The Security Ledger Podcast

Spotlight Podcast: Breaking Bad Password Habits to Fight Advanced Threats

September 26, 2019

In this Spotlight edition of the Security Ledger podcast, Rachael Stockton of LastPass * joins us to discuss the myriad challenges facing companies trying to secure users’ online activities, and simple solutions for busting insecure user behaviors to address threats like phishing, account takeover and more.

Twenty years ago, if you ran a business, user authentication was a pretty straightforward prospect: tools like Active Directory (or a predecessor) stored user identities that were used to access local endpoints (desktop or laptop computers) and gain access to shared network resources: application servers, file servers, email and so on.

This was all pretty straightforward from your perspective: your team owned the network and the IT assets those applications ran on. A perimeter protected your business from the Internet, and your workers worked, for the most part, at the office.

The world has changed tremendously since then, as has authentication. A firm standing up an IT operation in 2019 will likely own few IT assets aside from the systems its employees use. Almost every application employees use to do their job will be delivered as a service and, likely, run on cloud services operated by a third-party provider.

Rachael Stockton is the director of product strategy at LastPass. 

Employees also will work from everywhere: home, remote offices, coffee shops and cars, and do so using laptops, mobile devices and more. Personal and professional activities intermingle seamlessly, often just a browser tab away from each other. Hackers and other malicious actors have taken notice: leveraging credentials stolen from consumer sites to compromise corporate networks, and setting up “watering hole” attacks to harvest sensitive logon information from employees.

All that makes once straightforward questions about authentication much, much more difficult, while human behavior remains just as hard to change. Rachael Stockton of LastPass notes that authentication technology has to adapt to the new ways that people work and the threats that companies face. “Every employee is a potential entry point (for hackers),” Stockton told me.

I think there’s a difference between the password going away – so not having a password – and us not caring that we have a password anymore. – Rachael Stockton, LastPass

What is the best way for companies to address authentication and identity challenges? Stronger authentication is a good first step. Added layers of security such as two-factor authentication can radically reduce or even eliminate whole categories of online attacks.
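To make the claim above concrete, here is an added example (not code from the podcast, LastPass, or The Security Ledger) of a second factor that blunts the two threats named earlier in these notes: a password reused from a breached consumer site, and a one-time code harvested by a watering-hole or phishing page. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and pairs them with a salted, hashed password. The user record, secret, password and timestamps are all constructed for the demonstration; the `last_counter` replay guard follows the RFC 6238 recommendation that a time step, once accepted, is never accepted again for that user.

```python
import hashlib
import hmac
import os
import struct

# RFC 6238 parameters: 30-second steps, 6-digit codes, one step of clock drift either side.
STEP = 30
DIGITS = 6
WINDOW = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (what the user's app shows)."""
    return hotp(secret, now // STEP)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed in-memory user record: salted PBKDF2 password hash, the shared TOTP
    secret, and the last accepted time-step counter used to reject replayed codes."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code: str, now: int) -> bool:
    """Accept the current step or one adjacent step, but never a counter at or below the
    last accepted one, so a code captured by a phishing page cannot be replayed."""
    counter = now // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        candidate_counter = counter + delta
        if candidate_counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate_counter), code):
            user["last_counter"] = candidate_counter
            return True
    return False


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass. A reused password from a consumer-site breach is useless
    without the current code, and a harvested code dies with its time step."""
    if not check_password(user, password):
        return False
    return check_totp(user, code, now)


if __name__ == "__main__":
    # Constructed scenario: secret, password and clock are fixed for the demonstration.
    secret = b"constructed-demo-secret"
    now = 1_700_000_000
    user = make_user("hunter2", secret)
    code = totp(secret, now)
    print("password only:         ", login(user, "hunter2", "", now))
    print("password + current code:", login(user, "hunter2", code, now))
    print("same code replayed:    ", login(user, "hunter2", code, now + 1))
    print("stale code, 5 min late:", login(make_user("hunter2", secret), "hunter2", code, now + 300))
```

The `hotp` routine can be checked against the published vectors: the RFC 4226 test secret at counter 0 yields 755224, and the RFC 6238 SHA-1 vector at T=59 (counter 1, eight digits) yields 94287082. The drift window is deliberately small; widening it trades a little usability for a larger replay surface, which is exactly why the `last_counter` check is kept alongside it.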

Still, users are reluctant to change (or break) bad habits, even when they know they’re insecure. In this Spotlight podcast, we invited Rachael back into the Security Ledger studio to talk about why insecure practices persist in enterprises and how best to break users of their bad habits.

Rachael and I also talk about practical steps that organizations can take to improve their employees’ online security, from better user education, incentives and gamification to more streamlined authentication and single sign-on tools.

(*) Disclosure: This podcast was sponsored by