Ted Harrington is the #1 best-selling Author of Hackable: How to do Application Security Right. He is also the Executive Partner at Independent Security Evaluators, a company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. Ted has helped hundreds of companies — including Google, Amazon, and Netflix — fix security vulnerabilities. He also hosts the Tech Done Different podcast.
In addition to this, Ted is a professional keynote speaker and the Co-founder of IoT Village, a traveling hacking event series. Previously, he was the Chief Executive Officer at NMG Technologies and the Director at Wolfpack.
Here’s a glimpse of what you’ll learn:
- Ted Harrington defines ethical hacking
- Why is security lagging behind technology developments?
- How a team of good hackers can actually strengthen your cybersecurity strategy
- The importance of recognizing security risks and taking steps to reduce them
- What are the differences between vulnerability scans, vulnerability assessments, and penetration testing?
- How to build a strong security perimeter around your company’s technology
- Ted’s top security tip: use a password manager
In this episode…
Hackers are evil people trying to destroy companies and wreak havoc on the world of privacy and security. Right?
Not necessarily. The word hacking and the term hacker have become grossly abused. Hackers are neither good nor bad — they are simply problem solvers. They see a system and say, “It’s supposed to do one thing. Can it do this other thing instead?” As Ted Harrington explains, the differentiating factor is the hacker’s motivation: are they after personal gain or trying to harm an organization? Those are attackers. On the other hand, ethical hackers find vulnerabilities in order to fix them and make the technology stronger. By identifying all the holes in your security perimeter, a team of ethical hackers can show you how to make your defense almost impenetrable.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Ted Harrington, Executive Partner at Independent Security Evaluators, to discuss how ethical hackers can improve your company’s cybersecurity. Ted talks about why many companies’ security is lagging behind technology developments, the benefits of ethical hacking, and his tips for keeping your passwords secure.
Resources Mentioned in this episode
- Ted Harrington on LinkedIn
- Ted Harrington’s website
- Hackable: How to Do Application Security Right by Ted Harrington
- Tech Done Different podcast
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: firstname.lastname@example.org
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
You can get a copy of their free guide, “Privacy Resource Pack,” through this link.
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:21
Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional, and I provide practical privacy advice to overwhelmed companies.
Justin Daniels 0:37
Hi, Justin Daniels here. I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I’m the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.
Jodi Daniels 0:53
And this episode is brought to you by, honest thinking this time, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Hi, you’re staring at me? Yes, as I should, as you know, it’s like evil stare, what’s going on? No, cuz
Justin Daniels 1:37
I’m looking forward to finding my hair. I’m looking forward to finding out how I can ethically hack all of your devices today.
Jodi Daniels 1:43
I’m sure you are. We did learn earlier a trick on how to teach children how to ethically hack mom’s text messages, dude. Let’s see what we’re gonna learn today. All right, well,
Justin Daniels 1:54
I’m excited to introduce our guest. It is Ted Harrington, a number one best-selling author of Hackable: How to Do Application Security Right, and the Executive Partner of Independent Security Evaluators, the company of ethical hackers famous for hacking cars, medical devices, web applications, password managers, and soon to be Jodi’s devices. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon and Netflix. He hosts the Tech Done Different podcast. Hello, Ted.
Ted Harrington 2:28
Hey, guys, thanks for having me. Excited to be here.
Jodi Daniels 2:30
Absolutely. Well, one has to ask the question, how do you get into a career where you hack everything and try and find all of the problems? So tell us a little bit about your career journey?
