We're gonna get started here in just a little over four minutes from now. I'm just about to get the slides all set up and, pardon me, the captioning all set up and going.
All right. Glad everybody's here. A lot of folks joining us here. I see a lot of new names over in the attendee list. Some of you I know personally; I'm glad you're here. Welcome, everybody. Open the chat, say hi, tell us where you're logging in from. We've got folks logging in from around the United States and around the world. I'm just seeing quickly: Colorado, South Carolina, several from Colorado, Switzerland, Oklahoma City, French Riviera. Welcome, Louis. Georgia, Calgary, Colorado, UK, all across the US and around the world. Welcome, St. Louis, New Hampshire, North Dakota, Canada and Vancouver. Welcome, Jean. Wyoming. Wow, everybody's here. This is gonna be a great webinar. We're gonna get started in about two and a half minutes from now with Kathy Zant, talking all about this issue with password managers. This has come up over the holidays with LastPass: what you need to know and what you want to do about it. If you're just joining us, look in the chat. I'm going to share again the link bundle. There it is. You'll see the handout to download the slide deck for today. You can download this as a PDF. Also there is the link to watch the replay. It'll have the chat log as well as the transcript once we wrap up. And finally, a link to a webinar that I just scheduled today. It's a free webinar next week talking about the client side of this whole password management issue, which I'll be leading, so I'm looking forward to that. Melanie, thank you for sharing that iThemes blog post; I am going to add that to the link bundle. Thank you for doing that. I appreciate that. If you haven't read the iThemes blog posts on this issue, they are very, very good.
Well, welcome, everybody. If you're just joining us, we've got just a little over a minute before we get started. Pop open the chat and say hello, tell us where you're logging in from today. We'd love to welcome you. It's great to see folks logging in from every place across the United States, around the world, Europe, a lot of Europe, Canada. Welcome, everybody. Atlanta. Welcome, Elizabeth. Yeah, good to see everybody. New Jersey, Texas, British Columbia, Oklahoma. We're just about ready to get started here with Kathy Zant, talking about the state of password managers. Hey, Ben from Sweden, welcome. Stephanie from Frankfurt, welcome.
If you're just popping up in the chat, the link bundle, I've just shared that again with all of the things.
We're just about ready to get started. If you'd like a transcript, you can pop open the caption button; we've got that running now, working pretty well. So we're three minutes after. I'm gonna start the recording officially and let's get this going. Kathy. Well, good afternoon, everybody, and welcome to another live iThemes Training event. My name is Nathan Ingram. I am the host here at iThemes Training, and today I'm joined by my friend Kathy Zant. Kathy is the director of marketing for Kadence and iThemes and some other things. Welcome, Kathy, how are you doing today?
All the things. Having a good time here in 2023 and also spending a lot of time, like, watching this very interesting news item with LastPass, as I know you have been too, Nathan. We've been chatting over the past, I don't know how long, and it's just like, can you believe it? Interesting stuff.
It's pretty crazy. And so for those of you that aren't aware, Kathy has a deep background in WordPress security. Kathy, you kind of cut your teeth on fixing hacked sites and just being part of the WordPress security world for a while.
Yeah, yeah, I kind of did that just because I had... well, I mean, my first entree into security was in the late 90s. I inherited a web server that I thought, you know, the IT person set it up, it's secure, right? And I got hacked. And they sent me to security school, because I was the marketing lady, right, or the marketing kid back then. They sent me to security school and I learned how to hack. I learned how to spoof emails and all kinds of fun stuff. And so hacker culture has always kind of been this thing that I had been aware of; once you get hacked, you're like a security person. You just bake it into everything that you do. But then, yeah, I started cleaning hacked sites. I estimated I cleaned about 2000 of them during that stint. So yeah, lots of fun. I think it's fun. I think security is a lot of fun. But it also can be super scary. But yeah,
and frustrating, especially when, you know, we're not quite sure of some of the details involved. Right. So we've got a lot to talk about today. Let me just give a couple of housekeeping notes for those of you that are joining us. Super happy that you're all here; we've got a lot of folks watching live today. If you're watching this on the replay, you can click the Download Handout button and grab the slide deck that you see here. There's also a link to download the transcript and the chat log, so if we share something in the chat, or something comes up that we mention, that whole chat log will be present. For those of you attending live, a couple of notes. I'm going to drop in, in just a second, one more time the link bundle that has the slide link, the replay link, and a couple of resources. We'll have the replay of this event up about an hour after we finish today live, so you can share this out. It's the same link that you used to register for the webinar, so feel free to share that out with anybody. We want this to be as helpful to folks as possible. Second of all, if you're watching live, this is a live webinar. We're actually here. And so if you'd like to ask questions, we encourage that; we'll have a time of Q&A at the end. Please use the Q&A button on the Zoom toolbar. Just open that up and have that open if you'd like. Also, that gives you the ability to upvote the questions of others. So if somebody asks a question you'd like to see the answer to, hit the little thumbs-up icon that will appear underneath it. That'll just upvote it, and we'll take our questions in order of upvotes when we get to the end. So that is it. I'm going to disappear and be quiet and let Kathy get into this very interesting subject of password managers.
Yeah, well, obviously we've got some news to talk about. And I want to preface all of this by saying, if you think that this news item means that you shouldn't use a password manager: you should still use a password manager. We'll talk a little bit about that. But first, let's just get into the news. If you were enjoying Christmas like most people in the United States, at least, you know, having a holiday weekend or that break at the end of the year, you might have missed this. So what actually happened? LastPass, one of the major password managers, I think the impact on customers is 33 million, if I'm correct. I should have checked that, but it's a large number. A lot of people use this. A lot of organizations used LastPass. And they disclosed a breach in August, initially stating that, you know, some of their dev environment had been exposed. And then we learned a couple of days before Christmas, the Friday before the Christmas break, that that included customer vaults. I don't even know what to say about that. I can tell you that on Christmas morning, as I was making a pie, a lemon meringue pie, and it was quite a good pie actually, I'm like, what? Who does that? And then I realized I know who does that. People who know that there's something to hide. They always drop something on a Friday when they know that the news media isn't going to cover it. But I dug a little bit deeper and I started looking at some of the things that other people had been poking at with this particular breach. So customer vaults were exposed. They are saying that if you had a nice strong password, you know, 12-plus characters, randomized, not in any other breaches, that you're okay. But then a Reddit user, and that link is in the show notes, or, I've been doing too many podcasts, that's in the slides. You can go look at that actual Reddit thread. There was a user who actually did some reverse engineering to see what was actually exposed.
