Don't be like LastPass

there are lessons we can all learn from what happened to

last pass and their customers.

It's a complicated story.

We do our best to boil it down to the essentials and to the lessons that we

can learn from what happened to them.

Hope you enjoy the episode.

hi, and welcome to Backup Central's Restore All podcast.

I'm your host, w Curtis Preston, aka Mr.

Backup.

And I have with me, uh, a guy who I think is gonna be.

, very excited as he lives vicariously through me over the next few months.

my, my electronic enthusiast Prasanna Malaiyandi how's it going?

Prasanna,

I'm good, I'm always willing to spend other people's money, so

or getting people to spend

say that.

This is like your, your exciting part of watching other people

sort of work through their.

spend their money.

And it's what makes you happy, right?

So it's like you're starting a project.

No.

Well, you're starting a project for enjoyment, right?

I think everything, sorry.

Most things in life that you do to improve your life costs money.

So, There are some things that don't, of course, but there are some things

where you're like, yeah, I work.

I earn, I spend a lot of time working and putting in the time.

There should be certain things which I should spend money on

So I'm probably going to buy what is referred to as

an ultra short throw, um, laser tv.

And, um, well, they, so in the, in the biz, they're, they call this a laser tv.

I, I don't know why, but it is a projector, right?

It's a screen and a projector and they're like, it's a laser

TV cuz it's lasers, but whatever.

Um, but that's what everybody calls it, right?

Um, but yeah, it's not gonna be cheap.

Right, because I want a ginormous screen.

I'm looking at it 120 inch screen.

Um, and, uh, I am most likely going to be buying, uh, I've already looked.

I'm gonna be buying basically last year's model, what is now last year's

model, because c e s was just a few weeks ago, or actually just last

week, I've already looked at the reviews of the stuff that people.

In, in ces and I'm like, yeah, I'm not paying for that.

Right.

Um, look, looking at stuff that's like double the price of what I'm looking at.

I will say the most frustrating part in terms of like looking at reviews

and stuff, um, has been the soundbar part, um, is the different levels of

it's, it's, Like with, with, with the projector, there is hands down, a winner.

Everybody agrees.

Bang for the buck.

It's this four movie theater.

That's the, the name of it.

It's actually like a, I think it's actually We Max that makes it, but

they've branded it for the US market.

The brand is four movie.

, that's the name of the brand and the name of the thing I'm buying is theater.

The four movie theater.

It's a little hokey, but everyone agrees.

It li like it, it, it literally universally, everyone agrees.

So that's the easy part.

They also generally agree on the screen.

Um, you know, a, um, a, what do they call, an ambient light rejecting screen

that is designed for u s t projectors.

Um, but when we get into the soundbar part, um, first

off, they cost way too much.

Second,

It's all relative, Curtis.

it's so, it is so relative, right?

And you watch these different reviews, you're like, okay, I think, I think

I've, I think I've zoomed in on it.

And then you read, and then you watch a couple of other reviews and

they're like, oh, this one's crap.

This one's, yeah, well, it's good, but it sounds a little tweety.

It sounds a little, you know, this and that.

so

it's not, it's speakers, it's surround speakers

are not nearly as good as the Samsung nine 90 T Biggie r.

You're like, all right, lemme go check that one out.

And then you, you know, and, um,

How far down the rabbit hole did you end up

I.

Well, I, well, I know this.

I don't want to buy the thing that I saw the guy review.

Well, actually, let me rephrase that.

I do want to buy the thing that I saw the guy review from c e

s, which is the what, what's the

the, the Nachi Nachi Dragon.

nakai?

The nachi dragon that he basically said it's the greatest

sound system he is ever seen.

Uh, but it's $3,500, which I.

Basically about two x of what I think I'll probably be spending.

Um, uh, I think I've ended up with the Samsung so far mentally where I'm at

as the Samsung H W Q nine 90 B, which

Is that the one I told you?

system.

Is it really the one you told me when I started?

I think it was.

Yeah, that's interesting.

We've, we've talked about this enough already.

Uh, I want to go to something that is, that is

this is more fun.

to me.

Yeah, it is, it is more fun.

It is more fun to talk about.

But we're here today to talk about.

Password manager.

You know, we, we've, we've spoken about password managers, pr, what

do we think of Password managers?

