Katherine Druckman (10s): Hey everyone. Welcome back to Reality 2.0, I am Katherine Druckman. Joining me today is Doc Searls as usual. And today we have two special guests, a couple of my favorite people. I know I say that all the time, but really just about them. We have Kyle Rankin and Shawn Powers, who many of you probably know, because if you have been listening to us for a while, you know that both Shawn Powers and Kyle Rankin were affiliated with Linux Journal, just like Doc and I were, but also you may know both of them from elsewhere on the internet and, and, and we'll let them talk a little bit more about that. But what we're talking about today is some basic security hardening, because I'm going to let Shawn tell you the story, but I'll preface it with saying this, Shawn, if you don't know, if you don't know Shawn, personally, if you only know him from the internet, is one of the nicest people in the whole world.

Katherine Druckman (1m 3s): And so it makes me a little, it's true. It makes me a little angry when, when bad things happen to really good people. But I suppose the silver lining is that Shawn's going to walk us through some of the things that have happened to him recently, which he will get into so that maybe the rest of us can learn from them. So, Shawn, with that, maybe you could tell us a little bit about an experience you had recently.

Shawn Powers (1m 30s): Yeah, so it, it started about a week and a half ago. I, I woke up and I had notifications. I'm not crying. Sorry. That was a frog in my throat. I might cry, but I'm not yet. So I woke up with notifications that somebody was trying to get into my Coinbase account. Coinbase is a, is a cryptocurrency online exchange thing. Now I don't have any cryptocurrency anymore. So it wasn't a really big deal, but it was one of those things. You're like, Oh, well, that sucks, somebody's trying to break into my account.
And so I got up and I had a cup of coffee and I came into my office and I didn't have any email. So it took me probably about 45 minutes to realize that something was actually going on, something weird was happening because I had a couple other text messages about like two factor auth requests and stuff.

Shawn Powers (2m 18s): I'm like, well, what the heck? And so I looked and still no email. Anyway, I won't give you my process of figuring out what went wrong. But somebody had broken into my DreamHost account. DreamHost is my registrar and also my DNS provider. I've been using them for over a decade, fairly close to like 15 years now because I'm getting old. That actually was disturbing when I thought about that. But I've been using them forever. Somebody had gotten into the account. I don't know how, I don't know if it was a data breach. Maybe I was using the same password. I'm not really, I don't usually use the same password in multiple places, but somehow they got in, they turned on two factor auth. I was locked out and then they changed the MX record on my domain, my brainofshawn.com domain that I used for all of my email.

Shawn Powers (3m 1s): They changed the MX record to their own server and they were getting all of my email. And so you're like, Oh, that sucks. That probably was a bad day. But if you think about it, when you go to a website and you try to log in and you say, I've forgotten my password, how do they start that reset process? They email you a link so that you can reset your password. So now I'm no longer getting those emails from all the online accounts that they were. I mean, they tried, I don't even know all the ones that they tried. Right. Because they were getting the emails. But most of my online accounts, especially those related to finance were, were locked out because they tried and couldn't get in. And it took me, gosh, that was about eight in the morning.
Shawn Powers (3m 43s): It wasn't until 2:30 in the afternoon that I finally got control of my domain back to turn off, you know, to set my MX record back and start getting emails again. They did it about midnight. So I was asleep. Of course, if you're going to do something like that, that's a great time to do it. Great in quotes because it's a mean, horrible, despicable time to do it. But anyway, so they had, I mean, a long time to do as much damage as they could. I, I mean, I I've, I've lots of stories to tell about it, but the frustrating part for me was with DreamHost, they don't have a telephone number to call. They have no way to contact support except through their online portal, which you access by logging into your account.

Shawn Powers (4m 26s): Now there is a little link, like I can't get into my account. So you click on that and it sends a generic support ticket into their standard queue that they may or may not get to at some point. So I ended up having to create another account. That was actually Petros's idea, to create another DreamHost account so that I could log in and use their, their tech support to start the process of trying to get my, my information back. And it was a long process. I'm glad it was difficult to get access to my account, but it was very frustrating as well. I mean, I was going through old credit card records to prove like this date I charged this much and all that stuff to just prove I was who I was.

Shawn Powers (5m 6s): And eventually I got it back in and straightened out, but I couldn't believe how much of a nightmare it was just to have my registrar taken out into my registrar account taken over. And so that's, that's the beginning of the story. So thoughts, comments, because I'm curious if your responses are things that I've taken care of since or yeah. Anyway, that's, that's my short, crappy last Tuesday story.

Kyle Rankin (5m 33s): Well, one that's really crappy. Of course it too. Yeah.
So I've, I've had a lot of, I've had not experienced experiences with takeovers in the same way, but experiences with issues in DNS, registrars more at a corporate level where everything normally with DNS, it's a set it and forget it thing. You, you think of a domain name to use somebody sometime. It's very common for all of us to have these relationships going back however many years. But in addition to all of that, like the, you don't really think about when you first set up a domain, you're thinking about what's the easiest way to do it.

Kyle Rankin (6m 15s): You don't look into it. Well, do they have 24/7, like a phone number, an 800 number that I can call or whatever? Right? You don't really think about that. And even at a corporate level, I've, I've in past jobs, I've had situations where someone made a mistake at the, at the registrar level, had our domain locked. And then we discovered, Oh wait, we only have nine to five business hour. They only offer nine to five business hour phone support and our entire company's down, you know, things like that. And so we better hurry and get responses back. And at that, at that time, we had another interesting thing, which you probably ran into as well, because in your case, the email didn't work because someone intentionally moved it. In this case, what happened was when the domain was, the domain was locked and when it's locked, the same sort of thing where the there's no records.

Kyle Rankin (7m 6s): So when you're trying to do email support, one of the things, when we were going around telling everyone who was trying to resolve the issue, don't contact them over email or not from our work email, because they won't be able to send one back, you know, that they did anyway. And it turned and like a couple hours later, why aren't they getting back to us? This is really bad. Like, Oh, well, because the email is bouncing, you know, they can't.
So yeah, I think one takeaway and it's weird because for personal accounts, it doesn't, it often, usually as a matter you don't think about, do I need full support? Like, I wouldn't necessarily put that as a, as a factor in choosing a registrar, but at the same time when stuff like this happens, it's something that you, when you really need it, you really need it, you know?

Kyle Rankin (7m 51s): Yeah.

Shawn Powers (7m 51s): Also pay attention to what 24/7 support means, because DreamHost has 24/7 support once you log into their portal. I cannot believe how stupid it was not to have that phone support or any option at all. In fact, they, once I signed up, they have the, they have an option to pay $15 to have somebody call you, which is cool. Except I got a response saying, I'm sorry, we can't do security things over the phone. Great. So what is it that I would be paying for over the phone support, but yeah. Getting the account compromised now, thankfully it was already locked. I already had my domains locked. So they couldn't like transfer them out, which would have been a nightmare if they were like, the registrar was, you know, transferred somewhere else because that is a lengthy, lengthy process.

Shawn Powers (8m 37s): They just changed my MX records so that the email went elsewhere. But simple things like, like two factor or multi-factor auth. When I started with DreamHost, there was no such thing as multifactor auth. Right. I mean, it just, wasn't a thing. Nobody had invented that idea. And so now DreamHost does have that, but they were not diligent about telling their existing clients, Hey, you should turn on two factor auth, because I wish that I would have thought about it. But you said it's a set it and forget it sort of thing. I set it, I didn't even, I never think about my registrar, my DNS setting, unless I need to add a DNS record. So yeah. Yeah, that was, that was extremely frustrating.
Shawn Powers (9m 19s): So now, you know, that, that's one of the takeaways, you know, if there's a bullet point takeaway at the end of this podcast, that's one of the bullet points, two factor auth or multifactor auth everywhere that you can, because if somebody has your email and that's a scary power, we'll go ahead.

Katherine Druckman (9m 38s): Well, I was getting probably you're about to say the same thing, but going back and checking your accounts, doing a basic security audit every X amount of time, just to make sure you know, that all of your accounts, especially your very valuable accounts, like we were talking about, you know, having your Netflix account info compromised, like, okay, fine. So somebody's got to watch movies for free. Hopefully they didn't get any, anything more, but, but your domain registrar is a huge,

Shawn Powers (10m 3s): Yeah, there are some things that are huge like that.

Kyle Rankin (10m 7s): And for long lived accounts like this, security practices and security hygiene changes over time, what's considered common versus what's considered, you know, going above and beyond. So like you said, 10, 15 years ago, not only was it not common to have to have 2FA, most places just didn't even have it as an option. So you couldn't have even done it if you wanted. Now it's considered fairly standard. And the same thing goes for what passwords people pick. I'm sure all of us, if we were to choose a password today, it would be a much stronger password than one that we picked for an account 15 years ago.

Shawn Powers (10m 40s): Yeah. And well, and that's another whole show, right? Like what makes a good password? Because I have humans can't know. I mean, there's one, well, see, I just agree. I can say like a long phrase or something like that. Yeah. Yeah. You can, if you can't type it in with short-term memory, then I, I think that you're likely to not have it.
Like I owe so much to say password managers are awesome and I use password managers and I have actually for a long time used password managers. But if my passwords are all 36 characters of random string of things in a place where I can't copy and paste, I'll be honest.

Shawn Powers (11m 23s): I'm probably not gonna kind of use that. I'm going to, I have long words with some, you know, characters and or numbers in there, but length is a big deal. And, but that's, that's, like I said, that's a whole 'nother show about password strength. But anyway, I have it

Kyle Rankin (11m 39s): 10 minutes. I have like a 10 minute Ignite talk or maybe it's a five minute Ignite talk that summarizes a 50 minute talk. That just sort of says what I think about it. So if anyone wants to know what I

Shawn Powers (11m 48s): Think about, is there a one minute,

Katherine Druckman (11m 51s): So you want to give it right now? I mean, we've got five minutes, my

Kyle Rankin (11m 54s): One, a minute Ignite talk of my five minute talk of my 50 minutes basically just comes as one of them. Yeah. I mean, the takeaway with passwords for me, this in summary, is that most password policy that people were taught the last 20 years was based off of not thinking about users at all and how users will, will respond to advice. But instead thinking about the odds of if of a combination of letters and numbers being put into a computer and being brute forced, which doesn't matter if the user's going to just put all of the upper case letters at the beginning, pick a dictionary word and put two numbers at the end. It doesn't, you know, so because no one considered the, how users would interpret that advice, they made bad policy, users obeyed that policy, but still picked bad passwords.

Kyle Rankin (12m 45s): Then get blamed when the passwords were compromised, even though it wasn't their fault.
So the takeaway beyond that is the best passwords today are when you can't remember, but you have to have passwords that you can remember so that you can unlock a password manager that contains the passwords you can't remember. So I use a password manager to remember random passwords that don't, you know, for any random websites. So I can have a unique password per site because having a unique, memorable password for every site is really hard to ask people to do, but having a, so put those in a password manager and make them random and generic. And also every website has different conflicting password policies.

Kyle Rankin (13m 28s): So you'll find yourself fighting their policy because they want uppercase and other people don't and all of that silliness. So use a password manager for most of your websites, but then a couple of things need a good password. You have to memorize the password to get into your password manager. You have to memorize the password to get into your computer, to get into your password manager usually. And so for those, I like using a long, memorable phrase. I don't care about uppercase, lowercase or any of that stuff. The longer, the better. When I had to hat implement a password policy for my, for a past company, a credit card company, for us and our, our customers to use, it was 12 characters minimum, no complexity requirement.

Kyle Rankin (14m 12s): So it can be whatever you want, as long as it's at least 12 characters. Now you can still pick a bad password with 12 characters, but by setting that as the minimum, one, it stopped people from reusing passwords. We had actually got complaints from people who said, but I already have a really good password I use for all my financial accounts. And so I was like, that's proof it's working. That's how you can tell our password policy is working. So, and they said, yeah, but it's only eight characters. So in any case, yeah.
So if you do that and encourage people to say 12 is the minimum, but please pick a longer one. I encourage you to use a phrase. Yeah. There are of course ways that people can potentially crack

Shawn Powers (14m 52s): Certain phrases and there's some prior art for that, but it's still less likely in particular for things like your password manager or your computer versus an online account. So that's my now four or five minute summary for how I feel about it is, is if you have to do a memorable one, make it phrases, we all can remember a couple of phrases. If you want to do Diceware things, which are you real dice that have that correspond to words, and you have a truly random, that's very strong, but you could also just do song lyrics that, you know, take a song that you know, and cut out some middle section of it and just type it, you know, and muscle memory will take over eventually. And you won't have to think about it. Yeah.

