New Research Exposes Password Manager Vulnerabilities in LastPass, Bitwarden & Dashlane

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're talking about some research that some

folks did into password managers.

A new paper out of Zurich took a look at LastPass, bit Warden and Dashlane.

And they found some pretty significant vulnerabilities

in their core architecture.

Not bad code or sloppy programming, but actually a fundamental design flaw.

I'm still a fan by the way, but you need to understand what these vulnerabilities

are, why they exist, and what you should be doing right now to protect yourself.

We also talk about, uh, pass keys and whether or not they're

actually the answer to this problem.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery ever since.

Uh, I had to tell my boss that there were no backups of the, uh, production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with

me a guy that seems to remember my podcast better than Me.

Prasanna Malaiyandi.

How's it going?

Persona.

I'm good.

This is why you keep me around, Curtis,

Well, it's literally the only reason.

There are no other reasons to, to keep you around.

Uh,

I'm like your second brain.

You know how they talk about ai, and AI is gonna be your second

brain or doppelganger and be able to replace you, your digital twin.

That's a

yeah.

Um, I would really like to see you pass as me, sir. I just want to just wanna see.

By the way, there's a bumper sticker for you.

I, I've seen that one before.

Have you seen it?

Okay.

Yes, I

Uh, it says, first of all, I'm a delight and it has a a, a possum.

so for people who may not realize, we also do video.

So if you go to

Yeah.

search for the backup wrapup, you can actually see us and

what Curtis is drinking.

Show people your mug that you got for your birthday.

Uh, it's my mug that I got from my birthday, which is I came, I

saw, I forgot what I was doing.

I went back, I got distracted.

When did I turn 60?

Yeah.

Is this my cup?

What?

What's going on?

I have to pee, by the way, uh, I'm having to read this backwards for

the, for the record on my side.

I have to read this backwards.

I'm not, I'm, I'm able to read.

I just thought that was important to, to distinguish.

Uh, so

So what are we gonna

Ana, once again, we talk a lot on this show about password

managers and I do think, you know, good, better, best, right?

We talk a lot about good, better, best, and we, we, and we, and we say that

you should have a password manager.

And then there's always the, you know, there's always

that one person in the crowd.

It's like, well, what if the bedroom manager get hacked?

You know?

And

that's what they sound like to me.

Uh, and, and, and, and I, you know, and, and with, with, with one

exception, you know what I used to say was I, I, I don't know anyone.

I know plenty of people that got hacked because they didn't have

a password manager, but I didn't know anyone who ever got hacked

because they had a password manager.

Now I know a handful of people because of what happened to

LastPass a couple of years ago.

Was that a couple of years ago?

Was that a year ago?

A couple years ago at this point.

Yeah.

Where, uh, I I, it, it had to do with backups, right?

Where they, where they, they had hard coded the password.

The, uh, you know, they had hard coded a password and that

allowed some people to get in.

And then that, that allowed them access to the encrypted vaults, which they then, um.

Did brute force attacks against, right.

Uh, and they were able to get into some, especially older vaults that

use some older encryption and stuff.

Um, and the, and so I'm still a very, even, even after the, the, the thing

that we're gonna talk about today, I'm still a strong proponent and

I know that, uh, our, our regular guest, uh, my co-author, uh, Dr.

Mike Sailor, co-author of this little book right here, learning ransomware.

Yeah.

Response and recovery.

Um, I know he also is a big fan of password managers.

Um, and as we're going to cover in this episode, the password managers

I think are the best option for the current, like to, to deal with all of

the legacy technology that we have.

Still moving forward.

I think we all agree that fido compliant pass keys are definitely the, the

current best option for the future.

Uh, for, well for now, but it does require change on your part.

And I, I think if you take nothing away from this episode.

Go do passkeys anywhere you can, anywhere it matters.

Um,

But, but, but,

okay.

I don't think pass keys will replace the issue that we are about to talk about

with password managers because you could still use managers that support pass keys.

Uh.

Uh,

as an

yeah,

supports passkey,

but,

so I

but.

but I think though Passkey itself is tied to a device, so that makes it more secure

Yeah.

Yeah.

I, I think that I, that, that, that's the, that's the thing with

passkey that make it different.

So, so I, I'm just, I'm, I'm, I'm even though with your, with your, once

again, giving me the read why I'm wrong.

Um, I'm, I, I stand by, I stand by my original statement.

to make sure it's a clarification pass.