And they found that 32 out of 38 data points that were in the vaults were actually unencrypted. So they had a format of storing information in both an encrypted and a decrypted mode. So things like the URL, all of these other things that were really important, were also exposed, and that's on this particular slide right here. So you can see that, and I don't want to just read slides, but basically you're seeing some personally identifiable information was in that particular dump. So if the hackers got those vaults, they got encrypted data, but they also saw customer names, customer information, the email address, so who owned that main LastPass account if it was like a corporate account, billing information, telephone numbers, IP addresses, and more importantly, the website URLs. So they know who you are, and they know what websites you're visiting. They know you're using Google Mail, or Gmail. They know that maybe you're storing Facebook credentials in there, what social media accounts. All of this metadata, like when was that password created, and whether it was auto-generated by the password manager or if it was something that you had entered, if it was short, maybe. All of this information was now readily available, which, triangulated, you know, they can kind of piece together your usage habits. So LastPass did say, you know, there is a probability of this attacker brute-forcing these passwords, but there's also a risk of phishing. So these are things that we need to watch out for. You can go take a look at that Reddit thread that's in the speaker notes there. So where does that leave us? If you have been using LastPass, if you're one of those 33 million customers, I started just seeing recommendations left and right that it's time to not use LastPass. And here's the deal. They didn't get access through a website to go to your LastPass vault. They didn't get access through an app.
They got the actual data. They got the database. They got the core little bundle of all of your information. So if you went to LastPass and changed your password, that's not going to help. If you went to LastPass and set up two-factor authentication, that's not going to help. What you need to start doing is changing all of the passwords that are in those vaults. So if you stored any credentials in LastPass, you have to go to your email account, your cell phone service, your bank, start with those high-priority types of accounts, and start changing passwords and setting up two-factor authentication. Now, I saw a couple of... I did a video on this on YouTube and the comment section got kind of active. And someone said, well, they've had this information for five months and I haven't been hacked yet, so I'm okay. They would have gotten into it already if they could get into it. And I just had to say, oh, poor user. I'm so sorry to tell you that that doesn't really matter. Last year, hackers, using an unprotected API endpoint, got email addresses, 200 million of them, from Twitter. We are just now learning about that today. So timeframe does not matter. You should just assume that if a breach has happened, if someone has gotten access to that vault, if that vault hasn't been protected, then you should assume that any information that you had in that vault is compromised and it's time to start changing them. Now, obviously, it's important to change email, because you can have situations where your email is used as the second factor of authentication. So if somebody is trying to brute-force into your account, and maybe they get the password, maybe your password has been in a breach and they get the password, but there's a second factor of authentication: if they have your email, or your cell phone, if you have cell phone service for SMS-based two-factor authentication, that could be used.
And there have been cases where, like, SIM swaps have happened and people have had accounts compromised. So work through those really important things first, and then work through some of your lesser-priority accounts. I have yet to change the password on Sally's Catalog, one of my test sites; she's probably going to be last. But, you know, this is... so this is a quote from someone on Reddit, and that link is there in the show notes. So basically they're telling us that there is information leading us to believe that if you are a former customer of LastPass, your information is in there as well. So use some of the things like GDPR or the California breach notification legislation: contact LastPass and tell them you want all of your information deleted. But if you're a former customer, so you used LastPass a couple of years ago and you're not using them anymore, or because this breach happened in August, you moved in August, your information could possibly still be there. So you need to act as if... if you've ever stored anything in LastPass, act as if... I mean, obviously, security is not a black-and-white type of thing. It's a continuum. But if your data is that important to you, you should protect your accounts and assume that everything is compromised. So where do you go? If you're using LastPass, it's pretty easy to export data. You just go to Advanced and then there's an Export option, and that exports everything out of the app to your hard drive in a CSV, or comma-separated values, file, and then you can import it into another solution. There are different types of solutions that you could use. There are cloud solutions, and we'll talk about a few of those. And there are also ways of doing this via self-hosted solutions. You know, we don't have time to go through demos on all of this stuff.
But this is just kind of a high-level overview of different solutions that you can use instead of LastPass. As soon as you import that CSV file that you pulled out of LastPass into your next password manager, it's really important to delete that CSV file. You don't want to leave it on your computer, and then, for example, you know, maybe your computer has malware, or anything can happen. You just don't want that CSV file to get legs. Maybe you zip something up and it's in that zip accidentally, and then it gets out. You just want to make sure that you take care of that and delete it as soon as you've got it imported into the solution that you choose.
All right, so password solutions. Lots of people have been talking about Bitwarden. Bitwarden is open source and it's free. And if you want to pay for the version that is paid and has some additional features, like storing your two-factor authentication, time-based two-factor authentication codes, within Bitwarden, that's one of their premium features. If you want to do that, it's $10 a year. Wow, I can't even get a burrito for $10 anymore. That's like a pretty good deal. So even the paid version, if you want support from them, that kind of thing, the paid version is still just an amazing deal. So I've really liked Bitwarden for that. But the user interface, you know, it's kind of simple. They've got the little disk thing for saving, and for some people the user interface can be a little bit daunting. But it's open source and they're audited. But it's still, you know, a cloud-based solution. There is an option for self-hosting, which I started looking into, but I don't want to manage another Linux server. I've paid my dues with that. And so I'm opting for the cloud solution. Am I going to put everything in it? Probably not. My crypto passwords are not going in it. My bank passwords are not going in it. I have undisclosed solutions for all of that. But for my Gmail, things like that, things that I want to be able to, you know, access on my phone if I'm out and about and I need to get into something, I'm going to use the cloud version. So you have to decide, you know, on that continuum of security, what's right for you, what's going to be secure enough to keep hackers out and to make their life difficult, but easy enough for you to use, but not so easy that hackers can use it. So it's like, you know, the most secure computer is encased in cement and buried on a remote desert island six feet underground and nobody can access it. Is that the kind of security you want? Not exactly usable.