Katherine Druckman (15m 31s): I actually like to use a combination of Diceware, and not because I don't actually want to sit there and roll dice, but you can also, you can kind of pick a string of, let's say six to eight unrelated nonsensical words to make your own little funny song out, you know? So there are ways to get some pretty, pretty strong passwords that you can remember, in my opinion, I like the Diceware approach though,

Shawn Powers (15m 53s): You know, correct horse battery stapler, right. I mean, that's the XKCD version of this conversation and in two seconds, but yeah, so two-factor auth, multi, multifactor auth, sorry to get off of the password thing. But that was just day one of my issues. Right? I mean, so after I got back in and I, and I got my email back, then I had to change passwords for hundreds of sites. You, you don't believe how many passwords and how many sites you log into until you're tasked with, okay, change all of your passwords. What a nightmare. And I'll be honest as I'm going through them.
I'm like, okay, my Adagio Tea account may be compromised.

Shawn Powers (16m 36s): I don't care. I just went into like, I mean, if they went to my Adagio tea.com website and tried to hack in, I guess that's fine. I gave up after a while because there's so many. So I think there should be an easier way to, you know, this is where the, the open or whatever, where you had like one password that authenticated you elsewhere, that there were some nice features of that because you could change one password and you, you know, it changed it for all the different sites. But anyway, that that's another whole thing. It was, it was a process, but it got worse this week. So do you want to hear like the next thing where it got worse?

Doc Searls (17m 18s): Oh please.

Katherine Druckman (17m 19s): Oh, yes. I'm so sorry. But yes,

Shawn Powers (17m 21s): That always makes a good story. Yeah. So if you thought that was a bad day for me, it was, but it got worse because this week I noticed that my Evernote account had a random login from actually two, one from Germany, one from Paraguay. Now I haven't left my house much in the past year and a half. So I was pretty sure it wasn't me that was there. And I'm like, Oh, that sucks. And I, I know that's one of the passwords that I changed last week. So I'm not, I don't even know what I did, to be honest. It was probably an already logged in thing. And when I changed the password, I didn't go to a thing where it says like a disconnect all already, you know, connected apps or whatever.

Shawn Powers (18m 5s): That's probably why when I changed the password, it didn't keep the people out. So I'm like, okay, Evernote is compromised. So let's look. And while Evernote allows you to encrypt things, and I have some things in there that I'm like, Oh crap. I mean, yeah, it's encrypted. And I hope that that password wasn't compromised, but, but I have not always been the smartest of people. And I've been an Evernote user for a very long time.
So years ago when my kids were young, I put a PDF of my tax return in Evernote so that I would be able to access it quickly.

Shawn Powers (18m 46s): And there's no way to encrypt the PDF files in Evernote. And is this all my fault? Yes, it absolutely is. But I'm a tech guy making these, these mistakes. Right? And so now this week I actually took days off work because now I have to go through and like freeze our credit on all of our social security numbers for not only myself and my wife, but this is old. All my kids' social security numbers are in my tax return. And so now I am going my adult children, they're all in their twenties now, but I'm contacting them saying, Hey guys, I'm gonna, I'm going to lock your, your credit accounts. And I'm gonna show you how to go in and unfree or freeze them.

Shawn Powers (19m 26s): And then I'll show you how to unfreeze them if you need to sign up for an online account. But this is because it was compromised and everybody should have their, their credit frozen. If you guys don't have your, your credit accounts through like the three different bureaus frozen, you should do that anyway. There's no reason not to freeze your credit, even if you haven't been compromised. But anyway, so that's, that's what I'm doing now. And I'm looking through like, what else is there? There's another thing. Are you familiar with rclone, the program, rclone? It's an open source way to access, like, cloud-based storage and stuff. I use rclone and I pay for Google Drive for unlimited storage. And when you set up an rclone share, there's this huge string.

Shawn Powers (20m 9s): It's a key pair thing. Guess who put that into Evernote? Because I didn't want to lose it. It's a big hunk of text. And that one, I didn't encrypt for some reason, because I'm an idiot. Again, my fault, but it still happened.
And so now I have to figure out how to one, get the app, like to authenticate with new secrets and all that stuff for the Google app that I had to set up to use rclone. But also all of my files are encrypted and the key is now released. So now I have to figure it. So how am I going to unencrypt and reencrypt terabytes of files that are on G drive?

Shawn Powers (20m 50s): That's I still have yet to do that. I mean, I'm sorry to say, I still haven't figured out even how to go about doing that, but I have to do all that. Okay.

Katherine Druckman (21m 1s): I have to say you're inspiring me to do a lot of things this weekend, and I'm sure that will be next weekend for the people listening. But yeah, I anticipate some busy weekends out there.

Doc Searls (21m 15s): What other things are there like Evernote that people might have? I mean, somebody listened to me saying, Oh, I don't have Evernote, but,

Shawn Powers (21m 21s): Well, Microsoft has OneNote. I think OneNote, there's, I mean,

Doc Searls (21m 28s): I'd be honest. I know the guys that made, did Evernote in the first place, Pachikov, but I, I never used it. So tell it, tell us what it does and what the vulnerability of using something like that is.

Shawn Powers (21m 39s): Well, Evernote is a, it's an app that syncs in the cloud to keep notes. You can also keep files, but they can't be encrypted. It's basically just a bunch of your, your text notes, synced in the cloud. There are other features. That's all I use is just, it was like a way to sync notes in between apps and web browser and all the different things I use. And you can, you can copy some text and encrypt it. I'm not positive that encryption is top-notch as far as safety with encryption goes, but

Doc Searls (22m 11s): It's Apple and Microsoft have similar things.

Shawn Powers (22m 14s): I'm sure. I mean, with Apple, it's probably like the Notes.

Doc Searls (22m 17s): Yeah. The Notes app. What else? Oh, Reminders. That's another one.
And of course the Apple cloud, which I guess is fairly secure. I've never understood that. Quite honestly, I'm paying for it and I've never understood it because I don't know what's there and what's not. And why, and, and the rest of it, you know, there's a few questions. I'll just, I wrote them down over here. What do you know why you may have been singled out? Did you have anything you can report to anybody about this, other than what we're doing now? It's interesting, somebody who breaks into your house and you know, and steals a bunch of your stuff and it's a police matter, but what do we have here?

Doc Searls (22m 58s): Yes.

Shawn Powers (22m 58s): So, so no, there's, there's nobody to report this to, the, all of the IP addresses that I noticed. So my Firefox account was one that was compromised. I don't really use Firefox all that much, but they used it because if you get your somebody's Firefox account, their, their passwords are not encrypted at all in the Firefox Sync thing. And maybe, maybe they are now, but of course not for, you know, when I started using Firefox Sync, when it first came out, because I'm a such a trend setting, new technology user. But anyway, no, I didn't, I don't use it. So there really weren't passwords in there for me, but they compromised that and they changed the language in Firefox to Spanish.

