Passwords, the mechanism individuals and businesses lean on for access to the services they use every day, are mostly despised by cybersecurity professionals. At best, they are begrudgingly accepted as the most universally adopted authentication method available today.
“I hate passwords. They don’t work and we’ve lived with them,” said Netenrich CISO Chris Morales.
Despite the gloomy experiences linked to passwords, the cybersecurity industry and digital platforms at large are built on them. Strong passwords and password managers are among the core recommendations made by the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.
Cybersecurity Dive, for the past couple of months, has been asking CISOs, security-minded executives and threat intelligence analysts what they do with their own passwords.
Here’s how seven cybersecurity professionals manage the complicated and sometimes discouraging loops every individual encounters when they need to access services.
Michael Sikorski, CTO and VP of threat intelligence at Palo Alto Networks’ Unit 42:
Sikorski uses password managers. “I can’t even tell you what my password is for my Netflix account or my bank account,” Sikorski said.
“It's a gigantic, randomly generated password that I don't even know. So even with a gun to my head, the only thing you can do is get me to unlock my password manager, but you're not going to get that password from me because I don't even know it. And therefore, I'm not reusing it, and you can't just reset it.”
Sikorski said he also has multifactor authentication turned on for everything that supports it.
Chris Morales, CISO at Netenrich:
“I don't know any of my passwords because they all suck,” Morales said.
He uses Microsoft Authenticator, but that experience has effectively accelerated his push to bid adieu to passwords once and for all.
“Basically before this year is done, I don’t want to have passwords anymore,” Morales said.
“I have two-factor authentication on for everything. I always have — all my personal accounts, at work, everything is two-factor — but that only gets you so far as well.”
Jaya Baloo, CSO at Rapid7:
“I personally have been one of the OG adopters of password managers,” going back almost a decade, Baloo said. “I’ve always been kind of personally professionally paranoid, which I think kind of goes with the job.”
Ever since 2012 when Baloo moved out of professional services and became a CSO, she’s been quite guarded about her hardware, passwords, and how her data is stored.
The measures Baloo has taken to maintain a defensive posture haven’t always been easy for non-security minded individuals to implement, but that’s no longer the case, she said.
Matthew Prince, CEO and co-founder of Cloudflare:
The head of the content delivery network and security services company uses Keeper and hardware security keys with Cloudflare Access, a zero-trust network access product.
“I now not only manage all of my company's experience through the same sort of setup, but I've shifted my entire personal life,” Prince said.
“Because frankly, using a password manager, authenticated with a hard key, is significantly easier and better than having to dig your phone out and look for, you know, the text message that gets sent to you, or having to remember passwords.”
Chester Wisniewski, field CTO of applied research at Sophos:
“I personally carry a YubiKey token and I use it for everything,” Wisniewski said.
“I store my passwords in Bitwarden. I like Bitwarden. I don't use their cloud service. I have my own hosted instance that I use and protect in my own little way. I use Bitwarden like any other person would with a browser plugin and autofill my passwords in the right spots, and I use my YubiKey to unlock my password vault.”
The information security veteran said hardware security keys and the passkeys they can hold show real potential to be a game changer if adopted well. A FIDO credential on a device such as a YubiKey eliminates the need for a separate token, but “it unfortunately has a bit of complexity on the implementation side that might slow it down,” Wisniewski said.
John Dwyer, head of research at IBM Security X-Force:
“I do use a password manager, but I do not use a cloud-based one. I use a local one that is backed up on another encrypted hard drive that I have. And I just move that around with me everywhere,” Dwyer said.
“I have yet to accept the risk of using a cloud provider for my password managers, so I just do the manual effort of always having my password stash accessible to me. But I do run the risk, if I ever lose access to that hard drive or my live copy, I’m going to be doing a lot of forgotten password links.”
Chris Niggel, regional CSO of the Americas at Okta:
“Password managers are an excellent tool for managing those knowledge factors, credentials. Certainly, I have them, I’ve deployed them onto my parents. They’re very good for just managing disparate systems,” Niggel said.
“I have many applications that I use in my personal life and I will put those in Okta as well for convenience, but many individuals aren’t comfortable with mixing that personal and business, so there’s going to be an option for both.”