They are awesome.

Everyone should use a password manager.

everyone should use a password manager.

You should either use a commercial one, like the one I happen to have.

I happen to have, uh, dash lane, not sponsored.

You have like an open source

Yeah, I use Key Pass.

Yep.

I use Key

Yeah.

Key

pass.

Yeah.

In fact, didn't we do an episode where we talked

We did, we did an episode where we

talked about these different

With, yeah, with Chris Haner.

Why you need a password manager?

Episode 1 68.

Yeah.

Yeah.

So we're huge fans of password managers and last pass, uh, generally

ha, you know, has a good design.

Um, having said that, I think they made some, some really big mistakes.

Given the number of companies that have been hacked, will be hacked,

especially when we, when we start looking at ransomware, I don't

think that a company should be dinged just because they got hacked.

Yep.

Yep.

do you, do you agree with that?

I a hundred percent agree.

It's there.

It's so hard to stay on top of everything, especially given a service you operate.

And so there will be zero day exploits and other things that you can't plan for.

Right.

And they happen and it's just how quickly can you jump on top

when something like that happens?

Right.

So we shouldn't ding 'em just because they may be hacked.

Right.

Having

But but I sets a

can d we can ding companies for why they got hacked, right?

If you got hacked, right, if your identity got stolen because

you painted your social security number on the front of your house,

Yeah.

an idiot,

Or you create an S3 bucket that you left public.

if you do something like that, Then, you know, we're just,

we're just gonna make fun of you, right?

We're just gonna bring you on.

And this is one of those things, you know, the, the, I, I was looking

at the Wired article about this, and their headline was basically, I

mean, here's some headlines, right?

So, uh, from Mashable Last Pass reveals just how bad that August breach was.

It was bad.

Um, The, the wired article basically said, it's time to dump this password manager.

And that's a strong statement, but I have to say, based on the things

that we're gonna talk about in this episode, uh, again, I, I was already a

customer of another, of another company, but it seriously draws into question.

Some of their thought processes and, and, and lack of processes.

And just for people who aren't familiar, just think of like

all the passwords for all your financial institutions and everything else, right?

You're trusting the keys to the kingdom about you and everything you

have access to, to a company, right?

Everything's in a single, centralized place if something happens, if that data

is, if that company is breached and the data is stolen, right, there's all your

passwords for everything that's out there.

I'll just put this right.

I'll just put this right now.

If you're a LastPass customer and your, and the length of your password isn't

good enough, they your, your data's gone.

. Right?

And you need to go and change all meaning that your data has now been, it, it,

it, it should, you should be assumed.

Cuz that's basically what they told their customers.

They basically said, you know, if you've got, um, you know, uh, a password that's

that's not of, of a certain length, then um, it's gonna be, you know, it's

gonna be easily g where, where are

Or, or, or

Prasanna, in terms.

of the,

of the, um, yeah.

What's, what's the recommended minimum password length these days?

I don't know.

I am actually not sure.

I always just figure out like if I'm creating a password, whatever

the max password is on a website, and I just use that, right?

So for me it always varies, right?

I always just err on the side of whatever's the largest.

Here's the one I was looking for.

There's a chart.

Here it is.

Yeah, this is it.

Okay.

Number of characters, assuming that you're using upper and

lowercase and a number, right?

Mm-hmm.

Uh, I mean, I, I can, can we agree that we should not have any

thing measured in months or . So basically the question is, if you have numbers,

upper and lowercase nu letters, how long will it take modern, um, computers to

do a brute force guess of your password?

And today, if you're a 10 character password, it's seven months.

If you're an eight character password, it's one hour.

right?

If you have an eight character password with numbers, upper and lower case, by

the way, if you add symbols to that, it goes from one hour to eight hours.

So an eight character password with all of the stuff that you're

supposed to have in it is guessable in eight hours with modern technology.

So I, I would, I like numbers like.

2000 years, a hundred thousand years, right?

Um, and that those start appearing around 13 characters, right?

Um, according to this, an 18 character password, um, , I like this.

An 18 character password with numbers, upper and lowercase and symbols is

seven quadrillion years to guess.

So, what I've been doing is I've set my password length to 20 in

dash lane and, uh, and obviously I have to rein that back occasionally

when I get to a stupid website.

Yeah.

Um, yeah, so basically if you, if, if your password,

I'm gonna say if your password is under 10 characters, then you need to.

Changing all your passwords now, if you're a last port, if you're a

last pass customers, now we should, we need to talk about why, but I

just wanna scare the crap out of

you

I thought there was, I thought there was also another

thing that they had mentioned of, maybe we'll talk about this later, maybe

not, that they had used a different crypto algorithm in the beginning.

So if you have really old passwords, it would

Oh, that's right.

standard than newer passwords.

So even if you have 24 characters or whatever else, if it's a password that

was, I don't know what the timeframe was for that password or when they did

that switch, but if you have an old password, you should probably change it.

So let's talk about what, where this started at.

Um, and that

in the day,

hack, right?

Um, so there,

But ju, do you wanna actually talk about

it before the August hack?

what, what do you mean?

Because are you gonna talk specifically about last

pass breach that happened in August?

Or do you also want to talk about, because before the last pass breach,

right, there was the Twilio breach

Twi Twilio breach right there.

Well, there was Twilio, but you know, as, as, as far as I can tell, what

it was was it was the same threat actor that did a bunch of similar

attacks that they attacked Twilio.

Which that didn't mean anything to me, cuz to me that was like

some, uh, project management stuff.

And that's when I found out that Twilio owned Athie, guess who uses Athie?

Hello?

But basically what they did, uh, as far as I can see is they,

they used stolen credentials.

They got into the network, they were able to bad bypass MFA in

some way, and they were able to spend some time in the network.

And, uh, last pass.

The only credit I'm going to give to last pass is that they were

upfront about what happened, right?

So they were, but they weren't.

So they said that they, they had, they had able, they'd been

able to steal some source code.

Yep.

And at first that's very concerning because the source code

could include source code of, of the, the product itself and somehow figure out

Like exploits and weakness.

Right?

But the source code that we now know what, again, this is all at everything

I'm saying in this podcast is it appears, what it looks like they did was they

stole the source code of a script.

that was being used for backup.

Which, uh, what do you think?

I think Prasanna about a company that's a 200 million company

that's doing backups with a script.

And what was in this script?

Mind you, what was in the script?

Credentials.

So hard coded credentials.

So what do you think?

Yeah, so, so the, so a, they shouldn't have been doing that.

That's ridiculous.

But I will give them credit for one aspect.

Right.

I know a lot of times, and maybe you should throw out

our disclaimer here, right?

But I know a lot of times we talk about, um, actually, why

don't you do the disclaimer.

All right.

So, uh, Prasanna and I work for different companies.

This is not, uh, an official podcast of either company.

He works for Zoom, I work for Druva.

And we're just a couple of dudes, gibber Javen about our opinions about stuff.

And these do not necessarily reflect the opinions of our respective employers.

And, uh, if you wanna join the conversation, this one or any other

conversation, you feel free to reach out.

W Curtis Preston gmail or WC Preston on Twitter.

And, uh, I, I might get a, I might get a new Twitter name.

I hear they're, they're auctioning them off.

I

might, you know, a couple, couple million dollars and I'll,

I'll buy a Twitter name, but,

Elon Musk,

I don't think that one's available.

Um, the, uh,

So, so,

sure to rate us and subscribe and all that stuff.

Yeah.

So go ahead.

So going back, so.

I hundred percent agree with you that they should never, like, no one should

be hard coding credentials into a script.

That is ridiculous.

However,

one, no one should be

a 200 million company should not be doing shell scripts

Yes.

Well, let me, let me get to

Okay.

Sorry, I interrupted you.

yeah.

So yes, there are cases where you want to use automated tools or, uh, a

service out there or a backup product to actually do it properly because

no one wants to focus on backups.

Everyone's gonna do a poor job if they build it themselves because it

never gets a focus on the business.

A hundred percent agree.

However, I will say that there might be certain cases, right?

I don't know what their infrastructure looks like, right?

There might be cases where there is no standalone tool that can satisfy the

needs of what they have right there.

Maybe it's a very, very small percentage.

Maybe they never looked, but I'm just giving them the benefit of the

doubt and saying maybe it didn't work for their environment, and therefore

someone went and wrote a shell script.

