There are lessons we can all learn from what happened to LastPass and their customers. It’s a complicated story. We do our best to boil it down to the essentials and to the lessons that we can learn from what happened to them. Hope you enjoy the episode.
[00:00:38] W. Curtis Preston: Hi, and welcome to Backup Central’s Restore All podcast. I’m your host, W. Curtis Preston, aka Mr. Backup. And I have with me, uh, a guy who I think is gonna be very excited as he lives vicariously through me over the next few months. My, my electronic enthusiast, Prasanna Malaiyandi. How’s it going?
[00:01:04] Prasanna Malaiyandi: I’m good, I’m always willing to spend other people’s money, so
or getting people to spend
[00:01:12] W. Curtis Preston: say that. This is like your, your exciting part of watching other people sort of work through their. spend their money.
[00:01:21] Prasanna Malaiyandi: And it’s what makes you happy, right? So it’s like you’re starting a project. No. Well, you’re starting a project for enjoyment, right? I think everything, sorry. Most things in life that you do to improve your life cost money. So, there are some things that don’t, of course, but there are some things where you’re like, yeah, I work.
I earn, I spend a lot of time working and putting in the time. There should be certain things which I should spend money on
[00:01:48] W. Curtis Preston: So I’m probably going to buy what is referred to as an ultra short throw, um, laser TV. And, um, well, they, so in the, in the biz, they’re, they call this a laser TV. I, I don’t know why, but it is a projector, right? It’s a screen and a projector and they’re like, it’s a laser TV cuz it’s lasers, but whatever.
Um, but that’s what everybody calls it, right? Um, but yeah, it’s not gonna be cheap. Right, because I want a ginormous screen. I’m looking at a 120 inch screen. Um, and, uh, I am most likely going to be buying, uh, I’ve already looked. I’m gonna be buying basically last year’s model, what is now last year’s model, because CES was just a few weeks ago, or actually just last week. I’ve already looked at the reviews of the stuff that people saw at CES and I’m like, yeah, I’m not paying for that. Right. Um, looking at stuff that’s like double the price of what I’m looking at. I will say the most frustrating part in terms of like looking at reviews and stuff, um, has been the soundbar part, um, is the different levels of it. It’s like with, with, with the projector, there is hands down a winner.
Everybody agrees. Bang for the buck. It’s this Formovie Theater. That’s the, the name of it. It’s actually like a, I think it’s actually Wemax that makes it, but they’ve branded it for the US market. The brand is Formovie, that’s the name of the brand, and the name of the thing I’m buying is Theater. The Formovie Theater.
It’s a little hokey, but everyone agrees. It literally, it, it, it literally universally, everyone agrees. So that’s the easy part. They also generally agree on the screen. Um, you know, a, um, a, what do they call it, an ambient light rejecting screen that is designed for UST projectors. Um, but when we get into the soundbar part, um, first off, they cost way too much.
[00:04:02] Prasanna Malaiyandi: It’s all relative, Curtis.
[00:04:05] W. Curtis Preston: it’s so, it is so relative, right? And you watch these different reviews, you’re like, okay, I think, I think I’ve, I think I’ve zoomed in on it. And then you read, and then you watch a couple of other reviews and they’re like, oh, this one’s crap. This one’s, yeah, well, it’s good, but it sounds a little tweety.
It sounds a little, you know, this and that.
[00:04:23] Prasanna Malaiyandi: so
[00:04:24] W. Curtis Preston: it’s not, it’s speakers, it’s surround speakers are not nearly as good as the Samsung nine 90 T Biggie r. You’re like, all right, lemme go check that one out. And then you, you know, and, um,
[00:04:37] Prasanna Malaiyandi: How far down the rabbit hole did you end up
[00:04:39] W. Curtis Preston: I. Well, I, well, I know this. I don’t want to buy the thing that I saw the guy review.
Well, actually, let me rephrase that. I do want to buy the thing that I saw the guy review from CES, which is the what, what’s the
[00:04:54] Prasanna Malaiyandi: the, the Nakamichi Dragon.
[00:04:57] W. Curtis Preston: Nakamichi? The Nakamichi Dragon that he basically said is the greatest sound system he has ever seen. Uh, but it’s $3,500, which is basically about 2x of what I think I’ll probably be spending.