Ted Harrington 2:48
Sure, yeah. So I mean, for anyone who’s listening who doesn’t know what ethical hacking is, maybe I can just define that really quickly. So no, we’re talking about because the word, the word hacking and the term hacker has become just so grossly abused. And if you were to believe whatever the media thinks, or however they portray hackers, you think it’s a bad person doing evil. And that’s really not entirely true. Because a hacker is neither good nor bad. A hacker is a problem solver. A hacker is someone who’s creative. A hacker is someone who looks at a system and says, hey, it’s supposed to do this thing, can it do this other thing instead? And the fork in the road comes after that point, which is when it comes down to what the motivation is. So is it to harm an organization or gain some sort of personal gain? Well, that would be what attackers do. Or is it to try to find vulnerabilities in order to fix them, in order to make the tech stronger? And that’s what ethical hackers, that’s what people from my corner of the world do. And so, I’ve always been really drawn to the idea of creative problem solving, things that are really difficult to do, how do you serve others, you know, that kind of stuff. And throughout the course of my career, all the different steps along the way, I was sort of looking for that combination of principles. And it was about 10 years ago, when I met the guy who would become, was now my business partner. And we started talking about this idea of ethical hacking. And at the time, I wasn’t even in security, I was working, I was running a tech company that sort of was in water, was in water conservation. And I started hearing about this idea of like, wait a minute, you get to do the bad guy stuff. But you’re a good guy and you get paid for it. You don’t go to jail, and you help people. I’m in, let’s do it. And once you sort of go down that rabbit hole, you will never look at the world the same way again.
I mean, I never look at a line that everyone else is waiting in. I’m like, I should get in the back of that line. I’m like, how would I go to the front of this line? How do I do that?
Jodi Daniels 4:49
I love it. It’s such an interesting, I say this all the time, but I always find careers, paths and journeys and experiences super fascinating and interesting. So thank you for sharing, and now next time I look at a line, I’m gonna say, well, Ted told me I can go to the front of the line.
Ted Harrington 5:05
Well, the question we have to ask is this system, right? This system that is a line is built to do a certain thing in a certain way. And the question we have to ask is, well, what if I did something different? And I’m not, I’m not advocating that people, you know, do things unethically or break rules, or steal or anything like that. But I think lines are something that we can all relate to that, like, no one likes waiting in line, right? But you’d be shocked how many people just literally will stand in a line because it’s there. We had this funny thing happen at I forget which conference, it was, there was a conference recently, and I wasn’t personally able to attend this conference. So I heard this story secondhand. And I was like, I can’t if it wasn’t people that I trusted. I mean, it sounds like there’s no way this story is true. Where I had a bunch of I’d signed a whole bunch of books and sent it with my team who was at this conference, and they had a table, and they’re giving these signed copies of my book away. And so there’s, you know, this long line of people waiting to, you know, to try to get their hands on the signed copy of a book. And eventually we run out of books. And so the next person who gets the front of the line, we run out of books, and the person on our team who’s been handing them out, she says, I’m so sorry, we’re out of signed books. And this person who’d been waiting in line for like 40 minutes, says, Oh, cool. I was wondering what this line was for. I’m like, you stood in line for 40 minutes not knowing why you were standing in it, what are you doing? But that’s the way people think about systems all the time is they try to a normal person looks at a system and says, How do I comply with the system? What are the rules of the system? I’ll follow the system. And hackers, both the good guy and the bad guy. And they say, Well, what are the rules of the system? How can I defeat the system within those rules?
Justin Daniels 6:46
Basically, ethical hackers are another word for entrepreneur, they see a system and they want to break it or do something different.
Jodi Daniels 6:55
There you go. Exactly.
Justin Daniels 6:57
Well, speaking of technology, why do you think technology, as I talk to you today, I’m now working with NFTs and I do things in the Ethereum blockchain, all this has evolved, but security seems to be stuck back in 1991?
Jodi Daniels 7:15
Why do you just seriously think, Yeah, I figured why not.
Ted Harrington 7:20
I was good with it, you know? So why is Why is security lagging? I’ve grappled with that question a lot. And the best answer that I can get for it is a very human one, which is that people genuinely one of two things, they genuinely don’t understand it, or the business pressure, which also doesn’t understand it is too heavy. And when the business pressures you to do a thing in a certain way, that’s counter to the good security decision, you have to follow the where the pressure, you know, is pushing you. And so if you’ve got an executive or a leader who’s pushing a business priority doesn’t necessarily understand the security implications. And that’s not a value judgment. That’s just, I mean, there’s tons of things I don’t know anything about. Um, but if someone who is a leader, and maybe they came up through sales, and that’s how they eventually became leader of the whole organization, of course, they’re not going to understand security, they shouldn’t, that’s not their background. And so when they’re making decisions that are counter to their best interest in security, all the people who report into that organization, they kind of have to follow that. And so, I think that’s really where it comes down to. And that’s why I spend so much of my time and energy trying to educate, you know, reading books appearing on great podcasts, like what you guys have delivering keynotes stuff like that, to try to really drive that education, because until we can first understand the challenges, and then make sure that the business prioritizes, how to solve them correctly. I don’t think it’s going to change very fast.
