Why don’t you have a password manager already? Our guest this week, Chris Hayner, blogger at hayner.net and host of the Chaos Lever podcast, wrote a great blog post titled “Yes, You Do Need A Password Manager, Brett. Yes You Do!” Both Prasanna and Curtis DO have password managers, so he’s preaching to the choir. But if you’d like to hear the argument for why you need one, and arguments against many of the usual excuses for not having one, then this is the episode you need. And, as usual, we have a little fun along the way.
Transcript
[00:00:34] W. Curtis Preston: Hi and welcome to Backup Central’s Restore It All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup, and I have with me my carpet demolition expert, Prasanna Malaiyandi.
[00:00:46] Prasanna Malaiyandi: it going, Curtis,
[00:00:48] W. Curtis Preston: It’s um,
[00:00:49] Prasanna Malaiyandi: so I have to say first, congratulations on being done with one room,
[00:00:53] W. Curtis Preston: one room out of six.
[00:00:55] Prasanna Malaiyandi: that’s it’s progress, right? It’s progress. They say the first one’s the hardest. And then the rest go faster. Right?
[00:01:02] W. Curtis Preston: Well, in my case, the first one is absolutely the hardest cuz it’s the entryway and it’s got like this rounded entryway and a lot of funky angles and everything. Everything else is a rectangle, like a normal house, but the front room was absolutely the hardest. And of course I did it as the first.
Um, so yeah, but, but, and then I ripped up a bunch more carpet last night and uh, so, uh,
[00:01:25] Prasanna Malaiyandi: the kids who eat broccoli first, and then they eat all the yummy stuff after. Right. You get done with the bad stuff in the beginning and then everything else
[00:01:32] W. Curtis Preston: Exactly. Yeah. So, um, but do you have any further advice for me from your, your YouTube pals
[00:01:41] Prasanna Malaiyandi: for in terms of carpet repair or pulling up or anything else like that? No, not really.
[00:01:47] W. Curtis Preston: Okay.
[00:01:48] Prasanna Malaiyandi: Yeah, I got, I got nothing for you other, other than make sure your floors are flat. Make sure you don’t work backwards or no, actually, I guess you have to work backwards this
[00:01:57] W. Curtis Preston: I have to work backwards in this one room, the one room I have
[00:02:00] Prasanna Malaiyandi: And okay. The only thing I will say is take breaks.
[00:02:04] W. Curtis Preston: Oh trust me. That’s happening. I do. Yeah. Cuz I’m freaking old. And, and now that now that my doctor has informed me that I have bursitis on my knees, it just, who the hell? Like why, why did I get this idea of laying down my own flooring anyway, uh, you know, definitely falls into the category of I’m too old for this shit,
[00:02:28] Prasanna Malaiyandi: And, and just, don’t go asking a flooring person how much it would’ve taken to install it. Okay.
[00:02:35] W. Curtis Preston: I already know, I have a quote this time. I know, I know how much I’m saving. yeah. But, but at this point I am like really
[00:02:45] Prasanna Malaiyandi: It’s all good Curtis.
[00:02:46] W. Curtis Preston: Yeah. Uh, well, let’s bring out our guest. He has been in IT for over 20 years with an MBA from Temple University, where he also managed infrastructure. He was in presales for several years and is now a lecturer in computer science at Montgomery County Community College. You can read his blog at hayner.net.
Welcome to the podcast, Chris Hayner.
[00:03:09] Chris Hayner: How’s everybody doing today.
[00:03:11] W. Curtis Preston: Well, you know,
[00:03:12] Prasanna Malaiyandi: I’m doing well. I dunno about
[00:03:14] W. Curtis Preston: putting an ice bag on my knee, I’m doing great.
[00:03:17] Chris Hayner: Yeah. I feel like we should put the IT stuff to the side and talk about this flooring situation some more.
[00:03:22] W. Curtis Preston: Yeah, luxury, luxury vinyl planking. That’s what I’m all about. Um, replacing, uh, like carpet, tile and, uh, the, what do they call it? The laminate and the diner and the dining room. Like, so with one solid thing. Yeah. Anyway, it’s, uh, it’s a, it’s a fun project. I feel a bit, a lot more fun if it was like, I Don. 10 15 years ago.
[00:03:48] Chris Hayner: It was somebody else’s knees.
[00:03:49] W. Curtis Preston: if I was doing this with my 40 year old body instead of my 55 year old body, but, uh, yeah. Anyway, so, uh, I, I know we brought you on, um, I don’t remember how I came upon your, uh, your article, but we brought you on because you know, I read this article that speaks to something that I believe in, like I could have written the article just as much as you had.
And that was this idea of, I, I think the title was, yes, you do need a password manager. Does that sound about right?
[00:04:25] Chris Hayner: Yes, Brett, you do need a password manager. Yes, you do.
[00:04:30] W. Curtis Preston: Yes, you, do you think you don’t? For the record Prasanna and I both have password managers, actually. I think Prasanna has two don’t you Prasanna.
[00:04:38] Prasanna Malaiyandi: just have the one.
[00:04:40] W. Curtis Preston: Oh, I thought you had the, I thought you had one for work and one for,
[00:04:43] Prasanna Malaiyandi: Nope. Yeah. So for home I have my own, but I took a different approach than you Curtis. I don’t use a service.
[00:04:52] Chris Hayner: So you host your own
[00:04:54] Prasanna Malaiyandi: Yeah.
[00:04:55] W. Curtis Preston: I’m a da, I’m a Dashlane person. Uh, I don’t know what you’re using there, Chris.
[00:05:00] Chris Hayner: I have been LastPass for the past couple of years, although, and one of the things that actually got me to think about this article that ended up being posted a few months ago was my renewal is coming up. So I was kind of exploring some of the other options in the marketplace and there’s a lot,
[00:05:17] W. Curtis Preston: Yeah,
[00:05:17] Chris Hayner: um, you know, I, I did a quick check and I wanna say I got to around 40 different pot, uh, different password manager, softwares that exist.