Um, uh, I think I’ve ended up with the Samsung so far, mentally where I’m at is the Samsung HW-Q990B, which
[00:05:22] Prasanna Malaiyandi: Is that the one I told you?
[00:05:24] W. Curtis Preston: system. Is it really the one you told me when I started?
[00:05:28] Prasanna Malaiyandi: I think it was.
[00:05:29] W. Curtis Preston: Yeah, that’s interesting. We’ve, we’ve talked about this enough already. Uh, I want to go to something that is, that is
[00:05:37] Prasanna Malaiyandi: this is more fun.
[00:05:37] W. Curtis Preston: to me. Yeah, it is, it is more fun. It is more fun to talk about. But we’re here today to talk about password managers. You know, we, we’ve, we’ve spoken about password managers. Prasanna, what do we think of password managers?
[00:05:55] Prasanna Malaiyandi: They are awesome. Everyone should use a password manager.
[00:05:59] W. Curtis Preston: Everyone should use a password manager. You should either use a commercial one, like the one I happen to have.
I happen to have, uh, Dashlane, not sponsored. You have like an open source
[00:06:09] Prasanna Malaiyandi: Yeah, I use KeePass. Yep. I use KeePass.
[00:06:11] W. Curtis Preston: Yeah. KeePass.
[00:06:13] Prasanna Malaiyandi: In fact, didn’t we do an episode where we talked
[00:06:16] W. Curtis Preston: We did, we did an episode where we talked about these different
[00:06:18] Prasanna Malaiyandi: With, yeah, with Chris Haner. “Why You Need a Password Manager,” Episode 168.
[00:06:23] W. Curtis Preston: Yeah. Yeah. So we’re huge fans of password managers, and LastPass, uh, generally ha, you know, has a good design.
Um, having said that, I think they made some, some really big mistakes. Given the number of companies that have been hacked, will be hacked, especially when we, when we start looking at ransomware, I don’t think that a company should be dinged just because they got hacked.
[00:06:51] Prasanna Malaiyandi: Yep. Yep.
[00:06:52] W. Curtis Preston: do you, do you agree with that?
[00:06:53] Prasanna Malaiyandi: I a hundred percent agree. It’s there. It’s so hard to stay on top of everything, especially given a service you operate. And so there will be zero day exploits and other things that you can’t plan for. Right. And they happen and it’s just how quickly can you jump on top when something like that happens? Right. So we shouldn’t ding ’em just because they may be hacked. Right.
[00:07:16] W. Curtis Preston: Having
[00:07:17] Prasanna Malaiyandi: But but I sets a
[00:07:21] W. Curtis Preston: We can ding companies for why they got hacked, right? If you got hacked, right, if your identity got stolen because you painted your social security number on the front of your house,
[00:07:35] Prasanna Malaiyandi: Yeah.
[00:07:35] W. Curtis Preston: an idiot,
[00:07:36] Prasanna Malaiyandi: Or you create an S3 bucket that you left public.
[00:07:40] W. Curtis Preston: if you do something like that, Then, you know, we’re just, we’re just gonna make fun of you, right?
We’re just gonna bring you on. And this is one of those things, you know, the, the, I, I was looking at the Wired article about this, and their headline was basically, I mean, here’s some headlines, right? So, uh, from Mashable: LastPass reveals just how bad that August breach was. It was bad. Um, the, the Wired article basically said it’s time to dump this password manager.
And that’s a strong statement, but I have to say, based on the things that we’re gonna talk about in this episode, uh, again, I, I was already a customer of another, of another company, but it seriously draws into question some of their thought processes and, and, and lack of processes.
[00:08:37] Prasanna Malaiyandi: And just for people who aren’t familiar, just think of like all the passwords for all your financial institutions and everything else, right? You’re trusting the keys to the kingdom about you and everything you have access to, to a company, right? Everything’s in a single, centralized place if something happens, if that data is, if that company is breached and the data is stolen, right, there’s all your passwords for everything that’s out there.
[00:09:03] W. Curtis Preston: I’ll just put this right. I’ll just put this right now. If you’re a LastPass customer and your, and the length of your password isn’t good enough, then your, your data’s gone. Right? And you need to go and change all, meaning that your data has now been, it, it, it, it should, you should be assumed. Cuz that’s basically what they told their customers.
