In a dark room with tinted, panoramic windows visible to the 45,000 guests at the annual RSA Conference on cybersecurity in San Francisco, usernames and passwords scroll up on a giant monitor.
"This username here has a very strong password that would take centuries to crack," said RSA senior manager Percy Tucker. "Yet, we have it. We know what it is. Because they're using an insecure protocol."
RSA and Cisco teamed up on the open-air security operations center for the conference to show that even data security professionals can sometimes leave their private information vulnerable to attacks.
"Just one weak link in the whole chain can basically compromise the whole network," said Avast security researcher Martin Hron.
Avast set up an elaborate demo to prove that a single device on a home network can allow cybercriminals to access any connected device in the home: security cameras, smart speakers, and even smart door locks. A common vulnerability, they say, is leaving a new device set up with the default username and password. Starting in 2020, devices sold in California will have to come with a randomized username and password that's different for each unit sold.
Passwords, however, could soon go away if Stina Ehrensvard has her say. She's the founder of Yubico, a company that makes physical keys that can plug into a device's USB port. A new standard approved by the W3C will allow such keys to be used in place of a password on many browsers and mobile applications.
"Username and password," she said, "is the single biggest threat to the Internet. All the breaches you see out there, 80 percent is due to a hacked password or another weak credential."
When those breaches do occur, they can sometimes go undetected for weeks or months. Stopping that is the aim of Chronicle, a startup that's emerged from X, the "moonshot factory" of Google's parent company, Alphabet.
"Sometimes, you'll see two or three years of breadcrumbs that ultimately correlate into something that is very dangerous in the world: a big virus, a big malware outbreak, a big breach," said Chronicle CEO Stephen Gillett.
Chronicle's new product Backstory aims to help follow those breadcrumbs by giving companies unlimited cloud storage for their network access logs — data that is routinely stored for a set length of time, but rarely kept for years or decades. It was born out of Google's own internal security procedures.
"We developed a lot of interesting ways of tackling security challenges," said Chronicle co-founder Mike Wiacek. "Once we realized that a lot of other companies didn't have those capabilities, the idea was born to start Chronicle."
Companies like Chronicle will need to hire new analysts and researchers as they grow — a problem, given the security industry's ongoing talent shortage. The government of Ireland has stepped into what it sees as an opportunity: creating university programs based on the needs of the security industry, including American companies looking to expand into Europe. The initiative is called Cyber Ireland.
"And that's about showing that we're more nimble, that we're able to respond to the needs of industry, but also the needs of the threats that are coming down the line," said IDA Ireland vice president Aidan McCauley.
Reiterating a recurring theme of the conference, McCauley added, "Hackers only have to be lucky once to get your details and information, and cybersecurity is about making sure they don't get that one opportunity."