Some of them everyone’s absolutely heard of. Right. Everybody’s heard of Dashlane. Everybody’s heard of 1Password. Um, hopefully everybody’s heard of LastPass. You know, those are like the main players, but then there’s a lot of little bit players. Bitwarden is an open source one that’s pretty popular that you can also host your own with.
And one of the things I think that makes it helpful is it’s not that difficult to build these types of products. It’s difficult to build them though with a feature set and a security reliability that people are going to be confident in.
[00:06:02] W. Curtis Preston: Yeah. Let’s start, with why do we need a password manager? Right. Let’s just, let’s just start there. I mean, basically the whole purpose of your article, because there, you know, there are people we run into ’em and they’re like, well, I don’t, you know, I, you know, we, we should talk about like, why we need one and then we should talk about the, like the objection of, well, well, I feel that that puts all my stuff in one place that makes it easier to hack.
Right. I’m worried that someone will get in and then they’ll have my entire world. Uh, I think that’s a valid concern. I just, I. I think that that any of the decent products have addressed that concern. Uh, and then, and then I think we can talk about like, um, basically, like you talked about the features, the features and function, like the ones that I, that I like a lot from Dashlane that, that made me choose it, some of which are now available in other products.
Um, and, um, I think that would round us out. So let’s talk about, let’s talk about first, Chris, you know, what it, why. Why
[00:07:01] Chris Hayner: Just why just.
[00:07:03] W. Curtis Preston: that’s just why
[00:07:04] Chris Hayner: Um, so the biggest reason is you are being required to get a username and password and log into pretty much every website that exists in the world. Now we can set aside whether that is necessary or advisable, but we have to do it. And if you don’t use a password manager, what you end up doing inevitably is using the same password over and over and over again.
[00:07:29] W. Curtis Preston: Right.
[00:07:30] Chris Hayner: The trouble. There is a lot of the times when a website gets breached, that username and password combination becomes immediately available to anybody who wants to pay for it. And I’ve actually looked into this and it is really, really sad in terms of how much a hacker has to pay for a valid username and password combination.
It starts out at less than one 10th of 1% per person. And it goes down to $0 because about a week after a breach, that information is publicly available.
[00:07:59] W. Curtis Preston: Right. Wow.
[00:08:01] Chris Hayner: Publicly available to
[00:08:02] W. Curtis Preston: Oh, I see. I see two, two people that know where to go.
[00:08:05] Chris Hayner: Yeah.
[00:08:06] W. Curtis Preston: Right. The I’m I’m assuming this is a dark web
[00:08:09] Chris Hayner: That’s the one. Yeah.
[00:08:10] W. Curtis Preston: Right, it seems now that I’ve had a password manager for forever, but I know there was a time when I knew that I shouldn’t use, um, the same password everywhere, but I didn’t wanna use a password manager and I didn’t wanna just use a spreadsheet.
So I had this, you know,
[00:08:27] Prasanna Malaiyandi: System.
[00:08:28] W. Curtis Preston: out it’s, it’s not that uncommon, but I had a system where I did use the same password everywhere. Well, just the places it mattered. Right. Like, but okay. Let me rephrase if it was a site that it didn’t matter. I had the same password everywhere. Like who cared if somebody got my, you know, login credentials to.
Whatever, what to what? Not to yo, not to yo no, but yeah, anything that I thought mattered, I had a separate password that was semi complex. And then I had a string that I would put on. I would append to that. That was unique to each site. So I just had to remember that string for each site. I don’t think I’m completely alone in that, in that idea.
Um, but at some point. I got the idea of trying a password manager and honestly, it’s so much easier. Right? It’s so much easier than, than the alternatives. I mean, Prasanna you, how, how long have you been doing this?
[00:09:28] Prasanna Malaiyandi: using a password manager. I wanna say the last eight years or so, or eight or 10.
[00:09:32] W. Curtis Preston: Yeah.
[00:09:33] Prasanna Malaiyandi: Yeah. And I agree. It’s easy. I don’t have to remember it. Um, and like you said, you can make those passwords more secure. Cause I’m the type who always runs into here’s the max number of characters, website supports, right.
Because I’m always like 32 characters plus special characters plus everything. Right. Throw the kitchen sink at it because I’m like, I don’t need to remember it.
[00:09:58] W. Curtis Preston: Yeah, that’s a Chris. That’s something that comes up pretty regularly on here is, is we talk about, we use these password managers and then we, we have these giant passwords and then we get a site that says like, oh, you can only have 16 characters in your password. And, and you can’t have these special characters.
Right.
[00:10:17] Prasanna Malaiyandi: can’t be repeating characters or things like that. That always bugs me too.
[00:10:23] Chris Hayner: Right. They’re basically putting together a recipe for an insecure password,
[00:10:26] Prasanna Malaiyandi: Yeah.
[00:10:27] W. Curtis Preston: Yeah.
[00:10:27] Chris Hayner: which is another reason to be really, let’s just say paranoid about the username and password combination, not being able to. get into more than one website,
[00:10:36] Prasanna Malaiyandi: Yeah, I, I actually wanna make a comment about that. Something you just brought up, Chris, a lot of people think password managers are just for creating random passwords, but you could also use it to create random usernames, which actually help secure you in addition to just having a random password,
[00:10:52] Chris Hayner: Yeah. You’re I mean, That is, that’s a very good point. And, and especially around personal security, there’s no reason that you need to have the same username all over the internet. So if you’re logging into a site that you don’t necessarily care for, or don’t care about that much, you know, like a good example would be the website, uh, called newsr, which is just a news aggregation site.
They don’t need to know who I really am. They just wanna know where to send their newsletter. Right. So my username doesn’t have to be associated with me as closely. So then if there’s an, an incident and a user or that like gets breached, then the breach doesn’t associate with me directly because I didn’t use the same username.