They basically said, you know, if you’ve got, um, you know, uh, a password that’s that’s not of, of a certain length, then um, it’s gonna be, you know, it’s gonna be easily g where, where are
[00:09:40] Prasanna Malaiyandi: Or, or, or
[00:09:41] W. Curtis Preston: Prasanna, in terms of the, of the, um, yeah. What’s, what’s the recommended minimum password length these days?
[00:09:51] Prasanna Malaiyandi: I don’t know. I am actually not sure. I always just figure out like if I’m creating a password, whatever the max password is on a website, and I just use that, right? So for me it always varies, right? I always just err on the side of whatever’s the largest.
[00:10:10] W. Curtis Preston: Here’s the one I was looking for. There’s a chart. Here it is. Yeah, this is it. Okay. Number of characters, assuming that you’re using upper and lowercase and a number, right?
[00:10:28] Prasanna Malaiyandi: Mm-hmm.
[00:10:29] W. Curtis Preston: Uh, I mean, I, I can, can we agree that we should not have anything measured in months or . So basically the question is, if you have numbers, upper and lowercase letters, how long will it take modern, um, computers to do a brute force guess of your password? And today, if you have a 10 character password, it’s seven months. If you have an eight character password, it’s one hour. Right? If you have an eight character password with numbers, upper and lower case, by the way, if you add symbols to that, it goes from one hour to eight hours.
So an eight character password with all of the stuff that you’re supposed to have in it is guessable in eight hours with modern technology. So I, I would, I like numbers like 2,000 years, a hundred thousand years, right? Um, and those start appearing around 13 characters, right? Um, according to this, an 18 character password, um, I like this.
An 18 character password with numbers, upper and lowercase and symbols is seven quadrillion years to guess. So, what I’ve been doing is I’ve set my password length to 20 in Dashlane and, uh, and obviously I have to rein that back occasionally when I get to a stupid website.
[00:12:01] Prasanna Malaiyandi: Yeah.
[00:12:03] W. Curtis Preston: Um, yeah, so basically if you, if, if your password, I’m gonna say if your password is under 10 characters, then you need to be changing all your passwords now, if you’re a LastPass, if you’re a LastPass customer. Now we should, we need to talk about why, but I just wanna scare the crap out of
[00:12:22] Prasanna Malaiyandi: I thought there was, I thought there was also another thing that they had mentioned of, maybe we’ll talk about this later, maybe not, that they had used a different crypto algorithm in the beginning. So if you have really old passwords, it would
[00:12:35] W. Curtis Preston: Oh, that’s right.
[00:12:36] Prasanna Malaiyandi: standard than newer passwords.
So even if you have 24 characters or whatever else, if it’s a password that was, I don’t know what the timeframe was for that password or when they did that switch, but if you have an old password, you should probably change it.
[00:12:49] W. Curtis Preston: So let’s talk about what, where this started at.
Um, and that
[00:12:55] Prasanna Malaiyandi: in the day,
[00:12:56] W. Curtis Preston: hack, right? Um, so there,
[00:13:01] Prasanna Malaiyandi: But ju, do you wanna actually talk about it before the August hack?
[00:13:05] W. Curtis Preston: what, what do you mean?
[00:13:07] Prasanna Malaiyandi: Because are you gonna talk specifically about the LastPass breach that happened in August? Or do you also want to talk about, because before the LastPass breach, right, there was the Twilio breach
[00:13:17] W. Curtis Preston: Twilio breach, right there. Well, there was Twilio, but you know, as, as, as far as I can tell, what it was was it was the same threat actor that did a bunch of similar attacks that they attacked Twilio. Which, that didn’t mean anything to me, cuz to me that was like some, uh, project management stuff. And that’s when I found out that Twilio owned Authy. Guess who uses Authy?
Hello? But basically what they did, uh, as far as I can see, is they, they used stolen credentials. They got into the network, they were able to bypass MFA in some way, and they were able to spend some time in the network. And, uh, LastPass. The only credit I’m going to give to LastPass is that they were upfront about what happened, right?
So they were, but they weren’t. So they said that they, they had, they’d been able to steal some source code.
[00:14:16] Prasanna Malaiyandi: Yep.
[00:14:16] W. Curtis Preston: And at first that’s very concerning because the source code could include source code of, of the, the product itself and somehow figure out
[00:14:25] Prasanna Malaiyandi: Like exploits and weakness.