So you have to decide, you know, super secure and unusable versus overly insecure and completely usable, and where do you exist? Where does that data, that particular password, like your bank account, different than a test site, client accounts different than, you know, your kid's school login that you need to have: those types of things, you have to look at each data point, each thing that you're storing in your password manager, and decide, how do I need to secure this particular account? So Bitwarden, great. If you can't make a decision about what to use, this one is probably the easiest one to get started with, but you're going to probably suffer with just some usability. It's not the prettiest interface. It's okay. Next up, 1Password. 1Password is one that I've been using for quite a while. They don't have a free option. They do have a zero-knowledge architecture. And they're secured by two factors. They're secured by the master password, similar to what you've had with LastPass, but they also have something called a secret key. And when you sign up for their account, they're going to give you a PDF that you print out and you're supposed to, like, lock in a safe somewhere, and you store your secret key on that. So those two factors of authentication need to be stored and used in order to access your vault. So that secret key is like this long string of numbers and letters with dashes, and you'll never use that; you'll just use your master password to log in. It's AES 256-bit encryption, which they say is uncrackable. I have never heard of a case where it has been cracked. So it's very good encryption. They also have something really cool called Travel Mode, which is kind of cool. So let's say you're going out of the country and you want access to your email and maybe your cell phone provider and some things that you need while you're traveling, but you don't want your bank account information accessible.
So you put it on Travel Mode and just have certain things accessible. That's one of their benefits. They have Watchtower, which is integrated with Have I Been Pwned, which is a breach notification service, also something I would suggest that you sign up for, so that if your email is ever in a breach, it lets you know. And I'll just say, if your email hasn't been in a breach, then are you really human? My emails have all been in breaches. Yeah, okay. That's great. It's great to know, okay, look, my Twitter account has been in a breach, whatever, like that. It's good to know and good to monitor, because with those types of things, then maybe you want to change that password, know exactly what that breach entailed. So Watchtower is good for letting you know if something has been in a breach, letting you know if a password is showing up in a dumped database of passwords, that of course hackers will take and tie to one of their scripts and then go brute-force something. They also have really good enterprise tools that make it very easy for you to share or restrict access. So you can have a vault of, like... I work with a marketing team, and so we have Twitter and Instagram and all of these external accounts that we have to manage, and we have to share those passwords. So we have a vault for specific things, and we can revoke access to vaults and change passwords, you know, if someone's leaving, that kind of thing. And it just allows you to kind of manage those shared resources. They only have email support. So that is 1Password. Again, they've never been hacked. Somebody posted in the Kadence group that they had been hacked, but I have never seen an instance where 1Password has had a breach or a hack. Here's another one, NordPass.
Now, this company reached out to me after I did some videos on YouTube and said, hey, you should take a look at NordPass, and would you recommend it? And I'm like, I will take a look at it. And I started taking a look at it. They do have a free option. They also have that zero-knowledge architecture. They have a different encryption method. It's called XChaCha20. And this is a relatively new encryption algorithm, and it's faster and it works better on mobile phones, and it is still uncrackable. So they compare it with AES-256 encryption, which is older and still very secure, so XChaCha20 is just newer, more modern. And they also have data breach monitoring, similar to that Watchtower that 1Password has. It's less expensive than 1Password, and they also have a business type of account as well as a personal account. So if you have, or if you're helping to manage credentials, like if you're an IT professional and you have to help an organization of 200 people manage their credentials, they have an account that allows you to do that. Or if you just, you know, want to manage your kids and make sure that they're practicing good password hygiene as well, you know, the business account might be something that you can use there. I think these guys are cool because they are adding passkeys in early 2023, and I have asked them to notify me as soon as they do, because of course iThemes Security also has passkeys and is an innovator in the WordPress space. And passkeys, if you haven't been to any of our webinars lately: passkeys are the next level of authentication. There's no username, there's no password; there are public and private keys, the same way that Bitcoin has public keys and private keys, the same way that PGP, if you've ever emailed using PGP, has a public key and a private key. This type of encryption and this type of security has been just the de facto standard.
And this is what is rolling out: Google, Apple, Microsoft, PayPal. I think Kayak has added it as well. And I'm very, very excited about what passkeys are going to do, because passkeys are going to kill the password. But we're still going to have to secure those passkeys somehow. And I was just talking to someone earlier this week, and they have a Windows machine and a Mac machine, and they had to do something on the Mac while all of their passkeys were on Windows. And so, like, how do you do that kind of thing? This NordPass solution with passkeys is going to help people be able to move passkeys around and have that same passkey accessible on multiple devices. Another cool thing with NordPass is that they're privacy-centered, the same people who do NordVPN. So they're based in Panama, and they don't have a jurisdiction where they are required by law to disclose customer information. So that's kind of cool. Even if you're not, like, trying to hide from a government, it's still a cool feature, because the fact that they're allowing that kind of privacy, or programming for that kind of privacy, ensures that all customer data is private, encrypted, end-to-end encryption, all of that fun stuff. And if you're interested in looking at them more, there are some links in the speaker notes. Whether you're doing business or you're doing just a personal account, you can click on the Kathy Zant links and go take a look. They're giving us an offer, so if you want to do something with a discount, I think the personal one is, like, two years and a free month, and then the business one is three free months. So get started and take a look at that. So NordPass, I'm really glad they contacted me, because I'm pretty impressed with some of the stuff they're doing.
