
Welcome to the latest episode of Insights into Technology. Our hosts delve into the pressing issues surrounding cybersecurity vulnerabilities affecting Apple iOS and Mitel SIP phones. Discover the implications of these threats for enterprise security and the measures organizations should take to mitigate them.

In another story, we explore JPMorgan Chase’s decision to block Zelle payments linked to social media, a move aimed at reducing online scams but raising concerns for small businesses relying on such transactions.

Additionally, the episode covers the IRS’s innovative partnership with NVIDIA to leverage AI technology, enhancing the detection of complex corporate tax evasion schemes. These advancements signal a significant step forward in regulatory enforcement and tax compliance.

Transcription

00:00:02:15 – 00:00:07:05
Narrator
Insightful podcasts.

00:00:07:07 – 00:00:15:23
Narrator
By informative hosts for.

00:00:15:26 – 00:00:23:28
Narrator
Insights into things through a podcast network for.

00:00:24:00 – 00:00:52:01
Narrator
Welcome to Insights into Technology, a podcast exploring the latest in computers, networking, home automation and mobile computing and all things technology related. Our hosts will take a deeper dive into the latest and greatest in tech trends, and give you the information you need to enable your tech-centric world.

00:00:52:04 – 00:01:34:10
Joseph
This is Insights into Technology, Episode 20: Scammers, spammers and AI auditors. Oh my. I’m your host, Joseph Whalen, and this is your Tech News of the week. Our first article comes to us from Security Affairs. They tell us an apple a day won’t keep these hackers away. The US Cybersecurity and Infrastructure Security Agency has expanded its Known Exploited Vulnerabilities catalog to include critical flaws affecting Apple iOS and iPadOS, as well as Mitel SIP phones.

00:01:34:13 – 00:02:23:25
Joseph
The Apple vulnerability, identified as CVE-2025-24200, involves incorrect authorization that could allow attackers to disable USB Restricted Mode on locked devices, potentially exposing sensitive data. Apple has released emergency updates to address this issue, noting exploitation in, quote, extremely sophisticated targeted attacks. The Mitel vulnerability, CVE-2024-41710, pertains to an argument injection flaw in SIP phones, which could be leveraged for unauthorized access or control.

00:02:23:27 – 00:03:00:20
Joseph
CISA’s inclusion of these vulnerabilities underscores the necessity for prompt patching to mitigate potential security breaches. So what are the implications of this for enterprise security? Well, if unpatched, the Apple iOS and Mitel phone vulnerabilities pose serious risks to enterprises, including data breaches, operational disruptions, cyber espionage and compliance violations. So what your organization does and what it has to be compliant with determines where your risks really lie here.

00:03:00:20 – 00:03:47:27
Joseph
Organizations must apply patches immediately, monitor their network activity, and implement zero trust security to mitigate potential exploitation. Challenges in vulnerability management: to detect and prevent sophisticated attacks of this nature, organizations should deploy behavioral-based threat detection, endpoint protection, and network monitoring while enforcing zero trust security principles. To ensure timely updates without disrupting operations, enterprises can use automated patch management, phased rollouts, and redundancy planning to minimize downtime while keeping systems secure.

00:03:48:00 – 00:04:32:03
Joseph
One of the broader implications of all of this, and really any other type of critical vulnerability like this: CISA’s inclusion of these vulnerabilities in its KEV catalog signals an active and urgent threat, emphasizing the need for immediate patching to prevent real-world attacks. Organizations can balance security and end user convenience by enforcing adaptive security policies, such as context-aware access controls and device management tools, ensuring protection without overly restricting productivity.

00:04:32:05 – 00:05:00:18
Joseph
And before we move on from this particular story, the one thing that I kind of feel compelled to point out is that while prompt patching is important, it’s also important to make sure that you test these patches out. All too often, a patch that’s put in by one manufacturer can interfere with the functioning or the connectivity of existing software on the system.

00:05:00:20 – 00:05:26:14
Joseph
So it’s always best to have a sandbox environment that you can go in and put these patches in to simulate what a day in the life is in your regular environment, with all your regular applications and some database access and network access. Make sure everything is working there and not broken, and basically have a smoke test plan available to you to go through and do these basic tests to make sure nothing breaks.

00:05:26:16 – 00:05:38:07
Joseph
So I always recommend that before putting patches in place, regardless of how critical those patches are. Testing is very important to make sure it doesn’t cause any widespread issues.

00:05:38:10 – 00:06:13:27
Joseph
Next up, this comes to us from BleepingComputer. JPMorgan Chase Bank has announced that starting March 23rd, 2025, it will block Zelle payments to recipients identified through social media platforms. This decision aims to combat the significant rise in online scams, as nearly 50% of reported fraud cases between June and December of 2024 originated from social media interactions.