Shawn Powers (23m 43s): So whoever it was as a Spanish speaking person, also my DreamHost account was switched to Spanish language. But the IP address that hit the, those two things were in were from Hong Kong. Now I know somebody said, Oh, it was probably a VPN, but I don't, who would ha who would VPN into Hong Kong to attack something? That doesn't make any sense to me. Usually it's the opposite. Somebody in Hong Kong will VPN out because, you know, they have the great firewall there. So there was a, an, a Hong Kong IP address. Then also, like I said, Paraguay and Germany. So yeah. Who knows and why it was targeted. I have some suspicions.
Shawn Powers (24m 23s): I'm not a super public figure, but slightly public. Right. I mean, and also I've written a lot about cryptocurrency and with the current boom in cryptocurrency, people are thinking, Oh, Shawn Powers, he's written a lot about crypto. He's probably loaded. Yeah. Spoiler alert. I'm not. So, and I say that not only because it makes sense, but also because every online account I have that related to cryptocurrency, those were immediately like every, they did everything they could to get into them. Now, thankfully, all of those accounts were protected with multi-factor auth by default. Most of those places force you to, thank goodness. But also even if they would've gotten in, again, I don't have crypto anymore.

Shawn Powers (25m 4s): I sold it like Bitcoin at like a buck a piece. So yeah, joke's on them, I guess. And that explains it.

Kyle Rankin (25m 12s): Maybe why some of your cloud of file accounts were accessed too, not simply to get credentials, but also in case you had wallets or other things, and, you know, some people are, are bad about sharing that sort of thing and syncing, having it synced up a lot of different places instead of having it be offline.

Shawn Powers (25m 28s): Exactly. Like, especially once the, once the wallets were like 12 words, you know, to like the seed phrase or whatever to rebuild your wallet was just a bunch of words. Copy and paste that into Evernote. Sure. That makes perfect sense. Right. And I'll be honest. I did have it. Wasn't a cryptocurrency that I have any, you know, the wallet was empty. I did have one of those in my Evernote account. It was encrypted, but still, I'm not sure that that encryption is strong or, you know, trustworthy anyway. So yeah, I I'll be honest. I was shocked how violated and helpless I felt that morning when it happened. I could not get my own emails back and nobody could help me.
It was, it was a horrible experience that I really hope that people will hear this and think, Oh, that was terrible.

Shawn Powers (26m 12s): And Shawn, he's a pretty smart guy. And if that happened to him, I really should do things like turn on multifactor auth on every account that I can, make sure my registrar and DNS stuff is protected, lock my domains, all of those things, because it's shockingly easy to get your whole world messed up. Well,

Kyle Rankin (26m 34s): And in particular, because of how without multi-factor authentication, how authentication would it boils down to is it's either someone guessing a password or your email, you know, most sites have a, I forgot my password. So if you look through authentication workflows that all boils back down to, like, you've already said this, but it boils down to, can someone click a link and then if they, if they can access your email account, either through the more complicated way that happened to you, or just by guessing the password to the Gmail or whatever, then they can reset things and get access to a lot of different things. You know, it's, it becomes, it becomes the replacement and multifactor among other things helps protect you against that too.

Kyle Rankin (27m 14s): So even if someone's doing that workflow to reset a password, most sites are good about, if you have multifactor enabled, you can't just use the reset password email workflow to turn it off, you have to do something else.

Shawn Powers (27m 27s): For sure. And that's, I mean, people probably don't realize the significance of having a different password for every account. You mentioned earlier, like, Oh, but I have a really good password, right? I think a lot of people use slight variations on one or two passwords. And the problem is if one site gets compromised, I mean, you hear about data breaches every day, and that's the significance of a data breach.
If you are using the same login and password for multiple sites, if one site gets breached, they will try that login and password on every site they can think of. And if you're using the same password, boom, they're going to get in without any hacking at all. They're just going to use the password that they found from another data breach. So having different passwords on every site is, is vital.

Kyle Rankin (28m 10s): Well, and, and you, you touched on something else, which is to not make it based on a formula. You know, if you, if you say, well, my password's technically different, but it's all based on some sort of like, basically if someone knows one or two of your passwords, can they then figure out what the rest are? If the answer is yes, then do something different. This was a, they did a study on this years ago, like 10 years ago, that I pointed, that I point to sometimes when people are talking about old bad password policies, like for example, password rotation is a policy that I absolutely hate, forcing people to change their password every month, every three months, whatever it is. And that's because among other reasons, besides the fact that it encourages you to pick a bad password, typically because you pick, what'll happen is you'll pick a really good one the first time, then it'll expire.

Kyle Rankin (28m 56s): And you're like, but I, I just remembered that, when my muscle memory set up, you know what, I'm not going to, I'm going to pick a simpler, I'm going to pick something simpler this time because I have to keep picking new passwords every, every month or so. So, but they also found that if they did a study where if they looked at, they had a sense of what a previous password was, they could predict, I think it was within like 80% of the remaining passwords for users. If they knew one of the passwords they used and they were on a rotation, they could guess what the next password was going to be within like 80% odds.
So yeah, for all of those reasons, you have to, it truly has to be different and unique.

Kyle Rankin (29m 38s): Yeah.

Shawn Powers (29m 39s): And I used to, I used to be a proponent of user use a formula. So you can figure out your password on every site. You know, this is before password managers were a thing. Now it's important not to do that for exactly that reason that you just, you know, because it's important. Another thing. And I just, I, so I got a text message while you were talking and that reminded me, so one of the potential multifactor authentication things is getting a text message, right? I mean, that's, you know, like you'll, you'll log in and they'll say, we're going to text you a code, enter the code that you get via text, right. I mean, that's, that's a real common form of multi-factor authentication. This is something that happened to me a couple of years ago. And actually it changed the policy at CBT Nuggets, my employer who pays for my phone. What happened is somebody called into Verizon and told them that they were me and that they, but they lost their phone and they have a new phone and they need to get it.

Shawn Powers (30m 31s): And they had, they had some of my security questions, apparently, I guess, I don't know. Later on I found out that they, they answered everything that Verizon asked them. They answered correctly. Like probably it was like things like my birthday or something that could be publicly figured out or something like that. Anyway, the person, the operator at Verizon felt that it was hinky. And just, even though they answered all the questions correctly, did not let them have my phone service. Right. They just disabled my SIM card completely. So thankfully whoever that operator was used, their, you know, trusted their gut and just said, no, this doesn't feel right.

