LastPass, a password management site Gina has been touting to friends and family for years, reported a security breach in late December 2022. In the wake of this disappointment, Chris and Gina chat about how to keep your information safe when so much of our information is floating around on the internet. They discuss the tradeoffs between convenience and security and why password managers are still a net positive in personal security.
Chris LoSacco: If you are listening to this because you saw us on that list…
Gina Trapani: (Laughing) Welcome.
Chris: Number one, welcome, we’re so glad to have you. Number two, we are horribly unqualified.
Gina: And we are sorry. (Laughs)
Chris: (Laughing) To talk about security issues.
[POSTLIGHT INTRO MUSIC]
Gina: Hello everybody, welcome to the Postlight podcast. I’m Gina Trapani, I’m the CEO of Postlight, and I’m joined by my beloved partner and the president of Postlight, Chris LoSacco. Hey Chris.
Chris: Hey Gina.
Gina: I got this email last week. This happened… so, we’re coming up on tax season, right, in the US here.
Chris: Yeah. Thanks for that reminder, I’m sure the listeners really appreciate that.
Gina: I know, I know. Isn’t that a great way to kick it off?
Chris: Get excited about your taxes!
Gina: Yeah, get excited about your taxes! I don’t know. I get excited about my taxes.
Chris: (Laughing) So do I, that’s the irony.
Gina: Oh no, this is the irony, is that both of us are, like, excited about doing our taxes.
Gina: Like, woo-hoo! Let’s saddle up. Get this right. So I get this email, and this person says “We need your W-9.” I had done a little bit of freelance work.
Gina: “We need your filled-out W-9.” W-9 is an IRS form where you put your name and your address and your social security number and your signature, and she says “Can you just email me back a copy of your W-9?”
Chris: Oh my God. I’m already…
Gina: I know. You’re upset, right? I’m upset.
Chris: My… the hairs on the back of my neck just stood up.
Gina: Every tax season, someone asks me for a document with my social security number…
Chris: In an email! Ugh!
Gina: Via email. Via email. So… (Laughing) For those of you who are not as paranoid…
Gina: …as we are, like, email is not secure.
Gina: It’s like sending a postcard, right?
Gina: It gets sent in the clear, anyone who’s, you know, listening on your network or whatever… it just goes through all kinds of servers. It’s not… anything you send via email, you have to be prepared for it to be kinda published in the New York Times.
Gina: It’s just not that hard. So I never wanna send my social security number, in particular, via email. I don’t even wanna send my signature via email, although I’m… as you all will learn, I’m very paranoid about this stuff. So I go back to this person and I say “Happy to provide this information, can you give me a link to a secure portal at the accountant’s.”
Chris: Mhm. Perfect.
Gina: And so they wrote me back and said “Here’s a link to a secure folder.” So I click on this link and it is a Google Drive folder. A shared Google Drive folder.
Gina: Which they have shared with others.
Chris: Oh, nice!
Gina: And guess what’s in the folder? Someone else’s W-9…
Chris: With their social security number?
Gina: With their name, address, social security number and signature on it. Which I open and look at.
Chris: Oh my God…
Gina: I don’t do anything with it, because I… and then I closed it and immediately erased it from my brain. And I said… no no no. This is not a secure folder.
Chris: (Laughing) You have gravely misunderstood me.
Gina: Yeah, yeah, yeah, right, exactly. And also, this is Google Drive. Google Drive, also, not secure.
Chris: Right! Yeah.
Gina: This is, I need your accountant, he’s doing your tax filings, I would like to upload to their secure portal. They should have a secure portal. So, you know, I bring up this story to say… I am a little bit paranoid. I’m the kind of person that, when we get mail, like junk mail kinda piling up in the kitchen and I go through it, before I recycle it… and you can tell me… you’re gonna, I can see you looking at me…
Chris: Bring it on.
Gina: I will tear off the part that has our home address on it and rip that up separately before I recycle the mail.
Gina: Because it’s New York City, and people go through the recycling bags of all paper…
Chris: Well, you don’t have to go through it, you put it out on the curb and it’s like, the bags are open…
Gina: You put it out on the curb! And my address is just through the white, you know, the transparent bag! And you know, I’ve shared this with friends who have said to me, “That is bananas.” Like, what do you think is gonna happen?
Chris: Oh, I don’t think that’s… yeah.
Gina: “Why, anybody can…” And it’s like, well, you know, there’s credit card offers, and like, you know… I don’t want to…
Chris: Do you have a shredder?
Gina: We do have a shredder.
Gina: Yeah, we do. Yeah, so like, for documents, like tax documents, I would shred.
Gina: But, like, just… I’m talking about, you know, sign up for the Delta Amex, and that kind of thing.
Chris: Okay. Got it got it got it.
Gina: I logged into T-Mobile recently, who’s my cellphone provider, and there’s a big banner across the top that says, like, “Major customer data breach.”
Gina: And I’m like, oh, cool. Let’s look at this. So I click on “Learn more.” And it’s like, “Basic customer information.” Nothing to worry about, ‘kay?
Gina: Not your credit cards! You’re good. Just your name and your phone number and your address.
Chris: Oh my God.
Gina: 37 million customers.
Chris: 37 million?
Gina: 37 million customers, this data is now out in the world. Ugh, it drove me crazy!
Gina: So I’m talking to my wife, and I’m like “I can’t… ugh, I can’t believe this, do we need to get an alarm? Like, what if…” And she’s like, “Is our address really a piece of personal information? Like, private personal information?” She’s like, “Remember back in the ‘80s when we had the White Pages, and everybody’s name and address was just in the white pages?”
Chris: (Laughing) I mean…
Gina: And I do remember that!
Chris: Me too.
Gina: And it just didn’t seem like that big a deal?
Gina: It feels like more of a big deal.
Chris: It does feel like more of a big deal. I mean, part of the reason I feel like it feels like more of a big deal, maybe, is it’s easier to misuse that information somehow?
Chris: Because all information is everywhere now.
Chris: And so, you know, if you rewind 40 years, yes it was printed in a book, but the only people who could get that book were other people in the town.
Gina: (Laughing) Right.
Chris: Like, you know, those White Pages, the phone books were not getting shipped off to…
Gina: Everyone. Across the globe.
Chris: Everyone, all 7 billion, 8 billion people in the world. And now, information is at your fingertips. Every piece of information…
Chris: And all the possible ways it could be misused. Yeah. I totally think it is horrifying that there are these breaches, and they get downplayed like “Well…”
Gina: “Enh, basic information.”
Chris: “No reason to fret.”
Gina: “Not a big deal, just your home address.”
Chris: Right. Even my phone number, I’m like, you know…
Chris: It’s not especially sensitive, per se, but I don’t want people… you know.
Gina: Yeah, yeah.
Chris: …having access to my phone number. And then there’s LastPass.
Gina: Then there’s LastPass.
Chris: You are a LastPass user.
Gina: I’m a big LastPass user, I mean, going back to almost ten years ago now. I was writing about LastPass on Lifehacker. So, LastPass is an allegedly secure…
Chris: (Laughing) Wow.
Gina: (Laughing) …password manager, okay? It’s an app where you save your username and password to all the places. And the idea is like, you should have a different password for every place that you log in to.
Gina: That’s secure. But you can’t remember them. Right?
Chris: Right. So you get what is essentially like a secure digital file cabinet…
Gina: That’s right.
Chris: …to put all of your passwords… and these password managers nowadays can keep track of a lot of things.
Gina: A lot of things. Secure notes and credit cards, payment cards…
Chris: Passport information.
Gina: Passports. Your vaccination card, I keep in LastPass.
Chris: Right. Yep.
Gina: So, before we talk about LastPass let me just disclaim. I am not a security professional. Although, this… the Postlight podcast was listed…
Chris: Last, like, a week.
Gina: …was on like a list of…
Chris and Gina (together): “Best security podcasts.”