And in fact, you can use a password manager to save a whole persona, so you can create a fake name for yourself and just have that auto fill as well.
[00:11:43] Prasanna Malaiyandi: And also going one step further. Some sites also require like security questions. I remember we had a guest Curtis. I don’t know if you remember Zoe, right? Who talked about how the fact that she uses, like the security question, she creates some randomly she’s like, you don’t need to know my birthday or the city I was born in, as long as I remember.
And you can also use a password manager, some of them, to store that additional information as well. So like you said, Chris, you have an entire new persona created for.
[00:12:09] Chris Hayner: Yeah. And I think that’s a great point, cuz it also comes into password. Management. It doesn’t have to be in a password manager itself, but the idea that you are managing your information, that’s a great rule for people, no matter what do not ever answer those security questions, honestly, you know, what was the city that you grew up in?
Sorry, I was born on 123 Anywhere Street, and I dare you to prove different.
[00:12:33] W. Curtis Preston: Right. As long as you answer them the same way on the front end and the back end doesn’t really matter what you put there.
[00:12:40] Chris Hayner: exactly. And that’s another great use case for a password manager to keep that information for you.
[00:12:46] W. Curtis Preston: Yeah. The only thing that, and I, I agree with everything you just said, the only thing that stinks about that is that that’s not auto fillable. Right. Um, you’re gonna put that in the notes for your password manager in most cases,
[00:13:00] Chris Hayner: Yeah. That’s I mean, that does bring up, uh, a challenge because it depends on the password manager, whether or not they have an ability to natively store, additional information or custom fields.
[00:13:10] W. Curtis Preston: Right.
[00:13:11] Chris Hayner: And how is the website built? Because nothing drives me up the wall faster than when a website puts in JavaScript that blocks a password manager from auto.
[00:13:21] W. Curtis Preston: Yes.
[00:13:22] Chris Hayner: That seems so unnecessary,
[00:13:25] W. Curtis Preston: There are, there are even some that won’t allow you to paste, like even manually paste the password.
[00:13:30] Chris Hayner: right?
[00:13:31] W. Curtis Preston: That’s when I get that’s, when I get like, it’s one thing where, you know, if it won’t auto fill it, but then you’re like, okay, fine. It’s one of these sites where I have to copy and paste it and then you go to copy and paste it and it’s like, Nope, here’s what I, here’s what I think we should do, Chris.
I think we should start a website, like a website shaming website. Where, you know, we list companies that, that do stupid stuff like this. Like they, they, they have fewer than, you know, they, they have limitations on the size of the password. They have limitations on the number of characters we can put in, um, and the, you know, all that kind of stuff.
And, um, you know, and, and they can’t, and they won’t allow us to auto fill or copy and paste. I think we should.
[00:14:14] Chris Hayner: I like
[00:14:15] W. Curtis Preston: yeah, think we should do a little password shaming dot.
[00:14:19] Chris Hayner: Oh, there was, there was already a robust traffic in, um, pass, not password shaming, but S3 bucket malfeasance, shaming,
[00:14:28] W. Curtis Preston: Oh, nice. Yes. Yes, exactly.
[00:14:30] Chris Hayner: sadly ha still happens.
[00:14:34] W. Curtis Preston: Well, you know, what, if, if it still happens like with new stuff, then you deserve what you get. Because, because AWS makes it really, really hard to make an open bucket now. Right. It used to be the default. Um, if you create an open bucket now you really meant to do it, which means you deserve, you deserve everything that’s coming to you.
[00:14:55] Chris Hayner: Yeah. You had to click through giant flashing banners that say, don’t do this ever.
[00:14:59] W. Curtis Preston: right.
[00:15:00] Chris Hayner: And yet here we are. Someone is still doing it.
[00:15:04] W. Curtis Preston: Yeah.
[00:15:06] Prasanna Malaiyandi: moving on to sort of the password managers itself, I’m sure a lot of people are like, Hey, Google Chrome or Safari or Mac has Keychain. Right. Why can’t I just use that. Why do I need, like what you were talking about Chris, like a Dashlane, a 1Password, LastPass, etc.
[00:15:25] Chris Hayner: right. So that comes out to very simply the preference that you’re gonna have. Do you want to use something all within one infrastructure? Or do you want to use something that is independent of that infrastructure? So there’s a, there’s a big difference. For example, between using the password manager that’s built into Chrome and the password manager that’s built into Apple, right?
Because the coverage is very different, but. For example, in a Chrome environment, you can have a Chrome account and you can save passwords and share them across securely, assuming you trust Google of course, across different installations of that browser. So it’s the same exact concept in the sense that wherever you try to log in, as long as you log in with your valid username and password, you get all of your passwords along with you. But there.
[00:16:14] W. Curtis Preston: let me, let me just append to your comment. All of the passwords associated with that Chrome profile.
[00:16:20] Chris Hayner: right.
[00:16:21] W. Curtis Preston: Because I use two Chrome profiles constantly. So that’s an important point.
[00:16:26] Prasanna Malaiyandi: But it
[00:16:27] Chris Hayner: that’s, that’s a great point because it to, it speaks immediately to the limitation of doing it this way. The one thing about it that you, that is true is that it is, uh, simple, straightforward. You don’t have another product to manage. You don’t have another product in many cases to pay for, because most.
Professional password managers that we’re gonna talk about are not free. They might have some type of free tier, but it’s usually deeply limiting,
[00:16:49] Prasanna Malaiyandi: Yeah, but just to the Chrome example, isn’t it a little bit of a chicken or egg problem, because you still need to remember the password to how to log into Chrome right. Into your Chrome account, right before you can get access to the rest of your password. So
[00:17:03] Chris Hayner: Which is
[00:17:04] W. Curtis Preston: I mean, but that’s the same as a password manager, right? You need to remember that password, right? I will say. Again, this is something that comes up regular on the pasta on, on the podcast. Something is always better than nothing. Right? Not using any password manager at all. Like we’re not arguing. You have to use Dashlane or last password, one pass, right? We’re we’re just arguing.
