Episode 038: 8‐13‐2024 Immortal passwords versus vulnerable humans - GluuFederation/identerati-office-hours GitHub Wiki

Title: Immortal passwords versus vulnerable humans

LinkedIn Event

Description

"Immortal Passwords" refers to password practices and protocols designed to be highly secure and resistant to a wide range of cyber-attacks, essentially making them 'immortal' in the face of evolving threats. Such passwords typically adhere to stringent security standards, including long character lengths, a mix of symbols, numbers, and letters, and regular updates. Additionally, they are often managed through password management systems or algorithms that can generate and store complex passwords securely.

"Vulnerable Humans", on the other hand, highlights the inherent weaknesses in human behavior and practice when it comes to password security. Despite the availability of strong password guidelines, many individuals still use weak passwords, reuse passwords across multiple sites, or fail to update them regularly. This leaves them susceptible to common threats such as phishing, brute-force attacks, and credential stuffing.

Homework

cerby-3-how-it-works

Takeaways

  • There is a large swath of "disconnected apps" used by enterprises: websites that aren't covered by the corporate SSO. Social media is a good example. A personal LinkedIn account may have access to public-facing corporate content, there is no SSO to LinkedIn, and access to certain individual profiles might be delegated to an admin. How do you govern LinkedIn access?

  • For end users, Cerby's product makes it easier to authenticate; for enterprise IT staff, it makes it easier to demonstrate compliance with security requirements for password rotation or MFA. Stop expecting humans to do work that should be automated; that goes for both end users and the IT staff tasked with documenting access for compliance.

  • You could say Cerby is a password vault that uses federated login (e.g. Entra, Okta) and offers better IGA tooling. But Cerby is also at war with poorly designed MFA: it tries to satisfy a website's authentication requirements automatically so there is no need to bother the end user.

  • Cerby could potentially consume Shared Signals from the OpenID Provider and act on that information, or perhaps expand into fraud detection. It's an interesting space between the enterprise-sanctioned apps and the expansive edge of everything else you need to get your job done.

Livestream Audio Archive

Will be Here