Shawn Powers (31m 11s): And just disabled my account.
And because, what happens, of course, is they were planning to use that to gain two-factor authentication access, probably to Bitcoin accounts, you know, or whatever, because that's kind of the big thing everybody tries to steal. So another thing. I've talked about two-factor auth on a lot of accounts, using different passwords. Another one is with your phone: contact your cell phone provider, whoever that is, and make sure that it's very difficult to transfer your service. Right now at CBT Nuggets, my employer, there are only two people in the whole company who can make any changes to accounts, and they have to have special code words to do it. And it takes time to do and stuff, for that exact reason: somebody could hijack your phone number, and suddenly they are you with your phone number, getting your text messages, including two-factor auth messages to your phone.

Shawn Powers (32m 3s): So, anyway, that was one more thing that happened to me, like a year and a half ago or two years ago.

Kyle Rankin (32m 7s): Yeah. When I was in charge of security at a credit card startup, one of the things that I was responsible for was coming up with all of the call center workflows for re-authentication, how to authenticate somebody. And it's surprisingly challenging to do well. It's really easy to do it badly, but it's really challenging to do well, because there are all of these different edge cases and scenarios where people will legitimately lose a thing, and you have some method of their authentication. You have to figure out how you gracefully fall back from that to something else, in a way that a legitimate person could still get access to their account, but an illegitimate person couldn't fake it.

Kyle Rankin (32m 50s): And it's really tricky, not just with two-factor authentication, but one of the things that we opted for, in addition to other things, as part of the workflow, was always notify all of the existing contact methods that a thing happened.
So if something significant happened, for example, one big one was, what if someone decided to change their mailing address? That's a totally legitimate thing that happens. But it's also, for credit cards, something that someone can do for fraud. And so our approach was, okay, well, if someone does fully authenticate and seems like they're the right person, even then, if they want to change something critical like their mailing address, then we still send an actual letter to the old address saying that it happened.

Kyle Rankin (33m 35s): And the reason is that then, if it were fraudulent, they at least have a heads up that it happened. The same thing: we would send the notification email to the email account. And if someone changes their email account, we'd send a notification to both the old and the new, and, you know, things like that factor in. But yeah, in terms of two-factor authentication, SMS is definitely better than nothing. Sometimes in the security community you'll see a lot of people dump on SMS for two-factor authentication because there are ways around it, like you've mentioned, but it's still, generally speaking, better than not having any second factor.

Shawn Powers (34m 11s): Definitely. Yeah. One more thing you have to compromise. Even if it is compromisable, it's one more thing to compromise.

Kyle Rankin (34m 17s): Yeah. And the other thing is, now there are a lot of services offering multiple different choices for how you can do your second factor. And so at the moment, probably, I would rank the order as: the most secure, if they offer it, is something called U2F, which is you get a special little security USB dongle that supports this protocol. These days they're relatively inexpensive. I want to say 10 or $15

Shawn Powers (34m 43s): For one of these. It looks

Kyle Rankin (34m 45s): Like it's like a YubiKey. Some YubiKeys support this as well.
But so that's the most secure, because what happens is you log in using a computer and they say, plug in this device, you plug it in, and the authentication happens between the remote server and the key itself. So that's the most secure. The second most secure is probably a traditional six-digit code thing, where you could use a YubiKey or you could use something else. But the reason that's slightly less is that somebody could then sit in the middle, essentially, and say, hey, I'm on the phone, tell me your six-digit code, or pop up a screen that has you type it in.

Kyle Rankin (35m 26s): So that could potentially be faked. And then it falls back to things like SMS, entering the six-digit code from SMS or whatever.

Shawn Powers (35m 36s): Yeah. So I'm a big fan of the six-digit code with, like, Authy or Google Authenticator or whatever, you know, the 30 seconds before it refreshes. One of the things about that, though. I'm setting up my family, and I'm bad in that my kids probably don't use password managers for their online accounts. And again, they grew up when that wasn't an issue. So I'm sure that any tech-savvy person now will teach their kids how to do things well, but anyway, now I'm going to go and show them how to do all that. And one of the things with the six-digit code is it can be a real pain if you lose your phone, or, you know, learning how to back that up.

Shawn Powers (36m 18s): It was really vital for me. And what I really, really liked myself: I have two phones, and one doesn't even have service. It's a Google Fi phone that I have paused, in case I want to go somewhere that, you know, I need that Google Fi service. And so I use that so that I have the six-digit thing on more than one device, in case I lose a device, I still have it. But also password-protect those things, because by default there's no password protection on them.
You just, like, somebody grabs your phone, hits the app, oh, look, there it is. That's disturbing. And yeah, so Authy is pretty easy to back up to multiple devices. They actually store it in the cloud, but it has to be encrypted, and nothing can be unencrypted in the cloud.

Shawn Powers (37m 1s): If you forget your password, you're screwed, but at least there's a place that, as long as you know that password for Authy, you can get it on another device, you know, if you lose your device. Google Authenticator isn't quite as great. I think it's an older technology, Google Authenticator, that uses the six-digit thing. It's the same sort of thing, but the way that you back it up is you take a picture of the QR code from one phone to another, which is something. But yeah.

Doc Searls (37m 29s): So I have a question about password managers, because I won't say the password manager that I use, but they decided that having an app was a bug, and that a feature they needed was to move the entire thing, that was an app, onto a browser. So now they're entirely in a browser, meaning that I have to go from one tab to another or one window to another in the browser in order to use their service, which certainly is a value subtract, but I don't know if that actually is a value to try. I'm actually thinking of getting rid of them.

Doc Searls (38m 9s): And so, and I don't mind mentioning brand names, you guys want to. I just don't want to crap at anybody, but crap, I think, in what's a credible way. Yeah. Well, I'd rather hear who's good and why, but this one decided that, you know, you don't need an app anymore, you know, so. And I don't even know what they have on the phone.

Shawn Powers (38m 30s): I do have thoughts on that, because I use LastPass. I've always used LastPass.
It's not the best, you know. I even wrote an article about password managers, actually, for Linux Journal before it closed down, and LastPass wasn't necessarily my top pick, but I used it and I liked it enough that switching wasn't worth it for me. But one of the things I like about LastPass is that there is an app and it integrates really well with the mobile operating system. And that may sound like a weakness, but there's also the human factor, right? If it's a pain in the butt to do, people aren't going to do it. You know, I have to show my twenty-something girls how to use a password manager.

Shawn Powers (39m 10s): And if it's something where they have to open up a browser with multiple tabs on their mobile device and copy and paste between something while they're logging in, they're not going to do it. So the integration that LastPass has, I really like it. And this isn't a plug for LastPass. It's just what I use. But their integration is one of the things that I actually really do like about it.

