Cloudflare TV

Leaked passwords, no passwords, and AI generated captions for video

Presented by João Tomé, Garrett Galow, Mickie Betz
Originally aired on 

In this week’s episode, we explore the realm of passwords, leaked passwords, two-factor authentication (2FA), and also AI-generated captions for video.

Host João Tomé is joined by Garrett Galow, Director of Product at Cloudflare, to discuss a recent blog post on how we help keep customers safe through leaked password notifications accessible via our dashboard. We also discuss the use of passwords in 2024, the importance of 2FA or multi-factor authentication like hardware keys, offer suggestions, and explore how passwords might become less common in the future.

Lastly, Mickie Betz, Senior Systems Engineer of our Stream video product, discusses Stream Generated Captions. With just one click, users can effortlessly generate video captions using Stream’s latest feature: AI-generated captions for on-demand videos and live stream recordings. Mickie explains how the Stream engineering team developed this feature using our own Workers AI and the Whisper model—an open-source Automatic Speech Recognition model—with just a single API call.


Transcript (Beta)

Hello everyone, and welcome to This Week in Net. It's the June 28, 2024 edition, and this week we're going to talk about different blog posts, from passwords to video captions with AI.

I'm your host, João Tomé, based in Lisbon, Portugal, and with me I have Garrett Galow, Director of Product at Cloudflare.

Hello Garrett, how are you?

Hey, I'm good. Thanks for having me on today. Where are you based? I'm based in Austin, Texas.

Where we have a big office with a lot of folks, right? We do.

I actually live very close to the office, so it's great. I can go in whenever I need to to meet with folks, and if people come to town, which a lot of people do, it makes it really easy for me to catch up with those folks as well.

You've been at Cloudflare for a few years, seven years, right?

How has that experience been?

Yeah, it's been amazing. I think when I joined the company a little more than seven years ago, we were a tenth of the size employee-wise, and so just to see the incredible growth of the company internally, employees, the customers we're able to help, and the services we're able to provide, it's been pretty amazing to see what we've been able to do.

I feel very lucky to have been a part of this. And you've worked in different products, in different areas, right, throughout the years?

Yeah, I actually, most of my time has been spent working on sort of platform services, so things that all of our customers use in some way, but maybe aren't like the products they're purchasing.

So account login, user management, permissions, all of that stuff, like how do you, which we're going to talk about today, not to give it away, but like, how do you keep your account secure?

How do you manage who has access to your account? How do customers access the API, right, the API platform, authentication?

How do we help teams expose APIs to customers and do that in the proper way?

And then some of our enterprise platform services, so how do partners manage Cloudflare at scale?

What are the other capabilities that we provide to enterprise customers to allow them to manage Cloudflare at scale?

Or they might have, you know, 10 teams or, you know, 2000, you know, in teams trying to use Cloudflare, like how do we make that easy for them to do?

We're doing this specifically, and you already mentioned a bit, because of the blog post you wrote, it's a blog post about helping keep customers safe with leaked password notifications.

In this sense, for those who are not very expert in password problems, how much of a problem is password reuse, specifically still?

Yeah, so everyone, you know, has had to create a password to sign up for some website, right?

These days, with the proliferation of online services, you probably have upwards of 100 passwords, you know, 100 sites that require a password to log into.

And it's very, you know, it's a lot to try and manage, right?

And so naturally, what people end up doing, especially before a lot of the more modern password manager software has really come to maturity is, you know, they'll kind of reuse the same password, or they'll, you know, reuse the same base of a password with a variant.

And, you know, theoretically, if you had a very strong, good password, like that might be okay.

The problem is that, unfortunately, not every company takes security seriously, or, you know, even if they do, things can happen.

And so we've had, you know, countless data breaches, where basically, companies have something like their database, copied and taken from them.

And so these bad actors get, basically, not the raw passwords, but it's something called a hash, which we can talk a little bit about, basically an encoding of the password.

