
PW - I know...But I Have a System

BSides Las Vegas · 43:05 · 87 views · Published 2022-09
About this talk
PW - I know...But I Have a System - Cecilie Wian PasswordsCon @ 10:30 - 11:25 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript [en]

But now I'm again really, really proud to introduce a good friend of mine from my home city of Bergen on the west coast of Norway, Cecilie. She works as a tester, a software tester... "tester" is fair, yeah. But she's really good, well, she's actually awesome at a type of testing that I'm fascinated about, because she looks into how she can abuse whatever kind of app or software you have for purposes like stalking and harassment and other fun things you can do to other people, and she's incredibly good at that. But today her talk is "I know... but I have a system", and it's about, well, I will leave that to you. Cecilie, go ahead.

Thank you, Pat. Welcome to my talk about password managers and the ones who are not using them. Now, first, password managers. I assume you know what they are. Please nod if you know what a password manager is. Okay, I'm just going to say this anyway. Password managers are really useful tools to manage passwords, passkeys, PIN codes, passwords, like all of this. I'm going to say "passwords", but it's going to cover all the other types of secrets as well. It's really useful to do this in businesses as well. Like, it's good for you as a private individual, but in businesses you really need to manage a lot of passwords that for some reason or another must be shared. Like, routers don't really care that you have a lot of admins; they only have one password, all the admins need to know that password, and so on. But even if you are buying the software or tool and rolling it out in the company, there are a lot of people, even though it's useful, who won't be using it. It's kind of annoying. Like, this is really good for you, why wouldn't you be using this tool? And this is what my talk is about.

Before that, I hope, I really hope that you had the opportunity to see Mia Landsem's talk yesterday about why the kids couldn't care less about your password advice. It's really good, and if you're on YouTube now, go back and see the recording. It will give more context to this talk. In Mia's talk she talks about how kids, the young people, are sharing passwords and why it's important for them to share passwords, and also she talks about the consequences of sharing passwords and what's going on. And it's important that we who influence policies and products and do security training understand the context that the kids are in and the habits that they have, because in a few years we're going to hire them, and we really need to facilitate and mitigate the risks that their bad habits are bringing with them.

Shortly about me: I am Cecilie. If you want to find me on Twitter, I'm Sinobelle. I work as a consultant when it comes to testing and security at the company called Bulba. My specialty is usability, or as I say, abusability of software: how can I be bad towards someone with your stuff? I have a bachelor's degree in educational psychology and I have a master's degree in philosophy of technology, so that's what's going on in my head all the time. I spend a lot of time thinking about human users, what makes them human, why they are doing things, observing, looking at what they're doing and so on.

If there's something you don't understand, please write it down; I'll take questions at the end. Okay. I like humans. This is very important to understand: I like humans. I may sometimes loathe individuals, but in general I like humans. I find humans and people fascinating. I love watching people. It's kind of rude, but I really like watching and trying to figure out what is making you tick, why you are doing this, and so on.

Now, this is a kitten slide. It means that this is something very basic that I need to tell you so we're on the same page and you understand me. But if you're on board with what I'm saying already, you can just look at this adorable kitten.

Password managers in a company are primarily for managing passwords related to the company. As I mentioned: the routers, the servers, the databases, the HR systems, the banking, the alarm system, the phone, email, logging onto your computer, opening the doors, you know, all that stuff. But it's also a very good tool for the individual employees to manage the huge amount of passwords that they meet in the business context. I recently changed job. It was wonderful that I could just leave all the passwords that I didn't need anymore behind. It was, oh, beautiful. I didn't have to drag them with me and just, you know, start pulling them out in between my private passwords, because I have different vaults for that.

If you want some advice on how to choose an enterprise solution for password managers, go see my talk from two years ago at PasswordsCon in 2019, six minutes in, and start watching there. Okay, let's move on. I work in Norway. Norway is a very digital country. Like, digital banking is the norm; everybody is using digital banking, nobody's using cash anymore. If you want anything done anywhere, you have to take your devices with you, because you're going to go through a digital process of some kind. It doesn't matter if your leg is broken, or if you're buying a house, or if you're going to pay taxes, or stay at a hotel. So if you're going to come visit Norway, make sure that your data plan is in order.

