AI and the Future of Passwords with 1Password CEO Jeff Shiner

Okay, so before we get into this topic, let’s delve a little bit into your background and your journey to one pass through. Tell me what that was like. So I’m an engineer. I’ve been an engineer since I graduated at Waterloo in 92. So quite a while ago, spent a decade at IBM working on compilers left, went to a startup, was called back to IBM to build their ecommerce platform. From there, I moved, actually. Well, I lived in Canada still, but I did the Road Warrior thing in the US. 

For about six and a half years as an ecommerce consultant and then came back to run One Password in 2012. Okay, awesome. So everybody here knows that data has value. I don’t think that’s actually going away, especially with what we’re seeing today. So the rise of generative AI has actually exacerbated this massive collection of information on the Web, and it’s created by all of us. 

So now we’re seeing a much more advanced market demand for personal information, and now there’s even more risks to individuals. At this nascent stage, do you actually see a larger threat and whether or not these large language models can be trusted? Yeah, so I think when we look at it, there’s a term I like to use which is online first, identity. If you think of the last, let’s say decade or so of the Internet, it started off where you would browse sites but not provide data. And then over time, you would start to take action, say, for instance, purchase on sites, and you would provide a small amount of data, important data, but a small amount of data. And as that progressed, you provide far more information online now than you’ve ever done before. Not just logging on and providing credentials or providing your address or your credit card, but also the reviews you leave, the reviews you read, the shopping patterns you have, the social interactions that you have. And all of that data is tremendously valuable to the large language models and is ultimately used to make decisions. 

And when you think of a large language model or you think of Chat GPT or any of these, they will take all of that information and they will formulate an opinion, be it about a business or be about any of us, the old way or still the current way. But the short lived way is if I want to Google something, say I want to Google one password, I’ll see a list of results. And as a human, I can choose. Do I click on the onePassword.com link and learn about what onepassword says about onepassword? Do I click on a review site, do I click on a newsletter? But in the world of AI, it’s going to give you an opinion of that topic and it’s going to state it as fact. And that can be incorrect. It’s interesting because if anybody has ever played with Chat BT, this is the reason why a lot of people are moving away from Google, not on math, but in particular is because you can get much more granular with your search props. And from this perspective you could actually now I think they’re starting to find surface much more new risks when it comes to people. 

Bad actors actually asking Chat GPT to do specific things that could actually harm people in manipulation, in impersonation. We’re seeing ad tech data brokers that are aggregating and profiling information. But if you think about generative AI, are you looking at this as being able to create much more sophisticated attacks against not only groups, but now individuals? Yeah, absolutely. Now again, AI has many, many very useful, positive uses, but it can be used for ill as well. So a good example is the recent move it breach that’s affected a large number of companies and governments. And there’s been a lot of personal information that’s been taken as a part of that breach. And when we look at things like generative AI, what it can do is it can use that information to understand and then target attacks against individuals, either those specific individuals or others that they may know using that information. 

So whereas today phishing is a great example I actually got, which I’m sure many of you probably got, I got one a couple of days ago. It was a text message from the Canada Revenue Agency saying, we have a refund for you if you would just log in, provide your bank information, we can give you money. Not at all suspicious, right? But imagine a much more sophisticated, targeted attack where it’s giving me information about myself, giving me information like my social insurance number, it’s giving me information about when I had submitted my taxes and that it can become a lot more believable. And this is what generative AI has the power to do, is to change it from sort of a splatter paint attack into a very targeted, very believable attack. And I think more and more we need to look for ways that we can combat those sophisticated attacks. Okay, so let’s look at this from a password perspective. If there’s so much information out there based on every individual, is there a probability that generative AI can even guess my logins and passwords? Yeah, it’s a question that I’ve gotten before. 

I think it’s a fascinating question. Does Generative AI know enough about me as a person to guess my password? Right. And it’s not unreasonable to assume because a lot of people use passwords. Again, I like to say somewhat jokingly, like fluffy cat. Right? If I have a fluffy cat, that’s going to be my password. I don’t think it’s going to get to where it can guess your specific password. But we did some research. 

It’s two years ago now, so it’s probably even worse. But two years ago, we did research with the hacking community, the ethical hacking community, on what it would cost for guesses. And so how many guesses can they get for a certain amount of money? And through that research, we found that it takes $100. And it’s like crypto mining. It’s electricity costs for $100. They can get 10 billion guesses at your password. So then the question becomes, do you have more than $100 worth of information behind whether it’s PayPal Amazon, whatever the account is, and can chat GPT? Well, not chat GPT, but can AI in general help narrow it down or give algorithms so that they can guess it in that first 10 billion guesses? And I think the answer in most people’s cases is, yeah, it can. 

That’s kind of scary. So let’s move into data hacks, because those seem to be a little bit more sophisticated in being able to extract a lot of that information. So you have a system that’s supposed to protect people’s passwords. It’s also a way for people not to reuse the same password over and over again. Tell me about the benefit of putting all your people’s passwords, my password, into your system. And how does that help me and give me some kind of security that my information is safe? Yeah, again, I think people have heard this before. In general, it’s strong, unique passwords have a strong password that’s been machine generated for every different site or app that you use. 

And then the question which I think you very reasonably ask is, well, what about one password? Right? There’s an account password or a master password to one password. What happens if we get breached? All of my information is in one place, and I think that’s where what we do is meaningfully different. So when you sign up for one password, two things happen. One, you choose an account password that you as a person are going to remember and use to log into one password. But secondly, we generate a secret key, which is a machine generated password that stays local on your device. We never get it as well and is a big 128 bits of gobbledygook. And what that prevents is if we ever were to be breached, and of course we haven’t, we’re going to kill ourselves. 