Gina: So thank you to whoever did that. But I want to talk about it just from, just, a user perspective. So I’ve encouraged my family and my readers and just, like… don’t use the same password everywhere! Use a password manager! I really like LastPass because it autofills for you on all your devices.
Chris: Right. It’s so convenient.
Gina: And it fills in the br… it’s very convenient! It was very secure! It had features like, I can share a vault with my partner, and if I fall off the face of the earth or if I die, I can set up an emergency access where, you know, my brother can request access to my vault, and if I don’t decline it within 48 hours he gets access to the vault. Just good hygiene things, right?
Gina: ‘Cause so much of my life lives online. Love LastPass, have been using it for years, have just invest… you know, all of my stuff is in LastPass. Literally.
Chris: When you say all of your stuff, what… like, do you know the number of entries?
Gina: Off the top it’s gotta be hundreds.
Gina: Yeah. To the point where, like… (Laughs) This is a bit of a dark story. I’ll tell it, though. So I had surgery recently…
Gina: …which involved going under anesthesia, right? So I’m in the cab, and with my wife, and we’re on the way to the hospital.
Chris: Oh boy. Okay.
Gina: And you know, you just…
Chris: You’re runnin’ through all the scenarios…
Gina: Yeah! You gotta run through the scenarios, and I’m literally saying to her in the back of this Lyft, this poor Lyft driver, I’m in the back seat saying to her, “Okay, listen. Okay, so we’re doing this, I just… if I don’t wake up…”
Chris: (Laughing) Oh my God, Gina.
Gina: “Here’s where, I need you to know, okay? So I have these two computers, and you should talk to Chris about this, and that computer’s there, and everything, the documents, the important documents…” And my wife is like, “What?” She’s just…
Chris: You’re on the way to the hospital?
Gina: Yeah, I’m in the… right. Like, I’m in the backseat of the Lyft. But I find myself saying to her, “Listen. Everything that you need, all the bank accounts, all the passwords, everything you need, it’s in LastPass. You know how to get there, right? Like, we have the family vault, the emergency access, and my brother…” I’m like, “So, just… LastPass! Okay?”
Gina: As I go through the list she doesn’t respond, but finally she just looks at me and says, “If it comes to that, I will figure it out.”
Chris: (Laughs) That is the right response.
Gina: She just didn’t want to engage. But, yes. It was an excellent response. But I was saying to her, “LastPass, that’s what you’re going to have to…” (Sighs) And then, on December 22nd…
Chris: We gotta come back to December 22nd, by the way. That date in particular.
Gina: (Laughing) Okay, okay. Yes.
Chris: But keep going.
Gina: On December 22nd, LastPass posts a blog post, a notice of a security incident, right? Three days before the holidays. That they were breached, right? And hackers or intruders pulled down full copies of folks’ password vaults. So we’re just, we’re not security professionals, but let me… so, the way it works is that your vault, the list of all your websites and usernames and passwords, are encrypted.
Gina: Stored on LastPass servers, encrypted. And when they download them to your LastPass client on your device, they get decrypted, right? So in theory, it’s gibberish. Anybody who pulled down data from LastPass’s server, it’s gibberish. It’s encrypted.
Chris: Right. And when you encrypt something, you encrypt it with a key.
Gina: With a key, that’s right.
Chris: And so in theory, if the attackers do not have access to the key, they can’t decrypt the data that they’ve gotten, it’s just random characters to them.
Gina: Right. In theory, right. You can always run a brute force attack, which is basically, you just try every single combination of letters and numbers and characters. And LastPass said this would take a hundred years, more than a hundred years to crack the encryption that is on the vault.
Gina: It still absolutely kills me that there are… that my password vault is out there, just floating around there on the dark web.
Gina: And it comes out through… You know, the LastPass announcement was, “Everyone is mostly safe, you should probably change your passwords but everyone’s mostly safe, your passwords are encrypted. Hundred years.” But others, including competitors like 1Password, were like “But not everything was encrypted, right?” Your IP addresses that you logged in to your LastPass vault in, which is from my phone, from my computer, were not encrypted. The website URLs that you visit and have accounts at, not encrypted. And so it would be really easy to, you know, reconstruct the kind of person… you know, where I’ve traveled, what sites I use.