That's all I have

not buying that.

I'm not buying that be because the, the problem, the, the, the,

the area, like I can see that of like maybe they're using Neo 4k and

nobody has a tool to back up Neo 4k.

And so they've got a shell script to back up NEO 4k.

I'll give them that, but that's not where, where the, where the,

where the problem was apparently in actually when it copied to the cloud.

There's a thousand companies, uh, that if you're running, they're most likely

running Linux or something right.

Somewhere.

uh, oury.net.

Remember we had

There, there's a bunch of companies and stuff that could

do this without hard coding your stuff.

So ba So I think, I think it's bad that a 200 million company

was using a shell script.

It's super bad that they were using, um, hard coded credentials

in that script . And then, um, and

Prasanna Malaiyandi:

You know what's funny?

Prasanna Malaiyandi:

You know what's funny?

Prasanna Malaiyandi:

Wait.

Prasanna Malaiyandi:

But before you get to that, they're a password manager company That is

Prasanna Malaiyandi:

hard coding passwords, , you know?

Prasanna Malaiyandi:

Isn't that a little ironic?

That unlike most of the things in the song, isn't

it ironic, uh, is actually ironic.

That is very ironic, right?

Um, a password management company that didn't.

. Yeah.

That's not, that's not good.

Yeah.

And by the way, what ended up happening is why you don't hardcode passwords

in, uh, and, and, and they use the word token somewhere, you know, it's slightly

different than a password, but whatever.

It's a password.

What happened was we go back to the August breach.

What it, what it looks like happened is they crawled the network.

They were able to grab some source code.

Remember that source code included the script.

The script happened to have credentials to log into the cloud

service where they copy their backups.

Oh.

And so guess what?

They, that's what happened is they lo it's the, the, the hackers logged into the

cloud service that they use for backups and they exfiltrated the data, right?

what was in these backups,

W. Curtis Preston:

Well, nothing important.

W. Curtis Preston:

Really lucky Prasanna.

W. Curtis Preston:

Luckily, it was nothing important.

W. Curtis Preston:

It was just everything it was.

W. Curtis Preston:

It was the customer database, meaning like who are they?

W. Curtis Preston:

Where do they live?

W. Curtis Preston:

You know, how do they pay?

W. Curtis Preston:

What address they live in, all that kind of stuff.

W. Curtis Preston:

But it was also the actual vault, the actual, the crown jewels,

W. Curtis Preston:

the usernames and passwords.

W. Curtis Preston:

Now they are saying that with some caveats that we already talked about a little bit.

W. Curtis Preston:

They are saying that they, um, that they're there.

W. Curtis Preston:

That is, that that part is encrypted.

W. Curtis Preston:

Right?

W. Curtis Preston:

So the, the chance is that someone, Would be able to steal your password, your

W. Curtis Preston:

username and password by decrypting your, because the, the, the encryption algorithm

W. Curtis Preston:

is, it's a hashing mechanism that uses your password as part of the key.

W. Curtis Preston:

Right?

W. Curtis Preston:

Uh, it's,

Like

I don't know if it's Yeah.

Like the master password.

Right.

Um, and, um, And so in order to decrypt it, someone would have

to guess your master password.

The, um, and that's why we're going back to the beginning.

The question is, how big is your master password?

And also, apparently in the instructions that they sent to customers.

Again, I'm gonna, I'm gonna give th this is the only nice thing I'm gonna say.

At least they were open with their customers as to.

Uh, how things went, right.

Very different, for example, than the, uh, Rackspace hack, right?

The Rackspace hack.

They, they have said very little, even though they've concluded their

investigation, they've said very little, uh, and they've said some things that

I don't think they can back up, whereas last pass really laid it out there.

they're like, here's what happened.

Here's where they got in, they got in, here's what they have.

And by the way, if you, if you got a, if your, if your master password is the

size or if you've done stuff, you know, a certain timeframe, if you, if you are a

last pass customer and you haven't taken a look at that, uh, you really should

, you really should look at that message.

clarification question, Curtis, is did they say that

both the username and the password were encrypted in the vault, or was it just.

So yeah, the username, the, um, uh, what there,

the only thing I remember that was not encrypted in the vault was the URL

that that particular password is for.

