EPISODE 92
Password Managers

About this episode

In this short episode, our hosts Jason Dion and Kip Boyle discuss the critically important topic of password managers.

In the beginning, Jason quickly describes password managers, their use cases, and how they work, highlighting both the security and convenience aspects of using a password manager.

Then, Kip goes over how to choose a password manager and what criteria you should consider when choosing the best software, emphasizing that attack resistance comes first and all other criteria come second to it.

After that, our hosts discuss the different features of different password managers, why they utilize them, and the best ways to make sure you have great security and productivity online.

In the end, Jason makes some notes about paid versus free password managers and VPNs, and discusses the newest trend of passwordless authentication.

What you’ll learn

  • What is a password manager?
  • How do you choose a password manager?
  • What is the difference between free password managers and paid ones?
  • What is passwordless authentication?

Episode Transcript

Kip Boyle:
Hi, everybody. Welcome to Your Cyber Path. I’m Kip Boyle, and I’m here with Jason Dion. Today, we’re going to talk about password managers. But what occurs to me right away on the subject of password managers is that as we record this in February of 2023, about six months ago, LastPass was hacked, and that happened in August of 2022. I know we at Cyber Risk Opportunities were using LastPass for a while. We got off that, actually, and migrated to a different password manager. But what about you, Jason? What happened to your team?

Jason Dion:
Yeah, did you migrate before the hack or after the hack? I’m curious.

Kip Boyle:
Before.

Jason Dion:
Okay, cool. We actually did as well. I hired a new CTO back in February of 2022 at my company, and his name is David, and when he came in, he’s like, “I really don’t trust LastPass.” He’d heard some things about it that he didn’t like from his previous companies that he worked at, and he was like, “I want to get us off of that.” We actually left LastPass. I think you guys went to OnePass. Is that right?

Kip Boyle:
We went to 1Password.

Jason Dion:
Yeah, you went to 1Password. For us, we went to Bitwarden and the reason we went to Bitwarden is Bitwarden has a software as a service version just like LastPass and 1Password and all of those. But it also has a self-hosted version so you can own and operate your own and that way you know your data is only on your server. That gives you an additional level of protection.

Now that being said, do you need to go that far? Probably not. My CTO just sometimes is a little paranoid, which I think is good. But he acts more like a chief security officer than a chief technology officer most of the time because he comes from a really strong cyber security background, which is one of the reasons we brought him in. But he’s also a really good developer.

So yeah, when he said, “Hey, I’ve looked at them all, this is the one I want us to go to,” I was like, “Hey, you’re the CTO, let’s do it.” But then … over, I’ll tell you, it’s a pain to move from one password manager to another. I don’t know how … you guys, but for me I had to basically go in.

When we moved over, instead of just importing my entire LastPass, I went one by one through my passwords to verify: do I still need this? Do I not still need this? Can I get rid … One of my team needs access to it, because one of the big things I use LastPass, or Bitwarden in this case now, for is being able to share my passwords with my team. A lot of the services that we use only have one login; they’ll only support an individual user account, which is horrible for security, as we all know.

But that’s the way a lot of these software-as-a-service companies are. They don’t have a team version. You basically have to sign up with one account and then give everybody the username and the password. We have a big, long, randomly generated 25-character password of numbers and letters, and it’s tied to Jason’s email, and everybody can go in and fill it. With Bitwarden, they can fill it without even seeing the password. So they don’t know what the password is, but I can share my password.

Kip Boyle:
I like that aspect of LastPass as well. We had the same experience: it had been reported in the public news media that LastPass had been injecting trackers into the Android version of their mobile app. My feeling was that that was silly, because this is a security tool, not a social media app. By adding trackers, all it’s doing is increasing the attack surface and weakening the tool.

And so at that point, I talked with my team and we said we’re not putting up with this. We’re getting out of here. Our migration was actually pretty easy because we just bulk exported the records from LastPass and bulk imported them into 1Password. I didn’t have the time to sit there and go through them like you did. I actually think that’s great password hygiene on your part.

Jason Dion:
Actually, again, basically I just took one day, and it literally took me about eight hours because I had about 400 or 500 passwords I had to go through. But out of those 400 or 500, there were only about 200 I still needed, because a lot of it was stuff we used five years ago in the company; there are things we don’t use anymore for any purpose.