00:06:13:29 – 00:06:53:07
Joseph
Zelle, a widely used digital payment network, facilitates quick transfers but lacks purchase protection, making transactions with unfamiliar parties risky. This policy change underscores the challenges financial institutions face in balancing user convenience with security. By restricting payments to known and trusted contacts, Chase seeks to protect customers from fraud, but may also impact small businesses and individual sellers who rely on social media platforms for commerce.

00:06:53:10 – 00:07:31:16
Joseph
This move follows increased scrutiny from regulatory bodies, including a lawsuit filed by the Consumer Financial Protection Bureau against major banks for inadequate fraud protection measures on platforms like Zelle. So Chase’s Zelle ban for social media sales could significantly hurt small businesses by eliminating a fee-free instant payment option, thus forcing them to adopt pricier or less convenient alternatives like PayPal or credit cards.

00:07:31:18 – 00:07:55:09
Joseph
Sellers may need to adjust by offering secure payment methods and building customer trust to maintain sales. There are a number of different avenues out there that you can go for your online payments. Most online e-commerce platforms already have built-in systems that you can lean on. It’s also important to focus on user education when you have situations like this.

00:07:55:11 – 00:08:23:15
Joseph
Educating users about peer-to-peer payment risks is crucial. Most people don’t realize that. They just assume if it’s a payment system, it’s secure, and you can’t always assume that. Platforms like Zelle lack fraud protection, making transactions with unknown parties very risky. Awareness of scams, verifying recipients, and using secure payment methods can help prevent financial loss.

00:08:23:17 – 00:09:01:22
Joseph
In the end, they’re trying to protect the consumer here. But in protecting the consumer, you may inadvertently wind up hurting businesses. There’s also regulatory pressure surrounding decisions like this. Legal actions and regulatory scrutiny push banks to strengthen consumer protections by enforcing stricter policies, such as Chase’s Zelle restrictions. Increased oversight from agencies like the CFPB can lead to safer financial transactions, but may also limit payment options for consumers and businesses.

00:09:01:24 – 00:09:26:19
Joseph
We’ve talked about this many times. Security and convenience are mutually exclusive. The trick is finding a balance of one to the other. The more secure you get, the less convenient you are. Users invariably will always lean towards convenience. So when you have restrictions like this in place, you have to be mindful of people that are going to try to work around

00:09:26:21 – 00:10:01:27
Joseph
some of these enhancements. And you know, it’s not just nefarious people that are trying to game the system here. People that find it too inconvenient are going to kind of work their way around and probably break the system even more. There are a number of alternative payment solutions out there. For secure social media transactions, you can use PayPal Goods and Services, Venmo for Business, or Square, which all offer fraud protection and dispute resolution.

00:10:02:00 – 00:10:32:22
Joseph
Platforms like Stripe or Shopify Payments also integrate with online stores, providing added security for both buyers and sellers. And as with anything in cybersecurity, it’s a cat and mouse game. Every time we try to patch one thing, something else is going to be exploited or taken advantage of. The advantage here is this is a policy choice that Chase is making as a preventative measure.

00:10:32:24 – 00:11:15:04
Joseph
So kudos to them for being on top of things from that respect. Our next article comes to us from Krebs on Security. Phish and chips: cybercriminals serve up stolen mobile wallets. Cybercriminals in China are revamping credit card fraud by turning phished payment data into mobile wallets on Apple Pay and Google Pay. Victims unknowingly provide their payment details through phishing scams, which criminals then link to digital wallets on attacker-controlled devices.

00:11:15:07 – 00:11:54:02
Joseph
These devices, often loaded with multiple stolen wallets, are sold in bulk, enabling fraudsters to make contactless payments in physical stores, bypassing traditional fraud detection. The scheme poses major risks for businesses, leading to increased fraud, chargebacks and reputational damage. Because transactions occur through legitimate mobile wallets, detecting fraud becomes more challenging. The large-scale sale of compromised devices also highlights supply chain vulnerabilities.

00:11:54:04 – 00:12:31:14
Joseph
To mitigate these risks, enterprises must strengthen fraud detection, enforce multifactor authentication, and again educate consumers on phishing threats. So every week there seems to be a new fraudulent transaction warning we hear about on the news. Businesses may experience a surge in unauthorized transactions leading to financial losses and chargebacks. So be mindful of, obviously, all the security procedures in place for handling these types of transactions.