But even with that, that encoding, which is, you know, more secure than the raw password, it gives bad actors a way to eventually figure out what these passwords are.

And then what they do is they know that people typically reuse these passwords.

And so if they have, you know, a user email, and a password that they know, on service A, they'll go to other services where they, you know, you can, there's only so many banks, there's only so many, you know, big email providers, right?

It's not that hard to figure out what they might be. And they'll test those, you know, password combinations.

And lo and behold, sometimes, they're right, because someone used the password exactly, or they'll, you know, they know the common variants of how people kind of vary their passwords.

And so they'll use those as a way of gaining access to those accounts.

And they're able to do this at scale.

So they can do it for thousands and thousands of users. This is why companies have like rate limiting, basically, they limit how many times you can attempt to log in from this, from a certain IP to try and prevent this.

But they'll do this.

And so they're able to get into some of these customers' accounts where they don't have some of the more sophisticated account security protections, like two-factor authentication, or single sign-on, some of these other capabilities that help avoid this problem from happening.

And obviously, once someone's, you know, able to log into your account, you know, they're able to do, you know, whatever it is that you may be able to do in that account.

And, you know, you hope that the company has things to notify the user and ways for them to recover their account and hopefully, you know, repair whatever damage was caused.

Makes sense. This reminds me that sometimes we humans are not aware that we are actually quite predictable.

So we do stuff that others also do, we have typical behaviors, and attackers can use those typical behaviors and do a bunch of tests, recurrent tests, to try to see if one of those will work, right.

So it's not a matter of you have a password that was breached, in the sense that some company had their passwords breached.

It's a matter of when that happens, what do you do?

What types of security measures do you have? You mentioned the two-factor authentication we usually use and suggest folks to use, not only the multiple factor, but also using hardware keys, for example, instead of the SIM card, your telephone sometimes, because sometimes that can also be spoofed.

So having like that type of hygiene of having different passwords in different services, being aware that if there's a data leak, you should change it.

It's important.

Of course, folks don't have like the time to track data leaks. That's why this service happens, right?

It's to put the knowledge that is out there into service of customers with notifications.

You don't have to know about it. You just have to get the notification and act upon it, right?

Yeah. So kind of specifically what we're doing and what the blog post talks about is, for that exact reason of, it's hard to know, there are certain tools you may use, if you've adopted a password manager, whether one through your OS provider, like Google or Apple, or one of sort of third party ones, like 1Password, they've started to build in these services to tell you, Hey, I use Apple password manager.

And it tells me basically, Hey, we think these passwords either aren't very secure, or that we think they've been seen in data breaches, right?

And so it tells me that I should do something. You can also subscribe to services like Have I Been Pwned that will send you emails if your email, it shows up in a data breach.

But again, right, those are all actions you have to take on your own.

And many customers, many people start using those password managers.

And so what we wanted to do is basically say, when you log into Cloudflare, we're going to check your credentials against many of these data breaches.

And we're going to try and inform you, you know, if we believe that your password may have been compromised, so that you know that it is and so that you can then change it because, you know, yeah, I have some, you know, certain web services I've used in the past that aren't that important.

They don't have anything critical for me.

I don't want the account to get breached. But if it did, you know, it wouldn't really cause me too much pain at the end of the day.

But like Cloudflare, for example, runs my personal website, runs other things of mine.

And it could be very impactful if someone got into my Cloudflare, my personal Cloudflare account, and was able to, you know, point redirect my website to malicious software or something like that, right?

That's the kind of thing we don't want to have happen.

It's obviously very damaging to a business running on Cloudflare, very damaging to those users accessing the website.

And so we really want to help protect against that by notifying customers that they can take action.

There's actually a number here on adoption of two-factor authentication, specifically hardware keys, which has been shown to be able to eliminate 99.9% of account takeovers.

So that's a big number there. Yeah, it's actually, yeah. You know, there's a bunch of stats.