Kip Boyle:
Yeah, no, that’s great. Well, today, having talked about that, we’re going to come back to LastPass and we’re going to talk about if you’re still using LastPass, because I’ve got customers that are still using it and they said to me, they’re like, “We just managed to convince the rest of the organization to use a password manager. It’s completely deployed. We can’t risk our reputation and go back out there and say, ‘Oops, we shouldn’t use that one. Let’s migrate to another one.’ So we need to figure out how to stick with LastPass if we can.”

And so if you’re in that situation for whatever reason, we’re going to circle back around to this episode and we’re going to talk about what you can do to stick it out with LastPass until you can figure out a time and a place where you can migrate. But in the meantime, let’s back up for a moment and let’s just first make sure everybody knows what is a password manager and why should you use one? What does it look like to you, Jason? How do you explain to somebody like what it is and why they would want one?

Jason Dion:
The whole reason that we use password managers in cybersecurity, and if you’ve ever read Kip’s book, Fire Doesn’t Innovate, you talked about this in there as well. It’s funny you’re asking me, because I know you wrote about it. Oh well, yeah. And in there, I thought you had a great example, because if you’re talking to a CEO or a CFO, how do you make the case for using a password manager?

Well, a password manager is a security tool, right? We all log into our different sites, whether it’s locally on our computer or anywhere else on the internet. We always have a username and a password at a minimum. And some also have two-factor authentication with either an authenticator app or a text message code or something like that. But the problem is every site should have a different password. You can’t use the same password on every site. If my password for Facebook and Google and Yahoo are all the same and Yahoo gets hacked, guess what? Now you can get into my bank, my Google, my Facebook and all the other stuff, because all that stuff is using the same password.

We always tell people in security, use a separate password for everything. Well, the problem with that is, as we said earlier, I had 500 passwords; I can’t remember 500 passwords. The old advice we used to give people, before password managers were a thing, was, “Hey, if your password is password, then add a two or three character code at the beginning or the end of your password.”

So for instance, if I was going to Google, it might be GO password. If I was going to Yahoo, it’d be YA password, and that way there’s at least a little difference in those passwords, so that people can’t just try the one password everywhere. But again, it’s not as secure as having a long, strong password for every site.

But if I have a password like XY1258432GQF, I must remember that for each site. With a password manager, you can create a unique password for each site and it keeps it in basically a vault. If you think about a drawer in your filing cabinet, you just have a piece of paper for every site, and each paper has your password written on it.

Now, this is actually a digital password. And so you then collect all of that in one big thing, which we call a vault, a password vault, and you lock that and encrypt it using one master password. Now instead of trying to remember 500 passwords, I can remember one long, strong password, which in my case is something like 18 characters with numbers, letters and special characters, and that works great.

And so when I want to log into a website like Facebook or yourcyberpath.com or whatever, I go to the login screen. I click on the username and it will bring up a little prompt saying, “Do you want to fill this in with Bitwarden, LastPass, 1Password,” whatever it is. And you say fill, and it will put in the username and password for you without you even knowing what that password is. I don’t have to see it each time. And then you hit log in, and you’re logged in.

It’s a really great tool from a convenience perspective, but it’s also a really great tool from a security perspective. The cost on these things is really, really low. There are lots of great free ones out there as well. Kip, what are your thoughts? I don’t know what I’ve been coming from.

Kip Boyle:
No, that’s great. I loved the way you laid that out and actually you created this great segue for something that I wanted to point out, which is when I am working with our consulting clients and I’m talking about password managers, I characterize it just as you did, but then I really drive home that last little thing that you said, which is a password manager gives you security but it also gives you convenience.

This is one of those rare things that actually increases your productivity and increases your security at the same time. There are very few things in the security world that will do that. This is really important, because there aren’t many things that do that. This is a really great thing for you to pursue with your senior decision-makers so they can see that it is possible to create business value from the money that you spend on cybersecurity.

Now, there are other ways to create business value, but this is a great one, because people understand increased productivity. That’s a very clear case of business value. If you read my book, I talk about three other types of business value: I talk about legal risk management, I talk about technical risk management, I talk about increased reliability. And then lastly, I talk about financial returns, and in this case, in the form of increased productivity.

A password manager is just one of these little golden children. Why should you use one? Well, I think you did a great job of covering that, but I want to unpack that a little bit more too because it used to be the case 10 years ago. I remember this distinctly. In 2012, I read an article in Wired magazine about a guy named Mat Honan I think was his name. He was completely hacked and they took over his Apple ID, they stole his email accounts, they reset all his passwords and he wrote about this in this really long article. That’s when I finally realized, “Holy crap, the threat has really gotten intense on stealing your digital identity. I’d better up my game and start using a password manager.” That’s when I started doing it.

I don’t even have to do password generation anymore because the password manager will make a unique password for every website, part of the productivity benefit. So that’s why you should really use one is because the threat is so real. If you go to Have I Been Pwned, what do they have over there, Jason, like several billion user ID and password combinations?

Jason Dion:
Easily. As we’re talking, I’m just going to look it up because I’m curious now. If I go to haveibeenpwned.com, you can see that it says they have 12.5 billion pwned accounts at this point.

Kip Boyle:
These are authentication databases that have been stolen from various websites and released on the dark web. And so it’s a good bet that at least one user ID and password that you’ve used in the past is in that database. Guess what? That becomes this massive identity theft gun that criminals can point at a bank or a credit union or wherever and try to impersonate you.

The stakes have been raised and that’s why you should use a password manager. Now, how do you choose a password manager? I’m going to get on my soapbox on this one man, because people do it wrong all the time. They choose their password manager like they choose a word processor or like they choose a game or whether they want to use Teams or whether they want to use Slack or Zoom.

The issue here is that they tend to choose software based on things like, is it open source versus closed source? Does it cost a lot versus does it not cost a lot? What features does it have? Is it easy to use? All that stuff matters when you’re choosing a piece of software to get something done. But none of that matters as much when you’re choosing a piece of software that you’re going to use for security.

Now, a password manager, a VPN, those are two great examples where you don’t want to use any of that stuff as your primary criteria for choosing one. What you have to put number one, and this is difficult, I’ll admit it, is the tool attack resistant? That’s your number one concern. Everything else comes second in my book. What do you think?

Jason Dion:
Yeah, I definitely agree with that. The other thing that I see people do is they will choose just what’s installed on their computer already. What I mean by that is you’re on Windows, you have Edge, or maybe you’ve installed Chrome, and if you’re on Mac, you’ve got Safari, or maybe you’ve installed Chrome because it is the number one browser in the world. All of those browsers do have their own built-in password managers. That’s not what we’re talking about here when we talk about a password manager. I will tell you that one of the things we really recommend is a third-party password manager outside of the browser.

Now, the reason for that is that when you’re adding an additional feature to an existing product, like password managers inside our browser, Google is trying to do their best to make sure it’s secure for Chrome, Apple is trying to make sure it’s secure for Safari, Microsoft is trying to make sure it’s secure for Edge. But their main purpose in that is to browse the internet in a very effective way.

They’re trying to make it as easy as possible. The way those things are stored is not necessarily as good as a dedicated, individual password manager. I’m a little bit older, Kip is older than I am, so he probably remembers, but the audience is probably young enough that they don’t remember these things. But when I was younger, we used to have VCRs, and then DVDs came out and we had these … Usually, you had a TV and a VCR and a DVD player. Then they made this combination unit that had all three, and it worked okay, but it didn’t work as well as a standalone DVD player.

It’s the same thing if I look at something like an Xbox, it is purpose-built to play video games. And so it does a really good job of that. Whereas if I take that same game, I have to be very specific about the computer I buy when I’m buying a desktop that will be able to play it. If I just buy an Xbox, I know it’s always going to play. As well as for any games, same way. And that’s really the difference between using a browser-based password manager as an additional feature as opposed to being the core of the product that that’s all this company does and they’re just solely focused on security.