Chris: This is the thing. IP addresses imply location. You can derive a rough location from an IP address.
Gina: Yeah! You can derive location, exactly. Exactly. And, you know, it might be like… there was also some question about, would it really take a hundred years? It’d probably take, it might take less than that. And at any point, any sort of encryption scheme can get cracked.
Chris: Right, right.
Gina: Like, this has happened, you know, in the past.
Chris: That’s why they keep getting better and better encryption schemes.
Gina: They keep getting better and better. Exactly. Exactly. (Laughs)
Chris: It’s just…
Gina: In conclusion, I have a lot of passwords to change.
Chris: (Laughing) But let’s… so, first of all, can we rewind to December 22nd for a second?
Chris: The fact that this announcement comes out three days before the Christmas break. I mean, that week, we all know, that week is like…
Gina: This is how you bury news.
Chris: This is how you bury news! Everyone’s shutting down for the week, everyone’s wind… doing their last little bits of things for work and, you know, they’re mostly checked out. Nobody’s checking Twitter or their Feedly, they’re like… they’re getting ready to go on vacation, or stressing out about their family coming over. Like, it is not the most tuned-in moment for an audience. And for this to come out… I mean, listen, benefit of the doubt, I understand things happen when they happen. But like… December 22nd felt…
Gina: There’s no way they were not burying this headline. And let’s talk about why they’re burying this headline. Because LastPass has one job, which is to keep your passwords secure, and they failed.
Chris: (Laughing) Right, right.
Gina: Let’s just say, like, they had to come out and say “These attackers got full copies of your vaults.”
Gina: This wasn’t a little thing. This wasn’t T-Mobile being like “Well, you know, it was just addresses and names.” (Laughs) It’s your keys to your whole life, if you use it the way that they intend, LastPass intends for you to use it, this password manager.
Chris: Okay. So now, but… so, here’s my question to you. Are you saying, then, that password managers are a bad thing? Because if you, you know, if you lose your vault, you’ve lost everything.
Gina: I… I’m not saying that. I think, I mean, we use a password manager at Postlight, 1Password. I think that password managers are a net net, still a win.
Gina: Because they force you to use different passwords everywhere, and not like your pet’s name or your birthday. And, yeah. I mean that’s really it, right? I mean back in the day you had one password that you used everywhere, right? And this is… I mean, your master password or your vault password then becomes your one password. (Laughs)
Chris: Right, I mean…
Gina: So you have to know that, right?
Gina: But I think that ultimately, with all things security, there is a… you know, there’s a trade-off, right? There’s convenience over privacy and security.
Gina: And even by deciding to use a cloud-based password manager, I was deciding to store sensitive information in the cloud, right? Which is just this abstract, I mean, you know, they tell me it’s secure. I don’t know who has access to their servers? I don’t know who has maybe cracked this encryption but hasn’t shared it with the world, so we don’t even know that they’ve cracked it yet.
Gina: I’m sort of trusting. But I was… I’m doing that because every day I log into a dozen websites and apps and things, and I just, like… I need to be able to do that relatively easily, right?
Gina: And I don’t want to keep it in, you know, my mother-in-law keeps a book. Like, a little notebook of passwords.
Chris: Yeah, I’m not surprised! Yeah.
Gina: I mean, that’s totally reasonable. You know, I don’t want to do the post-it on my monitor, and I don’t want to use the same password everywhere. So it’s this constant, like, security versus convenience sort of trade-off. It’s like putting an alarm on your house. You can have, you know, if you’ve ever walked into somebody’s house and it’s like “Oh wait, hold on,” it’s beeping, and they have to pop in the code…
Gina: I house-sat for someone once and the police came. It was a nightmare. (Laughs) You know, because the more security you have in front, the more you sort of have to deal with the implications of that.