And Nathan, you told me about Keeper, and you actually sent me a password using Keeper, and I was wondering if you could jump on and kind of talk about some of your experiences with Keeper, because they sound like they're doing some amazing stuff too.
Yeah, for sure. And if you're watching, I've dropped all those notes in the chat, those links. The downloadable slides, the PDF of Kathy's deck, don't have the speaker notes, but I'm dropping those links in the chat for folks. Great. Yeah, so we did a pretty good test and look at a lot of different password managers, because, like, if I'm going to move password managers, I want to do it once and never again. And so we've landed on Keeper, and hat tip to Debbie Campbell, who's there in the chat; Debbie actually suggested that we take a look at this. And I like it a lot, for a few reasons. So first, it has the security that you'd expect, you know, zero-knowledge, master password. One of the things that they do a little bit different, though, is that even beyond the master password locking the vault, individual vault items are further encrypted. So once you get the vault unlocked, then each individual item itself is encrypted. So there's one other little extra level. It does have a local and an online mode. They have, this is really cool, they have a proprietary dark web scanner, which is not like Have I Been Pwned; it's like Have I Been Pwned plus plus. So they're checking through their proprietary system to see if you have any passwords involved in breaches. Really easy to share folders and vaults. The one thing that I really liked, and what Kathy just mentioned, is the one-time share link. So right from your little browser dropdown, for example, I want to share this new password for this account I set up with somebody; well, you can click right there, and it'll generate a link, a self-destructing link, and you can set how long it's going to be alive, you know, an hour, a day, a week, a month, whatever. You can send that link, and once it's accessed, it's dead. But it's a secure way to send a password to somebody from right there in the UI, which is pretty cool. They have similar secured messaging, secured documents. We really like the custom record types.
So, like, we have some Amazon accounts where you have, you know, all these little, you know, the customer field and the key and this and that, so we can create a custom record type for AWS logins that has those special fields baked in already. They also, one thing, and I haven't seen this on any other manager, have a really cool password reset wizard. So it's watching, and it knows that, hey, I'm on a reset password sequence, and it will step you through that process. But what it does different is it remembers your old password, just like me. If you've gone through that process and something didn't work, you can put your old password back in the vault, just in case. So, you know, instead of doing like I've done in the past, popping open a browser tab and pasting your old password there just in case, yeah, it remembers all of that, right. So I really, really liked this solution. It's what I've gone with.
Nice, that sounds really great. You know, the thing with password managers is, you know, we're all going to move towards this passwordless future. It's coming, obviously. The fact that there are so many password managers, people are seeing that there's a problem with passwords, and passwords will eventually... not be completely replaced, obviously, I think there's still going to be some legacy systems and things where you need a password, but for the most part we're going to be moving towards passkeys. And this is just kind of a band-aid on a very, very big problem. So there are tons of different solutions. And I just took a look at some of the Q&A, and we'll talk about some of those at the end of this. We're getting to the end of this; I wanted to make sure we left a lot of room for questions, because I know a lot of people are worried about this. But yeah, there are so many different options, and you just have to find out what's going to work for you. Now, for the uber-paranoid. I talk to a lot of people who are like, I don't trust any of these cloud services, and I feel you; I have been in that position as well. I was kind of late to the whole password thing and kind of was brought into it kicking and screaming. I did not want to put any of my passwords in the cloud. But like I said, that continuum. I'm like, I've got too much to do. I don't want to have to worry about this. And "this is my little proprietary way of storing all of my passwords," is that ultimately the right answer? Not all the time. Sometimes it is. So KeePass has been talked about a lot in terms of something that you host yourself, and I know people who use this. If you miss the 1990s and maybe, like, Windows 95, that's the interface; it's a little old school. But it's, again, another great open source method of storing your passwords not in the cloud. Bitwarden is another solution that you can use to store your passwords and manage your own server, if you're into that.
They've got instructions on their site. I did include that in the speaker notes: Bitwarden, installing on-premises Linux is what they call it. So if you're into that and you like that kind of thing, go for it. It's easy to do, apparently, if you're into the Linux stuff. I know enough Linux to be dangerous, a danger to myself and others, as I've often joked, but it's completely doable. And if you want to manage that, you can, but then again, you're managing it, you're in charge of the security for it, so you'd better make sure that it's something that you're okay managing. I know plenty of people for whom that's cool. Yeah, so I jumped ahead a little bit. I just talked about how the password is broken and we are in a transitory period. So how do we manage things now, knowing what we know? There are different strategies. So obviously, if you're using passwords, you need to have them random, long, and unique for each individual site. Each asset needs to have a unique password. Make sure you sign up for Have I Been Pwned to make sure that you have breach detection somewhere, somehow, whether you're using it with your password manager, or if you're doing self-hosted everything, or not using a password manager at all. Make sure that you're at least watching for your credentials to show up on the dark web, and if something shows up, change the password. Another thing that someone recommended, and something that LastPass wasn't doing, is this whole PBKDF2, which is just an encryption thing, and you want to make sure that the iteration count, according to OWASP recommendations, is the 310,000-iteration threshold. When you get started with Bitwarden, it's going to set it at about 100,000. You want to up that if you're being very secure.