00:12:31:16 – 00:13:08:13
Joseph
The other downfall to this is, while most institutions already have fraud detection systems, when you have a massive dump of material or means by which to commit fraud, you run the risk of straining the fraud detection systems that are already in place. The use of legitimate mobile wallets by fraudsters can make it challenging for existing security systems to identify and prevent fraudulent activities. And then the supply chain threats.

00:13:08:13 – 00:13:42:13
Joseph
Again, almost every week we’ve got a supply chain story here that we talk about. The sale of compromised devices in bulk suggests organized operations that could infiltrate legitimate supply chains, posing risks to businesses and consumers alike. This boils down to better authentication. Enterprises must implement robust multi-factor authentication and educate consumers and customers on recognizing phishing attempts to mitigate these threats.

00:13:42:16 – 00:14:21:17
Joseph
I can’t say enough about that one: authentication, obviously, multi-factor authentication, secure authentication. The days of using SMS as a second form of authentication should be behind us. Unfortunately, they’re not at this point in time. A lot of people still use it, but using security keys, YubiKeys, time-based one-time passwords, there are a number of techniques out there that are more sophisticated than SMS.

00:14:21:19 – 00:14:43:04
Joseph
That’s all we had for cybersecurity. We’re going to take a quick break. But before we do, I want to invite our listening and viewing audience, if you don’t already do so, to subscribe to the podcast. You can find audio versions of this podcast listed as Insights into Technology, and you can find audio and video versions of all the network’s

00:14:43:04 – 00:15:04:25
Joseph
podcasts listed as Insights into Things anywhere you can get a podcast these days. I would also encourage you to reach out, give us your feedback, tell us how we’re doing. Give us your thoughts on some of the stories that we’re doing here. You can email us at comments@insightsintothings.com. You can also call in to us to leave a voicemail.

00:15:04:27 – 00:15:37:21
Joseph
You can reach us at (856) 403-8788. That’s (856) 403-8788. And you can find links to that and all of our social media on our main website at insightsintothings.com. We’ll be right back.

00:15:37:24 – 00:15:55:25
Narrator
Insights into Entertainment, a podcast series taking a deeper look into entertainment and media. Our husband and wife team of pop culture fanatics are exploring all things, from music and movies to television and fandom.

00:15:55:27 – 00:16:39:25
Narrator
We’ll look at the interesting and obscure entertainment news of the week. We’ll talk about theme park and pop culture news. We’ll give you the latest and greatest on pop culture conventions. We’ll give you a deep dive into Disney, Star Wars and much more. Check out our video episodes at youtube.com/insightsintothings, our audio episodes at Podcast Insights into Entertainment.com, or check us out on the web at insightsintothings.com.

00:16:39:27 – 00:17:19:14
Joseph
Welcome back to Insights into Technology. Our next article comes to us from The Intercept. IRS ups the ante with Nvidia tech. The Internal Revenue Service has announced a significant initiative to combat corporate tax evasion by integrating advanced artificial intelligence systems into its auditing processes. Partnering with Nvidia, a leader in AI hardware and software, the IRS aims to enhance its ability to analyze complex financial data and identify discrepancies in corporate tax filings.

00:17:19:16 – 00:18:10:27
Joseph
The move comes in response to growing concerns over sophisticated tax avoidance schemes employed by large corporations, which traditional auditing methods have struggled to detect. By leveraging Nvidia’s AI technology, the IRS expects to process vast amounts of financial information more efficiently, enabling auditors to pinpoint irregularities and potential evasion tactics with greater accuracy. This collaboration signifies a broader trend of governmental agencies adopting cutting-edge technologies to enhance regulatory enforcement and ensure that corporations contribute their fair share to public finances.

00:18:10:29 – 00:18:41:26
Joseph
So they talk about the enhanced detection capabilities here, and sure, that’s one of the things that’s touted about AI. The integration of AI allows the IRS to sift through massive data sets, uncovering patterns indicative of tax evasion that may be imperceptible through manual analysis. Enterprises may need to reassess their tax strategies, ensuring transparency and adherence to regulations to avoid detection by the IRS.

00:18:41:26 – 00:19:18:01
Joseph
Operational considerations would include preparing for more frequent and detailed audits, with companies potentially allocating additional resources to manage compliance and reporting requirements, which obviously, you know, there’s a cost to that. So in addition to the cost of finding fraudulent tax practices, you may now have to pay additional fees or salaries to people to prep for these audits more thoroughly.

00:19:18:03 – 00:19:46:16
Joseph
Of course, anything with AI brings up data privacy concerns, and this is no different. And there are very few things, other than perhaps medical records, that are more private than finances. The use of AI in financial scrutiny raises questions about the handling of sensitive corporate information, and the measures in place to protect it from unauthorized access or breaches.

