Ricardo Signes: Welcome back to the Digital Citizen podcast. I’m Ricardo Signes the CTO of Fastmail, the email provider of choice for savvy digital citizens everywhere. Here with me is my colleague, Fastmail COO Helen Horstmann-Allen.
Helen Horstmann-Allen: Hi, I’m Helen. This episode is the second half of our first two-part show. Rik will be finishing up his conversation with Troy Hunt about digital security today.
Ricardo Signes: For those of who didn’t listen last week’s episode, Troy’s a Microsoft Regional Director and a most valuable professional for developer security. He also created “Have I Been Pwned” and Why No HTTPS?
Helen Horstmann-Allen: So what will the two of you be talking about this week?
Ricardo Signes: In this week’s episode, we really focus on what Troy refers to as engaging in good cyber hygiene, which means participating in everyday tasks that keep you safer online. This can range from setting a unique, strong password for every new account, to generating a masked email address for every new account you create.
Helen Horstmann-Allen: I’m a huge fan of masked email. Of course, I’m an email nerd so I’ve been using unique email addresses for every account for years. And once you start doing it, it’s amazing to see how it not only lets you protect your privacy, but it puts you back in control of your email. What’s a piece of cyber hygiene that’s important to you?
Ricardo Signes: Well, masked email is probably at the top of my list. But masked email’s just one very specific way of separating your digital identities. I have more than one normal email address, and if I sign up for a web service or some piece of software that I use for taking care of my life, I make a different account for each part of my life. So I have a work to-do list and a home to-do list. It’s good cyber hygiene. It separates my identities and my data, but it also helps me think about the balance between the different parts of my life.
Ricardo Signes: So trying to talk about some of that, and about the importance of building secure products and making choices that benefit the end users when you do so. So you should stick around at the end of the episode. I’ll give you some takeaways, which are just things you can actually do to be a better digital citizen. You can also find them on our website at fastmail.com/digitalcitizen.
Ricardo Signes: Also, if you want to get involved with this season of the show, check out the survey listed in our show notes and send us a question. We’ll be randomly choosing some to answer in our end of season bonus episode.
Ricardo Signes: Troy, I’m curious, did you start out interested in having a career in security or did you kind of get sucked in?
Troy Hunt: I started out as a software developer. I guess I began doing that professionally in the ‘97 era, which I’m pretty sure dates myself, but that was the time. And it really wasn’t until probably about 12 years later when I was working for Pfizer, I was running their application architecture for Asia-Pacific, and I’d spent a lot of my time just fixing, not even necessarily fixing but just going through and finding egregiously bad code. Now, whether that was performance or business features, or the other one that was coming up a lot, was security. And I was just sending the same messages back over and over and over again. And we’re sort of talking, I guess, 2007, 8, 9 ish era now. I eventually went, I’m just going to start writing this stuff in a blog post targeted at developers, and then I’ll just send them there when they do something stupid. And that was really where it began without any expectation of it actually going anywhere, and next minute here we are.
Ricardo Signes: Certainly gone somewhere. I think you’ve given us a lot of great blog posts and a lot of good products to go with it. I think of myself as a generalist. I try to keep an eye on everything and when I meet someone who knows a lot about one thing, I start to ask myself “how much of what this person knows should I know?” I know it’s not going to be everything. What do you think are the fundamentals of security thinking that everybody who’s using the internet should have a grasp on?
Troy Hunt: I am increasingly of the view that it’s less about the technology and more about the people and the usability and the way of thinking, and I’ll give you a really simple example that will just resonate with everyone: and it’s arbitrary password complexity criteria. You know how you go to sign up on a website and you put your password in, the same terrible one you use everywhere, hypothetically, and then the website’s like, “This password is terrible. You must have an uppercase character,” and… I’ll capitalize the first letter. Yeah, that’ll fix it. So everyone does that.