Now, one of the things that I saw in a news article, or someone told me, anyway I did verify it in a news article: older versions of LastPass had that PBKDF2 set very low, so even lower than that 100,000. So you want to make sure that, if you've been using LastPass for a very long time, just know that you're not as secure as a more recent user. So it just kind of adds a little more fuel to the fire in terms of: you need to ensure that your credentials are changed if you had anything in LastPass. I highly recommend phishing training, if you have not ever gone through any kind of understanding of how to identify phishing. Spear phishing is very targeted phishing, and that's the risk with this LastPass breach: someone taking a look and saying, oh, this person had PayPal, all right, and here's their email address, I'm going to send them a very targeted "your PayPal account needs immediate attention, your funds have been drained," something that is underscoring this time-sensitive pressure of, oh my gosh, drop everything, I need to go change my password immediately, and not paying attention to the fact that you're being directed to a site that is not PayPal when you click the link in that email. And you've typed in your old password and you type in a new password, and you think you're changing your password, but they just got your old password for sure. So make sure that you go through some kind of phishing training, and there are plenty of YouTube videos on this. I'm planning a YouTube video pretty soon on phishing. But be really phish-aware. Gmail is really great at throwing those things into spam, but if somebody is spear phishing you, those things don't often end up in spam. And so it's really good to just be phishing-aware. Two-factor authentication on anything and everything. According to the Verizon data breach report thing that they do every year, I think it was less than two,
I think it was like 27%, definitely less than 30% of people actually use two-factor authentication. And I get it, it's a pain. It adds that extra step. It's also adding extra steps for hackers. So again, you're on that security continuum, and we're going through somewhat of a stressor kind of moment right now. So maybe you want to move that continuum over to being a little more "computer buried on a remote island." Not quite that far. But you know what I'm saying, we want to be a little more resistant to these types of attacks that could be coming. All right, double blind password strategy. I used to do this. I didn't know how to name it, I just learned that. So this strategy is something that you can do. So let's say you have a password, a very long password, in your password manager. And then you keep four characters in your head. So the password manager for each individual site has a unique password. And so I just did a random generator and that's what came out, the VJZK blah, blah. And so you generate a long password, but the actual password that's going into the site is that plus the name of my new puppy, Milo, with the L also capitalized, and I put all of that together. I've not done this anywhere. So if a hacker sees this, and you're like, oh, I'm just gonna go brute force Kathy with this password: I haven't used this at all, and Milo won't be my four-character in-my-head phrase. But this way, if your password manager is ever breached, all of those passwords don't really work without that thing that's in your head. So decide something that you're always going to remember, probably not your PIN for your debit card or whatever, but something that you're always going to remember that nobody else is going to guess. And really, hackers are persistent. But if something's not working to a certain point, they just move on to, you know, Larry down the street, who's not even using a password manager and it's his kids' names, so you know what I mean?
So they're gonna give up and go on to an easier target if you put up enough hurdles, and so this is just a strategy that puts up some hurdles and makes it much harder if somebody does guess the password, if that password is ever exposed in any way. That password is still not the password. Managing client passwords, and I know, Nathan, you're going to do an entire seminar on this.
When you stop working with the client, or, I mean, this works for employees as well, when you are onboarding new employees or onboarding a new client, have a way of at least keeping a log of what credentials have been shared. When you're setting up a new employee, they have an email address; you want to log that that exists. When you start working with a client and you have access to their social media, those types of things, keep a log when you're onboarding so that when you are offboarding, you can clean things up and make sure that there's no liability and that everybody stays secure. Also, with employees, it's really important if you get a disgruntled employee. For example, you offboard this disgruntled employee, they weren't working out for whatever reason and they're still kind of mad about it, and they still have access to your Instagram account or something like that, and they post something that you don't want posted on your Instagram account. You want to make sure that you protect against disgruntled employees, those types of things, after they have been fired. With clients, talk to them about this and basically share as many details as you can, so they get sort of the full spectrum of a security incident. So it's not scary to them: this is something that's happened, and we're living in an era of breaches. If you look at the homepage of Have I Been Pwned, it's extensive, and we're into the billions in terms of number of credentials, maybe even the trillions, I can't remember, but there are a lot of credentials that have been exposed. So being able to contextualize the knowledge that you're sharing with your customers positions you as an expert, and as of service to your customer, without frightening them. You want to be able to talk to them about this.
And they may be impacted; maybe they were using LastPass, and you want to make sure that they understand that all of their credentials could be impacted as well. So it's just really important. So much about security is good communication: being able to identify what stakeholders need to have information and making sure that they're informed in as much detail as they need to know, like what happened, how quickly do we need to respond to these types of things. It's all about communication. So if you use that information in a way that is of service to your clients, it positions you as the security expert. I mean, what are these relationships about? They are so much about trust, and you show your customers that you're someone to trust in a situation like this, because I'm not gonna say this is the last time that password managers get hit. Maybe it is, who knows, but this isn't the last breach that's going to happen. And when breaches happen and we're affected, clients are going to want to know who to turn to. Let that be you. It ends up building your business and building trust with your customers. So I want to just talk a little bit, I already talked about passkeys, but I'm gonna underscore this again, because this is so important. It's based on a standard called the WebAuthn standard. And it has a public/private key pair. If you've ever used PGP, or if you're into crypto, or if you've ever used SSH keys, it works very similarly: there's a public key that you generate, and you can even put a PGP public key on your website and say use this key to send me information. And then that private key that you never share with anyone is something that you can use to decrypt that, and passkeys work that way, but you don't have to know the key, you don't have to know a password. You don't have to know anything; your systems end up managing all of that for you.
It's really good to understand the basics of how it works, because that helps you educate your customers and educate your clients about this new future of authentication that is coming. I think iThemes Security is the only major WordPress security plugin that has passkeys, or iThemes Security Pro I should say, it's in the Pro version. This is innovative. It's very, very new. Apple, Google, Kayak, PayPal, NordPass: these are some of the companies that are bringing passkeys to the consumer. This is something that you should get aware of, understand how it works. We've got plenty of videos on iThemes Training that'll show you how it works with Timothy Jacobs, the lead developer, and you can use this as another way to really position yourself as security aware to your customers. We only have 20 minutes left and I'm going to skip a demo, because I know Timothy's got tons of that on our iThemes Training site, and I'm going to really leave this open for questions, because I know we've got quite a few. I want to make sure everybody gets their questions answered.
