Pratum Blog


Go ahead, try to predict the death of passwords. You’ll wind up sounding like the 1960s futurists always predicting that we’d abandon cars any year now for personal aircraft buzzing above the gridlock. Back in 2004, even Bill Gates pronounced passwords obsolete when he declared them insufficient for truly securing critical data. At the time, Gates noted the chronic issues of people using the same password on many platforms and writing them down so they can remember them.

The kids learning to walk on the day that Gates threw that password shade are now college students generally continuing the sins of their digital ancestors. Most people still use ridiculously weak passwords, with “123456” being the most popular choice of 2020. The top 50 passwords of 2020 can all be cracked by automated hacking tools in under a day, with most being crackable in under 1 second. But that’s not to say we’re not worrying about those lame passwords, since Google reports that searches for “password strength test” jumped 300% in 2020.

But choosing a stronger password throws us right back into the hassle loop. Stronger = harder to remember, which explains why about 2/3 of Americans use the same password across multiple sites. That’s a bigger problem than most people realize, considering that roughly 15 billion passwords are for sale on the dark web on any given day. (You can check whether your e-mail address or phone number has been part of a data breach at this site.)

The Trade-Offs of Passwords

So we all agree: Passwords are a pain and actually pretty mediocre at their one job of securing data. Roughly 80% of system breaches involve a compromised user credential. And the research firm Forrester estimates that about half of IT help desk calls relate to password resets, at an average cost of $70. In one case study, Aetna insurance noted how customers would deluge the help desk with password resets during open enrollment (one of the few times each year most people touch their insurance app). The company dubbed it “Password Armageddon.”

Even so, passwords survive largely because switching to other tools requires more inconvenience for users and a significant migration effort and expense on the part of the IT team. This chart from Microsoft sums up the trade-offs between passwords and several alternatives we discuss below:

(Chart: Password Convenience Quadrant)

If you’re looking to improve your organization's IT security or Identity and Access Management, here are some options to consider.

Passphrases – These extended versions of passwords are harder to crack because of their length and mix of words. A basic one might be “HowIMetYurMoth3r!” That’s better than a password or a string of normal words, and it meets common password requirements for capitalized letters, punctuation, etc. It throws in a couple of curveballs with a misspelled word and a number standing in for a letter. But it still lacks enough of what experts call entropy, or randomness. Humans almost inevitably think in patterns, so if you want a truly strong passphrase, use a randomizer tool like Diceware. Of course, a great passphrase still has a major weakness if you reuse the same one on multiple platforms.
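To make the entropy point concrete, here is an added example (not from the original post or from the Diceware project) that builds a passphrase the Diceware way and computes how many bits of randomness it carries. The short word list, the 80-bit target and the helper names are assumptions; only the 7,776-word list size and the five-dice indexing are Diceware’s own.

```python
import math
import secrets

# Constructed stand-in for a word list; the real Diceware list has 7,776 words
# (assumption: only a few words are embedded here, the entropy math uses the real size).
SAMPLE_WORDS = ["cargo", "ember", "fjord", "glade", "harp", "ivory", "jolt", "kelp"]
DICEWARE_LIST_SIZE = 6 ** 5  # five six-sided dice index 7,776 words


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly and independently.

    Each word contributes log2(list_size) bits. A phrase a human builds from a
    TV title with a letter swapped for a digit carries far less, because an
    attacker can model that pattern instead of guessing blindly.
    """
    return word_count * math.log2(list_size)


def roll_dice(rolls: int = 5) -> str:
    """Simulate Diceware's five dice with a CSPRNG (secrets, never random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def diceware_index(rolls: str) -> int:
    """Map a dice string such as '31415' to a 0-based index into the word list.

    Diceware lists are keyed by the five digits in order, so this is base-6
    arithmetic with the digits 1..6 mapped to 0..5.
    """
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("expected five dice digits 1-6")
    index = 0
    for digit in rolls:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(words: list, word_count: int) -> str:
    """Pick word_count words uniformly at random; every pick is independent."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 4))
    print(f"6 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"words for 80 bits: {words_needed(DICEWARE_LIST_SIZE, 80)}")
```

Six words from the full list give about 77.5 bits regardless of how memorable the words look, which is the property a pattern-based phrase cannot offer.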

Single Sign-On – Many companies have adopted this setup, which lets users rely on a single username and password to access a wide variety of programs and services. No more typing in a different password for Office 365, the company intranet, the expense reporting system and every other cloud-based service. SSO has clear advantages in the realm of user experience and workload for IT teams constantly dealing with password issues. SSO’s main challenges are complexity of implementation and dealing with legacy applications that may not support it. And SSO obviously carries the problem of giving a hacker access to all your systems if they compromise the SSO itself.

Multifactor authentication – If you’ve ever talked to a cybersecurity expert, you’ve probably heard them preach the importance of MFA. We’re doing it again here. Virtually every vision for eliminating passwords requires MFA because of stats like Microsoft’s finding that MFA reduces the odds of being compromised by 99.9%. MFA lets people access data by providing two of the following three things:

  • Something you know – This is the password or PIN. If you know it, someone else can at least theoretically figure it out, too. Which is why you need other factors.
  • Something you have – Also known as an “ownership factor,” this is a physical item like a cellphone, badge, hardware token, etc.
  • Something you are – Biometric factors, which could be fingerprints, retina scan, voice recognition, etc.

Password Replacement Options

Password-less Authentication – These systems rely on MFA’s “something you have” and “something you are” elements to grant access. There’s no password to memorize, or steal. So logging into a system typically requires you to have an item (your phone, a hardware token, etc.) and a biometric factor like those described below. Many of the systems also incorporate some version of public key cryptography that generates a unique key for logins. In simple terms, this system puts a padlock on a system that everyone can see. But only you get the key.

PINs – They’re not quite the same as a password. Microsoft now supports PINs that are tied to a specific device. That means that even if you gave a hacker your system password, they couldn’t get into anything without accessing it through your physical device. That turns the computer itself into a “something you have” factor for MFA.

Biometrics – Scans of fingerprints and facial features have gone mainstream in recent years with smartphone features and Windows 10’s Windows Hello option for logging in with a facial or fingerprint scan. Your unique appearance is far more difficult to steal than a password, but hackers are finding ways to spoof faces to fool the systems. So even with the go-to security system of every spy movie in place, MFA still provides a needed extra layer of security.

Along with reading faces and fingerprints, companies have spent years researching some other incredibly subtle ways of identifying you. Your computer may eventually identify you by your typing rhythm, and your phone may recognize you through the pressure you exert on the screen. (It’s an old idea. During World War II, telegraph operators recognized each other by their tapping rhythms in a method known as “Fist of the Sender.”)

Advanced threat detection – Next-gen endpoint detection tools such as Managed XDR can stop hackers even if they have an authentic username and password. (This process is sometimes known as risk-based authentication.) These tools constantly watch for developing threats by tracking where a user is logging in from, what they’re trying to access and more. With this 360-degree defense in place, even a stolen password won’t be enough for someone acting suspiciously to get to critical data.
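The risk-based logic described above, as an added example that is not code from the original post or from any XDR product: each login that has already passed the password check is scored against the user’s own history (location, device, target resource, travel time) and then allowed, challenged for a second factor, or blocked. The history, the point values and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    country: str
    device_id: str
    resource: str  # what the user is trying to reach


# Constructed login history for one user (sample data, not real logs).
T0 = datetime(2021, 3, 1, 8, 0, tzinfo=timezone.utc)
HISTORY = [
    LoginEvent("alice", T0, "US", "laptop-1", "mail"),
    LoginEvent("alice", T0 + timedelta(days=1), "US", "laptop-1", "intranet"),
    LoginEvent("alice", T0 + timedelta(days=2), "US", "laptop-1", "mail"),
]

# Assumed policy values; a real product tunes these from its own telemetry.
SENSITIVE_RESOURCES = {"payroll", "domain-admin"}
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is implausible
STEP_UP_AT, BLOCK_AT = 30, 60


def risk_score(event: LoginEvent, history: list) -> tuple:
    """Score a login attempt against what this user normally does; return (score, reasons)."""
    mine = sorted((h for h in history if h.user == event.user), key=lambda h: h.ts)
    score, reasons = 0, []
    if event.country not in {h.country for h in mine}:
        score += 40
        reasons.append("new country")
    if event.device_id not in {h.device_id for h in mine}:
        score += 30
        reasons.append("unknown device")
    if event.resource in SENSITIVE_RESOURCES:
        score += 20
        reasons.append("sensitive resource")
    last = mine[-1] if mine else None  # most recent prior login
    if last and last.country != event.country and event.ts - last.ts < TRAVEL_WINDOW:
        score += 50
        reasons.append("impossible travel")
    return score, reasons


def decide(event: LoginEvent, history: list = HISTORY) -> str:
    """Turn the score into an action: allow, require a second factor, or block."""
    score, _ = risk_score(event, history)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up-mfa"
    return "allow"
```

A correct password from a never-seen country, minutes after a login at home and aimed at payroll, scores high enough to be blocked outright, while a new phone on the usual network only triggers an MFA prompt.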

Need help figuring out how to implement some of these tools to move past passwords’ inherent limitations? Contact us today.

How many years of old e-mail messages apply to this case?
Will it really cost thousands of dollars to find the electronic records?
What’s our legal liability for messages that “self-destruct” after they’re read?

When it comes to digital evidence, the questions change at the speed of innovation. And that makes challenges related to electronically stored information (ESI) a key issue in nearly every court case. With court decisions hinging on digital evidence, it’s critical that business leaders, IT pros and attorneys all understand what courts are looking for.

“I can’t think of any case where there isn’t some amount of ESI,” says Judge Helen Adams, Chief Magistrate Judge for the U.S. Southern District of Iowa.

Judges Expect You to Do Your Homework

In such a fast-moving legal area, judges don’t expect anyone to have perfect answers. But judges are signaling their shrinking patience with attorneys who won’t make the effort to become competent with e-discovery. For one cautionary tale, Judge Adams recommends reading DR Distributors, LLC v 21 Century Smoking, Inc. et al. In the January 2021 ruling, Judge Iain Johnston of the U.S. District Court of Northern Illinois clearly showed that he was fed up with a case that had dragged on for eight years and included more than 400 docket entries. Judge Johnston declared in the ruling’s opening sentences, “Through a series of missteps, misdeeds, and misrepresentations, Defendants and the former defense counsel find themselves looking down the barrel of a sanctions motion Howitzer.”

Judge Adams says, “It’s a great learning tool for lawyers if they want to know what not to do.”

Even after that warning shot, Iowa’s Judge Adams remains optimistic. She thinks that most ESI headaches can be avoided if all parties simply do some homework and focus on communicating clearly and frequently.

Curiosity Solves a Lot of Problems

Judge Adams’ core advice is simple: Become more curious, ask better questions and talk with more people who can explain all the legal implications of recording almost everything.

“The biggest complicating factor for me is that lawyers just aren’t well-versed in this and don’t ask enough questions of their clients,” she says.

The judge’s most common challenge? Lawyers who claim an ESI request is overly broad and puts an undue burden on their client. “But when you ask what that means, they can’t answer it because they don’t have the info from their client.”

How Much Does It Really Cost to Find That Data?

Judge Adams says that if an attorney pushes back on an ESI request, they should produce supporting details. For instance, an attorney could provide an affidavit from an IT expert explaining where the information is stored and exactly how much it would cost to retrieve it. The judge wants specifics, such as how many documents came up in the initial search, where those documents are stored and how many hours it would take to retrieve them.

Many digital evidence requests try to cover too much time. In a wrongful termination case, there’s probably no reason to request every record related to an employee’s 20-year career at the company. Instead, start by requesting records and e-mails from 6 months before and 6 months after the termination. The results will indicate whether it’s reasonable to expand the scope.

Judge Adams also urges attorneys to bring technical experts with them to pre-trial conferences and into the courtroom itself. “If you have a good IT rep that can talk to us, that would be really helpful,” she says. Just make sure your expert can translate the technical summary into terms that the judge and jury can easily follow.

Talk to the Other Side About Your Concerns

“A lot of ESI discovery issues can be resolved by lawyers on both sides talking to each other early and often and being transparent,” Judge Adams says.

To get all parties talking, the judge follows these procedures:

  • Early in the case, she holds a scheduling conference where she expects lawyers to discuss the nature and amount of ESI that they believe will be involved. In cases where the ESI appears significant, the judge sends the lawyers an ESI template and asks them to confer about the relevant topics and then file an ESI report with the court. Judge Adams says, “If you can work with the other side on the front end and tell them what you really need and what form you need it in, you can probably get that taken care of more efficiently, cheaper and with less dispute than just saying, ‘Oh, it wasn’t what you wanted? Sorry.’”
  • The judge also schedules bi-monthly status conferences with the lawyers in each civil case. Those meetings provide an opportunity for the lawyers and the court to discuss the progress of discovery and any potential disputes.
  • The parties can raise a dispute by filing a motion to compel discovery. If the parties are unable to resolve the dispute on their own, the judge will enter an order with respect to the discovery that must be produced.

Must-Reads on Digital Evidence

Judge Adams recommends the following resources for coming up to speed on ESI discovery:

  • The Sedona Conference – “I’m not sure lawyers and judges are fully aware of it, but they’re at the forefront of electronically stored discovery issues,” the judge says. Recent publications worth consulting include Commentary on Ephemeral Messaging and Commentary on ESI Evidence & Admissibility. Visit The Sedona Conference webpage to find these and other resources.
  • Rule 26 of the Federal Rules of Civil Procedure – Judge Adams notes that Rule 1 of the FRCP indicates that the purpose of the rules is “to secure the just, speedy, and inexpensive determination of every action and proceeding.” She calls attention first to Rule 26, which addresses the scope of discovery. Proportionality is a key point of dispute, with many disagreements centering on whether requesting data from years ago, for example, is truly proportional to the case.
  • Rule 34 – This rule addresses the fact that if parties don’t agree otherwise, then ESI must be produced in the manner in which it is maintained.
  • Rule 37(e) – Consult this rule for information on sanctions that may apply if a party has not properly preserved electronically stored information. The rule also provides standards for preservation.

Clearly, the legal team expects all parties to do their best to keep up. For help with best practices on finding and presenting digital evidence, contact our digital forensics team today.


It seems like we all would’ve learned this lesson from our own experience with mediocre teachers, coaches and bosses. But let’s review: Which statement from a leader would motivate your end users to make some changes?

“You’re the main reason we’re having this problem.”

“Our team really needs your help. You’re the perfect person to solve this problem.”

Easy choice, right? Not so much in the IT world. Despite everything we know about human motivation, we still constantly hear IT and security leaders trying to coax end users into taking security more seriously. Everywhere you turn, someone is calling an organization’s end users “the weakest link” in the cybersecurity plan. It’s especially common in marketing materials and social media posts from security awareness and training providers.

We’re not saying it’s untrue that end users are involved in most attacks. But we are saying it’s counterproductive to approach them as a liability rather than an asset.

Research shows that about 80% of successful data breaches involve some form of social engineering. But how many of your employees will eagerly embrace a defense-in-depth security culture if you approach them as the problem instead of part of the solution?

Rather than viewing your end users as a weakness to offset, enlist them as frontline defenders. Call them an extension of the security team. Pump them up as a critical piece of the overall data protection effort. Show them that they can personally make your organization safer.

Changing your mindset—and building it into all your communication with end users—provides a solid cornerstone for building a successful awareness and training program that your user base will embrace.


Plan Effective User Training

Recently (though not for the first time) we saw a social media post stating–with passion!–that training end users to spot phishing e-mails is a waste of time and resources. Wrong answer. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work.

Here are a few ways to create training and testing programs that get buy-in from your team:

  • Measure progress. Make a detailed plan for measuring your end users’ baseline knowledge and for measuring their progress after training. The baseline information will help you plan training with the proper relevance, timing, sophistication, etc. How can you deliver appropriate training and testing if you don’t know what most of your users already know? We’ve created sophisticated phishing tests with e-mail messages that fool all but the most attentive IT professionals. Anything less would’ve been too easy to truly test the targeted users. But such a difficult test would’ve completely missed the goal if it was aimed at workers who rarely use e-mail.
  • Set realistic expectations. Aiming for a zero “click rate” on the simulated phishing messages is unrealistic. Phishing training aims to dramatically lower click rates, not achieve a perfect score. While you may get a zero click rate on an individual phishing campaign, it is highly unlikely over multiple campaigns. The takeaway: Publicly congratulate your users for improving their phishing awareness during your next campaign. Don’t chastise users for failing to get a perfect score.
  • Include EVERY user. If you excuse senior leaders from a phishing training program, your end users will know it. And they’ll naturally think, “If the people at the top don’t care, why should I care?” Then the stats from your company’s phishing training and overall awareness/training program will show this attitude. You’ll see more people clicking on simulated phishing messages, and you’ll see people spending less time consuming awareness and training materials. Your security culture must start very publicly at the top.
  • That means you need to include IT and security teams, too. Even highly trained security and IT professionals fall for phishing e-mails. Include those users in your tests, even if that means customizing the test messages to reflect each user group’s sophistication level. This case study shows how one Pratum customer tested its IT team with some of the most convincing simulated phishing e-mails we’ve created yet.

So, let’s treat end users as frontline defenders, provide testing in a way that engages them, and view phishing training as a control with some of the best ROI in the security business. Ultimately, these steps will improve your organization’s overall awareness and training results and help with your “security bench strength.”

For help in planning a training program customized for your users’ needs, contact Pratum today.