Norwegian businesses are also very digital. They do their banking, their taxes, their reporting, their everything digital. This is not only the big businesses and the big industries; it's also the one-person plumber company type of thing. All of them are digital to some degree. That means that the maturity level of security between all the different companies is very, very different. Like, we have the ones that are really solid, have security training, everybody is on board on routines and all that, but we also have a lot of the middle ground where the IT people are typically good, but then there's the rest of the company.

Of course I do understand spending money and time on mitigating risks in the higher-risk areas, which is often the IT department. But you need to move at some point. You need to move from that hybrid situation of good combined with very bad security into, like, everybody should be on board on having a good security culture in our organization. And for getting a grip on this situation, a password manager is really a good start. It's very low threshold, it doesn't cost a lot (by the way, keep it that way), it's easy. But when rolling out password managers in a company, you're going to discover that there's a mismatch between the number of employees that you have and the people using it. Sometimes it's closer, sometimes it's worse.

Of course it's not a surprise. Like, the tech-savvy people, when you roll out the password manager and say "oh, we're going to start paying for this, this is the tool that you get to use", some of them are going to go "yes, you chose the one that's my favorite". There's going to be a small crowd of those people. And then there's going to be an early majority that's like, "okay, fine, this is neutral, sounds like a good idea, I'm just going to set it up". Then there's going to be a huge amount of people that are more like late adopters. They're like, "yeah, I did get the email, I didn't have the time at the time, but since you have sent me four, five, six emails now, maybe I should do this". Then you're going to have a lot of people who just don't.

Now, I don't have numbers for this, but very often the non-users are in administration, they are managers, or newly employed. Also people who are suffering a life crisis may have great difficulty in adopting new habits and starting to use password managers, because it takes a lot of thinking, or some thinking. Tech-savvy people will set up a password manager enterprise solution within 15 minutes. They'll do it before their lunch; it's not a problem. For non-technical users, the time they need to allocate to start using a password manager is, in my experience, one hour, and a lot of people push it. Like, they avoid starting because they're not sure how long it's going to take; they just know it's going to take time. An hour of setting up means installing it on more than one device, orienting yourself in what this software is and what it does, trying out how it's working, discovering some features that you like or hate, and adding enough passwords for this to be a useful tool. For companies, the success rate for non-tech people to start using a password manager is very much affected by how much time they have to get started. If they are squeezed on time, or if setting up a password manager is competing with more rewarding tasks, also known as "my job", they're not going to do it.

A lot of companies think, or may think, "well, that's okay, we're just going to order them, we're just going to tell them to do this, and we will write it into our company policy". Emails will be sent out, reminders are being sent, sometimes they even send out threats, like "if you don't do this, this and this can happen, we'll cut your salary" in some way. And I understand that, because employers have the right to instruct their employees. It's completely normal. But if security was that easy, we could all go home. I wouldn't have a job.

So what happens is that when you try to order someone to do something that they don't want to do or have conflicting feelings about, they may do the absolute minimum so they don't get in trouble, for instance so they don't get their salary slashed. They will do the registration process, but they won't be using the software, and you end up in this hybrid situation where the non-tech users, or the non-users, have installed things and will show up in your list as installed, but there's no improvement of security at all.

So my first advice: make sure everybody has enough paid time to set this up, at least an hour. Okay, moving on. You have to understand that people don't like managing, not dealing with, passwords. Even people like me, indeed, have conflicted feelings. There are a lot of subconscious processes that go on in a human mind at all times. It's not impossible to manipulate people into dealing with password managers, but it's not ethical, it's incredibly disrespectful, and it may have unforeseen spillover effects into other areas of life. For instance, one of the reasons people hate dealing with passwords is because they feel that the rules around passwords change all the time, and that it's difficult, like they have to remember things. When we make policies, it lasts a long time in people's minds; nothing really goes away.