[00:14:27] W. Curtis Preston: Right? But the source code that we now know what, again, this is all, everything I’m saying in this podcast is it appears, what it looks like they did was they stole the source code of a script that was being used for backup. Which, uh, what do you think, Prasanna, about a company that’s a 200 million company that’s doing backups with a script?
And what was in this script? Mind you, what was in the script? Credentials. So hard coded credentials. So what do you think?
[00:15:14] Prasanna Malaiyandi: Yeah, so, so the, so A, they shouldn’t have been doing that. That’s ridiculous. But I will give them credit for one aspect. Right. I know a lot of times, and maybe you should throw out our disclaimer here, right? But I know a lot of times we talk about, um, actually, why don’t you do the disclaimer.
[00:15:35] W. Curtis Preston: All right. So, uh, Prasanna and I work for different companies. This is not, uh, an official podcast of either company. He works for Zoom, I work for Druva. And we’re just a couple of dudes jibber-jabbering about our opinions about stuff. And these do not necessarily reflect the opinions of our respective employers.
And, uh, if you wanna join the conversation, this one or any other conversation, you feel free to reach out. W Curtis Preston gmail or WC Preston on Twitter. And, uh, I, I might get a, I might get a new Twitter name. I hear they’re, they’re auctioning them off. I
might, you know, a couple, couple million dollars and I’ll, I’ll buy a Twitter name, but,
[00:16:12] Prasanna Malaiyandi: Elon Musk,
[00:16:15] W. Curtis Preston: I don’t think that one’s available.
Um, the, uh,
[00:16:20] Prasanna Malaiyandi: So, so,
[00:16:21] W. Curtis Preston: sure to rate us and subscribe and all that stuff. Yeah. So go ahead.
[00:16:24] Prasanna Malaiyandi: So going back. I a hundred percent agree with you that they should never, like, no one should be hard coding credentials into a script. That is ridiculous. However,
[00:16:36] W. Curtis Preston: one, no one should be
a 200 million company should not be doing shell scripts
[00:16:42] Prasanna Malaiyandi: Yes. Well, let me, let me get to
[00:16:44] W. Curtis Preston: Okay. Sorry, I interrupted you.
[00:16:46] Prasanna Malaiyandi: Yeah. So yes, there are cases where you want to use automated tools or, uh, a service out there or a backup product to actually do it properly because no one wants to focus on backups.
Everyone’s gonna do a poor job if they build it themselves because it never gets a focus on the business. A hundred percent agree. However, I will say that there might be certain cases, right? I don’t know what their infrastructure looks like, right? There might be cases where there is no standalone tool that can satisfy the needs of what they have right there.
Maybe it’s a very, very small percentage. Maybe they never looked, but I’m just giving them the benefit of the doubt and saying maybe it didn’t work for their environment, and therefore someone went and wrote a shell script. That’s all I have
[00:17:32] W. Curtis Preston: Not buying that. I’m not buying that, because the, the problem, the, the, the, the area, like I can see that of like maybe they’re using Neo4j and nobody has a tool to back up Neo4j. And so they’ve got a shell script to back up Neo4j.
I’ll give them that, but that’s not where, where the, where the, where the problem was apparently in actually when it copied to the cloud. There’s a thousand companies, uh, that if you’re running, they’re most likely running Linux or something right.
[00:18:04] Prasanna Malaiyandi: uh, oury.net. Remember we had
[00:18:08] W. Curtis Preston: There, there’s a bunch of companies and stuff that could do this without hard coding your stuff.
So, so I think, I think it’s bad that a 200 million company was using a shell script. It’s super bad that they were using, um, hard coded credentials in that script. And then, um, and
[00:18:28] Prasanna Malaiyandi: You know what’s funny? You know what’s funny? Wait. But before you get to that, they’re a password manager company that is hard coding passwords, you know? Isn’t that a little ironic?
[00:18:43] W. Curtis Preston: That, unlike most of the things in the song “Isn’t It Ironic,” uh, is actually ironic. That is very ironic, right? Um, a password management company that didn’t. Yeah. That’s not, that’s not good. Yeah. And by the way, what ended up happening is why you don’t hardcode passwords in, uh, and, and, and they use the word token somewhere, you know, it’s slightly different than a password, but whatever.
It’s a password. What happened was we go back to the August breach. What it, what it looks like happened is they crawled the network. They were able to grab some source code. Remember that source code included the script. The script happened to have credentials to log into the cloud service where they copy their backups.
[00:19:30] Prasanna Malaiyandi: Oh.
[00:19:31] W. Curtis Preston: And so guess what? They, that’s what happened is they lo it’s the, the, the hackers logged into the cloud service that they use for backups and they exfiltrated the data, right?
[00:19:45] Prasanna Malaiyandi: What was in these backups?
[00:19:48] W. Curtis Preston: Well, nothing important.
Really lucky, Prasanna. Luckily, it was nothing important. It was just everything. It was the customer database, meaning like who are they? Where do they live? You know, how do they pay? What address do they live at, all that kind of stuff. But it was also the actual vault, the actual, the crown jewels, the usernames and passwords.
Now they are saying, with some caveats that we already talked about a little bit, they are saying that they, um, that they’re there. That is, that that part is encrypted. Right? So the, the chance is that someone would be able to steal your password, your username and password by decrypting your, because the, the, the encryption algorithm is, it’s a hashing mechanism that uses your password as part of the key.
Right? Uh, it’s,
[00:20:47] Prasanna Malaiyandi: Like
[00:20:48] W. Curtis Preston: I don’t know if it’s Yeah. Like the master password. Right. Um, and, um, And so in order to decrypt it, someone would have to guess your master password. The, um, and that’s why we’re going back to the beginning. The question is, how big is your master password? And also, apparently in the instructions that they sent to customers.
Again, I’m gonna, I’m gonna give, this is the only nice thing I’m gonna say. At least they were open with their customers as to, uh, how things went, right. Very different, for example, than the, uh, Rackspace hack, right? The Rackspace hack. They, they have said very little, even though they’ve concluded their investigation, they’ve said very little, uh, and they’ve said some things that I don’t think they can back up, whereas LastPass really laid it out there.
They’re like, here’s what happened. Here’s where they got in, they got in, here’s what they have. And by the way, if you, if you got a, if your, if your master password is the size or if you’ve done stuff, you know, a certain timeframe, if you, if you are a LastPass customer and you haven’t taken a look at that, uh, you really should, you really should look at that message.
[00:21:59] Prasanna Malaiyandi: Clarification question, Curtis, is did they say that both the username and the password were encrypted in the vault, or was it just.
[00:22:08] W. Curtis Preston: So yeah, the username, the, um, uh, what there, the only thing I remember that was not encrypted in the vault was the URL that that particular password is for. Um, so, so which, which, again, this is, this is why I was like, it is just a number of things where it calls into question.
The, the decisions of the company. Why, why
leave that one field? Yeah.
Um, I think we have some theories, right? We have some, because they wanted it unencrypted. I think it there they had a reason, right? We can theorize it doesn’t really matter, but I think the reason, the only reason to leave a field like that unencrypted is you had, you had use of that field,
[00:23:11] Prasanna Malaiyandi: So here’s, I have two questions for you actually. One comment, one question. So the comment is, like you mentioned earlier, I think we should at least, not congratulate LastPass, but at least say that they’ve done a good job being transparent. Right? We’ve seen so many other breaches
where no information has come out, right?
So I know we’re harping on them right now, right? And giving them a bad time. But it’s not because of what they’ve done after the breach. It’s what happened before the breach. I think that’s what we’re concerned about on this.
[00:23:46] W. Curtis Preston: Yeah. And, and by the way, I, I need to go back to an earlier thought that I, it came to me and it, it left. And, you know, you know, that happens sometimes. The problem with a hard coded, uh, you know, credential like that is exactly what happened. That someone who wasn’t supposed to see the code will see the code and will then use that to do something bad, right? To access stuff they’re not supposed to access. And, um, that’s exactly what happened here. Which again, I’m gonna go back to another, I don’t think it was a decision, but when you get hacked, like they got hacked and you know that a threat actor was roaming around in your, in your computing environment for a few days, undetected. What should be, what should you do next? What should you do? Immediately
[00:24:47] Prasanna Malaiyandi: Well, a, you should probably take
[00:24:48] W. Curtis Preston: beside, we already talked about notification. Yeah. Take everything down. Look around.
