Event Recording

Pools of Identity: Best Practices Start With Personal Password Behavior

I think passwords are like COBOL. They're probably something that's going to be around for quite some time. I'd like to first start off and thank everybody for being here. I think as an overall presentation over the next 20 minutes, this will be slightly more lighthearted. There are no global cyber attacks happening, so far as what I'm gonna cover; some of the last presentations were a little bit scary, I must say. And if I'm nervous at all, it's probably from what I heard, especially two presentations ago. What I'd like to talk to you about today is really pools of identity, and it goes into the topic of how end users today are dealing with the whole concept of managing all of their passwords on many different levels. And I'd like to highlight this by first giving you a user example.
And I think for all of you that work in IT supporting users, you probably know people, or certainly your help desk knows people, that have this exact situation. So I'd like to talk about that first and I'll give you an example. Next, I'd like to go into some research that we've recently done about passwords and how that's starting to change over time, in particular the generational difference in how, as an example, baby boomers who are confronted with technology are handling it, all the way to the other end, Generation Z. These are the post-millennials. And then finally I'll talk a little bit about what you can actually do about it. So let me start off by telling you about Anna. Anna is the director of marketing in her company and she's been with the company for about five years. She's part of Generation X and, despite that, she's actually quite technical. Since COVID, she's learned how to work from home.
In fact, she works from a lot of different areas. She's very busy at home, and a lot of her view on her identities in the different pools of ID has greatly changed over the years. And so I'll talk a little bit about how she deals with this. And of course one of the things that you can always find on her is an iPhone. She does a lot of her work while she's on the go on her iPhone, talking to her team and so forth. There are three different pools of identity that Anna has to deal with. And the first one is probably the easiest to manage around, for her anyway. It's part of her organization's IT infrastructure. They have an identity provider that they've set up and it's been properly done. It has two-factor authentication and works quite well. And the positive side for Anna is that she's getting access to a large set of applications with only one password and one process that she has to go through for authentication.
So that's particularly helpful. The other side, though, is that not all applications are SSO-enabled. She works in the marketing department and there are quite a few niche applications that not everybody uses. And then they start, maybe with an Adobe suite, or maybe something like Dropbox to manage all of her content, or perhaps all of her social media accounts. And not only does she have the access, but several other people within their team also have to access this. Each one of those has a separate password that she has to manage around. So in this particular case, there are 10 applications. So now she's up to 11 passwords that she has to memorize, and she's been told not to use the same password again for different sites. That's her work environment. Well, what about her personal environment? Well, that's changed completely over the past three years, whereas before she did a little bit of online ordering in perhaps 2019.
She does a lot of that right now, especially over the past three years, and that number has dramatically increased. In fact, if she looks at what she's accessed on a monthly basis, she now has 53 different services that she has to access. So you start adding all these up: she's accessing somewhere on the order of 80 different services or applications with somewhere on the order of 64 passwords, again. And she's being told through her IT training that she should not be duplicating any of her passwords. So that brings me to a question for all of you. How many of you (and for the audience viewing remotely, I'll tell you approximately how many people raise their hands) would say that collectively, between work and your personal life, you have 25 or more passwords that you have to memorize? Okay. And I think for the people that aren't answering, you're off the grid.
How many would say that they have over 50 to manage? Okay, so we're now dealing with a slightly larger number. And let me just take it to the extreme. How many are dealing with over 100 different sites or services or passwords that you have to manage? It's pretty much impossible to do this by hand. You can't memorize that many passwords if you're using really good passwords. How is Anna doing it? Well, she has a system. So while she's not using the same password for her own social media, for her Facebook, as for, as an example, Amazon, what she has done is she's created a tier of different levels of passwords. Many people tend to do this, so they have their super secret password, maybe that's their outlook.com or their Gmail account. Then they have a couple of other passwords if they're using passwords for banking or maybe medical health and so forth.
And Anna uses all of these and it actually works out okay, or at least it did when she first started using it. What she found, however, is that over time she started to forget which password she used for which of the accounts that she was logging into. And of course, what happens when you do a password reset? Can you go back and reuse one of your four passwords? No, you can't. You have to choose a new password because you can't have a duplicate of your old password. So now that starts to proliferate. Now she has more and more passwords, so it creates a lot of pain for her and it frustrates Anna. I'd like to move on now and talk a little bit about some of the research that we've done at LastPass. Every single year we do an annual report that looks at the psychology of passwords, and for all of you with mobile phone devices, it's on the very last slide of the presentation.
