Passwords, not only a pain but dangerous

by Jeremy Walker

Hopefully, you enjoy a bit of storytelling- not that kind of storytelling. The kind that paints a picture. I started off as a young fresh 20-year-old enlisting in the United States Air Force in 2003. I went through the communications technical school before I was requisitioned by the AFCERT, Air Force Computer Emergency Response Team.

My position was essentially that of an edge intrusion analyst. I spent some time monitoring traffic at the packet level, which was fun. I saw more than my share of telnet clear text credentials passing over the wire. Some of those passwords were pretty interesting. Found out who liked who and who did not. In all seriousness though, I cannot believe we thought cleartext passwords were a fine idea.

After my time there I decided to go back to school full time, so I transitioned to the reserves and got after it. I took the only available position which was for all intents and purposes an airplane loader. That stuck for a month or two before I moved over to the local communications flight. I started off at the help desk where I found myself resetting more than the sum-total of available members’ passwords. Never quite figured out the math there, but it was A LOT. My part-time reserve gig only lasted for a few months before I began working with the unit full time.

I had several different titles and responsibilities there, but most were information technology-centric. I finished my undergraduate degree in Social Sciences and nabbed two more AAS degrees in Electronic Systems and Information Systems. The social science degree is a long story we can get into later. Everything was going smoothly, then my good friend said, “Let’s go to Afghanistan.”

A few months later I am a system administrator working with United States Special Operations Command (USSOCOM) and United States Central Command (USCENTCOM) bound. This is where I got my first real taste of “classified networks” which are basically “protected networks” on steroids. These networks are the best when it comes to passwords. It is actually illegal to write down your password and they are all a minimum of … probably should not specify, but “quite” long with mind-boggling restrictions. We had hardware tokens for some systems as well, but even the PINs were “supposed” to be unique and long. Now I am in Afghanistan. I flew there. It was not a pleasant experience. Glad I had the opportunity to go, and I would not change it. I was fortunate enough to spend two years there working for and with a number of domestic and international agencies in the broader intelligence community (IC).

People were literally risking their lives for passwords. Not an exaggeration. If people were at a forward operating base (FOB), there was no way to get them their high-side password, other than in person. That meant them or us traveling through Afghanistan. Not good.

On or around the first quarter of 2014, I flew back stateside. Equally unpleasant, but again, worth it. A couple of notable items before we skip ahead:

  • Completed my graduate degree in Information Technology with a specialization in cybersecurity.

  • Brief 1099 stint with SOCOM again in support of a contracting transition.

  • Went on a two-month sailing trip with my father.

  • Went on an amazing trip to Europe.

The place: Hurlburt Field, Fort Walton Beach, Florida. The time: Fall 2014. I started working with the 39th Information Operation Squadron as a “Cyber Instructor” and later course developer. I had an amazing time there. I ended up with around 400 hours of cybersecurity instruction on topics as fun as reverse malware engineering. I also had access to some fantastic training networks and designed a course or two, and I did a bit of moonlighting as an Adjunct Professor in the Information Assurance program with a university in the northeast where I taught cyber policy and information assurance management. I had students that were unable to complete homework due to forgotten passwords.

From the 39th, I moved to a cybersecurity test engineering position with an organization on Eglin Air Force Base. There I was able to use many of the skills I honed in the schoolhouse to perform penetration testing activities on weapon systems as part of the test and evaluation process. Default passwords were a sore subject every time they were discovered, which was often. During my time with the mysterious “organization”, I was in the process of “becoming” married, and it has been a wonderful transformation. Alas, we had to move. I was looking for flexibility and loved security, so I found a penetration testing firm that was location optional.

I thought Afghanistan was exciting; “LEGALLY-breaking into” financial institutions was a thrill. “Hacking” was always an option and many organizations required a fair amount of technical prowess, but I was astonished at what you get by asking: passwords, laptops, keys. Passwords were everywhere, like little treasures. It is amazing that a sticky note can lead to full domain compromise. A guessed password could lead to a password hash being retrieved and pulling an entire customer database. As much fun as I was having, the travel was intense, and I needed a break.

Now in Tampa, Florida, I began working for a defense contractor as a Solutions Architect where I had the opportunity to translate customer use cases and draft a fair number of whitepapers. A new contract meant a bit of shuffling, so I transitioned to a cybersecurity engineering role where I was in charge of strategic security planning for a product line. The system was quite complex and, no kidding, had over two pages of usernames and passwords associated with it. Keeping the policies and password recycles worked out was cumbersome at best.

Leading me to Identité. Passwords for me, like many others, have been a constant source of consternation. Not only a pain but dangerous. I soundly believe that eliminating passwords is the foundation for future information security. Identité was eliminating passwords in favor of certificate-based authentication and they were doing it in a meaningfully better way. I read the white paper and dug into how they were implementing FIDO better with Full-Duplex Authentication® (FDA). I was hooked. I wanted to be a part of creating a password-less world.

As a new member of the Identité team, I look forward to helping shape a stronger security landscape through password-less authentication and beyond. Every password we eliminate is one less password to be reused, shared, or stolen. One by one and then hundreds, thousands, or millions at a time, every password we can remove from our cyber ecosystem helps make us all safer.

The End