Kip Boyle:
I love that. Again, a great segue to a point that I want to make, which is you really want to focus on something that’s attack resistant. And so how do you do that? Well, knowing that this password manager is purpose-built is one way to do that, right? Because the livelihood of everybody who works at 1Password, for example, depends on them getting it right. If they don’t get it right and everybody leaves them because they lose confidence, their company’s gone. They have nothing else to fall back on.

And so they have great incentive to do good engineering and to be responsive. And that’s another thing that I look for. How responsive are they to reports of public vulnerabilities? I can go to the CVE databases and I can type in the name of the password manager that I’m thinking about getting and I can see records of all the publicly released flaws and exploits. I can also see when those were patched, or whether they were even patched.

Some of them aren’t even patched, and they’ve been on record for years. If you see that, that’s not a good sign. You want to make sure that when something bad does happen, because LastPass is the latest in a password manager that’s been attacked, they’re not the first, they won’t be the last. But what you want to see is how responsive are they? How fast are they? I don’t think LastPass has a very good record in this, right? They got hacked in August, but they didn’t talk about it until November, December. That’s not good.

There are ways that you can evaluate the attack resistance of a piece of software. You can do a little bit of research, go to the right places. Don’t go to PC Magazine and get their recommendation, because they’re focused on usability and cost as the primary selection criteria. You don’t want to do that; avoid that. When it comes to VPNs, by the way, most free VPNs are absolute trash when it comes to protecting your data. They hardly protect your data at all. They’re badly engineered, they’re selling your browsing history to other people. And the only thing most consumer VPNs are good for is evading copyright protection, because I want to watch a show on Netflix that’s released in the UK and not in the US. And so I’m going to spoof my IP address so that I can get in there.

It’s fine for that, but I would never use it for anything super critical in terms of security. If I was an organizer of civil disobedience working in a repressive regime like Myanmar, hell no. I wouldn’t trust that thing to-

Jason Dion:
I agree with you there. I just want to point out, this isn’t a loopback/test episode. As I said, Kip and I both left LastPass before this hack even happened. The reason we’re talking about this is it just brings up a good discussion around this idea of password managers to help me figure out what are the best password managers to choose, why you should choose them and that kind of thing.

But there are still a lot of people that are on LastPass and are we saying you should immediately get off LastPass? Well, not necessarily, right? LastPass is a pretty decent tool and it’s better than a browser password manager, so better than nothing. But it’s not the best. And that’s kind of our opinion on that.

Let’s talk about, you had mentioned … Let’s say you’re working with an organization, you’re consulting with them. They say, “Hey, we’re on LastPass. We’ve deployed to all 5,000 of our users.” I’d be like, “[inaudible] it’d be a year to get them off because I got to go through training and teach them how to install it and all that kind of stuff again. It’s a big deal.” Now this hack happened, what are the things I need to do as a company to protect myself?

Kip Boyle:
Yeah. Well it’s funny you should ask me that because guess what, that’s exactly what happened to me recently, is I had a good customer who came to me, he said almost exactly what you said. He said, “Look, I’ll pull the plug on this if you think it’s that bad, but I hope you can figure out a way to keep us on this thing for now because I don’t have it on my roadmap to get off this thing anytime soon. We’ve got all these other priorities, I’d really rather not do it. So what do you think?”

Well, here’s what I came up with. The first thing I said was, “I would like you to go back and remind everybody that they need to use a strong, unique master passphrase for their LastPass account, and they shouldn’t reuse that master password or passphrase anywhere else.” I said that’s the first thing because we can control that. We can’t control how the product is engineered, we can’t control how the product is managed, but we can control that.

That’s part of the shared responsibility model for cloud computing. I mean, philosophically, that’s just how we have to deal with all cloud-based computing. Then I said, “And specifically, ask your people: prior to August 2022, were you using a weak password as your master password? Was it a duplicate? Did you use it somewhere else? Did it have eight or fewer characters? If that’s true, then I think your password vault is at risk, because they’ve got a copy of it and they can take it offline and they can brute force it with no MFA, because MFA is not enforced at the vault level. It’s enforced at the service level.”

I said, so you’ve got to get a good master password, and if you think your vault is in jeopardy because you used a bad one, I need you to do what Jason just described, which is I need you to go through every password that you have in that vault and then you need to change it, because the copy you are using is your online copy, which is still available to you, and you can change your passwords in there and that will leave the offline version that was stolen stale and useless.

