Managing Clients and Passwords: Best Practices and Lessons Learned in the Wake of the LastPass Hack
6:35PM Jan 18, +0000
Speakers:
Nathan Ingram
Keywords:
lastpass
password
password manager
client
keeper
security
questions
vault
account
breach
webinar
priority
delete
pass
column
link
duplicates
secret
login
import
Take me just another second or two to get that all done. In the meantime, if you haven't popped up in the chat and say hi, please do that. Got some fun things to share with you today. I think I think there'll be helpful. Maybe you won't have quite the issues that we had as we were dealing with passwords and so forth in our agency work. All right there the captions should be connected correctly. Now. All right, I think that is all the things. I have way too many windows open for it to be healthy right now. We are just I'm about to stop talking to myself and I'm about to start getting things going for the webinar. All right, everybody, hope you're doing well. We got just a little bit less than a minute to go before we get started. I have things to share. Can y'all see that Excel spreadsheet? I'm dragging over? Can y'all see that? The good? It don't see that. Hope you did? Okay, good. Okay, thankfully everything is working. Okay, so glad you're here. We're just about ready to start. If you are just joining us in zoom pop up in the chat, I'm going to drop in the bundle of links that has things in it. Well there we go. So that's the slide bundle. There are links in the slides you might want. There's also a sample client email. That's basically exactly what I sent out to my clients
all right, it is now three minutes after so let's get started shall we?
Well, good afternoon, everybody. Welcome to another live iThemes Training webinar. My name is Nathan Ingram, and I'm the host here at iThemes Training. And today we're talking about managing clients and passwords. All the things that I learned after this LastPass debacle that kind of drew our attention away from the holidays at the end of the year and made us think about some things, so glad you're here with us. So if you are just joining us in Zoom, I would welcome you to open the chat, as over there. Say hello, tell us where you're logging in from today. There's a bunch of links that are there in the chat. If you're watching this on the replay, you can click the Download Handout button which is below the video and you can download all these things as well. Also, there'll be a link in the webinar description for the sample client email text. The link for that is also in the slide. So good to go there. All right, so before we get started today, quick reminder: if you have questions, please use the Q&A there in Zoom. I'm not going to be watching those during the webinar. I'm going to be talking, so we will have some time for Q&A at the end. But as always, use that Q&A in the Zoom menu, pop that open. You can enter questions there. You can also upvote the questions of others. And that's the order in which we'll take questions at the end. So let's get started talking about this LastPass business. So let me take a quick poll in the chat room. How many of you were using LastPass and you're in the process of doing something about that now, like you're moving away to another password manager or maybe you've already done it? Yeah, okay, good. So that's what we're talking about today. I need to give some disclaimers. Okay, so first of all, I am speaking in this webinar. I'm not speaking for iThemes. I'm not speaking for Stellar or Liquid Web or any of the associated brands that are associated with iThemes. This is my personal experience and my personal opinion.
Okay, so this is me, as a fellow agency owner, a person working with clients doing WordPress things. These are things that I've come to think about and do and so forth. So this is my personal experience and my personal opinions; that does not reflect any recommendation or advice or anything like that from iThemes, Liquid Web, et cetera, et cetera. Okay, can we all agree to that? Everybody good with that? You should research this matter thoroughly. You should develop your own opinions and actions. What I'm trying to do here in this webinar is maybe save you a little bit of time, because good grief, it is ridiculous having to do all this. Like there is no shortcut to changing 1500 passwords. There's just not, so yeah, what a mess this is. Okay, so let's talk about where we're headed over the next hour and I will do my very best to also leave plenty of time for Q&A at the end, although this may... If you're relatively new to iThemes Training: forever, we've had this thing called ish time. So we're supposed to end at two; it's going to be two-ish today. I just have this feeling we're gonna go long, and I'm fine with that. I can go about 10 or 15 minutes long today. I just want to make sure we get good, good answers for everybody. So what we're going to do first is talk about assessing the situation, answering some common questions about the LastPass hack. We did a lot of this in the previous webinar with Kathy Zant. And I believe that is linked somewhere. If not, if one of you kind folks would go into the iThemes Training library and link that webinar for the chat, that would be helpful.
Then also we're going to just think about what the strategy looks like for changing 8000 passwords that we're all managing, right? And then how do I communicate with my clients about this? And then just a few final thoughts, wrap-up stuff, just from my own experience. Thank you. All right, Melanie has the link there; if you missed the webinar with Kathy Zant, look at the chat. If you're watching this on the replay, pop open the chat; there's a link that Melanie just shared at 1:07pm that has the link to the previous webinar. I highly recommend that; it's a lay of the land, understanding what's going on with LastPass. So let's start out with just assessing the situation and what we know. This is what we know: LastPass was breached multiple times in 2022. More than 30 million user vaults were stolen, based on what information is kind of out there. Also, at least some of the LastPass source code was downloaded, meaning hackers could stand up their own LastPass environment and do things with it. Also, it's been, you know, almost a month since LastPass has said anything else about this, this catastrophic, in my opinion, breach of their security. They haven't talked about it at all. This is the last blog post, on December the 22nd. So here's something else that we've come to know after all of this: LastPass vaults were not fully encrypted. So passwords were encrypted, notes were encrypted, but you can just read in the vault code in plain text: the email address associated with your LastPass account, the URL of the site, the username of the site. None of that was encrypted. So if you have LastPass, and your vault is out there, they can read all that information. And you might say, well, big deal. They can't log into my site. There's some other problems that we're going to talk about. Also, LastPass hashing iterations were significantly weaker than the OWASP recommendations. OWASP is a security group; they set standards for the security industry.
They recommend like 310,000 iterations of your password, meaning when you put in your password, it hashes it 310,000 times or something like that is what they recommend. LastPass's recommendation was 100,000. And if you have an old LastPass account, like me, they never bumped it up. So mine was set at 5000. So woefully, woefully unprotected, according to modern security standards. So those are the things we know. And so let's talk about some common questions. And I hear this a lot. I've seen this in Facebook groups where people were like, oh, it's not a big deal, tempest in a teapot, I'm not worried about it. Okay, are people making a bigger deal than they should be? No, this is a big deal, in my opinion. Your vault has been stolen. It is a file. It's a physical file that is now out there forever and odds are someday it could be cracked. Right? So are they making a big deal about it? Well, and some people say, well, my LastPass password is going to take 3000 years to crack. Okay. How secure is your LastPass password? The best practices that LastPass gave were at least a 12 character complex master password. Great. And if you put that in one of those things of, you know, howlongwillittaketocrackmypassword.com, they'll say it takes about 3000 years to crack a 12 character complex password. Great. There's a couple of problems with that. That 3000 year total is actually zero to 3000. It takes 3000 years to try all the possible character combinations. Chances are they've stumbled on it somewhere in the middle, right? So it's probably less than that number, and that, by the way, that number is assumed based on whatever metric they used and processing power to decide how long it would take. So just for example, now this doesn't directly apply to today, I found this old graphic; I couldn't find anything else about this that was recent.
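The iteration counts named above (5,000 on the speaker's old account, LastPass's 100,000 default, the 310,000 OWASP figure) are the work factor an attacker has to repeat for every guess at the master password. The script below is an added example, not part of the webinar or of any LastPass code: it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the vault key derivation, derives a key at each setting, and reports how much more work each setting costs relative to the 5,000-iteration account. The password and salt are constructed values.

```python
import hashlib
import time

# Constructed values for the demo; not a real master password or vault salt.
MASTER_PASSWORD = b"constructed-master-password"
SALT = b"constructed-salt"
KEY_LEN = 32

# Iteration counts named in the talk: the speaker's old account,
# LastPass's stated default, and the OWASP figure he cites.
ITERATION_COUNTS = {
    "old_account": 5_000,
    "lastpass_default": 100_000,
    "owasp": 310_000,
}


def derive_vault_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 as a stand-in for the vault key derivation.

    The iteration count is the work factor: every guess at the master
    password has to repeat this many HMAC rounds before it can be checked,
    and the count baked into a stolen vault copy never changes afterwards.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def work_multiplier(iterations: int, baseline: int) -> float:
    """How many times more work one guess costs at `iterations` than at `baseline`."""
    return iterations / baseline


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Wall-clock cost of a single derivation on this machine, averaged over `repeats`."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive_vault_key(MASTER_PASSWORD, SALT, iterations)
    return (time.perf_counter() - start) / repeats


def compare_iteration_counts() -> dict:
    """Per setting: the iteration count, its work multiplier versus the
    5,000-iteration account, and the measured per-guess cost here."""
    base = ITERATION_COUNTS["old_account"]
    return {
        name: {
            "iterations": n,
            "multiplier": work_multiplier(n, base),
            "seconds_per_guess": seconds_per_guess(n),
        }
        for name, n in ITERATION_COUNTS.items()
    }


if __name__ == "__main__":
    for name, stats in compare_iteration_counts().items():
        print(
            f"{name:18} {stats['iterations']:>8,} iterations  "
            f"x{stats['multiplier']:>5.0f} work  "
            f"{stats['seconds_per_guess'] * 1000:7.2f} ms/guess"
        )
```

The multipliers are exact (310,000 / 5,000 = 62), while the millisecond figures depend on the machine; the point of the measurement is that a vault left at 5,000 iterations gives an attacker sixty-odd guesses for the price of one at the recommended setting, and that raising the setting now only helps the live account, not the copy already taken.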
But this is like 2016 and I found this infographic How long does it take to crack the password security one and yes, I know it's not complicated. And blah, blah, this is an example okay. In the based on the technology and the processing power that was available and given years. So in the year 2000. It was taken three years 10 months, but look processing power is increased 2001 Two years, nine months and keep going. One year one year seven months, six, four, all the way down here by you know, by the time we get down to 2013, three months now down to the time of 2016 Two months processing power increases. So I don't know what metric these generators are using to say it's going to take 3000 years to crack a 12 character complex. Password. But I wonder if they're taking into account like these crypto machines that are generating Bitcoin with graph that with GPUs and not CPUs that are 1000s of times more powerful than they have been in the past. Right? How long is it actually going to take now to crack a 12 character? I don't know. You know, and next year or five years from now, how long is it gonna take to actually crack those with as processing power increases? You might see oh, it's only gonna take like a week to crack that. I mean, I don't know. But the point is, technology is always increasing and that vault is out there forever and there's nothing you can do about it. Like it is what it is. That vault is out. there forever, and there's nothing you can do about it. And I'm just considering you know, is it gonna get cracked tomorrow? Probably not. But one day it probably will. Another thing I've seen and is well just can I just update my Master Password? Well, no, because the vaults were stolen sometime. Between August in December of last year. They won't tell us when updating your Master Password and LastPass affect your live vault now, but that file with the old password, it's already out there. It's encrypted with that password. 
There's nothing you can do about it. Another thing I've heard is, well, you know, sure, you know, LastPass is learning lessons from this. They're making changes. Should I really switch from LastPass now? I mean, look, it's a personal decision. But my questions are: do you believe you can trust LastPass to keep your information secure? This is one of those situations where you had one job, right? You had one job and it was to protect my passwords, and you failed on multiple accounts, in my opinion, to do that. So no, I'm not going to trust LastPass anymore. Can you trust LastPass to keep you informed, with the information needed to make decisions? I mean, no. We're on a LastPass anything will you find the perspective of your vault is stolen, it's out there forever, and it's really ultimately a matter of time before somebody can crack that relatively easily. That's my opinion. Do you need to switch from LastPass? I am. I am. Another question I see is, do I really have to update all my passwords right now? Probably not. So if you're worried about, oh my god, it's gonna take me 40 hours to update all that, I get that, right. I get that. It's probably not urgent. But it is important, right? Not urgent, but important. At some point. Do you believe your vault will never be cracked in the future? If you think that's the case, then don't worry about updating passwords. I'm of the opinion that at some point, my vault is likely to be compromised, probably not tomorrow or next week or maybe even this whole year. But it needs to be dealt with. It's important. It's not urgent. Does that make sense? Everybody good on that so far? Let me just check in with the chat. All right. Good to go. Makes sense. So I'm going to assume that you're on board with me for moving to another password manager. So let's talk about creating a strategy for changing passwords. There's no easy way to do this, y'all. Here's the thing.
Exporting passwords from LastPass into another password manager is easy. You can do that in like five minutes or less. LastPass will export a CSV or a JSON file. And most of the larger industry standard, you know, big names out there in the password management department, you know, 1Password, NordPass, Dashlane, Bit... excuse me, BitKeeper, Bitwarden. All of those out there. You know, they will import either the CSV or the JSON that LastPass exports. That's the easy part. But before you do that, it probably makes sense to make a pass through that export, that CSV, to do a few things like: are there any duplicate accounts in there that I need to get rid of? Are there old passwords and junk that I don't need anymore in that export? Probably, if you're like me. Are there some priority accounts I need to change first? The answer to that question is yes. If you, like me, had 1800 passwords in LastPass, you know, 100 of those are highly important. They're like banking things, things that, you know, like my Amazon password, people could get in there and buy stuff, or, you know, my bank pass, credit card, all those things that are high priority, like I need to mark those somehow to change them first. And then wait a minute. What if I've saved client accounts and they're like, my client gave me access to their Vimeo or their MailChimp or whatever. And I've got their password in there. Well, guess what? I as a business owner need to be diligent about informing my clients that potentially that login is compromised. So I need to do all of that and I need to really... the best place to start with that is that CSV export from LastPass. So here's what I'm going to recommend as a strategy. This is exactly what I did. You know, take it, you know, do this yourself, modify it, whatever. But I thought through this extensively before I started actually doing the work. So what we need to do first of all is prepare the sheet. And I'm going to suggest that you export LastPass into a CSV that you can open in a spreadsheet app, and I'm talking about not in the cloud. Don't use Google Sheets. You do not want your passwords in the cloud, right? Don't put them out there again; do this locally, like with Excel or Numbers or whatever, nothing in the cloud. Do this locally.
Open up your sheet so also, what you need to do is make a first pass through the sheet now this took me a few hours. And I did this over the holidays, which was no fun is just terrible. But I made my first pass through the sheet and we want to do some things that will help us to sort out some things, pick out some duplicates, and so forth. Now, to make this a little bit easier. Here's what I would recommend. Now this is a sample. Now though, this is like the last pass export. I've got some extra columns in here and I've deleted a bunch of stuff too. And so I'm just going to use this as an example. So the first thing I would suggest that you do is you probably like me, you've got a ton of URLs. If you've been around using this forever. You probably have some with HTTP and some of HTTPS. You have some with www and some without some of them might even contain like app.something.com Look at all of those. And what I did was I just removed all of that. So all I had in the URL was the actual domain name, the login still gonna work. You know, if you're at app.domain.com, your password manager is going to realize that and you can still log in, but what my goal here is to get all the domains in a list that I can sort by and as I'm processing through it, I can see duplicates and chunks of the same domain name, and it's likely that I have the same username and password saved for you know, the five logins I have for Vimeo for some reason because it's app dot Vimeo or vimeo.com, or whatever it was. Does that make sense? So I'm sorting them and I'm removing duplicates on this first pass. Oh, I just lost my spreadsheet. Here it is. Okay, so once I've done that, and I've got I've got the those things, the HTTP sorted out, I've got www and that subdomains removed, I can look at all my domains in the list. Now, what I did was I added three narrow columns on the left, that are for sorting purposes. 
So I did there's D L for entries I want to delete, there's no T for entries, I want to notify the client and there's PRI entries that are a critical priority to change. So this is what that looks like for me. So what I discovered was it takes a lot more time to go through and delete a row for each of these I want to delete than if I would just put an X right there. I'm just one I'm just going straight down and I'm marking any of these that I either need to notify the client about or they're a top priority, or I need to delete them. I have top notes to match my slides it should say PRI for priority. So just put an X now, what we're going to do later is sort by that column and just delete them all at once. That makes sense. We'll get to that in a minute. So once I get all the columns set up, I'm going to sort that sheet by the URL column, so that my URLs are all together and I can pick out my duplicates and I'm just I'm going to put a you know if it's a duplicate, I'm gonna put an X there and just keep x out all but one of the duplicates as I'm going through in this first pass. All right, now, so what I'm gonna, what I'm doing at this point is I've got everything set up and I'm gonna work my way line by line down the sheet. I'm gonna mark X, put an X or whatever character you want, it doesn't matter. But in each of those columns as appropriate, you if you want to, I thought about doing this at first, like scaling the priorities, like is it priority one, two or three, like super important or, you know, kind of normal or three, who cares? And then what I realized was as I started that process, I was spending too much time thinking about the priority right now. If it's, it's either going to be priority one, and I'm going to mark that or just don't worry about it. It's so it was just an x for me. 
I mean, do it however you want to but my goal was, I want to get through this sheet marking these things as quickly as possible so that I can get you know junk deleted and stuff imported and my priority passwords reset as quickly as possible. So if you have a duplicate mark one, you know Mark, Mark all of them but one as delete. And it this process, like I say here, it takes forever, and it sucks like there's just no way around it. You know, I got up and left and came back you know, multiple times and just picked up where I left off through this. It took hours to make a pass through that 1800 But once I had it done, I was in a lot better shape. All right. So once I've gone through sorting the entries, I'm going to start to clean up the list. And basically what that looks like is for just getting rid of the deletes first, so I'm going to sort by the Delete column. So just oops, let me get this where I can see all the sort by that one. So that all my delete so let's you know let's let's mark a couple more for delete too. So you know it's going to sort by the deletes. This is basic spreadsheet thing. And I will just go through and delete the ones in one one shot delete all the ones that were checked, delete, right. Now what I also did, and this was helpful because I'm afraid of breaking things I actually created a, a tab for those deleted ones. So I copied the things I was gonna delete and put them in that tab just in case I accidentally miss marked one. And then I on the main tab, I deleted all the deletes. And I'm gonna do my import from that main tab, but just in case I had those delete saved over on this other tab. Does that make sense? Everybody? Are you with me or am I'm not making sense at all. Give me a year or a question. Or Yes, Melanie, you could do it in another sheet, whatever. Okay. All right. Do the
same loops. Do the same thing with the notify records. Sort by the n o t column, copy those to another list and then delete those out of your main login because those logins aren't going to be valid anymore because your clients are going to hopefully change those but keep them on their own tab or in their own separate sheet so you can refer back to them if you need to. I just don't want to import those into my password manager again when I'm starting fresh. All right. So last of all, same thing for the Priority Records. I'm going to move those to their own sheet delete those out of the column. So at this point, your main tab should only have left all your standard records. They're not priority, they're not notified, they're not going to be deleted like that, or they're already deleted, right? All that's removed. It's just whatever is left. That's going to be your primary import. So that's the first step you're going through and cleaning up this list. Now the next thing I'm going to suggest that you do is change your priority passwords. So priority passwords, your financial institutions. Now here's what I here's what I learned about this. And I tweeted about this in the middle of this process. I want to strangle with my bare hands. The security person at a bank that says no, your password has to only be 18 characters, and it can't contain all the symbols it can just contain these symbols. And oh no, it will send them out some symbols are different allowed than on other sites and it's like Good grief. Do you people want us to use a password manager or not? You're making this harder than it has to be just let us use a password right? It's so freaking annoying. So I had to develop something that was going to allow this to work easier. Because what I wanted to do is go through and change my priority passwords first. Now remember, these are not in the standard list that I'm going to import. 
And that's because as I go through and change them, I want my new password manager active so that it can save that new password as I'm changing it on the site. I'm going to do those one at a time so that we have to deal with this whole password issue first. So what I'm going to suggest that you do is pre generate your priority passwords, regenerate your priority passwords. So I found it's helpful to have these passwords pre generated you can just copy and paste because and what I've discovered is most all financial sites, even the ones that are finicky about which symbols you can use like you can't use greater than you can't use whatever. I don't know why. I don't know why I legitimately don't know why other than no I don't I don't know why. So, Paul, I tried this with chat GPT and I couldn't make it work. So this is what I ended up with instead, this password generator online website and these are the group of symbols that are allowed is this. So generate as many passwords as you have in your priority list. So let me just get all right. So what I'm going to suggest next is you're going to add a new password column. So rename the password column old and add beside it new so this one is going to be old password. And this one new column is going to be new password. Now these will just say these are our priority. There's here 11 No 10 Priority sites and just pretend these are all priority and I know some of them have not that over here but just pretend these are priority sites. So we're going to paste output from the password generator into that new password column and here's how that's gonna work. This is what that advanced Password Generator looks like. And so I'm gonna go through and do you know, how long do I want those passwords? 30 characters. I want lowercase uppercase and numbers don't check symbols because then it puts all the symbols but characters to include. There's my group of list of allowed frequently allowed symbols. 
So add those and then the number of passwords to generate. This is going to match how many are in your priority list. So if you have 82, put 82 in; you know, for this list, I had 10, so I would put 10. Now when you hit generate password, it's going to just give you in that text block below all those passwords, which you can literally copy out of there, paste it in the first cell here, and it'll go straight down and fill up as many lines as you have a priority password. So now you're ready to just go to your password manager and enter that new password which you've generated. Does that make sense? Now you can do it however you want, right? Like you can try it like, I mean, I struggled trying. Okay, I'm gonna try it again. Try to generate a password and hope that... and just, I got no, I'm just gonna pre-generate these passwords, and that way I can just copy and paste it into the priority site as I'm changing it. Okay, Mike, yes. So a lot of the characters they disallow are because some of the main things in programming, and I understand that, but it's not consistent from site to site. So I mean, you know, I don't know. It's just complicated. Maybe the password managers need to say generate a password that only contains the safe set of characters, or something, or somebody needs to agree on what the safe set of characters is, because it's just, it's frustrating. It's another thing that makes this even harder. All right, so let's go back. And okay, changing our priority passwords: before you start this, make sure you have your new... whatever your new selected password manager is (we've chosen Keeper and we love it). Turn off LastPass. What you don't want here is a battle, a duel between your two extensions managing passwords; that will drive you batty, trust me. Also, you do not want LastPass to save your new password as you're adding these. So turn off LastPass, turn on the new browser extension, and then go one at a time and change your password on each priority site.
And as you change it, save it in your new password manager. Does that make sense to everybody? So at the end of this process, the only thing we now have in our password manager are all our priority sites, and they've been changed and they're there and they're good. All right. Now the next thing we're gonna do is we're going to import our other passwords, the stuff from the main tab that we've made our pass through and deleted stuff and so forth. Now what I'm gonna... this is going to save you a ton of time if you will do this. We're going to make a change here. So there is a... I just realized I can't copy directly from this. So what we're gonna do is we're going to make a new column called Name 2. So right here, this Name column is what in some password managers they call the title. It's like the name of the login that it's going to show. I'm going to make another one here that says Name 2, because I'm going to do something here so that I can know which of these passwords I have changed and which ones I haven't. Now remember, the passwords on this list at this point are not the priorities. They're just our regular passwords, and we're going to import all these into our new password manager. So we're going to use this little spreadsheet formula, which I'm gonna have to type because I forgot to have it where I can copy and paste it: =CONCATENATE("CHANGE ", H2), just like that. Okay, so here's what it is, here's the formula: CONCATENATE, "CHANGE ", H2. You know, J2, or J2 is the adjacent column with the original name. So in this case, it's H2. And the output, look, it says CHANGE in the name. This is what you want. Because what's going to happen here is, when you import this, this is going to be the name of the password card, not this; this changes there. So you know that the next time you go to that site, when you're ready to log in, and it says CHANGE, oh, I need to change that password.
And then when you change it, you delete the word change out of the title or the name of the card. And that way, you know, which of the passwords in your vault that you've changed in which one hasn't? Does that make sense? That's gonna save you a ton, a ton of time later. So from your spreadsheet, now, we're going to export the primary tab as a CSV and import that CSV into your new password manager and be sure when it's going through the mapping process of which column fits what field that you're importing your name to as the title or the name of the new record in your password manager. So now you have some passwords that have changed and others don't. So as you log into sites like I just said, and you go to fill the password in it says change you know, how can you take just an extra minute Annie to go through the password reset process, and then you know I'm done or you can even invest some time and password change for and password change update. Sprints. I'm gonna spend an hour this morning I'm just gonna start at the top and you know, the next 50 changes that are in my list. I'm just going to knock those out over the next hour. So that's this will help you keep track of which passwords have been changed and which ones haven't. Alright, I'm going to pause just for a minute everybody good to go. Does that make sense? Chris is asking, Can I change 50 passwords in an hour? Nope, that was being I was being optimistic. Okay, so let me talk about some frustrations that I've encountered during this process.
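The spreadsheet workflow laid out above (strip URLs down to the bare domain, sort, X out duplicates, split off the delete / notify / priority rows, pre-generate priority passwords from a restricted symbol set, and prefix every remaining record's name with CHANGE) is a sequence of steps that can be run once over the export instead of by hand. The script below is an added example and is not the speaker's spreadsheet or any LastPass or Keeper code: it works on a constructed five-row CSV in the column layout LastPass exports are assumed to use (`url,username,password,totp,extra,name,grouping,fav`), takes the priority and notify flags as constructed domain lists instead of hand-typed X marks, and uses an assumed symbol set because the page does not list the actual characters. It runs locally and never writes anything to the network.

```python
import csv
import io
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample export in the assumed LastPass CSV layout; all values are made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://www.example-bank.com/login,nathan,OldBankPw1,,,Example Bank,Finance,1
http://app.vimeo.example/,studio,VideoPw2,,,Vimeo,Clients,0
https://vimeo.example/log_in,studio,VideoPw2,,,Vimeo (old),Clients,0
https://mailchimp.example/,client@client.example,ClientPw3,,,Client MailChimp,Clients,0
https://shop.example/account,nathan,ShopPw4,,,Shop,Personal,0
"""

# Stand-ins for the PRI and NOT columns the speaker marked by hand (constructed).
PRIORITY_DOMAINS = {"example-bank.com"}
NOTIFY_DOMAINS = {"mailchimp.example"}

# Assumed "frequently allowed" symbol set; the page does not list the real characters.
ALLOWED_SYMBOLS = "!@#$%*"
PASSWORD_LENGTH = 30


def bare_domain(url: str) -> str:
    """Reduce a saved URL to its registrable domain: drop scheme, path, port and
    www./app.-style subdomains. Naive last-two-labels rule, so co.uk-style
    suffixes would need a public-suffix list; good enough for sorting."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def generate_password(length: int = PASSWORD_LENGTH, symbols: str = ALLOWED_SYMBOLS) -> str:
    """Random password from lower/upper/digits plus only the allowed symbols,
    drawn with the secrets module and re-drawn until every class is present."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def triage_export(csv_text: str) -> dict:
    """Split the export into the four 'tabs' from the talk: duplicates to delete,
    client logins to notify about, priority sites with a pre-generated new
    password, and the main list whose names get the CHANGE prefix."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["url"] = bare_domain(r["url"])
    rows.sort(key=lambda r: (r["url"], r["username"]))  # duplicates now sit together
    seen = set()
    sheets = {"delete": [], "notify": [], "priority": [], "main": []}
    for r in rows:
        key = (r["url"], r["username"], r["password"])
        if key in seen:
            sheets["delete"].append(r)  # same site, same login: keep only the first
            continue
        seen.add(key)
        if r["url"] in NOTIFY_DOMAINS:
            sheets["notify"].append(r)  # client-owned login: tell the client, do not import
        elif r["url"] in PRIORITY_DOMAINS:
            r["old_password"], r["new_password"] = r["password"], generate_password()
            sheets["priority"].append(r)  # change these by hand first, new PM extension on
        else:
            r["name2"] = "CHANGE " + r["name"]  # the CONCATENATE("CHANGE ", H2) column
            sheets["main"].append(r)
    return sheets


def main_sheet_csv(sheets: dict) -> str:
    """Render the main tab as the CSV to import, with name2 mapped to the title field."""
    fields = ["url", "username", "password", "totp", "extra", "name", "name2", "grouping", "fav"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for r in sheets["main"]:
        writer.writerow(r)
    return out.getvalue()


if __name__ == "__main__":
    tabs = triage_export(SAMPLE_EXPORT)
    for tab, rows in tabs.items():
        print(f"{tab:9}", [r["name"] for r in rows])
    print(main_sheet_csv(tabs))
```

On the constructed input the two Vimeo rows collapse to one (the app. subdomain and the bare domain normalise to the same key), the MailChimp login lands on the notify tab, the bank row gets a 30-character replacement drawn only from the allowed characters, and the main CSV carries "CHANGE Shop" and "CHANGE Vimeo" in the name2 column ready to be mapped onto the password manager's title field during import.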
Number one. All, no, most sites have various password reset processes and they're all different, and you have to find those and it takes time. Like where, where is it located? Is it under Account? Is it under Profile? Is it under Security? I mean, lord knows where it is. I don't know. I gotta find: where do I go to change my password? And then there's the thing we talked about, like which special characters and how long can the password be. You know, I ran into one of my financial institutions that said your password can only contain these characters and it can only be 18 characters long. I'm like, why? I mean, why, really? And I sent them an email. And I was probably not nice about it because I was frustrated at that point. But you know, maybe they need to have, you know, the strongly worded email. And also I've discovered that roughly it takes two to four minutes to change a password. That's about 50 hours of constant work to change 1000 passwords. There's no easy way to do this, y'all. There's just no easy way to do this. So it's frustrating, and it's not like I didn't have, you know, I was just sitting around with nothing else to do anyway. So, yeah, those of you that are noticing that I'm a bit animated, this is because this is touching on some frustration that I have that's deep-seated about this whole stinking process. So anyway, Delia, how about hiring a VA to change our passwords? I don't know about that. Um, I don't know about that. I would not recommend that. Anyway, okay. So that's the strategy. Is that helpful? Is there anything about that strategy that doesn't make sense? All right. Let me hit a couple of questions that have been asked. Stacy says the slides you're showing of your sample spreadsheet. So Stacy, that wasn't a slide. That was like an actual window right there. And it's not a slide, so it's not in the slides. But that's why I just did a live demo. So you can go back and rewatch if you need to. Let's see. Devin.
I'm going to answer that question. Amelia: what about replacing credit cards? I still use all my five cards and am curious about security. And yes, so anything that was in LastPass, anything: payment cards, secure notes. It's all, I mean, if they crack your master password, it's all gone. So the way that I'm dealing with credit cards is the way I'm dealing with passwords. Is it urgent? No. Is it important? Yes. Have I canceled my credit cards yet? No, because that's going to create some additional work that I don't have time to deal with right now. Will I, probably in the next three to six weeks? Yes, and get new credit cards. But like, I had a secure note in my LastPass account that had both of my daughters' Social Security numbers in there. I mean, that's gone. It's out there. There's nothing I can do about that. And it really annoys me. So yeah, anyway, so at some point I will cancel the credit cards, but then I've got all the subscriptions I have and things on that card; like, it's just, yeah, that's another thing. Okay, let me keep moving on here. Let's talk about the client side of this. How do we talk to clients about the LastPass breach? And we'll just start with the question: should I notify my affected clients? And by this I mean, have you as a business, or as a, you know, whatever, have you saved a client login they gave you to access something that they own, like their Vimeo account, their Zapier account, their MailChimp or Constant Contact, or their hosting account, whatever? Have you saved the client's password? Not, by the way, one of these situations where they've delegated you access to their GoDaddy account, or they delegated you access to their MailChimp account. That's the better way to do this. But you actually have the client's login.
Yes, in my opinion, you should 100% notify the client, because you put them at risk. Like, not intentionally, but you made the decision to store that password in the password manager, and that password manager has gotten compromised. So yes, in my opinion, you should reach out to 'em. Again, I'm not a lawyer. I'm not speaking for iThemes or Liquid Web, right. It is, in my opinion, as a business owner, and I'm just trying to do the right thing by my clients. Yes, I think we should let the client know. If you had a client password saved, it could be at risk. I notified all my clients about the passwords and they were grateful for the alert. So here's the text of the email. It is in, let me give you the slide and link bundle in the chat again. The sample client email is this Google Doc, which is right here. And it basically says, I'm just going to read it because why not: "Dear [name], I'm contacting you today to let you know that some of your passwords may have been compromised in the recent hack of LastPass, one of the leading password management platforms. For many years we've used LastPass to securely store passwords for our business. In December, LastPass informed its customers the password vaults of all their customers were stolen by hackers who penetrated their security in a sophisticated attack. In the course of our work with you, we used LastPass to save passwords to some of your accounts, which are listed below." Heading, big bold heading: "Have your passwords been compromised? Your passwords, which were downloaded in the LastPass breach, were encrypted with our secure 12-character master password" (insert your character count there). "Our password met the best practice criteria set by LastPass and could take up to 3000 years to crack. We have no reason to believe at this time your passwords are compromised. However, our LastPass vault could be compromised at some point in the future if our master password is cracked. So what do you need to do now?"
"We recommend that you immediately reset all the passwords to the accounts that are listed below. As a best practice, all your passwords should be complex and only used on a single site. Number two, if you were using LastPass as well, which many of our clients were, all the accounts in your vault have been stolen like ours have. We're beginning the slow process of resetting all the passwords in our vault and we recommend that you do the same. We also recommend switching to a different password manager like [insert your favorite password manager here] as part of that process. Your accounts that are potentially vulnerable:" and just list the client accounts that showed up as you sorted through your passwords. "At Brilliant Web Works, we follow industry-standard best practices to keep your data safe. The catastrophic LastPass breach has rocked the tech world and affected more than 30 million users worldwide." That's just saying, like, we're not dumb, and you know, we're not alone in this. "We will continue to monitor the situation and keep you informed if any other information that affects you comes to light. Should you have questions about our handling of your data, or questions about this breach or what you should do in response, please feel free to contact me directly. Sincerely yours," blah, blah, blah. So feel free to copy and paste that thing and use it, tweak it for you. Use that email, let your clients know about this. So a couple of things to note about that email. Number one, the tone is serious, but it's not alarmist. It's like, oh my god, the world, it's, you know, the world's not coming to an end. But it is serious and you should do something about it. The purpose is informational, but their next steps are clear. And we've got things worded in headlines because some people scan and they don't read, etc. And the client is invited to reach out for questions. Does that make sense? So that's the way I did it.
And I recommend that to you, and you have a template that you can follow if you would like it. Okay, wrapping up here with a few final thoughts based on my experience. Okay. I really realized we were not doing some things very well. We need to tighten up our data storage practices. Don't save client passwords unless it's necessary, y'all. You know, it is really easy for everybody watching webinars like this to look at a presenter like myself and think, oh, you know, he's got it. He didn't make any mistakes. He's got it all together, everything is just perfect. And trust me, that is not the case. I found client accounts, people that I haven't worked with in 8 to 10 years, were still saved in LastPass, because my LastPass goes back that far. It goes back forever. And like, that should have been, when they no longer were a client, we should have cleaned that stuff up, and I didn't do it. I just didn't do it. And this has really opened my eyes to the fact that, good grief, we need to tighten up our data storage practices. So number one, don't save the client password unless it's absolutely necessary, and then only keep it for as long as you absolutely need it. Number two, take advantage of the delegate access function that most big websites have these days, for Google Analytics and for, like, MailChimp and Constant Contact and other things, your GoDaddy for domains and Google Domains. All these, most of these shops now have delegate access, so you never have to see the client's password and you only have to maintain your own. So use that. And the last thing is, when you're offboarding a client, like if they leave your management service or whatever, in your offboarding checklist, and yes, you should have a checklist, put in there: go through there and delete your passwords. If you've saved their password, delete their password as part of your offboarding process. And that's going to help out a lot. I wasn't doing that for a long time.
And I had a lot of, you know, old client passwords in there. Now, by the way, what did I do about those client passwords that were 10 years old? I'll be honest with you, I tried to log in with them. And if they didn't log in, then I just deleted them. I did not inform those clients, because there was nothing at risk in that client's username and password. Even if it gets cracked, it doesn't matter, because that username/password combination doesn't work anymore. Another thing:
I haven't written this email yet, but I probably will in the next couple of weeks. We really need to be alerting our clients about what I think is the imminent threat of very, very clever social engineering hacks and phishing. Because here's what's going to happen. The immediate threat about this LastPass deal is not necessarily the encrypted data in the vault. It's the fact that they know your name. They know your email address, they know your username and the URLs of all the stuff you log into. So they can say, oh, Beth Livingston there in the chat, you log into Facebook with this user ID and email, and you log into Trello with this username and email, and oh, I'm sure we're gonna send you this really official-looking email: "Dear Beth, we at Facebook have made this new thing where you can connect your Trello. Wouldn't it be great to connect? Here's your, and you can connect your Trello with username [blank] to your Facebook account with email [blank]. Just click here to do it." And you click there and it opens up a thing and you log in with your, you put in your Facebook credentials. Boom. Here's your Trello credentials, boom, and now they've got everything. That's what they can do with this today, because none of that stuff was encrypted. So that is the imminent threat of the LastPass breach. And it burns me to no end that LastPass left that data unsecured so that that could happen. It just, I mean, in my opinion, it's completely inexcusable for a so-called security company to do that. It just blows my mind to think that they did that. And so we have to educate our clients, and there's going to be victims of this and phishing attacks. It's going to be a nightmare, I think, in the coming months. I expect we'll see a huge increase in very sophisticated, believable phishing attacks in the near future. I haven't figured out how to talk to my clients about this yet, but I need to, because it's really going to be a deal.
All right, what about those situations where you told the client that they need to change their password, now they've got this new password, how are they going to get it to you? Oh, they're going to email it to you? No, don't have them email you their new password, obviously, because then it's in an email, and an email is forever. So we use this really neat tool, and there's other ones out there, by the way, that are similar to this, but we like onetimesecret.com. It is an open source project by a reliable person. The code is out there on GitHub. So if you're a, you know, if you're a geek, you can get in there and figure out how to deploy this on your own server if you want to. But basically, it works like this. You put in any kind of secret content, so you could, you know, website, username, password, and then they encrypt it with a word or a phrase that's difficult to guess. You can drop down how long this thing lives, is it, you know, one hour to 30 days, and then you create a secret link. And then all they have to do is send you that secret link and maybe text you the password or something like that. So it's in two different places. And so you go to the secret link, you enter the passphrase, then you can view that information once. So this is a secure way to send a one-time secret like this, and we've used this for a long time with our clients. It works really well. Debbie's mentioned quickforget.com. That's another one like this. They're basically saying, I'm not sure if that one's open source. But, you know, I like the fact that it's open source, and you know, maybe when we don't have anything to do, we could deploy this, you know, we might deploy this on our own server. Probably not, but you know. The one thing that we've, we've moved to the Keeper password manager for our agency, and Keeper has built into it a one-time secret function like this to send it to somebody. It wouldn't work in this situation for a client to provide it back to us.
But Keeper actually includes a function like this to send somebody a one-time secret, which is pretty cool. Okay, so that's One-Time Secret. It is, and like Debbie said, what was the other one? You just mentioned quickforget.com. There's a bunch of them out there like this. You can just Google, like, "send a one-time secret" or whatever, and there's several of these that are like that. Just make sure you read the About and make sure they're not weird, that they check out. Sue: do they need to be Keeper users for me to send them a one-time secret? No, no, it goes just like this one, to an email, and it just goes into the Keeper infrastructure for them to view that secret. Pretty cool. Okay, the next thing is: check your LastPass iterations. I mentioned this in the last webinar, and I talked about it earlier today. The OWASP recommendations for the number of times, when you enter in a password, that it is hashed, or basically run through their algorithm to fully obscure the password: OWASP, the security conventions folks, recommend more than 300,000 iterations. My LastPass iterations were set at 5000. 5000! Because when I started my account, that was the standard that LastPass set. It literally took me two or three minutes to bump that up to an acceptable level. I just put a million, because why not? All I had to do was re-enter my master password and then it had to re-encrypt the vault, which took, like, a minute or two, and it was done. But LastPass never told me this. I didn't know this was a thing. I've been a paying customer for like 10 years and they never told me this. So, you know, thank you very much for that, for being a loyal customer. But anyway, to check yours, if you're a LastPass user, and if you have another password manager, just make sure: it's gonna have a similar place where you can check this.
But if you're a LastPass user, go to your vault, go to Account Settings, click Show Advanced Settings, which is a button at the bottom, and then scroll; under the Security heading you'll see Password Iterations, and yeah, so make sure it's at least 300,000 there, and do that now. You know, it's not going to hurt. So I did. All right. The last thing I'll talk about is this: thank God passkeys are coming. Passkeys are going to replace passwords. It may take a year or two for them to become popular and used enough, but even really by later this year, many financial institutions will have already started using these. The latest version of the Apple OS and then iOS support this already. And most major password managers today are talking about how they're going to support passkeys. Bitwarden does not have any articles, which is weird. But there's articles there for some of the other popular password managers; just Google yours and find out what it's doing about passkeys. NordPass also does; I forgot to put them on that list. I just forgot; doesn't say anything about NordPass. Yes, and Kathy, Kathy Zant loves NordPass. Like, that's her thing now. And she talked about passkeys and NordPass on her video on her YouTube channel just the other day. So passkeys are coming. It's passwordless login. It's gonna make things a lot easier. So thankfully, I think, you know, one of these days we're not gonna have to deal with this junk anymore. That's gonna be nice. All right, how about this: when you're ready to break up with LastPass, finally, deleting your vault is a relatively simple process. It is explained here in their help docs. And you know, what I would say is, here's the thing, there's something else that we learned in the LastPass breach, and that is that LastPass retained the vaults even of people that weren't customers anymore.
So if five years ago you were a LastPass customer, chances are your vault may have gotten exploited even though you're not their customer anymore, if you didn't go through and purge and do all the things, whatever. They even said some, it's creepy, past customer information was lost in the hack. They weren't specific about that. So, you know, again, it's another thing they're being very opaque about, so we don't know how to respond, but you just have to assume that your vault was taken, even if you're a previous LastPass customer. So what you can do is go through the GDPR privacy process at this link to insist that they remove all of your customer information. And that's what I would do. So that is it. That is my take on managing clients and passwords in the middle of this garbage we have to deal with. And there you go. So, let us pivot to some questions, shall we? If you have a question that you haven't asked yet, please put it in the Zoom Q&A, and take a minute just to kind of scan those questions, and if there's one that you want to see answered, hit the thumbs-up button to upvote that, and I'm about to start taking questions in the order of upvotes. So we will start with, awesome, Paul. Paul asks: with Keeper, can passwords be shared without the recipient seeing it, like LastPass would do? I don't know what you're asking there, Paul. Can passwords be shared without the recipient seeing it? Like, in other words, if you are sharing it with somebody, they're going to have to accept it into their vault, or it's gonna show up in their shared area. You want to clarify in the chat, Paul? "I can share credentials and they can't see the password." Oh. That's a good question, Paul. I'm not sure the answer to that.
I don't know the answer to that question. I know LastPass could do that, where it wouldn't show the password. That's honestly not something we use very much internally, so that's not a feature that I compared between password managers. I'm gonna guess they do, because they have everything else. Ah, Stacy: how do we know what iterations our password was set at? So just follow the directions on that, a couple slides ago, where I talked about that, if you're in LastPass. Next question, Charlie: any new updates on a possible class action lawsuit against LastPass? Paul, Charlie, I remember, I can't think of where or when, but I remember as I was doing some initial reading about this that a lawsuit has been filed already. Somewhere; I can't remember where or what, or if you just Google, you know, "LastPass class action lawsuit 2022", you'll find it out there. I do remember reading about at least one. Oh, Paul shared the link above. Yeah. So there's at least one out there. There's going to be more. There's just going to be more. Another question from Charlie: would it be better to keep your LastPass account active as a free account, but with a new master password and no accounts, so in case of a legal action against LastPass you can prove that you did have a LastPass account? I don't know. I mean, you could; there's nothing wrong with that idea. Well, there's nothing that's gonna put you at risk about that idea. But here's the thing, look. With a class action lawsuit, do you honestly expect to get anything out of it? Like, you're gonna get 10 bucks, that's what you're gonna get. That is what you're gonna get, if not 10 bucks, probably, out of this whole deal. And the lawyers are gonna make the millions. But you know, ultimately, this is a punitive action against LastPass, so honestly, I'm not worried about any remuneration from LastPass on this beyond...
They better, when I cancel my account, they better refund me the difference from this year, or as much as they'll refund me. I haven't gone down that route yet. But yeah, anyway, yeah. Sue: with 30 million potential people, $10 each. Yeah, add those numbers up. That's, what, $300 million. This is why I, I said in the last webinar, I'll be shocked, again, my opinion, I know nothing other than what I've read, my own personal opinion, but I'm going to be shocked if LastPass survives this. I just can't, I just can't imagine. Okay, ah, Cheryl: why Keeper? How did you decide on which manager to use? Great question. So we bounced around a couple of things. We were really down to about three different password managers. We tried Bitwarden for a bit, no pun intended. I have tried 1Password in the past, and also Keeper, and I just, for whatever reason, I don't like 1Password. It's just, it's a personal preference. There's nothing about its security or how it works or anything. I just don't like it. It's quirky to me and I don't know why, I just didn't like it. Bitwarden was way worse for me. I didn't like it at all; like, it was really kludgy. It had some issues. We settled on Keeper because it supported Duo two-factor, which we like; that's just a personal preference. It also has a lot more features. I'm going to tell you what the killer feature of Keeper is, though. The killer feature of Keeper is their password reset wizard. And what this does is, Keeper kind of watches in the background, and if it, you know, intelligently detects, oh, you're trying to change your password for this site, here's what it does, and it's so cool, and it makes this changing-password process so much easier. So like, when you're on your profile page and it's got old password, new password, password reset, those boxes, Keeper pops up and it says, hey, it looks like you're trying to change your password. Would you like some help with that? Yes.
And it says, okay, click the box where it's your old password, and it fills your old password. Next: okay, click the box where it's your new password and the Confirm; you go boom, boom, and it puts a new generated password there. And then you hit Next and it goes, okay, save it, and you go on the website and it saves it, and Keeper says, did it work? And you say yes. And then you go log in again, and it says, you know, did it work? And if it didn't work, do you want me to revert to the old password? It is the coolest thing ever. I don't think any of the other password managers do that. But it is so great. It makes changing passwords so much easier. So anyway, yeah, it's very cool. By the way, I'm going to share a link; if you like Keeper and you want to get it, there's a link to grab it in the chat. Okay, next up is Devon. "My question is, what is the best secure way to collect client passwords during onboarding?" Great question. So Devin, I would use the one-time secret. You know what, if a client is using LastPass, I think part of my conversation is going to be, did you know they got hacked? Maybe you should import to another password manager, and so forth. But yeah, something like a one-time secret. And they can paste, like, it's a text box, it's a text area, so they can paste in multiple passwords in that single one-time secret. Like that. Sue: at the GDPR link, LLP doesn't seem to be an option. I thought it was there. That's the link they give in their documentation. It's probably, I think that GDPR link, Sue, is for GoTo proper, which is the parent company of LastPass. It's probably an information deletion thing for all of GoTo, I'm gonna guess. But I have to look further into that. Ben: LastPass only has phone support on their normal plans, no email. Really strange. Yeah, I don't know; that is weird.
Cheryl: is there a way to vet Keeper's security, other than, you know, you can read their website and talk about their security practices and so forth? You know, this is really the bigger question: am I trading the devil I know for the devil I don't? I mean, I don't know. I asked this. Here's the thing. I signed up for a free trial of Keeper and I moved into the business plan just to test it, and I had a guy reach out to me immediately. And when I talked to him, I asked him; he scheduled a call with me. I talked through all of my questions about this, and he said, here's one thing we do a little different: even if your vault gets compromised, even if your master password gets cracked, the passwords themselves are individually encrypted. So you have to unencrypt every password in the vault individually. So I, I like that. I like that a lot. But, you know, Keeper's security page talks about multiple outside agencies that test their security and blah, blah, blah. But I mean, you know, it's a company talking about themselves. So how do you know? I don't know. Ultimately, the answer to all of this is going to be passkeys at some point in the future, but for now, yeah. Ben, I'll agree with you that Keeper's support is outstanding. I've liked it a lot. Paul: is the Keeper business account better than the Keeper family account? It depends on what you need. So if you have a team and you want to have a consistent flow, business makes some sense. It's also a lot more expensive. It's a five-user minimum on their business plan, so it's like $120 a year, although they bumped me up to Keeper Enterprise, which has a lot of features I don't need; they gave it to me at the Keeper Business price, which was like $140-$150 a year.
I still haven't decided if I'm going to keep the business level or go with the family level, which is like 60. I mean, honestly, I don't care about paying that extra difference as long as it works. So, you know, I'm still making that decision.
Oh, you know what, thank you, Debbie, for mentioning that. That's another reason I like Keeper: it has custom record types. So within, like, you can say this is a login, this is a credit card. It has, I think, 14 predefined record types that have specific custom fields. But for example, we set up a custom record type for an Amazon IAM account that has all those extra secret keys and blah, blah, blah. And so we just set all those up in a card. And so it's there, so when we go to save that information it's got all the fields for it already. Before, we were just dumping that stuff in the note of the password field, which works, but now it has its own little fields and I like that. Charlie: do you think that Keeper's BreachWatch has any value? I do. I do. I think it's better than, like, Have I Been Pwned, because Keeper's actually, they're doing it themselves. It's a proprietary scan. They're hashing, hashing, hashing back and forth to obfuscate things. But they are actually scanning for the password itself, and not just the username/password combination. So it's gonna be a little more powerful, I think. So BreachWatch, yeah, it's an extra license. So they rolled that into my account for me; they gave me Enterprise and BreachWatch at the cost of Business, like $140-$150 or something like that. So, I mean, I think that's probably where I'm gonna end up. No, like, they didn't know who I was, and I'm not anybody. I just asked for it. Like, when I talk to them, I just say, hey, you gave this person that deal, would you give it to me? Did you do that? Okay, so that's my take on that. Has this been helpful? I, you know, I'm venting a little bit. It's been kind of cathartic for me to get some of this frustration out. I'm a little bit frustrated, as you can tell, about this whole deal. Okay, any last questions before we wrap up? Oh, there's one from Ben.
Is there any way to keep family-type logins from LastPass when you export to Keeper? So yeah, you can; in Keeper's import process, you can read the docs, but you can create a column that's like a folder name, and you can even have, you know, folders with subfolders, and when you import it, it'll just create those folders for you automatically if you have, like, a family folder or whatever. Yeah, that's the easiest way to do it. All right, everybody, that's gonna wrap it up for us today. We are back with Office Hours tomorrow at one o'clock here on iThemes Training. Let me also just quickly mention that next week, next Wednesday, one week from today, we have this great webinar with Timothy Jacobs, the lead developer of iThemes Security, talking about the new feature of iThemes Security, which is, I would consider it an upgrade to Google reCAPTCHA: a privacy-focused and much more user-centric CAPTCHA process in hCaptcha and Cloudflare Turnstile, which are going to be integrated into iThemes Security. I'm not sure if that's live yet. It's very soon if it's not live yet. But Timothy is going to come on and talk about that and how to use Turnstile and hCaptcha in iThemes Security. It's going to make it a lot better, much more user-friendly. Alright, so if you haven't registered for that, let me just drop that link quickly in the chat. Needs to be the right link. There we go. All right. And for those of you members, I'll see you tomorrow on Office Hours here on iThemes Training, where we go further together.
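The spreadsheet triage the webinar walks through (dedupe the export, mark each record with "CHANGE" until its password is actually reset, list the client accounts for the notification email, and carry a folder column into the new manager's import, as asked about in the last question) can be scripted instead of done by hand. The following is an added example written for this page; it is not code from the webinar, from LastPass or from Keeper. The sample export is constructed with placeholder credentials, the input columns follow a generic LastPass-style export, and the output column names (folder, title, login, password, url, notes) are an assumption to be checked against the target manager's import documentation.

```python
"""Triage a password-manager CSV export before re-importing it elsewhere.

Added example, not code from the webinar, LastPass or Keeper. It mirrors the
spreadsheet workflow described in the talk: drop exact duplicates, prefix the
record name with CHANGE for entries whose password still has to be rotated,
strip the prefix once a reset is done, list the client accounts that need a
notification, and emit a folder column so the importing manager can rebuild
the folder tree. Output column names are an assumption; check the target
manager's import documentation before relying on them.
"""
import csv
import io

CHANGE_TAG = "CHANGE "

# Constructed sample export with placeholder credentials (not real data).
SAMPLE_EXPORT = """\
url,username,password,totp,extra,name,grouping,fav
https://example-bank.test,alice,Old-Pass-1,,,Bank,Finance,0
https://example-bank.test,alice,Old-Pass-1,,,Bank (dup),Finance,0
https://mail.example.test,alice,Old-Pass-2,,,Mail,Personal,0
https://client-cms.test,clientadmin,Client-Pass-3,,,Client CMS,Clients/Acme,0
"""


def load_export(csv_text):
    """Parse an export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def dedupe(rows):
    """Keep the first record for each (url, username, password) triple.

    Two records that differ only in name are the same credential; rotating
    it twice wastes one of those two-to-four-minute reset cycles.
    """
    seen = {}
    for row in rows:
        key = (row["url"].strip().lower(), row["username"], row["password"])
        seen.setdefault(key, row)
    return list(seen.values())


def tag_pending(rows):
    """Prefix every record name with CHANGE so the vault itself tracks progress."""
    out = []
    for row in rows:
        r = dict(row)
        if not r["name"].startswith(CHANGE_TAG):
            r["name"] = CHANGE_TAG + r["name"]
        out.append(r)
    return out


def mark_changed(rows, url):
    """Strip the CHANGE prefix from records for url once its password is reset."""
    out = []
    for row in rows:
        r = dict(row)
        if r["url"] == url and r["name"].startswith(CHANGE_TAG):
            r["name"] = r["name"][len(CHANGE_TAG):]
        out.append(r)
    return out


def pending_count(rows):
    """How many records still carry the CHANGE prefix."""
    return sum(1 for r in rows if r["name"].startswith(CHANGE_TAG))


def client_records(rows, prefix="Clients/"):
    """(url, login) pairs stored under a client folder: the list for a client
    notification email, and a reminder of what to purge at offboarding."""
    return [(r["url"], r["username"]) for r in rows if r["grouping"].startswith(prefix)]


def to_import_csv(rows):
    """Serialise with assumed import columns; the folder column carries the
    original grouping so nested folders such as Clients/Acme are recreated."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["folder", "title", "login", "password", "url", "notes"])
    for r in rows:
        w.writerow([r["grouping"], r["name"], r["username"], r["password"], r["url"], r["extra"]])
    return buf.getvalue()


if __name__ == "__main__":
    rows = tag_pending(dedupe(load_export(SAMPLE_EXPORT)))
    print(f"{pending_count(rows)} passwords to rotate; client accounts: {client_records(rows)}")
    print(to_import_csv(mark_changed(rows, "https://mail.example.test")))
```

Run it against the real export by replacing SAMPLE_EXPORT with the file contents; the tagged CSV is what gets imported, and the "CHANGE" prefix disappears from a record only when mark_changed is applied to it after a reset, which keeps the vault honest about what is still pending.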
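The iteration-count advice in the talk (5000 found in an old LastPass account, the 300,000 OWASP floor, the million the speaker chose) can be felt directly by deriving a vault key at each setting and timing it. This is an added example, not code from the webinar or from LastPass; it uses PBKDF2-HMAC-SHA256 from Python's standard library with a constructed master password and salt. The point it illustrates is that each extra iteration is paid once per unlock by the vault owner but once per guess by anyone working on a stolen vault, so the setting is a work-factor multiplier under the owner's control.

```python
"""Compare the work factor of vault key-derivation settings.

Added example, not code from the webinar or LastPass. Derives a key with
PBKDF2-HMAC-SHA256 at the iteration counts mentioned in the talk and measures
how long each derivation takes on this machine. Password and salt are
constructed test values.
"""
import hashlib
import os
import time

ITERATION_SETTINGS = {
    "old LastPass default seen in the talk": 5_000,
    "OWASP floor cited in the talk": 300_000,
    "value the speaker chose": 1_000_000,
}
MINIMUM_ITERATIONS = 300_000


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """256-bit vault key from a master password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def time_derivation(password: str, salt: bytes, iterations: int) -> float:
    """Seconds for one derivation, i.e. the cost of one unlock or one guess."""
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start


def work_factor(base_iterations: int, target_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is the multiplier
    applied to every guess when the setting is raised from base to target."""
    return target_iterations / base_iterations


def iterations_ok(iterations: int, minimum: int = MINIMUM_ITERATIONS) -> bool:
    """The check the talk recommends: is the setting at or above the floor?"""
    return iterations >= minimum


def benchmark(password: str = "constructed master password", salt: bytes = b"") -> dict:
    """Time every setting once; returns {label: (iterations, seconds, ok)}."""
    salt = salt or os.urandom(16)  # a fresh random salt is what a real vault stores
    return {
        label: (n, time_derivation(password, salt, n), iterations_ok(n))
        for label, n in ITERATION_SETTINGS.items()
    }


if __name__ == "__main__":
    for label, (n, secs, ok) in benchmark().items():
        verdict = "ok" if ok else "raise it"
        print(f"{n:>9,} iterations  {secs * 1000:8.1f} ms/unlock  "
              f"x{work_factor(5_000, n):>5.0f} vs 5000  [{verdict}]  {label}")
```

The millisecond figures depend on the machine, but the ratio between rows does not: going from 5000 to 300,000 iterations multiplies the cost of every guess by 60, and the owner still only pays that once per unlock, which is why the talk's two-minute settings change is worth making.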