You need a password manager. If you wanna live in the one that’s free with, with Chrome. And again, I don’t know anything about the security of how that is managed. I, I have that concern still better than nothing, I think. Um, right.
[00:17:44] Chris Hayner: And to their credit, a lot of the major browsers can do this and they do it a lot better now than they used to do it. Um, when password management first came out in Internet Explorer, it was saved basically in encoded, but in plain text on your computer.
[00:17:59] W. Curtis Preston: right.
[00:17:59] Chris Hayner: So that’s.
[00:18:01] W. Curtis Preston: the first, the first step in, you know, Dashlane I remember was sucking all the passwords outta my browser that I had in my browser, which meant that they were stored in plain text
[00:18:10] Chris Hayner: And exactly how did they do that? Yeah.
[00:18:14] W. Curtis Preston: they do that
[00:18:16] Chris Hayner: Um, but yeah, I mean the Chrome ones are better. Everything these days is at least at rest encrypted AES-256. It’s not really a problem with any major browser that you can think of. Everybody has their favorites. We’ve been talking about Chrome, but Firefox does it too. Uh, Edge does it too. And then with Microsoft and Apple, it gets a little bit more confusing because you can do it at an operating system level.
Right. So depending on the applications you’re using, you can also use, um, uh, what is it called in, in Windows? I don’t actually use Windows all that often, but I know they have a similar built in like Keychain
[00:18:52] W. Curtis Preston: It’s called not Keychain.
[00:18:54] Chris Hayner: yeah, something like that key bucket. Um, but that’s where the third party tools really have some value.
So you immediately have to manage two different things. For example, when you install LastPass, you install an application that reaches out to all your browsers plugs in and to that connection, an actual third party plugin. So if you’re on Chrome, you log in right. Click fill password. If you’re in Internet Explorer, same thing you can’t have that kind of spread if you’re just using the Chrome password manager.
[00:19:27] W. Curtis Preston: And also mobile and. Um, like I, I have Dashlane installed on my phone, so I get all this stuff on my phone as well.
[00:19:35] Prasanna Malaiyandi: But I believe though, if you’re using like an iPhone plus a Mac, right. And an iPad, right. I think with Apple now they have an iCloud Keychain. That’ll sort of sync everything now across assuming that you’re using the same iCloud account across all your devices.
[00:19:50] Chris Hayner: Yeah, that’s correct.
[00:19:52] W. Curtis Preston: Yeah. And I don’t, I don’t know anything about that. Right. I haven’t tried to use that. I mean, once I, once I went down the Dashlane.
[00:20:00] Prasanna Malaiyandi: There’s no,
[00:20:01] W. Curtis Preston: I was pretty and I’m paying like 39 bucks a year or something like that. Uh, and it comes with some like dark web monitoring or whatever, which, which is, I don’t know, which is just depressing.
They’re like, Hey, your email address showed up over here now. Um, right. And you’re, you know, and I’m like, oh, okay. All right. When I see my fake birthday showed up over in this other place. Cause I use a fake birthday just like we were talking about, I don’t use my real birthday unless I’m dealing with like a bank or,
[00:20:30] Chris Hayner: Right.
[00:20:30] W. Curtis Preston: that sort of thing.
Right.
[00:20:32] Chris Hayner: Yeah. Just because a website is asking for your honest information, as long as you’re not, like you’re saying a bank is a great case where you’re gonna want to be honest, but, uh, sorry. target.com. I was born in 1923 and I dare you to prove me different.
[00:20:48] W. Curtis Preston: Um, but by the, just, just how many, uh, we could have a little contest, cuz I think I might win. How many passwords do you have in your password manager?
[00:20:58] Chris Hayner: oh, that’s a great question. Um, I looked at this before and it was somewhere in the four to 500 range.
[00:21:04] W. Curtis Preston: Yeah, I win. I have about double that, but, but okay. But again, I share the password manager with my wife, right. So
[00:21:14] Chris Hayner: Ah, interesting thumb on the scales. I feel there,
[00:21:18] W. Curtis Preston: what’s that.
[00:21:18] Chris Hayner: it says a little bit of a thumb on the scales having more than one person.
[00:21:21] W. Curtis Preston: It is, it is. Yeah. I, I, but I think I’m more than I’m more, I’m definitely more than half of that, of that. Uh, so I think I might win, even if I go through it, but I don’t even wanna look and I wanna look at 800 accounts. start doing, start doing accounting of that. Um, but let’s talk about, so we, we we’ve talked about some of the alternatives.
I, I, I don’t think. Just not having anything, is it, I mean, there are people and I’ve seen it. There are people that use spreadsheet as password manager
[00:21:53] Prasanna Malaiyandi: Or use their heads. I used to do that.
[00:21:55] W. Curtis Preston: I, there was a guy, there was a guy that I interacted with on Reddit. That was just like, it’s not that hard to remember a unique password for every website.
And I’m like, are you serious? Like.
[00:22:10] Prasanna Malaiyandi: you’re only at five websites that they visit, right.
[00:22:14] W. Curtis Preston: and well, and he, and I, I argued with that. He’s like, no, I have, you know, and he gave some number, there was a significant number and I’m like, really like
[00:22:22] Chris Hayner: Yeah. And I think that comes back to what you, what you said at the top, which is one way to get around using the same password everywhere is to come up with some kind of a mental algorithm that takes into consideration the website that you’re using, for example. So my, my algorithm could be, uh, I hate the Nike store.com.
I hate adidas.com. You know, I recognize that these are different passwords, but they’re the same in the sense that the algorithm is very easy to figure out once a password gets broken. So even though each password is
[00:22:57] W. Curtis Preston: yeah, all, but the, the problem there is all, all, again, all that somebody has to do is hack one of those passwords. Right. And then it’s not that hard to figure out others again, it just depends on it’s still again, that’s still better than nothing. That’s still better than using the exact same password.