So, that’s a way to deprecate the situation there with somebody having a copy of your vault in an offline situation. So that was the first step. What do you think about that as a first step?

Jason Dion:
I think those are all really good first steps. I will tell you, as a former IT director, when I send that email and say, “Hey everybody, go change your password,” most people won’t do it. Most support licensees are busy, whatever it is, they’re just not going to do it. If I send that email out to a thousand people, I might get 500 that actually changed it. Listen, the other 500, as the director, I’ve got to chase down.

I know when we were using LastPass at the organizational level, if you are doing it as an individual, this doesn’t apply. Everything you said is perfect. But if you’re doing this at a company level like your client, you can go into your organizational vault as the director of your organization and tell everybody that the next time they use LastPass, their password will be changed. Just like what you do with Windows: if you get hacked with Windows, you say, “Yeah everybody, the next time you log in, your password is no longer valid. Rethink your password; you cannot come in.”

That will force everybody to create a new, long, strong password. It won’t necessarily make them do … Well actually, you can, because in LastPass you can set how long the password needs to be and how complicated it needs to be. So I, as an organizational leader, can say everyone needs to change their password at the next login. The password now needs to be 20 characters long, uppercase, lowercase, special characters, et cetera.

Some password managers, I don’t remember if the LastPass has this, but some do allow you to have a master password with MFA as well, which if you can do that, I definitely would recommend that too.

Kip Boyle:
Yeah, absolutely. That’s a great point. The idea that you can force the password reset and that you can keep them from choosing weak passwords in the future by setting the password requirements, that’s fantastic. Then we absolutely said as a second step, “Hey, you need to turn on MFA. You need to require that for everybody. If you haven’t already, get that multifactor authentication going.”

Then the other thing that we said was make sure that you are regularly checking for updates, because we’re using browser plugins, we’re using a mobile app, which is one of the things that made LastPass really great. It’s cross-platform. It works on mobile. It works on desktops, tablets. It works in any web browser, so you can take your password vault anywhere you want to go.

That’s one of the issues I had with using Apple’s password manager, which I actually think is pretty good from an engineering and attack resistance point of view, but it’s not cross-platform. If I want to be off of an iOS or a macOS device, I’m stuck. That was not good for me, because I’m on multiple platforms. So that was a unique requirement that I had. Most people seem to have that issue. But if you can just stay on iOS and macOS, then the built-in password manager is probably fine.

Jason Dion:
The one thing I will say on that is that LastPass is not the only one that has cross-platform. I think 1Password that you’re using now does. I know Bitwarden is, because I have people who have Android, Windows, Linux, everything. I’m a Mac guy; all my stuff is Mac, iPads, iPhones. A lot of people on my team are on Windows because they prefer that, or Android or Linux. It works with all of them with Bitwarden. Again, it’s one of those things where there’s a Chrome extension, so as long as you have Chrome, you can use it on any of these, and there are apps for iOS and Android as well.

Kip Boyle:
That’s great. So that’s what caused us to be on 1Password. That’s what caused you to choose Bitwarden. Now, let’s talk about that for a second by the way because you chose Bitwarden, I chose 1Password and my team did. But we both came from the same place. I think it might be interesting to spend a moment to talk about why did we go in two completely different directions when we started at the same place. I’ll go first.

The reason why we chose 1Password is because not only is it attack resistant, but we liked that it was in the cloud. We read the whitepaper about how they secured it, how they built it. They used open design principles, and so they revealed how they actually designed the security, and we liked that. We liked that they did open design. By the way, open design is when you can publish how you built something and that does not weaken the security of the thing.

Public key encryption algorithms like AES are a great example of something where everybody knows how AES works, but that doesn’t mean that it’s weak because you know how it works. And so we liked 1Password because it’s cross-platform, they used open design principles, and quite frankly, it looks good. I mean, it’s well done. The user interface is well-designed, and anyway, there are lots of other reasons, but that’s why we went there. Why did you guys go to Bitwarden?

Jason Dion:
All the exact same reasons you just mentioned apply as well to Bitwarden. The big difference is where they host the data. So Bitwarden, using their cloud-based version, they have servers in the US, they have servers in Europe. If you have European people, that’s good for them because they have GDPR requirements as well. Then what really sold us on that was the ability that, if we want to, we can host it ourselves using Bitwarden Enterprise, so we can put up our own server. We control the data. It’s no longer in the cloud. It’s on our own private servers in the cloud using a private cloud infrastructure, and that gives us additional security.

I would tell you that honestly, right now, we’re still using the software as a service version. We played with the enterprise version. We decided that there wasn’t enough security benefit at this stage in the game for our company to move to that, because then we have to maintain the server and do all the patching and do all that stuff. We really like the fact that we have the option of doing that, but we’re not doing it yet.

Really, they’re fairly equivalent. If you look at 1Password and Bitwarden, you’re going to find the features are pretty much the same. If you look at all three of these, LastPass, 1Password and Bitwarden, all three of these have very similar feature sets and very similar user interfaces, very similar price points. Most of them are going to be somewhere between $3 and $6 per month per user. If you go to an enterprise license, you can usually get it down a little bit more somewhere like $3 to $4 per user.

Some of them have family plans. If you’re doing this for your house, for instance, when I was on LastPass, I had a family plan and it gave you six accounts for $48 a year, I think it was. It was like four bucks a month. I had one, my wife had one, and my two kids had one, and we were all in the same client. We got past six, then we had to start, because I was actually using that for my company at first, and after we got more than six employees, I had to upgrade to the larger version.

But as far as software, these are relatively low cost tools. We’re talking maybe 12, 15 bucks a year per user, generally.

Kip Boyle:
I think that’s reasonable. I know some people can’t even afford that, but they still want the protection of a password manager. And so as long as you’re paying attention to its attack resistance and you want to use a free password manager, I think that’s okay. But I think once you get to a point where you can afford to pay for something, I think you should, because you’re going to get better protection depending on what you choose.

Another thing I want to say about password managers, and I love that you brought up this feature of being able to have a personal vault along with your work vault, this is really important for estate planning. What I mean by that is these days, we have passwords for everything, bank accounts, retirement accounts, all kinds of stuff. If I die on the way home tonight, then how’s my spouse going to get into all these accounts?

How do I make it easy for her? The easiest way I can think of is just put everything in a vault, make sure she has access to it, and then that way if anything happens to me either permanently or temporarily, maybe I’m in a coma, maybe I’m not dead, but I still can’t do anything, right? Think about your estate planning, think about your emergency action plan.

I like 1Password because they actually will let you print something out, a piece of paper with a get out of jail free code that she can type in and get in to get all those passwords. There’s different ways you can do it, but I put that in our little fire box along with our other important papers like birth certificates and whatnot. That gives me huge peace of mind, I don’t know. It sounds like you’re focused on that too, right?

Jason Dion:
Yeah, most definitely. I’ve been doing that for years. Before password managers were a thing, once a year I would go in and I had a piece of paper, literally a handwritten piece of paper, and wrote down all my accounts: my bank, my username, my password, my bank, my username, my password, for all my stuff that was important. We kept a copy of it with our will and my power of attorney so that if I was in a coma, my wife could take over.

The one caveat I would say is if you’re going through marriage troubles or you don’t necessarily trust your spouse, or you don’t have a spouse and you’re a single person and your brother or sister, or [inaudible], is the executor of your estate. You still want to have this information, but you may not want to give it to them until you pass. What I mean by that is you could put it with your will, and that can be in your fire box, it can be in a safe deposit box, it can be at your lawyer’s office, whatever it is. And you just need to update your passwords every six months, or whenever you’re updating it. Then you can basically say, “Okay, upon my death, give this to my executor.” And now they have access to all your accounts to be able to take care of that.

The other thing you can do is you can basically create a thing like 1Password or whatever, put all your passwords in there, write down the master password, and now you only have one you have to do. Then actually, this is kind of what we did in the military when we were locking up our safe for top secret information. We would know what the code is, but then we had a safe with all the cards, with the passwords or the codes written down in a different safe.