00:19:46:18 – 00:20:17:27
Joseph
Is this going to affect the future of regulatory practices and technology? Well, this initiative could set a precedent for other regulatory bodies to adopt AI, signaling a shift towards more technology-driven enforcement mechanisms across various sectors. Anyone who listens to this podcast knows that I’m a big proponent of AI and what it can do. But I’m also very cautionary when it comes to AI.

00:20:18:00 – 00:21:06:03
Joseph
It’s in its infancy right now. Its capabilities are increasing exponentially, and the dangers of unauthorized exposure of information as a result of that are increasing significantly as well. And I think in a situation here, we have to be super cautious about what information gets put into the system, how that information is protected. But we also need to be very vigilant about hallucinations, about inaccuracies that come out of an AI system that may have inherent biases built into them, that may have data sets that are fraudulent, or data sets that are inaccurate.

00:21:06:06 – 00:21:26:19
Joseph
So I wouldn’t put too much faith in this right now. To me, AI is a helper tool. It’s not going to take over any functions that people already do. It’s not going to take over the IRS job. This is one of those things. It’s like having a calculator. You know, you can do the math by hand and you can show it on a piece of paper.

00:21:26:21 – 00:22:01:05
Joseph
That’s great. Then you pull out the calculator and you double check it to make sure it’s right. I think using AI to help identify potential fraud in these cases, and then going and doing a proper audit after it’s identified, is probably the best way to go, rather than relying entirely on the AI. BleepingComputer tells us that Microsoft puts location history on the map to nowhere, if anyone was using location history previously.

00:22:01:06 – 00:22:32:19
Joseph
It’s kind of an old service. Microsoft has announced plans to deprecate and remove the location history feature from Windows 10 and 11. This feature, primarily utilized by applications like Cortana, allowed access to 24 hours of device location data stored locally. With its removal, location data will no longer be saved on the device, and the corresponding settings will be eliminated from the operating system’s

00:22:32:19 – 00:23:19:22
Joseph
Privacy and Security page. The Location History API enabled applications to retrieve historical location data collected when location services were active. Microsoft advises developers to review their applications that utilize the Windows Device Geolocation API and transition away from relying on the GetGeopositionHistoryAsync function to prevent potential functionality issues in the future. So, you know, it bears a bit of scrutiny to take a look at application dependencies.

00:23:19:25 – 00:23:54:05
Joseph
We ran into this, not this system, but this problem, at my employer several years back, probably 2017, 2018, I would say. We had a proprietary in-house sales tool, a custom tool that was written, that relied heavily on Microsoft Office products for its infrastructure, and it ran an Access database and, you know, several other functions in Access.

00:23:54:08 – 00:24:25:18
Joseph
And what we discovered was that as Microsoft continued to progress in their office suite and advance the technology there, they started deprecating functions that our application was dependent on. And as a result, we had to come up with some workarounds and kind of include fixes to get by some of the stuff, or we’d stick some alternative code in to compensate for it.

00:24:25:20 – 00:24:49:20
Joseph
But ultimately we had to move away from it because the infrastructure that we were relying on just wasn’t reliable anymore. Users should identify which enterprise applications rely on the location history feature and develop a migration plan to audit alternative solutions.

00:24:49:23 – 00:25:09:17
Joseph
Also, use this change as an opportunity to review and strengthen data privacy practices. Any time, you know, we have a chance to crack open code, I try to encourage my developers to always do some code review. Invariably, every time you touch the code, you have a chance of breaking it. I’d like to kind of turn that into a positive.

00:25:09:17 – 00:25:27:03
Joseph
I’d say, right, every time that you crack open the code to make a change, or put a patch in or feature update, take your time, divide it in half, spend half of that time doing code review of the code that you’re working on to see if it can be optimized. A lot of times it can.

00:25:27:06 – 00:25:51:10
Joseph
You also need to communicate these changes to your users. Proactively inform users about how this change affects them, and what steps are being taken to maintain or improve their experience. You may lose functionality as a result of this, and that loss of functionality may be in place for some time until the software can be patched. Just make sure your users are aware of this.

00:25:51:12 – 00:26:20:06
Joseph
The last thing you want to have happen is for the users that rely on this functionality to see it go away and start putting in tickets and panicking and being unable to actually do their jobs. So communication is important. You can also look at third-party services: investigate third-party location services that offer compliant and secure storage solutions to replace the deprecated feature.