Troy Hunt: And then the funny thing is when I talk about it in front of an audience and I’d sort of say to people, “Look, if you’re trying to use that same lowercase password you use everywhere and the website demands an uppercase, what do you do?” And the nervous expressions around the audience, because everybody knows what they do, but nobody wants to say. And eventually that one person puts their hand up, “Capitalize the first letter.” Everyone kind of laughs nervously. And I kind of make a joke about it and go, “Isn’t it funny that this is such a predictable pattern that everybody does it, yet somehow we think it actually makes a difference.”
Troy Hunt: So I really like the idea of trying to pick apart things like that and look at how effective they actually are for people. I think that just having a practical mindset around A) definitely understanding the technical controls, but B) understanding how humans interact with them is just enormously important.
Ricardo Signes: I’m a person who uses the internet, so of course I have encountered this problem and I hate it intensely where I’ve got to enter a different password or rather the same password, with 15 variations to get it right. Obviously everyone isn’t following the same guidance in how to tell users to make passwords. Is there even much agreement about what the design choices are to lead people to coherent choices?
Troy Hunt: Well, there’s not, and I don’t think there should be. And the simple reason for it, is that the profile of different services is fundamentally different, and I’ll give you a really good example. I wrote a blog post a few years ago, and it was just analyzing the minimum required password length of the world’s largest websites. And consistently it’s six characters, eight characters, but then Netflix was four characters. And what I sort of talk about when I discussed things like minimum password length with people is I’ll say, “Why do you think Netflix would be four characters?” Because your brain is telling you, this is terrible, but Netflix is full of really, really smart people, right? So this wouldn’t have happened by accident. There would’ve been a reason. People sort of think about it and then usually they come to the conclusion that this is probably due to the nature of the input device that people are using.
Troy Hunt: So if you are using a remote control, which many people still use in order to be able to authenticate to services on a Smart TV, if you’re using a remote control, that is a woeful user experience, isn’t it? I can imagine Netflix saying it makes sense to make it easier for people to be able to log in by having shorter passwords, because we want to have customers. That’s where the money comes from. We need customers. So you got to think about what is the right balance.
Troy Hunt: Now account takeover attacks aren’t good. They cost an organization money. So you definitely don’t want that. But where is the compromise so that we can actually make sure that people get on and use the service without having all their accounts taken over the whole time?
Ricardo Signes: Right. So there’s not going to be one good choice for everybody, but probably it’s the case that the situation we’re in now is also no good, right, where it’s driving us to bad choices, or at least to obnoxious patterns of behavior. When I talked to Michael Faye at 1Password on last season of the show, I said, if you could change anything about what people do for security, what would you change? And he said, “I’d just get rid of passwords.” Do you think that’s a direction we want to go in?
Troy Hunt: I think the discussion that we always need to have, and I feel gets lost in statements like that, is then what? So, I’ll give you a couple of examples of what people often say are alternatives of getting rid of passwords. They’ll say, “All right. You should use passwordless authentication, which involves sending an email.”
Troy Hunt: Now there was a period there where UserVoice went through this process and I was scathing of them publicly about how terrible this was. And what had happened is you’d go and you’d sign in and then you’d wait. You’d wait for the email. Now, I’m in Australia. That’s a long way for emails to go. So sometimes you have to wait a little while and you’re just waiting to log in. Sometimes an email in a passwordless model like that might go to junk. Sometimes the delivery may be delayed too long. Did you get the right email address? And then it comes in your inbox. And then you click on the link and it might pop open in another client, not the one that you’re expecting. I don’t think because of me, I think just because of common sense, UserVoice then got rid of that and just rolled the whole thing back and it’s now usernames and passwords.
Troy Hunt: And what I think people sort of miss with passwords for all the criticism it cops is that passwords have something going for it that no other authentication message have ever been able to do yet, and it’s simply that everybody understands how to use it. I can go to my parents and go, “Hey, how about you use U2F to do your 2FA because it’s a cryptographically secure device that can’t be phished and technically it’s beautiful?” And my mom and dad would go like, “You lost me at U. I know how to use a password.” Now, it’s not to say it won’t change over time because I’m sure it will. People like my kids who are now growing up as digital natives with these concepts ingrained into their psyche and smart devices with them the whole time, they will be more receptive of alternate authentication mechanisms, but it’s not going to happen overnight.
