Interview: Password Security In A World Beyond Passwords

Darren Guccione, Chief Executive Officer and Co-Founder at Keeper Security, discusses the importance of password management in an increasingly passwordless world, and how security should lie at the core of identity security solutions—and the vendors that create them.

Darren Guccione is the Chief Executive Officer and Co-founder of Keeper Security, a leading password, secrets and privileged access management solution that helps organizations to secure their users’ accounts by eliminating poor password practices.

Having started out as an engineer with a passion for creating innovative technologies, Darren has become a serial entrepreneur with over 25 years of experience in the technology space. Before co-founding Keeper, Darren co-founded Callpod and OnlyWire and held a role as CFO and Director at Apollo Solutions.

We spoke to Darren to discuss the importance of password management in a world that’s becoming increasingly passwordless, and how organizations should go about choosing the right password management solution. We also discussed how we can expect the cybersecurity landscape to evolve as we move further into 2023 and beyond.

Could you please introduce yourself and your security background, and tell us why you co-founded Keeper Security?

Sure. My name is Darren Guccione and I’m the CEO and co-founder of Keeper Security. I have a background as an engineer—I’m also a certified public accountant, but I started off in engineering—and I’ve always had a passion for invention.

Within cybersecurity, the possibilities for invention are endless. I learned a lot about cyber through the doctrine of self-help—whenever you innovate in an industry, I think it’s important to have an open mind and go where there is no path. So, the whole premise of the company, in terms of invention and innovation, is really about listening to critical, unmet needs of the market in terms of where their pain points are, and then designing solutions that deliver against those pain points at speed.

I don’t have a formal education in cybersecurity. I’m an engineer that spent a ton of time absorbing everything I can across the identity and access management industry and innovating within that framework.

What made you want to move into the identity space specifically?

It’s a big problem and I love tackling big issues. Enterprise cloud is one of the largest technology markets in the world. Every size business across every sector is now engaging with the cloud. And with that, you’ve got this mass proliferation of devices coupled with distributed, remote workforces. So, you wind up with an exponential increase in endpoints; there are more computers, more devices to protect, and more people to protect, working from different locations on various networks as they access systems that are typically related to their employment.

We saw a very exciting opportunity to be able to not just build a great business, but also provide a lot of social good and protect millions—if not billions—of people globally against cyber criminals.

Who are your typical customers, and what are their main challenges when it comes to password security?

We serve every go-to-market segment. On the consumer side, we serve individuals and family members, students, and professionals. On the business side, we serve home offices—people that run their businesses from home—small to medium sized businesses, and enterprises, both in the private and public sector, as well as government agencies and higher education. We do it all.

So, we want to make sure that we can provide a great product that’s affordable, accessible, very easy to use, and easy to distribute to a wide scale group of people that really includes everyone who transacts on a mobile device or computer.

How does Keeper’s password manager differentiate itself from other solutions in the password management space?

The nucleus of our business starts with security. That’s always been the cornerstone and the foundation for the business. We have a really strong team on the research and development side of our business, with PHDs in cryptography, and we invest millions of dollars a year in security.

It’s built into our infrastructure and our processes—it’s not just built into the product, it’s built into every segment of the organization, from the board of directors all the way outward. Every single person within the organization is responsible for cyber, so we have a mindset that starts with cybersecurity and we build that into our solutions.

So, objectively, based on the architecture and documentation, what we do with multilayer encryption, our use of the latest technologies, our patents, and in terms of being the innovators in the space, our biggest market differentiator is that we are the most secure product in the industry.

Secondly, we’ve always been the most multi-tenant or cross-platform solution in the market. We built a solution that seamlessly integrates with any type of technology stack or infrastructure so whether you’re operating on-prem or off-prem, whether you have a cloud, hybrid cloud, or even a multi-cloud environment, we can accommodate you. And our solution is designed to seamlessly integrate with those types of structures for any size business.

You mention the importance of security within the company as well as the product, and that’s currently very topical in the password management space, with two popular password management providers having experienced breaches in recent months. Why should end users continue to use password managers when such breaches are possible?

A password manager is definitely the best way to manage and protect your passwords for any application, website, or system. There is no other way to do it efficiently, effectively, and securely. The key here is that you don’t want to reuse passwords or use weak passwords—more than 80% of data breaches are the result of weak or stolen login credentials, secrets, or passwords. There are literally over a hundred different types of attacks that attackers can plant to seek entry into your digital life.

And it’s important to remember that just because one company had a breach, that doesn’t mean that the entire industry has a problem. You have to look at the company in and of itself and ask how secure that organization’s infrastructure is, and how their product is architected.

For Keeper, it starts at zero trust and zero knowledge. We make sure that the customer is always in complete control and the only one who has knowledge of their master password and the encryption keys that are used to encrypt and decrypt their information.

When you log into your vault, there’s a key that’s generated instantly on the fly. That key is used once to decrypt the vault. Then we have multi layer encryption, i.e., different sets of keys for each folder and each record within that folder. And when every single record has a unique key, it’s very difficult for a cybercriminal to decrypt an entire vault—even if they’re able to steal the binary and gain access to the end user’s device.

So, if you’re looking for a password security product, you should make sure of two things:

  1. The infrastructure and architecture are zero trust and utilize a zero-knowledge security architecture.
  2. There’s a clear level of transparency and robust documentation covering not just the product, but the organization. Is the organization FedRAMP and StateRAMP Authorized? Is it ISO certified in Europe? These types of key security certifications should be stated in the company’s documentation as part of their website.
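As an added illustration of the key hierarchy described in this answer (this is not Keeper's code or cipher), the sketch below derives a key from the master password on the client, splits it into an authentication verifier and an encryption key, and wraps random per-folder and per-record keys beneath it, so a single leaked record key cannot open the other records. The `seal`/`open_` functions are a constructed HMAC-based encrypt-then-MAC stand-in for a real AEAD such as AES-GCM; all names and parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

def derive_keys(master_password: str, salt: bytes, iterations: int = 100_000):
    """Client-side only: the master password never leaves the device."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # Split the root: one half proves identity to the server, the other stays local.
    auth_key = hmac.new(root, b"auth", hashlib.sha256).digest()
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    return auth_key, enc_key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256 (assumption: stand-in for a real cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails closed instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_vault(enc_key: bytes, folders: dict) -> dict:
    """folders = {folder_name: {record_name: secret_bytes}}; every level gets its own key."""
    vault = {}
    for fname, records in folders.items():
        folder_key = secrets.token_bytes(32)
        entries = {}
        for rname, secret in records.items():
            record_key = secrets.token_bytes(32)
            entries[rname] = {"wrapped_key": seal(folder_key, record_key),
                              "data": seal(record_key, secret)}
        vault[fname] = {"wrapped_key": seal(enc_key, folder_key), "records": entries}
    return vault

def read_record(enc_key: bytes, vault: dict, folder: str, record: str) -> bytes:
    """Unwrap vault -> folder -> record, touching only the keys this record needs."""
    folder_key = open_(enc_key, vault[folder]["wrapped_key"])
    entry = vault[folder]["records"][record]
    record_key = open_(folder_key, entry["wrapped_key"])
    return open_(record_key, entry["data"])
```

The server would store only `auth_key` (or a hash of it) and the wrapped blobs; `enc_key`, the folder keys and the record keys exist in the clear only on the client.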

If a user has been affected by one of these recent breaches, what steps should they take to ensure their accounts are safe?

Number one, make sure that your credit is locked. Number two, go to every single site, system and application you use and make sure you have a high strength, random password for each one. It should be a minimum of twelve characters and contain letters, numbers, and symbols.

Finally, if you’re uncomfortable with your password security product, do the research and move. A lot of these tools have import wizards, where you can import your entire vault from alternative products straight into the application. It’s fast, it’s easy, and it’s very secure.

In the face of these breaches, what other steps should businesses take to ensure the security of their users’ accounts, besides improving password practices?

There is a problem with cybersecurity posture globally, which is why there’s such a large number of successful attacks. For any organization to become secure, they have to adopt a very specific mindset and implement cybersecurity best practices, which includes employee training across every department and every user. You could have the most robust IT department in the world, but it doesn’t matter if there’s an attack against your customer service team or your design team or your finance team and they have no idea what a phishing email looks like, or they’re sharing login credentials to different websites and applications insecurely.

In almost any business, users need to share login credentials for some type of service account. We operate in teams, so you need to be able to securely share these login credentials back and forth with full end-to-end encryption. That means complete event logging tracking, role-based access controls, and other notifications to make sure only certain teams have access to certain things.

There’s no silver bullet with cybersecurity, but it starts with the mindset.

The identity security industry is evolving, with many technology providers—including Microsoft and Apple—encouraging their users to go passwordless and use FIDO authentication technologies. Do you believe that the future truly is passwordless and, on that note, where will Keeper sit in a passwordless world?

The idea of having something that’s secure and elegant is always going to be appealing. We have passwordless technology built into our application already, and with this movement toward Passkeys, we will be integrating with that.

But it’s really important for people to realize that passwordless in and of itself is a feature; it’s not representative of a full end-to-end solution in technology. And authentication is not the same thing as encryption. So, when you authenticate into any website application or system seamlessly and elegantly, e.g., by using standard assertion markup language coupled with biometric authentication, that works beautifully. But how do you handle the full end-to-end encryption for every single credential secret, all of your metadata, and all of the sensitive files?

An organization might have SAML 2.0 compliant applications to help authenticate more elegantly. But the key here is that the average organization has well over a thousand different websites, applications, and systems that it needs to authenticate with, which may not be supported with passwordless and single sign-on solutions.

This is where the technology has some way to go, but I think that the vendors are working together to build more elegant, robust solutions that can unify passwordless with authentication and full end-to-end encryption.

What is your closing piece of advice to organizations struggling with identity and access security?

Don’t feel overwhelmed. There are a lot of organizations that know how to spell cybersecurity and hear about it all the time in the news, but don’t understand where they need to start to protect themselves. That’s why this whole premise around education and understanding is so important.

Finally, how can we expect the cybersecurity industry to evolve in the coming years?

There are really four main facets of cybersecurity: prevention, detection, remediation, and response. When you build a strategy, you have to make sure that those four facets are covered, because within those four facets, you’re going to buy different technologies and software.

The direction that the industry is headed is all around convergence. Traditional cybersecurity solutions are purchased serially; they are independent, isolated software solutions that often operate in silos and don’t really work well with each other. So, when you’re trying to build comprehensive visibility across the entire organization, you’re forced to thread these separate, isolated solutions together. That doesn’t work, because it winds up creating a heterogeneous IT environment. So, the solutions of the future are going to homogenize this problem and unify key components and products of the identity and access management framework into one or a series of unified solutions.

That’s going to make it easier for organizations to manage. It’s going to cost them less money to purchase the software, and they’re going to need fewer people spending so much time on it. So, the future is about convergence, and it’s about building cybersecurity solutions that are cost effective, easy to provision, easy to manage, and engaging for the end user.

Will that convergence happen through acquisitions, or through security providers expanding their product suites?

It’s a combination of both. When it comes to creating new products, you need to work out whether you should build it or purchase it. It’s an economic decision and it’s a roadmap decision.

Keeper, for example, acquired Glyptodon, who made a beautiful enterprise product for privilege connection management. That became one of the key components of our privileged access management product. Earlier, I mentioned the importance of identifying critical, unmet needs of your customers. Well, delivering against those needs at speed is the key. So, we had to ask how long it would take us to build something like that from scratch, and recruiting the team, building it out, and assigning budget could have taken north of two years. So, we can catalyze things with acquisition, which is why you see it so much in the technology space.

Thank you to Darren Guccione for taking part in this interview. You can find out more about Keeper’s password, secrets and privileged access management platform via their website.