Chris: That’s right. There’s a convenience trade-off that you’re making to some extent.
Gina: Yeah, exactly. I think what worries me is that, I think most people don’t realize, you know, what can happen.
Gina: It’s funny, I was having this conversation with my wife and she was like “Think about all the people who have our address. Every delivery person, anybody who’s done any work on our place. You can’t really live in a world…” So I was like, let’s think this through. How could we fuzz our password, like, realistically, right?
Chris: What do you mean, how could we fuzz our password?
Gina: I mean, sorry, our address. How could we not share our address with the world?
Chris: Oh, I see.
Gina: It’s really difficult, right?
Chris: It’s really difficult. Yeah.
Gina: Like, you could get a private mailbox and not take any deliveries, or use a different name. This is what celebrities do, right? They use different names and stuff. But it’s just not, it’s not realistic.
Chris: Right. I mean, you would… the pendulum would swing completely away from convenience, because you have to jump through… and look, I’m sure for some people it does make sense that they have to jump through all the hoops. Because the privacy…
Gina: Right. They’re a target, or…
Chris: Exactly. It really is worth it. But for most of us, it’s not worth it. Like it makes more sense to just pay the security price, so to speak, to have the convenience of just having some level of our information out there.
Gina: Yeah. I mean this, I guess, is my… I’ve come to this sort of sad, defeated conclusion a little bit. Which is like… our information’s out there, that’s just kinda what it is, and you have to operate with that in mind. Kinda like COVID. COVID’s just a part of our lives now, and we’re never really going to go back to a time when it wasn’t, and just… this is what it is. And you have to do your best to protect yourself…
Gina: …in reasonable ways. Like, I freeze on my credit report, for example. And this is really easy. Some people use these, like, LifeLock or identity theft things. Some people are really into that. I have family members who do that. I’ve never been into that.
Chris: Yeah, I’ve never tried that.
Gina: But you can go onto Experian and TransUnion and Equifax, and within five minutes you can say, like, I wanna freeze my file. It’s actually good ‘cause you get to look at your stuff. So you avoid that scenario, which is when someone…
Chris: What does it mean “freeze your file,” though? I don’t understand.
Gina: It means that if anyone tries to apply for a credit card, or a line, or a loan in your name it’ll bounce…
Chris: Aah, got it.
Gina: They’ll do a pull on your credit and they won’t be able to do it, ‘cause it’s frozen.
Chris: Okay. I mean… that’s helpful.
Gina: Which is nice, yeah. But it doesn’t solve for the, like, creepy person is across the street watching my child leave for school in the morning.
Chris: I know.
Gina: That’s, like… my wife is like “Okay, you’re getting a little…” I’m like, am I though? Like, this is, you know, this is a thing that can happen. That’s the kind of stuff I worry about. The credit card thing… Identity theft is a huge pain in the ass to deal with, but I would deal with it, you know?
Chris: Right. Yeah. A lot of companies now exist to help you… not just prevent it but also if – hopefully it doesn’t, but if it happens – to figure out how to unwind everything.
Gina: Right. Yep. Yep.
Chris: Because it has unfortunately become more prevalent, as more and more information is out there. There’s also, there’s a social engineering aspect to this too, right?
Chris: That is very hard to protect against.
Chris: Because if you’ve got people who can… there’s a great book, “Ghost in the Wires” I think was the title?
Gina: Mm. Mhm.
Chris: About this very accomplished hacker, and most of the technical achievements that he was able to do started with some kind of social engineering.
Chris: Calling customer service and saying “I’m John Smith and I forgot my X Y or Z, and can you please give me, you know, the last four digits of my social,” (Laughs) Or something. You know, these crazy things which you don’t think would work, but a very talented person who can talk to people, get information out of people, you’d be amazed at what you can derive.
Chris: And that, again, it’s very hard to protect against that unless you’re taking extreme measures, right? And that’s where that convenience trade-off, where that again comes into play.
