Source: Paul Sigismondi, Ph.D., is a research physicist and educator. He has a B.S. in Physics from the University of California at Berkeley and a Ph.D. in Physics from the University of North Carolina at Chapel Hill. His research interests include theoretical astrophysics and quantum field theory.

Security from intruders is an ancient quandary, and the internet has created new challenges. The purpose of this evaluation is to explore a digital identity and authentication solution called Photolok® that addresses the security problems created by the digital transformation of our daily lives. Since the digital world is still evolving, it is helpful to begin with a review of traditional security solutions, because we still use century-old methods that will someday be replaced by digital solutions like Photolok.

A functional security system must allow quick, easy, and convenient entry to those with permission, but must make invasion by an unwanted intruder highly unlikely. Ancient security arrangements typically involved gates, walls, watchtowers, moats, and armed personnel. Their main objective, still operative in modern systems, was to make invasion a taxing and dangerous enterprise for the intruder. As today, robust and effective security required manpower and maintenance, and administrators had to keep abreast of the ever-changing techniques that clever intruders tried in order to subvert the security in place.

The lock and key, which likely existed in rudimentary form in ancient Egypt, provided localized security for homes, safes, and the like. The combination lock eliminated the need to carry keys and required only recall of a numerical code to gain entry. Like the modern password used for cybersecurity, these systems had their drawbacks.
From the standpoint of user convenience, what happens if the user loses the keys or forgets the combination? Spare sets of keys, pieces of paper with combinations written on them, keys placed under mats, and unlocked back doors and windows litter the praxis of those trying to prevent lockouts while securing their property traditionally, and every one of them creates another way for an unwanted intruder to get hold of the keys or the combination. Since the user was not always able to reach a spare key or the place where the combination was stored, the security system had to be penetrable without keys or the correct combination in order to be practicable. And if a locksmith can pick a lock or crack a safe, someone with nefarious intentions can certainly learn to do the same.

A typical three-number combination lock with a 40-position dial has 59,280 distinct codes (40 × 39 × 38, with no number repeated). A typical home door lock has fewer than 100,000 distinct key combinations. If an 8-letter password drawn from the 26 lowercase letters is assigned at random for an internet account, there are nearly 209 billion (26^8) distinct possibilities for that password. In practice, a randomly assigned password is extremely difficult to remember, so users are generally allowed to choose their own password.

People tend to choose memorable passwords composed of common words and phrases, which greatly reduces the number of passwords actually in use. Zipf’s law, a well-known rule of thumb in statistics, states that the frequency of an item is inversely proportional to (a power of) its rank in the frequency table. Practically speaking, this means that many people choose the same few most common passwords. For example, in 2021 an estimated 2.5 million users adopted the most common password, “123456”; nearly a million chose “123456789”; and a little over 300,000 chose “password”.

Zipf’s law concentrates a population into its highest-ranked items. Fitting the data for the top 7 passwords yields a frequency inversely proportional to rank raised to the 1.3 power. If this relationship held across the whole distribution, then roughly 50% of the passwords in use would be one of the top 7 most common passwords. This gives internet intruders (bots and human attackers) a distinct advantage. (A ‘bot’, short for robot, is a software program that performs automated, repetitive, predefined tasks, typically imitating or replacing human user behavior, and far faster than a human could.)
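The concentration described above can be computed directly. The following Python script is an added example, not part of the original article: it takes the article's fitted exponent of 1.3 and computes what share of users the top-k passwords capture, and how many guesses per account a password-spraying bot would need to hit half of them. The number of distinct passwords in circulation (N) is an assumption, since the true tail of the distribution is not known, so the script runs several values.

```python
"""Added example (not from the original article): how much of a user population a
Zipf-distributed password choice concentrates into the top-k passwords.

Model: the frequency of the password at rank r is proportional to r ** -s. The
article fits s = 1.3 to the top 7 passwords. The number of distinct passwords N
is an assumption (the real tail is unknown), so several values are tried.
"""
from math import fsum


def zipf_share(k: int, s: float, n_distinct: int) -> float:
    """Fraction of users whose password is one of the k most common, when the
    frequency at rank r is proportional to r ** -s over n_distinct ranks."""
    if not 1 <= k <= n_distinct:
        raise ValueError("need 1 <= k <= n_distinct")
    weights = [r ** -s for r in range(1, n_distinct + 1)]
    return fsum(weights[:k]) / fsum(weights)


def guesses_to_cover(fraction: float, s: float, n_distinct: int) -> int:
    """Smallest k such that the top-k passwords cover at least `fraction` of
    users: the number of guesses per account a spraying bot needs for that hit
    rate under the model."""
    weights = [r ** -s for r in range(1, n_distinct + 1)]
    total = fsum(weights)
    running = 0.0
    for k, w in enumerate(weights, start=1):
        running += w
        if running / total >= fraction:
            return k
    return n_distinct


if __name__ == "__main__":
    # N is an assumption; the share of the top 7 barely moves as N grows,
    # because the exponent 1.3 makes the tail converge.
    for n in (1_000, 100_000, 1_000_000):
        print(f"N={n:>9,}: top-7 share = {zipf_share(7, 1.3, n):.1%}, "
              f"guesses per account for a 50% hit rate = "
              f"{guesses_to_cover(0.5, 1.3, n)}")
```

The point the numbers make is that under the article's fit, five or six guesses per account are enough to open about half of a population that picks passwords freely, which is why online services must rate-limit and monitor failed logins across accounts and not just per account.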

Because a modern intruder is often an automated bot that can try the most common passwords against many accounts on many targets at once (password spraying), and can test billions of guesses per second against stolen password hashes offline, traditional passwords are vulnerable to statistical attack. Even if a user is astute enough to choose a strong password, attackers have other methods that bypass guessing altogether, including phishing, credential-stealing malware, and insider threats; ransomware and distributed denial of service attacks are further threats that a password does nothing to prevent.

reCAPTCHA is a common defense against bot attacks. After entering a username and password, the user is prompted to prove they are human, either by transcribing distorted text or by picking out images with similar content. The suite of images used by reCAPTCHA is limited and well known to attackers, who can use that to their advantage, and off-the-shelf solver software is reported to defeat reCAPTCHA challenges about 70% of the time.

The rapid advance and efficacy of the techniques used by cyber attackers call for more robust security systems. Traditional password-secured systems are vulnerable both to non-statistical attacks (phishing, ransomware, man-in-the-middle attacks, etc.) and to statistical attack, especially when users are given wide latitude in choosing a password. Photolok is a system that is nearly impervious to non-statistical attack and gives statistical attack an extremely low probability of success, comparable to a truly random password. At the same time, it is far easier for the user to recall than a randomly assigned password the user had no part in choosing.

Photolok is a novel concept that employs proprietary-coded photos as the key to entry. The system can either assign photos to the user or allow the user to choose photos from a proprietary library that currently numbers over 6400. At login, the user is prompted for an email address. As an added security option, the user can be required to enter an access code that is emailed or texted to them after they have entered their email address. The user must then locate one of their account photos, which appears at a random position amid a panel of photos.

The Photolok identity and authentication system can be configured to let the user choose up to 5 photos and to label special security photos for 1-Time Use and for Duress. The system is highly secure and easy to use, since the photos are easily recalled and must be spotted by a human. More importantly, Photolok also protects against most external attacks, including keylogging, shoulder surfing, phishing, ransomware, and man-in-the-middle attacks, while preventing lateral (horizontal) movement between accounts.

This leaves a statistical (guessing) attack as the only viable means of penetrating the Photolok system, and that is highly unlikely to succeed. The number of possible sets formed by choosing a minimum of 3 photos from a library of 6400 is nearly 44 billion (C(6400,3) = 43,670,188,800, about 35 bits, in the same range as the 37.6 bits of an 8-letter random password), which is about 5.5 times the total population of the world. The number of people fully employed in the US is about 132 million. If every one of those workers chose a distinct set of 3 photos out of 6400, those sets would occupy about 0.3% of the possible sets, so a single random guess would match some account only 0.3% of the time. Even if the entire world’s population were given this task, a single random guess would hit an existing account only 17% of the time, and a guess aimed at one particular account would succeed with probability about 1 in 44 billion. (This is a different question from whether two users end up with the same set: by the birthday bound, duplicates among 132 million users are practically certain, but a duplicate set does not by itself let anyone into another user’s account, since the account is also tied to the user’s email address.) Penetration of the Photolok system by guessing is therefore nearly impossible.

Furthermore, the above analysis overestimates the attacker’s chances. There is no fixed limit to the complexity of the Photolok system: photos can be added to the library, and administrators can require users to choose more photos. As stated above, 3 photos is a minimum; in many cases users will want to use 4 photos, which gives nearly 70 trillion photo combinations (C(6400,4), about 46 bits). Changing a few operational variables, such as the size of the proprietary photo library, raises security further in a flexible manner with no extra burden on the user.
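The figures in the two paragraphs above can be checked with a few lines of Python. This is an added example, not from the original article or from Netlok; it assumes a 6400-photo library, sets of 3 or 4 distinct photos chosen uniformly at random, and the population figures the article quotes. It also computes the birthday bound, which is what "at least one duplicate set" actually requires, next to the single-guess hit rate that the article's percentages correspond to.

```python
"""Added example (not from the original article): the arithmetic behind the
article's keyspace and collision figures, plus the birthday-bound check.

Assumptions: library of 6400 photos, sets of 3 or 4 distinct photos chosen
uniformly at random, and the population figures quoted in the article.
"""
import math


def keyspace(library: int, photos: int) -> int:
    """Number of distinct unordered photo sets: C(library, photos)."""
    return math.comb(library, photos)


def bits(n: int) -> float:
    """Keyspace size as bits of entropy, for comparison with passwords."""
    return math.log2(n)


def hit_probability(users: int, space: int) -> float:
    """Chance that ONE uniformly random guess equals some user's secret,
    assuming the users' secrets are all distinct. This is users/space, the
    ratio the article reports (0.3% for 132 million workers, 17% for the
    world's population)."""
    return min(1.0, users / space)


def collision_probability(users: int, space: int) -> float:
    """Birthday bound: probability that at least two of `users` independently
    and uniformly chosen secrets coincide, 1 - exp(-n(n-1) / (2N))."""
    return 1.0 - math.exp(-users * (users - 1) / (2.0 * space))


if __name__ == "__main__":
    for k in (3, 4):
        n = keyspace(6400, k)
        print(f"{k} photos of 6400: {n:,} sets ({bits(n):.1f} bits)")
    print(f"8 random lowercase letters: {26 ** 8:,} ({bits(26 ** 8):.1f} bits)")
    n3 = keyspace(6400, 3)
    for label, users in (("US workers", 132_000_000), ("world", 8_000_000_000)):
        print(f"{label}: one random guess hits some account with "
              f"p = {hit_probability(users, n3):.2%}; at least one duplicate "
              f"set exists with p = {collision_probability(users, n3):.3f}")
```

The takeaway for a practitioner is the bit count: a 3-photo set is a roughly 35-bit secret, which is fine for an online login that is rate-limited and locked out after failures, but would not be enough if the set were ever used as an offline cryptographic key.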

Unlike passwords, bots cannot identify which photos to target. Randomizing where each photo appears on the panel neutralizes scripted click sequences, and bots cannot simply collect the digital data behind the photos, which may change each time a login attempt occurs. With near certainty, any attempt at penetration by an automated bot will fail and automatically lock the user’s account. (As with any lockout policy, lockouts should be time-limited or rate-based, so that an attacker cannot use deliberate failures to lock legitimate users out of their own accounts.)

In conclusion, Photolok represents a significant and promising evolution in digital security systems. It eliminates many of the flaws inherent in the present password paradigm and, most importantly, enhances online security while reducing the burden on the user, which is critical for mass adoption.

Note: to learn more about Netlok’s Photolok logon solution, click www.netlok.com.

Roger Grimes

KnowBe4 recommends that everyone use a password manager to create and use strong passwords as part of their password policy:
https://info.knowbe4.com/wp-password-policy-should-be

LastPass, one of the world’s most popular password managers, recently had a bad data breach, as revealed here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

LastPass disclosed that although users’ plaintext passwords were not accessed, the hackers did get the following information:

The hackers also got LastPass users’ encrypted passwords for each stored logon. The encryption protection is strong AS LONG AS the master password the user chose for LastPass was strong. If you’re interested in a more detailed discussion, go here:
https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes

In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, was not an easy-to-guess password, and was not used on any other site or service, then you’re probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and every password you stored in LastPass.

Spear Phishing Bonanza

However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to target a specific potential victim (i.e., spear phish) using information not known to the general public or to other hackers.

For example, with a list of the websites someone logs onto, a phisher can craft phishing emails that pretend to be from one of those sites and include the user’s name, telephone number, and mailing address. Each added detail adds to the veil of false legitimacy around a social engineering email, and each one increases the percentage of people who will become victims.

Knowing people’s phone numbers and which websites they belong to opens up an avenue for fake tech support calls. Mailing addresses allow elaborate scams through postal mail. Here’s a brazen example of such a scam:
https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17

The sky is the limit on the types of spear phishing scams that can be created and delivered using the information stolen in the LastPass breach. Kudos to LastPass for making sure the most critical user information, the users’ passwords, was stored in an encrypted state.

But this breach, like all the others before it, calls into question what type of user information should or shouldn’t be considered “critical information” and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.

LastPass users were relieved to learn that their stored passwords were not directly compromised, but the information the hackers did take is likely to have spear phishing repercussions for years to come.

Blog post with links:
https://blog.knowbe4.com/heads-up-lastpass-attack-could-supercharge-spear-phishing-attacks

CyberheistNews Vol 12 #52  |  December 28th, 2022

To start off I’m repeating the tradition of my same New Year’s wish as a newsletter editor since 1996: “A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights”.

At the end of the year I spend a few days reading all the IT security pundit’s 2023 predictions and synthesize them with my own perspective. The Crystal Ball editorial is the shortest of the year and takes the longest to write, but it’s fun.

President Ronald Reagan once said, “The future doesn’t belong to the fainthearted; it belongs to the brave.” Sci-fi writer William Gibson added a few decades later: “The future is already here, it’s just unevenly distributed.” So, what will come next in our world of cybersecurity as we head into 2023?

Taken together, the industry’s predictions cover the following: 2023 will bring significant shifts to the world of cybersecurity. We could very well see a barrage of nation-state cyberattacks inspired by Ukraine’s hybrid hot and cyber war, an increase in MFA attacks, innovative strikes against drones and space vehicles, and skyrocketing social engineering on social media using deepfakes.

As the reach of hacktivism continues to expand, organizations are being compelled to look beyond endpoint solutions and invest in new “umbrella” platforms like XDR, Managed XDR and HDR that can help them manage growing infosec complexity. Furthermore, ransomware is expected to remain a major threat as malicious actors experiment with new, even more damaging forms. We must be especially vigilant about emerging technologies such as self-driving automobiles, humanoid robots and the Metaverse, which will very likely give cyber criminals new attack surfaces. It is sure to be an eventful 2023.

As usual, I’m donning my asbestos undies, so you can safely flame my poor behind after reading the new 2023 predictions. Good riddance of ‘annus horribilis’ 2022 which was the year of permacrisis.

  1. A shift in focus to create a culture of security and resilience versus compliance and breach-prevention, as identity and authentication attacks will remain a constant threat.
  2. Dramatic rise of purely destructive attacks by APTs, as techniques of cyberwar will come to commercial cybercrime.
  3. Shapeshifting ransomware business models will become a bigger avenue for data theft and blackmail, EU possibly overtaking US as most-targeted.
  4. MFA adoption fuels a surge in social engineering, BEC and weaponized deepfakes will take new forms, social engineers set their sights on ICS systems.
  5. A Foundational Model for Adversarial AI will make it into the mainstream. Have you played with ChatGPT? The coming GPT-4 will be a killer.
  6. Mobile Workplace Trends (gaming, LinkedIn, WhatsApp, Signal, Snapchat) create ever larger attack surfaces enabling lateral penetrations.
  7. Innovative Crime-as-a-Service players make major inroads.
  8. Cyber Insurers verticalize their already increased security requirements, both premiums and outright rejections skyrocket.
  9. Macro-economic pressures and the coming 2023 Recession expose weaknesses and increase systemic infosec risk.
  10. The fragility of crypto infosec will cause the mother of all breaches, undermining it as a whole, and spur central banks to roll out digital currencies. Search for CBDC and shiver.

In “The Big Lessons From History”, financial writer Morgan Housel sums it up succinctly: “Risk is what you don’t see,” and “The riskiest stuff is always what you don’t see coming.” All the more reason to keep your eyes peeled and send monthly simulated phishing tests to keep your users on their toes!

Sponsored by Specops Software  • December 6, 2022

Password management is frustrating for users and administrators alike and can be a challenge in any organization. One lost or stolen password may be the crack in your organization’s foundation that lets an attacker slip in.

Conventional password guidance held that regular changes and long, complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years the conventional wisdom has been changing.

One such guideline is NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (part of SP 800-63-3), first published in 2017 and updated in 2020. A significant change was the removal of the earlier recommendation for periodic password changes: verifiers should not require passwords to be changed on a schedule, but should force a change when there is evidence of compromise, and should check new passwords against lists of commonly used or breached values.

The Good and Bad of Password Resets

Despite the NIST recommendation not to rotate users’ passwords on a schedule, there are still valid reasons for password resets. Below are some pros and cons of when password resets make sense and where they fall short.

Pros and cons of password resets

  Pro: Regular password resets mean a stolen password is usable only for a limited time.
  Con: Users are more likely to fall into a predictable password pattern, which leads to insecure passwords.

  Pro: When a breached password is found, forcing a reset ensures users do not keep using an insecure password.
  Con: An organization can avoid such resets in the first place by checking for breached passwords at the time of a password change.

  Pro: A lost device should trigger a password change to ensure that a cached password cannot be used.
  Con: Multi-factor authentication makes a lost device more a nuisance than a security issue, especially when the device is encrypted.
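A concrete version of the breached-password check that the second pro/con pair above and the NIST guideline refer to, as an added example that is not part of the Specops article: reject a new password at change time if it is too short or appears in a breach corpus. The corpus here is a small constructed list standing in for a real feed; the lookup copies the k-anonymity design of the Have I Been Pwned "Pwned Passwords" range API, in which only the first five hex characters of the password's SHA-1 hash leave the client, so the service never sees the full hash. All function and variable names are this example's own.

```python
"""Added example (not part of the Specops article): a breached-password check
run at password-change time, the control NIST SP 800-63B calls for in place of
scheduled rotation.

The breach corpus below is a small CONSTRUCTED list, not real breach data. The
lookup mirrors the k-anonymity design of a range API: the client sends only
the first 5 hex characters of the SHA-1 hash and compares suffixes locally.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (not real breach data).
BREACHED_PASSWORDS = ["123456", "123456789", "password", "qwerty", "Winter2022!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range APIs key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Index the corpus as 5-char prefix -> {35-char suffix: count}, which is
    the shape a range service returns for a single prefix query."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_query(index: dict, prefix: str) -> dict:
    """Server side: everything stored under the prefix. The server learns only
    the 5-character prefix, never the full hash or the password."""
    return dict(index.get(prefix.upper(), {}))


def is_breached(index: dict, password: str) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(index, prefix)


def validate_new_password(index: dict, password: str, min_length: int = 12) -> list:
    """Checks to run on a password change: a length floor and a blocklist of
    known-breached values. Returns the list of reasons to reject (empty = ok)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(index, password):
        problems.append("appears in a breach corpus")
    return problems


# Index built from the constructed corpus, used by the demo below.
DEMO_INDEX = build_range_index(BREACHED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ("Winter2022!", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(DEMO_INDEX, candidate) or ["ok"])
```

Running the check at change time, rather than rotating on a schedule, is what lets an organization drop periodic resets without letting known-bad passwords back in; the same function can be run against the existing directory when a new breach list arrives, forcing a reset only for the accounts that match.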

With all of these scenarios in mind, how do password resets, scheduled or unscheduled, cause real economic and productivity damage?

The Ever-Increasing Overhead of Password Resets

Many users dread a password reset. There is always a cost, whether from the procedure itself or from a problem it causes. Imagine a user about to start the workday who first has to rotate their password because of company policy. This is not uncommon, as many users wait until the last minute to change a password, leading to locked-out accounts and longer-than-expected password reset tickets.

In its studies, the Gartner Group found that between 20% and 50% of all help desk calls are for password resets, and each reset typically takes 2 to 30 minutes to resolve. The time and cost a help desk could save by reducing password resets would let it focus on more complex problems.

The increasing interconnection of systems often compounds these time commitments. In an authentication system like Active Directory, a password reset means the new password must be replicated to every connected Domain Controller (DC).

With more remote workers, the DCs may be geographically spread out, leading to longer replication times. Additional subsystems in the mix, some even synchronized manually, can compound the problem even more.

Any user facing 30 minutes or more to resolve a password reset will do whatever they can to avoid it. How? Instead of choosing a strong password, they may opt for one that is easy to remember, such as a repeating pattern, or they may write the password down, often leaving it in an insecure location.

Reset Password Sends Productivity Down the Drain

What happens when a user misses the window to reset their password, or forgets the latest one because of how many recent changes there have been? Not only must the user contact the already overworked help desk, but they are stuck waiting for a resolution instead of working in the meantime.

Plus, when a user is locked out, the password reset takes priority over other vital tasks, since that user can no longer work, and any organization’s priority is to get that person productive again. A password reset therefore necessarily diverts the help desk’s attention.

As recent years and studies have shown, the move to remote work is not slowing. 58% of Americans report having the opportunity to work from home at least one day a week, and a potential benefit is more flexible work hours.

There are many benefits to flexible working hours, both for employees and employers, but this also means that when a password reset is required, it may be outside helpdesk hours. Without assistance, the employee is stuck until the next day, potentially leading to even more productivity loss.

How Password Resets Hurt the Bottom Line

Passwords can be an expensive burden for organizations of all sizes. Forrester Research puts the average help desk labor cost of a single password reset at about $70, and that does not count the lost productivity of the user, compounded across the many resets done in a given year.

According to a Yubico-sponsored report, the average user spends 10.9 hours a year on password resets, which works out to an average loss of $5.2 million a year in productivity for a 15,000-user organization (at a $32-an-hour average). The Yubico report focused on the end user, but that is not the only place the time goes.

For IT help desks, a Onelogin study found that over 37% of companies spend more than 6 hours a week on password resets. That is time a help desk employee could spend on more critical tasks; it could even mean an organization needs fewer help desk employees overall.

Self-Service Password Resets Save the Day

With all of these challenges, what can an organization do to lessen the impact of password resets? One step is to adopt the current NIST guidance and do away with scheduled password resets. But users will inevitably forget passwords, and an unrelated breach may still force a change.

The best way for an organization to save time, money, and productivity is to empower the users with a self-serve password reset solution. Specops uReset offers a variety of features to allow users to reset their passwords without the need for a time-consuming and potentially expensive IT helpdesk call.

Password resets, while a necessity in some cases, lend themselves well to self-service, with a smaller impact on the help desk and on an organization’s bottom line. You can test Specops uReset in your own Active Directory to experience a secure self-service password reset solution.

Sponsored and written by Specops Software

The international ransomware group LockBit claims to have stolen 76 gigabytes of data from the California Department of Finance. The data is said to include confidential and financial documents, and other sensitive information.

December 13, 2022 • Lindsey Holden, The Sacramento Bee

(TNS) – California officials are investigating a cybersecurity incident at the Department of Finance after a global ransomware group claimed it stole confidential data and financial documents from the agency.

The California Office of Emergency Services on Monday said in a statement that the state Cybersecurity Integration Center is actively responding to a cybersecurity incident involving the California Department of Finance.

Cal OES describes the threat as an “intrusion” that was “proactively identified through coordination with state and federal security partners.” The statement did not provide any specifics about the nature of the incident, who was involved or whether information or data had been taken.

Cal OES said only that “no state funds have been compromised.”

Tech news outlets reported global ransomware group LockBit was behind the threat.

Screenshots from the group’s website show it claims to have stolen 76 gigabytes of data, including “databases, confidential data, financial documents, certification, court and sexual proceedings in court, IT documents and more … ”

The U.S. Department of Justice in November charged a dual Russian and Canadian citizen for taking part in LockBit’s ransomware campaign.

The DOJ reported LockBit appeared in January 2020 and has threatened at least 1,000 victims in the United States and internationally. It described the group as “one of the most active and destructive ransomware variants in the world.”

©2022 The Sacramento Bee, Distributed by Tribune Content Agency, LLC.


By Julia Musto
Published December 01, 2022
Fox News

Password manager LastPass announced Wednesday it had suffered its second data breach in three months.

CEO Karim Toubba said the company recently detected unusual activity within a third-party cloud storage service that is shared by LastPass and affiliate GoTo.

He said an investigation was immediately launched into the incident by security firm Mandiant and that law enforcement had been alerted.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba said.

LastPass is working to identify what specific information has been accessed and the scope of the incident.

Products and services remain fully functional, and LastPass said it continues to deploy enhanced security measures and monitoring capabilities across its infrastructure.

Toubba said further updates would be provided as LastPass learns more details.

In August, LastPass said an unauthorized party had gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.

Following an investigation, Toubba said in September that the threat actor’s activity had been limited to a four-day period and confirmed that there is no evidence this incident involved any access to customer data or encrypted password vaults.

“We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care,” he said then.

Julia Musto is a reporter for Fox News and Fox Business Digital.