Justin Daniels 8:51
Kind of tend to drill into this concept a little more, especially in my line of work. From what I see is, for example, after a ransomware event, you know, we like to do an after action report, think about what went wrong, in the military. When you do it well, you want to think like your enemy, so you know where they might be, thinking much like an ethical hacker might. So what do you think stops businesses from taking the same type of mindset with the not-so-good hacker?
Ted Harrington 9:24
Well, I think there’s some good news in there, which is that definitely on the pioneering end of companies, companies are doing that. Exactly. And I mean, I think when I look at in our consulting practice, anyone who’s hiring our company, they want to think like that, like that’s why they’re hiring. It’s like we need someone who can help us think like a hacker. We want to understand how we might be attacked, exploited, so we can defend against it. So there definitely are companies doing that. That’s a really good sign. But they’re probably not the majority. They’re there. If you look at any sort of adoption bell curve, right there, one of the ends of it. They’re not in the middle, you know, majority or whatever. And so for those other companies who aren’t quite there yet, I think it’s maybe it’s one of two things, either they don’t know they should do that, or they don’t know how to do it, because it is a really different way of thinking. I mean, even just that story I just talked about, the line a second ago, like most people don’t think that way. And most people shouldn’t think that way, to be honest, because once you start thinking that way, you can’t unthink it. I mean, there’s literally nothing that I do, where I’m not like, how, if I wanted to, how would I break this system? Whatever the system is, and that’s everything from, you know, analog systems, like, like a line or a, you know, even just like a parking meter, like, oh, how could someone get free parking? If they wanted to, this thing’s supposed to collect payment. How could they do it without payment? And most, that’s a weird way to think. And I don’t think most people should think that way. But it is critical that there is a person or team who is thinking that way. And it’s usually probably ideally beneficial to have that be someone outside an organization who kind of is independent from the bias that might exist in any company. That’s certainly what I advocate.
Justin Daniels 11:04
So one of the things I wanted to get your take on just thinking about the conversation we’re having now is, you know, you mentioned about the guy in sales, who becomes the CEO of the Corporation, because you know, sales are the lifeblood of company. And you know, most business, people on sales are executives, they want to be positive, they always think the best is going to happen. And when we turn to security, we talk about privacy, especially on our show is, well, most people think, well, that’s not going to happen, or oh, I don’t want to think about risks. I’m here to sell a tool or make this drone work. And how do you think that mindset plays into it where people only want to think about the positive as opposed to thinking about? Yeah, there’s some stuff behind door number two, that could be a problem?
Ted Harrington 11:52
Well, first of all, I think that’s a wonderful mindset. I think that that is the one of the most important ingredients for entrepreneurial success, like, you have to believe that you’re going to succeed. And if you don’t believe that, then you’re right out the gate, you’re not going to. So I would never want to stamp down someone’s optimism. But one of the things we do have to realize is that there’s a lot of cognitive bias that exists, especially amongst driven executives, entrepreneurs, leaders, people who are trying to change the world, there’s this bias, that’s that is very much like, well, I’ll find my way through it, or I’m going to be the lucky one what happened or it hasn’t happened yet. And so that means it won’t happen. And when we think about really any type of risk, security, of course, being one of those types of risks, when you think about building an organization, we always have to be thinking about all types of risks. So how does a company think about things like their competition, new regulation, changes in the marketplace, competitors, poaching, their top talent, all of these things are risks that leaders are thinking about all the time? And how do they deal with those risks? They don’t drown in their sorrows, that, hey, some competitor might come and disrupt the industry and put me out of business, but they’re aware of it. And they make sure that part of their plan includes how are we going to deal with that? How are we going to identify the risk? How are we going to measure it? How are we going to reduce it? And really, security is the same thing. It should, it’s not the thing that should stop you from having progress and solving the problem you’re trying to solve. But it should be seen as one of those things that you need to consider. And one of the things that I really strongly advocate for, and I don’t hear a lot of people making this case, is that what most people think about security is, it’s the removal of a bad thing. Right? 
Like if you invest in security, you won’t get hacked, that’s when most people will try to think about it. And that’s a good way to think about it for sure. I’m not advocating against that. What most people don’t do, is they don’t think about how can it be the pursuit of a good thing. So most people think it’s avoidance of a bad thing, don’t get hacked. And I say, in addition to that, we should think about how can it be pursuit of a good thing? Because the fundamental truth is that a company who can demonstrate security, so who can actually invest in security, do it right, and prove it, that resonates with their current and prospective customers, because the current and prospective customers, they want to work with companies who are secure. So it’s this enormously differentiating competitive advantage that companies who are doing security right have over pretty much everybody else.
Jodi Daniels 14:26
That is very similar to the privacy side of the equation, where a lot of companies are focused on, I have to comply with XYZ law because there’s a fine and if I don’t, then, you know, I might have a huge cost. And actually, what is a significant driver that is often overlooked is that your customers are expecting that. 52% of customers or people won’t buy from a company over privacy and security concerns. More than 80% of people are concerned over that. And so I really like how you recognize that it can be a competitive edge, that it can be a differentiator, because when you’re comparing company A and company B, if they’re all the same, which one are you going to pick? Well, you’re gonna pick one that has some edge. And if one of those edges is privacy and security, that’s really important. If we think about now, how can a company make sure it has that edge? So maybe turning to tactics a little bit. What does a company need to be doing? We talk about training, good measures, vulnerability scans, assessments; we’ve been talking about ethical hacking so that we can identify the problems in advance. Can you share a little bit, like you helped explain what ethical hacking is, can you help us understand the difference between a vulnerability scan and an assessment? Sure,
Ted Harrington 15:45
yeah. So let’s use a metaphor. Let’s talk about cars to try to illustrate this, because the question you’re asking is an astronomical problem in security right now, which is that terms are used inappropriately, to mean different things than what they actually mean. So this is a very, very common case right now. There’s one other term that you didn’t ask about that we should mention, because people will be familiar with it. And it’s relevant to these two terms you asked about, which is penetration testing. So what is happening in most organizations right now is that people are asking for penetration testing. The reason for that is there’s a lot of regulatory frameworks that literally require it. It’s become the term that everyone’s like, I don’t know what it is. But that’s the security testing I’ve heard of. So like, I’m gonna ask for that. So people ask for penetration testing. But the problem is that they’re usually sold something else, they’re usually sold vulnerability scanning. But what they actually need is usually something else, is usually vulnerability assessments. So let me illustrate what these three things are using a metaphor. And we can use cars as this metaphor. So penetration testing is kind of like when the car makers are building a vehicle. And they want to know, how will it perform in a specific crash scenario? For example, what happens in a head-on collision? Will the passenger survive? So what do they do? They literally crash it into the wall, and they measure what happened. That’s what penetration testing is kind of like: you take a completely built system, something that’s gone through all kinds of testing and what’s called hardening to make it, you know, better and more secure. And then you simulate a real-world exercise that has a really narrowly defined scope, and a very binary outcome, like, did the passengers survive or not? That’s really what it’s looking at. So a penetration test is kind of similar, right?