This is one that we, you know, pulled, but I've seen lots of numbers everywhere.

And, you know, any form of 2FA pretty much will circumvent the vast majority, 90, high 90 percentiles.

You mentioned, you know, there's different kinds of 2FA.

SMS-based 2FA is one that, you know, isn't recommended by certain bodies anymore.

And it makes sense, like, you know, a sophisticated attacker can go after your SIM card and hijack your phone number and use that to intercept your SMS tokens.

You know, that's not the most, you know, they're not going to do that to just random, you know, people like my mom's not going to get an SMS takeover because it's not like the value.

It's better to have it than not to have it.

Right. Even if it's SMS, if it's using your phone. Yeah. And so it really, a really important factor here is, you know, you have to think about, you know, blanket security advice is nice, but not always the most helpful.

Like you have to think about for you yourself, you know, what are the most important things that you have?

Like for me, my email, my bank accounts, my financial institutions, right.

Those are the things that are really critical where if someone was able to compromise my account, right.

It could be very damaging to me personally, financially, you know, all of these things.

And so knowing for those services, especially like, what do you have there?

Right. You know, maybe, maybe if you're a certain individual, certain prominence, like you don't want to use SMS 2FA because that, you know, there is more risk there.

And so you want to use Authenticator TOTP where you get a code on your, you know, you have an app that generates codes on your phone, or you want to use the hardware key where you use the physical thing that you plug into your laptop, right.

Those are the kinds of things you want to think about.

Whereas, you know, if it's just a kind of a regular site, maybe it's not as important, maybe SMS 2FA is fine.

And obviously it depends on what, you know, the provider supports.

Not everyone supports all options, unfortunately.

Makes sense. Regarding what Cloudflare does to check for leaked credentials, any highlight you want to mention about this part of the blog?

Yeah, so kind of the basic way is, you know, I won't go into all the specifics of password hashing and all of these things.

But needless to say, like, you know, when you sign up for a service, you know, they don't just store, or they definitely should not, mostly people don't anymore, like raw passwords.

You know, they do this thing called hashing, which is basically an irreversible way of encoding a password.

So it takes a string like password, turns it into this long, you know, string of letters and numbers, and it's a reliable function.

So every time you hash the word password, it will give you the same output.

But it's not possible to easily go backwards from that hash value back to the original string, right?

So we keep these. And what we can do is, you know, in some cases, we have, you know, internal data breach information that we've collected ourselves that we use, you know, we provide services for customers where you can turn on leak credential checking.

So you can kind of get the same thing in line with your application and know if these credentials were potentially compromised for your customers, if you're running a website.

We also can call out to third-party services that we can securely and safely, without violating these passwords' security, check if they've been leaked.

And so we use a combination of these tools to basically determine, okay, do we reasonably believe that this password, based on all this data that we have access to, was breached in some fashion.

And if we do, then, you know, what we'll do is we'll warn you.

When you log in, you'll get a modal warning pop up that basically says, like, hey, we detected this password, you know, has been, we believe it's been compromised.

We recommend that you change it. Obviously, we recommend you turn on 2FA, like extra security.

But, you know, sometimes you're logging into Cloudflare, you have something really critical you need to do, you need to change something, something's wrong with your website, we won't block you.

But we will only give you a handful of attempts before we will start to block you from using that compromised password to log into Cloudflare.

So give you three attempts.

And then at that point, you know, before that, you can change it in the dashboard, we'll send you an email at the same time with a link to reset your password.

But after those three attempts, we are going to require that you reset your password before you log into Cloudflare again, because we don't want the potential thing of someone then using that password to log into your account and taking it over.

Of course, it's a risk, and it's better to be safe than sorry, in a sense.

Yeah, it's, it's, you know, it's kind of thing where it feels like, you know, oh, that will never happen to me.

But the problem with these kinds of attacks is they're not targeted, right?