Gina: Yeah. Definitely. It’s funny that you said that. Another ridiculous thing that I do, which always makes customer service representatives laugh, I always just make up… these security questions are a joke.
Gina: Like, your mother’s maiden name, or like…
Chris: Well, everybody can, like…
Gina: Or your favorite teacher, your pets’ names. Like, people can figure this out. It doesn’t take that much to be like, where did this person go to school? Or did you hear something on a podcast, you know…
Chris: Yeah. No. (Laughs) You could Google for it!
Gina: You could go look for it. Exactly, exactly. So this is another thing I use a password manager for, I don’t know if it’s going to be LastPass going forward, but… (Laughs) Is storing these security questions and the answers.
Chris: Yep. Yep.
Gina: I always make up just ridiculous…
Chris: I do this too.
Gina: You do this too? I’m like, “favorite place to vacation,” I’m like “Mars.” (Laughs) And, like, the person cracks up, because I just… yeah. I just… you know, I don’t want this to be a guessable answer.
Chris: Well, one of the…. so I use 1Password as my password manager. One of the cool things that 1Password does is you can generate a passphrase, basically. Like, a random string of words. So if I need something that I can use with a human being, I will generate a passphrase. And oftentimes it’s nonsense, right?
Chris: It’s like, “Purple elephant umbrella.” But that is something that I can say out loud to people and they’ll get it.
Gina: That’s a nice feature, because sometimes I’ll have to think of… that’s really nice. Like, just give me a speakable phrase that I can say to a human being…
Chris: Give me a speakable phrase. Right.
Gina: …who’s checking that I am who I say I am, you know?
Chris: Exactly. But if I have to answer security questions in text, I will often just generate a new password. Like a new random string of 24 or 32 characters.
Chris: And put that as my security question, because it’s… it’s infinitely more… not infinitely. But it is many times secure than, you know, using a strong password but then having this easily identifiable information.
Chris: That allows you to get in through the back door.
Gina: Yeah. The people that I worry about is the folks who are targets for the kind of social engineering… like, my older relatives. Very easy for someone to call and say “I see that you have this credit card,” because, you know, my older relatives, they still get paper statements…
Chris: Oh yeah.
Gina: And I’m calling to see… it’s just so easy to target folks who are not as paranoid/savvy, or just not thinking about it. You know? This is why people get conned out of money and have their lives ruined by this kind of stuff.
Chris: Yeah. Totally. I still think, you know, if you compare… not all password managers are created equal, right?
Chris: And I do think there’s this security versus convenience trade-off that you have to think about with each one. I mean, Apple built it into the OS, right? iCloud keychain…
Gina: That’s right.
Chris: If you’re in Safari, it will generate a random password for you, and then it’ll save it, and it will be available on all your devices if you’re using Safari.
Chris: If you’re using their browser. Chrome has the same thing.
Gina: Right. Chrome has the same thing, right. And you have to be signed into your Google account, or signed into your iCloud account, in order to have access to those things, right?
Gina: The irony of a password manager is it’s trying to solve the problem of you having one password for everything and being easily guessable, but it makes all your passwords rely on a single password. I mean, the last password, right?
Gina: The master password, or the iCloud account, or the Google account. In retrospect, when Chrome started saving passwords, I remember writing about this and being like “Don’t give Google more of your information, they already have so much of your information. Spread it around a little bit. This isn’t a…”
Chris: Right. Spread it around.
Gina: Spread it around. So, you know, LastPass or 1Password, which I may switch over to now that this is all going on… you know, 1Password took the opportunity, they’re a competitor, but they took the opportunity to sort of pounce on the LastPass announcement and just tear it to pieces, and say “Look at all the things they don’t encrypt that they should have encrypted, and this hundred years is kinda, that’s not… and they minimized this! December 22nd!” They called them out, as you would expect that they would.
Chris: As you would expect, yeah.
Gina: The other thing that a password manager does for me is it makes me not change my passwords very often, you know what I mean? Do you change your passwords every year or two years? You know how some corporate systems require a password change after a certain amount of time?