You’re looking at, hey, could an attacker escalate privileges within this, whatever these parameters are, that we’re looking for. So that’s what penetration testing really is. But if you were to Google right now that term, most of the results you get back are going to be for vulnerability scans. And that’s a problem because they’re two really different things. So vulnerability scan, if we use our car metaphor, is more like when the check engine light comes on in your car, you go to the oil change place, your mechanic, they stick that little thing into the dash, and it, you know, interrogates the computer and spits back some codes and says, here’s how you turn off the check engine light. It’s very cheap, it’s very inexpensive, it’s very quick, but it can only look for known issues. And think about how different that is from what penetration testing is, it’s really like the scan of the onboard computer is pretty different from crash testing the car. But what people are really wanting is this third thing altogether, which is a vulnerability assessment. And what a vulnerability assessment is, is a comprehensive evaluation of how all the different systems might work together, how might someone attack this system? In all the different ways it could? So for example, if we use this metaphor again, that’s like the automotive safety engineering department. What do they do? They look at things like how do the side impact beams work with the lane departure technology, work with airbags, work with the seatbelts, work with the roll cage, all these different systems? How does it all work together to make sure we maximize the likelihood the passenger survives an incident? It’s that holistic view that people are looking for. It’s the really specific custom ways that the system might be defeated. That’s really what people are after, not just something cursory, like a scan would be, or something very narrowly scoped like what a pen test might be.
And by now understanding the difference, hopefully, people can walk away and say, okay, first of all, I recognize there is a difference. Second of all, I recognize the difference is significant. But most importantly, they’re able to walk away saying, what should I do with this information? And what you should do with it is not necessarily just memorize the terms. As much as I want people to use the right term to describe the right thing, I recognize the horse has left the barn, right? Like we’re not going to get the whole world to start using the right term. So instead, what do we do? We start with a goal. So as organizations think about how do we measure how we’re doing on security, start with your goal. Is your goal to have this real-world exercise, a very narrowly scoped situation that has a binary outcome? That sounds like you want a penetration test. Do you want just a quick, inexpensive look at the most common issues, knowing that you’re excluding anything that would require even a slight degree of sophistication? That’s where you want a scan. Or are you looking for a more holistic view? You want to understand custom severity, you want to understand, how do all the components of the system work together? How do you fix it? That’s where you want your vulnerability assessment.
Jodi Daniels 20:31
I think that was a really well done way. I love metaphors and analogies. So thank you for breaking it down. And I think it’s helpful because not every company will always be able to jump to one of those, but they’ll be able to understand at least what they’re getting, hopefully, when they’re talking to someone about what they’re right. Next up.
Justin Daniels 20:53
I think Ted’s point, most companies ask for things, and they don’t know what the terms they’re using mean. So they end up getting something that doesn’t do what they think it does, or they put over-reliance on something that isn’t as comprehensive as they think it might be.
Ted Harrington 21:10
And I’ve had a lot of empathy for that, like I took it, my heart goes out to that, right, because think about, let’s put ourselves in the shoes of the person who’s buying that service, right, they’re buying that service, because they don’t do it, that’s something you should first of all have independent anyway, you’re probably not the security expert to begin with. Or if you are the security expert, your expertise isn’t necessarily in ethical hacking. So you go to find somebody and say, I need this thing, give it you know, sell me this thing, and you’re trusting then that person can give you what you need. And unfortunately, that’s not necessarily what’s happening. So that that’s a does not cool. That’s that was a big motivator for I want to write my book, because I saw stuff like that happening all the time, I’m like, I cannot stand to allow that to happen anymore. So it’s a, it’s a practical reality that everybody faces even if they don’t realize it.
Justin Daniels 21:56
So kind of building on what you’re talking about, one of the things that I’ve seen multiple times in the last 12 months is, with the quick pivot to the remote workforce, the perimeter, your security perimeter, is now basically your employees’ assets that don’t belong to the company. And I’ve had multiple ransomware incidents whose root cause was something that happened on the employee’s computer that moved on to the network. And so my question is, how do you think about security and what you do in light of a security perimeter that is now basically your employees’ own computer systems? It’s not well defined anymore?