Doc Searls (39m 30s): What does it say? I mean, it's interesting to me that I feel with an app that it is actually more mine than the browser, and that it's independent of the browser. Suddenly having it as a tab in the browser doesn't seem independent anymore. And that's pure perception on my part. I'm sure the back end of the thing is no different, actually, but it's weird. But yeah, what I'm using, by the way, it's not LastPass. So you're using two LastPasses out of four, 50% of our people are on that. What about you?

Kyle Rankin (40m 5s): I use a local password manager that doesn't have cloud support, and then go through the pain of synchronizing things if I need to between multiple devices, which I tend to not. I don't create new accounts all the time.
Doc Searls (40m 19s): Is it a branded one, or is it one of your own of some kind, or what's the...

Kyle Rankin (40m 25s): It's a Linux-based... I've hopped around on the client side a couple of times. The back end is this little local file that's in what's called the KeePass database. And there are a lot of different front ends now that support this back end, because it's been very popular for a long time. So when people create new clients, they allow you to import that. But I've been using some form of a front-end client behind this KeePass database for a long time. What I like about it is it doesn't do some of the automated things that a lot of others do, in terms of automatically filling in forms and that sort of thing. Although there are some clients that have plug-ins that integrate with Firefox that let you do that, I guess.

Kyle Rankin (41m 9s): But what I like about it is the password generation feature that it has. Almost all the clients have some means where you plug in whatever the dumb password policy is that a website requires, and it generates a random password that matches that policy for you. And you can just copy and paste it in. The other thing I liked about it is that I have a client already that works with it on my Librem 5 phone. So I was able to just have the same file both on my phone and on my laptop and everywhere else. And it all just sort of works.

Katherine Druckman (41m 43s): Yeah. And once you achieve total convergence, it doesn't matter. You don't need to sync around the cloud, right? You have one device to rule them all, and it's all there, right?

Kyle Rankin (41m 50s): Oh man.
So this will be for some future post, but I've just spent a full week doing full convergence personally, with a laptop dock and my phone, and it is the future. But that'll be for some future post. What convergence is, exactly: what I did is, I have a laptop dock, which just has a screen, a keyboard and a mouse and a battery, you know, and some USB plugs. It doesn't have any Intel, any CPUs really of its own, or RAM or anything. And I dock my phone into it. And my phone now uses that bigger screen, the physical keyboard and the physical mouse, but all of the files and the resources are being used from the phone itself.

Kyle Rankin (42m 32s): And it charges the phone while it's using it. So this last week I've been using that instead of my personal laptop, as a test to see, could this replace what I did on my personal laptop. And

Katherine Druckman (42m 43s): You remember there was a, I can't remember the name of it, but back when, you know, the device where you pop your phone into it, and it was that exact thing. It never took off.

Kyle Rankin (42m 53s): Atrix. Yeah. The Motorola Atrix had a laptop. I had a Droid 4 phone, and I even had a Linux Journal article where I talk about some of that stuff. And then I followed it up more recently on the Purism site, where I referenced the old Linux Journal article, and I talk about why that approach failed in the past: because it was making a phone screen bigger. Yeah. So you just get these phone apps that are bigger and kind of lame, instead of making desktop apps smaller. So yeah, again, I didn't want to do this about this, but it did come up, and now I'm using it all the time. But yeah, basically when I dock it, Firefox is desktop Firefox. So when I move it on the big screen, it's just Firefox.

Kyle Rankin (43m 33s): When I move another app from my phone, I drag it over.
You can drag it over with a mouse or with the keyboard. When you move it to the big screen, it morphs and changes into the full desktop version of the thing. And

Katherine Druckman (43m 46s): It's super cool. Very cool. Very good. Actually, I should plug, we had a whole episode about this, where Kyle talks about it in detail, although I'm sure it could be updated because it was back in September. It was episode 38. I just looked it up, on digital convergence. But yeah. Now there's been progress. The name of the phone that did that, I could not remember the name of it.

Kyle Rankin (44m 8s): Yeah. There have been. So yeah, it didn't last very long, the Atrix and the laptop docks, and then everyone discovered you could hook up other, like, Raspberry Pis to it. And then all of the discontinued laptop docks were all sold out in like a couple of weeks, you know. You could get them really cheap, because no one wanted them until then. Yeah, that's fine.

Katherine Druckman (44m 28s): So let's talk a little bit. We've gone over a few things that people could do, but is there anything that we can sort of remind people to do in terms of further steps they can take, just to protect themselves at a very basic level? Because we talk about a lot, you know, like, don't know this guy. Yeah. Oh, it's so sad, but no, I mean, seriously though. Our last episode that came out today, we talked about how, you see, I feel like you have to be a cybersecurity expert these days to not just get screwed, but even people with tech skills, like legitimate tech skills, you can still get completely owned.

Katherine Druckman (45m 17s): So like, you know, in that case, what hope is there for everybody else?
So I just wonder if, you know, we could kind of turn this into, as much as possible, a learning experience for

Kyle Rankin (45m 28s): The big one for me. I'm a tech guy. I consider myself a tech. I'm not the best, but you know, I'm tech savvy. Looking back at old accounts and things that you did in the past, and make sure that they're up to date. Things like, you know, make sure your registrar, if it supports two-factor auth, turn it on. Make sure you're not using the same password other places. Doing the right thing from here forward isn't enough, because crappy stuff you did in the past, like saving a tax return in Evernote in like 2003, will bite you in the butt at some point, potentially. So I think doing a look back at all of your existing accounts, even though you maybe don't log in often, that's a really smart thing to do.

Kyle Rankin (46m 12s): Well, and also, sometimes these old accounts that you maybe haven't even used for years and years, sometimes those sites get hacked themselves and their databases get dumped. And depending on how old the account is, your account may have existed in the days before people commonly encrypted passwords in the server's database. And so often it'll happen: this old site gets hacked, and then everyone's passwords that it discovers are in plain text, or they're just using a hashing algorithm that's easy to crack, and so they're effectively in plain text. And then everyone takes that password and then assumes, rightly, that a lot of people probably use that on a lot of other sites, and then they float around.

Kyle Rankin (46m 57s): And then the other thing that happens is they end up in shared password cracking databases that everyone that's really into the password cracking scene shares, because they're all known good. What's more valuable than knowing these are actual passwords that were used in the wild?
So they combine them with all the others, in case there are any new passwords to be discovered, and then use that whenever they're brute-forcing things. Hmm.