They're not going after specific individuals, they are shotgun approaches, if you will, where it's just, how do I get as many credentials as I can try as many as I can, and see which ones hit.

And when they do, they're not actually doing anything that, you know, they're not typically doing specific targeted attacks, they're just, you know, trying to do like crypto mining, redirect websites to, you know, their own services, things like that, that they can do very generically.

So these aren't targeted attacks.

But that means that, you know, the risk is almost sort of more there in that, like, they're not trying to get you specifically.

That makes sense.

In terms of projecting the future, there's this area in the blog also, as an industry, with CISA's Secure by Design pledge also being mentioned, for those who don't know this area and what's coming and the efforts made to make two-factor authentication more widespread, adopted in a sense, what should they know of what's coming, where this area is going?

Yeah, so this is a US government agency.

They published this Secure by Design pledge, which is basically a set of five or six recommendations for how the industry can basically do better to help secure customers from cyber attacks and the various threats.

Cloudflare is one of many companies signed on to this pledge. The pledge sort of I think was first announced like about a month ago in May.

And so it's basically a year long pledge to say like, we're going to take action against all of these different parts of the pledge and talk about the work that we're doing.

So this to us is sort of precursor work of like, this is not MFA, but like plenty of our customers don't have 2FA enabled and we want to make sure that they are as secure as possible.

But over the coming year, we're going to be doing work to simplify, better, and provide more opportunities to use 2FA on Cloudflare as part of this pledge and as part of just generally helping to build a better Internet, but also just helping to secure our customers on Cloudflare.

When we talk about the Internet, there's also always this element, add security, but also make it easier for folks to use it, not like a burden.

In what way, and you mentioned this in the blog, having first, what is the single sign-on authentication and in what way making two-factor authentication, making authentication easier, quicker, but also safe has an impact in terms of you being safe, but you don't lose a lot of time to authenticate in a sense.

Yeah. I mean, there's, there's obviously this sort of general efficiency of like, you know, it can be kind of annoying that if you log in, you need to like open up your phone and find a code in an app and paste it in.

You kind of mentioned earlier, like at Cloudflare for ourselves, right, we use hardware keys.

So on my computer is this little USB device. Whenever I log into any of our internal systems, right, I just tap my finger against it and it's able to, you know, authenticate me, you know, outside of my password, which I provide.

And that's like so much easier.

It's so easy, but you know, it's hard, hardware keys are a thing you have to buy, right?

You have to understand how to use them. And so there are, actually the other problem, right, is, is if customers set up 2FA, but they don't set up, you know, multiple second factors or things like that, if you lose your phone or it breaks and you didn't have that backed up somewhere, right, you might lose, you know, access to that account, right?

And that's a really big problem.

It's very painful to try and recover your account. You know, we have to be very careful, right?

And how do we handle that recovery process? Because you don't have the second factor.

How do we know that it's you? And so, you know, there's certain things like allowing customers to sign in with other providers like Google, right?

Most people have a Google account. Lots of people use Gmail. Google obviously has a ton of built-in security features.

And so, you know, instead of, in many cases, right, if your Google account is, you know, fairly well secured, it actually can be beneficial to reuse that Google account.

And so you don't have more passwords, right?

You have the same, you know, user account, same user email and all these services, and you log in with Google, right?

And so that can be like, for many people, a more secure way because they can ensure that their Google account is well protected.

They have second factor auth. They have, Google now has a lot of like multi-device auth, right?

If you've logged in on multiple devices, they'll use that as a way of checking when you log in on a new device, right?

So they, you can sort of rely on those security measures in some places.

And so there's lots of different providers that provide that kind of social login or single sign-on kind of technology that we want to leverage to help use this, right?

Like, how do you not have to have a hundred different, you know, passwords that you have to manage anymore?

Or a hundred setups of 2FA, right? If you want to put 2FA on all of those things, now you have a hundred different codes in an app you have to go find, right?

And, you know, if you happen to lose your phone, right, you might now be locked out of all of your accounts.

So, you know, there's real, you know, it's not just always super trivial.

Just turn on 2FA, don't ever have to worry about it again.

But we love taking hard things and making them easier. So, you know, we're, we're looking forward to helping make that better.

Sure. And it's, that will be right now, those types of features are still a little bit limited, but it's, it will go open, right?

There will be other possibilities there for the signs. So to the single sign-on flow in a sense.

Yes, absolutely. So it's an area that is expanding.

So expecting easy, easy access, but also security in the landscape of the future for different tools is something people should wait for, right?

Absolutely. I mean, you know, the things now is, you know, make sure your passwords are secure, you know, make them, you know, they don't have to be super complicated.

They just need to be long and memorable.

If you're not using a password manager though, I highly recommend using a password manager.

So it does the work of remembering the passwords for you.

You only have to remember your password to your password manager, 2FA on the places that matter most for sure.

But then, yes, we're going to be building out more capabilities over the next year to make it easier for Cloudflare customers to properly secure their accounts.

Last but not least, before we go, about this password area, what do folks usually don't realize and they should even for what's coming for the future, may that be threats or opportunities?

I think two things, one is like a thing you can do and one is a thing that's going to come in the future.

I think one thing a lot of people don't fully understand is it's better to have a longer password than like a complex password in terms of like capital letters and lowercase letters and symbols.

So like, you know, my password for most of our internal cloud service, like 16, 20 characters, but it's basically just like four words.

So it's a very easy phrase to remember.

And actually the length of the password quickly overtakes the complexity of the password.

And so I think that's a thing a lot of people don't understand is that, you know, I need a word with some symbols and a capital letter somewhere in there.

And it's like, no, if that's only like six to eight characters, that's actually not very secure because it turns out, you know, adding the symbol set to password cracking doesn't actually make it much more complicated.

So I think that's an important thing is like, it's better to make it easier for you to remember longer phrase, put that together, something that you won't forget.

Don't have to worry about where did I put the capital letter?

What number did I use? I think the other thing is there's kind of an interesting trend of, you know, are we getting to the point where passwords aren't as necessary?

And so you start to see more services that are kind of going passwordless.

You'll sometimes see it referred to as like a magic login where it's like, we'll send you an email link and you'll click a link in your email to log in.

And that can, you know, there's pros and cons to that, obviously of like, you know, that can be a little slower, but it requires that, you know, it shows that they have proof to the email address.

And so I think there's going to be a lot more exploration and work done on, you know, can we move away from, you know, if I'm always logging in from, you know, a MacBook or an iPhone, like, you know, I can use like Face ID or Touch ID as my authentication method.

Right.

And so that like actually provides a lot of proof of who I am. And obviously on, on Android devices, there's similar technology.

Right. And so these kinds of technologies are pretty ubiquitous and you can use them for 2FA today, but I think you'll see more cases where some companies are going to explore like dropping password requirements in some cases as like a way.

And there's obviously like, well, if you have to log in from not your device, like, you know, you might need to do something.

There's, there's definitely still problems there, but I think more and more people are starting to see passwords as more of a burden and less of a true security measure.

It's a little bit antiquated. It's not very sophisticated. Right.

Exactly. It's not very sophisticated, not very current in a way. And you mentioned a few, a few biometrics, your face, you already use that for your phone and things like that.

That definitely makes sense to use because it's there's security, there's ease of use, not remembering your password.

So it makes perfect sense.

Yeah, I do think it's actually worth calling out that, you know, for us, for our 2FA, and now many companies, it's not maybe super ubiquitous yet, is that you can use Face ID, Touch ID, these sort of on-device biometric authentications as your second factor.

And so you don't have to do the code thing. You don't have to get a text.

You don't necessarily even have to have like a separate physical hardware key, which obviously is still, it's a, it's a great thing.

You can use the devices you already have in a way that, you know, not like, Oh, if I want to log in, I just need to look at my phone and it will, you know, send a notification that basically like, yeah, I've approved this login.

So that's a pretty cool technology that, that we have, which you can use when you set up 2FA and that more and more companies are adopting.

Makes sense. Thank you, Garrett. It was very interesting.

Yeah, I appreciate it. Thanks for having me on to talk about this.

And that's a wrap. Hi, I'm Mickie.

I am a systems engineer on the Stream team, and I'm based in Asheville, North Carolina.

Stream is Cloudflare's end-to-end video product. And the feature that we just launched is generated captions.

So previously on Stream, you could add captions to your videos, but you had to upload a file.

And the generating of the content for those captions was something that you might have either had to do manually, which could be pretty time-consuming, or if you had a lot of videos, you probably used a third-party transcription service.

And that would include probably some workflow where you sent all your videos over to this third-party transcription service, got the files back, needed to upload them.

So it could be very expensive as far as both time and money.

The new feature that we just launched is allowing customers to generate their captions with a single click.

And on the back end, it's using AI. This is really important for any company that cares about accessibility.

And there's actually two kind of levers within that.

There's more of a stick and a carrot. The carrot is that maybe in like 2016, Facebook did some research on their videos, and they wanted to know what percent of videos are watched without any sound.

And they found something like, I think this is pretty mind-blowing, but up to 85% of videos are watched on mute.

So any company that really wants to expand the reach of their audience should take into account that their videos might be watched without sound and adding captions to them is going to expand their reach.

On the other side, the stick is that there's a lot of regulations around adding captions and accessibility on content online.

And so any company that wants to adhere to the letter of the law and comply with these regulations also needs to care about captioning their videos.

To use it, we have a really simple interface through the dashboard.

It is literally one click button where you can click generate and add captions to your videos.

But if you wanted to use the API, there's also an option to create a whole new workflow through the API as well.

So to start, this is supported for English language captions only.

And we have a two-hour limit for the video that can be captioned. This is just while we're in beta.

It's open beta right now. And the other thing is that this is supported for our on-demand videos or our live recordings, meaning that if you had a previous live stream but it's concluded, it immediately transitions into an on-demand video.

Those are eligible for captioning. At the moment, the live stream, like if it's in progress live streaming, those are not currently supported with this feature.

But in the future, we want to support our live streaming videos as well as add more different language support.

We'd love to hear from customers if they have a particular language that they would like captioned and increasing the duration of those videos that we can process.

And regarding Stream, we have one of our newest products.

It's called Cloudflare Calls.

It's a real-time WebRTC-based platform for video where customers can develop real-time communication video tools or products.

We use it at Cloudflare as customer zero as our own version of a video conferencing meeting tool.

And we really enjoy it and would love to see other customers who are interested in real-time communication try that out.

Another really great aspect is it's not only easy to use just with a single click, but it's also free to anyone who has a Stream subscription, which is, I think, really incredible.

It's part of our mission at Cloudflare to help build a better Internet.

And so anyone with a Stream subscription can go try this today.

I think a really neat aspect of this feature isn't just what we're offering, but also how it was built.

We built this feature using Workers AI, which is one of Cloudflare's newest offerings.

And we at Cloudflare have a policy of trying to adopt and use our developer tools to build our developer tools.

We act as customer zero for our own products. And so using Workers AI was very simple.

The blog post mentioned that integrating with Workers AI took less than 30 lines of code.

And Workers AI allows you to kind of plug and play and run your models, your AI model inference using Cloudflare's global edge network.

We're using Whisper, which is an automatic speech recognition model. It's really accurate.

When we've done testing, it's great with recognition of even like proprietary names and punctuation.

They have something like 95 to 98% accuracy.

But using Workers AI just really streamlined the process for us to build this feature and scale it right out of the box.
