With so many working from home (WFH), security is being tested perhaps like never before. The good folks at Specops have made the full version of their Password Auditor product free during this trying time.
We spoke with Darren James of Specops about this release and some other tools the company has released to help people through the rough spots. Darren had some good insights he shared and we discussed. Have a listen.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Alan Shimel: Hey, everyone, it’s Alan Shimel and you’re listening to a DevOps Chat. Today’s DevOps Chat features a company called Specops, and we’re joined by Darren James of Specops. Darren, welcome.
Darren James: Thanks very much, Alan. Good to see you.
Shimel: Thanks for joining us. So, Darren, I don’t think we’ve done any Specops podcasts before, and so, I don’t know how much our audience is familiar with Specops. Why don’t we start with maybe just a quick kind of who Specops is, what you guys do, where you play.
James: Sure, absolutely. So, Specops is a company, a software company that’s based in Stockholm, in Sweden. We’ve got offices all around the world. We’ve been running since 2001, and we specialize in authentication and password management tools, particularly based around Active Directory and Azure AD.
Shimel: Interesting. Interesting. So, it’s an area I know a little bit about. One of the things was, you know, AD—not to get us too far off track, but you know, Darren, AD was one of the unspoken monopolies of Microsoft, if you will.
Shimel: It really became the standard that we all used for identity and access management. And one of the things we’re seeing is, with the proliferation of cloud and cloud-based apps and SaaS and remote working and more people using Macs and stuff like that is AD having to respond, and almost like—it’s almost like people maybe have gone back a little bit to the LDAP days from which AD comes. I’m curious, are you guys seeing that, or it’s still AD 85 percent of the market, 90 percent of the market?
James: I think, you know, what you just said there, the latter. I think, unless you’re a brand new startup who’s sort of born on cloud apps, it’s very unlikely that you’ve not got an Active Directory in your organization that’s really managing your users and groups and policies. And sure, you’re absolutely right, the advent in the last few years of Bring Your Own Device type technologies, that’s probably lessened a lot of the reliance on Active Directory when it comes to managing workstations, but still, your user management, their basic passwords—a lot of the time, it seems that Active Directory is still the source of truth when it comes to that account management side of things. Whether you’re syncing passwords up to Azure AD or Office 365 or some other sort of meta directory, it always seems to be easier to manage at the moment, or it still seems to be easier to manage for a lot of organizations with their on-prem Active Directory.
But yeah, who knows what happens in the future. I’m sure Microsoft themselves want everybody to move to Azure AD at some point in the future, but I’d say 99.9% of the customers that we speak to all have a reliance on their on-prem AD.
Shimel: Interesting. You know, and Microsoft Office 365 is going to Microsoft 365, which I guess is—I don’t know if it’s just wording or there’s something else behind that. You know, we have another section within DevOps.com called IT as Code, and it’s really aimed at that IT generalist, the people who were responsible for those AD servers and are responsible for those AD servers. And not just the servers, but you know, the interaction that employees and users have with it as well as, you know, for so long, the exchange server was the go-to for e-mail, and it still is for many, many organizations. But we’re seeing that also migrate up into Azure and as part of the SaaS world.
But, you know, Darren, we find ourselves in interesting times around this COVID-19 situation. No matter where we are in the world—Asia, Europe, North America, South America, Africa, Middle East, Australia—many, many of our listeners are listening to this while working from home. And this has, especially for organizations that did have sort of on-prem AD, you know, or maybe hadn’t moved to the cloud or weren’t, didn’t really have a remote worker workforce in mind, right, it’s put a little bit of a—it’s thrown a curve into the, or a fly into the soup here, into the ointment.
James: Absolutely, yeah.
Shimel: Yeah. What are you guys seeing and how are you responding?
James: Well, I think one of the biggest problems a lot of organizations have is that they really haven’t got any sort of plan for managing their users off-site for the extended period of time that we’re seeing at the moment. So, you have all of these issues that you had with your kind of road warrior workers, where maybe their password would expire, you know, while they’re out on the road, and they didn’t get any notifications about that password expiring. And of course, it then becomes very hard for them to change their password because they might not be able to get a VPN connection in because their password’s expired, or they’re logging on with a cached credential and that’s causing account lockouts and all sorts of other things. So, having to manage that kind of situation on a much larger base now can be a real challenge for a lot of the customers that we see.
Another issue as well is that you’ve also had a lot of people with Password1 with a capital P as their password since the year dot.
James: And now, they’re having to log in from their home computer or from a remote computer that doesn’t really have all the protections that you might normally see inside an internal network, so you might be entering that password into your personal computer, which may have a keylogger or some other nasty piece of malware on there.
So, again, you’ve got those challenges of lots and lots of weak passwords out there that ideally should be changed and, again, form targets for hacking and various attacks from nefarious sources out on the Internet. So, it’s those sorts of weaknesses that we’re seeing come to the fore at the moment, and especially a lot of phishing attacks based on COVID-19. People saying, “Oh, click here”—getting an e-mail saying, “Click here to receive your free Coronavirus testing kit and enter your username and password.” We’ve seen a few of our customers mention that.