Ricardo Signes: If we think the password is sticking around, is the password manager going to loom larger in everybody’s life? Right now, I spend real amounts of my time trying to convince friends and family that they should use a password manager because they shouldn’t use a single password everywhere. Is that going to become something everyone needs to think about?
Troy Hunt: I would like it to be something everybody thinks about, not just because it is quote unquote, a password manager, but because it becomes a tool for managing secrets in your digital life. I’ll give you some examples of this. I mean, let’s imagine we could do, I was just U2Fing my way into everything and I didn’t need passwords anymore. Yeah. I still have things like credit card information, which I wanted to store securely. I like being able to use one password to auto fill my home address into a website. I like being able to share secrets with my family through shared vaults. There’s still loads and loads of use cases there before we even get to the single thing that most people think password managers do, which of course is actually managing your passwords. And all at once we go down that route, it’s like, yes. And we are going to have these things certainly for the foreseeable future.
Troy Hunt: And one of the joys, I guess, for password managers is it’s one of those rare instances where something that improves your security actually also improves your usability. And I love showing people like, look, this is how easy it is now when I log onto a website. That’s a beautiful thing.
Ricardo Signes: If someone is not building the software that they run, are there things they can do beyond using a secret manager, using a password manager to get a better model for their own security and how to think about the problem of security, even though they can’t fix the user interactions that are being handed to them?
Troy Hunt: It’s a really good question and I think in many ways, this sort of divides the demographics that we’re speaking to into two different parts. There are those who are building systems and there are those who are using systems. What I think is important and the reason I’m reiterating these two parties is I do feel that all of this is a shared responsibility where those of us who are building systems need to sort of lead people down the path of success for want for a better term, with their security things. And us as individuals need to take some responsibility, too. Everyone gets to make decisions themselves about their own, I’m air quoting this for people listening, cyber hygiene. We get to choose. What sort of password do we use? Who do we give it to? Do we turn on 2FA? What information do we provide to a service? We get to make a choice.
Troy Hunt: And that is something which will compound your risk, in addition to things like insufficient account takeover controls on behalf of the service. So I just want to sort of really, really make that point where everybody has got a role to play. And everybody, in some cases such as account taker attack does have some blame to wear too. Now, what else can we do? Well, it’s really all the fundamental stuff we keep hearing day in and day out, use a strong and unique password.
Troy Hunt: And of course, password managers are great for that. Turn on two factor authentication. It’s not fun. It gets in the way, that’s the whole point. But then, yeah, so to sort of go to the point of shared responsibility, I have 2FA on pretty much all my things. It is seamless on something like Facebook. I can’t remember the last time I actually had to put in my second factor on Facebook. That’s an absolute, no brainer in terms of friction. But the accounting software I use, it feels like every other day I log in and I say, “Okay, now get your token.” This is now friction. So that’s again, sort of an example of where there’s a lot that we can do as individuals, but the service needs to try and find that sweet spot of actually making it usable as well.
Ricardo Signes: When we talk about these two camps, the users and the developers who, as you say, are also users, we’ve got the sets of responsibilities, like as someone using a system, you need to be situationally aware. And those of us who are building the systems need to reduce those risks. Some of those we’ve talked about in the sense of the user experience and the way the system guides you to make certain choices. What are the other places that those of us who build systems are getting things wrong on behalf of the user?
Troy Hunt: Extended validation certificates. So certificates that have identity verification built into them. And when I say people they’re pushing developers, system integrated security pros, people who have decision making control over the designer or website and they’re saying, “Yeah, go and do this, go and put this on the page because then when your users come to your website and they see either your extended validation certificate, or they see your site seal on the page, they will trust you,” as opposed to not trusting you if it’s not there. And I feel that this is a great disservice because anyone who actually sits there and looks at it critically for a moment realizes that none of this makes any sense whatsoever. And I think it’s just this set of assumptions that in a case like this are commercially driven imperatives as well, which sort of detract us from the actual useful stuff that we can do as developers and security professionals.