In addition, when people feel trapped or forced, they tend to start behaving slightly irrationally and reactively. They will do the opposite of what you're telling them to do, or a version of the opposite. For instance, if I tell you "do not hack the hotel while you're here", I'm instructing you, and what happens is your beautiful minds are still like, "well, I'm not hacking the hotel... or I'm not hacking the ho...". You start putting effort into both sort of complying with what I said, but also trying to defy me. And that is the magic of instruction; it's terrible. So when I do security training, we have to be very careful in how we instruct people. If it feels manipulative or forced, it's only human to react that way. If you insist on me changing my password every other week, I'll defy that in some way. Yeah.

I like to talk with people and I like to listen to people. I like to know what their thoughts are and how they feel about, for instance, password managers. My goal is to understand them better, so that I, and you, can facilitate both the subconscious decisions that they're going to make all the time that they're not aware of, but also be respectful of the reasons that they think they have for doing things. People don't really understand themselves well, but we still have to be respectful towards them. And if you listen to the reasons that people give for not using a password manager, you start to discover all these irrational thought patterns that they have. So my challenge to you is: listen to them, in a respectful, no-sarcasm way, so that they can see their own irrational thought patterns, and we can change and mitigate the risks associated with them. For instance, the first one. Hands up if you've ever heard the first one. Only a few? Okay. And I say,

"Do you have a password manager?" and they're like, "oh no, no, I have a system". Well, yeah. Now, of course I can prove why they're wrong, why systems are crap, but instead of trying to beat common sense into them with my words, I just say, "that's okay, you can have a password manager even though you have a system". And then interesting things start happening, because that was sort of like their mental block: "don't talk to me like this; this is my way of rejecting that huge imaginary task that you've given me".

Another thing that people say is, "well, yes, but I don't have access to anything important". And that one is real. Like, when I hear that, it makes me sad, because it means that they don't think what they're doing is important. That's terrible. Why would we hire them and pay them if they weren't important? So I tell them, "well, I think you're important, and the things that you do are very important, and you have access to a lot of things that are important. Please listen to me, I work in security, I should know." And then again interesting things can happen.

"I started, but something happened." I like that one, because it's very easy; it's usually a technical problem. So I just say, "oh, let me look at that with you so we can resolve that". With you, not "let me do that for you".

"I used it, but then..." is harder, because that means it's a technical issue, but they have lost faith in the product and the tool, so I have to re-motivate them again before I can solve their technical issues. Like, it's worth the time it takes to learn this thing.

"It doesn't really work well with things." That can happen a lot of the time. That means that the password input prompt happens in the wrong type of field. We can't necessarily fix it; it's a whole long thing, I can't fix it now. So when that happens, I just have to remote to them and say, "oh, that's normal, but you'll be fine, you can deal with that, you can do this anyway, like, you're okay".

And then, "I have it, but I can't really understand what happened". That's also a technical issue, like typically in the first part of the process, when they're signing on, something got messed up and they're stuck. It's like, "okay, let me look at that with you so that we can figure it out".

And the last one: "oh, I have it, but I don't really use it". That is human speech for "it's boring, I don't see the value in this".

Hang on, sorry, I just need my cursor on the right screen.

Well, what can I do about it being boring? Well, yeah, it's boring. It's super boring adding a bunch of passwords. So, you know what, grab a bottle of wine and some friends and set it up. You know, adding passwords is boring, but you're going to do it anyway. It's good for you anyway. Do a "passwords and prosecco".

So conversations like these are delicate, but if you get that moment where you catch their interest, acknowledge their feelings so that you can change their mind. Like, you can expand that little gap that you get. If you mess it up, by either not acknowledging the feelings, or by saying "oh yeah, but you have to wait forever and ever to have this result", or "yeah, we're going to send somebody who's not going to be able to fix that but sort of like help you", you're going to cement that feeling that they have, that "this thing is not something I want in my life".

