How to Choose the Best Password Manager: Security Features That Matter

In this episode of The Backup Wrap-up, Curtis and Prasanna discuss how to choose the best password manager in light of recent security breaches. They examine the LastPass hack that resulted in $150 million of stolen cryptocurrency and what that teaches us about password manager security.
The hosts break down the critical security features to look for in the best password manager, including encryption strength, iteration counts, multi-factor authentication options, and passkey support. They emphasize that even with the LastPass breach, using a password manager is still far safer than not using one at all.
This episode provides practical guidance on evaluating password manager security beyond the standard feature comparisons, with specific recommendations for cryptocurrency users and insights into the technical aspects of password vault protection.
Here are some references for today's episode:
https://www.rubrik.com/blog/company/25/rubrik-information-security-team-update
https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypted-network-from-a-webcam-to-bypass-edr/
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/
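The security point that runs through the episode is that, once an encrypted vault has been copied out, the only thing standing between the attacker and the passwords is the master password and the cost of each guess, and that cost is set by the key-derivation iteration count. The Python below is an added example written for this page; it is not code from the show or from any password manager. The iteration counts (5,000 as a low legacy setting, 600,000 as the OWASP-recommended floor for PBKDF2-HMAC-SHA256) and the attacker throughput figure are assumptions chosen for illustration, and the 3-digit PIN is a deliberately tiny keyspace so the brute force finishes in seconds. It derives a vault key with PBKDF2-HMAC-SHA256, runs an offline guess loop against the "stolen" key to show that every guess repays the full KDF, and scales that cost to the higher count.

```python
import hashlib
import os
import secrets
import time
from typing import Optional

# Assumed illustrative settings, not figures taken from the episode or any vendor.
LEGACY_ITERATIONS = 5_000            # a low, older-style count
OWASP_PBKDF2_SHA256_MIN = 600_000    # OWASP Password Storage Cheat Sheet floor


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    An attacker holding the encrypted vault must repeat this exact computation
    for every guess, so the iteration count is the attacker's per-guess cost.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def meets_iteration_floor(iterations: int, floor: int = OWASP_PBKDF2_SHA256_MIN) -> bool:
    """Practitioner check: does a vault's KDF setting meet the recommended floor?"""
    return iterations >= floor


def crack_slowdown(low_iterations: int, high_iterations: int) -> float:
    """How many times slower an offline attack becomes when the count is raised."""
    return high_iterations / low_iterations


def worst_case_crack_seconds(keyspace: int, kdf_calls_per_second: float, iterations: int) -> float:
    """Seconds to exhaust a keyspace.

    kdf_calls_per_second is the attacker's raw throughput at one iteration
    (an assumption you plug in for your own GPU budget); each real guess
    costs `iterations` of those calls.
    """
    guesses_per_second = kdf_calls_per_second / iterations
    return keyspace / guesses_per_second


def brute_force_pin(salt: bytes, target_key: bytes, iterations: int, digits: int = 3) -> Optional[str]:
    """Offline attack on a stolen vault whose master password is a short numeric PIN.

    The keyspace is tiny on purpose; the lesson is that the attacker pays the
    full KDF per candidate, so total cost scales linearly with iterations.
    """
    for candidate in range(10 ** digits):
        guess = f"{candidate:0{digits}d}"
        if derive_vault_key(guess, salt, iterations) == target_key:
            return guess
    return None


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    pin = "427"  # constructed weak master password for the demonstration

    # The vault is "stolen" at the legacy setting; time the offline attack.
    weak_key = derive_vault_key(pin, salt, LEGACY_ITERATIONS)
    start = time.perf_counter()
    found = brute_force_pin(salt, weak_key, LEGACY_ITERATIONS)
    elapsed = time.perf_counter() - start
    print(f"recovered PIN {found} at {LEGACY_ITERATIONS:,} iterations in {elapsed:.2f}s")

    factor = crack_slowdown(LEGACY_ITERATIONS, OWASP_PBKDF2_SHA256_MIN)
    print(f"raising the count to {OWASP_PBKDF2_SHA256_MIN:,} makes the same attack {factor:.0f}x slower")
    print(f"legacy setting meets the OWASP floor: {meets_iteration_floor(LEGACY_ITERATIONS)}")

    # Assumed attacker budget: 1e9 PBKDF2-SHA256 iterations per second (illustrative).
    # Keyspace: 8 characters drawn from 62 alphanumerics.
    keyspace = 62 ** 8
    for iters in (LEGACY_ITERATIONS, OWASP_PBKDF2_SHA256_MIN):
        years = worst_case_crack_seconds(keyspace, 1e9, iters) / (365 * 24 * 3600)
        print(f"{iters:>9,} iterations: worst case {years:,.1f} years")
```

Two caveats a practitioner should keep in mind. First, the derivation runs with the master password as input, which the provider never holds, so a service cannot silently re-key stored vaults to a higher count; the upgrade can only happen client-side, typically at the user's next login, which is why old vaults can sit at an old setting for years. Second, iterations multiply the cost of each guess but do nothing about the number of guesses: a short or common master password is cracked at any count, and a long random one is what makes the keyspace term large. Where a manager offers a memory-hard KDF such as Argon2id, that is the stronger choice against GPU cracking than raising PBKDF2 iterations.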
You've found The Backup Wrap-up, your go-to podcast for all things
Speaker:backup, recovery, and cyber recovery.
Speaker:In this episode, we're taking a look at password managers, something that
Speaker:we've been recommending for years.
Speaker:We all know that you need one, but which one should you choose?
Speaker:Well, uh, we're, we're taking some lessons from the LastPass breach and we talk about
Speaker:what features you should look for when picking the best password manager for
Speaker:your needs, including at least one topic.
Speaker:I haven't seen anybody else talking about.
Speaker:By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr.
Speaker:Backup, and I've been passionate about backup and recovery for over 30 years.
Speaker:Ever since.
Speaker:I had to tell my boss that we had no backups of the
Speaker:production database we just lost.
Speaker:I don't want that to happen to you, and that's why I do this podcast.
Speaker:On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.
Speaker:This is The Backup Wrap-up.
Speaker:Welcome to the show.
Speaker:Hi, I am W. Curtis Preston, AKA Mr. Backup, and I have with me a
Speaker:guy who has no idea how happy he's about to be when I tell him the
Speaker:news that I'm about to tell him.
Speaker:Prasanna Malaiyandi, how's it going?
Speaker:Prasanna.
Speaker:Uh, I'm good.
Speaker:Okay.
Speaker:I wanna know what
Speaker:So, so those of you that watch us on YouTube watch Prasanna's face when
Speaker:I tell him this, I, I finally found a use for my, my planer.
Speaker:I, I've had it for how long now?
Speaker:For like
Speaker:three years, I wanna say.
Speaker:three years.
Speaker:And I bought it primarily due to peer pressure from my power tool.
Speaker:Pusher.
Speaker:Prasanna Malaiyandi,
Speaker:and uh,
Speaker:salesman.
Speaker:You know that.
Speaker:yeah.
Speaker:Yeah.
Speaker:Um, so I am there, there's this, you know, um, those of you that
Speaker:follow the podcast know about the big TV that I bought and everything.
Speaker:And, and now there's this hole in the wall, and I want that hole to continue
Speaker:because I want to get access to underneath the stairs, which is where I, you know,
Speaker:it's a great, like, big storage area.
Speaker:And, uh, I have decided.
Speaker:Um, I, I had this whole plan that I, I was gonna make a hidden door.
Speaker:It turns out to be way more complex than I wanted to do,
Speaker:to, to have it truly be hidden.
Speaker:Right.
Speaker:Uh, and so I, I've decided to go complete opposite, which
Speaker:is, uh, it's gonna be a door.
Speaker:I'm gonna, it's gonna look like a door.
Speaker:It's gonna look like a regular door.
Speaker:I. I'm gonna frame it like a regular door, but it's not built like a regular door.
Speaker:It's too small.
Speaker:And so I need to build a door and, um, like, unless I wanna spend
Speaker:like a ridiculous amount of money for a solid core door, and then
Speaker:trim it down to size, it's only 19 inches wide and 48 inches high.
Speaker:I'm gonna build my own door.
Speaker:And I said, well, I'm gonna build it out of two by fours and then, you know, and
Speaker:build a frame with pocket screws and everything.
Speaker:But then I'm like, I need all these two by fours to be exactly the same size, and
Speaker:also to have sharp, sharp corners, not the rounded
Speaker:corners that you typically have in a two by four.
Speaker:And so I said, I know what to do.
Speaker:I, I can finally pull out my, my, um, planer that I've had for quite a while
Speaker:and, uh, I did a, I did a test run of it today and oh, the, the two by four that
Speaker:goes through it is, is just gorgeous and I knew you'd be very excited.
Speaker:See, aren't you glad you have a planer?
Speaker:Yes.
Speaker:The three, the, how much was that planer?
Speaker:Like $500 maybe.
Speaker:I think it was like four 50 on sale or
Speaker:Yeah, so like, let's say a $500 planer is saving me $200 on a, on a door.
Speaker:So Yeah.
Speaker:So there you go.
Speaker:you also used it last time for your last project too.
Speaker:did, I didn't use it.
Speaker:Yeah, I, I remember.
Speaker:Yeah.
Speaker:So I've, I've,
Speaker:inch off of something.
Speaker:yeah.
Speaker:Yeah.
Speaker:Which is essentially what I'm doing here
Speaker:too.
Speaker:I'm, I'm doing, I'm trimming it both.
Speaker:Both ways.
Speaker:Right?
Speaker:I'm, I'm making it, I'm making, I'm turning a rough two by four
Speaker:into a piece of like, finished
Speaker:wood that I'm gonna use.
Speaker:Um, you know,
Speaker:anyway, I just thought you'd be very exci.
Speaker:I
Speaker:knew that you would be very excited about that.
Speaker:excited.
Speaker:Um, so anyway.
Speaker:All right.
Speaker:Well, we should probably talk about what we came here to
Speaker:talk about, what the people
Speaker:came here to listen to.
Speaker:This is no
Speaker:longer called The Backup Wrap-up.
Speaker:This is now called the Woodworking Shop.
Speaker:yeah.
Speaker:Uh, I'm pretty sure there are pretty established podcasts for that.
Speaker:So I, I, so the core of this, uh, episode is going to be about how
Speaker:if I was starting, you know, I already have a password manager.
Speaker:You have a password manager, I'm happy with my password manager.
Speaker:Um, and, um.
Speaker:we've also talked about passkeys.
Speaker:And by the way, my password manager now supports passkeys,
Speaker:right?
Speaker:So, um, so my question is, um, but, but.
Speaker:The, the core of what we're gonna talk about is, if I was picking, if I was
Speaker:starting today, what, what are the, what are some of the things that I
Speaker:would look at and we can make, we're gonna talk both in terms of feature
Speaker:functions as well as one really crucial thing that I haven't seen listed
Speaker:when I see other people talk about, hey, how to pick a password manager.
Speaker:Um, so we're gonna talk about that, which really comes from.
Speaker:A big lesson that was learned from a very big hack of a password manager.
Speaker:So, um, this, this episode started with the fact that there had been a
Speaker:handful of cyber incidents in the last, uh, week or so since, you know, in,
Speaker:in the time that we're recording this.
Speaker:And, um, you know, I see three there, there was, there was the, um, the
Speaker:one that you talked about where the.
Speaker:The, the ransomware gang encrypted the
Speaker:network from a webcam, right?
Speaker:Uh, we've got the Rubrik, um, uh, hack, we've got the, uh, and we've
Speaker:got this, this FBI notification that LastPass has definitely been
Speaker:involved in some actual breaches of
Speaker:Well,
Speaker:wallets.
Speaker:the, breach against LastPass where they exfiltrated some data was then used.
Speaker:Right, right,
Speaker:wanna make sure that LastPass wasn't actually involved in committing
Speaker:Yeah.
Speaker:Yes.
Speaker:Yes.
Speaker:And, and
Speaker:yeah.
Speaker:And, and again, we're, uh, we're doing our best to sort of, uh.
Speaker:What do you call it?
Speaker:Uh, distill the things that we can read in the news.
Speaker:We're not involved in any of these.
Speaker:Um, uh, and you know, and we're also not cybersecurity experts, uh, but you know,
Speaker:I think we can, um, we can distill what's important for the audience here, which.
Speaker:Anyone that listens to this podcast more than a few times is going to hear
Speaker:us recommend a password manager, right?
Speaker:They're gonna hear us talk about the 3, 2, 1 rule.
Speaker:They're gonna hear us talk about the importance of offsite backups.
Speaker:They're gonna hear, talk about the importance of immutability
Speaker:and the importance of having a password manager, right?
Speaker:And so since we're talking about a lot, I don't think we've done an episode where we
Speaker:sh we just talk about, um, you know, how to pick a password manager and, um, so.
Speaker:The, and, and, and they do fall into a couple different categories.
Speaker:We'll get to that in a sec, but let's, first, let's just,
Speaker:uh, sort of do a roundup here.
Speaker:So the first one that I see is this, this Rubrik, um, notification.
Speaker:So the good news here is that this isn't, you know, I, I initially
Speaker:called it a Rubrik hack, but basically.
Speaker:Rubrik noticed some, um, anomalous activity on, on a server that
Speaker:they have that contains log files.
Speaker:Um, you know, they took the server offline.
Speaker:They went and changed a bunch of passwords, you know, rotated keys, uh,
Speaker:to mitigate any risk they don't have.
Speaker:You know, as, as is often a case, they don't have any,
Speaker:any, uh, evidence that that.
Speaker:Anything, uh, you know, there was any malfeasance other than the fact
Speaker:that they saw some activity in a log server that shouldn't be there.
Speaker:Um, and so they, they did what they should do, right?
Speaker:They
Speaker:notified the world and, uh, rotated the keys.
Speaker:yeah, and I was
Speaker:actually quite pleased because I. That they notified people, right?
Speaker:Because that's something that you don't normally publicly disclose,
Speaker:right?
Speaker:Or you just disclose it to the specific customers or whatever else.
Speaker:But they were upfront about it and we're like, Hey, we saw this.
Speaker:We took action.
Speaker:Nothing happened.
Speaker:Everything is good because we've also had cases, right?
Speaker:Ransomware cases where they did, they weren't forthcoming, right?
Speaker:The Okta
Speaker:hack as an example, right?
Speaker:right.
Speaker:Exactly.
Speaker:transparent is, I think another thing
Speaker:that we always stress on the podcast as well.
Speaker:It is.
Speaker:And, and they, and they basically, they, they were as transparent as could be.
Speaker:They put a blog post on their website.
Speaker:Right.
Speaker:And, um, so, uh, basically as a result, of course notified the world.
Speaker:Um, this, what's
Speaker:that?
Speaker:to Rubrik.
Speaker:Kudos to Rubrik.
Speaker:Right?
Speaker:So, um, the next one I'd like you to talk about because it's a really interesting
Speaker:thing, this idea, this the webcam
Speaker:hack.
Speaker:Um, Yeah.
Speaker:go ahead.
Speaker:a company that, uh, got attacked by ransomware
Speaker:and they were looking back to figure out, okay, what happened?
Speaker:And, uh, so this ransomware gang got into the network and they compromised a
Speaker:server and they tried to deploy malware.
Speaker:And while they tried to deploy the malware, it was basically caught by the
Speaker:endpoint detection and response software
Speaker:Right.
Speaker:that basically was like, Hey, you can't run, you look bad,
Speaker:so we're not gonna let you run.
Speaker:Right,
Speaker:So then they kept looking around, they're like, okay, how
Speaker:do we continue to attack this?
Speaker:And they saw that there were a bunch of servers and PCs and other things,
Speaker:but they all had EDR on it, EDR agents.
Speaker:And so what they decided to do is they noticed, hey, there's a webcam
Speaker:on the network and it's running Linux.
Speaker:Yeah.
Speaker:Yeah.
Speaker:they were able to, oh, and it had a vulnerability, so they were able
Speaker:to basically take over the webcam.
Speaker:They were able to monitor the live feeds as well, and at the same time,
Speaker:they basically SMB mounted the file shares and the NAS servers from the
Speaker:webcam and on the webcam, they deployed their malware and had it go encrypt
Speaker:all of the data in the company.
Speaker:That's just, I mean, it, it's, it's amusing a little bit.
Speaker:It's amusing if you're not them.
Speaker:It's amusing that it, that it was a webcam, but it, it, it, it just reiterates
Speaker:that, that I. Issue that like any device on your network that has a brain.
Speaker:Right.
Speaker:We've been joking recently that I got a new washer and dryer and
Speaker:they have an app and I'm sure that washer and dryer is running Linux.
Speaker:Right.
Speaker:I know, I know, it's not running Windows and it's not running macOS, so pretty
Speaker:sure it's running, you know, Debian or something on, on some little card and, um.
Speaker:I noticed that I got, and I installed the app on my phone, and so I get
Speaker:notifications that laundry's done, which is kind of cool, right?
Speaker:Um, but I got the notification from the phone of saying, Hey, you're,
Speaker:this, this, um, this, uh, app has been
Speaker:monitoring your your location
Speaker:for the last, do you want to?
Speaker:And I'm like, why does my washer dryer need to know where I
Speaker:am?
Speaker:But yeah, we, we, we put a lot of these smart devices on our network and that,
Speaker:you know, they have vulnerabilities
Speaker:and, and and it's, you know, we talk a lot about, you know, you're only
Speaker:strong as your weakest link, right?
Speaker:When you have all these devices on your network, uh.
Speaker:Yep.
Speaker:They, they all have to be managed.
Speaker:So I was gonna say, they all have to be managed from a cybersecurity perspective.
Speaker:And so in the end, this device had a vulnerability that
Speaker:was most likely patchable,
Speaker:right.
Speaker:All they had to do was update that webcam, but it wasn't because
Speaker:it was just some random device
Speaker:sitting on the network that nobody was uh, securing.
Speaker:Yep.
Speaker:And they couldn't run their EDR agent on it and all
Speaker:the rest of that.
Speaker:Right.
Speaker:So,
Speaker:and this is where I think sometimes network security becomes
Speaker:your best friend, because why?
Speaker:Is there a reason that a network camera needs access to your corporate network?
Speaker:I don't know, but.
Speaker:Yeah.
Speaker:Well, there might've been.
Speaker:I mean, you know, I, I mean, are you suggesting basically
Speaker:it should be on a separate
Speaker:network or, okay.
Speaker:Yeah.
Speaker:Yeah.
Speaker:that makes sense.
Speaker:Um, the, um.
Speaker:I was just thinking about my house, not, not the corporate 'cause.
Speaker:Yeah.
Speaker:Anyway.
Speaker:Uh, I
Speaker:don't have, I know, I know it's very common to create a,
Speaker:a smart device network, right?
Speaker:Uh, they can all hack each other, but not,
Speaker:um, yeah.
Speaker:So, um, and then let's talk about the big one.
Speaker:Big one.
Speaker:So we'll start, we'll go back to, we'll just remind, you
Speaker:wanna remind, uh, the listeners.
Speaker:What happened in 2022 with LastPass?
Speaker:Yeah, so LastPass is an online password manager, um, where you,
Speaker:they manage your passwords for you.
Speaker:Everything is encrypted with your master password, so they don't actually have
Speaker:access to the data, and then you're able to access it from anywhere, any
Speaker:device that you want, any website.
Speaker:Right?
Speaker:so what happened is in 2022, attackers got into LastPass by deploying.
Speaker:Malware on a Plex server of an employee and then
Speaker:That's back.
Speaker:We're back to why is there a Plex server on the corporate network?
Speaker:What?
Speaker:What is a Plex server, by the way, for those
Speaker:that don't know what that is?
Speaker:media server, so it
Speaker:allows you to stream videos and audio and other things like that.
Speaker:Yeah.
Speaker:So, uh, now granted, I don't know if that was on the corporate network,
Speaker:it might have been someone's home network, which they, I'm piggybacked
Speaker:on.
Speaker:I don't know those details,
Speaker:but.
Speaker:What they did was they were able to then get into LastPass object
Speaker:store system and basically copy out these encrypted vaults, which
Speaker:contained all of the end users' passwords.
Speaker:I. Right.
Speaker:So, so that gave them access to an, to encrypted versions
Speaker:of the user's passwords.
Speaker:The vaults were encrypted,
Speaker:right?
Speaker:So if, and, and of course the end of the story is that, and, and by the way, just
Speaker:a couple weeks ago we talked about, we, we had this phrase of like, I know a lot
Speaker:of, I don't know anyone that's been hacked because they had a password manager,
Speaker:but I know lots of people that have been
Speaker:hacked because they didn't have one.
Speaker:And now we're gonna talk about a
Speaker:story where.
Speaker:Where apparently people did get hacked because they used
Speaker:the wrong password manager.
Speaker:So, um, which is what led me to
Speaker:wanting to do this episode.
Speaker:So, yeah.
Speaker:2022, right?
Speaker:So
Speaker:it's been.
Speaker:Two and a half plus years.
Speaker:Right.
Speaker:And so there were some challenges.
Speaker:Initially LastPass was like, Hey, don't worry, everything is fine.
Speaker:You had a master password.
Speaker:Those weren't compromised.
Speaker:Right?
Speaker:All the rest of that.
Speaker:Um, but it turns out it was incompletely true.
Speaker:Right.
Speaker:depending on when you actually created your vault, they might
Speaker:have used a weaker algorithm.
Speaker:Right,
Speaker:and also not enforce sort of more or longer passwords.
Speaker:And so the less iterations they use, as well as the shorter the passwords,
Speaker:that makes it slightly easier to crack.
Speaker:Yeah.
Speaker:And so I guess, and again, I'm not, I. I'm not an expert in this, but could they
Speaker:have upgraded this vault like over time?
Speaker:Like if once they, once they went to a strong word, a stronger
Speaker:encryption algorithm, couldn't they have upgraded that vault?
Speaker:Uh
Speaker:I don't, I don't think they could have,
Speaker:hmm.
Speaker:I think it would've required recreating a vault, which I'm sure isn't too difficult.
Speaker:Right.
Speaker:Right, and moving your passwords over.
Speaker:Yeah.
Speaker:Yeah, that'd be, um, it's just so, but they definitely did not do
Speaker:that, apparently.
Speaker:So if you've been a, if you've been a, uh, so basically the more money you've given
Speaker:to LastPass, the better your chance you
Speaker:have of being hacked, which is somewhat ironic.
Speaker:I was looking at an article,
Speaker:Mm-hmm.
Speaker:to that here from Krebs on security, Brian Krebs,
Speaker:and he basically had a picture which said, okay, if you use the
Speaker:algorithm, if you had an old password vault, using the less strict stuff.
Speaker:Right.
Speaker:And a common complexity password, you could crack it using a single GPU in
Speaker:one year and it would cost you $7,500.
Speaker:Yeah,
Speaker:Right.
Speaker:Versus if you had the newer stuff right, it would take
Speaker:you 10 years and cost $75,000.
Speaker:that's interesting that it's still.
Speaker:oh, a
Speaker:password of average complexity.
Speaker:Gotcha.
Speaker:Right.
Speaker:So it could, right.
Speaker:So if we think about it, right, it's been two and a half years,
Speaker:$7,500 isn't a lot of money.
Speaker:And I think also what they're looking at, especially if you're able to figure
Speaker:out like who do you want to target,
Speaker:Mm-hmm.
Speaker:right?
Speaker:You don't need to crack everyone's vaults.
Speaker:If you've identified people whose vaults you wanna crack,
Speaker:then it could be very lucrative.
Speaker:Mm-hmm.
Speaker:Right.
Speaker:In terms of the payout, and I think this is what we saw in 2023, in
Speaker:September of 2023, Brian Krebs had also written an article where he
Speaker:was like, I think that people are actually going after crypto wallets.
Speaker:Right, right.
Speaker:Right, and, but they couldn't prove it at the time, but there
Speaker:just seemed to be some linkages
Speaker:So,
Speaker:seemed to link to the fact that people were using.
Speaker:so let's talk about that.
Speaker:Um, hang on one second.
Speaker:Um, so let's talk about that.
Speaker:And again, I just for the record, not a crypto guy, not
Speaker:not a cryptocurrency person.
Speaker:Um, but historically all you need is a passphrase and you're in and
Speaker:you have the crypto wallet, right?
Speaker:Um, and you can see everything that's in the crypto wallet.
Speaker:You can take everything out of the crypto wallet and, um, and so
Speaker:apparently a bunch of people had that.
Speaker:There is a way to address this now.
Speaker:Uh, with something called BIP 39.
Speaker:And so this is the idea of adding a past phrase on top of your seed phrase,
Speaker:so you, you have to have two pieces of information to get into a crypto wallet.
Speaker:Assuming you've enacted this concept called bi BIP 30,
Speaker:that's hard for me to say.
Speaker:BIP 39.
Speaker:And, but apparently there, I'm, I'm sure I am absolutely sure that there are
Speaker:tons of wallets that haven't done this.
Speaker:'cause it's probably, again, like what we were
Speaker:talking about before, it might be difficult to redo
Speaker:this once this has been done.
Speaker:Don't know.
Speaker:But a bunch of wallets had just this, uh, seed phrase and they
Speaker:stored their seed phrase in LastPass,
Speaker:and
Speaker:to do, right?
Speaker:Which you would think would be a good thing to do, It's a,
Speaker:yeah.
Speaker:Yeah.
Speaker:It's
Speaker:stored, it's accessible.
Speaker:Yeah, I, I mean there, there, you know, I looked at some other discussions
Speaker:of ways to do this better, ways to do this, and, um, basically the, the
Speaker:only good way to do it, I think is to do the, the BIP 39 so that you can,
Speaker:um, so that you need two things, but
Speaker:then you
Speaker:need to remember another thing, right?
Speaker:do you know what the worst way to do it is?
Speaker:Um, put it on a sticky note.
Speaker:Put it on a flash drive and throw it in the dump.
Speaker:Yeah.
Speaker:I wonder how that guy's going.
Speaker:That guy that bought the dump, did he buy the dump?
Speaker:I don't know if they actually bought the dump yet or not.
Speaker:For those who don't know, there's a guy who bought a bunch of Bitcoins,
Speaker:had it on a hard drive, the keys, and then basically tossed the drive.
Speaker:So it's sitting in a landfill with something like a couple billion
Speaker:dollars worth of Bitcoin at this point.
Speaker:Yeah.
Speaker:And he's been looking for that hard drive or a flash drive forever.
Speaker:Yeah, I bet.
Speaker:Um, so they stored without an additional, uh, BIP 39, um, pass phrase.
Speaker:They stored their, you know, they stored their, their seed phrase in
Speaker:last pass, their LastPass vault was accessed because of the LastPass hack.
Speaker:I'm assuming they probably then had one of the older encrypted.
Speaker:Uh, vaults, I'm assuming, uh, this is
Speaker:definitely an go ahead,
Speaker:Even if they didn't.
Speaker:Right.
Speaker:I wonder if with, because that article was from a while ago with
Speaker:newer technologies, right?
Speaker:Newer GPUs.
Speaker:I wonder if the timings that we had talked about the 10 years is still applicable
Speaker:Yeah, I don't know.
Speaker:Um,
Speaker:was also a single GPU, right?
Speaker:So if you have a
Speaker:cluster of GPUs.
Speaker:Right.
Speaker:Yeah.
Speaker:Um, but what we do know is based on this article from, um, Krebs on
Speaker:Security from Brian Krebs, that it, it, that the first article was, it
Speaker:appears that people are having their,
Speaker:um, the wallets stolen and, um,
Speaker:the, the latest thing, what's that?
Speaker:I think it was like 30 million, $40 million.
Speaker:Yeah, so the latest thing was what, what happened, uh, the last couple days,
Speaker:So in the last couple days, the feds actually have said that, oh yeah, there
Speaker:was a bunch of cyber heists, I think it was $150 million cryptocurrency heist.
Speaker:And they basically said, yeah, that was actually from the
Speaker:last pass breach that happened.
Speaker:so.
Speaker:I mean this, this is frustrating.
Speaker:Um, it's frustrating because you would think that if you're a crypto person
Speaker:and you know that, that key is the only thing that you can change your crypto,
Speaker:surely you can change your crypto key.
Speaker:because You can't change it because it's almost like a private public key.
Speaker:You basically have to toss it and get another one.
Speaker:I cannot change once it's broadcast.
Speaker:Well, okay, you,
Speaker:could transfer it to
Speaker:you could transfer your money, so why are they not doing that?
Speaker:That's all I'm saying.
Speaker:I'm just saying people that do crypto wallets, I would think would be rather
Speaker:obsessed with, you know, with security.
Speaker:so this $150 million cyber heist that happened last year that the
Speaker:feds were able to recover some money for,
Speaker:it was actually against a co-founder of the cryptocurrency platform called Ripple.
Speaker:I don't, I don't understand this.
Speaker:I mean, I'm, I'm, I'm an amateur at this stuff, and that's the first
Speaker:thing I would do if I stored my, I don't care what last Pass had told me.
Speaker:If I was a LastPass customer and I had stored my seed phrase in
Speaker:LastPass, and they told me that the vault, everything should be fine.
Speaker:I'd be like, screw that.
Speaker:I'm transferring my money to a different
Speaker:vault.
Speaker:Right?
Speaker:A different wallet and, uh, with a much stronger passphrase, you
Speaker:know, all, all, all those things.
Speaker:I, I don't, which is why when, when I read, I, I think it was Brian
Speaker:Krebs article, and he was like, these people know what they're doing.
Speaker:You know, he's like, these are not amateurs.
Speaker:These people know what they're doing.
Speaker:And I'm, I don't know.
Speaker:I, I know, and I know it's just like blaming the victim or whatever, but
Speaker:first off, I mean, this isn't what this episode is about.
Speaker:But, but I mean, we're, we're 28 minutes in.
Speaker:It's still what the episode is about.
Speaker:But I mean, if you're a crypto person, I don't know.
Speaker:I would, I would be looking at BIP 39.
Speaker:I would be looking how to enact out on a new wallet, and I would be transferring
Speaker:everything I have into that new wallet.
Speaker:I would be doing that right now.
Speaker:Um, and if you, and I'd be doing it sooner than that if I was in the LastPass
Speaker:hack, but that's just me.
Speaker:So there was a security researcher, let me see if, what was his name?
Speaker:ZachXBT is what he goes by.
Speaker:He's a blockchain security researcher and he basically said over the last
Speaker:many months there have been several six figure heists from cryptocurrencies.
Speaker:Mm.
Speaker:So
Speaker:it's not, it's just that this $150 billion one is like the
Speaker:big
Speaker:just, yeah, it, it, yeah, it got it, got it.
Speaker:Got news, right,
Speaker:and it
Speaker:yeah, and they were saying that all the other six figure people,
Speaker:they hadn't seen like the similar high, uh, similar patterns that had
Speaker:happened in other crypto heists.
Speaker:Like I know we've talked in the past about like sim swapping,
Speaker:right?
Speaker:In order to get your phone number and then they're able to unlock
Speaker:your account, all the rest of that.
Speaker:But none of those happened to these people.
Speaker:They're like, yeah, we didn't expect anything.
Speaker:And then all of a sudden our wallets were drained.
Speaker:This is not helping my lack of interest in cryptocurrency
Speaker:anyway.
Speaker:All right, so I. So here's the thing.
Speaker:All of this was caused because someone, a, BA, a bunch of people
Speaker:used the wrong password manager.
Speaker:So let's, let's just talk about some of the things that we would
Speaker:look for in a password manager.
Speaker:And the first thing I want to talk about is, is how do you figure out
Speaker:that there u the, the strength of, of encryption that they're using
Speaker:to store your encrypted passwords?
Speaker:So a lot of this should be public information,
Speaker:right?
Speaker:Most of the password managers talk about different options, what you
Speaker:can do, um, what algorithms they use.
Speaker:Um, one thing to look for is things like how many iterations.
Speaker:Right,
Speaker:which is basically taking the thing that you give them and running it
Speaker:through their encryption algorithm.
Speaker:Many times,
Speaker:the more times, the more iterations the better, because
Speaker:then it makes it harder to crack.
Speaker:It
Speaker:takes a lot longer.
Speaker:Right, So, um.
Speaker:That, that, that, that would be one of the first things I would do.
Speaker:If, if I was, if, if I was concerned about security and I was looking into a password
Speaker:manager, I would ask that question,
Speaker:how do you protect the vault itself?
Speaker:What do you do to, you know, protect that vault?
Speaker:So that would be one of the first things I would do is I would ask
Speaker:them how they protect the vault.
Speaker:Um, there are some, there are some, um.
Speaker:What do you call it?
Speaker:Um, table stakes features, things like, obviously the idea
Speaker:of automatically detecting and saving new passwords automatically
Speaker:auto-filling those passwords where you have, you know, where you have it.
Speaker:Um, and, and by the way, there's a bunch of, there's a bunch of, I'm looking
Speaker:at a particular post and there's a bunch of features that are listed.
Speaker:I'm only gonna do the ones that are just focusing on security.
Speaker:Um, I would.
Speaker:I would be very wary of a password manager at this point
Speaker:that doesn't support pass keys.
Speaker:Right.
Speaker:Um, the, um, what do you think about, uh, MFA with password managers?
Speaker:I, I definitely, yeah, I was, I was actually surprised you
Speaker:talked about passkey before MFA.
Speaker:Um, well, you know, it's like that's the, that's the new thing, right?
Speaker:Um, but the, the, the idea that, again, this is your password manager.
Speaker:This is everything, right?
Speaker:And so if somebody gets a hold of your key and figures out your key.
Speaker:Uh, being able to, um, make sure that they're not able to directly
Speaker:log into your, to your account is, um, I, I would think table stakes.
Speaker:What do you,
Speaker:wouldn't you agree?
Speaker:Oh yeah, for sure.
Speaker:And yeah, whatever the mechanism is that you use to do that.
Speaker:But please do not use SMS or, uh, email
Speaker:OTP or
Speaker:to codes, because yeah, those are not
Speaker:Yeah.
Speaker:Yeah.
Speaker:Well, what would we use instead?
Speaker:Prasanna,
Speaker:you don't want me?
Speaker:I use SMS.
Speaker:That's what everybody uses.
Speaker:What do you want me to use instead?
Speaker:you can use an authenticator app.
Speaker:Take your pick of whichever one you want.
Speaker:You could also use like YubiKeys and other things like that,
Speaker:Yeah,
Speaker:I li I like the Authenticator app because essentially it's free, right?
Speaker:They all also known as OTP or one-time password generators.
Speaker:Uh, so Google Authenticator is probably the most common.
Speaker:Uh, I happen to like hy uh, A-U-T-H-Y, uh, also free.
Speaker:I. Um, and basically that, that's so much better than, um, there
Speaker:are commercial versions of these that, that are more expensive.
Speaker:That, that, the big thing with those, uh, that I found because I, I I, like, for
Speaker:example, my, my bank requires me to use the semantic one-time password generator.
Speaker:The big difference between that and um, uh, authe and Google Authenticator.
Speaker:Is that they generate a new key every 30 seconds,
Speaker:but it's doing it every 30 seconds.
Speaker:Like, uh, like every 30 seconds on the 32nd thing, right?
Speaker:According to like the
Speaker:atomic clock somewhere.
Speaker:Uh, whereas like with semantic, when I pull it up, it generates a new.
Speaker:Pass code at that
Speaker:moment, and you have 30 seconds from that moment.
Speaker:So that's what you get from a commercial one versus the the free one.
Speaker:Um, yeah, you, you've gotta use that.
Speaker:Right?
Speaker:Um, and so please, please, please don't use SMS or email as
Speaker:your, as your second method of authentication.
Speaker:Um, the, um, what about the inclusion of biometrics?
Speaker:It's a great way.
Speaker:Well, I consider that almost an MFA, right?
Speaker:It.
Speaker:Well, it is.
Speaker:Yeah.
Speaker:Right.
Speaker:Um, I like this concept where there, what, what, and I remember going through
Speaker:this back in the day and that was they would pull in all the passwords
Speaker:that are stored in like my browser.
Speaker:Uh, and then, and then, you know, just.
Speaker:Figure them out.
Speaker:And then they would look at them and they would say, Hey,
Speaker:let's do a password health check
Speaker:on these passwords, right?
Speaker:So that you can go fix them.
Speaker:Um, and I, and also that did not give me the greatest sense of security,
Speaker:the fact that they were able to just suck the passwords out of my browser.
Speaker:But I, I'm assuming that means that it's authentic
Speaker:because I'm in the browser and they're authenticating to the browser.
Speaker:I don't know for sure.
Speaker:But, um, the next thing is, um, automatic generation of new passwords.
Speaker:Um, right.
Speaker:so here's my question.
Speaker:I know we talk a lot about password managers.
Speaker:I know we're
Speaker:talking here about like passwords of like websites and things like that,
Speaker:yeah,
Speaker:and I know we did an episode a couple, maybe three weeks ago,
Speaker:four weeks ago, about pass keys.
Speaker:Does pass keys just solve all of this?
Speaker:PAs keys.
Speaker:PAs keys do solve all of this.
Speaker:Um.
Speaker:the how do you get to your actual password manager?
Speaker:Yeah.
Speaker:Um, but again, but not everything
Speaker:supports PAs keys yet.
Speaker:Right.
Speaker:PAs keys does make this much, much easier.
Speaker:Right.
Speaker:Having said that, I. If you're going to use a
Speaker:password use as long as, because again, a 15 character password and a 40 character
Speaker:password takes the same level of effort for the password manager to put it in.
Speaker:And so use as long as a password as your password manager will allow you to create
Speaker:and the website will allow you to put in.
Speaker:Um,
Speaker:me.
Speaker:When the website is like the max
Speaker:password length is 16 characters, and you're like, oh,
Speaker:Yeah.
Speaker:Or, or the, the worst, in my opinion, actually worse than that
Speaker:is when they tell you that the,
Speaker:some of the characters that you used are not allowed
Speaker:and you're like, ah.
Speaker:Yeah.
Speaker:Um, but yeah, that, that should be, that should be, uh, a feature.
Speaker:And when you're creating those passwords that you should be able
Speaker:to like, uh, 'cause some, some websites again, won't take special
Speaker:characters, which is crazy, but, um, you know, you can turn that on there.
Speaker:There's also where there's a feature in Dashlane, I don't know
Speaker:if you've seen this, but there's a feature in Dashlane where they
Speaker:will purposefully use lookalike.
Speaker:Letters next to each other, or, or, you know,
Speaker:to, to, to further confuse, uh, things.
Speaker:Um, but yeah, that, that's, um, um, and then of course, obviously the big thing
Speaker:you're looking, you know, everybody should have syncing across multiple devices.
Speaker:Um, I'm just looking at
Speaker:different things.
Speaker:What,
Speaker:eh,
Speaker:what.
Speaker:sinking
Speaker:I am saying for a commercial password manager, why would you, I
Speaker:mean, that's, that's table stakes.
Speaker:yeah.
Speaker:Yes.
Speaker:Sorry, I do not use a commercial password manager.
Speaker:Yes.
Speaker:I know you're a little, you're a little weird
Speaker:in so many ways, but, um, I. Yeah, I do.
Speaker:And I sync it across my, you know, my multiple devices.
Speaker:Um, and my wife and I actually share, you know, we, because it's
Speaker:like, I don't know, whatever it is, like 80 bucks a year or whatever.
Speaker:Um, so we, I realized why are we, you know, why are we paying for this twice?
Speaker:So
Speaker:we now we just have
Speaker:everything.
Speaker:But what the, what's that?
Speaker:you just need one vault.
Speaker:Yeah, I just need one fault and, um, what it does mean is my, my dash
Speaker:lane account is ginormous in terms of the number of passwords are there.
Speaker:Um.
Speaker:I, I do think, you know, read the website, read the stuff that
Speaker:they do to secure your password.
Speaker:Uh, most of these things that we talked about are going to be table
Speaker:stakes for any, uh, password manager.
Speaker:Do you remember the OnePass?
Speaker:Was it last, uh, one password?
Speaker:Yeah.
Speaker:What about it?
Speaker:That was the one where they didn't encrypt all the data in the vaults.
Speaker:Yeah.
Speaker:Yeah.
Speaker:They, they, um, I mean the
Speaker:stuff, yeah, the stuff that they used, luckily the stuff that they used
Speaker:wasn't stuff that would directly impact your security, but more indirectly.
Speaker:Right.
Speaker:It was stuff that, it was like personal information that could
Speaker:be used to then further, uh, yeah.
Speaker:that was great too.
Speaker:Yeah.
Speaker:So that's a good, that's a good, another good question to ask.
Speaker:Thanks for bringing that up, is.
Speaker:Is all of my personal data, uh, encrypted or just the, the passwords.
Speaker:Right.
Speaker:Um, now of course you're not gonna be able to check that, but
Speaker:You know what I do wonder?
Speaker:So in the LastPass, the cyber wallet heist that were going on,
Speaker:mm-hmm.
Speaker:they said most people had stored their key, the seed key
Speaker:Yeah.
Speaker:the secret notes field
Speaker:of the entry.
Speaker:I wonder if how they had created these vaults, if the attackers were able to
Speaker:find, what are all the vaults where people had written something in the
Speaker:secure notes, secure notes field,
Speaker:Oh, I see what you're saying.
Speaker:To narrow down those that they,
Speaker:Yeah.
Speaker:yeah.
Speaker:Yeah, I, I have stuff in there too.
Speaker:I have like, um, I have like a, I have a note that says like, important numbers
Speaker:and it's like my driver's license number and, you know, the stuff that I keep
Speaker:getting asked for and I don't necessarily wanna pull up my wallet for Yeah.
Speaker:Um, the, the phone number to be able to swat, um, uh, persona's,
Speaker:house, you know, stuff like that.
Speaker:Um.
Speaker:I hope, I hope that's helpful to people.
Speaker:Um, you know, it's when, whenever you see a big thing like this, it,
Speaker:it's a chance for you to reconsider whatever it is that you're doing,
Speaker:right?
Speaker:And, um, uh, if you've, if you've had a password manager for a while, maybe it's
Speaker:time to, you know, find out, you know, did have they upgraded their password?
Speaker:Do you need to do something to, to make your password more secure?
Speaker:Um, it's hard, it's easy to pick apart something in hindsight, right?
Speaker:It's harder to figure it out, uh, moving forward.
Speaker:But I still think even, even with LastPass, generally you are better
Speaker:off having a password manager.
Speaker:You are much better off having a password manager and or pasky, right?
Speaker:Um, I, you know, it's funny that you mentioned now, now that I
Speaker:understand what Pasky are and how they work, I'm not actually sure what.
Speaker:What role Dashlane pays plays in when I store a passkey in Dashlane,
Speaker:Just to store your PA key because if someone
Speaker:gets your PA key, they get access to your account.
Speaker:Right, so basically,
Speaker:so, so it's taking the role that like.
Speaker:The, the key chain takes in.
Speaker:Okay.
Speaker:Alright.
Speaker:So it becomes again the, the encrypted place where I store the encrypted.
Speaker:Yeah.
Speaker:Okay.
Speaker:Alright, makes sense.
Speaker:Um, so, you know, I've done past keys on a handful of my accounts whenever I
Speaker:see it now that I, now that I understand what it is and now that it actually
Speaker:makes my life easier, not harder.
Speaker:Um, so I've just got like, I don't know, 500 more accounts to go.
Speaker:Uh, simple.
Speaker:Yeah.
Speaker:All right.
Speaker:Well thanks for the chat again, persona.
Speaker:Now I'm super excited to hear how the planning goes, so send me pics.
Speaker:I knew that you would say that.
Speaker:I know I love watching your face, but I was like, he doesn't know
Speaker:what it is that I'm about to say.
Speaker:All right.
Speaker:Well, thank you to our listeners.
Speaker:Uh, you are why we do this.
Speaker:Uh, you know, be sure to check us out on YouTube.
Speaker:Um, you know, we're available on YouTube.
Speaker:We're available on, you know, wherever you get your podcasts.
Speaker:And subscribe if you like us.
Speaker:Subscribe.
Speaker:If you don't, well, I don't know.
Speaker:Go, go find something else to do.
Speaker:Uh, that is a wrap.
Speaker:The backup wrap up is written, recorded and produced by me w Curtis Preston.
Speaker:If you need backup or Dr. Consulting content generation or expert witness
Speaker:work, check out backup central.com.
Speaker:You can also find links from my O'Reilly Books on the same website.
Speaker:Remember, this is an independent podcast and any opinions that you
Speaker:hear are those of the speaker.
Speaker:And not necessarily an employer.
Speaker:Thanks for listening.