[00:24:53] Prasanna Malaiyandi: yeah. Take everything down, look around, rotate all your passwords,
[00:24:57] W. Curtis Preston: There you
go. That’s, that’s what I was reaching
for. But, but the problem is when you’ve just got a hard-coded thing sitting in a shell, , you’re not necessarily gonna think about
[00:25:10] Prasanna Malaiyandi: Well, and I, that’s the thing is if they had known it was hard coded, like if they had tools to scan and look for passwords, right. They would never have let that happen. It looks like it slipped under the cracks. Right. And someone hard coded it just to get it out the door and no one went back and fixed.
And this goes to a point you were bringing up earlier. At this point, right? If you can’t focus on your backups and make it better, you’re probably better off finding an automated tool or a product to fill that gap because they care about these things and they will make sure that you are doing things in the right way.
Right? And so you’re less likely to end up with these issues.
[00:25:50] W. Curtis Preston: Yeah. And, and, and I know that not every company. I mean, let’s go back. Go back to, go back to 30 years ago, right? Uh, we are coming up like any day now. It’s gonna be 30 years for me in the IT industry. And I was using shell, I was at a 35 billion company and I was using shell scripts. I was, I was running dump, of course, back then, the idea of commercial backup tools.
So much a thing. Arcserve was about the only one. It was Arcserve and there was BudTool. I don’t know if you’ve been around long enough to
[00:26:30] Prasanna Malaiyandi: I’ve heard about BudTool. I never used it, but yet
[00:26:34] W. Curtis Preston: and Alexandria. That was which, which, which, you know who owns, you know who owned that.
[00:26:41] Prasanna Malaiyandi: Hm.
[00:26:41] W. Curtis Preston: They’ve been on the podcast. Do you know who’s owned that? Spectra Logic owned Alexandria back in the day, they decided to sort of focus on hardware. I’m, I’m not saying that these things don’t happen, but I will say that, you know, that was a different time. And basically, and even then I knew not to hardcode usernames and passwords, but the way, the way backups worked back then was everything ran as root.
Right? You, you created a script as root, you had cron that ran things as root, and then because it ran as root and because you had rsh enabled
[00:27:25] Prasanna Malaiyandi: Yep.
[00:27:26] W. Curtis Preston: we didn’t, we didn’t have
[00:27:27] Prasanna Malaiyandi: could do anything and
[00:27:28] W. Curtis Preston: had rsh enabled. rsh enabled without a password. So from, from a central, right. As long as you were root, you’re root here, you’re root over there.
That was, you know, back in the day, um, we had a script that would go around and do our dumps and things like
that. Um, and, um, We also had an RFS mounted tape drive. I think we brought, I, I
[00:27:53] Prasanna Malaiyandi: well, you talked about us. Yeah.
[00:27:54] W. Curtis Preston: Yeah. RFS was remote file service, like a predecessor to NFS, and, but you could mount a tape drive.
It was kind of cool anyway, clearly it wasn’t that cool because it didn’t, it didn’t last,
[00:28:08] Prasanna Malaiyandi: Yeah.
[00:28:08] W. Curtis Preston: Yeah, so I, I understand you’re a small company, um, and, and you can’t get any budget for backups. I, I understand. I, I just, I would like to think that if that’s where you work, if, if you can’t get any money for backups, I think that you should take a stance, and I think that you should say, we need a commercial backup.
Right. Um, I, I do, and I do strongly believe in, in a SaaS based tool. Not because I work for Druva, but because I’ve been that way for a long time. Right. The idea of having somebody who’s focused on it and does nothing but that and you have a complete service. Um, you know, and the cloud is a beautiful thing for that.
We have so much bandwidth these days that, you know, deduplication has enabled this. I mean, it’s just been so many things that have been, that have made cloud a cloud SaaS backup service like my, my employer, happens to offer, um, for me. It, it, it is the best backup option for most companies. There’s caveats, right?
Uh, most of the companies like mine, there’s not a lot of them, but they don’t tend to do like the older Unix platforms, right? Um, they don’t tend to do as many database products. They tend to focus on virtualization and the. . Right. Uh, and I’ll, I’ll say something that I say often is, if you’ve got 10 petabytes of data and a T1 line, Hmm.
That ain’t gonna work. Right. You need some
[00:29:45] Prasanna Malaiyandi: but I’m guessing, just given last pass, right, they probably like how they’ve scaled out, right? The number of users on their platform. Right. They’re probably familiar with a lot of these sort of challenges anyway. Right. It’s just they sort of stopped at, and so I’m even wondering like, they focused on production, right?