Ted Harrington 22:40
Well, here’s the hidden secret within the question, is that the perimeter didn’t exist already, even before COVID. And so what COVID did was COVID revealed that reality. So before, a lot of companies had this very misplaced reliance on the idea of a perimeter, of the idea that bad guys are on the outside, the good guys are on the inside. I remember really vividly, I was at a conference after I had delivered a keynote. And I was in the, whatever, happy hour thing that happens afterwards. And I was talking to somebody, and we were talking about this idea. And I was asking them about what they do with their organization. They said, no, we’re, we’re pretty secure. Yeah, I mean, we’ve got everything locked down. You know, we have Norton Antivirus. So I think, what more could we need? And I’m like, oh, boy, like, here’s a tech leader who thinks that a tool like that is the only thing that they need. They think that, they literally said, oh, we’ve got these really great firewalls. And what it reveals is that a lot of organizations don’t understand that attacks originate from the inside, whether the insider is themselves an attacker or attackers escalate privileges to get insider status. And so the perimeter has long been gone. And the companies who are doing well with security have already recognized that. And they’re implementing tactics that are known as defense in depth. So if you think of defense in depth, like, think of it like a castle. So for anyone who’s ever been to Europe, we’ve all seen, you don’t have to have been to Europe, if you’ve seen Game of Thrones, like if you went to high school, you’re familiar with the idea of a castle, and castles have, they have the moat and the drawbridge. They have either the archers on the turrets, they have guys pouring the hot oil down, you have fortified compartments within the castle itself. These are all defenses that layer on top of each other in order to do two things.
Number one, make it harder for the attacker to get in. And number two, to make it harder for the attacker to succeed once they do get in, make it hard for them to succeed and, in the case of a cyber attack, extract whatever the assets are that they’re looking for. And so when we think about the move to a remote workforce, what we have to do is we have to realize it’s the same principle. We still have to think about that any amount of access or privilege that is provisioned to anybody changes the way an organization might be attacked. And so I actually think from a security standpoint, and I don’t, I don’t mean this, I’m not celebrating a pandemic that so many people have suffered from. But one thing that is a silver lining that came out of the pandemic is it has actually forced companies to rethink their philosophy on security. And that is a
Justin Daniels 25:24
very good thing. Anything on that? was pretty good. So yeah, when I think of the castle, it’s funny you say that, because when I use the castle, I take it from Lord of the Rings in the Battle of Helm’s Deep, and add the relief army for good measure.
Jodi Daniels 25:43
I think they’re all great analogies. So Ted, as a security pro, I imagine that you’re able to share all kinds of really interesting stories. And people then always ask you, well, what should I do? What are a couple of good quick tips that I should implement, either personally or at my company? We always like to ask all of our guests, what is the best privacy or security tip that you would offer?
Ted Harrington 26:09
Yeah, I love that. I get that question all the time.
Jodi Daniels 26:12
And feeling you might be read Ted’s book, yet? Yeah. Well,
Jodi Daniels 26:19
that’s in the next, we need to try to help me
Ted Harrington 26:24
in the book. I’m actually not even sure if that is a real struggle that I have, because who I really serve are the, you know, people at companies who have resources to solve these problems. And I have a lot of empathy for the individual who’s like, okay, I’m now aware that security is scary, but I’m just a person, what do I do? And, obviously, you can’t do the same thing that a company can do, you don’t have the same money or access to people or certain skills. But there are some basic things. And my favorite recommendation, because it’s easy to do, and it’s really effective, and it makes people’s lives easier, is a combination of two things. So number one, use a password manager. And number two, use it in a way that actually modifies the passwords that are in the password manager. I’m happy to explain that second part, if you want. I’m in the process of writing a blog about it, so I can give people step-by-step advice on how to do that. What that second part does is it makes it so that if the password manager ever gets hacked, the passwords themselves actually don’t get hacked. But if we focus just on one piece of advice, it would be the first one, which is use a password manager. And the reason that I think they’re wonderful is because the most important thing that an individual person can do is use long, unique passwords for every service. And the unique is important. And here’s why. Attackers know that people are lazy. And attackers are just like you and I, they’re efficient. So when any company gets hacked, the credential pairs, the username and password, usually wind up in a database available on the internet or on the dark web. So what does an attacker do? They go get that database. And they make this assumption: well, the credential pairs that are in this database of whatever XYZ web app that got hacked, I bet you a lot of these people use those same usernames and passwords on other services.