Ricardo Signes: On this very specific topic, I feel like this is one of many examples where what we’ve seen introduced is an indicator intended for users that you can trust this. Can we hold out hope that at some point we’re going to have a real, this can really be trusted marker?
Troy Hunt: Well, we do have ways of doing this. If you think about the mobile device ecosystem with app stores, I know as an iPhone user, that if I go to the Apple app store and I see, let’s say I see the Netflix app and I download it, I can have a super, super, super high degree of confidence that this is a Netflix app, because it has to be independently assessed by Apple before it actually goes up there in the store. Now compare that to, I get an email or an SMS. I’m getting a lot of these lately saying, “Hey, go to this website that looks like Netflix,” my confidence level there is very, very low.
Troy Hunt: Part of the challenge as well is that as I sort of alluded to before that there are these financial imperatives from particularly the likes of commercial certificate authorities, as well as all sorts of other InfoSec companies to try and convince organizations that something will actually provide value. So one of the points the CA’s making is, they say one key indicator of a fake site is a misspelled URL. Fraudsters may change up a URL name slightly like using amaz0n.com and it’s got a zero instead of an O or they may change the domain extension like amazon.org instead of amazon.com. And they’re saying people should look for that.
Troy Hunt: This is ridiculous for multiple levels. I’ve been getting a lot of fishing SMSs lately, which have been along the lines of, “Hey, you’re expecting a package delivery. Click here for more details.” And clearly what they’re trying to do here is create this sense of curiosity. When will your package arrive? And then they have a URL here and the URL is this one in particular is exterminator.code.nz. Now, can I trust that site? How the hell do I know if I can trust that site? Okay, it’s from New Zealand. Maybe I’ve got feelings about New Zealand. I don’t know.
Troy Hunt: You go to this website and the website itself is perfectly legit. And it is literally pest control website, but that URL links through to a page, which then bounces you off to a phishing site somewhere. So how do I as an individual, how can I possibly make a decision based on this? So I’m sympathetic. And I do feel that some of this sort of traditional advice just simply doesn’t hold water anymore. And we’ve really got to look at how do we have better controls of a technical nature as well.
Troy Hunt: Now, a good example is if I do click on that full link, I get a great big red phishing page warning from Chrome. Now you can’t miss that. That’s great. That’s really there in your face. So even if I haven’t sort of passed the test of being able to read the URL and somehow magically decided whether it’s trustworthy or not, the technology is saving me.
Ricardo Signes: Let’s talk a little more about people’s technical choices. We’ve been talking a lot about people’s technical choices, mainly what data they give users and how they guide them along the path. One of the other things I’ve seen that you’ve done in the past to help people make good technical choices is the hack yourself first workshops. They look really interesting and I wonder, could you give us like a little summary of what they are?
Troy Hunt: Yeah, they’re super cool and I’ve done it more than a hundred times now which, yeah, it feels like it’s been rather exhaustive. So I started doing this workshop in 2015 when I got my joyful, joyful life of independence. And I used to travel around the world a lot and run these particularly in Europe and the US and many, many dozens and dozens of times in person, either for private organizations. We had to be at a bank somewhere or a big company and see, “Hey, can you come in and spend two days talking to developers,” and this is really what it’s orientated at. It’s targeted. I do have a lot of security people in there as well, but primarily developers. And let’s help you break your own things first, hack yourself first so that you can see what attackers do so that you can then get endorsed in how important it is not to have, for example, have SQL injection.
Troy Hunt: So I’d do this all the way around the world and I actually started well before COVID doing them remotely as well, because Australia is on the other side of the world to everything and travel was hard. So by the time COVID came, it’s like, okay, we just flicked the switch. And it’s just all remote now. And we go through, I think it’s about 16 different modules in total two day course. Yeah. SQL injection and cross site scripting, password hashing and cracking.
Troy Hunt: And what’s cool about it is developers get to, let’s say with the password hashing. They get to crack hashes. They get to, yeah. Literally try and reverse a hash back to the plain text equivalent to the password. And by doing that, they look at it and they go, “Oh, yeah, I can see why MD5 is a terrible way of storing your hashes,” or even salted SHA-1 is terrible. Now let’s go and talk about work factor and adaptive hashing algorithms and Bcrypt and things like this.
Troy Hunt: And what’s fun about it is that I could sit there and teach the content and it would just be content. But because of what I do with “Have I Been Pwned” there’s all of these wonderful examples of here’s what happens if you get this wrong. Funny thing is I’ve done multiple workshops where people are like, “We got you in because we don’t want to end up on ‘Have I Been Pwned’.”
Ricardo Signes: It sounds like a lot of fun, by the way. When people get to the end of it, I’m sure they’ve learned a lot and I hope they’ve had fun. Do you think you’re getting them to have a change in how they think about it or is it, are you getting people to have the tools for solving problems they already knew were there that they just didn’t know how to fix?
Troy Hunt: I think it’s a combination of learning a lot of mechanical things so, learning how SQL injection works. And I believe that there’s a big difference between actually learning what is happening when queries are concatenated and then passed off unchecked off to the database server and they just run, actually seeing that, that gives endorsement in, let’s say parameterizing your statements like nothing else. In fact, this is one of the first exercises is literally is looking into registration form and going, what’s wrong with this? And a pretty default position is the minimum password length is too short. It should be a minimum of 12.
Troy Hunt: And then because I think I’ve just heard every single possible answer for every single part of the workshop before, I’m like, “Okay, so you don’t like customers, do you?” “Who’s paying your bill again, mate?” And then we’ll have that discussion we just had about, okay, well, we actually need to be conscious about the context where it’s like, we’ll talk about something and I go, “Oh, there’s a blog post for that.” And that probably happens many dozens of times over the course of the workshop. And I think what’s cool about it is that, I just put all that stuff out there publicly for people and then somehow it turned into something useful and valuable in terms of running a workshop.
Ricardo Signes: Right. Well, Troy’s blog is linked below in our show notes so if you’d like to check out all the great information there, please do. Hope you enjoyed the interview.
Helen Horstmann-Allen: What do you think the key takeaways of your conversation with Troy were, Rik?
Ricardo Signes: There’s lots of terrible ways to meet whatever password rules are in front of you on any given site, like pick whatever password you usually use and then stick on all the funny characters until all the lights go green. That works, but you’re a lot better off using a unique password in every site and every account, which is a lot easier if you use a password manager like 1Password. And password managers, aren’t just for passwords. They’re also a great way to store and share secrets securely like your credit card information and other sensitive information that you need to have on file.
Ricardo Signes: Cyber hygiene is important and we should think about what kind of passwords we’re using, whether we’ve turned on two-factor authentication, whether we know how to recover our accounts in case of disaster. And, and this one’s really easy to overlook, what information we’re just handing over to people when we sign up that they don’t need and have no business collecting from us and we give it to them for no reason.
Ricardo Signes: Finally, if you’re someone who builds technology, Hack Yourself First workshops are a great way to discover potential vulnerabilities and learn more about how hackers operate.
Helen Horstmann-Allen: We hope you’ll find these to be useful steps you can take towards better digital citizenship. We’ll be back in two weeks with a new guest so subscribe if you’d like to listen to our next show.
Ricardo Signes: Thanks for listening to Digital Citizen. Digital Citizen is produced by Fastmail, the email provider of choice for savvy digital citizens everywhere. Our show is produced by Haley Hnatuk. Special thanks to the incredible team of people behind Fastmail. Digital Citizen is hosted by me, Fastmail CTO, Ricardo Signes. You can subscribe to our show on your favorite podcast player. For a free one month trial of Fastmail, you can go to fastmail.com/podcast and for more episodes, transcripts, and my takeaways, you can go to digitalcitizenshow.com.