Katherine Druckman (47m 19s): Or use it in a sextortion email. Sorry, that's a little bit of a tangent, but I dunno if everyone here got those emails, but a while back, I know at least everybody at Linux Journal got these emails, and one of the tactics they use to make you think that you've been hacked, which you haven't necessarily, is to include a previously hacked password. So some old password that you've used at some point in your life that's gotten out in one of the, you know, many data breaches will show up in these threatening emails that say, like, we have all of your data, we have this, that, and the other thing, that they of course don't have.

Katherine Druckman (48m 3s): But here's to prove it, you know, we also have this password, and you go, oh my God, they have my password. You know? Cause it's something that you've used in the past, but hopefully, if you're like me, you can recognize it as something that you've since changed a long time ago, because you didn't know any better back then. And it was like six digits. And anyway, so yeah, people can use that kind of old leaked information against you in all sorts of weird and creative ways.

Kyle Rankin (48m 30s): I'm wondering, do you guys see a world in the future where we don't have to screw with passwords and logins? There's a lot of effort being put into making a world like that. There are many people in the security industry that have for many years talked about passwords being dead, and wanting to get rid of passwords altogether, mostly because of the problems in the past with policy.
But to me, if we're talking about the two strongest ways that we have to authenticate, it's something you know and something you have, with something you are being pretty lame, usually. And even though that's becoming incredibly common, to me that's always like the third choice after you do the first two. This something you are, so we're talking like your signature or your fingerprint or your face or things like that.

Kyle Rankin (49m 21s): It's better than nothing, but not as good as the other two. So if we're saying now we don't want to do the something you know, then we're just left with something you have, or maybe augmented by something you are. So that means everyone's carrying around a little, like a little USB dongle or something, some physical object you have to have to prove that you are who you say you are. That by itself is okay. But I still think that there's a place for something that's in your memory that can be kept secret, at least until everyone can wear a hat that reads what's in your memory.

Kyle Rankin (50m 2s): Once that happens, then maybe not. But until then, I still think that there's a place for having a secret that only you know, that's stored in your brain instead of on an object. Removing one of the "multi" from multi-factor auth feels like a step backwards, I guess. And yeah, that's what Kyle said, much more eloquently, but getting rid of passwords is cutting off something that has value, I think, and there's not a great replacement for that in and of itself.

Doc Searls (50m 31s): The SSI, self-sovereign internet world, which I've hung around, and actually wrote a piece about it.
This is going to go in a magazine called The Reboot, you know, in a week or two. People in it, not everybody in it, but people in it claim that when you break everything down to verifiable credentials, I have a verifiable credential that I have an account here, and I can present the verifiable credentials from a wallet that's independent of any device and is itself secure, and do it in a minimized way. It isn't so much about logins and passwords, but going through the world in a way where you're only revealing what needs to be known, and in many cases is anonymous or pseudonymous.

Doc Searls (51m 13s): You don't need, you know, here in the physical world, we are, in fact, we're known to be human. You walk into the, you know, my example is you walk into the coffee shop, your name is Mike, and the guy in front of you in the line calls himself Mike to the barista, so they make him a different name, but they don't need to know your actual name. Right. And there we go around not being identified most of the time. I think it has a lot of promise. It's also still fairly early, but there's a lot of development going on in it. And it's all over the place. It's not exactly coordinated. So it just sort of bears watching.

Kyle Rankin (51m 47s): In a lot of those cases, you're still, like, that's a something you have, I think, credential, where what you have is some file or hash or key that's stored on either an object or on your file system or on your phone or something, right? Secure enclave or whatever it is.

Doc Searls (52m 8s): And you have to back it up with something you know.

Kyle Rankin (52m 11s): To me, it's strongest if you have all three. If you can only have two, I would still like to lead with something you know, followed by something you have, and then have the something you are at the end, if you want to add an extra thing.
I mean, the problem with biometrics is they're not secret, right? The entire security is based on the idea of how hard it might be for someone else to mimic it. And for most of them, it's not necessarily that difficult to make a copy.

Katherine Druckman (52m 39s): And you also have legal issues, too. I mean, if you can be compelled in court to give up a fingerprint, or, you know, compelled to unlock a device with your face, then that seems like it's less secure. I mean, it basically is your face.

Doc Searls (52m 55s): You have, or something you know. I'm going clear on something you are.

Katherine Druckman (53m 1s): All the something you are, you know, methods, I think, are problematic for certain people. It depends on where in the world you live and, you know, who you're trying to protect yourself from. But there are a lot of questions, you know, about being compelled. You cannot be compelled, I believe, still, to give up a password, but you can be compelled to give up a fingerprint, or to allow somebody to use your face to unlock something. So it's my

Kyle Rankin (53m 26s): Understanding,

Shawn Powers (53m 27s): My last weird bit of thought here, maybe it's advice, maybe it's bad advice, but it's something that I'm doing. You know, Kyle mentioned having one password that you can remember for unlocking the rest of your passwords that you shouldn't be able to remember, and that's really wise. But that one password, as I get older, I find sometimes I forget the craziest things, right? Like a password that I've typed in a thousand times, all of a sudden I'll be like, I don't remember my password. And I don't think that I'm necessarily going senile, but sometimes we just have those moments.
So while it seems against everything that I've ever told anybody in my life, I'm to the point now where I am physically writing a password on paper and putting it in a safe, a physical safe, because that happens.

Shawn Powers (54m 14s): And also I'm somebody who got into a car accident and lost his memory. So I mean, a lot of crap has happened to me, I just want to say. I realized that now, but yeah. So it seems antithetical to everything. Fireproof safe, fireproof safe. Yeah. Since my house burned down. Yeah. So it's funny that you say that, but yeah, a fireproof safe is something that I'm actually ordering this week, as part of my holy crap, what happened to me thing. So yeah. Fireproof safe to write down. And it hurts to see a password written down. I don't know about you guys, but if I see a password written down, that causes me physical pain.

Doc Searls (54m 54s): Yeah. I have 15 of them that I'm looking at right now, cause I put them on a sticky. And just because, here's the thing, my password manager's auto-generating thing doesn't work. So I write them down, put them there, and I keep them there long enough that I've used it a couple of times, then I go away. And also they're getting rid of the password manager. So it's a stopgap, but you're right. I mean, it's the wrong thing, but they're there.

Kyle Rankin (55m 21s): I mean, I'm an advocate for, for those passwords that you must remember that are complicated, but in particular ones that are complicated that you don't have to recall often. You know, there are some things, for example, logging into my computer, I have a long password, but I type it in every single day. So even if I forget it, my fingers, my muscle memory, knows what it is. But there are also things that you only have to recall when you need to recover something, and that may never happen, or may happen every three years or something.
And then those you definitely should write down, if not the password, then some sort of hint, or some sort of way to jog your memory to what it is, at the very least.