00:26:20:09 – 00:26:48:12
Joseph
Obviously, there’s going to be a cost involved in those cases. So you have to weigh the cost-benefit there, and make sure it’s the right fit for you. This also is a great opportunity to look at updating security protocols: revise security protocols to address the shift from local to potentially remote storage of location data, ensuring robust protection against unauthorized access.

00:26:48:15 – 00:27:33:13
Joseph
It’s inconvenient when you have a situation where a library or a third-party component that your application relies on either changes or breaks or goes away. It’s hard to really write your entire code from scratch anymore without using shared libraries. So this is a problem a lot of people wind up facing. And it’s important when you embark on writing your application and you start using these third-party tools and libraries, it’s important to keep a list or keep a software bill of materials so that you know everything and all the components that you touch.

00:27:33:16 – 00:27:59:07
Joseph
And when one of the components is deprecated or stops working, at least you know where you have to go to make those changes and you have a plan moving forward. Important to have a plan. The last story that we have, I think this is our last story. Yes, our last story today comes to us from Financial Times, which we’ve never used before.

00:27:59:10 – 00:28:38:15
Joseph
They tell us: test tubes and transistors, Google’s AI co-scientist accelerates discovery. And our AI story, we can’t get away from AI these days. Google has introduced an AI-powered laboratory assistant designed to accelerate biomedical research by automating routine tasks and analyzing complex data sets. This co-scientist tool leverages advanced machine learning to process vast amounts of data with precision, helping researchers focus on innovation rather than manual data handling.

00:28:38:17 – 00:29:21:13
Joseph
The AI assistant is expected to improve efficiency in drug discovery, diagnostics and other life sciences, potentially shortening the time required for breakthroughs. Google aims for this technology to complement human expertise rather than replace it, positioning AI as a powerful collaborator in scientific advancements. For commercial and enterprise computing, this development holds major implications. Pharmaceutical and biotech companies can use the AI assistant to streamline research and development, reduce costs, and accelerate time to market for new treatments.

00:29:21:16 – 00:30:01:06
Joseph
Enhanced data management and analytics capabilities could lead to more precise decision making and predictive modeling. However, enterprises must navigate integration challenges, ensuring compatibility with existing workflows and upskilling staff to maximize AI’s potential. Companies that adopt this technology may gain, I’m sorry, companies that adopt this technology early may gain a competitive edge in innovation and operational efficiency.

00:30:01:08 – 00:30:32:29
Joseph
So again, this is probably the first time we’ve really seen it used from a scientific research perspective, and what the potential could be. Enterprises in the pharmaceutical and biotech sectors can leverage this AI assistant to streamline research processes, reduce the time to market for new products, and any time you can reduce time in the development of pharmaceuticals or reduce cost in the development of pharmaceuticals,

00:30:33:01 – 00:31:04:07
Joseph
there’s a very good chance that the positive impact of those things will trickle down to the end users eventually. So that’s something to be excited about. Not only should we get more breakthroughs, hopefully they’ll be less expensive when they come to market. The tool’s capability to handle and interpret large data sets offers businesses improved data management and analytics, leading to more informed decision making.

00:31:04:07 – 00:31:43:22
Joseph
So the impact of this is significant across the board. You could use this for forecasting, logistics control, policymaking, security analysis, anything that deals with large chunks of data. You can potentially use an AI bot like this to help process that data. I know from a cybersecurity standpoint, log parsing is one of the areas that I am eagerly awaiting to see how AI can help improve that, because poring through security logs is exhausting.

00:31:43:24 – 00:32:06:11
Joseph
Early adopters of this technology may gain a significant edge in innovation and operational efficiency over competitors. Anytime you’re early to market with some new technology, there’s a chance that you’re going to get a leg up on people. AI obviously isn’t that new. It’s been around for a few years now, but using it in new and creative ways is new.

00:32:06:11 – 00:32:34:03
Joseph
And whoever can use it the most creatively stands the most to gain from it. There is, of course, potential for integration challenges with existing systems. Companies must assess the compatibility of this AI assistant with existing systems and ensure staff are adequately trained for a seamless adoption. And I think that’s probably the biggest hold-up you’re going to find.

00:32:34:06 – 00:32:58:24
Joseph
Companies don’t seem to have a problem investing in AI. They see the potential. I think where you’re going to see any roadblocks, it’s going to be the people who have to use this. You’ve got, you know, a lot of people who are ingrained, we’ll say, in the routines and the work habits that they have now. And it’s just human nature to not embrace change.

00:32:58:27 – 00:33:25:09
Joseph
And AI is a major change, and a lot of people are afraid of AI. So educating your people, one, on what the potentials are, the benefits, but two, how to use the tool. You hand somebody a hammer, everything looks like a nail. So you have to teach people how to use this technology to ensure that they’re going to use it properly, to the benefit of the company and to their own benefit.