Every. But
[00:23:18] Prasanna Malaiyandi: even with unique passwords or even whatever the algorithm is, right. Even if it’s something more complex, that’s still so much like mental loads you have just to remember that stuff. It’s like, why would you want to take that on with everything else in the world you could be doing with that mental capacity?
You know, it’s just, why do you wanna clutter your brain?
[00:23:35] Chris Hayner: Right. Let’s make life easier. Let’s do that instead.
[00:23:39] W. Curtis Preston: the Sherlock Holmes, um, philosophy, right? The cuz he has this thing, that’s like, he doesn’t want to put anything in his brain that isn’t useful for everything. Right. So, um, so I, I guess the only. Um, I’ll call it valid concern, cuz it, I, I think it’s a concern that needs to be addressed is, well, I’m worried that if I use a password manager, all of my passwords will be in the same place.
And then someone will be able to not hack just one account, but my entire life, um, you know, what do we say to that?
[00:24:17] Chris Hayner: so the first thing to pay attention to with the provider that you’re using is where does the encryption happen? If the encryption happens on your machine with your key. And then the only thing that the provider saves is the encrypted content. It doesn’t matter if LastPass gets hacked, for example. And that’s a significant concern, cuz like we talked about older versions that were directly on the desktop weren’t encrypted at all.
So it’s definitely a possibility, uh, but what
[00:24:45] W. Curtis Preston: LastPass was hacked, right?
[00:24:47] Chris Hayner: they were hacked, but they did not lose individual account information in the sense of passwords. They lost other information, but the passwords themselves were secure.
[00:24:58] W. Curtis Preston: Okay.
Okay
[00:25:01] Chris Hayner: But you’re right in the sense that you now have really a master account, for lack of a better word, that needs to be secured in a different way. You can’t have your password for your password manager in your password manager. That’s not gonna work, but really what you, yeah. So what you need to do there is come up with a password that is really secure and again, unique, but that you can trust your memory.
However, you should still double protect that account with multifactor authentication. Um, and a lot of almost all of these providers make that an, uh, a possibility. So even if somebody does steal your master password to your password manager, they can’t log in without that six digit code.
[00:25:42] W. Curtis Preston: Right, right. I know with mine, it, you know, it pops up. I actually have to go to my phone, um, and authenticate, like if I log into a new browser, uh, I, I have to go to my phone and authenticate that in the Dashlane app itself. Um, which, which I, I like that. I prefer that to, let’s say an SMS.
[00:26:04] Prasanna Malaiyandi: What happens though, if you forget your master password, right.
[00:26:09] Chris Hayner: You’re well, again,
[00:26:11] W. Curtis Preston: that just.
[00:26:12] Chris Hayner: I mean, it’s, that’s a really good question because for example, if you have an Apple account and you’re enabled on iCloud, your stuff is encrypted in action, and I’m sorry. In motion and at rest, however, it’s the master encryption of Apple in iCloud, which means that if you lose your Apple password, Apple can unlock it for you.
[00:26:35] Prasanna Malaiyandi: Yep.
[00:26:36] Chris Hayner: A lot of these providers don’t do that by design. So it’s security versus convenience, which is a common seesaw that we find. But generally, if you forget and are locked out of your, like, I keep coming back to LastPass, cuz it’s the one I know the best their answer is.
[00:26:54] W. Curtis Preston: This is the way it’s designed to
[00:26:55] Prasanna Malaiyandi: they give you an option? Like I know Facebook, for instance, with their passwords, you could have like another person’s account who you trust, who they could reach out to, or here’s a recovery password that you can print out and store in a safe location just in case like a one time password.
[00:27:10] Chris Hayner: Right. Some of them do do that and they also have sort of a, a dead man switch option that you can put in place as well. We’re starting to get into like enterprise level features though. When you talk about that type of thing. Cause another thing that exists, if you’re a business, you can create an organization and then you can kind of have here’s the engineering master password.
Here’s the sales master password, et cetera, all the way across your company. And then because you’re one layer down now, your IT department has the ability. If you enable it to say, uh, Steve forgot his password, please reset it.
[00:27:45] Prasanna Malaiyandi: Gotcha.
[00:27:47] W. Curtis Preston: Yeah. Uh, for a while, my wife and I had, we, we both had Dashlane and, uh, I had my Dashlane password in her account and she had hers in mind, but then we realized, why are we both paying $39 a year? For what is essentially the same service, you know, and as long, as long as I, and neither of us had accounts that we didn’t want the other one to be able to log into.
Right. So that, you know, that that works. But, um, the. Uh, yeah, generally speaking. And I know by the way that, um, let me throw out our, our disclaimer, uh, Prasanna and I work for different companies. He works for Zoom. I work for Druva. And the opinions that you hear are, um, ours, and this is not an official podcast of either company.
Uh, and I say that, you know, one, I just wanted to mention, you know, at Druva. Up until just recently. Um, this was the way Druva worked because we do our encryption using the password and it’s a, it’s an envelope encryption system. And it wasn’t that long ago that I was talking with a customer who had done this, where he had changed his Druva password. And it’s. The only alternative was to basically just start over. Right. Because there was because we by design, didn’t allow you to reset your password because we couldn’t figure out a way up until recently to do that without allowing someone in Druva to also be able to reset your password.
Right. Cause you it’s a brain. So, um, So we figured it, we figured out a way, uh, thanks of course, to another new service by our, our lovely partner, AWS. right. Thanks. Thanks to them. We were able to figure this out. So now you’re actually able to reset the, the password. Uh, it do, it does trigger up, you know, MFA and all that kind of stuff.
