So these are the good news for the day. Maybe I have some more as well. We'll see. In June '16, during my PasswordsCon conference in Las Vegas, I had Jim Fenton, one of the authors of the new version of the NIST SP 800-63B standard, do a talk about this standard. It was released in June 2017. So it's two years old now, or two and a half years old. And this is the US government standard for digital authentication. One of the things you can find in this standard is: stop forcing people to change passwords on a regular basis. And there are other highlights in the standard as well. And I'm promoting this standard absolutely everywhere, to my Norwegian government, to governments and standards organizations in other countries as well. And just three weeks ago, I learned that the Danish national CERT team has also published new recommendations on password security, and lo and behold, they are basically based on the NIST standard, which is two and a half years old.
And I wouldn't mind, you know, if, you know, if, if there are any here from the German BSI or similar like that, you know, gimme a shout out. I really want to talk to you. I want to change the government of Germany on this stance as well, if possible. And being obsessed with passwords, I'm also very often met by people saying that, really, passwords, it's so, like, lame, it's like everybody was doing that 20 years ago, it's no fun anymore, because what the really cool thing today is, is biometrics. And when Steve Jobs of Apple was on stage launching the iPhone 5S, the first iPhone with Touch ID, some smart guy, I, I don't know where he was in the world, I think he was in America, very shortly after the announcement of the iPhone 5S with Touch ID, he put out a single picture on Twitter, illustrating the exceptional security of Touch ID. And this one picture, coming up on my next slide, is basically my entire opinion on the security of biometrics. It looks like this.
Because people do not understand that the way we are using biometrics today for security is actually implemented as a usability feature, not for security purposes. As soon as people, friends of mine, colleagues of mine got the new iPhone 5S, they came to me like, ha, now, Per, now you can try to hack my phone. There's no way you could break through the, you know, the exceptional biometric security of Touch ID. And I said, well, you know, research says there's a one in 50,000 possibility that I will actually have a fingerprint pretty similar to yours. One in 50,000. Now that's not good compared to a four-digit PIN with 10,000 combinations, but PIN codes are passwords. And I research PIN codes as well. And even though you have 10,000 combinations available, chances are very high that you have selected one PIN out of just 100 combinations. So these friends and colleagues, they come up to me and I take their phone. And I say, ah, so you want, you, you want me to sort of try to break the Touch ID? Ah, yeah, try it, try it, try it. And I say, well, I'm not gonna do that. I'm just gonna swipe left or right. So I get to the PIN pad, and then, out of curiosity: which year were you born, or when is your birthday? And people were like, give me back my phone.
That easy. I'm no fun at parties at all, because I do this party trick all the time, and way too often I can guess your PIN in one, two or three attempts.
So you should do two-factor authentication everywhere. And today, a lot of people do that using their phone. And as I was talking about in my keynote, mobile hijacking: if I can be you, if I can be your phone, chances are that I will, in many, many cases, be able to bypass the two-factor authentication of your account, or to do a password reset or account reset and still gain access to your account, as an example, in social media. I didn't mention port-out and SIM swap and spoofing attacks, so I'm gonna repeat them. But to me, it's very important to say that good usability provides for good security, but good security, if implemented without good usability, will be really bad security. It is pretty amazing to see what some people will actually do. If security is bad, they will do pretty much anything to bypass security in order to actually do their job. And if security is implemented in such a way that it prevents your colleagues from doing their job, they're going to hate you. And then you will not be able to do your job properly.
So, as an example, when you're going to create a new account, you are usually met with "enter an email address", you know, as your username, and you probably have to choose a password and repeat the password on screen, but you're not allowed to see the password on screen for some reason. So, first of all, entering a new website, I would say, make sure that you put the cursor in the email or username field at once. So I don't have to move, move my mouse pointer and click in the window before I can type. It's a very small UX tip, but a lot of websites don't do that. Second, choose a username. Now, email addresses are in a way public information. If I ask you for your email address, you will most probably give it to me. Passwords are considered secrets. Usernames are not.
And today a lot of breaches online are focusing on email addresses and passwords. So if you look at Twitter as an example, where I'm very active, they actually give you the opportunity to log in using your Twitter handle, your phone number or your email address. What they don't do is allow me to choose which of those I want to block. So if I could, I would block myself from using my email address to log in, because my email address is public information. While my phone number, as an example, could be more of a secret. It's a very small trick. My phone number is shorter than my email address. So I would have to type less, and my username would be sort of half secret. Most places have never thought about doing this at all. So there's a discussion to be had at many companies: why are we only allowing email addresses to be used as usernames? Why is that? Why can't we use anything else, like a phone number or whatever random string people want to use? For password policies, most websites say, yeah, it has to be minimum eight characters long. You have to use uppercase, lowercase, specials, numbers, emojis, and a DNA blood sample. Crazy. Why,
Why do you have to do that? I'm using simplified Chinese. I'm going, I'm going to do my password in simplified Chinese. There's no difference between uppercase and lowercase; in simplified Chinese that doesn't exist. So are you saying that with the 15,000 different symbols I know in simplified Chinese, if I use 10 of those symbols, that's not a good enough password? You gotta be kidding me. Most password policies are made by people in the Western world for Western people. We can learn a lot from other cultures, other countries, about password security. And we also tell people, you have to choose a strong password. Well, why can't we generate a passphrase, a simple sentence, and give that to users? Like, here's a passphrase for you. You can use this one, or you can choose one by yourself, instead of always just saying, you have to come up with something and there's no way we are going to help you with anything. Aren't we supposed to be user focused, customer centric? We at, you know, Choice Hotels are working every day to improve that; we want your visit to us to be as good, as easy as possible.
And also for the password field, you could have a button like an open eye or a closed eye, where you can choose to either see or hide the password on screen. Again, a very simple UX trick. But at one point I did talk to some designers who were using an open eye to show the password, and you could click and the eye would close, so you didn't see the password on screen. And I said, are you religious by any chance? No, they said. Well, have you ever watched Lord of the Rings? Oh yeah, many, many times. And a single open eye means what? And they were like, the evil eye. Yes. In many religions, a single open eye is evil itself. So try to avoid using symbols and use text instead. Now, I have forgotten everything I learned in my German classes when I was 15 years old.
But as far as I know, the open and close, or show and hide, in German are more than four characters long. So you need to figure out, you know, what text to use in there: hide, show and hide. And then, if you actually allow people to see the password on screen while they're typing it in, the additional field for repeating your password is suddenly redundant. And then registering for an account will take less time and less work to do. Signing up for an account means more customers; do it as easy as possible, but do try to maintain security.
Now, my ex-wife, and she's a very good friend of mine even today, she tells me rather often that, Per, you know, you're 48 and, and you're single. And if, if you, you know, ever have any hope of ever meeting anyone again, you know, you have to talk about something else than passwords, you know, you need a hobby, you know. Well, you need a life, she sometimes says as well, but you know, you can't just do passwords as your hobby. You know, fishing, beer drinking, you know, play a game of chess, you know, get yourself a fast car, you know, something that you can talk to women about. And I'm like, well, I, I do have other hobbies as well. It's not just about passwords. And she says, no, passwords is the only thing you care about. And I say, no, I'm interested, interested in PIN codes as well.
I say, I mean, you can't just be, like, shallow in one area. So back in 2013, I was at a school with students aged 17 in, in Bergen, on the west coast of Norway, where I live. And I asked all of them, I gave them a few tasks to perform. I said, pen and paper, please. And write down your gender: male, female, or, you know, alien. Very easy to do. Second, I said, please generate a four-digit PIN code that you are absolutely sure you can remember a month from now, and write it down on the paper. Four digits, four numbers in a PIN code that you are absolutely sure you can remember a month from now. And I gave them some time to think, and they wrote it down. And I said, I want to collect all these pieces of paper, because I do statistics on the, on, on these things. You know, that's my view of a perfect Friday evening, to do statistics on people's PIN codes. So I do ask them to do this. And this was in 2013, and these are plus/minus 17 years old.
So after collecting all the pieces of paper without looking at them, I do ask them: how many of you chose 1996? And a lot of them blushed and started laughing out loud, because among the girls, 1996, which is their year of birth, was the most popular selected PIN code. I mean, how drunk do you have to be before you forget the year you were born? I should ask women that; I can ask the men about that. So they laughed, but there were also some boys in the room, and they were like, stupid. I mean, seriously, come on. You can't be that stupid, these boys said. And I, you know, I, I know my own kind, because I can tell you that among these boys, 1996 was the second most popular PIN code. But do I have any suggestions from the audience here today? What do you think the most popular PIN code was among these 17-year-old boys? Raise your hand.
13, 13, 13,
Any other suggestions? Most popular PIN code selected by boys?
6 9 6 9, 6 9 6 9, 1 2 3 4.
Yeah. So the joke goes like this. Every time I do this slide and every time I talk to people, no matter the country, the US, Sweden, Ukraine, Norway, Serbia, many other countries where I've been, when I ask for suggestions, there will either be a male or female, of course, answering first. If it is a male, they will suggest 6, 9, 6, 9 or 1, 2, 3, 4, and in a way, showing women our mentally amazing capacity, or, sorry about that, a male myself, so I, you know, I'm just, I'm throwing rocks at myself here. Or it will be a female answering first, and they will also suggest 1, 2, 3, 4 or 6, 9, 6, 9, thus just proving your belief in our excellent mental capacity as men. Everywhere I go, these are the exact same suggestions coming up again and again, again, again, again. But it was not 6 9 6 9, 1 2 3 4. It was 1, 3, 3, 7. Ring a bell? Are there any women here who understand the point of 1, 3, 3, 7? Raise your hand. None. Okay. When I said it out loud here, how many of you selected 1, 3, 3, 7? Some of the boys in the upper right corner, they were like, yeah.
Ah,
And all the girls were like, what? And I explained to them that if you read the numbers as if they were letters, it says L E E T, leet, short for elite. And if you play computer games online and you are getting beaten really, really badly by somebody else in a computer game, at the end of a round of, I don't know, Battlefield online or something like that, PlayStation, PC, you will write back to them 1, 3, 3, 7 and maybe an exclamation mark. And that means like, whoa, you're really good. And all the girls, no exceptions, they're like, oh God,
No,
Because none of them had, none of the girls had selected 1, 3, 3, 7, and none of them were playing computer games. And then I was at the university in Trondheim, in Norway. And I did the same thing with students. And there was one woman who raised her hand. She had picked 1, 3, 3, 7. And I just, like, I ran down to her. Like, you could be the woman of my dreams. I told her, like, really, you could be the woman of my dreams, but I have to ask you: do you play computer games? And she said no, so, still single. But she said, I understand the meaning of 1, 3, 3, 7, it's about computer games. And I was curious, and I asked her, then why did you choose 1, 3, 3, 7? And her amazing response was incredibly simple: my postal address at home is 1, 3, 3, 7, it's just outside the city center of Oslo, our capital in Norway. Which of course made all these gamer boys go like, I wanna move to Oslo, just outside Oslo city center. That's where I'm going to live when I grow old. So this is proof of us being simple and very predictable creatures, even when you are to select a PIN code or a password.
And these are the most common four-digit PINs in the world. If your PIN is up on screen now, I do advise you to change it. But 5, 6, 8, 3. Does it make any sense? 5, 6, 8, 3. Say again? No?
Love,
Love. Look at the letters below the numbers. L O V E.
So what I have done, I've been doing some additional research on this. I've been asking people to do a four-digit memorable PIN code. I try to do a four-digit non-memorable: I'm basically asking you, make a four-digit PIN code that you think you will not be able to remember a month from now. And I've also been asking people to do a seven-digit memorable PIN code, just to see what happens. Now, one of the observations you can see is that if I'm asking you to use a memorable PIN code, you will most likely not be using the number six in your PIN code. And if I try to ask you to do a seven-digit memorable PIN code, you will also most likely not be using the number six. On the other hand, if I'm asking you to do a random PIN code, because a PIN code that you can't remember is basically a random PIN code, and you can choose anything from zero to nine, you will not be using zero, because people don't consider zero to be a random number, based on research at Cambridge University in the UK.
If I can, before I leave later today, if I can steal 11 phones in this room, or 11 credit cards, the only thing I know is that you have created your own four-digit PIN code. That's all. I don't know your gender, age, birthday, nothing else. Chances are that for every 11 cards or every 11 phones, in three attempts I will be able to guess your PIN code. Well, I'm not in the habit of stealing credit cards or phones, I'm sorry, but again, this is solid research published in academic papers. So feel free to try to disprove them. So what I have done with my daughter, 13 years old: I have shown her how to do a very long PIN. And she actually does not know her own PIN code for her own phone, because you look at the letters below the numbers, and typing in a very typical Norwegian name like Johansen translates into 5, 6, 4, 2, 6, 7, 3, 6. And my daughter has a 10-digit PIN code. And she has no idea what the PIN code is, but it is a very simple word to remember. Incredibly easy way to generate a strong PIN code for your phone.
I have also been supervising or co-supervising PhD students, master students and bachelor students in several countries. One of them was Marte Løge at the Norwegian University of Science and Technology, and she was given a task by me. And that was to figure out: how do people create their Android lock patterns? This is based on work from Professor Markus Dürmuth at Ruhr-Universität Bochum.
And when he presented his work on, you know, how people make these lock patterns, I asked him, well, I'm left-handed, does that actually influence the way I create my patterns? And he said, no idea. We haven't looked into that. So I said to Marte, well, I want to know if left-handed people or right-handed people, if they make, if they make different lock patterns or not. I want to know if you are an Arabic-speaking person, writing from right to left, or if you are Chinese, Japanese, and write from top to bottom, or if you use one of those very few languages in the world where you not only write from the right to the left, but you start at the bottom and then you go upwards on paper as well, if that will influence the way you create these lock patterns. And what we found is, well, people are predictable. 10% of everyone will be using a standard English alphabet letter as their lock pattern. And this was published in an academic paper a few years ago. And I do know from police and forensic experts that that paper has actually helped them get access to phones they couldn't get into previously, and been able to extract evidence, as an example in murder cases, which has been extremely helpful.
I'm getting closer, but I will also talk just for a second about behavioral biometrics. One thing is normal biometrics, something you are, like a fingerprint, but there's also something called behavioral biometrics: the way you walk, the way you wave your arms or anything else, the way you behave, your voice. And a couple of years ago, I discovered that BankID in Norway, which is the service all Norwegians are using for signing into the online bank, no matter which bank you are using, it's the same common system for everyone, they have secretly been creating behavioral biometric profiles of more than 2 million Norwegians based on how they type on their keyboard. Because the funny thing is, if you put a keyboard connected to a computer in a room and you ask people to go into that room and just start typing on the keyboard, write a sentence, words, whatever, and you don't know the gender, the age or anything else, you just go in there and type, as soon as you have typed approximately eight characters on the keyboard, we can with pretty good confidence tell whether you are male or female.
There is a distinct difference between how men and women touch type on the keyboard that can be measured. So I found that BankID had been using this, and they were using this as some sort of, not authentication, but as a fraud detection system, but they hadn't told anyone, from a privacy perspective. So on the basis of that, together with a friend of mine in the UK, we created a Chrome plugin called Keyboard Privacy, which essentially blocks these kinds of systems from working at all, because we change the difference, the speed in how you type. We change that before it's entered into the domain that you are typing into. It's available for free online: Keyboard Privacy for Google Chrome.
So I do recommend you look into WebAuthn, it's a new standard for online authentication. I'm not going to explain it, but look into it. It's really, really good, and it can make life more secure, much easier. And I will go back to the beginning about writing down your passwords, because a lot of people think that I'm joking. This is a one-minute video that I created. This is available on YouTube. The narration is in Norwegian, so I will do it in English for you instead. And I made this video after a teenage girl was kidnapped, abused and killed in Norway. And the police called me for assistance. Newspapers asked me, how can we get access to this girl's Facebook profile to see if we can find her, because she was missing for several days. This is the video: To our loved ones, dear mom and dad. If you are reading this letter, I have gone missing against my own will. In this letter, you will find the username and passwords for my email, my Snapchat, Facebook and Instagram account. Please use it together with the police to come and find me, and remember that I love you.
And it has been put into an envelope, which says "for emergency use only", available on the shelf in my room. Because today people go missing, just like people have gone missing for many, many hundreds and thousands of years, and digital traces are becoming increasingly important for us to find them. So my recommendation is that if you have kids, if you have friends, family or coworkers that you care about, tell them to trust you and to write down their passwords on a piece of paper, which is called a digital testament, and use that if needed. Thank you. Thank you.
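The keypad trick described in the talk for the speaker's daughter (type a name like Johansen and use the digits printed under its letters), together with a screen for the predictable PIN shapes the talk names, as an added example from the editor; this is not code from the talk or from Per Thorsheim. The letter-to-digit table is the standard telephone keypad; the six-digit minimum, the year range and the small set of popular PINs (constructed from the PINs mentioned in the talk, not from a real dataset) are assumptions.

```python
"""Added example: phone-keypad PIN generation and weak-PIN screening.

Not code from the talk. It turns a memorable word into a long PIN via the
letters under the digits of a phone keypad, and screens PINs for the
predictable shapes the talk names (birth years, 1234, 6969, 1337, 5683).
Minimum length, year range and the popular-PIN set are assumptions.
"""
import unicodedata

# Letter groups on a standard (ITU E.161) telephone keypad; 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

# Constructed from the PINs singled out in the talk; a real deployment would
# use a published frequency list instead.
KNOWN_POPULAR_PINS = {"1234", "6969", "1337", "5683", "1996"}

MIN_PIN_LENGTH = 6          # assumption: a sensible floor for a phone unlock code
YEAR_RANGE = (1900, 2030)   # assumption: four digits in this range read as a birth year


def word_to_keypad_pin(word: str) -> str:
    """Map each letter of a word to the keypad digit it sits under.

    'Johansen' -> '56426736', as in the talk. Accented letters are reduced to
    their base letter (e.g. 'é' -> 'E'); characters with no keypad digit,
    such as 'ø' or spaces, are skipped, so the caller should check the
    result is long enough.
    """
    digits = []
    for ch in unicodedata.normalize("NFKD", word):
        digit = LETTER_TO_DIGIT.get(ch.upper())
        if digit is not None:
            digits.append(digit)
    return "".join(digits)


def _is_stepwise(pin: str, step: int) -> bool:
    """True when every digit differs from the previous one by `step` (1234, 9876)."""
    return all(int(b) - int(a) == step for a, b in zip(pin, pin[1:]))


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a PIN is predictable; an empty list means none were found."""
    if not pin.isdigit():
        return ["contains non-digit characters"]
    reasons = []
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if pin in KNOWN_POPULAR_PINS:
        reasons.append("on the list of commonly chosen PINs")
    if len(pin) == 4 and YEAR_RANGE[0] <= int(pin) <= YEAR_RANGE[1]:
        reasons.append("looks like a year")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    half = len(pin) // 2
    if len(pin) % 2 == 0 and len(set(pin)) > 1 and pin[:half] * 2 == pin:
        reasons.append("same digit pair or half repeated")
    if len(pin) >= 4 and (_is_stepwise(pin, 1) or _is_stepwise(pin, -1)):
        reasons.append("ascending or descending run")
    return reasons


def suggest_pin(word: str) -> tuple[str, list[str]]:
    """Convert a memorable word and report any weaknesses the screen still finds."""
    pin = word_to_keypad_pin(word)
    return pin, pin_weaknesses(pin)


if __name__ == "__main__":
    for word in ("Johansen", "Bergen"):
        print(word, "->", suggest_pin(word))
    for pin in ("1996", "6969", "1234"):
        print(pin, "->", pin_weaknesses(pin))
```

The screen is deliberately a blocklist of shapes rather than an entropy estimate: the talk's point is that people pick from roughly 100 of the 10,000 four-digit codes, so the useful check is "does this look like something a person would pick", and a keypad-derived word of six or more letters passes it while still being easy to remember.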