00:33:25:11 – 00:33:50:12
Joseph
People are afraid that they’re going to lose their jobs to AI. We have to show people AI isn’t going to do that, any more than the internet caused people to lose their jobs when it hit the mainstream. This is another tool, and a tool that can make your job easier. It’s a tool that can make you more productive if people, you know, know how to use it correctly.

00:33:50:14 – 00:34:11:24
Joseph
That’s all we had for the news today. We’re going to take our last break. And when we come back, we’re going to talk about passwords in our second segment, principles of strong passwords. We’ll be right back.

00:34:11:27 – 00:34:32:06
Narrator
Are you tired of your favorite gaming podcast finishing with a play? Oh no. Well, check out No Credits Rolled, where we play the games, but rarely finish them. How’s it going, folks? I’m Sam Whalen, your friendly host at No Credits Rolled, the ultimate gaming podcast where we dish out the latest scoops and reviews on all your beloved video games.

00:34:32:09 – 00:34:54:14
Narrator
Hey, listen, not only that, but we spice things up with some guest interviews and even give you, yes, you, a chance to have your say. Tune in every other week for a fresh dose of No Credits Rolled, available on all major podcast platforms, and hit us up on social media at No Credits Rolled. So why wait? Let’s dive into the gaming world together.

00:34:54:14 – 00:35:07:25
Narrator
Where finishing games is optional, but the fun is guaranteed. Games.

00:35:07:27 – 00:35:36:09
Joseph
Welcome back to Insights into Technology. We are going to talk a little bit about passwords. We talked last week about the history of passwords, where they came from. We talked about some password myths, common myths. We talked about some of the breaches that we had with passwords and what some of the common password attacks are.

00:35:36:11 – 00:36:09:25
Joseph
This week, we’re going to talk about the principles of strong passwords: what makes a strong password, what some of the downsides are. Ensuring strong passwords is a critical aspect of cybersecurity, helping to protect sensitive accounts and data from unauthorized access. Today we’ll give you a breakdown of key principles that define a strong password and best practices for maintaining password security.

00:36:09:27 – 00:36:41:20
Joseph
So what makes a strong password? Well, a strong password is one that’s difficult for attackers to guess or crack through brute force attacks, dictionary attacks, or social engineering attacks. Some of the key characteristics of a strong password include sufficient length, typically 12 to 16 characters minimum; a mix of uppercase and lowercase letters, numbers, and special characters;

00:36:41:22 – 00:37:05:19
Joseph
unpredictability, avoiding common words, phrases, and patterns; and uniqueness, not reusing passwords across multiple sites. Now, a good password follows all of these, not any one of them. So password strength is a combination of all those.

00:37:05:21 – 00:37:16:23
Joseph
So there’s a debate. There’s traditionally been a debate about password length and password complexity.

00:37:16:25 – 00:37:42:21
Joseph
Which one is more important to password strength? While complexity, mixing different characters and character types, is useful, length is the dominant factor in preventing brute force attacks. A long password, even if it consists of simple words, is generally stronger than a short password that is

00:37:42:24 – 00:38:25:17
Joseph
highly complex, I’m sorry, a short, highly complex password, because it increases the number of possible combinations an attacker must guess. The best way to look at this is password cracking is directly proportional to computational requirements and power. So the longer a password is, the more computation power is needed to calculate each field. You can have the entire password be a through z, 26 characters, and that would be theoretically harder to crack than having a six character password

00:38:25:17 – 00:39:17:02
Joseph
that’s completely random gibberish. Every iteration of a character in a password requires additional computational power, and the way that encryption and passwords work now is they’re defined by the length of time it takes to crack them. When we get to the point where our encryption and our passwords are taking years of computational power at the current rate to crack, that’s secure by our definition. The password may be cracked eventually, but by the time that password is cracked, as long as that time to crack is long enough, the password may no longer be relevant, or the account may no longer be active, or the data that’s encrypted with it might

00:39:17:02 – 00:39:54:17
Joseph
not be relevant anymore. So increasing the amount of time to crack a password is really what we’re shooting for. Now, when you talk about quantum computers, you know, there aren’t any quantum computers out there that are being used for cracking now. But we recognize the potential for the computational power that quantum computers can bring to us. So policy recommendations for passwords may change dramatically when the capabilities of quantum computers have come along.

00:39:54:19 – 00:40:05:15
Joseph
The role of entropy in password strength. That’s always an interesting topic that we have to discuss.