Not to be. But if that happened, it’s not guessable. And those 10 billion guesses are irrelevant because even if you chose Fluffy Cat as your account password. That machine generated strong, unique password that we generate for you gets added to that and makes it essentially unguesable. And so all of this is tremendously important. And then the next step is how do we go beyond that and remove the actual password and replace it by something new in technology, right? Okay. So I think beyond that, you’ve secured people’s password and their information, but at the same time, people need to be accountable, I would say. 

So how are the resources out there that give people the information that they need to actually navigate at the speed of generative AI? If there are a lot of phishing attacks that are out there, what do people need to know in order to protect themselves? I think the most important thing for people to know is there are simple things you can do that will lower your risk of being caught in a breach and significantly lower your risk of a breach impacting you on more than one site. I think they’re the simple things we’ve all heard, but it’s surprising how many people don’t do it. I would say, number one, keep your devices up to date. Apply the patches. So many of the breaches we see are patches that have been out for a while and people just haven’t applied them. So keep your machines up to date. Strong, unique passwords, I think, is another key. 

And then the one thing that I think people are somewhat afraid to do, which is talk about security, especially at businesses, make it a safe place to talk about people are going to make mistakes. You’re going to click on a link you shouldn’t have. You’re going to go and say, oh, I think I filled in my credentials on a website that I’m now worried about. And if we’re afraid to talk about that, like I say, especially within your families or your businesses, then there’s no opportunity to remediate that. So from your perspective, because you’re a little bit more of an established company right now, but there’s a lot of startups that are developing great products and technology, but cybersecurity safety of information is not necessarily top of mind. What would you say to them? There’s simple tools that each company can use. There’s a huge and I mean, we’ve seen it at collision this year. 

There’s a huge number of cybersecurity companies who are working really hard so that it’s easy for people to stay safe. That’s what we focused on from day one. How do we make it easy for people to stay safe online? A good example of that now is pass keys. So pass keys are here in most part to replace passwords, and you may have heard about them over the last, say, four or five months in particular, and things like that that are step changes in not only security, but convenience. So from a people point of view, if I can replace a password, something that a human has to know and remember with a pass key, which is just more secure technology, but from an end user point of view is leveraging the biometrics on your device, then all of a sudden we can make it simple for a human to stay secure. Okay, perfect. 

If we’re going to evolve with generative AI, I would assume that one password also has to evolve. And so can an AI based password system actually adapt quickly to some emerging threats? That where somebody may try to breach a one password. Yeah, so I think there’s a lot of tools. So when I look at it with one password, it was a few months ago, I went to my team and I said to each and every one of my execs, I want to plan on how we’re going to leverage AI in your particular. And that’s true of customer support, it’s true of finance, it’s true of engineering, it’s true of product. Because at its core, I think AI is going to make all of our businesses a lot more productive. And I don’t think it’s going to replace humans. 

And that’s something that I think a lot of people fear. And a friend of mine used to saying, which is, AI won’t replace humans, but humans that leverage AI may replace humans that don’t leverage AI. And I think that’s an interesting statement. And so when we look at it from a security point of view now, of course, we don’t get to see anybody’s information that’s in their vaults. For us, it’s an encrypted blob. So when we look at AI and we look at it from a protection point of view, it’s again, a lot of the tools that are leveraged to say, are there attacks on the service? Are there things that are looking incorrect from a security point of view? We look at it in terms of leveraging AI for penetration tests, for a lot of the threat modeling that we do so that we can continue to constantly be aware of the opportunities that are out there for us to improve security and also be aware of the new and evolving types of targets and threats that are out there. It seems like you’re going to be playing whack a mole with this technology as you move. 

Okay, so one last question. What is the future of one password look like? So we know that probably in the next five years, we’re going to see a lot more sensor technology IoT we’ll be instrumenting our homes. We’ll have AR, VR, maybe blockchain decentralized ledger come on board. What specific role will your company play when all this starts to emerge? I think the most important role for us to play is we believe strongly that privacy is a right. People deserve their privacy. And when you look at it in terms of a connected world, and more and more things are connected, we’ve seen that over the last few years, your data gets out there and your data gets into the models and eventually is used to form opinions. And I think the role one password has to play is, can we give you the end user, the choice as to where and how your data goes? So if we look at pass keys, a pass key takes something that you know today, which is a password, a credential. 

That’s what the Fishers are trying to get at. They want my banking information. They want my passwords. Can we replace that with a token, which is what a pass key is, which says, I have the right to enter this, but that token can’t be used by anybody bad to do anything bad with it. And yet we have many more opportunities like that. You still go to a retailer and type in 4500 and the rest of your credit card. Why? Why aren’t we just providing a token in its place? You still go and you provide your address information if you want something shipped to you. 

Why? Why can’t we replace that with a token that the shipping services know but is meaningless to anybody else? So I think more and more, when we look at it from a privacy point of view, can we turn the PII data, the information that we as humans have and and should own and understand where it goes and replace that with things that aren’t personal but still allow us, as humans, to do the business and the shopping and the things that we need to do. That’s amazing. Thank you. Thank you so much, Jeff, for coming today. And that’s it for us. Thank you, everyone, for coming out. Thank you.