Um, so, so which, which, again, this is, this is why I was like,

it is just a number of things where it calls into question.

The, the decisions of the company.

Why, why

leave that one field?

Yeah.

Um, I think we have some theories, right?

We have some, because they wanted it unencrypted.

I think it there they had a reason, right?

We can theorize it doesn't really matter, but I think the reason, the only reason

to leave a field like that unencrypted is you had, you had use of that field,

Yep.

It would be interesting to look at their privacy policy.

It would be an interesting to look

at their privacy policy.

I bet a lot of people are looking at their privacy policy.

If I was a last pass customer, I don't know what I'd be thinking right now.

So here's, I have two questions for you actually.

One comment.

One question.

So the comment is, like you mentioned earlier, I think we should at

least not congratulate last pass, but at least say that they've

done a good job being transparent.

Right?

We've seen so many other breaches

where no information has come out, right?

So I know we're harping on them right now, right?

And giving them a bad time.

But it's not because of what they've done after the breach.

It's what happened before the breach.

I think that's what we're concerned about on this.

Yeah.

And, and by the way, I, I need to go back to an earlier thought that

I, it came to me and it, it left.

And, you know, you know, that happens sometimes.

The problem with a hard coded, uh, you know, credential like

that is exactly what happened.

That someone who wasn't supposed to see the code will see the

code and will then use that.

do something bad, right?

To access stuff they're not supposed to access.

And, um, that's exactly what happened here.

Which again, I'm gonna go back to another, I don't think it was a decision, but

when you get hacked, like they got hacked and you know that a threat actor was

roaming around in your, in your computing environment for a few days, undetected.

What should be, what should you do next?

What should you do?

Immediately

Well, a, you should probably take

beside, we already talked about notification.

Yeah.

Take everything down.

Look around.

yeah.

Take everything down, look around, rotate all your passwords,

There you

go.

That's, that's what I was reaching

for.

But, but the problem is when you've just got a hard-coded thing sitting in a shell,

, you're not necessarily gonna think about

Well, and I, that's the thing is if they had known it was

hard coded, like if they had tools to scan and look for passwords, right.

They would never have let that happen.

It looks like it slipped under the cracks.

Right.

And someone hard coded it just to get it out the door and

no one went back and fixed.

And this goes to a point you were bringing up earlier.

At this point, right?

If you can't focus on your backups and make it better, you're probably better

off finding an automated tool or a product to fill that gap because they care about

these things and they will make sure that you are doing things in the right way.

Right?

And so you're less likely to end up with these issues.

Yeah.

And, and, and I know that not every company.

I mean, let's go back.

Go back to, go back to 30 years ago, right?

Uh, we are coming up like any day now.

It's gonna be 30 years for me in the IT industry.

And I was using Shell, I was at a 35 billion company and

I was using shell scripts.

I was, I was running dump, of course, back then, the idea of commercial backup tools.

So much a thing.

Arcserve Arc Serve was about the only one.

. It was Arcserve and there was Bud Tool.

I don't know if you've been around long enough to

I've heard about Bud Tool.

I never used it, but yet

and Alexandria.

That was which, which, which, you know who owns, you know who owned that.

Hm.

They've been on the podcast.

Do you know who's owned that spec?

Spectra Logic owned Alexandria back in the day, they decided

to sort of focus on hardware.

I'm, I'm not saying that these things don't happen, but I will say that.

You know, that was a different time.

And basically, and even then I knew not to hardcode, username and passwords,

but the way the way backups worked back then was everything ran as root.

Right?

You, you created a script as root you Hadron that ran things as root.

and then because it ran its root and because you had R s H enabled

Yep.

we didn't, we didn't have

could do anything and

had RSSH enabled.

Rssh enabled without a password.

So from, from a central, right.

As long as you were root, you're root here, you're root over there.

That was, you know, back in the day, um, we had a script that would go

around and do our dumps and things like

that.

Um, and, um, We also had an RFS mounted tape drive.

I think we brought, I, I

Prasanna Malaiyandi:

well, you talked about us.

Prasanna Malaiyandi:

Yeah.

Prasanna Malaiyandi:

Yep,

yeah.

RFS was remote file service, like predecessor to nfs, and,

but you could mount a tape drive.

It was kind of cool anyway, clearly it wasn't that cool

because it didn't , it didn't last,

but,

Yeah.

Yeah, so I, I understand you're a small

company, um, and, and you can't get any budget for backups.

I, I understand.

I, I just, I would like to think that if that's where you work, if, if

you can't get any money for backups, I think that you should take a

stance, and I think that you should say, we need a commercial backup.

Right.

Um, I, I do th I and I do strongly believe in, in a SaaS based tool.

Not because I work for Druva, but because I've been that way for a long time.

Right.

The idea of.

Having somebody who's focused on it and does nothing but that

and you have a complete service.

Um, you know, and the cloud is a beautiful thing for that.

We have so much bandwidth these days that, you know, deduplication has enabled this.

I mean, it's just been so many things that have been, that have made cloud a

cloud SaaS backup service like my, my employer, happens to offer, um, for me.

It, it, it is the best backup option for most companies.

There's caveats, right?

Uh, most of the companies like mine, there's not a lot of them,

but they don't tend to do like the older Unix platforms, right?

Um, they don't tend to do as many database products.

They tend to focus on virtualization and the.

. Right.

Uh, and I'll, I'll say something that I say often is, if you've got 10

petabytes of data and a T1 line, Hmm.

That ain't gonna work.

Right.

, you need some

but I'm guessing, just given last pass, right, they probably

like how they've scaled out, right?

The number of users on their platform.

Right.

They're probably familiar with a lot of these sort of challenges anyway.

Right.

It's just they sort of stopped at, and so I'm even wondering like,

they focused on production, right?

Making sure everything was up and was good to go there.

They probably have some form of high availability and

disaster recovery, hopefully.

Right?

But who knows?

And then it's just sort of, some people, like you said, forget about that arc or

the backup side of things and recovery.

And then I even wonder if there probably don't even consider anything

around archive either, right?

If I just think about the life.

Yeah.

I, I, I, um, I just think it's a matter of not prioritizing backup,

which I is a, is a historical problem.

Yeah,

and I guess I'm just saying, I'm speaking to the, I'm

speaking to the person that understands the value of backup and recovery, and

that is our target listener, right?

Our target audience is somebody who understands the value

of, of, of backup, right?

So I'm saying if you're at a company that doesn't understand the value of backup,

I think it's time to, to make a stand.

Yep.

Get it in writing that you recommend they do something else.

and I think because typically it's an IT function, right?

Who worries about backup, but this is where I think you go get champions

who can help support your cause, like people in security because it's

relevant for security folks as well.

Or if you look at legal and compliance or other folks in the organization, right, to

help support you and push to get things.

Yeah.

And use this story.

Right.

Use this story of what happens when you grow your own backup system and then reach

out to, you know, a number of companies.

Reach out to me.

I'll, I'll put you in touch with the right people.

Um,

It's,

don't talk opinion.

He'll just, he'll just make a meeting.

so it's interesting.

I was just thinking about this a lot of times on the engineering

side and product side, we always talk about tech debt, right?

Things I wish I could have done, but I couldn't do because I had

to get the product out the door.

So I took some shortcuts and we'll fix it later and sometimes didn't ever get fixed.

Right?

I think we haven't really talked about like the IT side of tech.

Right, which like this could be, right?

It's like, Hey, I needed to get backup done for that initial release,

for instance, just to get things out the door and it's tech debt.

I never had the chance to go back and fix it, do it right?

Because there's never enough time, there's never enough budget, right?

There's all these other priorities.

So

One of my favorite phrases, it's never time to do it.

Right.

Always time to do it over, right?

Um,

until you get to a fire drill like this,

Yeah.

So, yeah, so, so use this story.

So that's what I, I, so I, I, I tell you what, I, I, I would

have a hard time continuing to justify being a LastPass customer.

You do what you want.

Maybe they have features that you like, and maybe you feel that they've

learned their lesson, whatever.

I don't know.

Last pass, it made me, it made me think about the length and the

complexity of my dash lane password.

Um, so I got, I got, I changed it I was like, I, uh, and my wife and I

share the password manager, right?

So I had to, I had to explain my new super long password.

It's relatively simple to remember, right?

I went with the sort of the battery horse stable method rather than the XYZ nine,

Q five,

was it basically u U s t p a l r one 20 d r a g o n.