So they’re going to take those and they’re going to try them on other services. And a huge percentage of those are going to work. So that’s a really big problem if you’re reusing passwords. So what a password manager does is it enables you to make sure that you’re using a unique password for every service. You don’t have to memorize them anymore. You don’t have to have them written down. You don’t have to, like, have some weird scheme in your head where it’s like, well, you start with my dog’s name, and then a year, and then I modify it by the month. It’s like, no, you just don’t have to know what the password is; the password manager memorizes it for you. And it makes your life so much easier, and you have significantly improved security. Because we’re using unique passwords, you can use the most complex password that each site will allow, and you only have to remember the master password to log into the password manager itself. It auto-populates it for you. It’s such an incredible improvement for the individual user. And people who rightly ask the question of, well, what about the password manager getting hacked? That’s where the second piece of advice would come in: how to use it slightly differently. But even in that case, using a password manager is going to be better than not using a password manager.
Jodi Daniels 29:16
That sounds good. Very common tip on our show.
Justin Daniels 29:24
It sounds like if I’m going to use the password manager, I would put a password in there that is almost written in, like, a form of cryptography. It might have, like, symbols or things that I know how to translate. So even if they hack into that, they see something that, unless they know the code that’s in my head, they couldn’t take the password.
Ted Harrington 29:45
You’re mostly right. Yeah, you’d modify it by adding something to the password. So what’s in the password manager is part of the password, and then you add something to it. You manually type it in when you actually log into the website or whatever you’re logging into. So if a password manager ever gets hacked, they only have part of the password; they don’t have the whole thing. And then the modifier you just remember.
Justin Daniels 30:05
Really awesome tip, I’m gonna have to try that thing.
Ted Harrington 30:09
Yeah, it’s a little painful to, like, get it set up, because it requires a little bit of change of behavior; most people don’t set it up this way. But once you get it set up, your life is just so much easier.
Justin Daniels 30:21
No, it’s almost like you’ve gotten your own version of multifactor on the password manager, which, that’s a great idea. Thank you for sharing that.
Jodi Daniels 30:31
Your new password manager fans over here. The other reason why password managers are so good is the ability, if you ever have to share across the family, to grant access without them even seeing the password, instead of emailing it. So those are some good benefits.
Justin Daniels 30:46
Well, we’ve spent so much time talking about security and ethical hacking in your book. When you’re not busy writing a best-selling book or finding security flaws in companies, what do you like to do for fun?
Ted Harrington 31:00
Man, I love to travel. It’s like, I read this thing this morning in this book that I’m reading. It was talking about peak performance, basically, and I forget what the exact sentence was, but I literally stopped and put the book down when I read this, because, like, wow, that just hit me in the heart bone. And it said something like, when you’re doing what you truly love, you don’t have to work on being present, because you wouldn’t rather be anywhere else. And that is exactly how I feel when I’m in another country having a new experience. My eyes are seeing scenery I’ve never seen before. I’m having food I’ve never tried before. I’m hearing accents I’ve never heard before. And that to me is just so, so stimulating and rewarding. It’s like, as soon as I get home from whatever trip, I need to adjust to the jet lag, and I’m immediately figuring out what the next trip is gonna be.
Jodi Daniels 31:48
So what’s the next trip?
Ted Harrington 31:50
Oh, well, I just booked a trip to Mexico City. I’ll go down there for a few days; I haven’t been there yet. And then probably Costa Rica right after that.
Jodi Daniels 31:59
I hear Costa Rica is beautiful. It’s definitely on my list, for sure. Well, Ted, thank you so much for joining us today. How can people learn more about you, grab a copy of your book, and connect?
Ted Harrington 32:11
Yeah, it’s super easy. Just go to tedharrington.com. Everything’s there: where to follow me on social media, information about my book, if you need help with security testing, all that stuff is there. Yeah, tedharrington.com.
Jodi Daniels 32:24
Well, wonderful. Well, thank you again, we appreciate all the great advice that you’ve shared.
Ted Harrington 32:30
My pleasure. Thanks for having me.
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.