Absolutely. So we have a bunch of questions stacked up, and if you have a question that you have not asked yet, please pop it in the Q&A in Zoom and ask your question there. Also take a minute just to scan the questions that have been entered. And if you like that question, hit a thumbs up, and we'll take the questions in the order of upvotes. Now, one thing I did see pass through in the chat as a question is regarding copying things out of the chat. Zoom webinars, for whatever reason, don't allow that. I don't know why. But they don't; that's why we make the chat log available afterwards on the replay page, so you'll be able to get all those things, or just click the links now and save them that way. Okay, so the first question, Kathy, is from Paul. If you had credit cards in your LastPass vault, would you cancel the cards and get a new
one? I know lots of people who are. I haven't. I had one password, or one credit card, that was stored in there, and now I just get emails anytime it's used. So I'm not too worried about that right now. But obviously, with every single data point, you have to decide what's critically important to you. What about you, Nathan?
I am planning to cancel my card, and I'm treating this like everything else. This is not an urgent thing like oh my god, they're gonna access all my things tomorrow. For me, I'm approaching this like, okay, my data, it's like I had a safe in my house that was stolen. They don't know the passwords yet. But at some point in the future, they're going to sit there and figure out enough things, right. My password was 12 characters long, which it says is 3000 years. Great. Well, it's actually zero to 3000 years to try all those combinations at today's computer power. But, you know, five years from now, advances in GPU technology and so forth might take it down to a month at some point, right? So you have to consider that data is gone. It's out there. My girls' social security numbers are in a secure note; I've lost a lot of stuff out there. It's not urgent. I don't think people are accessing it today. But yeah, it's gonna have to be changed and dealt with. Can I just mention one other thing here? I don't want to take over here, Kathy, but there's something I learned that's really important in this. I've been a LastPass user forever, like many of you possibly have, and one of the things you mentioned, Kathy, was the OWASP iterations number, and that's super important. OWASP. And by the way, what this is, is how many times they run your password or whatever through the encryption algorithm to make sure it's really secure, and they recommend 310,000 iterations. Right. LastPass today recommends 100,100 for some reason, but here's the thing. When LastPass started, they recommended one iteration. And if you started day one with LastPass, that setting never changed. So all your passwords are encrypted with one. I went back and looked at mine and I was set to 5000, which is not even 1% of what it should be in the number of iterations.
And so basically, they have really mistreated me, I would say, as a loyal LastPass customer. I believe it would have been a simple email to say just go in here: you go to Account Settings, Show Advanced Settings at the bottom, hit Security, and then go to password iterations. It took me literally two or three minutes yesterday to go through that process and change my iterations to a million. It was no problem at all, but they didn't let us know. So you've got all this stuff out there. You have to treat it, in my opinion, as though it's gone at some point. Not tomorrow, but maybe next year. Who knows?
Exactly. Yeah. I mean, a lot of people are like, oh, it's secured with AES-256 and that's never been cracked. A lot of people have said that I'm raising an alarm bell, and I'm like, it's a continuum, right. And it's also not zero yet. You're not completely and totally protected. Your risk is not zero. So where do you fall? If you're a celebrity or politician or somebody who's really high profile and they come across your name in the LastPass data, maybe your risk is closer to 100%. We're not celebrities yet, right.
So, and the other thing you have to factor into this is that in the process of these multiple invasions, or whatever they are, exploits of LastPass, the hackers stole all of LastPass's source code, so they can stand up a full identical LastPass environment in their situation, put these passwords in there and just hammer on them. They don't have to hammer on LastPass at all; they can set up their whole identical LastPass system. It's not great. It's a serious situation. It
really is. And the other thing that I saw in some of these articles about this is that it looks like this came from a single dev's account being breached. Was it a phishing email? Was he or she spear phished? Who knows? Were they socially engineered somehow? We haven't gotten all of the details, and LastPass has been questioned by a number of media outlets like Wired, who had repeated requests for more information about this breach that were not answered. It just underscores how important being very safe and hyper aware of your cybersecurity is: for phishing, for breaches, for any kind of breach notification on passwords. Your risk is never going to be zero. It might not be 100%, but you're in there somewhere, 50%, we just don't know at this point. So where are you going to assume that your risk is?
Yeah. Okay. Let's get back to questions here. Sorry, I didn't mean to derail. That's great information. Yes. And by the way, folks, I'm going to be talking a lot more about that in next week's webinar. I'm going to be talking through the process we used to switch over and inform clients, and how do you deal with this, importing a list or not at all. I'm going to talk through basically all the lessons that we learned in this process next Wednesday. Dave's got a great question here. What about alternate storage platforms like Google Chrome's stored passwords, Apple passkeys, Keychain? What about those?
Can you trust those? The thing that I've always had an issue with, and I use it, there are plenty of sites where I use the browser's password storage and I'm just like, I don't care, right. The thing is, how secure is your computer? How secure is your browser? If you get malware, let's say you download an extension into Chrome and you've got Chrome passwords, and that extension had malware or had some kind of problem, how secure is that? And I haven't researched all the browser storage things, but it's in the same boat. And I don't trust that. That doesn't mean I don't use it. It just means I don't have my email passwords stored in the browser. At least not the big one. I have so many email accounts and there might be a few that I'm storing in the browser because I don't really care. Those are for just newsletters and stuff. Oh, great, everybody knows what newsletters I read. I don't care, right. So each credential pair is something that you're going to have to make a determination about. So make your life easy. Don't go crazy making your life hard, but make sure that the most important things, that you don't want anybody to get access to ever, are secured. Make that hard.
Good. Okay, next question here is from Edie. Kathy, what do you think about Dashlane and RoboForm? Any ideas on those?
I have seen RoboForm recommended to me numerous times and I have not yet had a chance to take a look at it, so I really can't speak to it. I'd go check out reviews on Trustpilot and things like that. Same thing for Dashlane. I've heard it mentioned a number of times, but those are some of the things I can look at.
