The Perils of Passwords
Hello! I’m Joe Campbell
Principal Security Architect, Dell Software
So… what’s the problem?
Just in case you didn’t know
3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more. (Data from survey conducted by Telesign)
40 percent of those surveyed say they had “a security incident” in the past year. (Data from survey conducted by Telesign)
FUN FACTS! While you learn fun things about passwords, consider how we know these facts…
Top 10 Literary, Movie or TV passwords
Swordfish (from the movie Horse Feathers)
Caput Draconis (from Harry Potter and the Sorcerer’s Stone)
Alligator (from the TV show Scrubs)
“Actually the same code I have on my luggage…” (from the movie Spaceballs)
Open Sesame (from the book One Thousand and One Nights)
ZXCVB (from the movie Hackers)
Valley Forge (from the movie National Treasure)
Z1ON0101 (from the movie Matrix Reloaded)
Peek-A-Boo (from the TV show Babylon 5)
Joshua (from the movie Wargames)
Are you kidding me?
password: 2,000, , ,843
Adobe123: 211,659
*Data captured from the Adobe Hack
We all know what comes next
Let’s Talk Solutions
There’s more than you think
Web Access Management: more than a ‘user convenience’. SSO and WAM must be viewed by us as an essential link in the security chain.
Password Reduction Technologies
Privileged Access Management: often overlooked, privileged user credentials are the hacker’s holy grail.
Multi-Factor: when you finally see the light and know that passwords aren’t enough.
Web Access Management
This isn’t simply Single-Sign-On
Apps are more and more web based
Apps are mobile
The security ‘glue’ is the IdP, the Identity Provider
An identity provider can eliminate the biggest risks of password proliferation
Web Access Management: Why do we care?
Complete control from a single dashboard
Secure access to web applications
Secure access to web services
Audit all authentication attempts (good or bad)
Audit all application access attempts
You can secure an application that doesn’t have security
Privileged Accounts
Privileged Accounts are the accounts that are used to get access to sensitive information:
AD Administrator
Domain Admin
DNS Admin
SQL Database SA
Your Bank User ID and Password
Having access to these credentials is a blessing and a curse
“Please don’t take away my SA access!!!”
“Please take away my SA access!!!”
Privileged Accounts: Why do we care?
User account credentials cannot be compromised
An admin can’t have the credentials beaten out of them!
Multi-Factor AuthN
You are welcome to my Google Credentials:
User ID:
Password: EyeLoveMonkeys2!
Multifactor authentication includes: something you know, something you have, something you are
Passwords are compromised all the time
Latent password fingerprints are left in strange places
Multi-Factor AuthN: Why do we care?
Kim Jong-Un may have your password, but he doesn’t have your phone.
Multi-factor is easy (don’t forget to leverage a risk engine!)
Soft Tokens: Mobile Phone, Windows, Java
Hard Tokens: Yubikey, OATH Compliant device
Text Messaging Generation
A simple Swipe?
To put it simply… nearly all recent breaches would have stopped dead in their tracks with 2FA enabled somewhere.
Face it… you must do something
Are you the ‘Department of No’?
1. Executive/Director sponsorship
2. Focus on the people
3. Be nimble and promote intelligent change
4. Become the ‘Department of Yes’
You can reach me here: