Tech Insights with Alisha Christian
In today's rapidly evolving tech landscape, staying informed is more important than ever. "Tech Insights" by Mercury IT is your go-to podcast for expert analysis, industry trends, and actionable insights from top technology professionals.
Whether you're interested in cybersecurity, IT infrastructure, emerging technologies, or digital transformation, this podcast covers it all. Tune in to stay ahead of the curve and navigate the complexities of the tech world with confidence.
Passwords, MFA, and Passkeys: What Your Business Actually Needs to Know
Most of us have been managing passwords for decades, and most of us are still getting it wrong. In this episode, Alisha Christian sits down with Mercury IT's cybersecurity expert Chris to cut through the noise on one of the most overlooked areas of business security.
They cover why password length now matters more than complexity, why your browser is the worst place to store credentials, and how to choose a password manager that actually works for your team.
Chris also explains how MFA can be bypassed, including the real attack methods that have caught businesses off guard, and what phishing-resistant MFA like passkeys and hardware security keys looks like in practice.
Whether you're a sole trader or managing a team of fifty, this episode is worth your time.
Why Passwords Still Matter
Alisha Christian: Hi, Chris. Great to have you back again.
Chris: Thank you.
Alisha Christian: I don't think you really need too much of an introduction, since we are here quite regularly together.
Chris: We've done a few of these, yes.
Alisha Christian: We have done a few. So today we're going to be talking about passwords. Okay. Now, before everyone goes, oh, I know all about passwords, it is something that we kind of need to touch base on quite regularly because, you know, things are changing with AI and all that sort of thing.
Chris: No, agreed, agreed. Like when you said, okay, we've got the next podcast coming up, what are we talking about? And we had a couple of topics there, and passwords were on there again. And you kind of think, really? Passwords? But the interesting thing is, whenever I bring up passwords, normally at the live events when I have people there, I will say certain things and I can visibly see on people's faces that they need to go and change something. You can see the look of fear. Yeah. So even though I go, okay, we've been talking about passwords for the last good eight to ten years, constantly, often the same sort of thing, I don't know if it's just that there are too many things or you don't get around to it. It's one of those kind of, oh yeah, I'll sort that out at some other time. And then all of a sudden you get that email from whichever provider that goes, we're sorry, we got hacked, your passwords are out in the open, or whatever the story is. So you get caught up in some sort of breach. And there are ways to minimize that. So that's what we're going to talk about. We just want to go through what those things are exactly.
Alisha Christian: Yes, exactly. So that everyone can stay as safe as possible. So just touching on that, getting an email from your provider about being involved in a data breach. How often would you say that's happening these days? Are you seeing it more?
Chris: Not necessarily more. I think it's been a lot anyway. And then you get the big ones that kind of take over the media. So, you know, the Optus, Medibank, etc. Those obviously take up the limelight. But generally there are lots all the time. There are just smaller ones, ones that may not necessarily be reported on either. So yeah, it is happening all the time. So we still need to be managing our passwords effectively.
Alisha Christian: Yeah, because I mean that is a scary email to get. It's not ideal.
Chris: No, it's not ideal. I think, you know, a lot of the time the advice is the same. It's about changing the passwords, it's making sure that you're not using the same passwords on other services that you have. So don't reuse your passwords, in other words. And then being vigilant. But the interesting thing is, we always say you need to be vigilant all the time. So getting emails that are asking for information or asking you to log in somewhere, you should always be vigilant around those sorts of things. But that's the general gist of it.
Alisha Christian: So has it sort of changed, do you think, over the last few years with passwords and that sort of thing, like having to tighten them up? And I know you're always saying don't reuse it, make sure it's extra, extra long.
Chris: Yeah.
Length Beats Complexity In Practice
Chris: It has changed a little bit, and that's because, you know, computers obviously get faster and faster every year. So you'd need longer passwords to keep the same sort of security. So that is a thing. But the other thing is they've tightened up what those controls look like. So some of the advice has changed a little bit, especially on corporate accounts. So the idea is, with the use of MFA these days, one of the things that did change, for instance, is the recommendation from NIST, Microsoft, all the big vendors, was you don't need to change passwords regularly. So that is very different for people. Normally they're told, oh, change your passwords every quarter, or twice a year, or once a year, or whatever it is. And there's normally a number people would stick with. And unfortunately for some people, they'll work in organizations where they're changing passwords every month.
Alisha Christian: Oh, I remember we were doing that.
Chris: Now, if you recall, the problem with doing that is people immediately look for a shortcut. So I've got to remember my password, which is relatively long, and then don't forget it's uppercase, lowercase, numbers and symbols, right? And it's got to be at least 12 characters. So it's complicated. So when you're changing it every month, people are just going to whack on a one, two, three as the month changes, right? And hackers obviously know that. So it's way easier to crack a password if you know that there's some sort of pattern in the password. So people are literally tagging on, you know, February, or Feb, Jan, etc. And that doesn't help at all. So that is the advice change: okay, don't force your people to keep changing, because they will literally put it on sticky notes because it gets too complicated, right? That's right. So to avoid that, the current advice is basically the longer the password is, the better. The complexity requirements are not that important.
SPEAKER_00: Okay.
Chris: So the uppercase, lowercase, numbers and symbols are not as important as the length. So for instance, if I take uppercase, lowercase, numbers, and a symbol in an eight-character password, right, that's going to be broken almost instantly. If I do a 16-character password that's just all lowercase letters, that's fine. That will last way longer than your eight-character complex password.
Alisha Christian: That's surprising.
Chris: Yeah, look, don't get me wrong, if you use a phrase that's common, that's looked up in a dictionary, it would also be cracked instantly. It's got to be something relatively random. So if you go, like, I don't know, three grey elephants, it's long. Yeah. But that might be cracked pretty quickly. It's standard words being put together.
Alisha Christian: So it's best to have gibberish then.
Chris: You get creative, but something that you can remember.
Alisha Christian: Yes, okay.
Chris: So it's still something that you can remember. Like the password I've used for quite a while now is, because you know.
SPEAKER_00: Don't tell us what it is.
Chris: Definitely won't. But I do use complexity in it, because I can remember where it is. So I'll give you an example. I've come up with a phrase that's pretty out there, right? It's a pretty random phrase, and I've got a number in the front that depicts whatever I'm talking about first. So for instance, 34 elephants as an example, but then I go, like, you know, wandering through the woods, blah, blah, blah. It's long. But then I don't use the whole words, I just use the first letter of all the words. And where I've got the word "the" in the sentence, I'll use an uppercase T. So all of a sudden I've got a 23-character password, which I can rattle off really quickly because I know what the phrase is. Yes. Right? It's super complex and it's long.
Alisha Christian: So you'd be using something like this for, say, your LastPass password.
Chris: Generally, yeah. So something like a master password that's securing your password database. So your password manager is definitely the way to go. Again, teamed up with multi-factor authentication. So you're not relying on just that password, especially for your password manager.
Alisha Christian: Yeah, okay.
Chris: Which kind of leads us on to password managers.
Password Managers Versus Browser Storage
Alisha Christian: Yes, exactly. Well, I was actually going to say, because obviously I hear you talk about password managers all the time. We've talked about it multiple times on the podcast. So when I try and explain it to, say, my mum, yeah, husband, they're sort of like, well, how does that actually work? How does that keep it secure? Like, what happens if that gets hacked?
Chris: And I suppose the key thing there is I say ask Chris. Yeah, it can get hacked. So, you know, LastPass has had a problem before. And so they do have problems as well, definitely. But the key thing here is the average person has more than a hundred passwords. And at first you go, no, I don't. And it's like, it's your gym login and it's this and it's that. There are so many things that you don't think about. You know, you signed up for Lite n' Easy, there's a password there. There are just so many. If you actually start adding them up, it's ridiculous. And then you have a security expert like me that goes, don't reuse your passwords. And they go, how am I remembering a hundred passwords?
Alisha Christian: Yes.
Chris: You just can't, right? As soon as you go above, like, 10, you're going to start to struggle. So use a password manager. The very next question I'll get from that, though, is okay, but all my passwords are stored in the browser. It's doing the password management, and that's where I go, don't do that.
SPEAKER_00: And they're like, okay. That's exactly the questions I've been getting.
Chris: The problem with the browser is the browser's not secure. There have been so many bits of malware that have come out that will specifically grab a copy of the passwords from the browser. And we're talking about what's called a drive-by hack as well. So you don't even need to click on anything; you would go onto a website, it would run some ad that's got malware embedded in it, unbeknownst to the actual provider of the website. This happened to the Financial Times as an example. So it happens everywhere. Okay, so because they sell advertising, and they might not necessarily check that the ad that they've provided on their website is clean, malware's been embedded in the ad. People browse to the website and it just grabs all the passwords. They don't even know it's been grabbed, nothing popped up on the screen. So that's why I tell people don't use your browser. So Chrome, I don't care what you're using, don't store your passwords in there. So next, when you do get a password manager, make sure you delete your passwords out of your browser and then switch it off. So when it says, oh, do you want me to store the passwords for you? You go, no. Okay, don't store the passwords. I will store them in my password manager. And then you get an extension that goes into the browser that's secured to the password manager. So it's still there, it's still easy to use. It's still going to fill in the passwords for you. So that's definitely what you want to do.
Alisha Christian: That's actually really good to know, because that is definitely, when I mention having a password manager to, like, friends and family, that is, well, but I've already installed them and that's secure because it's in my keychain or whatever it's called.
Chris: Well, the keychain's an interesting one. So if you are on an Apple device and you're using the keychain password manager, that is a secure password manager, right? It probably doesn't have all the features that a password manager would, because a password manager is design specific. So I would still say look at using a password manager. If you absolutely don't want to, and you are on an Apple, the keychain is way better than storing it in your browser.
SPEAKER_01: Okay.
Chris: Definitely. So that is a thing. But the top-level advice is use a password manager. So Google Password Manager, there's LastPass, 1Password, Dashlane. There are so many out there that you could use.
Alisha Christian: Are there any that you don't recommend?
Chris: Any that are not, specifically? I'd probably pick one that is well known. So, like, I'd rattle off a few. If you do a Google search, they're going to pop up at the top, generally.
SPEAKER_01: Yeah.
Chris: Speak to friends and family about who's using them, you know. So personally, I've used LastPass and I've used 1Password. I'm kind of happy with either, fine. But there are others out there that are just as good, you know, whether it's Dashlane or whatever. Keeper is quite popular as well. So there are a couple that you could use. Is it an effort initially? Yes.
Alisha Christian: Oh yes. I can definitely vouch for that.
Chris: And that's where you have to just kind of set out, well, do it in chunks. Don't try and tackle it all in one go. So install the password manager, set up a decent master password, enable the MFA, the multi-factor authentication. So it's sending a code to your phone or something along those lines, and we'll speak more about that later. And then open up the browser. Now, for a lot of them, you can actually import your passwords directly from your browser, because they know you're using your browser. So there's an import; it goes, do you want to import the passwords from Firefox, Chrome, Edge? You go, yep. Some you have to take a few more steps. It will walk you through step by step. Go into here, click here, export, it exports the passwords, and then on your password manager, you click File, Import, import the passwords, and it will all come through.
Alisha Christian: Oh, I should have asked you about this ages ago.
Chris: But as soon as it imports into that, then go into the browser and delete them. Okay. Because otherwise you're going to have them in two places. They get taken from the one side, you think they're secure in your manager and they're not. They've already been taken off the browser. So definitely password manager. Once you get a password manager and you start, you'll never look back. I love it now. Yeah.
Alisha Christian: And I love it when it, you know, suggests the big long password, and I go, no problem.
Chris: Because you don't know any of them. That's what I say to people. It's like, I only know my master password. I do not know any of my passwords. Most of them are 90-plus characters long, depending on the website. If you just go in there and it goes, how long do you want the password, and you just drag the slider all the way over? It's like 99.
Alisha Christian: I think I've normally set it at about 16 or 20.
Chris: Yeah. At the end of the day, it doesn't really matter as long as it's long enough. But the thing is, if you don't have to remember it and you're not typing it in, oh yeah, exactly, and then it syncs to your phone. So, you know, whether you're logging onto your banking on your phone, it's putting the password in automatically for you. The other good thing about that is you're not typing the password. So even if you had a piece of malware called a keylogger installed on your machine unbeknownst to you, a keylogger can't grab it because you're not typing it in. It's been filled in automatically by the password manager. So a keylogger can't grab it either. That's a bit of an added bonus. There are a lot of benefits of using it. So definitely the high-level advice is decent passwords, long enough is important versus complexity. Decent master password, pair that up with multi-factor authentication, and use a password manager. Your password manager can also manage your MFA pieces as well. So providing codes and stuff to log in. Normally you'd use an authenticator: Google Authenticator, or Cisco Duo, or the Microsoft Authenticator. There are lots of different authenticators that you can use. Your password managers can normally manage those bits for you as well.
MFA Basics And What Changes
Chris: Some can.
Alisha Christian: So, what is the difference with all the MFA? Like, we're told to put MFA on, but there are so many different, you know, I'll sometimes get something pop up and say, oh, you need to MFA, and it'll be like, oh God, what happened? My authenticator, Google. It's like, ah. Or, like, I uninstalled it because I don't have enough storage, so I'm trying to reinstall it. I often hear MFA, 2FA. Are they the same thing? Not the same thing.
Chris: Yeah, technically different, but the same, essentially. It's kind of a broader term, narrower term type thing. So 2FA is just two-factor authentication. So the idea is you've got one factor, your password, and then another factor, whether it's facial recognition, thumbprint, PIN, or code to your phone, something else, a different factor. Multi-factor, same sort of thing. It could still be two, but it might be more as well. So generally they refer to it as MFA in most cases, but 2FA, you'd see it as the same thing. So it's just switching on 2FA or MFA. So multi-factor authentication is what you want.
Alisha Christian: Because there are lots of different ways that you can kind of receive that, and it probably depends on what provider or platform you're using.
Chris: Yeah, agreed. So what you're talking about is the different MFA or 2FA types that you can get. So, like I said, thumbprint or PIN or facial recognition or code to your phone, et cetera. So this is quite important, and from a business perspective, we are seeing many more breaches taking place. We've literally dealt with two breaches in the last two weeks. So it happens all the time. And what was significant about this, though, is they breached the MFA. In other words, the clients had MFA turned on on the account and it was still breached. Now a lot of people go, oh wait, hold on a second, you told me if I put on MFA, I'm safe. Safer. Safer, yes, nothing's 100%.
Alisha Christian: Yes.
Chris: But what we need businesses to start doing now, and start looking at and migrating to, is what's called phish-resistant MFA.
How Attackers Get Past MFA
Chris: So let me explain how they break into an MFA situation, because you think MFA's got to be safe, right? I'll run through the scenario. Username and password, hit enter on your Microsoft account, you're logging in, and it pops up on your phone going, is this you logging on? And sometimes it says enter the numbers, like, let's say, 12, and you'd enter 12 and it would log you on, right? So that is an MFA situation. It's being pushed to the phone, there's a code, you go, yes, this is me, I'm logging in. So generally you'd use push authentication; it's seen as relatively safe. You go, yes, this is me. Now there are a couple of ways around that. One is called MFA fatigue. So, say you're at work, you've logged in, and you've gone, yes, this is me, and you're busy working in a Word document or PowerPoint, you know, you're trying to get my next event ready for me. Thank you. And you're busy working away, and your phone pops up and goes, is this you trying to log into Microsoft? So you're busy working. So you go, no, that's a bit odd. And you carry on working and it pops up again on your phone. And you're like, no. And it just keeps going ding, ding, ding. And eventually you go, like, what is up with this? I'm logged in, I'm working, I'm logged in already. And you hit yes, and now you've logged someone else on. And that happens to large organizations as well. It actually happened to Cisco a few years ago, where someone, a remote worker using a VPN into their systems, MFA fatigue, it just kept dinging her phone, and she went, yes, and it logged someone in. They got onto it pretty quickly to sort it out, but that's what could happen. So that's MFA fatigue. That's the first one. The other one's called an adversary-in-the-middle attack. Some people know it as a man-in-the-middle attack. So the idea is the criminal gang is essentially sitting in between you and what you're trying to authenticate to.
SPEAKER_00: Okay.
Chris: So what they'll do is, it could start with the standard phishing email. So they send you an email that says, you know, Martin is sharing a document with you on SharePoint. Click here to get the document. Now, Martin shares documents with you on SharePoint. So you go, okay, click, right? And it takes you to a Microsoft login page. But the idea here is that's not Microsoft's page, that's their page in between. So you're logging onto their page, right?
SPEAKER_01: Yes.
Chris: Now it looks exactly the same, there's no difference. So you put your username and password in, and what happens is they then proxy that to the real Microsoft site. So the real Microsoft site goes, oh, Alisha's trying to log in, sends the MFA code to you. Right? Now you're trying to log in, so you go, yes, this is me, right? And they proxy that again to the real site. The real site passes back basically an authentication token that your browser then stores for your session. So it doesn't keep asking you for your username and password, so that you can work in Word or whatever you're using without being reprompted for the password all the time.
SPEAKER_01: Yes.
Chris: So it's kind of like a key, a token. So when that token comes back, the criminal gang grabs a copy of the token and passes it on to you. And you log in and you are none the wiser. You get your document, it all looks normal to you. And you've logged in. But now they have the token. So from their perspective, they don't need your username and password or your MFA. All they do is install the token into their browser and then connect directly to Outlook, and they've got your mail. It doesn't prompt them at all, because the token authenticates you.
Alisha Christian: Yes, okay, right.
Chris: So there are ways of then tying that token to your device and things like that, but we're kind of not there across all of it. So generally what happens is you have this token theft that happens with an adversary-in-the-middle type attack. And this is what happened to literally two clients last week. And we're seeing more and more of this take place. So what you want is the phish-resistant MFA methods.
Passkeys And Security Keys Explained
Chris: And the way to do that is, you see that there was that piece in the middle, the adversary in the middle. Now what happens is your client is not authenticating that that is Microsoft's page.
Alisha Christian: Okay. Right?
Chris: So there is a way to actually authenticate, so do dual authentication. So it's not just you authenticating yourself to Microsoft. Microsoft's authenticating itself to your machine. Okay. And that's where you start to get to the passwordless login or passkeys. So what I tell people is, yeah, you've got MFA, that's your next step, etc. But what you do need to do is start to move over to passkeys. So Google supports it, Microsoft, there's a bunch of places, Facebook, whatever. Go and enable passkeys, sometimes known as passwordless authentication as well. But passkeys is basically storing a certificate on your machine. You're getting a dual authentication happening. So your machine knows it's logging onto the right site, because if there's someone in the middle, it breaks that authentication step immediately. So you're getting a better authentication method. For businesses, you've got, like, two major options that you'd be looking at. You'd be looking at using passkeys through something like Windows Hello for Business, right? So that is a facial recognition, thumbprint, PIN, and it will log you in without your password. So that's where they go, it's passwordless. So that's logging onto the system.
Alisha Christian: Okay, that makes sense.
Chris: And the other one is using a hardware key.
Alisha Christian: I've heard you talk about that before.
Chris: Yeah, so we carry keys around. I've got one in my pocket. So a YubiKey is a common one. There are others, but it's a hardware security key. So the idea is you're logging in, it will ask you for your key, you plug it into a USB port, and quite often you have to touch it to authenticate. So the idea is that touching is making sure that there's a human sitting at the terminal. So if you've just got your machine open and you've got the key plugged in and someone manages to hack in and remote control your machine to log in, they can't log in, because they need someone to touch the key.
Alisha Christian: I didn't know that part about it. So that's the same thing.
Chris: So there are a lot of systems. So for businesses out there, I would definitely have a chat with my IT provider, security provider, whoever, and say, hey, I've heard about the phish-resistant MFA methods, or passwordless login, or security keys. What does that look like for me? And just have a look at what that looks like.
Alisha Christian: It's so much for businesses and people in general to think about, isn't it? I mean, I feel like we're just starting to get the message out there about, you know, having a password manager, not repeating the same password, and now it's kind of onto the next level. And I guess with AI and all that sort of thing, phishing is getting more and more elaborate. It's just so important to stay ahead of the game.
Chris: It's always just step by step, right? If I'm speaking to someone new and they don't have a password manager, my first thing is going to be get a password manager. Let's start there. Yeah, then once they've got a password manager and they're getting used to that, then I'd be like, okay, hey, you've heard of these passkeys, and they go, oh yeah, I've seen, because most people have. They go, oh yeah, I've seen a thing about passkeys. Use them. Start implementing passkeys everywhere. And again, your password manager can manage passkeys for you as well. Okay. And it's quite good. Like, if you've set it up on your machine and then you want to log in on your phone, there are ways that they can QR code the passkeys and that. So you can log on to your phone. Yeah, so there are ways that they can share the passkey between your devices and that, so they can make it work.
Alisha Christian: Okay.
Chris: So it's pretty frictionless, I would say. And also getting to a passwordless system sounds really nice.
Alisha Christian: Yeah.
Chris: So that's kind of where we have it. It does sound very nice. It is where we have it.
What Criminals Do With Breach Data
Alisha Christian: Yeah. Now, if someone was to be involved in a data breach, what, you know, I know you said change the password and that sort of thing. What are criminals actually looking for when a data breach occurs? Like, obviously they're looking for personal information. What is of the most value? What, yeah, basically, are they trying to sell?
Chris: There are a couple of things. So it's either downloading a list that they can sell, but if it's on the dark web already, it's available. So they're not exactly selling anything at that point. So the main thing is being able to steal your identity would be a big one. So they could just use other bits of information that's out there to try and phish you a little bit better. In other words, if I send a phishing email to you that's from CommBank and you don't use CommBank, you just ignore the email, right? So I don't get anywhere. If I know that you use Westpac because of the data breach, then I can send an email from Westpac. Now you're going to pay attention, because Westpac is your bank. Correct. So, and if I add to that, like, a date of birth has been released or a driver's licence number, and I send you a phishing email and I go, you know, this is from Westpac. Just so you know this is secure, we know your date of birth is blah. You're going to be like, this is Westpac, they know my date of birth and my driver's licence, you see. Yeah, so they're putting factors in there that make it more believable.
Alisha Christian: So basically they're just taking bits of the puzzle and trying to make the whole picture.
Chris: Pulling it together so it's more believable. So you click somewhere. And again, they combine that with some urgency. Hey, we've noticed some large transactions on your account. We have a hold on it at the moment. You know, here's your date of birth, so you know this is legitimate, from the security department. Please click this link or please call this number now.
Alisha Christian: We're always talking about that, aren't we, with phishing emails and SMS, just that urgency, and just taking that extra couple of seconds to stop.
Chris: Then think about it. Yeah, but it's difficult when the information is often confirmed. Oh, for sure. Now, that's phishing. The next one, of course, is identity theft, which is potentially way worse. Which is, you know, if they do have a copy of your licence as an example and maybe a Medicare number, they'll have enough for 100 points of ID. So then they can go and open a bank account in your name. So they just go online, they provide the verification because they've got your ID documents, they open the account, they run that account for a little bit, small funds in and out, and then apply for a five grand credit card. Max out the credit card, then disappear. So they've bought whatever they want, shipped it to wherever, and then the bank comes after you. So all of a sudden you've got Macquarie calling you, going, your card's overdue, and you're going, what card? I don't bank with Macquarie, and they go, well, it's overdue, we're going to send this to you, you know.
Alisha Christian: And how do you prove it? It's hard because, you know, if everything's done online and it's not sort of face-to-face.
Chris: So this is where you'd need to potentially look at something like IDCARE. They can help with that, give advice, etc. Like I think I've mentioned before, having credit reports and monitoring on credit reports. I've seen now that those are not free anymore. Yeah, I think we did speak about that. They've moved on to a paid service, which is fair enough.
Alisha ChristianEverything does.
SPEAKER_04So the idea is as soon as it does that credit, because when you apply for a credit card, it will do a credit search. So as soon as that credit search hits your credit file, you would get the notification. So it's not a bad idea to potentially pay for that to avoid that situation. Because you'd all of a sudden get a hit from Macquarie Bank on your thing and you'd be like, I haven't applied for anything. You can immediately call Macquarie Bank and go, This is what's happening. They could stop the application and then it doesn't go anywhere.
SPEAKER_01Yeah.
SPEAKER_04Uh otherwise you get in that situation of, like you said, it's hard to then prove it wasn't you, or all those bits of, exactly, because there'd be a lot of people out there that would take advantage of saying, Oh no, it wasn't me.
Alisha ChristianYeah, well when you know potentially it was. Yeah. Um, so yeah, I do remember that we did talk about that on a previous podcast, and it'd be interesting actually to see how much they do charge to monitor it. I know we did talk about that.
SPEAKER_04I did just look and I was like, oh, they've they started to charge for it now. Because I used to use it. Actually, I probably need to, I don't think I pay for it, and I should probably go and do that. That's probably, it probably feels like just an additional cost at the time, but probably, so sometimes you get that credit monitoring on certain uh personal loans and they might add that as a service. I think Wisr do a service for you. Yeah, exactly. So they'll give you your Experian scores and that. I don't know if they've got alerting though. I'm not 100% sure. It's certainly worth looking into.
Alisha ChristianYeah, yeah, yeah. Because that would be a nasty little surprise, wouldn't it?
SPEAKER_04No, not ideal.
Alisha ChristianNo, definitely not.
Rolling Out Security At Work
Alisha ChristianUm, so just back to businesses. So, I mean, the hardest thing is, as we know, is getting staff on board with all these things. If um, you know, if a business is looking to kind of obviously tighten up their security, um, what's what would you recommend is the best way to try and get staff um on board and rolling it out, I guess, company-wide?
SPEAKER_04Um I think the best angle I've I've seen and what works is um often businesses will get like someone like myself in to do a like an hour like general cybersecurity. And what I do is I don't specifically focus on the business elements of it. I actually focus on the personal side of things. So I actually cover things off like managing your your passwords personally for Facebook and your Insta and etc. So, because I I do kind of feel like if you've got a better security hygiene, password hygiene in your personal life, that's what you want to protect, it will generally carry over to business as well.
Alisha ChristianYes.
SPEAKER_04Um, the other thing to note is for a business, if you're purchasing something like LastPass as an example for business, right? Um, it actually gives everyone a free personal account as well. So that's kind of a nice perk from a business to the user for hey, we're gonna move into password managers, but it gives you one to use as well. That's a nice perk as far as I'm concerned. Because it's something you don't have to pay for.
Alisha ChristianAnd it just becomes habit, doesn't it? Personal and you just professionally it's correct. Yeah.
SPEAKER_04Correct. Um, so that is, I think, very useful. So the the idea then being is you've got your own personal one, and then business ones are stored in the business, like there's a business section versus a personal section. Yeah. So I think that's that's pretty good. Yeah. Yeah, because it's a tough thing sometimes to get uh staff on board and it it can be hard, uh just because it's those extra steps and time, right? So you want to make it as easy as possible. And like I said, and as you know, again, experience, once you have a password manager, it's way easier. Like you just don't have to think about stuff, right? Um, whereas if you don't have the password manager, it's hard. Yeah, like if my password manager, for whatever reason, I I don't have whatever, like I'm not gonna remember the password.
SPEAKER_03I forgot passwords.
SPEAKER_04It's like yeah, you'd have to do the password and it it gets complicated. So um yeah, password manager is way easier once you got it, and you're more secure then. And so definitely using that is is a good good practice uh generally. And then for businesses to start to move on to passwordless to make things a little bit more frictionless is also a good way. You know, logging onto your machine in the morning because it's just a face scan or thumb or pin is way easier than you putting in your password.
Alisha ChristianWell, yeah, well, we use pin numbers and it's exactly way.
SPEAKER_04So now it's just you know, it's a pin. And this is an interesting one. Like a lot of people just go, yeah, but a pin is not secure. Like it's a four-digit pin. I mean, you can make it longer, by the way.
Alisha ChristianBut ours is longer.
SPEAKER_04Let's let's say it's a four-digit PIN, and people go, like, you know, there's only 10,000 combinations for that, right? But they go, Yeah, but that's even less secure. I've got a 16-character password, now I've got a four-digit PIN. How does that keep it safe? The key thing here is when you move to Windows Hello with a PIN, that PIN is protecting the certificates on the machine. That means if someone's grabbed your username and password from wherever, man-in-the-middle, phishing, whatever it is, and they're sitting in North Korea and trying to log in, they can't.
SPEAKER_00Okay.
SPEAKER_04Because they need the certificates on the machine that's protected by the PIN. So it's not that I can just log in anywhere with the PIN now. That's not how it works. Right? So it's tied to that Windows Hello certificate for that machine, and then you could tighten that up even more, whereby you could say you can only log in from a machine that's um enrolled into the Microsoft tenant. So we're starting to get onto technical details for a business. But if you have a an IT provider, a security provider coming to set that up for you, they lock all of that down for you. So only that laptop can log in as you onto that tenant. So if your username and password got stolen by a phishing, number one, you've got MFA to try and protect you as well. But let's say you didn't have that, they're still not logging on because it's not your machine.
Alisha ChristianNo, that's right.
SPEAKER_04Right? Yeah, so there's there's ways of adding that extra protection. And so for instance, all our core applications that we use, you cannot log in from just anywhere. It is a uh Mercury-enrolled, controlled device that's got all our security uh features.
Alisha ChristianOkay, I'm always hitting roadblocks like it's got all those key features.
SPEAKER_04So if you went onto your home machine and you went, oh, I'll just log on to you know our our you know PSM, whatever we use, you can't. It would just deny your login. So, you know, and again, enabling things like single sign-on. So you log on to Microsoft, and when you log into um whatever other application you use, it actually automatically logs you in by virtue of the fact that you logged into Microsoft.
SPEAKER_01Yes.
SPEAKER_04That's how you make things easier for users. So they're not, you know, every application they're using, they're not getting username and password and MFA, username and password and MFA and MFA. Because I think that's when people get annoyed and it's just a single sign-on, so it's called SSO, because we love our acronyms.
Alisha ChristianYes.
SPEAKER_04So single sign-on and it's tied into the Microsoft. You could tie it to the machine, depending on what you're trying to do, and you can make it frictionless. So you're logging in without a password, because it's facial recognition, logs you on, you click onto your um, you know, your customer relationship database that you use. It doesn't even prompt you for a username and password, it just logs you in because you're already authenticated. That's the idea.
Alisha ChristianYeah, okay. That makes it seem a bit more smooth and all our applications are tied into SSO.
SPEAKER_04Yeah. So and and security keys. So you log in with a security key, but then we've got access to other applications. There's only one or two applications that are not SSO'd for us. We keep them separate because they're security. Yeah. So there's so if that got compromised in any way, we still have a separate line for some of our security tools.
Alisha ChristianYeah, which makes sense.
Quick Checklist And Next Steps
Alisha ChristianWell, that's some good information there. Is there anything else that you think is important that people should know about passwords, passkeys, passwordless?
SPEAKER_04Uh if if we just run from the top, um the longer the password, the better. Uh complexity, less important. If you want to use it, use it. I do. So I still try and keep it as secure as I can. Right? So long, longer passwords, use a password manager, delete your passwords out of your browsers.
Alisha ChristianYes, that's it.
SPEAKER_04So if you're using Edge, Chrome, whatever you use, take it out and use a use a password manager. MFA on everything. So go through each application that you use. Facebook, Insta, I think they're tied together anyway. But whatever you use, go look at whether you can enable MFA. Use the strongest MFA they provide. So in order of kind of weakness, sending a text to your phone is the weakest, right? Uh doing a push authentication is better. So it pops up on your phone and says, Is this you trying to log in? Okay. That that's pretty good. That's generally the standard at the moment. And then moving to a phishing-resistant MFA. So moving to a passkey, passwordless, or security key, hardware key. Um, so for businesses, and again, you don't have to do everyone, right? You could go, oh, I'm gonna protect my management because they're targeted more, or my accounts payable and accounts receivable. Yeah, protect them more. The rest of the users, you go, okay, they'll just use uh standard MFA for now and I'll just phase it. Yeah, do this. So kind of in order and get to that passwordless situation because it's gonna be more secure. Beyond that, speak to an IT security provider that could start to, where I spoke about SSO, tying your laptop into the tenant so it's so it's Intune-enrolled, it's locked down. There's those other steps. Yeah.
Alisha ChristianOkay, some great advice there. Yep, definitely something to think about and put into action, of course. Yeah, definitely. Yeah. Well, thanks for coming along today. No problem. And um, I'm sure I'll see you soon.
SPEAKER_03Will do. Cheers.