So, and again, this is something I'm gonna be talking about next week, but how do you choose a password manager? What makes sense? Some of the questions I would immediately ask are: how is your data encrypted? Is the whole dataset encrypted, not just certain fields? Those are the sorts of questions you want to get into, because you don't want to trade the devil you know for the devil you don't, right. I used RoboForm forever before I got a Mac. I moved to LastPass when I moved to Mac, because Mac didn't have a RoboForm version 8 million years ago when I did that. And it's just another one that's been around forever. So cool, Edie, hopefully that helps. Shannon: what order should I proceed in? Should I change all the passwords in LastPass and export to Keeper or whatever you choose, or export everything over to Keeper first? What do you recommend as a process?
What I did is export everything over myself and then go through high priority things. I'm not done yet. But the high priority things that were in LastPass, I just changed those after I imported, and then deleted that CSV file. And even if you're still on LastPass and you're like, okay, well, I'm just gonna ride this one out: I don't think LastPass is gonna survive this. There are gonna be class action lawsuits, and just the way they've handled this breach, dumping everything out right before Christmas weekend. I don't think they're going to survive, is my prediction.
Yeah. It's going to be interesting, to be sure. And so, again, this is something I'm going to talk through next week. But as a principle, I don't want to put any of my new passwords back into LastPass, because I've lost complete trust in that platform. And even if I delete that vault later, is it really deleted? Did it delete delete, or is it just, whatever? I don't know. Is it in a backup environment?
Sure, because of GDPR, and I think California and Nevada, there's consumer protection for data protection, right? So use those types of things and pressure them to make sure that everything is deleted, because from what I've seen, for former customers who moved off of LastPass and shut down the account, your data was still being held there, and that's problematic. So if you are a former customer, you need to contact LastPass and make sure that everything's deleted. Just wiping out your vault and cleaning it out is not necessarily enough. You should contact them and say I am a former customer, or I'm still a customer, and I want my information, everything that you have on me, deleted. I don't trust you anymore. And you have a legal right to say that.
All right, Paul is up next. If and when passkeys become the norm, can they be shared like we do now with some password managers?
So the way NordPass is going to work is that NordPass is going to hold the passkey in a vault. And so you can use it across multiple devices. But passkeys are really designed to be a unique identifier for you. You don't want to really share your private keys. So if, for example, you have a Twitter account, and it's the company Twitter account, and there's a passkey associated with that, there's going to have to be some methodology of having individualized passkeys to ensure that you're logging into those types of things. And honestly, if you're managing things like that, I would use another system, a second-layer type of thing like Buffer or something like that. So that there's one password, or one passkey, that the owner of the account has, say the CEO of the company, and they're the one that holds that particular passkey. And then they can grant access via Buffer to be able to post to other accounts. That type of thing. That would be the protocol I would recommend.
Yeah, good. Tanya just posted in the chat. She'd been using RoboForm for about five years. She just checked the security encryption count, it was set to 5000, so she upped it to 310,000. That's, yeah, whatever password manager you're using, check that.
Yeah, I think Bitwarden, I saw it defaulted to like 100,000 something, so I would still recommend it. I saw somebody bumped it up to a million. I was like, wow, really super secure. How long does that take? I mean, I haven't tested that myself. But that takes some iteration and takes time. So again, that continuum.
I put a million in my LastPass when I did this change yesterday. I put a million in there and it took about three minutes. Oh, did it? Wow. All right. John is asking, what is LastPass doing to get their act together?
I'm not seeing anything. Again, it was very interesting to me that Wired reached out to them for comment to just say, was this all of your customers, was this some of your customers, and they did not answer. I don't know if they've answered since; actually, I don't think they have. I did a search this morning on any additional news articles, to see if anything new had come out about this breach, and I'm not seeing any updates really. It's just local news is now picking this up, whereas for the main tech news it's kind of old news, so nothing new. Honestly, my personal prediction, and this is not a professional opinion, is that they're not going to be in business much longer. I would not rely on them. Yeah.
Okay, this is a great one, Greg, I love this question. What do you tell clients who keep all their passwords in a Word document? Stop. I mean, I will say this: for years, I tried to get my mother on a password manager, and the last time I went over, she goes, here's my password manager, and it's like a book, with pages, and they were all complex, unique passwords. I'll give her that. And you're not going to hack my mom's notebook. Yeah, yeah.
Very, very true. Yeah. I mean, I see those notebooks and people laugh about them all the time, but you know what? That's not going to get stolen in a breach. So I just let them, I mean, if it's not online, and they're not storing it in a Word document or a Google Doc or something like that. All of these things kind of pain me, so many things. I sat at a WordCamp with someone and she wanted me to help her with her WordPress site. And as she typed, she tells me her password. And she's like, this is the password I use for everything. And it was like her dog and some numbers, and I was just like, oh my gosh, please don't, please don't, and why did you tell me? I don't want to know. Go change it.
That's my password. My favorite password. Yeah,
yes. And back in the day, I worked in a data center in the 90s, where I had that server, that guy that got breached, and the network password, at that time, I'm certain it's not anymore, it was a major, major corporation. The password for the network that we all shared was Flowbee, you know, the vacuum cleaner that does your hair, back in the 90s. That was the network password. Awesome. Don't use that password for any
password. Okay, Stacy: does 2FA protect us from someone logging into our account? I cannot log into many websites without 2FA.
Yeah, so if you have a password that was in a breach with any provider, let's say you're even reusing passwords and that password ends up in a breach: if you have two-factor authentication, using time-based two-factor authentication with Google Authenticator, or Authy, or one of the other authenticator applications, unless they have that code or access to your device, they can't log in without that 2FA code. So definitely use 2FA wherever you can, especially for those really important accounts: where you keep your money, where you keep your email, because email can be used as a second factor of authentication, your cell phone provider if you're using SMS as a second factor of authentication. Use 2FA wherever you can. Test sites, do you really care? But again, that continuum: if it's important to you, secure it. Make it hard.