Right. But so it, so you, you don’t think that the concern of, of having everything all in one place is a well you’re, you’re saying it’s a valid concern. But it just means you need to look into the way the, the, the products are built. Right,
[00:30:00] Chris Hayner: Exactly. It’s a concern that you have a number of options in the marketplace as to how you manage it. You know, one of the other concerns that people have that is similar to this is, well, what happens if LastPass goes out of business?
[00:30:13] W. Curtis Preston: right.
[00:30:14] Chris Hayner: That those passwords can be as secure as they want, but if they go out of business and all of a sudden I can’t use them anymore, then I might be 500 passwords into a big problem.
Uh, and this is an argument that is often made in support of self-hosting your own solution. So a lot of the ones that we’ve been talking about live in the cloud, they’re a service, you log into a website, username password, the whole nine. You can do all this stuff for yourself for $0. If you’d like, or you can even have it’s the best.
It’s the best price out there. Isn’t it. $0. I’ll take 10.
[00:30:51] W. Curtis Preston: Yeah. I, I, I think, again, this, this falls into the category of, I mean, if Dashlane, I’ll just say Dashlane, if Dashlane started going out of business, we would get some kind of notification. It wouldn’t be like, okay, boom, Dashlane is outta
[00:31:06] Prasanna Malaiyandi: I don’t know though, I Curtis, but how many times have we talked to companies though that have basically been like, something happened to my environment and the next day the business is gone. Right? So
[00:31:18] W. Curtis Preston: Yeah. Okay. It’s a possibility. I just don’t think it’s a,
[00:31:21] Prasanna Malaiyandi: on Mr. Backup saying that that’s not an issue, not a concern.
[00:31:26] W. Curtis Preston: It’s not a concern for me outside. I mean, I’m because basically if, if, if Dashlane, if they, if there was any hint of financial instability, boom, I’m making a, I’m making a, an export real quick. Right.
[00:31:42] Chris Hayner: Yeah. And.
[00:31:42] W. Curtis Preston: can then import that to another.
[00:31:44] Chris Hayner: And that’s exactly what you can do for yourself is periodically take an export, encrypt that export, keep it someplace safe. Um, and that
[00:31:55] W. Curtis Preston: drive.
[00:31:58] Chris Hayner: well, if you encrypt it, then we’ll agree now. Another way that companies are solving that along the lines of the enterprise level type of tools.
Uh, one that comes to mind is Keeper, which has actually been around for a while, but they’ve only started making waves over the last year or two in the enterprise space. They have an option where you can enable local-only password management, which effectively means yes, they have a copy of it up in the cloud and you can update and refresh whenever you want to, but you can say I’m gonna be offline for a week.
I want my password manager to still work and it will still work. So the service is kind of neat in that way, where you can download onto your machine, have it actively running and functioning. And if their website or their business went out of business, you would still be okay.
[00:32:47] Prasanna Malaiyandi: Yeah. Yeah.
[00:32:48] Chris Hayner: So that’s, that’s a Keeper thing that not every single provider has.
And again, we’re talking about enterprise space with some of this stuff, but it’s an interesting solution.
[00:32:58] W. Curtis Preston: Yeah, it is. So I want to hear, I want to hear about what you do Prasanna.
[00:33:03] Prasanna Malaiyandi: What do I do? So, so I use KeePass, which is a free open source tool as
[00:33:09] W. Curtis Preston: Mm-hmm
[00:33:09] Prasanna Malaiyandi: for a password manager. And I create passwords on my desktop. Um, I don’t do browser integrations. Call me old school. I still copy and paste it from KeePass. Yep. Right. Um, and then that’s how I use it on my laptop. And then what I do is I actually have a mobile version of KeePass installed on my phone and I manually sync the password file back and forth from my desktop.
So my desktop is always the primary copy and I never make changes on my mobile phone for my.
[00:33:46] W. Curtis Preston: Do you have, you have a backup of that?
[00:33:48] Prasanna Malaiyandi: Yes, I do have a backup.
[00:33:50] W. Curtis Preston: okay.
[00:33:50] Prasanna Malaiyandi: Yep. I do
[00:33:51] Chris Hayner: He actually, he hosts it on his S3 bucket.
[00:33:53] Prasanna Malaiyandi: Yeah. Yeah. It’s wide open for everyone, but because there’s a master password,
[00:33:58] W. Curtis Preston: Yeah. Yeah. Um,
[00:34:02] Prasanna Malaiyandi: like you said, I don’t make changes on my phone. Right. So I don’t have to worry about the syncing problem. Going back to it. And so it’s always just any changes happen on the laptop and then periodically pushed to the phone.
And on the phone side, they’ve done great things like now it integrates with like Apple’s password managers or features. So you can go to a website, you can say, Hey, by the way, there’s username, password, click the password. As it automatically loads the password from the mobile side as well.
[00:34:29] W. Curtis Preston: Yeah. I mean, that sounds interesting for me. I, you know, I, I, I think, I think I’ve gotten used to the features and functionality that I get, you know, on Dashlane too much to, I mean, when you start talking about copying and pasting, when I have to copy and paste a password, I get pissed off. Right. It’s just way too much, way too much effort.
Um, the, uh, I love, I mean, what happens to me is that. Dashlane the way Dashlane now works. Is it only, it, it, on the desktop, it only runs in the browser, right? So you, you have to, when you log in, uh, a new time, like right now, I’m looking up and I can see that Dashlane is deactivated at the moment. It’s a little, the little D is orange instead of green.
So I know if I went to a website right now to log in. I would have to go log into Dashlane first, but as soon as I come back to the website, my password’s already there. It’s already auto filled and I just have to click submit. It’s just, I don’t
[00:35:26] Prasanna Malaiyandi: no. And I think that’s a big thing that these password managers help with is you don’t want, especially in security, right? You don’t want things to be cumbersome in order for people to be. You want to be as seamless as possible, looking at Dashlane and all these other services. I think that’s one of the biggest values they add, right.
Is the fact that yes, it is very simple to still get access to your websites or whatever else it is while being secure.