Making sure everything was up and was good to go there. They probably have some form of high availability and disaster recovery, hopefully. Right? But who knows? And then it’s just sort of, some people, like you said, forget about that arc or the backup side of things and recovery. And then I even wonder if there probably don’t even consider anything around archive either, right?
If I just think about the life.
[00:30:28] W. Curtis Preston: Yeah. I, I, I, um, I just think it’s a matter of not prioritizing backup, which I is a, is a historical problem.
[00:30:39] Prasanna Malaiyandi: Yeah,
[00:30:39] W. Curtis Preston: and I guess I’m just saying, I’m speaking to the, I’m speaking to the person that understands the value of backup and recovery, and that is our target listener, right? Our target audience is somebody who understands the value of, of, of backup, right?
So I’m saying if you’re at a company that doesn’t understand the value of backup, I think it’s time to, to make a stand.
[00:31:00] Prasanna Malaiyandi: Yep.
[00:31:00] W. Curtis Preston: Get it in writing that you recommend they do something else.
[00:31:04] Prasanna Malaiyandi: and I think because typically it’s an IT function, right? Who worries about backup, but this is where I think you go get champions who can help support your cause, like people in security because it’s relevant for security folks as well. Or if you look at legal and compliance or other folks in the organization, right, to help support you and push to get things.
[00:31:26] W. Curtis Preston: Yeah. And use this story. Right. Use this story of what happens when you grow your own backup system and then reach out to, you know, a number of companies. Reach out to me. I’ll, I’ll put you in touch with the right people. Um,
[00:31:45] Prasanna Malaiyandi: It’s,
[00:31:45] W. Curtis Preston: don’t talk opinion. He’ll just, he’ll just make a meeting.
[00:31:50] Prasanna Malaiyandi: so it’s interesting. I was just thinking about this a lot of times on the engineering side and product side, we always talk about tech debt, right? Things I wish I could have done, but I couldn’t do because I had to get the product out the door. So I took some shortcuts and we’ll fix it later and sometimes didn’t ever get fixed.
Right? I think we haven’t really talked about like the IT side of tech. Right, which like this could be, right? It’s like, Hey, I needed to get backup done for that initial release, for instance, just to get things out the door and it’s tech debt. I never had the chance to go back and fix it, do it right?
Because there’s never enough time, there’s never enough budget, right? There’s all these other priorities. So
[00:32:28] W. Curtis Preston: One of my favorite phrases, it’s never time to do it. Right. Always time to do it over, right? Um,
[00:32:35] Prasanna Malaiyandi: until you get to a fire drill like this,
[00:32:38] W. Curtis Preston: Yeah. So, yeah, so, so use this story. So that’s what I, I, so I, I, I tell you what, I, I, I would have a hard time continuing to justify being a LastPass customer. You do what you want. Maybe they have features that you like, and maybe you feel that they’ve learned their lesson, whatever.
I don’t know. Last pass, it made me, it made me think about the length and the complexity of my dash lane password. Um, so I got, I got, I changed it I was like, I, uh, and my wife and I share the password manager, right? So I had to, I had to explain my new super long password.
It’s relatively simple to remember, right? I went with the sort of the battery horse stable method rather than the XYZ nine,
[00:33:29] Prasanna Malaiyandi: was it basically u U s t p a l r one 20 d r a g o n.
[00:33:42] W. Curtis Preston: Yeah, that’s exactly what it was. Um, yes. Um, that’s what be my, my password should be four movie theater, Samsung nine 90 B. Actually, you know, the, the, the Vizio model numbers. So, so that was one of the things I was looking at. The soundbars, the Vizio model numbers are all like UX 95 3 70. Right. And the, the people that review ’em, they’re just like, what is
What is this? You know? Um, that could be, that could be a good password, I’m just saying. Um, but it’s not long enough. So, yeah, so I, I so, so, so, so that’s the other thing. So I think you should. I think you should seriously reconsider your LastPass situation. I think you should also look at, take this, take this opportunity to upgrade your backup scripts, your backup system.