Yeah, that's exactly what it was.

Um, yes.

Um, that's what be my, my password should be four movie theater, Samsung nine 90 B.

Actually, you know, the, the, the Vizio model numbers.

So, so that was one of the things I was looking at.

The Soundbars, the VIO model numbers are all like UX 95 3 70.

Right.

And the, the people that review 'em, they're just like, what is

What is this?

You know?

Um, that could be, that could be a good password, I'm just saying.

Um, but it's not long enough.

So, yeah, so I, I so, so, so, so that's the other thing.

So I think you should.

I think you should seriously reconsider your last best situation.

I think you should also look at, take this, take this opportunity

to upgrade your backup scripts, your up your backup system.

Look at a commercial backup system uses as a justification so you

to do what you probably want been wanting to do all along.

And then finally, uh, I guess I think it'll be finally, is take

a look at your master password.

Uh, you know, look at that table, um, that says, you know, uh, cuz basically

if your password, if your password manager is, um, you know, is guessable

in something measured in weeks or months or less than that, that's not good man.

Yeah.

You know?

And I think the other thing to mention is two things, right?

We always talk about this enable two factor authentication or

mfa where you can in addition,

you.

right?

Um, and then the other thing is even if you are using a password manager, if your

password is like 10 years old, right?

You probably do want to change it at some point, even though you're using a

password manager, it's totally random.

right.

You do probably want to change it every once in a while.

I'm guilty of this.

I've actually started going through and changing passwords, but I

realize, yeah, I haven't cycled some of these in a while, even though

they're all randomly generated, but

Have I have I told you how many passwords I have?

yes, you did.

It's, it's several hundred

I thought, I thought in the podcast episode we

did with Chris I think you both had a significant number of passwords.

, let's put it like that.

Yeah, I think the only way I was able to do this,

because it doesn't list, doesn't show me in here like a number.

I had to, I had to actually export it and then, and then count the number of lines

in the file and then delete the file.

Oh, Curtis.

Um, it's a lot.

I guess what I'm saying is it would take me a month to

update all my passwords, right?

Oh, but you know, by the way, Dashlane used used to have this really cool change

your password for you feature, and it worked at a lot of the popular websites.

They, they've abandoned that feature.

They said it was too hard to, to keep it updated.

Um, and.

Yeah.

Can you think of anything else we should be talking about

regarding this last pass thing?

No.

Uh, I, I, one thing came to mind is, is if your company has

been the subject of some kind of hack of any kind, perhaps you should roam

around and look for scripts with, uh, you first change all your regular passwords.

And then roll around to see if you've got scripts with authentication crap in 'em.

Or the other thing is change your passwords and then like

if you're using aws, look at CloudWatch.

It'll log when authentication failures happen.

And now you can at least point yourself in the right direction of

being like, Hey, I didn't know that.

And I'm assuming that the other providers have something

similar.

Right.

Um, it's

Yeah.

And hopefully you do have some form, form of auditing enabled in your

systems to at least log failures

and

and by the way, that that's how uh, LastPass discovered was going on is they

had some stuff that was watching, right?

And they're like, we noticed some unusual activity in our account.

And, um, turns out somebody downloaded the backups of our stuff.

Ugh.

It's killing me, man.

Just killing me.

This is just a, just a really, uh, anyway, all right, well, um, on that

note, I hope that you're watching this on 120 inch screen If you,

if you're one of those who, if you only listen, you should check out

the, the, the, the video version we have over@backupcentral.com.

You get to see our, our beautiful faces and, and this and this.

The camera is in the wide shot.

Is my book in the wide shot?

Yeah Yeah it is.

Okay.

My book's in the wide shot.

So you can see a, the, the book is whoop.

There, there there is.

It's closer than it or than it normally is because I'm sitting in

the middle of the room because I'm, I, I thought I was gonna get baseboards

today and turns out I, I didn't.

Um, so all, everything, everything is in the middle of my.

It's, and I, and I've got like, literally, I have nowhere to move.

Like, regardless of which way I move, there's, there's something around me.

Well, hopefully you'll value back to normal soon, Curtis.

Hopefully.

Hopefully.

All right, well thanks for, uh, listening folks.

And remember, remember to subscribe so that you can restore it all.