
Adopting Zero Trust with Bitwarden: The Mighty Password

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

There’s no avoiding it: the headlines have not been kind to the ways we access systems today. Users are still using 1234, password, and even their dog’s name. Worse, they are not just using these weak passwords but also reusing them across multiple platforms, which makes it incredibly easy to breach someone again once they’ve been caught up in a previous breach. On the vendor side, well, we all know what’s happened there in the past 12 months, and now more than ever, password management platforms have growing targets on their backs as high-value assets.

But we are not here to throw rocks in the glass house nor try to dissect what goes well or goes wrong in these situations; however, we should all focus on what we can take away from them and ensure they are not repeated. This concept aligns well with Zero Trust, where we should assume systems are already breached and that your users will, whether intentionally (to shitpost in a Discord channel) or accidentally (falling for a phishing lure), do the wrong thing, so we should remove as much implicit, unchecked trust as possible. At least until Skynet takes us all out, but we have a few good years ahead.

Jokes aside, we have a great episode for you and appreciate Bitwarden lending us two of their C-suite members who cover a range of topics, including how they navigate these challenges. This week we chat with Bitwarden’s CEO Michael Crandell and Chief Customer Officer Gary Orenstein. Bitwarden offers an integrated open-source password management solution for individuals, teams, and business organizations. It also offers a self-hosted solution, which appeals to those who want greater control over their secrets.

Key Takeaways

  • The use of a Zero Knowledge architecture means that the company, whether cloud-hosted or self-hosted, should not be able to access sensitive information without the user’s permission.

  • Open-source solutions offer an additional layer of trust, as more eyes are on the product and can vet it for security.

  • Passwordless authentication is the future.

Bitwarden World Password Day Stats

Access the full report here.

  • 57% of Americans are excited about passwordless authentication options like biometrics, passkeys, or security keys.

  • Best practices are still diluted by bad habits, with 88% of Americans reusing passwords across multiple sites.

  • 28% of US respondents have used a password that included the word “password” or a variant spelling of the word.

  • 67% of Americans use easily identifiable information in their passwords, such as company/brand names, well-known song lyrics, pet names, and names of loved ones.

Editor’s Notes

On our experimentation working with vendors:

Over the past few months, we’ve trickled in a few episodes with varying degrees of conversations with vendors. This episode in particular works well since passwords will always be relevant, but going forward, we’ll likely only pursue direct conversations with vendors if there is a timeliness factor or they are paired with another practitioner. If you, our readers, have other suggestions, do let us know. This is a passion project for Neal and me, but we occasionally listen to feedback.

I am once again asking for your time (Bay area edition):

In the Bay area? Neal (mostly since I voluntold him) will be presenting a threat intel 101 presentation as it relates to ISO 27001 on June 22 at Drataverse. If you are interested in attending, reach out to me on LinkedIn as I have some comp passes left. We have a pretty awesome lineup of CISOs, GRC leaders, and other amazing experts in their own fields joining us. This will hopefully be the last time I annoy you about the conference, but no promises.

Weekly InfoSec Headlines and News

Some impactful news stories and community posts from the past couple of weeks.

Zero Knowledge Architecture

First, this is not a sales pitch, and there is no sponsorship here. We also discussed this concept in a previous episode.

Bitwarden’s zero knowledge architecture means that the company, whether the service is cloud-hosted or self-hosted, should not be able to access sensitive information without the user’s permission. Information exists unencrypted only on local devices while it is in use; it is encrypted locally before it is transmitted to Bitwarden’s servers for storage and synchronization with other devices. Bitwarden stores login credentials, passport numbers, credit card numbers, and time-based one-time keys, all of which are encrypted on the client and again at the server. The company also implements what it calls multi-factor encryption: a second layer of encryption applied at the server to the already-encrypted data it receives. That second layer matters most when a user has chosen a weak master password, since the master password is what the client-side encryption key is derived from. This architecture is designed so that user information remains safe even if the servers are breached.
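The following is an added example, not Bitwarden’s code, that models the zero knowledge property described above: a vault item is encrypted on the client with a key derived from the master password, the server stores only ciphertext, and the server wraps that ciphertext in its own second layer. The cipher is a demonstration construction (an HMAC-SHA256 keystream with encrypt-then-MAC) chosen so the example runs on the Python standard library; the PBKDF2 iteration count, salt, item contents and class names are all assumptions made for the example, and a real client would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Added example, not Bitwarden's implementation. Demonstrates the
# zero-knowledge layout: client-side encryption under a key derived
# from the master password, plus a second server-held layer on top.
# The cipher below is a demonstration construction (HMAC-SHA256 keystream,
# encrypt-then-MAC), not the scheme any real vault uses.

PBKDF2_ITERATIONS = 100_000  # constructed value to keep the demo fast; production uses more


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key that never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one 256-bit key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Client:
    """Holds the master key in memory only while the vault is unlocked."""

    def __init__(self, master_password: str, salt: bytes):
        self._key = derive_master_key(master_password, salt)

    def seal_item(self, item: dict) -> bytes:
        return encrypt(self._key, json.dumps(item).encode())

    def open_item(self, blob: bytes) -> dict:
        return json.loads(decrypt(self._key, blob))


class Server:
    """Stores client ciphertext wrapped in a second, server-held key."""

    def __init__(self):
        self._server_key = os.urandom(32)
        self._store = {}

    def put(self, item_id: str, client_blob: bytes) -> None:
        self._store[item_id] = encrypt(self._server_key, client_blob)

    def get(self, item_id: str) -> bytes:
        """Strip the server layer; what remains is still the client's ciphertext."""
        return decrypt(self._server_key, self._store[item_id])

    def try_read_plaintext(self, item_id: str) -> bool:
        """What the operator, or an attacker holding only the server key, can recover."""
        try:
            json.loads(decrypt(self._server_key, self.get(item_id)))
            return True
        except (ValueError, UnicodeDecodeError):
            return False


def demo() -> dict:
    """Sync one item from a laptop to a phone through the server and report what each party sees."""
    salt = b"constructed-salt-per-user"  # constructed; real salts are random per account
    item = {"name": "example.test", "username": "alice", "password": "correct horse battery staple"}
    server, laptop = Server(), Client("a long master passphrase", salt)
    server.put("item-1", laptop.seal_item(item))
    phone = Client("a long master passphrase", salt)  # second device, same master password
    recovered = phone.open_item(server.get("item-1"))
    return {"synced_item_matches": recovered == item,
            "server_can_read": server.try_read_plaintext("item-1")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the section describes: a second device with the same master password recovers the item, while the server, even after removing its own layer, is left holding ciphertext it cannot authenticate or decrypt.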

Open Source and Community Involvement

We like to harp on this, but Zero Trust does not mean never trust. It means you start at a zero baseline, constantly verify, and then build a pathway toward granular levels of trust. Open source is one of the critical differentiators through which cybersecurity vendors can chip away at building that trust, because the code is out in the open for anyone to inspect. It also gives users more control over the platform, as they can contribute to it.

Bitwarden has a large community, evidenced by a full-featured free version that is translated into 50 languages. The company takes feedback from the community on feature requests and vulnerabilities. It also runs a bug bounty program at HackerOne.

Passwordless Authentication

According to Michael and Gary, passwordless authentication is the future, and we are at the start of a lifelong journey through different passwordless technologies. Biometrics, such as fingerprint or Face ID, and security keys are already popular but may not appeal to the most security-minded people. As for the concept of passwordless actually being… without a password? It’s more a shift to passkeys, which still act as a form of credential.

World Password Day

Bitwarden conducted a global survey in honor of World Password Day, which occurs on May 4 every year. The survey found that 57% of people are excited about passwordless authentication options. However, 88% of people still reuse passwords across multiple sites, which makes having a strong and unique password at every website more important than ever.
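As an added example (not part of the survey or of Bitwarden’s tooling), the audit below checks a vault export for the habits the survey flags: the same password reused across sites, the word “password” and its common spellings, and easily identifiable personal terms. The export format, the `PASSWORD_VARIANT` pattern and the sample entries are constructed for the example; passwords are compared by hash so the findings never carry a plaintext password.

```python
import hashlib
import re
from collections import defaultdict

# Added example, not from the survey or from Bitwarden. Audits a vault
# export for reuse across sites, "password" variants and personal terms.
# Only SHA-256 digests are grouped, so the report never holds plaintext.

# Matches "password", "p@ssw0rd", "pa55word"-style variants (constructed pattern).
PASSWORD_VARIANT = re.compile(r"p[a@4]ss?w[o0]rd", re.IGNORECASE)


def audit_vault(entries: list, personal_terms: list) -> list:
    """Return sorted (site, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    sites_by_hash = defaultdict(list)
    for entry in entries:
        site, password = entry["site"], entry["password"]
        sites_by_hash[hashlib.sha256(password.encode()).hexdigest()].append(site)
        if PASSWORD_VARIANT.search(password):
            findings.append((site, "contains the word 'password' or a variant spelling"))
        lowered = password.lower()
        for term in personal_terms:
            if term.lower() in lowered:
                findings.append((site, f"contains easily identifiable term '{term}'"))
    # Reuse: any digest that appears under more than one site.
    for sites in sites_by_hash.values():
        if len(sites) > 1:
            for site in sites:
                findings.append((site, f"password reused across {len(sites)} sites"))
    return sorted(findings)


# Constructed sample export; no real credentials.
SAMPLE_ENTRIES = [
    {"site": "mail.example.test", "password": "P@ssw0rd2023"},
    {"site": "bank.example.test", "password": "Tq7!vL9$wXm2nR4k"},
    {"site": "shop.example.test", "password": "Tq7!vL9$wXm2nR4k"},
    {"site": "forum.example.test", "password": "Buddy1999!"},
    {"site": "work.example.test", "password": "correct horse battery staple"},
]
PERSONAL_TERMS = ["Buddy"]  # constructed, e.g. a pet's name


if __name__ == "__main__":
    for site, finding in audit_vault(SAMPLE_ENTRIES, PERSONAL_TERMS):
        print(f"{site}: {finding}")
```

On the sample export this flags four entries: the reused bank/shop password, the "password" variant on the mail account, and the pet name on the forum account; the work entry passes.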

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone, and welcome to another episode of AZT, Adopting Zero Trust. I’m your producer alongside our co-host and the primary interviewer Neal Dennis.

And today we have a wonderful, a couple of guests that we’re gonna be able to chat with about something that I know Neal has poked in, in probably every episode that we have recorded in the first season and probably leading up to this season too.

Neal: I feel violently attacked at the moment. Sorry. No,

Elliot: Hey, I only mean that as in love and inspiration that, you know, this is just one of those critical pieces of zero trust, and not even just zero trust, but cybersecurity in general.

But you know, without further ado I would love to introduce our guests today. So, over at Bitwarden we have Michael, who is the CEO, and Gary, who is the Chief Co... correct me on your title, Gary.

Gary Orenstein: Chief Customer Officer. Thank you. Yeah.

Elliot: There we go. Chief Customer Officer. So highly integrated, gets to have all the fun conversations with customers, fully understands their pain points, and nope.

Looks like Neal’s got something to say before I run over ’em. Nope.

Neal: No, you’re good. I was just gonna say, I got something to share with you, Gary, having. You know, working on the client success side, I got, I got a wonderful video you’re gonna wanna see later.

Gary Orenstein: Wait.

Michael Crandell: Well, I’m a serial entrepreneur, Elliot. And I guess most recently was CEO of a company called RightScale. That was a very early player in the cloud computing space, where zero trust, you know, became very important very quickly in the hyperscale clouds, as, as you all know, as we all know. And then had a chance to get introduced to the founder of Bitwarden, Kyle Spearrin, who’s now our CTO as well as founder.

He, he founded the company in about 2016 ish, 2017, and grew it almost single-handedly to quite a successful early startup. And then he saw the chance to grow it to something much bigger and the need for funding to do that. So I, I got introduced to him. I fell in love with the product, the community, with Kyle.

He’s married by the way. So, no question there. But and just thought, hey, this. This is a really important technology that has a big community behind it. And it’s differentiated by number one, being open source, which as we’ve discovered since, is a critical factor in business perception of the solutions they use in the, in the security space.

It’s just very simple. There are more eyes on the product and vetting it and making sure it’s secure. As I’m sure people know happens in our business and industry, has happened with some other players, you don’t wanna wonder what a company’s doing with your sensitive information, and if it’s open source, you can tell.

He had also built it to be optional, whether you run it in the cloud or self-hosted. And, and again, just the huge community involvement as evidenced mostly, most importantly, by having a full featured free version that anybody in the world can use. And we are translated into 50 languages. For all those reasons, I fell in love with it.

Linked arms with him, helped raise money. And actually a few short weeks after that met Gary and, and he joined and, and now what lies ahead are some new products for us we’ll get to talk about today, as well as the whole new frontier of passwordless authentication and that, how that will help us all.

So that’s my story.

Elliot: Love it. So, that is a wonderful background and I love that there’s, you know, basically you’re pairing your expertise in leading organizations. And, you know, really helping focus your energy on scaling organizations who can use that support cuz it is realistically a pretty competitive space. Now on our, our show, we certainly don’t throw out names and we won’t, we don’t really talk about headlines and all that, but I mean, headlines are hard to avoid to an extent, but we will, we will avoid that to the extent that we can.

But obviously I think with recent news in the past, like six months, a year, maybe a little more than that, like the community definitely rallies around organizations like Bitwarden in particular, as you pointed out, the open source element to it. And you know, Reddit is a unique place, but. Every time something comes up where they’re like, Hey, we need a solution for it.

I always, always, always see Bitwarden at the top of those lists where people are just rallying behind it, highly recommending it. So, it’s just great to be able to have that conversation with y’all and get kind of that perspective. But with all that said, Gary, let’s kind of get a little bit of a rundown on your background as well, and then we’ll kind of jump into it.

Gary Orenstein: Sure. So I’ve spent most of my career in the technology sector, predominantly focused on enterprise technologies, on selling to companies. And one of the wonderful things about joining Bitwarden is the ability to merge that aspect of our business with the ability to cater to individuals as well.

You know, when you think about the tools that we use at home and at work, there’s not that many: email, maybe messaging, maybe collaborative docs or something. Maybe a couple more. But password management is actually in that category too, and it makes for a really interesting dynamic. To be able to work with a product that has this 360 degree experience.

How do we stay safe at home? How do we stay safe at work? Is one of the things that really appealed to me when I got introduced to the company and, and Michael and the team. Today I lead the sales, marketing, and customer success efforts. And as you indicated, one of the wonderful things about Bitwarden is the amazing community that has rallied around the product. And the mission of helping everybody stay safe online can’t be, you know, one person or one company that helps the entire world. So we’re thrilled to have folks who participate in the Reddit community and other online communities pretty much just helping each other stay safe.

And if there’s a defining characteristic of a Bitwarden user, it might be that they can’t help wanting to help and help each other stay safe. And so that’s a nice aspect of the com, the community that keeps everybody together.

Elliot: Yeah, I, I absolutely love that. And as you all both had pointed out, I think the reality is that open source resources in this space are just super critical. Especially like if you’re a startup, having those kind of opportunities for other people to help build and, you know, be part of that conversation and be part of the narrative in general.

You know, it just allows them to truly understand what they’re working with, whereas again, try to avoid particular headlines. But, you know, when there’s proprietary stuff in the mix is the only focal point. It’s hard to really have that visibility until something goes south or, you know, they just decide to open up a little bit of information.

But yeah, I think that transparency is a big play in there. And then, You know, coming from where Neal and I used to live in that collective defense system, as you were pointing out here, is like, you know, this space, people truly care. They want, they’re mission oriented, they want to help each other. But yeah, Neal and I can definitely speak to that probably all day about, you know, joining forces in the community aspect of cybersecurity in general.

Michael Crandell: Sure. You know, Elliot, I would just add people were very serious about the fact that our users invest a lot of trust in us and it’s, it’s a, a responsibility and a mantle we take very seriously, and something that goes very much with zero trust. The purpose of your podcast and the headline is Zero Knowledge and, and people can of course, confirm that by the open source architecture.

But we, we don’t, we design a system so that we don’t get hacked, but we also design it so that if we do get hacked or breached, user information is still safe. And we can go into that more if you like. But that’s around the zero knowledge architecture where. Fits very well with a zero trust kind of approach where even if there were to be a breach, people’s sensitive info is safe.

Neal: I know real quick, I know I would personally like to go down that rabbit hole for people to better understand it. So depending where Elliot wants to take us for the next couple minutes, I think that’s gonna be our lead off here in a few seconds. If not now.

Elliot: No, you’re totally right. I was gonna make you hold it at bay for like a minute because the Bitwarden team is going to be releasing new research, which I think this episode comes out slightly after that. But I’d love to, you know, dig into what you’re planning on dropping or we’ll have dropped at this point, and then we will absolutely unleash Neal into that rabbit hole with y’all.

So, yeah. With World Password Day having come or, God, or here where, wherever will we publish this? Yeah, I’d love some insight into, you know, what you’re seeing out there in the world.

Gary Orenstein: World Password Day is May 4th, and it’s just a chance for us to celebrate all things, passwords and passwordless. And what we’ve done for the last several years is a global survey in the keeping with the global holiday to understand password management habits and. Practices and, and we survey just general internet users.

I think the, the criteria is that you, you are an internet user, so this is a wide spectrum of people. And we’ve got some great data that’ll be coming out. For folks who want to check out more detail they, they’ll be able to go to the Bitwarden blog and see information there.

Some of the interesting stats: there’s a lot of excitement about passwordless technology. You know, I have a, a, a line that I like to share is if you ask people if you like passwords, very few people will say yes, but if you ask people if they like their password manager, everybody will say yes because the password manager helps remove the, the interaction with the passwords and, and actually makes it, it’s a, it’s to some degree a passwordless experience when you’re just logging in with your fingerprint or Face ID.

So, new stat of 57% of people excited about passwordless authentication options. That means everything from biometrics to security keys, to new passkeys that are coming into the market. At the same time, what we find is that understandably people are still, mm, maybe sometimes not complete in how they handle their own passwords.

To the degree that they might should. So, 88% of folks still reusing passwords across multiple sites, which is one of the big no-nos. You wanna have strong and unique passwords at every website you visit in case there’s a problem with one, it won’t affect the other. Some people still admitting that they, they do use the word password and some of their passwords, which is an easy way for somebody to get.

Into your account also. People sharing, 37%, that they use easily identifiable information in their passwords, such as name of children or partners or pets. And so that’s also another area where you wanna make sure that your, your passwords are, are, are really random. So there’s a whole bunch of data that will be available for folks to share.

We also have historical surveys that are available for people who want to see that. We, we have something at Bitwarden called the Survey Room, the Bitwarden Survey Room. And so if you just Google that, you’ll get to the whole roster of research, both the new research that’s coming out for World Password Day, as well as some historical surveys.

So we’re, we’re looking forward to that, a chance to celebrate good security for all. And so, yeah, that’s what’s coming up there.

Elliot: Awesome. And we will obviously plug all that into the recap for this episode. And hopefully even if we publish this after May 4th maybe we’ll do a little clip and tag that out there so we can get that in front of our audience. But with that all said, Neal I’m ready to unleash you. Let’s go down that rabbit hole.

I know you’ve been ready to go for this conversation, so it is all yours.

Neal: I have to be mindful that Elliot does actually have good thoughts and opinions and then not try to interrupt him. Earlier on. I’m very notorious for just steamrolling him and then he just, Forgives me later and I send him like a pastrami sandwich. No. So the, that meme said,

Gary Orenstein: I’ll, I’ll take a pastrami sandwich if, if you got one.

Neal: That, that was in March?

No. When we think about some of the stuff that y’all offer, and like I said, I wanted to come back to zero knowledge on purpose. I wanted to come back to what that means for, for the larger audience to understand just the implications behind that. Because I imagine anyone who’s clicked onto a a multimedia giant streaming service has probably gotten the adverts for their equivalency of something recently.

And, and what Zero knowledge really does actually mean in, in the true sense of, of both the provider as well as for my, my security and awareness. You kind of touched on it a little bit, but if you want to kind of maybe dive down into the rabbit hole with that a few more minutes, that’d be wonderful just to level set the construct a bit.

Michael Crandell: Absolutely. What we are storing and allowing users to easily create access, utilize in their day-to-day work is login credentials. There’s other information too, but the basic use case is your username, which is often your email, but it could be just a username and a password. That’s the most common.

Basic login information. Sometimes there’s also, for example, a time-based, one time key that can get added to that, like an authenticator key, et cetera. But because that information is so sensitive, we wanna make sure that we reduce to a minimum layer or minimum level, the ability for that to get breached.

And so the central concept there is that Bitwarden as a company, Bitwarden at the server level, whether it’s cloud hosted by us or self-hosted by a company and a company’s IT department, should not be able to get to that sensitive information by itself, meaning without the user’s permission. And the way that’s implemented is that all of that information only, only exists in its unencrypted state on local devices when it’s being used.

So when you’re on a laptop, for example, and you’re using the browser extension to auto login to a site or to autofill those identity form fill areas to log in to a website, it’s unencrypted there, but anytime else, when it’s transmitted to Bitwarden’s servers for storage, synchronizing with other devices, et cetera, it is locally encrypted.

So that’s the basis of what we mean by zero knowledge. We have no knowledge of your sensitive information, not only including passwords and, and login IDs, but anything else you store there, which can include passport numbers, credit card numbers, the TOTP codes, et cetera. And on top of that, we’ve recently implemented another layer of encryption, encrypting the encrypted information we receive.

We call it multi, multi-factor encryption. Multi-factor encryption to go with kind of multi-factor authentication, right? So it’s a parallel concept, so we re-encrypt it at the server in case somebody is using a master password, which becomes the encryption key, that is not very powerful, as we see from the survey results.

Gary just went through. There is a tendency for users to use simplistic passwords for the obvious reason that they’re easier to remember for, for people. So that basic encryption scheme, end-to-end encryption, means that Bitwarden cannot get at the data, and we basically encrypt all the sensitive data.

There’s nothing that’s unencrypted like the URLs you visited, something like that. Because our business model does not rely, and we do not track users or advertise to users or harvest any data about users. That we use in some other way. The sole purpose of what we do is helping you manage your passwords in a, in a healthy, secure way.

Neal: No, that makes total sense from my perspective at least. So I think that’s awesome because in a general security posture, you know, zero knowledge, zero trust, they, they are. You know, very mutually inclusive of one another from an approach to security. You know, from a zero trust perspective, we talk about limiting accesses to things that only need accesses, but from a zero knowledge combination perspective, if I get onto a server, I.

And, and start trying to pivot through there. You know, it’s not just a matter of access controls and where I go from there. It’s also important to think about the identity of that platform and what it just tertiary has access to, just to communicate with and how visible that is during a particular session.

Right. So, you know, zero knowledge from network traffic, zero knowledge from just general IT perspectives are, are very important. You know, I, I think moving forward a little bit, With what y’all are offering and, and the goals and growth here. You know, we talk about, we’ll get to passwordless security mentality here in a minute.

I do like the ideas of these things a lot, but you know, we talk about the authentication methods that build into this stuff. So from an open source project perspective, I, I imagine I’m, I’m assuming there’s probably a lot of buy-in for that growth, the passwordless security, given the stats that you referenced.

But how much of this from, from a Company perspective is homegrown, and how much of this is truly like crowdsourced open source people working in tandem with y’all. Not just ideas, but actually co-opting and, and, and threading things together with the company.

Michael Crandell: Like most open source companies, I would say the majority of the developers, the, the software engineers that work on the code are team members at Bitwarden. They’re, they’re employees or international team members who work on the code. We do take pull requests and contributions from the community, and it’s beyond just the coding.

I would say the relationship with the community is multi-pronged in the sense that we get a lot of input for feature requests. We get comments on vulnerabilities that may pop up. We do run bounty, bug bounty programs. We have one at HackerOne. So there are a whole, and we get security researchers analyzing the code, so we get feedback across a number of fronts besides just the, the coding front.

And I would say in that aspect I’ve, I’ve never been at a company that had this much community involvement. And I, and I think in our category of password management, we, we definitely must be the most broadly based participation from any community.

Neal: Oh, that’s awesome. So as the community grows, as the product grows, as things progress. So I’m gonna take us down in the passwordless piece here. So from a growth perspective, how, how important, how impactful do you see the passwordless mentality being? And then flip that a little bit, what technologies do you see being critical to the success of that mentality moving forward?

Gary Orenstein: So we think we’re at the start of a lifelong journey here of different passwordless technologies. You know, even today, there are lots of great passwordless technologies such as biometrics that can be used on your mobile phone or on your laptop desktop devices. Security keys are another thing that’s well, well liked in the Bitwarden community for just that, that, that extra bit of security that fits people who, for whom they, they want to cover those potential attack vectors.

And then of course, the, the newest stuff that we’re seeing is something called passkeys, which is a new approach to create unique credentials for users to log into specific websites using device specific information. That to, to, to a much degree the, the passkey replaces the password. And it, the workflows of that allow and ensure that people are creating something that’s strong and unique, just like in the, the password world. We want to create strong and unique passwords. We want the same thing with passkeys. The good news is there’s a wonderful industry standards organization, the FIDO Alliance, that’s helping push a lot of this forward. The FIDO2 specification, the WebAuthn specification.

Bitwarden is a, a member of this group and contributing actively to all of these fronts. And we just think we’re gonna see a lot more of that. Support both of, you know, the things I mentioned earlier and the passkey support both at Bitwarden and at, you know, websites around the world.

Another thing I’ll add is that as part of the bigger picture of recognizing this movement to passwordless technologies, earlier this year, Bitwarden announced an acquisition of a company called passwordless.dev, and the main product there is the ability to help developers instrument passwordless authentication for their applications with just a few lines of code. And so sort of, we know lots of people are gonna wanna implement passwordless technologies for their websites and their user bases. And Bitwarden passwordless.dev is going to help them do that. So that’s a high level overview and we can certainly dig into more details in different areas. Or Michael, I don’t know if you wanted to add something into that.

Michael Crandell: I just add a word about the journey that you mentioned at the very beginning. This is gonna be a journey over a long timeframe, this transition into passwordless. And the important thing about our vision, we’re not strongly opinionated about, you know, you hear companies saying, kill the password, and we gotta go a hundred percent this way and that way. Our view is very practical. All of us are gonna live in a world where we’re gonna have to authenticate with services and apps to do our work, to live our lives, some of which are password based. And it’s gonna be that way for some of them for years to come, and some of which are various kinds of passwordless technologies. And the, the vision for Bitwarden is let’s help people use the best, most secure, easiest way to authenticate regardless of what context they find themselves in. As things move to passwordless, let’s support people a hundred percent and, and make sure that’s easy and whatnot, and have the same tool help them on a password based site the way it does today so that people don’t need to think about it so much. But it’s a, a seamless transition and you’re covered everywhere in effect.

Neal: Oh, that’s cool. So. On diving into a particular flavor. We talk about passkey structure and you know, virtualized login credits, whatever on the fly type things. You know, credit card companies have that as a construct, right? For credit card procurement, especially if you’re using your phone. Visa, MasterCard, both do that if you want them to.

You have to opt in and you have to take advantage of the process flow. So I’m a big fan of the idea of. Of that one time use legit login, whether it’s something you spin up and you still type it in, or whether it’s just some kind of legit true passwordless mentality, pass through login, authentic, some other way.

Right? I love push notifications. I love the ability to, you know, pick in your actual physical key and do things automatic and programmatically that way. So I guess my, my question on that sense, you know, the. The push for that idea to where, you know, things like, like phishing sites and stuff like that.

And hopefully to some extent, some of the, the more BEC type things, business email compromise type stuff where you Outlook 365, type your creds and congratulations, your CEO now sends out a million emails. I like the idea of how that literally helps mitigate that basic construct. Right? Now it’s kind of fun because then it puts more focus on targeting the individual, which in theory, you know, from a, a more direct approach to social engineer then becomes a lot harder because there’s other echelons of things you have to consume to be able to do this now.

Right? Whether it’s devices or other aspects of things. So on that vein, you know, how do y’all feel about that hierarchy and do y’all think from an escalation perspective where we’re gonna have to pay attention in, in the attack stream and, and exploitation efforts? You know, we go passwordless, but what do we think might be some of the concerns therein or ways to.

Worry a little bit more, I guess.

Michael Crandell: So I think one important thing to understand about the discussion about passwordless is that at some level, in very simple terms, passwordless isn’t, there’s still a credential, if you will. There’s still a key. Now it’s called a passkey. There are many attributes about it that are better than passwords.

The biggest one being users don’t need to remember it. It’s generated, stored, managed in an automatic way by your Face ID or Touch ID, Android biometrics, like security key, other things like that. So, it, it fits the bill of a strong, unique password that you don’t need to remember. It’s also good because you can coordinate both sides and have more than one passkey allow authentication and access to an app or service, which starts to get at what you’re talking about, where you can, you don’t not just have a single credential to get into something, but it can be more context-based or situation based. One of the challenges that, that pops up is that the big proponents of this are, are the large software companies that, that have big.

Software ecosystems, Microsoft, apple, Google, and they’re helping accelerate the adoption of past keys, but what’s not so much in their interest, we believe is supporting the portability and interoperability across platforms. They, they tend to be focused on serving the population within their wild garden or ecosystem.

And so one role for a company like Bit Warden is to support that interoperability, that multi-platform aspect. For pass keys, just as we do with passwords today, we operate across basically Mac, os, Linux, windows, Android you know, iOS, a host of browsers. An api cli, command line interface, et cetera, you need to be able to get at it wherever and whenever you need it, when you’re traveling, when you’re not. So, but I do think that once you start to solve those problems, you get a much more secure solution because again, the strong, unique credential, in this case, a passkey or multiple of those per site. Is guaranteed in the, in the Passwordless approach. And then where are the areas that that come into play are different areas, like is in the very early days of face ID people we’re trying to construct.

Models of faces and see how much they had to plaster on to get a match and things like things like that. So the same principles still apply around just the vulnerability points shift also lot on most of these platforms. The past keys themselves are, are saved in the secure vault on the device. So key chain or the equivalent on Windows, key chain on Apple, et cetera. And that that is typically a very safe place to store them. But that comes into play too. In terms of, of where are the vulnerability points. So I don’t think they’re, and then you get sensitivities by users, people who don’t want their face used for face id. Or, you know, get into paranoid situations about how your fingerprint might be used without your consent and things like that. So I think it is a big leap forward, but it’s not without its weak points.

Neal: Fair enough. Yeah, go ahead.

Gary Orenstein: I was just gonna say, there's a stat we have in the upcoming survey because, while a large number of people are super excited about passwordless authentication, 55% prefer to use their memory over their fingerprint or their face, and 36% were worried about that fingerprint or Face ID being used against them. And so for the people who I might put on the more conservative side of the security profiles, they don't want biometrics to be unlocking their universe. They want their own specific brain to be doing that. So now, granted, for most people in their day-to-day business, it's a different story.

They want as much, you know, taken away from them and streamlined as possible. And you know, at Bitwarden we try to reach a broad number of people and have these solutions that can fit the way that you wanna instrument your own security profile.

Neal: No, those are fair points. So I think both of y'all hitting on the bigger picture is that at the end of the day, it's still some kind of digitized fingerprint, right? Whether it's your actual fingerprint or a password that you type in, it's still something that has to be captured and something that has to be replayed, encrypted, decrypted, the whole nine yards.

And so I think that's one of the fun, fascinating things for me, is that, you know, we make it easier for the user, but there's levels of complexity in what can still be targeted at that point. But at the end of the day, for a threat actor, it's still a repo and it's still something that ultimately is still a credential of some sort.

And we find a way to replay it. We find a way to replay it. But I think, putting it back onto the zero trust flow, that's where the multiple echelons come in. So first up, zero knowledge, very important because, you know, for y'all, not having access and awareness of what actually it is that that ID is, or how it's being applied or where it's going to or attached to sites.

Those are all big things, cuz then it limits my opportunity as some kind of threat to actively engage purposefully and intentionally against specific sites. And then secondarily, you know, from the growth perspective, if we tie this back to ZT, you know, session-specific constructs. Again, I love the idea from a zero trust perspective because, as a developer and engineer, to your point, you have the same website, but you probably have five or six different ways you have to log into it to interact with it on given things.

And each one of those profiles can have segregated security settings. So if it's just a generic, you know, customer-facing interface, so you can check to make sure the UI looks pretty, sure, we can log into that through China. But if it's the dev site that you're managing, right, maybe not necessarily a good idea depending on where you're officially located.

Right. So I like the cohesiveness of the idea of passkeys, or the constructs of those single-use digitized efforts. And then we tie that back into the larger picture of zero trust and start thinking about identity access management as a broader term. Right. So for y'all playing into that world and thinking about zero trust methodologies, you know, I think the bridge is pretty straightforward, but can y'all kind of talk about y'all's thoughts and flows on how y'all approach identity access and where y'all see it purposefully playing into the zero trust mentality and, you know, support and growth and all that other stuff that goes along with that? I guess it's a very high level question with a lot of little things we could talk about.

Michael Crandell: Well, I'll take a first swipe at it. And to start out, I think it's going to be a process that evolves in different eras and epochs of sophistication. But to kind of go back to the beginning, I think we all know, look, the concept of zero trust probably goes back to the 1990s. I think somebody wrote a PhD thesis on it. And it's taken a lot of years for it to become as mainstream as it is today, probably. In the early years, I thought zero trust was a characteristic of a romantic relationship that had gone bad. But it really came more into the fore as I was doing the cloud computing stuff. And then when I joined Bitwarden, which is intentionally a 100% remote company, we're living it every day. And this also happened because of the pandemic: so much work was accelerated to be done in a remote context that it was necessarily either zero trust or not very secure, because the network perimeter just is blown up pretty much in that scenario. So I think the first level of how this works is that password management is a super valuable first step in the zero trust, zero knowledge movement, because it is what facilitates a secure identification that gets you into a single access with least privileged access, which is controlled on the other side, right?

But it depends on a unique login at a unique moment that may expire after a while. Bitwarden, for example, has unlock and lockout timeouts and things like that. And so our whole system is built to kind of enable, at a very initial, basic level, people to work with zero trust, within zero trust architectures, and with zero trust systems. So to me that's the starting point, is that people should realize, and this is a world where we get into a lot of fear, uncertainty, and doubt of, you know, hacks are, we read about 'em every day, everything's getting breached, and identity theft, and I'm always at risk. And yet people still use the word password in their passwords, right?

So we've got this weird dissonance going on between the fear that we know is there and what we actually practice. And I will just double click it, it seems kind of obvious, but using a password manager is the first important step there, and it gains you a huge amount of security. A second step would be add MFA, add multifactor authentication. If you do both those things and use them properly and rely on the password manager to create unique credentials and passwords for every site that you visit, there's a huge amount of security taken care of right there. Beyond that, Gary, anything you want to add?

Gary Orenstein: Yeah. Well, for those who are really interested in taking this further, another great tool in the toolbox is email aliases, and of course there's a lot of affinity in the Bitwarden community for email aliases. So much so that we actually integrated with five email alias services, so that when you're creating a new login for a website that you might be signing up with, you can create your email alias through Bitwarden for your favorite site. And we integrated with SimpleLogin, which is now part of Proton Mail; AnonAddy, an open source solution; Firefox Relay; Fastmail; and DuckDuckGo, which recently introduced an email alias service. And all of those integrate with Bitwarden and allow you not only to have a strong and unique password for that website that you might be interacting with, but a unique email address. So again, for the folks who want to, you know, just keep carrying forward, I would take a look at those email alias services. Pick a favorite, several of them have free options, and just give yourself another added layer of protection.

Michael Crandell: One other thing I'd add, and I know you're asking beyond what we just mentioned, the more context-specific, not just per website, but for example location or, you know, something that rotates all the time. The obvious first one is a time-based one-time passcode that is changing every 30 seconds. And of course anything that works like that has to be coordinated on both sides, on the app or service side as well as the client. And that's a special feature of Bitwarden where you can either use your phone and take a picture of the scan code or enter the seed for the TOTP code, and Bitwarden will then also remember and generate that as an extra layer of security.

And it's of course a version of MFA. But if a company is installing Bitwarden, and if they like what some of our companies have done, there's a feature you can turn on that allows a company to have audit entries about what's going on in the password management system. The company can't see the actual credentials, but they can see things like the IP address that is logging in, and using that in some geolocation, they can do things like calculate impossible travel, a concept that's popular in security circles. What it means is two logins happening within a certain timeframe that is impossible for a person to have gone from location one to location two. They're traveling more than a thousand miles an hour or something like that, and they can kick those out for security personnel to take a look at and investigate. And as you also mentioned, you know, when do you want to have tighter controls on certain geographical areas? We all know where most of the hacking in the world comes from, in general terms. And so it doesn't take a rocket scientist to kind of figure out that that's something you should watch for.

Neal: Geofencing's a very fun topic as well, and how to apply those things. I think it's critical, as are several things, for zero trust and identity access control as a whole. The email alias approach, I also love that. I take advantage of that as well for multiple reasons.

So good insights, though, so I appreciate that. I think for those, once again, looking for an email outta this program, Proton Mail is a very good open source alternative, to name a few names. In that sense, we're all in the same vein. So Gary, I did kind of have maybe a little thought flow question for you, being that you're on the sales CS side.

As the wholehearted. So when you interact with the client base, whether it's enterprise or whatever echelon you're personally directly interacting with or receiving constructs from, you know, how important is it to you in these conversations that they fully understand what it means to be an open source re- or an open source platform for them?

Gary Orenstein: It tends to be very important for both our individual users as well as our business users, because I think both of those constituents want to have a sense of trust in using the solution. And we cannot think of a better way to establish trust than through an open source architecture. And a lot of people have rallied around that cause. Sometimes it can be counterintuitive to people the first time, if you're not familiar with open source software, to say, well, gee, how does that work?

And the answer is that the transparency that an open source architecture provides is in a different league compared to a proprietary closed solution. And it is, in many ways, the only way that you can establish a platform of mutual trust. We actually spend time every year in December with an event that we call the Open Source Security Summit, which is specifically designed to discuss and educate and learn and explore why the intersection of open source and security is so important to establishing trust. We've had some wonderful speakers there in the past, including the CEO of HackerOne, and CEOs of other open source companies, as well as fun folks in the security area, and a few technologists like Steve Wozniak, who joined us one year. But the part of that event is rallying around and understanding that open source is the gateway to establishing the most transparent and trustworthy solution, and it's a big part of Bitwarden, and I think it's really important to both the combination of individual users and our business users.

Neal: Thank you. Michael, anything else you wanna add from your perspective?

Michael Crandell: Well, you know, some people, as Gary said, are early to the concept. Maybe it's worth describing some of the justifications that used to be used in the past for the other, closed source approach, which is a concept called security through obscurity, meaning if somebody can't see what I'm doing, it's somehow more secure. On the face of it, that makes sense. But I think that concept has largely gone by the wayside. And there's certainly plenty of evidence that projects that are closed source are far from immune from the, you know, vulnerabilities and security issues that we all have. I think the big difference is just that we're open kimono about it. And by the way, that is not always a love fest. It comes with a whole variety of opinions. I mean, we are basically inviting anyone to say anything they want about what we do. And that's a big step. And it's more than just publishing your source code on GitHub. It's a way of having a relationship with people and responding to them and taking what they say seriously. And so it's not for the fainthearted. And I just count myself lucky. It's been educational for me, but also very stimulating, and I'm full of gratitude that I did get introduced to Kyle and had a chance to join a company that is taking that approach.

Neal: Awesome. I'm a huge fan of open source projects in general, and I love that you brought up security through obscurity, cuz like you mentioned, I agree that that's gone by the wayside. You know, everybody, we have the commercials to prove this, I think, a little bit from our two favorite computer companies from 15, 20 years ago.

I'm a Mac, I'm a PC. I don't do things as bad as PC. But nowadays it's tit for tat, almost, at least for the volume. But I'm a Linux guy by trade. You know, I cut my teeth on that back in the day, like any good wannabe hacker and cracker. So open source for me is always a win.

The trust in the community is a big thing when it's there. You know, to your point though, there's things that people can take advantage of, and there are always people looking to blatantly exploit it, but for me, I think the power of the community at large is when there is that persona out there, whether they're surreptitiously creating exploit paths or whatever it is, the fix and the awareness of it, I think, is just drastically quicker, because people are very fixated, as being part of these open source communities, very fixated on the wellbeing of that community. Even, you know, even if it's five people for a project that's supporting 5 million, those five people are still very hyper-fixated. Right? And so that's the nicety. You don't have to wait every Patch Tuesday for something to happen.

You don't have to wait 30 days later for a responsible disclosure. It's there and people are already ingrained in solutioning that concern. So real quick, anything from y'all's perspective, anything else y'all would like to add from a growth perspective for the identity access mandate, where, you know, we've talked about the passwordless security environment a little bit.

We've talked about the impacts of that, you know, the combination of zero knowledge with a true zero trust mentality and what that flows into. Is there anything else that y'all would like to kind of throw out there from Bitwarden's perspective?

Michael Crandell: Yes, thanks for asking. There is one thing I'd add, and perhaps Gary will have others, and that is, we talked at the beginning about passwords and passkeys and how at the bottom there needs to be some sort of secure credential. We have just released, in a free beta, a new product called Bitwarden Secrets Manager. And that's a tool for developers that's analogous to the way password management is used by all of us as end users of web apps and services. This is what developers use to work with the secrets that they need to access and utilize, that are used in software development. For example, most websites that we visit have multiple components.

They've got a web server back in the background and an app server and a database server. And as those components come up, they have to authenticate with each other. God forbid there's a database server out there that just gives out data to whoever asks for it. You gotta authenticate there.

And so that process is somewhat analogous to the authentication with passwords, and that's what Bitwarden Secrets Manager does. It manages secrets for developers. It's just out in beta in the last few weeks. Gary, you can help me with where people can find it on the website.

Gary Orenstein: The homepage.

Neal: Okay. Can I just say how awesome that is? Because as a guy who used to be into the development side of the house, or have a lot of things, you know, I'm old school where I had my little encrypted file that I personally built out, but then when I get a new system, or I forget to back that up, or I forget where it was at, you know, trying to remember where I stored that stupid file or just having completely lost it.

Michael Crandell: Or even worse, I mean, some of the breaches we've seen recently are because engineers put the credential right in the source code that then got published on GitHub.

Neal: Oh my gosh.

Michael Crandell: That's really, you know, obviously not intentional, but that's what's at risk there.

Neal: No, I will say it's amazing to me, and, 22, 23 years of doing cybersecurity intel and stuff like this, I took some open source classes before OSINT was a thing in the early two thousands, and one of the very first things they taught us was to look at the source code of a website to see if they had put things in, you know, in the HTML and coding or whatever for the page.

And early two thousands, you know, it was a goldmine. You'd find all sorts of wonderful things in there. And then now we flash forward. I think we had a good run on GitHub for a couple years where it wasn't as blatant, but now we're kind of coming back into it, aren't we?

Michael Crandell: It's challenging. It's like password use. Nobody's intentional about this stuff, and we all know the right rules. But I would say the spirit is willing, but the flesh is weak sometimes.

Neal: True story. I'll tell you. I'm gonna throw it back over to Elliot and see if he's got anything else for us before we close out.

Elliot: Absolutely. So, obviously we're basically living in the future and you guys are technologists living on that cutting edge. I'd love to just kind of pick your brain and vision. Maybe it aligns to the product roadmap, maybe it doesn't, but, you know, five, 10 years from now, what do you feel like we'll see that is drastically different from today?

Obviously, again, password reuse is highly problematic. Do you feel like we're gonna move more towards, like, people are just gonna give up and biometrics are the way forward? Or, you know, is there gonna maybe be some magic bullet where we just don't see passwords? Love just your perspective on, like, what might change in the next five to 10 years.

Michael Crandell: You wanna give that a stab, Gary?

Gary Orenstein: Sure. For the people who wanna be finished with passwords, I think that's coming quickly, and the technology and the industry standards are gonna be there to help people through that process, and Bitwarden's gonna be right there to help people with them as well. That, I think, is the, the incentives on behalf of the software and website providers and the desires from the users are too strong, and in a good way.

The standards are now here, the industry has formed around the FIDO Alliance, and we're gonna see that stuff happening very quickly in 2023 and beyond. There will also be a group who is going to want more control, and they're going to specifically want more control across what we might refer to as, you know, not being reliant or dependent on the mega corps that are out there.

And they're gonna want to be the folks who are controlling their data and their online identities. And I think that's also a place where Bitwarden will be to help those folks as well. So I gotta say, we're gonna see both spectrums of that, lots of advancements. The ability to not worry about it for the average consumer, but also the ability to control it and own it and architect it for the people who want to do that.

Elliot: Very cool. Michael, anything that you want to throw into that?

Michael Crandell: Sure. I mean, you can look at the statistics there. There's a lot of work to be done just in the password-based world, before moving to passwordless, or for those who don't or sites that don't support it. You know, one of the ways I think about it, we're very business focused in our customer base, but we also have end users.

I hear stories about people helping their mother get set up on Bitwarden, and what they're essentially doing is overcoming these statistics of bad hygiene with regard to passwords. So there's still a ways for us to continue to work on making that easier and easier for people to protect themselves.

It's the old trade-off of security and convenience. And we are not gonna give up until we make the balance so far in favor of convenience that the security is also there.

Elliot: Yeah, that definitely speaks a little too close to home. Neal, I don't know if you have any fun stories about setting up family, but my mom in particular is notoriously anti-technology. Like, it will break if you touch a computer around here. But setting her up on a password manager was one of those big wins for the entire family.

So I feel like all of our listeners can speak to that too, cuz they become like the de facto IT person in the family. If, like, you know, I'm in cybersecurity, oh, you know how to fix my computer. I gotcha. So yeah, we definitely hear

Neal: Man, I shortchanged that. I installed Snort. They came out with a wonderful little inline device about this big, many years ago, that you could load up, plug in line to your home WiFi or internet connection, whichever side you wanted to put it on. So I put that on my dad's. So I control pretty much everything he sees and doesn't see.

And then, yeah, I get notifications and it's, you know, it's an IDS, so it's nothing massively prolific, cuz it's also very tiny, but it gets the job done. And so if my dad, you know, I can monitor outbound, inbound, and if I feel like my dad's stuff has been compromised, I can lock it completely, like the internet side, down anyways, so then everything stops.

And he's had this happen a couple times where his cell phone no longer connected directly through the wireless, and he had to turn it on the other way. Like, Dad, the internet stops working, just you stop working and give me a call on the landline, please. But yeah, I try to shortchange the things.

We haven't gone down the password piece yet. I probably should. So who knows?

Michael Crandell: Neal and Elliot, you’re both good sons. That’s what I’d say.

Neal: Well, I look at it as not too altruistic in nature, cuz when the man finally keels over, if he's got a bunch of malware and stuff on all his devices, that's just crap I have to sort through at a later date when I'm trying to figure out what I keep and don't keep sitting out.

Elliot: Story.

Neal: No, it's all good. Yo, it's whatever.

Back to your point, it's whatever the lowest common denominator of ease is for that user, and that's what they're always gonna fall back to. My dad logs into like three different things and that's it. He's 99% of the time reading from a single email. A shocker. He only has one email. Unlike some of us who have like 50,000 and all the other fun stuff.

So it's pretty easy, but Michael, Gary, thank you all once again for the conversations and the fun stuff on here. I want to be mindful of our clock here. So Elliot, back to you to, I guess, wrap things up.

Elliot: You're very close. Now we're good. All right. So, yeah, I'm gonna double down on one: thank you so much for joining, Michael, Gary. Really appreciate your insight, expertise and being able to chat with our listeners and audience. But you know, we will definitely link towards that new research that you've dropped, hopefully get it ahead of the episode too.

But again, thank you so much. Really appreciate your perspective, and I know again this was just an area that Neal has been really interested in chatting about. So he's smiling down in there somewhere. But yeah, we really appreciate it.

Michael Crandell: Our pleasure.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/adopting-zero-trust-with-bitwarden