So, us at Specops, we want to try and help our customers or even our prospects or the general IT community through that kind of—through this difficult time at the moment. So, we’ve released a couple of tools over the last week or so that should help people in that respect.
Shimel: Yeah. You know, Darren, it goes back to something I said before, which is—this is exactly why we can’t have nice things, right?
Shimel: The internet could be such a help here during these surreal times and there’s so much that we can do and we’re kinda stymied because—you know, because bad people do bad things. And, you know, the same way we’re having a pandemic of COVID-19, we’re having a pandemic of COVID-19 cyber—
James: Yes, yes.
Shimel: – you know, phishing is one aspect of it I think you mentioned, right? To a lot of our audience—because at these times where it’s not just our usual core audience who’s listening to this, Darren, who know very well what phishing is and those things, but we might have some people who maybe aren’t familiar with phishing, especially from the aspect of working from home on a different device or what have you—what are some of the kinda COVID-19 phishing scams that you’ve seen?
James: Well, typically, as I say, the one I just mentioned. So, you’re being sent an e-mail from what looks like an official source, because it’s very easy to scam an e-mail or send a scam e-mail out from any e-mail address you like. And then it may have a link inside it. And that link, again, may look official—but of course, if you hover over that link and look at the URL a little bit closer, you might see that it goes off to some less-than-respectable website.
And when you click on that link, that may well look like an Office 365 login or it might look like a government website or whatever it may be, but at that point, it may ask you to create an account or enter your login details. If, let’s say, it’s pretending to be Office 365, you’ll type your credentials in there and of course, you’re not actually logging into Office 365 with those credentials, you’re giving those credentials to that nefarious character.
Shimel: I mean—yeah. I mean, Darren, here in the U.S.—I just wanted to just quickly add to that. You know, in the U.S., we passed this bill where shortly, hopefully, a lot of people will be receiving checks from the U.S. government, $1,200.00 or so.
Shimel: And already, we’re seeing phone scams, too.
Shimel: Purporting to be the IRS, saying, “Hey, we wanna direct deposit your money. Can you give us your bank info?”
James: Absolutely, absolutely. I mean, we’ve seen that as well with our service desk, you know, because typically, working in an organization, you contact the service desk from an internal number. Now, your service desks are having to field calls from external numbers. And so, someone pretending to be Darren calling up the Specops service desk—how does that service desk actually know that it’s Darren at the other end of the phone? So, you have all of these very unusual circumstances, and particularly in that scenario, it’s quite easy to lure that service desk agent into resetting a password or giving over information that they shouldn’t necessarily give over. So, you’re absolutely right, all of those things are now at the forefront of an attack on our organizations.
Shimel: I don’t know, could it maybe be ransomware?
James: Yes, absolutely, yeah. Clicking on links and downloading some nasty piece of software.
Shimel: Again, it’s why we can’t have nice things.
James: Yep. [Laughter]
Shimel: You know, it amazes me. I mean, I was somewhat heartened, Darren, when this first started breaking out, you saw some, you know, criminal cyber gang saying they were gonna stay away from health care and hospitals, and that’s all dandy—fine and dandy, but it has—
James: Very nice of them. [Laughter]
Shimel: Yeah, very—exactly. [Laughter] The life you save may be your mom’s. But, you know, in spite of that, it’s just awful that, with everything else and all the anxiety and stress that this whole situation brings, we’ve got to worry about people trying to phish us, and—not just individuals, but as you said, even the service desk folks—
Shimel: – who are under pressure to keep the wheels on.
James: Exactly. That’s the biggest problem, isn’t it? Everybody’s now under pressure to try and generate or keep our businesses running as smoothly as they possibly can. So, everybody’s fighting for every last scrap. So, you know, having to put in a delay to try and authenticate somebody at the other end of the phone, it’s very easy to put pressure on that service desk agent. So, yeah, we—
Shimel: It really is.
James: It’s important. But, you know, it’s still very important to maintain that security, because I don’t know what it’s like in America—well, in fact, I’ve got a pretty good idea, but of course, if you do start giving away sensitive information, then your company is criminally irresponsible for that, as well as financially responsible. So—
Shimel: The world is too interconnected to have borders around cyber—
James: Privacy and things, yeah.
Shimel: You know, [Cross talk]—
James: And so—
Shimel: – we all have customers and connections in Europe.
Shimel: And then here, of course, California has a law; we’ve done more of a piecemeal thing. But no, you’re right. I also wanted to just highlight, though, that Specops can help you in this crazy time that we find ourselves in, and not only if you’re a Specops commercial customer—you have some freeware and some stuff you’re making available to people.
James: Absolutely. So, you know, one of the problems that we mentioned earlier, or I mentioned earlier, was having weak passwords and account lockouts. We actually have a tool called Specops Password Auditor that you can download for free from our website, and up until a week ago, it would tell you how many users have got compromised passwords in your network, so you could see how big the problem was. But it didn’t really allow you to do anything about it.
A week ago, what we decided to do was completely change that process. So, now, you can download the full version of Specops Password Auditor, and it will give you the names of every single user in your Active Directory that is running a compromised password based on a 718,000,000 word database that you can download for free from us. So, I don’t know if you’ve ever seen haveibeenpwned, the website? I’m sure you have.
James: Yeah. So, Troy’s database with 555,000,000 passwords in it, we’ve used effectively all the same sources as that, but Troy’s just the one guy, he’s done a fantastic job. We have a team of DevOps guys that are building up this database all the time. So, we’ve just got—well, nearly 200,000 more hashes in our database at the moment.
So, if you are worried about things like that, you’re worried about your users typing in their very weak passwords into lots of externally facing portals these days. You can now identify those users, get in touch with those users, and encourage them to change their passwords to something a bit better. And then, run a report again, you know, you can run it as many times as you want until you weed out all of these things.
Shimel: That’s great. Where do people get that, Darren?
James: It’s on our website. You just head over to Specopssoft.com, look for Specops Password Auditor. You do need to sign up—you know, marketing, that’s what they like to do these days. But it is completely free and, yeah, there’s no sort of adware. It can be run offline if people are worried about running this tool, you can download the database, run it offline. It doesn’t need to be on an internet-connected computer, so.
Shimel: Sounds good.
James: And it doesn’t crack anybody’s password, it just compares the hashes. So, it runs within seconds, even on a huge environment. So, it’s not their sort of—it’s not like L0phtCrack or John the Ripper or any of those sorts of tools, it’s just comparing hashes.
Shimel: One of the things I—and there’s gotta be a pony in here, there’s a solution waiting to be found—is, you know, so someone—I mean, the average person today has, I think I had read something maybe a year or two ago, the average person today probably has about 80-plus different sites that he or she has passwords for.
James: Sure, yeah.
Shimel: And, in some cases—I know in my case, it’s closer to 150. And I try to keep a different password for each one, though there’s a lot of variation, right?
Shimel: And so, when you go run against a password auditor like that and it says, “Okay, you know, these 50 passwords need to be changed” or these, even 25 passwords need to be changed, it’s somewhat daunting to go to 25 different sites at once and change those passwords. I wish there was some automated way of taking that to the next stop, saying, “These are the sites where your passwords are compromised or may be compromised, and click here, you know, give me 25 different passwords” and—you know, anything that’s a password manager function.
James: Yeah, I mean—yeah, I mean, Password Auditor will only look at your Active Directory passwords.
James: So, it will look at all of your users and it’ll tell you which—
Shimel: Just [Cross talk].
James: – yeah, which AD passwords are compromised and give you the names of the users that are using those. But you’re absolutely right—when you’re trying to manage all of these identities and all of those passwords associated with those identities, having to update passwords across 25, 30, 100 different sites is crazy. But again, what I always try and encourage—if someone asks me, you know, “What sort of—what should I do with a password? How should I—what sort of password should I type in?” I always try to encourage people to use passphrases rather than passwords. And then they go, “Oh, but I don’t stand a chance of typing in a 20 character passphrase. How do I get around that?”
And again, my advice would be—and it’s the same advice that the British government, the NCSC, has been giving out, is to try and think of three random words that mean something to you, but nothing to anybody else. So, it might be the first car you ever bought, the first school you went to, your mother’s maiden name—those three words are very easy for you to remember and very easy for you to type. So, it doesn’t need to be complex. You could add some numbers or digits or dashes or special characters in there somewhere if you wanted to, but it’s not important. As long as those three words are together, that’s fine.
And then every now and again, particularly for the different sites, I like to chuck in maybe something to do with that site as my fourth word, and that way I’ve got a very long password that’s very easy for me to remember on a per-site basis. But that’s just the way I like to do it. And sure, you know, I chuck a few extra characters in there as well.
But that’s, I think, quite a nice way of getting across the passphrase. You shouldn’t use things like, you know, the first line of a song or the title of a movie or a famous quote or phrase, it’s a bit of a misnomer passphrase, but just having those three random words, I think, is a great way of dealing with that problem—certainly for me, anyway.
Shimel: Absolutely. Hey, man that’s great advice. Great, great, great advice right there. Darren, when we started, I said, you know, the double-edged sword here is that we keep these to about 15 minutes. We’re probably closer to 20, and I know you have to get off, so we’re gonna call a break right here.
But you know what? For those listening, we’ve been doing our TechStrong TV every day, and I’ve invited Darren on maybe next week to record a video segment for that with us. So, Darren, we’d love to have you on here again—not on DevOps Chat, but on TechStrong TV.
James: Perfect. I’ll put my makeup on for that day.
Shimel: Yeah. [Laughter] We’ll call Makeup in. Yeah, I’ve got a face for radio, but—
Shimel: – anyway, I wanna thank you for joining us on this episode of DevOps Chat. Thanks, Specops, for making the full version of Password Auditor available for free to people during this crazy time, and best of luck and stay healthy.
James: Yeah. You, too. Thanks, Alan. Good to talk to you.
Shimel: Alright. Darren James for Specops here on DevOps Chat. This is Alan Shimel and you’ve just listened to another DevOps Chat. Stay well and healthy, everyone.