Look at a commercial backup system. Use this as a justification to do what you’ve probably been wanting to do all along. And then finally, uh, I guess I think it’ll be finally, is take a look at your master password. Uh, you know, look at that table, um, that says, you know, uh, cuz basically if your password, if your password manager is, um, you know, is guessable in something measured in weeks or months or less than that, that’s not good, man.
[00:35:13] Prasanna Malaiyandi: Yeah.
[00:35:13] W. Curtis Preston: You know?
[00:35:15] Prasanna Malaiyandi: And I think the other thing to mention is two things, right? We always talk about this: enable two-factor authentication or MFA where you can, in addition,
[00:35:25] W. Curtis Preston: you.
[00:35:25] Prasanna Malaiyandi: right? Um, and then the other thing is even if you are using a password manager, if your password is like 10 years old, right? You probably do want to change it at some point, even though you’re using a password manager, it’s totally random, right? You do probably want to change it every once in a while. I’m guilty of this. I’ve actually started going through and changing passwords, but I realize, yeah, I haven’t cycled some of these in a while, even though they’re all randomly generated, but
[00:35:54] W. Curtis Preston: Have I have I told you how many passwords I have?
[00:35:58] Prasanna Malaiyandi: yes, you did.
[00:36:00] W. Curtis Preston: It’s, it’s several hundred
[00:36:03] Prasanna Malaiyandi: I thought, I thought in the podcast episode we did with Chris I think you both had a significant number of passwords. , let’s put it like that.
[00:36:12] W. Curtis Preston: Yeah, I think the only way I was able to do this, because it doesn’t list, doesn’t show me in here like a number. I had to, I had to actually export it and then, and then count the number of lines in the file and then delete the file.
[00:36:30] Prasanna Malaiyandi: Oh, Curtis.
[00:36:32] W. Curtis Preston: Um, it’s a lot. I guess what I’m saying is it would take me a month to update all my passwords, right? Oh, but you know, by the way, Dashlane used to have this really cool change-your-password-for-you feature, and it worked at a lot of the popular websites. They, they’ve abandoned that feature. They said it was too hard to, to keep it updated.
Um, and. Yeah. Can you think of anything else we should be talking about regarding this last pass thing?
[00:37:00] Prasanna Malaiyandi: No.
[00:37:03] W. Curtis Preston: Uh, I, I, one thing came to mind is, is if your company has been the subject of some kind of hack of any kind, perhaps you should roam around and look for scripts with, uh, you first change all your regular passwords.
And then roll around to see if you’ve got scripts with authentication crap in ’em.
[00:37:26] Prasanna Malaiyandi: Or the other thing is change your passwords and then like if you’re using AWS, look at CloudWatch. It’ll log when authentication failures happen. And now you can at least point yourself in the right direction of being like, Hey, I didn’t know that.
[00:37:39] W. Curtis Preston: And I’m assuming that the other providers have something
similar. Right. Um, it’s
[00:37:46] Prasanna Malaiyandi: Yeah. And hopefully you do have some form, form of auditing enabled in your systems to at least log failures
[00:37:53] W. Curtis Preston: and
and by the way, that, that’s how, uh, LastPass discovered what was going on is they had some stuff that was watching, right? And they’re like, we noticed some unusual activity in our account. And, um, turns out somebody downloaded the backups of our stuff. Ugh. It’s killing me, man. Just killing me. This is just a, just a really, uh, anyway, all right, well, um, on that note, I hope that you’re watching this on a 120 inch screen. If you,
if you’re one of those who, if you only listen, you should check out the, the, the, the video version we have email@example.com. You get to see our, our beautiful faces and, and this and this. The camera is in the wide shot. Is my book in the wide shot?
Yeah Yeah it is. Okay. My book’s in the wide shot.
So you can see a, the, the book is whoop. There, there there is. It’s closer than it or than it normally is because I’m sitting in the middle of the room because I’m, I, I thought I was gonna get baseboards today and turns out I, I didn’t. Um, so all, everything, everything is in the middle of my. It’s, and I, and I’ve got like, literally, I have nowhere to move.
Like, regardless of which way I move, there’s, there’s something around me.
[00:39:16] Prasanna Malaiyandi: Well, hopefully you’ll be back to normal soon, Curtis.
[00:39:20] W. Curtis Preston: Hopefully. Hopefully. All right, well thanks for, uh, listening folks. And remember, remember to subscribe so that you can restore it all.