So please have them ready. I have both a QR code and the actual URL, so if you'd like to get a copy of this, you can get it straight away. So have your smartphone ready. But I would like to review a couple of the data points that I think you'll find quite interesting that we've seen over the past few years. So let me start off with the fact, and this goes back to something I talked about, that about 68% of users are very worried about forgetting their passwords even if they only have three or four. And again, they get into this problem where they have to do password resets. It's very tedious if you're on a mobile device and you're trying to get into a website. So that's sort of the first one. The next statistic I think is particularly interesting because it basically says that only 8% of users think it's a bad idea to use personal information (your dog's name, your child's name, the town you grew up in, your best friend's name) as part of your password. What's interesting is, and I'm sort of reversing this around, 92% of people don't think it's a bad idea, or at least don't have a strong opinion about it. So that's quite interesting.
The next side is that there's a feeling of anonymity that most people have. Why would someone look at me? I maybe have a middle-level income; why would someone be interested in what I'm doing? I'm probably not gonna have to deal with a ransomware attack because I just don't have that many assets. They're after the big earners, as an example. The fact is, though, that these are automated systems that do a lot of these attacks and so forth. So it's clearly a problem. One other key area is what's happened over the past four years, just in terms of the number of accounts that have started to grow and grow. Again, most people have started to add a lot more accounts, many by 4x in terms of the number of especially personal accounts where they have to have passwords, because you simply just cannot get things done otherwise. And this is particularly problematic for especially the baby boomers that maybe aren't so technology savvy. They have a very difficult time. My mother, who's 85, has a very difficult time dealing with this and she's got yellow tags. Even as a vendor of a password manager, I still cannot get her to use it. She uses post-it notes and reuses the same passwords, and every time I visit I have to teach her and give her an IT lesson.
The other side is that, and I think this is a common theme that I've heard in a lot of presentations today, the human factor is really at the root of a lot of breaches that take place. It starts with the behavior of employees, it starts with problems such as that, that ultimately create the problem. And that really sort of gets down to what can we do about it. And just going back to shadow IT, there's a very interesting statistic that about three quarters of employees do use some type of shadow IT application. It might be something that's freeware, as an example. There's an application called Slido. If you're doing an online poll, as an example, a lot of people have one of these accounts; they're free. And these proliferate very quickly; strictly speaking, they are company applications because that's where you're using them.
And more often than not, it could be that the password that they've used for Slido is the same password that they're using for their IdP password. So it creates a problem. So what do we do about this? Is there a solution to handle this particular problem? Well, yes there is, and it really starts off with something that I hope most of you have done. I'd be very surprised if most of you that are managing IT environments have not already implemented at least two-factor authentication, if not some form of multi-factor authentication within your system. You can't, as an example, today even talk to someone about a policy for cybersecurity if you don't have at least two-factor authentication already set up, if not multi-factor authentication and some of the machine learning mechanisms that are now available to assess threats. The other side that's part of the human factor is generic IT awareness training.
This is something that we're starting to see a lot more, especially over the past years, where many organizations are going to vendors where all of their users need to be certified annually. That means that they need to go through, perhaps, watching some videos or reading some content and taking some basic tests to sort of know the more obvious things that probably most of you talk about all the time but might not be so clear. And of course these are all moving targets that everybody needs to know about. And by the way, one of the things that you'll find in the 2022 report is really about IT awareness and how that starts to spill over into personal behavior, personal IT behavior, and how people are applying that. And then of course I wouldn't be here if I didn't wanna propose to you that you also probably want to consider an enterprise password manager, because in fact it's simply impossible, if you have 64 different passwords, to manage those in your head.
The best way to manage this is to manage these through some secure system with zero knowledge or zero trust, so that you don't have to memorize each of those, and each of your passwords can be adequately randomized so that it would be very difficult to second-guess what that would be. I'm gonna walk through six reasons why an enterprise password manager is something that you should consider. So I think the first thing is that it is a quick, easy way to mitigate risk, especially related to shadow IT. So for some of those applications that are out there that probably, again, are using the same password as the IdP that your users are going into, this is a quick way to get around that. The second thing really has to do with governance and compliance. For you as a CISO or as an IT security manager, when you're talking to your board, how can you prove that you've taken some sort of action? As an example, having certifications that your users have gone through some form of IT awareness: that's a great audit trail that every year you can produce and have some form of governance to work through. The same thing goes with an enterprise password manager: you end up with all sorts of reporting and tools to prove governance and actually implement governance, to go through and make sure that your team is doing what they need to do to look for threats.