Chris: Yeah, I mean, for those I do. Obviously.
Gina: It’s almost a false sense of security, in a way.
Chris: I think what most people do, and I have certainly done, is you just change one character, or you add an exclamation point, or you, you know, do the… (Laughs)
Chris: I remember I had one particular service where I had, like, five exclamation points at the end of my password, because every time it would prompt me to change, I would just add an exclamation point.
Gina: (Laughing) You would just add another one. Yeah. Yeah, yeah.
Chris: Which is not super-secure, obviously. I don’t change… again, 1Password has a great feature, which is that it will tell you the age of your credentials.
Gina: The age, yes. Yeah.
Chris: And so, I think quote-unquote “proper hygiene” would be every six months, or a year or something, on some regular cadence, you say I’m gonna go in…
Gina: And, like, update this.
Chris: Update this.
Gina: Especially for the big ones.
Chris: Yeah. For a lot of the things, again, because the benefit of using a password manager is that your passwords become site-specific. So, it’s less of a concern for me if any one particular… if there’s a breach on Hulu, my Hulu account…
Chris: …the rest of my life is protected, because they can’t then log into my bank, because…
Gina: Right. Because the passwords are the same.
Chris: Because they have my Hulu password. So I think it’s the same kind of thing, where as long as the vault itself, right? This is what’s so potentially damaging about this LastPass thing, is the vault itself is out there.
Gina: The vault, wholesale.
Chris: And yes, it’s encrypted, but it’s like… ugh. Just feels gross. As long as the vault is secure…
Chris: …you know, most of your sites are okay.
Gina: I saw this one tech writer, I’ll have to dig up the article and we’ll link it in the show notes, but they were basically like “Here’s what I do to be really…” You know, you can’t trust these cloud services. Right? Because here’s the thing. LastPass’s servers are a huge target.
Gina: Huge target! Just like these celebrity, like, iCloud breaches…
Chris: Oh, yeah.
Gina: …like, they get personal photos or whatever. It becomes a huge target, right?
Gina: And so this writer was like, “Well, you know, what I do is you can keep a local…” There’s this open source app called KeePass. There’s a version of it for Mac OS 10 which is KeePass X. You can keep a… and it’s just a local encrypted vault. So same idea, you know, it stores it locally, encrypted, but this writer was saying “Keep a KeePass vault and then just sync it through dropbox or drive or something.” Because no one is gonna go through your Drive looking for your KeePass vault.
Chris: I mean…
Gina: When they go to the LastPass servers, they know they’re gonna get a vault full of passwords, you know?
Chris: Right, right.
Gina: And my immediate reaction was just, like… that is gonna be such a pain, right?
Chris: Such a pain.
Gina: Because, like, on my phone or my tablet, on my everything, the LastPass just sort of autofills things that… you know, and it’s gotten really good at detecting “Oh, you’re in this app now, and you need these passwords.” Whereas in that setup, you have to download it, open it, copy, paste…
Chris: This is… yes.
Gina: Which is, like, a dozen actions to log into a website. Repeated, you know, multiple times a week, just so I can feel better about not being on… it just doesn’t make sense. This is the trade-off.
Chris: This is the trade-off. I am right there with you. I want to have some measure of security, right? But I don’t want to… I mean, it’s all the time. It’s like, dozens of times a day where we are logging into things.
Gina: Dozens of times a day. That’s right.
Chris: And it’s just not worth it, frankly, to get… I don’t know what the percentage is. 10? 20? percent more secure?
Gina: More security over time, that a breach that might happen every 10… oh, I don’t know, 5 years? 3 years? I don’t know.
Gina: It feels like breaches keep comin’. (Laughs)
Chris: That’s true. But yeah. I mean, the fact that this is so… I mean, these extent… that’s the killer feature of a LastPass or a 1Password, is that they make it so easy to just… you know, once you’re in your vault, you’re in.
Gina: You’re in, yeah.