Learning to use a password manager is learning, and a lot of the time we think, "okay, but you can just learn it". No, you can't. You have to make your mind ready for learning. The first step is feeling safe. If you're afraid of losing your job while you do something, you're not going to learn well, or at all. You're going to spend all your energy on trying to get out of this situation and avoid losing your job. That's not the learning that we want.

Now, this is purely speculative from my side, I don't have the numbers for this, but my general impression when it comes to the issues of the non-users: a lot of the managers have this problem. They think they should be able to do this, but, you know, they worry so much. They worry about failing because, well, they're a manager. One, they're supposed to be the best, or better than other people. There's a lot of worrying happening. But you need to get your managers on board. Like, it's tempting to ignore that the managers are not using password managers, but if you do, you're going to fail. Managers influence and have a lot to say about how you prioritize your time. If the managers are not on board, they cannot help their team, they cannot help with recovery, which is a big part of an enterprise solution, they are not pushing password managers to new hires, and they do not show that this is a valuable thing to spend time on. And if they don't show that, you're not going to do that; you're going to do your job instead. Okay, that's my second advice: get the managers on board. Yes.

After making sure that people feel safe, like there's room for mistakes and so on, people need to feel that this is something they can actually manage to do, and especially the non-tech, like the administrative people, they need to feel that this is something within their reach of managing to do. So when they ask for help, or they're open to getting help, I will set it up for them while they're with me, and then I tell them to add the passwords, and when they've added a few passwords I say, "and now you do this and this to set up the next device". I don't go from "I set up the first device" to "now you're going to set up the next device". That's too big of a step. You need to feel that you can accomplish something in between, and adding the passwords is really, really easy. Just, yeah, gentle, caring attention, and "you can do this, you'll be fine".

A million years ago, when the dinosaurs were young and roamed the earth, a man I know was a manager. This is not the man who was a manager; you were not a manager. There was actually somebody else, who is also a dinosaur. Email wasn't something new, but not everybody was using it, and this organization recognized that they had a problem. They were using email to communicate internally in the organization. It's a good, efficient tool, but so many were not using email. They were not logging on, and the problem was that they didn't get the information. That's the first problem. And the second problem is that they consumed a huge amount of support time, because they logged on so rarely that they forgot how to do it in between all the times. So this manager thought about it for a while, and it was getting close to summer, and in the summer they had a freezer, and in that freezer there was ice cream that you could buy. So he sent out an email to everyone, blind carbon copy, not carbon copy, so it looks like it comes to you personally, and he said: "You can go and have an ice cream for free if you want. Just reply to the email and say that you took one, so I can keep track of it. The important thing is: do not tell anyone." Of course they told everyone.

First rule of Fight Club: don't talk about Fight Club. They told, they were gossiping: "did you know you can get ice cream if you read your email once in a while?" So what happened was that people who didn't like to read their email, because they found it difficult, were now like, "maybe I should check up on my email, because I might get a free ice cream". You can do this with password managers. I highly recommend adding, first of all, the password for the Wi-Fi into the password manager in your company, so whenever people are asking "what's the password for the guest network?" or whatever, you say "look in the vault". If you have discounts or agreements or some kind of discount codes or other kinds of services that are nice, add them as well, and then it becomes like the people who are using password managers get extra perks. You can have them as well; we're not a clique, there's no in-group and out-group. You can get it, you just need to set up a password manager. If you need help, you can just talk to that person. Be fine. You can also do this with your parents. Guess what, I'm telling my mom every time she asks "what's the Wi-Fi password again?": "look in the vault, mom, you just need to use your thumb to log in".

So yeah, this is how I build culture: not ordering people. This is culture. Yeah. You made your users feel safe, you made the humans feel like they can master this; now they're ready for learning. What are you going to teach them?

