Policy

What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords

"I get emails from this website on a monthly or basis,” DHS CISO Paul Beckman said Tuesday.

January 28, 2020

Paul Beckman speaks Jan. 28, 2020, at the Zero Trust Security Summit presented by Duo Security and produced by FedScoop and CyberScoop. (Scoop News Group)

A website that informs users if their email address has been swept up in a data breach isn’t just popular with vigilant business owners or private security sleuths. The man charged with protecting the Department of Homeland Security’s systems from hackers also maintains an account on the “Have I been Pwned?” website, and it regularly reminds him of the risks passwords pose.

“I get emails from this website…on a monthly or bimonthly basis,” DHS CISO Paul Beckman said Tuesday at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop. “That is how often my username and password is getting compromised.”

Beckman said he registered both his personal and DHS email addresses on the website. The good news for him is that he uses a “second factor” — something like a SMS message or an authentication app — to log into his accounts and keep hackers out of them.

The anecdote shows the security mess that, some security professionals argue, passwords have wrought, and how one more layer of verification can be a saving grace.

Because computer users the world over are guilty of reusing passwords, hackers will often use credentials stolen from one account to unlock another. Making it easier for people to log in with unique credentials can go a long way toward cutting down on breaches, security analysts say.

“We need to get to a better way to consolidate that and make it easier to manage our credentials,” Beckman said.

Beckman, of course, isn’t the first to urge agencies to, at a minimum, adopt multi-factor authentication to help secure their systems. Last February, the General Services Administration began requiring administers of .gov domains to use two-factor authentication. For some agencies, the bar began pretty low: a 2018 assessment from GSA found that the State Department had enhanced security controls, including multi-factor authentication, on just 11 percent of required agency devices.

Awareness of multi-factor authentication’s importance within the federal government has grown in the year since the GSA directive. But standards like WebAuthn and FIDO2, which allow users to easily authenticate to services on their mobile and laptop devices, hold even more promise for security.

“It is things like WebAuthn and FIDO2 that I do believe are going to be the future,” Beckman said.

What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords

More Like This

FBI director warns of China’s preparations for disruptive infrastructure attacks

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Ex-White House cyber official says ransomware payment ban is a ways off

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Multifactor authentication could be long haul for some federal agencies, CISA official says

Feds likely to miss deadline for strengthening encryption, multifactor authentication

SEC fines brokerage firms over email hacks, customer data exposure

Why combining FIDO2 and PKI provides broader enterprise-wide security

Google to make multi-factor authentication its default mode

Biden’s cyber executive order to include new rules for federal agencies, contractors

Yubico pushes an enterprise security plan geared toward corporate America

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics