How to Choose the Best Password Manager: Security Features That Matter

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're taking a look at password managers, something that

we've been recommending for years.

We all know that you need one, but which one should you choose?

Well, uh, we're, we're taking some lessons from the LastPass breach and we talk about

what features you should look for when picking the best password manager for

your needs, including at least one topic.

I haven't seen anybody else talking about.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that we had no backups of the

production database we just lost.

I don't want that to happen to you, and that's why I do this podcast.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have with me a

guy who has no idea how happy he's about to be when I tell him the

news that I'm about to tell him.

Persona, Molly, how's it going?

Persona.

Uh, I'm good.

Okay.

I wanna know what

So, so those of you that watch us on YouTube watch PSA's face when

I tell him this, I, I finally found a use for my, my planer.

I, I've had it for how long now?

For like

three years, I wanna say.

three years.

And I bought it primarily due to peer pressure from my power tool.

Pusher.

Prasanna Malaiyandi,

and uh,

salesman.

You know that.

yeah.

Yeah.

Um, so I am there, there's this, you know, um, those of you that

follow the podcast know about the big TV that I bought and everything.

And, and now there's this hole in the wall, and I want that hole to continue

because I want to get access to underneath the stairs, which is where I, you know,

it's a great, like, big storage area.

And, uh, I have decided.

Um, I, I had this whole plan that I, I was gonna make a hidden door.

It turns out to be way more complex than I wanted to do,

to, to have it truly be hidden.

Right.

Uh, and so I, I've decided to go complete opposite, which

is, uh, it's gonna be a door.

I'm gonna, it's gonna look like a door.

It's gonna look like a regular door.

I. I'm gonna frame it like a regular door, but it's not built like a regular door.

It's too small.

And so I need to build a door and, um, like, unless I wanna spend

like a ridiculous amount of money for a solid core door, and then

trim it down to size, it's only 19 inches wide and 48 inches high.

I'm gonna build my own door.

And I said, well, I'm gonna build it out of two by fours and then, you know, and

build a frame with pocket screws and everything.

But then I'm like, I need all these two by fours to be exactly the same size, and

also to have sharp, sharp corners, not the rounded

corners that you typically have in a two by four.

And so I said, I know what to do.

I, I can finally pull out my, my, um, planer that I've had for quite a while

and, uh, I did a, I did a test run of it today and oh, the, the two by four that

goes through it is, is just gorgeous and I knew you'd be very excited.

See, aren't you glad you have a planer?

Yes.

The three, the, how much was that plater?

Like $500 maybe.

I think it was like four 50 on sale or

Yeah, so like, let's say a $500 planer is saving me $200 on a, on a door.

So Yeah.

So there you go.

you also used it last time for your last project too.

did, I didn't use it.

Yeah, I, I remember.

Yeah.

So I've, I've,

inch off of something.

yeah.

Yeah.

Which is essentially what I'm doing here

too.

I'm, I'm doing, I'm trimming it both.

Both ways.

Right?

I'm, I'm making it, I'm making, I'm turning a rough two by four

into a piece of like, finished

wood that I'm gonna use.

Um, you know,

anyway, I just thought you'd be very exci.

I

knew that you would be very excited about that.

excited.

Um, so anyway.

All right.

Well, we should probably talk about what we came here to

talk about, what the people

came here to listen to.

This is no

longer called a backup wrap up.

This is now called the Woodworking Shop.

yeah.

Uh, I'm pretty sure there are pretty established podcasts for that.

So I, I, so the core of this, uh, episode is going to be about how

if I was starting, you know, I already have a password manager.

You have a password manager, I'm happy with my password manager.

Um, and, um.

we've also talked about pass keys.

And we've also talked about PAs keys.

And by the way, my password manager now supports PAs keys,

right?

So, um, so my question is, um, but, but.

The, the core of what we're gonna talk about is, if I was picking, if I was

starting today, what, what are the, what are some of the things that I

would look at and we can make, we're gonna talk both in terms of feature

functions as well as one really crucial thing that I haven't seen listed

when I see other people talk about, hey, how to pick a password manager.

Um, so we're gonna talk about that, which really comes from.

A big lesson that was learned from a very big hack of a password manager.

So, um, this, this episode started with the fact that there had been a

handful of cyber incidents in the last, uh, week or so since, you know, in,

in the time that we're recording this.

And, um, you know, I see three there, there was, there was the, um, the

one that you talked about where the.

The, the ransomware gang encrypted the

network from a webcam, right?

Uh, we've got the rubric, um, uh, hack, we've got the, uh, and we've

got this, this FBI notification that LastPass has definitely been

involved in some actual breaches of

Well,

wallets.

the, breach against LastPass where they exfiltrated some data was then used.

Right, right,

wanna make sure that LastPass wasn't actually involved in committing

Yeah.

Yes.

Yes.

And, and

yeah.

And, and again, we're, uh, we're doing our best to sort of, uh.

What do you call it?

Uh, distill the things that we can read in the news.

We're not involved in any of these.

Um, uh, and you know, and we're also not cybersecurity experts, uh, but you know,

I think we can, um, we can distill what's important for the audience here, which.

Anyone that listens to this podcast more than a few times is going to hear

us recommend a password manager, right?

They're gonna hear us talk about the 3, 2, 1 rule.

They're gonna hear us talk about the importance of offsite backups.

They're gonna hear, talk about the importance of immutability

and the importance of having a password manager, right?

And so since we're talking about a lot, I don't think we've done an episode where we

sh we just talk about, um, you know, how to pick a password manager and, um, so.

The, and, and, and they do fall into a couple different categories.

We'll get to that in a sec, but let's, first, let's just,

uh, sort of do a roundup here.

So the first one that I see is this, this rubric, um, notification.

So the good news here is that this isn't, you know, I, I initially

called it rubric hack, but basically.

Rubrik noticed some, um, anomalous activity on, on a server that

they have that contains log files.

Um, you know, they took the server offline.

They went and changed a bunch of passwords, you know, rotated keys, uh,

to mitigate any risk they don't have.

You know, as, as is often a case, they don't have any,

any, uh, evidence that that.

Anything, uh, you know, there was any malfeasance other than the fact

that they saw some activity in a log server that shouldn't be there.

Um, and so they, they did what they should do, right?

They

notified the world and, uh, rotated the keys.

yeah, and I was

actually quite pleased because I. That they notified people, right?

Because that's something that you don't normally publicly disclose,

right?

Or you just disclose it to the specific customers or whatever else.

But they were upfront about it and we're like, Hey, we saw this.

We took action.

Nothing happened.

Everything is good because we've also had cases, right?

Ransomware cases where they did, they weren't forthcoming, right?

The Okta

hack as an example, right?

right.

Exactly.

transparent is, I think another thing

that we always stress on the podcast as well.

It is.

And, and they, and they basically, they, they were as transparent as could be.

They put a blog post on their website.

Right.

And, um, so, uh, basically as a result, of course notified the world.

Um, this, what's

that?

to Rubrik.

Kudos to Rubrik.

Right?

So, um, the next one I'd like you to talk about because it's a really interesting

thing, this idea, this the webcam

hack.

Um, Yeah.

go ahead.

a company that, uh, got attacked by ransomware

and they were looking back to figure out, okay, what happened?

And, uh, so this ransomware gang got into the network and they compromised a

server and they tried to deploy malware.

And while they tried to deploy the malware, it was basically caught by the

endpoint detection and response software

Right.

that basically was like, Hey, you can't run, you look bad,

so we're not gonna let you run.

Right,

So then they kept looking around, they're like, okay, how

do we continue to attack this?

And they saw that there were a bunch of servers and PCs and other things,

but they all had EDS on it, EDR agents.

And so what they decided to do is they noticed, hey, there's a webcam

the network and it's running Linux.

Yeah.

Yeah.

they were able to, oh, and it had a vulnerability, so they were able

to basically take over the webcam.

They were able to monitor the live feeds as well, and at the same time,

they basically SMB mounted the file shares and the NAS servers from the

webcam and on the webcam, they deployed their malware and had it go encrypt

all of the data in the company.

That's just, I mean, it, it's, it's amusing a little bit.

It's amusing if you're not them.

It's amusing that it, that it was a webcam, but it, it, it, it just reiterates

that, that I. Issue that like any device on your network that has a brain.

Right.

We've been joking recently that I got a new washer and dryer and

they have an app and I'm sure that washer and dryer is running Linux.

Right.

I know, I know, It's not running Windows and it's not running Mac Os so pretty

sure it's running, you know, Debian or something on, on some little card and, um.

I noticed that I got, and I installed the app on my phone, and so I get

notifications that laundry's done, which is kind of cool, right?

Um, but I got the notification from the phone of saying, Hey, you're,

this, this, um, this, uh, app has been

monitoring your your location

for the last, do you want to?

And I'm like, why does my washer dryer need to know where I

am?

But yeah, we, we, we put a lot of these smart devices on our network and that,

you know, they have vulnerabilities

and, and and it's, you know, we talk a lot about, you know, you're only

strong as your weakest link, right?

When you have all these devices on your network, uh.

Yep.

They, they all have to be managed.

So I was gonna say, they all have to be managed from a cybersecurity perspective.

And so in the end, this device had a vulnerability that

was most likely patchable,

right.

All they had to do was update that webcam, but it wasn't because

it was just some random device

sitting on the network that nobody was uh, securing.

Yep.

And they couldn't run their EDR agent on it and all

the rest of that.

Right.

So,

and this is where I think sometimes network security becomes

your best friend, because why?

Is there a reason that a network camera needs access to your corporate network?

I don't know, but.

Yeah.

Well, there might've been.

I mean, you know, I, I mean, are you suggesting basically

it should be on a separate

network or, okay.

Yeah.

Yeah.

that makes sense.

Um, the, um.

I was just thinking about my house, not, not the corporate 'cause.

Yeah.

Anyway.

Uh, I

don't have, I know, I know it's very common to create a,

a smart device network, right?

Uh, they can all hack each other, but not,

um, yeah.

So, um, and then let's talk about the big one.

Big one.

So we'll start, we'll go back to, we'll just remind, you

wanna remind, uh, the listeners.

What happened in 2022 with LastPass?

Yeah, so LastPass is an online password manager, um, where you,

they manage your passwords for you.

Everything is encrypted with your master password, so they don't actually have

access to the data, and then you're able to access it from anywhere, any

device that you want, any website.

Right?

so what happened is in 2022, attackers got into LastPass by deploying.

Malware on a plex server of an employee and then

That's back.

We're back to why is there a plex server on the corporate network?

What?

What is a plex server, by the way, for those

that don't know what that is?

media server, so it

allows you to stream videos and audio and other things like that.

Yeah.

So, uh, now granted, I don't know if that was on the corporate network,

it might have been someone's home network, which they, I'm piggybacked

on.

I don't know those details,

but.

What they did was they were able to then get into LastPass object

store system and basically copy out these encrypted vaults, which

contained all of the end users' passwords.

I. Right.

So, so that gave them access to an, to encrypted versions

of the user's passwords.

The vaults were encrypted,

right?

So if, and, and of course the end of the story is that, and, and by the way, just

a couple weeks ago we talked about, we, we had this phrase of like, I know a lot

of, I don't know anyone that's been hacked because they had a password manager,

but I know lots of people that have been

hacked because they didn't have one.

And now we're gonna talk about a

story where.

Where apparently people did get hacked because they used

the wrong password manager.

So, um, which is what led me to

wanting to do this episode.

So, yeah.

2022, right?

So

it's been.

Two and a half plus years.

Right.

And so there were some challenges.

Initially LastPass was like, Hey, don't worry, everything is fine.

You had a master password.

Those weren't compromised.

Right?

All the rest of that.

Um, but it turns out it was in completely true.

Right.

depending on when you actually created your vault, they might

have used a weaker algorithm.

Right,

and also not enforce sort of more or longer passwords.

And so the less iterations they use, as well as the shorter the passwords,

that makes it slightly easier to crack.

Yeah.

And so I guess, and again, I'm not, I. I'm not an expert in this, but could they

have upgraded this vault like over time?

Like if once they, once they went to a strong word, a stronger

encryption algorithm, couldn't they have upgraded that vault?

Uh

I don't, I don't think they could have,

hmm.

I think it would've required recreating a vault, which I'm sure isn't too difficult.

Right.

Right, and moving your passwords over.

Yeah.

Yeah, that'd be, um, it's just so, but they definitely did not do

that, apparently.

So if you've been a, if you've been a, uh, so basically the more money you've given

to LastPass, the better your chance you

have of being hacked, which is somewhat ironic.

I was looking at an article,

Mm-hmm.

to that here from Krebs on security, Brian Krebs,

and he basically had a picture which said, okay, if you use the

algorithm, if you had an old password vault, using the less strict stuff.

Right.

And a common complexity password, you could crack it using a single GPU in

one year and it would cost you $7,500.

Yeah,

Right.

Versus if you had the newer stuff right, it would take

you 10 years and cost $75,000.

that's interesting that it's still.

oh, a

password of average complexity.

Gotcha.

Right.

So it could, right.

So if we think about it, right, it's been two and a half years,

$7,500 isn't a lot of money.

And I think also what they're looking at, especially if you're able to figure

out like who do you want to target,

Mm-hmm.

right?

You don't need to crack everyone's vaults.

If you've identified people whose vaults you wanna crack,

then it could be very lucrative.

Mm-hmm.

Right.

In terms of the payout, and I think this is what we saw in 2023, in

September of 2023, Brian Krebs had also written an article where he

was like, I think that people are actually going after crypto wallets.

Right, right.

Right, and, but they couldn't prove it at the time, but there

just seemed to be some linkages

So,

seemed to link to the fact that people were using.

so let's talk about that.

Um, hang on one second.

Um, so let's talk about that.

And again, I just for the record, not a crypto guy, not

not a cryptocurrency person.

Um, but historically all you need is a passphrase and you're in and

you have the crypto wallet, right?

Um, and you can see everything that's in the crypto wallet.

You can take everything out of the crypto wallet and, um, and so

apparently a bunch of people had that.

There is a way to address this now.

Uh, with something called BIP 39.

And so this is the idea of adding a past phrase on top of your seed phrase,

so you, you have to have two pieces of information to get into a crypto wallet.

Assuming you've enacted this concept called bi BIP 30,

that's hard for me to say.

BIP 39.

And, but apparently there, I'm, I'm sure I am absolutely sure that there are

tons of wallets that haven't done this.

'cause it's probably, again, like what we were

talking about before, it might be difficult to redo

this once this has been done.

Don't know.

But a bunch of wallets had just this, uh, seed phrase and they

stored their seed phrase in LastPass,

and

to do, right?

Which you would think would be a good thing to do, It's a,

yeah.

Yeah.

It's

stored, it's accessible.

Yeah, I, I mean there, there, you know, I looked at some other discussions

of ways to do this better, ways to do this, and, um, basically the, the

only good way to do it, I think is to do the, the BIP 39 so that you can,

um, so that you need two things, but

then you

need to remember another thing, right?

do you know what the worst way to do it is?

Um, put it on a sticky note.

Put it on a flash drive and throw it in the dump.

Yeah.

I wonder how that guy's going.

That guy that bought the dump, did he buy the dump?

I don't know if they actually bought the dump yet or not.

For those who don't know, there's a guy who bought a bunch of Bitcoins,

had it on a hard drive, the keys, and then basically tossed the drive.

So it's sitting in a landfill with something like a couple billion

dollars worth of Bitcoin at this point.

Yeah.

And he's been looking for that hard drive or a flash drive forever.

Yeah, I bet.

Um, so they stored without an additional, uh, BIP 39, um, pass phrase.

They stored their, you know, they stored their, their seed phrase in

last pass, their LastPass vault was accessed because of the LastPass hack.

I'm assuming they probably then had one of the older encrypted.

Uh, vaults, I'm assuming, uh, this is

definitely an go ahead,

Even if they didn't.

Right.

I wonder if with, because that article was from a while ago with

newer technologies, right?

Newer GPUs.

I wonder if the timings that we had talked about the 10 years is still applicable

Yeah, I don't know.

Um,

was also a single GPU, right?

So if you have a

cluster of GPUs.

Right.

Yeah.

Um, but what we do know is based on this article from, um, Krebs on

Security from Brian Krebs, that it, it, that the first article was, it

appears that people are having their,

um, the wallets stolen and, um,

the, the latest thing, what's that?

I think it was like 30 million, $40 million.

Yeah, so the latest thing was what, what happened, uh, the last couple days,

So in the last couple days, the feds actually have said that, oh yeah, there

was a bunch of cyber heists, I think it was $150 million cryptocurrency heist.

And they basically said, yeah, that was actually from the

last pass breach that happened.

so.

I mean this, this is frustrating.

Um, it's frustrating because you would think that if you're a crypto person

and you know that, that key is the only thing that you can change your crypto,

surely you can change your crypto key.

because You can't change it because it's almost like a private public key.

You basically have to toss it and get another one.

I cannot change once it's broadcast.

Well, okay, you,

could transfer it to

you could transfer your money, so why are they not doing that?

That's all I'm saying.

I'm just saying people that do crypto wallets, I would think would be rather

obsessed with, you know, with security.

so this $150 million cyber heist that happened last year that the

feds were able to recover some money for,

it was actually against a co-founder of the cryptocurrency platform called Ripple.

I don't, I don't understand this.

I mean, I'm, I'm, I'm an amateur at this stuff, and that's the first

thing I would do if I stored my, I don't care what last Pass had told me.

If I was a LastPass customer and I had stored my seed phrase in

LastPass, and they told me that the vault, everything should be fine.

I'd be like, screw that.

I'm transferring my money to a different

vault.

Right?

A different wallet and, uh, with a much stronger passphrase, you

know, all, all, all those things.

I, I don't, which is why when, when I read, I, I think it was Brian

Krebs article, and he was like, these people know what they're doing.

You know, he's like, these are not amateurs.

These people know what they're doing.

And I'm, I don't know.

I, I know, and I know it's just like blaming the victim or whatever, but

first off, I mean, this isn't what this episode is about.

But, but I mean, we're, we're 28 minutes in.

It's still what the episode is about.

But I mean, if you're a crypto person, I don't know.

I would, I would be looking at BIP 39.

I would be looking how to enact out on a new wallet, and I would be transferring

everything I have into that new wallet.

I would be doing that right now.

Um, and if you, and I'd be doing it sooner than that if I was in the LastPass

hack, but that's just me.

So there was a security reach researcher, let me see if, what was his name?

Zach, uh, XBT is what he goes by.

He's a blockchain security researcher and he basically said over the last

many months there have been several six figure heists from cryptocurrencies.

Mm.

So

it's not, it's just that this $150 billion one is like the

big

just, yeah, it, it, yeah, it got it, got it.

Got news, right,

and it

yeah, and they were saying that all the other six figure people,

they hadn't seen like the similar high, uh, similar patterns that had

happened in other crypto heists.

Like I know we've talked in the past about like sim swapping,

right?

In order to get your phone number and then they're able to unlock

your account, all the rest of that.

But none of those happened to these people.

They're like, yeah, we didn't expect anything.

And then all of a sudden our wallets were drained.

This is not helping my lack of interest in cryptocurrency

anyway.

All right, so I. So here's the thing.

All of this was caused because someone, a, BA, a bunch of people

used the wrong password manager.

So let's, let's just talk about some of the things that we would

look for in a password manager.

And the first thing I want to talk about is, is how do you figure out

that there u the, the strength of, of encryption that they're using

to store your encrypted passwords?

So a lot of this should be public information,

right?

Most of the password managers talk about different options, what you

can do, um, what algorithms they use.

Um, one thing to look for is things like how many iterations.

Right,

which is basically taking the thing that you give them and running it

through their encryption algorithm.

Many times,

the more times, the more iterations the better, because

then it makes it harder to crack.

It

takes a lot longer.

Right, So, um.

That, that, that, that would be one of the first things I would do.

If, if I was, if, if I was concerned about security and I was looking into a password

manager, I would ask that question,

how do you protect the vault itself?

What do you do to, you know, protect that fault?

So that would be one of the first things I would do is I would ask

them how they protect the vault.

Um, there are some, there are some, um.

What do you call it?

Um, table stakes features, things like, obviously the idea

of automatically detecting and saving new passwords automatically

auto-filling those passwords where you have, you know, where you have it.

Um, and, and by the way, there's a bunch of, there's a bunch of, I'm looking

at a particular post and there's a bunch of features that are listed.

I'm only gonna do the ones that are just focusing on security.

Um, I would.

I would be very wary of a password manager at this point

that doesn't support pass keys.

Right.

Um, the, um, what do you think about, uh, MFA with password managers?

I, I definitely, yeah, I was, I was actually surprised you

talked about passkey before MFA.

Um, well, you know, it's like that's the, that's the new thing, right?

Um, but the, the, the idea that, again, this is your password manager.

This is everything, right?

And so if somebody gets a hold of your key and figures out your key.

Uh, being able to, um, make sure that they're not able to directly

log into your, to your account is, um, I, I would think table stakes.

What do you,

wouldn't you agree?

Oh yeah, for sure.

And yeah, whatever the mechanism is that you use to do that.

But please do not use SMS or, uh, email

OTA or

to codes, because yeah, those are not

Yeah.

Yeah.

Well, what would we use instead?

Persona,

you don't want me?

ISMS.

That's what everybody uses.

What do you want me to use instead?

you can use an authenticator app.

Take your pick of whichever one you want.

You could also use like UB keys and other things like that,

Yeah,

I li I like the Authenticator app because essentially it's free, right?

They all also known as OTP or one-time password generators.

Uh, so Google Authenticator is probably the most common.

Uh, I happen to like hy uh, A-U-T-H-Y, uh, also free.

I. Um, and basically that, that's so much better than, um, there

are commercial versions of these that, that are more expensive.

That, that, the big thing with those, uh, that I found because I, I I, like, for

example, my, my bank requires me to use the semantic one-time password generator.

The big difference between that and um, uh, authe and Google Authenticator.

Is that they generate a new key every 30 seconds,

but it's doing it every 30 seconds.

Like, uh, like every 30 seconds on the 32nd thing, right?

According to like the

atomic clock somewhere.

Uh, whereas like with semantic, when I pull it up, it generates a new.

Pass code at that

moment, and you have 30 seconds from that moment.

So that's what you get from a commercial one versus the the free one.

Um, yeah, you, you've gotta use that.

Right?

Um, and so please, please, please don't use SMS or email as

your, as your second method of authentication.

Um, the, um, what about the inclusion of biometrics?

It's a great way.

Well, I consider that almost an MFA, right?

It.

Well, it is.

Yeah.

Right.

Um, I like this concept where there, what, what, and I remember going through

this back in the day and that was they would pull in all the passwords

that are stored in like my browser.

Uh, and then, and then, you know, just.

Figure them out.

And then they would look at them and they would say, Hey,

let's do a password health check

on these passwords, right?

So that you can go fix them.

Um, and I, and also that did not give me the greatest sense of security,

the fact that they were able to just suck the passwords out of my browser.

But I, I'm assuming that means that it's authentic

because I'm in the browser and they're authenticating to the browser.

I don't know for sure.

But, um, the next thing is, um, automatic generation of new passwords.

Um, right.

so here's my question.

I know we talk a lot about password managers.

I know we're

talking here about like passwords of like websites and things like that,

yeah,

and I know we did an episode a couple, maybe three weeks ago,

four weeks ago, about pass keys.

Does pass keys just solve all of this?

PAs keys.

PAs keys do solve all of this.

Um.

the how do you get to your actual password manager?

Yeah.

Um, but again, but not everything

supports PAs keys yet.

Right.

PAs keys does make this much, much easier.

Right.

Having said that, I. If you're going to use a

password use as long as, because again, a 15 character password and a 40 character

password takes the same level of effort for the password manager to put it in.

And so use as long as a password as your password manager will allow you to create

and the website will allow you to put in.

Um,

me.

When the website is like the max

password length is 16 characters, and you're like, oh,

Yeah.

Or, or the, the worst, in my opinion, actually worse than that

is when they tell you that the,

some of the characters that you used are not allowed

and you're like, ah.

Yeah.

Um, but yeah, that, that should be, that should be, uh, a feature.

And when you're creating those passwords that you should be able

to like, uh, 'cause some, some websites again, won't take special

characters, which is crazy, but, um, you know, you can turn that on there.

There's also where there's a feature in Dashlane, I don't know

if you've seen this, but there's a feature in Dashlane where they

will purposefully use lookalike.

Letters next to each other, or, or, you know,

to, to, to further confuse, uh, things.

Um, but yeah, that, that's, um, um, and then of course, obviously the big thing

you're looking, you know, everybody should have syncing across multiple devices.

Um, I'm just looking at

different things.

What,

eh,

what.

sinking

I am saying for a commercial password manager, why would you, I

mean, that's, that's table stakes.

yeah.

Yes.

Sorry, I do not use a commercial password manager.

Yes.

I know you're a little, you're a little weird

in so many ways, but, um, I. Yeah, I do.

And I sync it across my, you know, my multiple devices.

Um, and my wife and I actually share, you know, we, because it's

like, I don't know, whatever it is, like 80 bucks a year or whatever.

Um, so we, I realized why are we, you know, why are we paying for this twice?

So

we now we just have

everything.

But what the, what's that?

you just need one vault.

Yeah, I just need one fault and, um, what it does mean is my, my dash

lane account is ginormous in terms of the number of passwords are there.

Um.

I, I do think, you know, read the website, read the stuff that

they do to secure your password.

Uh, most of these things that we talked about are going to be table

stakes for any, uh, password manager.

Do you remember the OnePass?

Was it last, uh, one password?

Yeah.

What about it?

That was the one where they didn't encrypt all the data in the vaults.

Yeah.

Yeah.

They, they, um, I mean the

stuff, yeah, the stuff that they used, luckily the stuff that they used

wasn't stuff that would directly impact your security, but more indirectly.

Right.

It was stuff that, it was like personal information that could

be used to then further, uh, yeah.

that was great too.

Yeah.

So that's a good, that's a good, another good question to ask.

Thanks for bringing that up, is.

Is all of my personal data, uh, encrypted or just the, the passwords.

Right.

Um, now of course you're not gonna be able to check that, but

You know what I do wonder?

So in the LastPass, the cyber wallet heist that were going on,

mm-hmm.

they said most people had stored their key, the seed key

Yeah.

the secret notes field

of the entry.

I wonder if how they had created these vaults, if the attackers were able to

find, what are all the vaults where people had written something in the

secure notes, secure notes field,

Oh, I see what you're saying.

To narrow down those that they,

Yeah.

yeah.

Yeah, I, I have stuff in there too.

I have like, um, I have like a, I have a note that says like, important numbers

and it's like my driver's license number and, you know, the stuff that I keep

getting asked for and I don't necessarily wanna pull up my wallet for Yeah.

Um, the, the phone number to be able to swat, um, uh, persona's,

house, you know, stuff like that.

Um.

I hope, I hope that's helpful to people.

Um, you know, it's when, whenever you see a big thing like this, it,

it's a chance for you to reconsider whatever it is that you're doing,

right?

And, um, uh, if you've, if you've had a password manager for a while, maybe it's

time to, you know, find out, you know, did have they upgraded their password?

Do you need to do something to, to make your password more secure?

Um, it's hard, it's easy to pick apart something in hindsight, right?

It's harder to figure it out, uh, moving forward.

But I still think even, even with LastPass, generally you are better

off having a password manager.

You are much better off having a password manager and or pasky, right?

Um, I, you know, it's funny that you mentioned now, now that I

understand what Pasky are and how they work, I'm not actually sure what.

What role Dashlane pays plays in when I store a passkey in Dashlane,

Just to store your PA key because if someone

gets your PA key, they get access to your account.

Right, so basically,

so, so it's taking the role that like.

The, the key chain takes in.

Okay.

Alright.

So it becomes again the, the encrypted place where I store the encrypted.

Yeah.

Okay.

Alright, makes sense.

Um, so, you know, I've done past keys on a handful of my accounts whenever I

see it now that I, now that I understand what it is and now that it actually

makes my life easier, not harder.

Um, so I've just got like, I don't know, 500 more accounts to go.

Uh, simple.

Yeah.

All right.

Well thanks for the chat again, persona.

Now I'm super excited to hear how the planning goes, so send me pics.

I knew that you would say that.

I know I love watching your face, but I was like, he doesn't know

what it is that I'm about to say.

All right.

Well, thank you to our listeners.

Uh, you are why we do this.

Uh, you know, be sure to check us out on YouTube.

Um, you know, we're available on YouTube.

We're available on, you know, wherever you get your podcasts.

And subscribe if you like us.

Subscribe.

If you don't, well, I don't know.

Go, go find something else to do.

Uh, that is a wrap.

The backup wrap up is written, recorded and produced by me w Curtis Preston.

If you need backup or Dr. Consulting content generation or expert witness

work, check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that you

hear are those of the speaker.

And not necessarily an employer.

Thanks for listening.