00:40:05:17 – 00:40:36:23
Joseph
So entropy in the context of passwords refers to the level of randomness and unpredictability in a password. The higher the entropy, the harder it is for an attacker to guess or crack the password using automated tools. Entropy is influenced by a number of things: the number of possible characters used, the total length of the password, and the presence of random elements to prevent predictable patterns.

00:40:36:26 – 00:41:09:10
Joseph
A password with high entropy is significantly harder to break through brute force techniques. How often should you change your passwords? This is a debate that’s raged for quite some time now, and it’s one that I don’t know if there’s been a definitive answer. I know CISA had put out a recommendation. I’m sorry. NIST put out a recommendation of password changes every 90 days

00:41:09:10 – 00:41:55:18
Joseph
minimum. And it came to light later on, the person that came up with that policy just thought it was a good idea. There was no statistical analysis. There was no corroborating proof. There was nothing to say that frequent password changes increased your security. So conventional wisdom suggested that you change every 30, 60, or 90 days. Well, recent best practice studies from organizations like NIST have advised against forced periodic changes and said passwords should be updated conditionally: if there’s evidence of a compromise,

00:41:55:21 – 00:42:31:16
Joseph
if the password is weak or reused across multiple accounts, or if an organization requires a change for compliance reasons. They found that frequent, arbitrary changes often lead to weaker passwords, which can be counterproductive. People like to keep things simple. This goes back to our security versus convenience factor. My password might be puppy123, and I’m forced to change it every 30 days.

00:42:31:18 – 00:42:49:00
Joseph
So by the end of the year, my puppy123 is, you know, puppy123456789, however long it needs to be. That makes the passwords less secure because people have to remember them.

00:42:49:02 – 00:43:18:27
Joseph
So it’s important to not force that artificial change rule on your users. Let’s see. Passphrases. So this is, you know, a fairly new concept. Passphrases are a sequence of words or a longer phrase that’s easier to remember, but difficult to guess. The example that my research gave is purple banana drive

00:43:18:27 – 00:43:57:09
Joseph
slowly. You might be able to remember that a lot easier. It’s kind of gibberish words stuck together that a dictionary attack probably wouldn’t get all at one time. It’s long, and if you want to make it more complex, you could stick some special characters, a dollar sign, or an exclamation in there to make it more difficult. Random character strings, on the other hand, consist of seemingly unrelated letters, numbers, and symbols, and when you use password managers, this is kind of what password managers generate.

00:43:57:11 – 00:44:25:20
Joseph
You know, uppercase, lowercase, random letters, random numbers, random symbols, high entropy, almost impossible for the average human being to remember. So you need a mechanism with which to remember it. Passphrases are easier to remember, reducing the need to write them down. Random character strings provide high entropy, but are difficult for humans to recall without a password manager.

00:44:25:23 – 00:45:03:26
Joseph
A combination of both, a long random passphrase with some added complexity, offers the best balance of security and usability. So a couple of things here to finish the topic out. Use a password manager to store and generate strong passwords so that they’re unique. Enable multifactor authentication whenever possible, and try to avoid SMS. It’s literally the least secure multifactor available. Avoid using personal information or common words or phrases.

00:45:03:26 – 00:45:29:24
Joseph
Don’t use your dog’s name or your wife’s name, or your kids’ birthdays, or things that there may be public knowledge of. You want to avoid using those, and be cautious of phishing attempts that try to steal your passwords. So now we know how to build a secure password and how to manage that. Let’s talk about some of the password management tools to help us with these.

00:45:29:27 – 00:46:05:21
Joseph
With the increasing number of online accounts and the need for strong, unique passwords, password management tools have become essential for cyber security. These tools help users generate, store and retrieve complex passwords securely, reducing the risk of weak or reused passwords that hackers can exploit. Password managers are applications that store and encrypt login credentials for various accounts, allowing users to access them with a single master password.

00:46:05:23 – 00:46:34:09
Joseph
Some of the more popular password managers out there are Bitwarden, which is an open source, cloud based password manager with end to end encryption. LastPass, a widely used password manager that offers free and premium plans, but it’s faced some security breaches in the past. 1Password is a premium password manager known for its strong security features and family and business plans.

00:46:34:11 – 00:47:08:07
Joseph
Online is another. It’s a password manager with a built in VPN and dark web monitoring for credential leaks. And KeePass is another example. It’s a free, offline, open source password manager with strong encryption but requiring manual synchronization. Each of these tools has unique features such as secure password sharing, multifactor authentication integration, and different storage approaches, cloud based to local storage.