This text is in Norwegian. It says: "Do you want to forget all your passwords this summer?" The second line is: "Get help with setting up your password manager on the 24th of June in the cantina, 12 to 15." This is a drop-in situation. You can just drop in; it's very casual, not dangerous at all. I had Christian Cowick, who's sitting over there, my colleague, help me out with this, and the results were really fun, because people were coming in and they were like, you know, the shameful pose: "will I get hurt by coming here and confessing that I hadn't set up my password manager a year ago, like I should, or something?" And I was like, "no judging here, I'm only here to help you, I'm not being sarcastic, there's no judgment". And what happened was that afterwards people felt relieved. They were rid of the anxious, guilty feelings. They were happy. So guess what happened: they told people. So now we have a lot of non-technical security advocates in our organization. That is winning. That is really winning. It's fantastic, because usually security is like, the IT people are doing that, and if we're going to deal with that, it's because we like them and do them a favor by dealing with security. So yeah, but now we have the non-technical people, and it's like, "you can talk to her, she's really nice, she will just help you" and stuff.

So yeah, to sum it up: it is normal that not everybody is ready to use your tool. People can change their mind about password managers even if you didn't catch them the first time around. There's hope, but you need to be ready for when that possibility presents itself, or you need to facilitate that it happens, like we did with the summer promise of "you're allowed to forget all your passwords". And also make sure that you facilitate growth and learning in general, because when they're done learning about password managers, they're going to be ready to learn about other security stuff, and then you can be like, "what do I want to teach them next?" It's awesome. Yeah. Questions?

Thank you, Cecilie. Questions? Yes.

Hi, thank you. (You can take down the mask so I can hear you better, it's allowed.) Thank you for the presentation. I have a question. In the context of a larger company, do you have tips about teaching developers and the IT people to actually implement, like, SSO, 2FA, so that the burden of having to do things and manage security properly is not on the user side, but more on actually having safe services, and users just having to remember one password, and this kind of stuff?

I do, and that's security training in general. Yeah. Okay, so security training: you have to start with a really low bar, like, what is the absolute minimum that we need them to know, and start with training that first. And then it's like, okay, what is relevant for your position? Don't teach everybody the same thing. Is it relevant for this person's position, yes or no? If it's not, don't insist on them going through all these security training things if it's not relevant. And if it's relevant, let people do it as a group thing. If you can do it physically, it's much easier to learn things and feel safe, when you can see that there's no danger, you can see people's faces, they're relaxed, "they're okay, I can ask them questions, I'll be fine". But don't expect that MFA or all the other things are going to happen, like they probably learned it in school. No, they didn't. Make sure that they are onboarded properly. And also, this is one of my best tricks ever: feed them. Hungry people don't learn. So do onboarding with food, give them time and be nice. You can teach them anything, really.

Thanks for your talk. On the subject of feeling safe using a password manager: how do you counter the impression that people have when they're told by their IT department that they should be using a password manager, that the IT department has some sort of an evil motive around that? Like, "oh, they want to get all... they know that I'm going to store my bank password in there and they want to get to my bank account", or something like that. How do you deal with that impression?

First of all, it doesn't matter what the question is. When you meet the user, if they have a question or a concern, take them seriously. Again, they're going to have, like, subconscious... it's mostly about their feelings. They're just worried. So just take them seriously. Show them, if they want to use some time, because if you reassure them, like, spend time on them: "I acknowledge that you're worried. Is there anything I can do to help you understand this better, or ease your worries?" And then you have a conversation. Do that in the beginning. Whenever you're going to make changes to your culture, in the beginning there's going to be a lot of noise, but after a while, when all the other people are starting to use this, it's going to feel safer. But in the beginning it's going to be noisy, with a lot of insecurity going on. This is why it's very important to have the managers on board: "if the managers use it, it's probably safe enough for me as well".

Hi. I think we all know these shared accounts for third-party services that are used across the department. Do those types of accounts make the transition easier, because everybody needs to use the password manager at the same time when the password changes, or do you think this prevents people from moving, because it's more scary and harder to implement?