Kyle Rankin (56m 5s): So I will share my own embarrassing security story about this. So a couple of years ago, I started work at Purism, and I'm in charge of, I'm chief security officer. So I'm taking all of the best security precautions, and that includes using smart cards to store my GPG keys. So I create a brand new, secure GPG key offline. I transfer it to, I make backups onto USB drives, multiple, in case one fails. I then copied the key, the secret key, to a smart card.

Kyle Rankin (56m 46s): And I only use my keys to decrypt, encrypt, all of that, from a smart card. I put the USB keys, it's in a file system that's encrypted, and I put it in a safe. Very secure. And, like, this is a very important password. This is all of my peers and credentials are all based on this new GPG key. So I'm going to pick a really good, brand new, long password, and I'm going to encrypt that backup with that, because what if someone were to break into a safe and steal my stuff? They'd need to be able to get into that. Okay. No problem. So it's stored in the safe. Two years ago, maybe a year and a half goes by, and I go on a trip, and somewhere along the trip I lose my YubiKey.

Kyle Rankin (57m 32s): That happens to have that key. Like, well, that happens. That's fine. It's inconvenient, but it happens. Now all I need to do is go get one of my two backups. One of the two USB drives will work just fine. And so I get it, and I slot it in, and I start trying to decrypt it, and, like, wait, what was the passphrase? What was the passphrase? And I swear to you, I went through every possible thing I could have ever thought of. I spent a couple of weeks, cause it's a very important key.
Obviously I spent weeks. I would take a break and then come back to it and just try it. I had a text file full of all these different iterations, in case I tried to be clever and mix the thing up or do something, you know?

Kyle Rankin (58m 13s): And I just went through every possible thing. I still, I didn't throw them away. I still have those drives, just in case I ever think about it. But I eventually had to abandon that key, the key that all of my peers and, so now everyone that's listening to this can look through, cause this is all public record, right? Because if you look on key servers, you can see when people change their keys. You can see which key it is. You can see that I stopped using it at a certain point. And you can see at a certain point I had to generate a brand new key, send an email to everyone saying, hi, guy in charge of security here. I'm really bad at security. Here's my new GPG key that now you need to trust, and I'm going to be using going forward to sign everything.

Kyle Rankin (58m 53s): So what did I do differently now? Well, I pick a password, and now I have made a note somewhere to jog my memory in the future for what that password is. Because again, I will only ever recall it if I have a big problem, you know, some sort of disaster key recovery kind of thing. So that sucks, man. But I totally see it happening right now. Yeah. Now I'm thinking

Shawn Powers (59m 22s): Two safes. One at my farm and one at my house.

Katherine Druckman (59m 25s): But don't forget the combination to the

Shawn Powers (59m 26s): Safe. The passphrase for each USB key you can do with the other one. I know we're running out of time, but I got to tell my quick story about sticky notes, Doc, because you said sticky notes. So I was the technology director at a school district in my twenties, and I just discovered password complexity.
And it was going to change the world, because if everybody had to have a complex password, there would never be the possibility of people cracking passwords again. Right. It was just brilliant. So I enforced it. I turned it on. And then the next week I went up to central office, where all of the paychecks are created.

Shawn Powers (1h 0m 7s): And, like, the superintendent's office, with all of the secretaries. Every single secretary had a sticky note with their complex password stuck to the monitor, and they were facing, I mean, they were facing where people walk in, because, like, the secretary is like, oh, this is what you're looking at on the monitor. And so right there was their password. And that was the day where I realized that complex passwords are not the answer.

Katherine Druckman (1h 0m 33s): Yeah. That is a life lesson right there. So you were right. We are actually running out of time. I do have one last question. I think just one, and that is the backup codes, like recovery codes. A lot of Google accounts will have them, LastPass, you know, it's a series, a list of numbers or something. Now I have a whole ritual and weird thing that I do to deal with them. But I'm wondering what is the best practice for dealing with recovery codes?

Kyle Rankin (1h 1m 4s): What I do with them: one, I think it's important to make them, because you need a way to recover accounts when you get in these weird situations. So I think it's smart to have them, yes.

Katherine Druckman (1h 1m 14s): First step.

Kyle Rankin (1h 1m 16s): So step one, if a place offers them, I would generate them and use them. What I do is I have a notes field in my password manager for that account, and I put it in the notes. And I do the same thing with security questions, because I hate security questions.
So if someone gives me a security question, nine times out of 10, I will generate a new password and paste it into the security question field, and then store that password in my password manager for the security question. Okay. Sometimes it just, so it's easy to read off if I ever have to, I'd make it a little bit easier, but, but I don't like security questions because they ask you things that you can find out on the internet about someone.

Kyle Rankin (1h 1m 56s): So instead I've, I hack that by changing it to something that you couldn't find, look up. 'Cause it's something I just made up.

Katherine Druckman (1h 2m 3s): Smart. I actually, I do, I do make a lot of use of the notes feature in my password manager. So that makes me feel good that you've endorsed that approach.

Shawn Powers (1h 2m 13s): LastPass. They do have a really nice notes feature too.

Katherine Druckman (1h 2m 18s): A lot of things. I,

Kyle Rankin (1h 2m 20s): I'm also a fan of printing those things out and putting them in the safe that I'm going to buy this week for the same reason.

Katherine Druckman (1h 2m 27s): Yep. I like that approach.

Kyle Rankin (1h 2m 29s): For GPG key. The same thing goes for GPG keys. There's, that's another common thing that they'd recommend that you do, is actually print out the private primary key for GPG, printed on a piece of paper or two, and then put it in a safe or a safe deposit box, because it would take less, even though it'd be a long time, it would take less than the two weeks of guessing, right, to type the thing. And,

Katherine Druckman (1h 2m 56s): And here's the thing you should definitely not do, is take a screenshot of it and put it in Evernote. Don't do that.

Kyle Rankin (1h 3m 2s): That, that loops pretty well.

Katherine Druckman (1h 3m 5s): Well, thanks, y'all. Thanks for joining us.
I think, I think that that people will have learned quite a bit from this and I think it's really helpful and I'm really sorry that this happened to you, but if we can get the smallest amount of silver lining, I think, well, I'm not going to say it was worth it. Cause it was absolutely not, but at least it's something. Yeah. It could have been worse. Thanks. Y'all for joining us, everyone for listening.