If somebody forgot the combination to a safe, we wouldn’t have to drill the lock, we would go over to the other one. It was a two-factor lock, so we had, like, Kip and Jason had to open this and then we would get out the thing with the card and go, “Okay, here’s the password. Now we can reset the lock and start over.” It’s like the master backup that we’re doing in the cyber world too.

Kip Boyle:          
Yep. Cool. Okay. Well, I’ve covered everything I wanted to cover about password managers. I appreciate the opportunity to get up on my soapbox and talk about how important attack resistance is when you choose one. I appreciate it. Any final words, Jason?

Jason Dion:       
Yeah, I just have two quick ones. One, we talked about cost and you had mentioned free. There are a lot of these password managers that do have free versions, including real password managers that have paid plans and free plans. Generally the difference is if you’re on a paid plan, you get team access and you could share it across family members and stuff like that. Whereas if you do a free plan, you just get a vault for you, which is fine but it is a little bit more feature limited. It’s not any less secure, but it does have fewer features.

You can always try this out with a free plan. The reason they give you a free plan is you could try it and go, “You know what? I like this, let me pay for the version that’s two bucks a month because I think it’s worth it.” So that’s just an upsell opportunity for them. But again, even the basic version is really good, as opposed to when we’re talking about VPNs, never use a free VPN because really you’re the fraud to that point.

The second thing I wanted to mention is hopefully in the next 24 months or so, we’re no longer going to need passwords at all. There’s a big trend coming down the road with passwordless authentication. A lot of it is being done already now using things like magic links. When you go to a website and you try to log in, it will shoot you a one-time link to your email or your text message, you click on that and that logs you in, but it’s only good for two minutes once you ask for it or something like that.

What right now is being worked on by Google and Apple together, they’re actually teaming up on this, is a form of passwordless authentication with our smartphone that would basically act as a login device for us across all of our platforms that would no longer require any passwords. It’s much more secure and much more convenient.

And so once we get out of this password thing, I’m very curious to see what 1Password and Bitwarden and LastPass do as we move into this passwordless authentication world, because that’s going to just basically decimate their business model because their whole business model is based on passwords. Let’s just see how this changes over the next 24 months or so.

Yeah, this is just something I want to point out and we’ll probably talk more about passwordless authentication at a future show because that’s a new concept that I think people need to be aware of.

Kip Boyle:          
Yeah, but please moderate your expectations on passwordless. It’s going to take a while for everybody to get on board that train. I remember when multifactor authentication for websites was first rolled out, it took three or four years before you could get MFA everywhere you wanted it. And so people have to opt in. It’s going to take a while, but I think it could be really good.

But I’ll say this, it’s going to make you controlling your smartphone and your email account even more important than ever before, because if somebody steals it, you’re in trouble because your whole identity is tied to that stuff. It kind of is already, but it’s just going to get more intense.

Jason Dion:        
Well, there are so many websites that let you SSO in with your Google account or your Facebook account. If somebody gets my Google account, they can get into 90% of my websites because all of them allow you to sign in with Google, right? It’s a passwordless type of authentication because once you’ve logged in once, you’re now single signing on across everywhere else.

But yeah, so that being said, I want to thank everybody for joining us again for another episode of Your Cyber Path. We hope you enjoyed it. We hope you learned something and we hope we gave you something you can put into use today in your own world to be able to secure yourself and your company. If you want to keep yourself up to date with all things cyber, I know when this LastPass attack came out six months ago, Kip actually wrote about it in his mentor notes.

I recommend you sign up for his mentor notes. They come out once every other week just like the podcast. When they come out, it’s usually about 500 to a thousand words. It’s fairly short, easily digestible. It’s directly from Kip to you with all the information that he’s putting out that week. Usually, it does not relate to the episode that we’re talking about.

For instance, this week you’re not going to get a mentor note on password managers because we’re talking about it on the podcast. He’s going to talk about something else. It’s additional content for you that is free for you to get. You can sign up at yourcyberpath.com. Right on the front page, just type in your email address. You’ll get an email, click on the link in there to verify that that is your email so we make sure we’re sending it to you because you requested it. Then from then on, you’ll be getting those emails once every two weeks.

So that’s all I got. Thanks, and we’ll see you next time.

Kip Boyle:          
See you next time everybody.


YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