[00:35:52] W. Curtis Preston: Yeah. And, and in the case, I, again, I want to hear about LastPass, but I know in the case of Dash, so Dashlane has gotten where it was really rinky-dink was on the phone. When I first got Dashlane. Dashlane was at best a thing I could copy and paste passwords into, into a website on the phone. Right now it’s really integrated with the, with the website.
Generally speaking again, as long as I’m on, you know, a supported browser on there, it, it just automatically fills in the password, you know, the username and password, and it also integrates with, um, Face ID. If I wanted to, you can turn that feature on and off. So all I have to do is look at, literally look at the website and then just magic happens.
Right. Um, I do have to click the, there’s a, the word password
[00:36:38] Prasanna Malaiyandi: That’s the same thing. I. Yep.
[00:36:40] W. Curtis Preston: Yeah, yeah. I have to click password. Um, but, but then it, but then it, uh, it, it either makes me log in with my password or use Face ID to, to integrate with that. Right. Um, and I, uh, I also recently found out that and I, and I was happy about this is that it, it, it now supports password history.
Right. So, um, because again, that, by the way that customer, that the Druva story that I told we were actually able to get him logged in because his password manager had password history. So he logged in, he was able to, um, I forget exactly how, how it worked, but he was able to use that password history feature to be able to log in.
Um, but, um, the, yeah, I love the password history feature. I love the, you know, the fact that I can use it to also, it, I don’t use this much, but it has the ability to automatically reset passwords on a lot of popular websites. So you can just go into Dashlane and just say reset my Facebook password. And it just does it cuz that’s the other thing. Changing your password on a regular website is, is way too much pain. Right. Um, and so automating that I think is, I think is good. What about LastPass? Like how did you end up, you know, at LastPass, cuz you’ve had it for a while now as well.
[00:38:04] Chris Hayner: yeah, I’ve had it for a while and I ended up going with them. They were the first password manager that I actually paid. Um, and I ended up going with them for the very reasonable logical and well thought out reason that I had a coupon. Um, and I found myself in the same situation that, that you just described, which is I am now used to last pass.
I am used to its quirks and eccentricities. I know how to do what I need to do with it with a minimum of fuss.
[00:38:34] W. Curtis Preston: right.
[00:38:34] Chris Hayner: So I’ve had it for the, the past five years, uh, on regular price. So they got their value out of that coupon, I’ll say. And overall, I feel like it’s solid. Um, I don’t think that its mobile presence is great.
I think it’s fine. Uh, I also think that doing things on the phone is super complicated. Um, I’ve never reliably had it work in terms of auto-filling the password on the. Sometimes it works. Sometimes it doesn’t depends on the, the page. It depends on the time. It depends on the, the cycle of the moon.
[00:39:08] W. Curtis Preston: Well, well, I have to say Dashlane’s pretty, pretty good there. Um, it works. I’m gonna say about 80, 80% of the time. And when it doesn’t work, it’s the website. It’s not
[00:39:17] Chris Hayner: Right? Yeah. And I. I think that speaks to Dashlane’s goals as a company. Um, they actually, a few days ago, I wanna say their CTO did an interview, an AMA on Reddit, uh, which was quite good. And basically what he was saying and talking about was like touting all these new advancements. And it really feels to me like they’re going hard after the consumer level market.
And what that means is getting away from some of the enterprise features like, you know, the password sharing or, or the running offline things that a regular user is not gonna necessarily be that concerned about. And in favor of let’s build an absolutely rock solid cellphone service.
[00:40:00] W. Curtis Preston: right.
[00:40:01] Chris Hayner: Other companies are just like, listen, we’ve got 750 features.
I mean, we’re working on that one, but we got all these other ones too. And that was one of the things that he said in this interview is they discontinued the application that it gets installed on the desktop tactically. They said, there’s too many products. We have to focus on what customers want and need.
And this is not one of them.
[00:40:21] Prasanna Malaiyandi: Yeah. And if you think about it, a lot of people these days, they like, I don’t know about you guys, but I use my mobile phone probably 80% of the time. Like I’m rarely ever on my laptop. And it’s just like how I do things these days. Cuz it’s always on me.
[00:40:34] W. Curtis Preston: Yeah. Yeah, absolutely. Uh, my only criticism and again, it is something I’m they’ll probably add is they don’t yet have MFA as part of their things that they manage. I know some other password managers will manage both your password and your MFA token. Um, so I use, I use Authy for that.
[00:40:55] Chris Hayner: Yeah, that you might wanna check, uh, check your terms and conditions that might have actually changed this week. He specifically talked about the 2FA options that can be built into Dashlane if you want to use them.
[00:41:07] W. Curtis Preston: Okay. All right. I will do that, Chris.
[00:41:12] Chris Hayner: Um, and actually, incidentally, I’m curious what, what you both think about using a multifactor authentication from a password management company.
[00:41:21] W. Curtis Preston: Whether or not that that violates sort of the, the
[00:41:25] Chris Hayner: separation of, yeah.
[00:41:26] W. Curtis Preston: Yeah. I I’ve gone back and forth on that. I, I, I, I, I’ve gone back and forth on that. Let’s just say I, I, I was considering changing it because of that. And then I had the same thought that you did of like, you know, maybe I shouldn’t, I don’t know.
[00:41:41] Prasanna Malaiyandi: I, I think the, I think the one thing to consider is like with the MFA, I would say a password manager is probably better than SMS based, two factor authentication,
[00:41:52] Chris Hayner: Right.
[00:41:53] W. Curtis Preston: Yeah.
[00:41:53] Prasanna Malaiyandi: and some of the other forms of two factor authentication, is it as good as a standalone app? Probably not, but in order to make it seamless and easy for the user, I think that trade off may be acceptable, especially for the consumer side.
