Passwords? We’re talking about passwords?!

7–8–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, July 8, 2024, and the US is getting back into the office after the Independence Day Holiday and the UK and France are getting new government leaders. Change remains the only constant.

Passwords?! We’re talking about passwords?!

It’s 2024 and, yes, we’re still talking about passwords. Specifically, we’re talking about the largest password dump in history - some 10 BILLION that were dropped on a cybercrime forum last week.

Known as the “RockYou2024” leak, this is being reported as the “biggest password leak ever” and on the 4th of July, no less. This password list appears to be an update from a 2021 leak in the same vein, and we’ve been seeing continued issues with credential exposure in the wild - remember Snowflake?

This could make things even worse for defenders, but I want to remind everyone that passwords are something entirely in our control.

I know that there’s lots of guidance from NIST and others that changing passwords is not required, and the philosophical argument that requiring long and complex passwords with regular rotation actually encourages unsafe behavior from users (e.g. writing them down, reusing them, etc.).

There’s some merit to each of these things.

For example, if you’re using a full Single Sign On solution, with multi-factor authentication on everything and centralized logging, then you probably don’t need to worry too much about having your users rotate their passwords.

But - we all know that despite our best efforts, there are systems in our enterprises that don’t have all of these protections; they still use just usernames and passwords in 2024.

And so, what do I mean about passwords being entirely in our control? We can set the length, complexity, and rotation schedule of our passwords.

We can set a minimum, and we can reserve the right to rotate (or require rotation) as needed - such as after a massive data breach or other similar security event.

We should, of course, also require MFA and push for SSO wherever possible, but having a requirement for relatively long (15+) and relatively complex (upper, lower, number, symbol) passwords that are rotated semi-regularly (annually) reduces your risk.

Don’t let users share credentials. Enact a policy that prohibits password reuse. Back this up with technical controls where possible.

And, if you’re afraid you’ve got users with credentials that are compromised in this leak - or any other - just rotate passwords to something new.

Buy enterprise password manager licenses.

Teach your users why this is an important step in protecting their identity and your enterprise data and systems.

Rotate them on a frequency that aligns with your organizational risk tolerance (maybe 90 days, maybe 365 days, hopefully not longer).
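One way to turn the policy above (15+ characters, all four character classes, no reuse, no value known to be in a leak, rotation on a fixed schedule) into a technical control, as an added Python example that is not from the newsletter. The leaked-password sample, the password history and the dates are constructed for illustration; the policy constants are the article's own numbers.

```python
import hashlib
from datetime import date

MIN_LENGTH = 15        # "relatively long (15+)"
MAX_AGE_DAYS = 365     # "rotated semi-regularly (annually)"

# Constructed sample of a leaked-password corpus, held as SHA-1 fingerprints so
# the plaintext never has to be loaded. SHA-1 is used only as a lookup key into
# the breach list; never store real credentials this way (use a salted password hash).
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "Summer2024!", "rockyou")   # constructed values
}


def fingerprint(password: str) -> str:
    """Breach-list lookup key (not a credential hash)."""
    return hashlib.sha1(password.encode()).hexdigest()


def character_classes(password: str) -> dict:
    """Which of upper / lower / number / symbol the candidate contains."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def check_password(candidate: str, previous_fingerprints=()) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    previous_fingerprints simplifies the reuse check: a real system compares
    against its stored (salted) verifiers rather than SHA-1 fingerprints.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    problems += [f"missing_{k}" for k, v in character_classes(candidate).items() if not v]
    fp = fingerprint(candidate)
    if fp in LEAKED_SHA1:
        problems.append("leaked")          # rotate it, as the post advises
    if fp in previous_fingerprints:
        problems.append("reused")          # policy prohibits reuse
    return problems


def rotation_due(set_on: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password has aged past the organization's rotation window."""
    return (today - set_on).days >= max_age_days
```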

Unfortunately, it only takes one account to potentially compromise an entire organization, and so the onus remains squarely on us to hold the line here.

Passwords, like many things in security, are decidedly unsexy, and do add friction, but can also add a significant layer of defense against both commodity and targeted attacks - and remain completely within our control.

Fundraising

From a fundraising perspective, despite the holiday week here in the US, there was more than $28.5B in newly committed capital - including several multi-billion dollar funds, led by New Mountain Capital’s 7th fund of $15.4B.

Strong start to Q3 and the second half. Let’s see if it continues, and how this capital gets allocated. Sure feels like there’s potential for a flurry of deals in the near and mid-term future.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://mashable.com/article/rockyou2024-leaked-password-database

https://www.usetract.com/blog/new-mountain-capital-closes-massive-15-4b-seventh-pe-control-focused-fund