Charlie just said his password was stolen and now he has to change his dog's name. Charlie, that was the comment of the hour. Thank you, sir. That's a good one. Okay. So Stacy, by the way, I'm not sure if the point of your question was does it protect you in the LastPass scenario, and in that case, it doesn't. Even if your LastPass account had 2FA on it, it doesn't matter; they've stolen the zip file of your whole vault, and that doesn't require 2FA. So, is there a class action lawsuit against LastPass we can join?
I don't know if it's been started, but I predict that there will be one, and if you go to the Reddit threads, there's an actual subreddit for LastPass, and I've seen people say that they have pressed LastPass for refunds, and that you had to press really hard, but people are getting refunds and stuff. So I don't think this company is going to survive. They have a parent company, it's owned by some other entity. So I believe that there is going to be a class action lawsuit, and who knows, you'll get a coupon if you're part of it or something. The lawyers always win with those things.
Yeah, for sure. Okay, here's a great question from Charlie. If Bitwarden is open source, which it is: I would think this is not a good idea. Why is it a good idea for a password manager to be open source? Great question.
Very great question. As we've learned with WordPress being open source, the security community has access to the source code, which is a great thing. And they also get audited often. So the fact that Bitwarden is open source and that they are being audited, that the security community can take a look at things and look for vulnerabilities and report them and disclose those responsibly, means that we're all safer. And it's one of the reasons why WordPress security has really matured: there are so many security researchers looking at plugins and looking at themes and looking at WordPress core and making sure that open source software packages are more secure, because sunlight is the greatest disinfectant, and it is the greatest security tool.
Yeah, very good. Because we're at time, I'm going to scan down the list here and pick out just a few more questions. We still have 11 open questions. Quick recommendations for Sue. Kathy, what would you use for small business and family?
If there's no budget, I would just use Bitwarden, it's fine, or any of the other free options. I would just use Bitwarden if you don't have a budget, but if you really, really want to stay secure, I would go with maybe one of the other paid options that have some of those extra features. But I know so many people who are using Bitwarden and are really happy with it, and it's open source too. So yeah, we
tested Bitwarden pretty well and ultimately went with Keeper for us because of some additional features we liked, but it was really great. I mean, it was easy to use, especially for free.
That's great. Yeah, and I'm really happy with, I'm gonna go with NordPass, because I'm really happy with some of the future things they're going to be adding, with passkeys, and I'm really interested in learning more, seeing more done with this new encryption methodology, algorithm. So I'm going NordPass for me, but yeah, there are tons of different options out there.
When I'm shopping, I'll take the most expensive one, please.
Please take my money.
Melanie would like to know if you're aware of any of the password managers supporting Touch ID.
Yeah, NordPass does. I use Touch ID to log into NordPass and Face ID on my phone. So yeah, they're using biometrics. Yeah, pretty sure.
Yeah, even Bitwarden will ask me to use Touch ID on my Mac, and yep. And most of them are doing that, especially on phones now. That's hardly pure poorly temp sneeze there. Kelly, this is a great question from Kelly. Do I have to be a resident of California to call and ask them to delete my information?
I don't think so. I mean, if you want to take them to court and sue them, I think that's where your jurisdiction needs to be. But I would just press them. They have to have data deletion available if they want to do business in the State of California, or in the UK, or in Europe where GDPR is in effect; they have to have data deletion options available to customers. It's just, if they want to do business, they have to have that available. So just use it, push them.
Okay, so Karen has a weird question in the chat: if they cut off my finger, can they use it for Touch ID?
Oh, I don't know. Does it shrivel up? I don't think so. CSI edition.
Yeah, it wasn't a question. I posed it as a question. Okay. Let's see. Do things like VPNs and YubiKey provide additional protection? Kathy, Charlie would like to know.
YubiKey is pretty cool. I'm going to lose it, so I don't use it. I don't know, maybe it's having kids and teens, I've just, a physical device, I'm scared of losing it and having problems. But I know tons of people who are devs who are really into security and they love the YubiKey thing. So use it if you want to. What was the other thing? Is you
deleted it. YubiKey and VPN.
Oh, VPNs. VPNs are just your computer talking to that computer that's talking to that computer. So it's just kind of an intermediary. I don't think it's necessarily going to add security; it's going to add an IP address that gets tracked by the end-result computer. I'd also be worried about breaking end-to-end encryption going through it. I mean, I know NordVPN has privacy concerns, and everybody loves it because of that. But I don't know that it adds any protection necessarily; it adds obfuscation more than anything.
Alright, so a lot of questions stacked up here, but we're a bit over time. Most of these things I'm going to cover in next week's webinar, which you're looking at the information for there on the screen, talking about all this from more of a work-in-process and systems-internally angle and dealing with your clients. I'm going to share in that webinar next week the process we took in choosing and moving to a new password manager, some of the key features you might want to consider, how to inform clients about potential password compromise. I'm going to give you the wording of the emails I sent my clients, and then best practices for ongoing management of client data. I've been thinking through and making some changes on maybe not retaining data, like I found myself, Kathy, emailing customers that we hadn't done business with in five years because we still had a LastPass entry for them, because we just forgot to delete that entry when we offboarded. So there are some things that need to change. And so I want to be talking about all that. That is next Wednesday, a week from tomorrow, one o'clock Central, here on iThemes Training. Kathy, wrap us up, give us some final thoughts to consider.
Security is about empowerment. Security is about you taking charge of your data and making good decisions. It's not something to be afraid of. So yes, this happened. Don't be fearful, be empowered.
Yeah, that's great, great final thoughts. And thanks, everybody, for hanging out with us. Kathy, great information. Great questions from everybody here as well. That's gonna wrap it up for us today. Again, next Wednesday we'll pick this subject up again at the link that I just dropped in the chat. The replay of this will be available to share in about an hour or so at the link that's also there in the chat, and I will see you back here next time on iThemes Training, where we go further together.