00:47:08:10 – 00:47:49:04
Joseph
I’ve used LastPass myself in the past. LastPass is great for an individual to use. Not so much an organization. There are fewer authentication options and user management options for, LastPass. I’m sorry, for KeePass. I’m also familiar with LastPass. LastPass has had some security issues in the past. The advantage of LastPass post security breach is that they are hyper aware of the security issues that they thought weren’t an issue before.

00:47:49:06 – 00:48:14:22
Joseph
So what you’ll find now is that LastPass is much more secure than it was prior to the breach. Unfortunately, the breach did happen. People’s password vaults were leaked, and some people did not encrypt their passwords. So there were certain issues. The one advantage of using a cloud based one is you take it with you wherever you go.

00:48:14:24 – 00:48:43:18
Joseph
You log on to a website anywhere, and you have your passwords with you. The other advantage, from a business standpoint: for instance, if you have a finance department, your finance manager may have full access to the passwords, but your staff, you might not want them to have the passwords, but they still need to access some of the financial accounts.

00:48:43:20 – 00:49:04:08
Joseph
So one of the advantages a password manager gives you is you can give them access to autofill the passwords, but they never see the passwords. So they have to log in to your banking site. It’ll automatically drop the password in, and the password itself is masked. If they go into the password manager, the passwords are masked there as well, so they never see it.

00:49:04:08 – 00:49:20:17
Joseph
So if that person leaves, you never have to worry about going through and changing your passwords and stuff like that. But you can still grant access, which is very convenient. So what are some of the pros and cons?

00:49:20:20 – 00:49:50:09
Joseph
You get enhanced security and encryption. They encrypt and securely store your passwords and protect them from hackers. There’s a convenience factor: autofill, like we talked about, reduces the number of passwords you need to remember. So the advantage here with a password manager is you have one master password. Again, in a password manager, every account that you store should have its own unique password, and passwords that you can’t remember.

00:49:50:09 – 00:50:17:13
Joseph
You don’t want to be able to remember these passwords. All of these password managers have the ability to generate high entropy random passwords at set lengths that you can define. So if you let these define your password, you don’t have to worry about making secure passwords. They give you the strong password generation. You’ll also find multi-device syncing that allows access to credentials across multiple devices.

00:50:17:13 – 00:50:40:02
Joseph
The cloud based ones do, at least. You also have secure sharing, where you can enable encrypted password sharing with trusted users. So if I need to give an employee a password, I can make it available to them through the password manager. Now there are cons. Obviously not everything is a plus. You have a single point of failure when it comes to a password manager.

00:50:40:05 – 00:51:06:23
Joseph
If your master password is compromised, all your stored passwords could be at risk. Cloud based vulnerabilities: obviously, you have to worry about that, as some cloud based managers have suffered data breaches. There are subscription costs to some of these. You know, most of them have a free version. But if you’re going to get into the team side or the business side, you’re going to have some costs.

00:51:06:26 – 00:51:28:12
Joseph
Some of the premium features are behind paywalls as well. And there are some usability concerns. Some users find setting up and managing a password manager complex, and it can be. This is where you need to have an AI team that’s willing to sit down and, one, help you get set up, and two, train you how to use it.

00:51:28:15 – 00:51:36:12
Joseph
Password managers without training generally, I find, fail miserably.

00:51:36:14 – 00:52:00:09
Joseph
So to mitigate risks, enabling multifactor authentication for password managers is also highly recommended. All of these password managers, at least the cloud based ones, have multifactor functionality built in, either an authenticator app or a YubiKey or the dreadful SMS.

00:52:00:11 – 00:52:24:08
Joseph
I think that’s all we’re going to do today. We’re kind of running up against the clock here. We can save the rest of this for another session. But before we do go, I want to take a moment to once again invite you to subscribe to the podcast. You can find audio versions of the podcast listed as Insights into Technology.

00:52:24:10 – 00:52:49:03
Joseph
You can find audio and video versions of all the network’s podcasts listed as Insights into Things. We’re available on Bluesky, LinkedIn, Facebook. We do stream five days a week on Twitch. Which, by the way, I didn’t do my shout out. So I did want to have one shout out for a Twitch follow this week, for apex, I see.

00:52:49:06 – 00:53:15:00
Joseph
Thank you very much for your follow. I appreciate that. We would also invite you to give us your feedback. Tell us how we’re doing. Give us your own commentary. I’d love to hear your take on some of the stories that we talk about here. You can email us your comments at insights into things dot com, or you can call us and leave a voicemail for us at (856) 403-8788.

00:53:15:00 – 00:53:23:12
Joseph
That’s (856) 403-8788. That’s it for this week. Another one in the box.