[00:42:10] Chris Hayner: I think that’s the correct answer. And it kind of also goes along with the theme that we’ve been having here, which is there’s multiple levels of security. It’s up to you to determine how much is right for your use case. As long as the answer is not no security. We’re in a much better place.
[00:42:30] W. Curtis Preston: Yeah. I, I, I think now that I’m thinking back, and, and again, we, we should just investigate this. Well, we’ll see what, we’ll see what they’ve done. Like I would still want. Like if it’s not, if I don’t still have to reach for my phone, that’s not really MFA. Right. If I don’t have to reach for a second device, something that I own, if it’s just the password manager’s gonna manage my MFA, that’s not really MFA. Right. Um,
[00:42:54] Prasanna Malaiyandi: But, but what if it’s your password manager plus using your Face ID on your
[00:43:00] W. Curtis Preston: no, I’m, as long as I have to reach for my phone, that’s what I’m saying. As long as I have to have my phone on my.
[00:43:06] Prasanna Malaiyandi: but so say you’re logging in from your phone into a website.
[00:43:10] W. Curtis Preston: That’s I’m fine with that. That’s I’m, I’m fine with that. What I’m saying is, is when I’m on a browser and then if the browser version of Dashlane will manage both my password and my MFA token, that’s everything all in one place. And that could potentially be cuz then if somebody’s got my master password, then they’re in, there’s no multi.
[00:43:30] Prasanna Malaiyandi: Specifically about that Curtis, about the browser. I think one thing you could do, and I think I know Okta does this, is even on your laptop. Uh, if you use Okta and you log in, it has the ability to ask for your Touch ID to verify that that is you. So it’s not that it’s automatic, right?
It’s just, you don’t need to
[00:43:49] W. Curtis Preston: Oh. Oh, okay. I see what you’re
[00:43:51] Prasanna Malaiyandi: push a button or something else. It’s still using another factor. It’s just
[00:43:54] W. Curtis Preston: something that I own could be my finger.
[00:43:58] Prasanna Malaiyandi: Exactly.
[00:43:59] W. Curtis Preston: All right, Chris. Well, Hey, you know, this, this was, this was like three guys in the same choir, all singing the same song. Right? We were all We
[00:44:07] Chris Hayner: I was thinking about that.
[00:44:08] W. Curtis Preston: same page there. Uh,
[00:44:10] Chris Hayner: The title of the episode could probably just be, yes, I.
[00:44:14] W. Curtis Preston: Yes. Yes. I agree. What is interesting is that we’ve chosen three approaches, right? I’ve got Dashlane. You’ve got LastPass and he’s got, what is it? KeePass?
KeePass. Yeah. Which is a self-hosted, uh, thing. Um, but just do it, man. Like, I, I don’t know. It it’s so, and the thing I think it’s like, it’s like, I, I, I’m gonna liken it to virtualization again. And that is like, like you don’t get virtualization, try it right. Once you’ve tried what it’s like to, to be virtual, then you’re like, why did I ever use har you know, uh, raw metal, right?
Or bare metal once you’ve seen what it’s like to log into websites via a password manager. You’re like, how did I ever not do this? Right. I,
[00:45:03] Prasanna Malaiyandi: Yeah.
[00:45:04] W. Curtis Preston: it is just so much easier and so much more secure, uh, than, than anything that you’re gonna do on yourself. Um, whether you cell phone, I’m not counting you, you know, I’m saying, you know what I mean?
Like, like, like anything else, like spreadsheet or a normal person doing it by themselves. So.
[00:45:22] Chris Hayner: Right. Yeah. What I often tell people is if you’re skeptical, just do it for one or two websites,
[00:45:28] W. Curtis Preston: Yeah,
[00:45:28] Chris Hayner: because then if you don’t like it, no harm, no foul. You uninstall and you move on. But just see what it’s like, do something, you know, do something like cover your Facebook or go with something more secure, cover your banking account.
You know, you probably have a vested interest in keeping that password as complex as possible.
[00:45:47] W. Curtis Preston: right.
[00:45:48] Chris Hayner: Feels like a great place to, to practice.
[00:45:51] W. Curtis Preston: Yeah. Agreed. And, and I know, I don’t know. Um, I know Dashlane again, I haven’t checked in a while, but Dashlane, it used to be free as long as you only did it on one device. Um, that was, that was their, that was their free version,
[00:46:04] Chris Hayner: They also lock you down to 50 passwords at the moment,
[00:46:08] W. Curtis Preston: oh, okay.
[00:46:08] Chris Hayner: which, you know, like I said, they’re going to, uh, pretty much an all pay unless you host your own. Uh, you’re gonna end up paying something yearly. But for right now, Dashlane’s got their monthly, uh, special 29.99 for the whole year unlimited access to all of their features.
[00:46:26] W. Curtis Preston: right.
[00:46:27] Chris Hayner: you know, to, to use a very, uh, tortured metaphor. It’s like five cups of coffee.
[00:46:34] Prasanna Malaiyandi: Yeah. It’s like, what is your security worth?
[00:46:37] Chris Hayner: Yeah.
[00:46:37] W. Curtis Preston: up coffee though, Chris, so, you know, um, anyway, well, thanks Chris so much for, uh, for coming on
[00:46:44] Chris Hayner: Yeah. It’s been a pleasure.
[00:46:46] W. Curtis Preston: and thanks Prasanna for, for film. I, you know, I’ve never actually really asked you what the, what you were doing. So I’m glad to, I’m glad to finally hear
[00:46:54] Prasanna Malaiyandi: no, I, yeah, I don’t talk about it a lot, but yeah, no, I know. You’re I know you like to talk about your password manager a lot, but
[00:47:02] W. Curtis Preston: You want a little bit of security by obscurity.
[00:47:04] Prasanna Malaiyandi: yeah, exactly.
[00:47:06] W. Curtis Preston: right. Well, Hey folks, get a password manager. Will ya? And thanks for listening. And remember to subscribe so that you can restore it all.