I'm not sure if I heard all of your question, but I think you asked: what about shared accounts, is it easier and safer, or is it going to feel more dangerous, because then it's apparent that we're sharing things? In most organizations you need to share passwords; that's just the way it is. If you do it within the password manager, this is a fantastic trick: if you do it within the password manager, if I change the password, he won't notice, because he's so used to just copying the password out of the password manager. He's not going to notice that I changed the password, as long as it works. And this is one of the things that we don't talk about a lot in businesses, and that is unfaithful servants, or people who have to leave the company in disgrace. We need to change those passwords discreetly, because the case may not be settled; there may be a lot of difficulties around it, like legal difficulties. So being able to change passwords discreetly is actually very important.

Hi Cecilie, thanks for the talk. My question is about those old IT guys who will not share the root password for all of the, like, Cisco routers, and the guy who will not share the password for the special safe that we keep the special stuff in. Like, that guy, right? Because he knows if he shares that password, we might not need him anymore, you know.

Are you telling me they're humans? Yes, with their fears. And feed them. I promise you, if you're going to ask something big (this is social engineering), if you're going to ask something big or uncomfortable from someone, make sure they have, like, medium-plus blood sugar levels, because then they're more patient with listening to you and your reasons. Because you may or may not have good reasons for getting that password, but you may not get the time to explain why you really need that, why they should trust you, because they're hungry.

But me and Jim would really like to have a chat with you outside afterwards. [Laughter] I'm not sure if I should do this on camera, but a few of my colleagues know: if I show up at work with cake, somebody's in trouble. It's not because I'm going to be rude or horrible to them; it's just that I need them to be able to be open to what I'm going to tell them, that it's going to be demanding, that it's going to mess with their feelings a bit, they're going to feel bad. Cake helps. Good trick. More questions?

So I'm in the compliance and audit space, and shared passwords are always a contention point around maintaining security controls. How do you deal with knowing who accessed the password and made a mistake, and how would we audit that?

You should definitely talk to 1Password and LastPass, because those are two companies that do enterprise, and get them to tell you how they do that, because they have functionality for that. But since they're not paying me, you'll have to talk to their sales people.

Now, do we have time? Like, two and a half minutes? Good. I want to show you something, because this is my bonus slide for you. Life changes, and when life changes, people re-evaluate what's going on. And here are some life-changing events. These are events that usually trigger large changes in behavior. Getting married, new romantic relationships: like, if you meet someone, or your employees meet somebody, they fall in love, they're going to start thinking "should I share my Netflix with them?" and so on, like, what is the sensible level of sharing that we want to do, and so on. So they start re-evaluating their life; then they're open to "you know what, it's really useful to have a password manager in that situation. Oh, in our program you can get one free for your girlfriend or boyfriend". Kids: when people have kids, they do the same. They realize the world can be a dangerous place. And imagine teenagers: wouldn't it be awesome if your teenagers had a password manager so they don't get hacked? Imagine how many passwords that teenager is going to have in front of them for the rest of their lives. We're talking hundreds of passwords. Wouldn't it be a good habit to teach your teenager? And then you can teach them about MFA later on, because it's a super easy thing to have when you already have a password manager. Life-threatening disease or sudden death: what happened? We heard the news: somebody died or is very ill, and the second thought in our head is "what if that happens to me? Are all my things in order? Do I have my affairs in order? Maybe. How do I share all our family pictures? How do I make sure that my spouse or loved ones get them if I die? Have you heard about password managers?" Divorce. Divorce happens, and divorce is one of the most common reasons why people send me a message like, "hi, could we talk about the thing? Because I didn't do it properly, and I realized I'm going to make a lot of new passwords in a very short time, and also I know it's bad to reuse passwords. Can we do the thing?" And I say, "remember, I told you, get a bottle of wine and some prosecco and hang out with us". That's when they call me: it's when the divorce happens. And again, yeah, these are life-changing events. Use them for good. Thank you all for your attention. If you have more feedback or comments or anything...

Thank you, Cecilie. So there's a 15-minute break before we continue with the next speaker, the next talk. Thank you. I'm in the halls if you have something; you can call me, talk to me.