Keys are great, but pass keys does not mean password managers are not required.

Pass keys help alleviate the issue about stolen credentials.

Yes.

Right.

Okay.

Uh, so what are we talking about pana?

What are we, what, what, what started this whole thing?

about your book or coffee cup.

That coffee cup was pretty awesome.

No, but, okay, so today, right?

Like Curtis said, we always talk about password managers.

We've even had, I think he was a researcher from the University of York

Yeah.

I wanna say like three years ago, who actually did an analysis

of various password managers and found six vulnerabilities.

So like password managers are not.

Some magical thing that's like bulletproof and secure all the time, right?

It's constantly being tested and validated to make sure there are no vulnerabilities

that allow exposure of your credentials.

Especially 'cause people put important things in their

password manager, including the password their crypto wallets,

Right.

so,

And as we know from the guy that accidentally threw away his crypto wallet,

uh, that would be really important.

Yes,

to the crypto wallet.

Yeah.

And so recently an article came out from, I think it's been circling

the web, but it was a, I think it's a research institute in Zurich,

Mm-hmm.

Zurich.

I wanna say that, uh.

Looked and came back and was like, Hey, we took three of the most popular

password managers, LastPass, bit Warden and Dashlane, and we analyzed it to figure

out like what vulnerabilities exist.

And they came back with the list of vulnerabilities, which.

They're saying we're not sort of like what people normally

think about when they think like,

Right.

software is exposed.

But it was like fundamental issues in architecture of these password managers,

which could lead to your passwords being compromised and things like that.

Right.

Yeah.

Yeah.

I think that's, and, and, and the issue that they, uh, said as, as I

understand it, basically th this, and they, they said, this isn't,

this isn't a matter of bad coding.

Uh, this was more a fundamental, uh, issue with the concept of.

The, the vault model, right?

Where you've got this, this vault, uh, and, and the, the, the server up there

doesn't ever know your password, right?

The, it only knows the vault, the encrypted vault, right?

Which, let's just talk about how this works, right?

So,

actually talk about that.

yeah, so, so you have, you have a password manager, and then when you authenticate

a new device, because, because.

The whole concept of a password manager.

I have a password manager.

You have a password manager,

yep.

Um, I, I want to be able to use that password manager both on this laptop.

Uh, my other, I have another laptop, which, which is a laptop I like to close.

It's it because it's, it's got an open window on it, so I like to close windows

whenever I can, but I'm, and then, um.

It's, it's my windows.

It's

Your phone.

my windows laptop, my phone, right?

And any other random device that I might need to use, I, I want,

I want to not, I don't want to have to email passwords around.

I don't wanna have to copy and paste between platforms, right?

And so I want to have the same password manager in multiple

places, which means that there does need to be some centralized

communication and we need to be, um.

Sending the passwords baked back and forth.

'cause I'm gonna change the password on my Mac.

And then an hour later, maybe even five minutes later, I might want to, uh, use

that same password on my, um, on my phone,

Yeah.

which means that that password needs to be sent up and then back down to the device,

which means that we're sending passwords around now and, and it means that.

Well, you're sending encrypted versions of the password, right?

Um, and, and it never sees the unencrypted version of your password, which is

really important that it's only,

and how was that done?

it's whi, which.

The how are they able to share this information without them ever seeing

unencrypted version of your passwords?

Yeah, so there's going to be a password that, that only you use on your local

device that is used to unencrypt or decrypt the password on your local device.

And it's going,

and I am awesome.

what?

Is that your

Oh, exit my password is, I'm kind of a big deal.

That's my password.

Um, the, um.

The, you made me lose my train of thought.

So there is, there's a local password that is, uh, sort of your, your password.

You know, it's your, your one password.

In fact, one of the password managers, the name of the password manager is

one password because you just have to remember one password and then

that password is used to locally.

Unencrypt your, um, data, um, and the, and it's gonna unencrypt

that password for that moment.

And it's when, when it's encrypting it, it's going to use a, a

long key as well as some salt.

And again, this is, I. Definitely, I'm gonna say this is de definitely where I

start to get on the, on the edge of my knowledge, but it's going modern password

encryption is going to encrypt it both with your key as well as some salt.

Um, that is gonna make it, uh, super hard for someone without that to decrypt.

because, because, yeah.

Like you said, you don't want anyone to be able to access

even the vendor you're using

Right.

manager to be able to decrypt that password, right?

Because you're the only one who knows it, and it should only stay local.

And this is true, even in the case of like when you're using the pa,

the chrome version of the password manager, the vault is stored locally

and you're decrypting locally, right?

Um,

Yeah.

the um, and, and so that the password is never.

The, the unencrypted password is never stored or sent anywhere other

than when you're copying and pasting, uh, or automated pasting into the,

the device that you're logging into.

Um, uh, but, but there is this concept of a vault, right?

And that is a. Think of it as a little mini database that has a, has the

copy of all of your passwords and other interesting information, right?

Like I've got in there, I've got numbers that I seem to need a lot, right?

Like my, my bank account number and, um, uh, my, the federal ID of my LLC, right?

Um, it's not a number.

a notes feel that you

Yeah.

Yeah.

I have a secure notes and um, you know, like I know my social security number,

but I don't know that number because it's a number that I don't use very often.

Right.

Uh, and so important things like that.

Um, and, uh, like personas, pants size for example.

You know, I just, you know, I store that in there just because

I want to know, um, what.

creepy.

Yeah.

So, um, the, um, uh, and so you, you, you, you keep a, a

lot of stuff in there, right?

Um, also I have all my credit cards in there, right?

There's a, there's a, and so that, that allows me, when I am using, um, Amazon

and other apps, it allows me to not to say, no, don't save my credit card.

I'm gonna give you my credit card each time, and it'll just copy and

paste the credit card in there.

And so again, it's, it's.

It's trying to find a balance between security and convenience.

As we know, they are always at Ward.

Why?

Why do we say that?

Because if you make something so difficult to use, even if it's

super secure, no one's gonna use it.

Yeah.

They will have like the old school way where, hey, I need a really long password

and I have to change it every 30 days.

Let me just write it on a sticky note and stick it on my monitor.

Yeah.

I was actually in a business.

The other day.

And there it is, like all the passwords, just on sticky notes on the monitor.

And it just, it hurt my little heart.

Um, it was a business that I was advising and, uh, I advised him to stop that.

I was like, first thing we're gonna talk about is those sticky notes.

Um.

And, and it wasn't even like, like the, the way the person had

their monitor was like sideways.

So like, anybody that comes into their office is gonna see

the sticky notes, you know?

Anyway, um, I digress, but we, oh, we, oh yeah.

So I think about, and, and, and sometimes we air.

Too far, one side or the other.

I can think of a, of a time where I worked with a very large

company, very large company.

Now again, this is going back, it's going back 27 years, and I worked with

a very large company that absolutely everyone listening to this podcast

Would

probably does business with.

Yeah.

And, uh, they, we used to RSH as root from server to server, anywhere.

Yeah.

a password.

Yeah, don't

yeah.

Um, just to, to quote somebody that I know, you and I,

you and I watch on YouTube,

Mm-hmm.

right.

That ain't right.

But the other thing though is you talked about usability versus security.

Mm-hmm.

in your case, I'm sure there are times when you have a password that

you wanna share with your wife,

Yeah.

Well, for the record, we use the same password manager, but.

just

Okay.

but yes.

Right.

You wanna share and so you, how would you do it today?

You either give 'em the password and

Yeah,

down somewhere,

yeah,

you have to email it or text it, or some mechanism which is

yeah,

insecure.

yeah.

Or do you just rely on your password manager, which probably

has a share this password

Yeah.

someone else?

Link.

Yeah, we deci, we decided we were tired of both paying for the same password manager.

We just put all the passwords in there.

That doesn't work if you don't trust your spouse, by the way.

Um, but there, there was something, darn it, there was something that you said that

triggered, um, you were talking about.

usability

Hmm.

Okay.

don't know, but yeah.

Uh, just in general, you know, if you make it so insecure, no.

If you make it so secure.

That is difficult to use, then, then no one's gonna use it.

Right.

Um, and as a result, you, you end up being less secure.

Right.

Yep.

Uh, which is why I'm, I'm more of a fan, uh, of really secure passwords

that are in a password manager versus the, we're gonna force you to

change your password every 30 days.

Right.

Um.

There's nothing wrong with changing your passwords.

The problem is that it, it's just a lot of work for, I don't

know, a little bit of whatever.

Um, so, um, so that, that's why, that's the model that they've come up with, which

is, which is referred to as what, what did they call, what did they call this model?

The,

The encrypted vault.

no, there's another one.

It's the, the zero knowledge encryption, right?

The, the zero knowledge encryption model is basically the best way that

they came up of storing and sharing a password between multiple devices.

Uh, but it does have just that concept.

This is what.

I gleaned from the article is that that core concept has

some vulnerabilities in it.

Uh, starting with the idea that there has to be some kind of trust,

uh, because stop, let me back up.

One of the reasons that it has one of the core vulnerabilities is that it needs

to be, and this is a usability issue.

There needs to be a way for you to recover your vault.

We talked about this.

You may remember another previous episode when we had the lady

who, like she said, what do I do?

When I lose everything, hopefully I'll, I'll get a,

I'll get a link to that episode.

That was an interesting discussion.

She's like, what do I do when I lose everything?

And so you do need to go through that exercise.

What is the, what is the exercise that's needed to get

back into your password vault?

If you get locked out of all of your devices, or there's

a fire or something, right?

You need this process because otherwise your life would become a living hell if

you, I, I have like, I'm not kidding.

I have.

500 passwords in my password manager.

I can't imagine what it would be like to recover all of those and authenticate

myself one by one by one by one.

So you need some ability to, um, to recover that.

But that means that when you are in this vulnerable position, you

need to trust the um, this server.

Yeah.

the vendor, well, you need to trust an i an an, an entity.

It may or may not be the you, you need to trust a vendor, but the point is you're

trusting an entity that you can't see.

Yes.

Right?

And so they, what, what I saw was them exploiting that core vulnerability.

It's like, it, it's a core design flaw, right.

That I don't, and I, and I think the point was there's really no way around it.

Right.

unless you basically say, I'm never going to allow a password

reset from the server side,

Which would be a no starter, uh, which would be a non-starter for most people.

Right.

why

Because they wouldn't,

so, so.

I'm just saying from a commercial viability.

I know.

So lemme go back.

One of the things that we say, one of the things that we say

is that if you have like, um.

If you, uh, let me, let me, what's the phrase I'm looking for here?

Um,

um, oh, so if, for example, you have a backup encryption and if

you lose the key, your vendor says, oh, we'll just, uh, fix it for you.

That's not a good answer.

Yes.

That's kind of, that's kind of what you're talking about is, is that there, um, that

Now, I don't wanna say backdoor, it's too harsh,

Yeah.

Well,

but.

I think backdoor is, is fine.

Right.

Um, all right.

I got a story.

Um, I was consulting, this is like, I don't know, five

companies go and we had a, um.

We got an, we got an email from a former employee.

It was a consulting company.

It was a former consultant that used to work for our company.

And the client was like financial trading firm, you know, wall Street type company.

And, uh, he emailed us and said, Hey, um, the firewall on, um, empty squat,

uh, company was throwing up some errors and so I logged in and fixed them.

I'm sorry, what?

He had a back door that he had left open so he could help us out.

We're like, uh, okay, uh, let us work on the offboarding process.

But the, so you, you want, I'd say this is definitely a difference between

the commercial password management type concept and encryption management

concept and a consumer grade.

yeah.

Password manager.

but I agree with all that.

In fact, I think in that prior.

Podcast episode,

Mm-hmm.

we actually recommended the person to go look to see if recovery keys are

supported, that they can generate and mail it to someone across the country.

Yes.

That's exactly what we, what we, uh, talked about.

Right.

and so that's one mechanism.

I think though, even though you just mentioned Curtis

consumer versus like enterprise

Mm-hmm.

from security, all of like, even if you look at the vulnerabilities they talk

about, that's even available for org or it's even possible in organizations too

Mm-hmm.

of sort of the auto enrollment and the fact that you have.

A administrator in an organization who might need to reset the passwords

Right.

their employee forgets.

Right, right.

Right.

And that I think is still exploitable, and it's not necessarily

Yeah.

Well, well,

like the issues of dealing with an organization, right?

well, the,

users are gonna forget things.

They go on

yeah.

they come back, they forget.

Yeah.

I can't get in.

And so there's this level of security that they need to be able to build in because.

They need that password reset functionality.

I guess what I'm trying to understand is what they, so, so as

I understand what they did was they impersonated the server, right?

So.

Um, what that would allow them to, if they impersonated the server.

Again, this is what we were saying, you need to trust this entity and

so you're reaching out to reset your vault, to reset the password of your

vault or to, or not to reset the password, but to recover your vault.

And so you have to reach out to this entity.

You have to trust it to a certain amount, and you give it your password.

In order to au or you give it your recovery key in order to

authenticate yourself, and then what?

And, and then it can do what it does.

But my point, the point is that it could then take that recovery key and recover

your vault without you, I guess is the idea of what, what, what they talked

about here, the core, that core concept.

And like in the organization case, you could auto-enroll.

It's not just your own password that gets used right as the encryption, but also

the organization because they need to be able to access that recovery key as well.

And so now you have two sources that can access your key and it's no

longer, I would say it's still zero.

What did you call it?

Zero encryption?

No.

Zero knowledge encryption.

ZKE.

encryption, but it's someone in your organization who has that knowledge,

not the server or the vendor.

What would be interesting, I know that what they did, the, the, the research

is they reached out to the password managers as good researchers should do,

reach out to the password managers to allow them to try to address these core,

um, the, again, this core vulnerability.

Right?

And again, it's a very, it's kind of an edge case.

Because it, it only, you know, the, the thing that we talked about, it only would

work if you're, if you're trying to, uh, reset, you know, you're trying to recover

your password manager and they were able to impersonate the server at that moment.

So it's, I I still, I think it's a very edge case, right?

Um,

Yeah.

but.

I, I know that the password managers in question said that they were working on,

on, uh, addressing these vulnerabilities.

It'd be interesting to see what they have done

Yeah,

that end.

that was kind of like one category of vulnerabilities.

I think another was sort of just the nature of encrypted vaults,

Mm-hmm.

because unlike file which then gets encrypted with a single key.

What they're doing is they're sort of having entries and fields within

those entries that may get encrypted in different ways, and they're not just

sort of going through and encrypting

Yeah, it's like, it's like, it's like row level encryption in a database, if

you will, which then you've got metadata that's above that, which is not encrypted.

Right.

may or may not be encrypted.

And

Yeah.

I.

there, it looks like, from what I could tell, there's no strong verification

that you're not able to switch around fields within your encrypted

vault to be able to expose things.

So I think in one example, they talked about taking.

Uh, your username and password and moving the cipher text those particular

fields into a different field

Mm-hmm.

URL,

Mm-hmm.

could then expose part of your password potentially, uh,

depending on the password manager.

so it, and there's no check to say, is the vault still the

same as what it was initially?

Right.

And again, these, these are features that they could add, right?

The, that's the kind of thing where they could add that feature.

And maybe that's what, and again, it would be interesting

to see how they've responded.

Um.

And, uh, you know, at least one.

I I, you know, as I've said before, I am not a fan of ASPA based on multiple

issues that have happened in the past.

Um, that, that it, to me, it just doesn't seem like they put the, the

right emphasis on, again, usability versus, um, versus security.

Uh, I don't think that they, they, they appear to not put the right

emphasis on, uh, the security part.

one big takeaway I had from the paper though,

Sure.

you caught it, but, they, so they looked at three password managers,

Uhhuh.

Bit warden, LastPass, and Dashlane,

Yeah.

right?

Do you know what the number of users are across these three products?

What, what,

There are 60 million users and 23% of the market,

and what's your point with that?

which

that

that

more or less?

million people

Yeah.

using password managers, sorry, 200 a quarter

Oh,

are using password managers.

oh, that's in.

Interesting.

I never even, so, okay, so you took the the, they said that these three were this

many and then that's 25% of the market.

And then you extrapolated that to mean that there's a quarter of a billion people

that are using password managers, which means that the vast majority of people in

the world are not using password managers.

know we always ask that question, right?

How many

Yeah.

are using password managers?

So it could maybe, it might be a little off, but it shouldn't be

like a magnitude off, you know?

Right, right.

That is, that is actually a really interesting, um, yeah, I like that.

Um, I wonder how many people are, I think, I think the vast majority of

people, like we're gonna say non nerds.

Non-security focused people, they probably just use Chrome.

Right.

They probably just use the saved passwords in Chrome or Edge or Firefox or whatever.

Right.

So also a number on that too.

Okay.

Google and Apple's built-in password managers account for 55% of the market?

Of the 250 million.

Yes.

Okay.

depressing.

So they're counting those as password managers,

Yes.

huh?

Because I don't really count.

I mean, it's, again, that's the good, better, best.

It's better than nothing, but not much better.

Well, I should also caveat this by saying that, um, these are

coming from two different surveys

Mm-hmm.

So the Google and Apple one is coming from a survey of a thousand U US consumers.

Right versus the other one is coming from the actual 60 million number we talked

about earlier is coming from a different set of studies surveys, so it may not

be apples to apples to compare them,

Or apple apples to Androids.

yes, apples to androids if you wish.

Um.

But it still at least gives you some relative numbers,

Yeah, so I, I think, again, I think that the takeaway from this episode, I would,

you know what, I would reach out to your, if you, if your password manager, well,

you know, if your password manager is on this or not, I would reach out to them and

say, Hey, what do you think about this?

You know, what's your response to this article?

What are you doing to address this core sort of fundamental question, right?

Um.

be surprised if the other password managers who are not part of this initial

investigation are already publishing some FAQ or something in response.

Yeah, I wouldn't be surprised.

Yeah, agreed.

Um, the, uh.

That would be one thing to do is to contact your password manager, especially

if it's one of these three to say, Hey, it says that you're working on stuff.

What are you working on?

Right.

Uh, I know I use one of the three, so, uh, I, I'm gonna reach out to them.

I haven't, the article just came out a couple days ago.

Um, and uh, and I happen to see it on, on LinkedIn.

And, uh, I will, again, I will reiterate kind of what I said in the beginning.

One, I'm still a fan of password managers.

I still think it's better than the alternative.

Um, and I do think that it is really just a stop gap, right?

Like if we go back to, if we go back, it's kind of like target side deduplication.

If I will, if I can, if I must, if I, whatever.

So.

believe you.

So target side deduplication is stupid.

Right?

And I, and I know that, you know that there's some giant companies

that, that, that make a lot of money on target side Deduplication what?

Do, what, what, what's target side?

Deduplication persona.

Target side ddu is where you send the data over and in the storage system

you figure out what all the ddu, uh, what all the duplicates are, and then

you ddu it down before writing it to,

Right.

So you're de-duping at the target as opposed to de-duping at the source.

Right.

And it's dumb, but, but I'm saying it's dumb.

And I'll say why it's dumb.

I and I stand by the statement.

Um, because again, it's, it's, I think this is very, I think this is very, um.

This really is a great parallel here because it's dumb, but it's still

better than what we had before, right?

So it's, why do I say it's dumb?

It's dumb because your backup software is still pretending like it's writing to tape

for God's sakes, and it's sending full backups and, and full file incrementals.

And we're sending all of that across the, the land.

And then we're gonna do the magic on the other end.

We're getting, all we're getting is.

We're getting storage efficiency, we're getting no network efficiency.

Right.

Um, if you, if you could switch to source side deduplication, you get

both storage and network efficiency, uh, and also less work on the client.

Hang on.

Lemme I'll, I'll finish.

I'm, I'll bring it home.

I'll bring it home, but it does require.

An architectural change, right?

It does require you to change out your backup software, or it

requires your backup software to make a major architectural change.

That's why I'm saying it's a great parallel to here,

Yeah.

I think that PAs keys are definitely better, but we're still in the

early phases of adoption of PASIs.

I know I'm still in the early phases of PA passkey adoption, and I still find

it kind of weird and annoying because.

The, it is d it is tied to the device.

So it's like, you know, do I want to do this passkey?

Uh, I can only do the passkey on my phone or the passkey on my, on my Mac.

I can't, I can't share them

log in

'cause they're tied to the device.

The passkey is tied to the device by design.

Right.

Um,

you, does it, does your da, your password manager support

pass keys for the same account?

um,

same

yeah.

Well, but it's, but they're stored locally, you know what I mean?

Um,

stored in, is encrypted.

yeah.

I don't even, I don't even know.

This is what I'm saying.

We're still in the early phases of, we're still in the early phase.

I'm trying to go to Pasky when I can, but also.

Here.

So here I, I'll tell you, I'll tell you, I'll tell you where

passkey are driving me crazy.

And that's logging into QuickBooks.

Okay?

QuickBooks says, Hey, do you wanna log in with a passkey or do you wanna

log in with that stupid old password?

And, um, MFA and I go, I wanna log in with a passkey.

And it goes, great.

What's your PAs key?

And I go, here's my PAs key.

And it says, Hey, what's your MFA?

And I'm like, damn it.

Like,

that's the whole reason I went with the PAs key.

You know?

Right.

And so, and so, like it's, and, and maybe that's just an implementation thing on

the, in the, on the fact of, of Intuit.

Um, and, uh, just take my money, take my, they get, they get too much of my money.

That's what I think is Intuit gets too much of my money.

But, um.

And so I, I, I keep getting little, little implementation issues like that.

And it, and it's, it's different per app.

It's different per device.

And I think if I am having challenges and concerns and confusion,

then you know, Joe Jane user,

imagine my parents using it.

I can't.

Yeah.

I can't imagine.

Yeah.

Um, I can't imagine Lily using it, for example.

As smart as she is, she's brilliant.

Uh, that's my granddaughter.

For those who don't, she's, she's 12 and she's amazing.

And she's, as I like to say, she's officially entered the, that's

what you're wearing, phase of life.

Um, but yeah, so we're still in that early sort of growing pain stage of that.

But I guess what I'm saying is perhaps this is, this gives you yet

another reason why you should look into, uh, implementing PAs keys.

Start with like the most vulnerable things first, right?

Things like QuickBooks, things like, um, you know, your bank, what was that?

Amazon.

Yeah, Amazon.

Yeah, Amazon.

Yeah.

I mean, yeah, if you could log into Amazon and Costco.

In my life, you could wreak havoc.

I'm just saying you could, you know, next thing I know, there's

4,700 packages going to Wichita.

Um, and um, at some point, hopefully Amazon would be like, Hey, Curtis,

you got a new friend in Wichita.

I, I'd like to think that they would do that, but I

Yeah.

don't know.

But yeah, so I, I definitely think you should, you should look into doing it at

the really important things like banking.

Online shopping, um, you know, bookkeeping,

Yeah.

uh, and again, personas, pants, size,

any, what are any other takeaways for you from this?

Um,

No, I agree.

I think password managers are still valuable just because like

everything, you're always gonna find vulnerabilities over time.

No matter what the system is, right,

yeah.

be exposed.

It's just how quickly people react.

It doesn't mean stop using pass, uh, password managers.

Right, right,

You should still continue to use it because like you said, it's better

than whatever else was there before.

It may not be as good as what's coming in the future, but that's not mature yet.

right.

And uh, yeah, it'll just be, I wonder how many years we're gonna continue to have

to do the, like, at what point do some.

Sites say, sorry, but you have to use a passkey.

Right.

So I think, for example, I think like, uh, USAA, that's a credit union

that I, that I belong to, right?

They, um, a couple years ago they were like, we no longer do passwords.

We now do username and pin plus.

An MFA token that is generated by the semantic.

We use the semantic, um, you know, uh, VIP, the the semantic VIP software, right?

Uh, which is really just an MFA, uh, token.

And so you need the PIN plus the, which I think is pretty secure, right?

So you don't really, all you have to remember is that p the pin, but.

imagine now every single app or website you visit requires a separate MFA

Oh yeah.

No, I'm not, I'm definitely not a fan of the fact that I have to use the, the

other one, the IIUI use authe, right?

Uh, we talked about this.

I use Authe as my MFA for most things, and I do that over Google

Authenticator because, uh, being able to, again, security versus usability.

I like that I can, that the, that vault I can recover, uh, with a password.

But, um, and of course I have that password in my password manager.

Uh, catch 22 situation there.

Yeah, it, it is.

By the way, do you remember the lesson of inception?

It's all a dream.

No.

The technical, there's a technical lesson from inception, an IT

level to lesson from inception.

If you run a VM inside a vm, inside a vm, it's really slow.

The, the downside to the free MFA, uh, software is that it's not time

synchronized with, with the, the well it is, but it, it, it's a every 30 seconds.

It's, whereas like with the, with the semantic VIP, the 30 seconds

starts the moment you start the app, whereas, uh, these, the, the

free ones, it's just, it's just a.

Literally at, at every 30 seconds, install on the atomic clock.

They're on the atomic clock, you're on the atomic clock, and they just know

when the 30, so you're, if you start it up, you'll get the timer Anyway.

If you don't know what I'm talking about, you just gotta

go use one of the MFA things.

But, uh, but I will say this, if you're not using MFA or pass keys

on anything that matters, then you are just asking for a world to hurt.

Um, you know, uh.

Bad.

Bad, bad, bad.

Okay.

Well, it's been fun.

Persona,

Always is

what's your size?

72.

It's not

All right.

That is a wrap.