The other side is there are a lot of users that have a unique use case. They actually are going into other organizations' systems, and they have to do that maybe because that's part of the service that they're offering. Maybe it's an HR service or it's an IT service, what have you. This is a very common use case, and more often than not it's the same account that needs to be used to get into those systems, and it's shared among multiple people. How do you secure all of that so that, as you have people that are onboarding and off-boarding, you're never letting accounts get into the wrong people's hands? A proper enterprise password manager will help you manage through that process.
And then finally, you've heard about a lot of things today, a lot of different security threats. The one thing about an enterprise password manager is that it's actually probably one of the easiest things to implement. It's an application that gets rolled out to all of your users, they create a secure vault, they start adding passwords, and the user interface is actually quite easy to use. So again, there are a lot of things that require intense levels of integration and testing and so forth. This is actually something that's very easy to implement, and cost-wise the ROI is very interesting, because it not only increases productivity for people trying to find passwords, but it also de-risks a lot of your potential security threats. And then finally, a proper enterprise password manager will have interfaces with IdPs. So in fact the password manager itself can use your single sign-on; it can be a downstream SSO application to your IdP. It will also have all of the different events that you do wanna know about, which you can pass into your SIEM environment so that you can use those as part of your overall review of all the different attack vectors, and start to make relationships or look for key activities that might indicate some sort of threat.
And then finally, it's probably the quickest path to a passwordless environment. Again, if you take sort of the assumption that for a given employee to get all the things done within their life they have to access 64 different passwords, by using a password manager you can actually make getting access into the password manager completely passwordless through some gesture-like mechanisms, with a smartphone as an example. You can make all of your passwords something that users don't have to remember at any time. And so you can get there today, and then as new standards come on, those can follow. But it's a quick way to get there. So I promised I'm gonna leave this up here for a second. So if you're interested in taking a look at this white paper, it can be very interesting. Take a quick photograph of that, and I'm gonna end, but I'm gonna ask if there are any questions about password behavior or LastPass in fact in general.
Thanks very much. While you're thinking about that, we have a question online, and this kind of segues into my own experience: I use a password manager, it happens to be LastPass, and it kind of literally changed my life, but most people say to me, "Well, why didn't you just use the one in the browser? The browser comes with a password manager, why wouldn't you just use that?"
So yeah, I guess it has a couple of good reasons. The first has to do with the fact that you not only have passwords, you have a lot of other digital items that you need to secure. So we actually call it a vault because it's not just about passwords. That's really the first thing. The second thing is it's multi-platform. So across any browser environment you're not locked into a given ecosystem of one type or another. And then the other side is probably the whole zero-knowledge model: everything is locked into this vault and we go through some incredible architecture to make sure that that cannot ever be broken, where there are risks quite often with browser-based password managers.
Okay, and we've got about a minute. We've got a question at the back. Sure.
Thank you. Christian Trump, TrustBuilder. I have a short question, because at the end you were talking about passwordless. I am also using a password manager; I have more than 300 logins over the years and I really see the B2C use case. But if we're talking about B2C, if I have single sign-on and a passwordless environment, where do you see yourself then moving into the future? Because I don't see the business case there anymore.
Well, it still will. It's like a lot of applications. There will be some time that it will take to get everything moved over, and the other side is shadow IT continues to be a problem as more SaaS applications are introduced on the market. And you know, the speed at which, if you go out, as an example, and look at the number of websites at large on the internet, how many of those today actually offer two-factor authentication? If you compare that total number of sites that have a login process using a single-factor password process to those that actually offer two-factor authentication, the number is actually quite small. And so it's probably gonna be quite some time before we get to the point where we can actually implement passwordless. You can probably expect it certainly for corporate IT applications, but it will take some time, and maybe even things in banking and healthcare and so forth. But for the internet at large, the need for a password manager and for just storing everything, your credit cards, your passport information, any secure digital items, that will probably take some time. So we certainly, you know, who knows, five years down the line. But certainly for the foreseeable future we don't see this as a problem that we hear about going away anytime soon.
Okay, thanks very much, Mark. And again, another round of applause for Mark Troy.
Thank you.