Chris: You’re using… I mean, if it’s built in to iOS, so you’ve got that set. If you’re in Chrome or Safari, or I have a Windows machine that also has my 1Password, so it’s like…
Gina: Mm, right. So it’s just all there.
Chris: It’s all there!
Gina: And it’s synced, and it’s seamless.
Chris: Exactly. And I feel like that’s the right balance for me, is, I want the convenience. Even though, if that means I have to accept the fact that I’m not jumping through all the hoops to keep my data, you know, as secure as I can make it.
Gina: Right, right.
Gina: This is kind of a depressing one.
Gina: I don’t have a… (Laughs) You can tell, I’m feeling very deflated about this.
Gina: There’s a couple things here. There’s an acceptance that our information is out there.
Gina: And the trade-off of having the convenience of the internet and all these… you know, access to all these tools is that you’re vulnerable, and you’re subject to every company that you deal with and every organization that you deal with, to their… their weakest bit of security is also yours. Like, you take it on.
Chris: You take it on.
Gina: When you sign up for one of these services, when you’re… I mean, that’s just kind of the trade-off. Like, am I gonna cancel… am I not gonna have a cellphone? No, right?
Gina: Like, I want the convenience of a cellphone, and the trade-off is that I’m gonna hand over some of my information. And then, you know, I think there’s just the things that you can do to protect yourself, right? Like, change your passwords regularly, you can freeze your credit file, you can use non-guessable… I mean, there’s just kind of basic hygiene things. I don’t know. Maybe we should have an actual security expert on the show.
Chris: That’s not a bad idea.
Gina: To tell us, you know… give me therapy about this LastPass thing.
Chris and Gina: (Laughing)
Gina: It just kills me that I’ve recommended this thing and this happened.
Chris: I know. I know. I know. Now you’re gonna have to pick your new thing and go evangelize that.
Gina: Evangelize that. Maybe I’ll switch to 1Password. Do you… would you recommend 1Password?
Chris: I think 1Password’s great. It’s been fantastic. And now that I’ve said this on the podcast…
Gina: Something’s gonna happen.
Chris: I’m sure that they’re going to have a breach in about a month.
Gina: I mean, 1Password was an independent company, right? And then Apple acquired them?
Chris: They took investment.
Gina: From Apple.
Chris: I don’t think it was from Apple.
Gina: It wasn’t from Apple! Okay. For some reason I thought that they were, like, affiliated.
Chris: No, I think it was… like, a collection of VCs.
Chris: And it was a giant… they want to go after the enterprise. They want to expand password management within organizations. Which makes sense. I mean, it’s a real…
Gina: It’s a real thing.
Chris: It’s a real thing. And arguably it’s worse, because the…
Gina: The surface area and the impact… (Laughs)
Chris: Exactly. And it’s so prevalent that people are just shuttling passwords around, right? And you leave companies and join new ones all the time. Information is critical.
Gina: That’s right. That’s right.
Chris: But yeah. I think they raised, like, hundreds of millions of dollars to go after this problem.
Gina: I mean, the enterprise problem is a huge one. When someone Slacks me I’m like “Nope, please delete that.”
Gina: Do not email passwords, do not Slack them. This is the link, the secure link.
Gina: The secure link to get the thing. And then you’ve gotta change them.
Chris: That’s right.
Gina: Yeah. (Sigh)
Chris: Maybe what we want people to take away is, use a password manager, don’t send your social security number in email…
Chris: And if you have a… if you have a thought on improving security, or if you just have anything you wanna talk through with us…
Gina: You should reach out!
Chris: Reach out.
Gina: Hello@postlight.com. All my fellow LastPass customers and users…
Chris: (Laughing) If you wanna commiserate…
Gina: (Laughing) Send me the note, please!
Chris: …Reach out to Gina. Hello@postlight.com.
Gina: It’s so depressing. I hate… (Laughing)
Chris: Thanks everyone.
Gina: Thanks Chris.
Chris: Thanks Gina. Talk to you soon.
Gina: Talk to you later.
[POSTLIGHT OUTRO MUSIC]