July 23, 2025 • 34 mins
If you’ve been resistant to using a password manager, or if you want to step up your overall digital security, this episode is for you. Dexter talks to Josh Blackwelder, Deputy Chief Information Security Officer of SentinelOne, about the dangers of having weak passwords (even for accounts you don’t care about), why you definitely should use a password manager, and why you should switch your email account to login by something better than a password: the passkey. We’re here to evangelize the importance of digital security – and keep you from getting hacked. If there’s someone in your life who needs to hear this, share this episode with them.
Useful links:
Check to see if your data’s been leaked: https://haveibeenpwned.com/
Check how strong your passwords are: https://bitwarden.com/password-strength/
Set up Google passkey: https://g.co/passkeys
Got something you’re curious about? Hit us up killswitch@kaleidoscope.nyc, or @dexdigi on IG or Bluesky.
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:11):
The genesis of this episode basically is that I've been
having trouble convincing people to be better about their security.
And I have a hypothetical person. We're just gonna call
this person Jeremy. Jeremy told me about how they use
the same password across multiple services, multiple logins, and what's
(00:32):
a big deal? Who would hack little old me? And
I've been trying to explain to Jeremy, Yo, it's not
that simple, and I'm struggling. So here we are.
Speaker 2 (00:43):
Yeah, security is a big problem, and it's pretty complex,
and I think a lot of people are kind of
frustrated with the state of affairs.
Speaker 1 (00:51):
Josh Blackwelder is a deputy Chief Information Security officer at
Sentinel One. He's colleagues with Alex Stamos, who you might
remember from our exit utils episode, the one about the
biggest hack that never happened. And Josh says, I'm not
crazy that it is getting harder and harder to protect
ourselves from hackers, but it's also getting harder to get
normal people to take this stuff seriously.
Speaker 2 (01:14):
If you have to create a password, make it strong,
make it sixteen characters, use a past phrase.
Speaker 3 (01:19):
You know.
Speaker 2 (01:19):
My favorite place to visit is and blah blah with
a bunch of numbers. That's the legacy password sort of mindset.
But depending on how they have their data cracking machines.
They're so powerful now with the advent of the latest
Nvidio processors, it doesn't really matter the length that you choose.
The horsepower is such that eventually they'll get through there
(01:42):
and they'll find your password.
Speaker 1 (01:47):
So yeah, this how to episode is for all the
Jeremies out there that no, they should do something about
their passwords, but it just kind of feels overwhelming, or
maybe somebody sent this to you and this is how
you're finding out that you are the Jeremy in somebody's life.
In that case, welcome to the show. This is not
meant to shame you or anything like that. We're gonna
work through this together. But even if you think you
(02:09):
have a good handle on your passwords and your security
and all that, I think there's still something in here
for you, because as hackers get more sophisticated, the way
we communicate with each other gets more important. From Kaleidoscope
and iHeart podcasts, this is kill Switch.
Speaker 3 (02:27):
I'm Dexter Thomas, I'm goodbye.
Speaker 1 (02:44):
To be online today means having a bunch of digital
accounts and each one has its own password to remember.
It's just part of life now. But it wasn't always
like this.
Speaker 2 (02:56):
You think about the early days of computing, you really
had very few past you didn't have social media accounts,
you didn't have any of that stuff. It was just
like the World Wide Web. It was just this free wonderland, right.
And then as these sort of paid services that had
more personal data started to require more logins, and you know,
the advent of online banking. Now use hundreds of different applications,
(03:19):
and so what you're left with is this sort of
massive sprawl of usernames and passwords.
Speaker 1 (03:26):
There was a time when you only had a handful
of accounts your email, maybe a Facebook, maybe an online
banking account. But now there's Netflix, Amazon, Home Depot, Target Yo.
Even the laundry room in my apartment building tried to
make me set up a password so I could wash
my clothes. It's kind of out of control. And you
used to be able to just remember your passwords, but
(03:49):
there's too many now, so you might be tempted to
just use the same password for everything. It's more convenient.
So in this episode, we're going to try to convince
you to stop doing that and the change your habits
because the old way might feel convenient, but it is
not safe.
Speaker 2 (04:06):
It's just the landscape is too wide. You have too
many passwords at this point, like it's impossible. You can't
make them unique enough and strong enough per site.
Speaker 1 (04:14):
What would be the worst case scenario or a possible
scenario if somebody gets into one of your accounts, because
I'll try to tell somebody, hey, look, if you're using
the same password on your email and your bank or
something like that, this is a problem, and the response is, look, man,
if somebody wants to read my email, whatever, who am I?
(04:34):
Nobody's looking for my email. What would be a nightmare
scenario for somebody getting into even an old forum account
or something they don't even use.
Speaker 2 (04:44):
So depending on if that old forum allows movement into
their Gmail account, their email account access is probably your
worst case scenario is an individual because that's sort of
the reset point for all of the services that you utilize.
Once an attacker has access to your Gmail, they can
(05:04):
see your sign ups for all these accounts in different places, right,
so they can quickly search for like what bank you use,
what insurance, you use, what social media, and then they
can see what those usernames are and start targeting those
other services. And even if you use a different password,
you can reset back to that email account and gain
(05:25):
access there. So, in terms of like where you want
to secure your life, the most first is really your email.
Speaker 1 (05:32):
So the point I want to make to my hypothetical
friend Jeremy here is you might think, Hey, a hacker
is not interested in me personally, Who would spend time
hacking me? What could they possibly want from me? And
you're kind of right. Unless you're a high profile person,
hackers aren't looking specifically for you. But let me just
(05:52):
give us scenario here. Let's say you have an old
MySpace account that you have not logged into for years,
and I'm a hacker and I'm on the dark Web,
and I see that someone's leaked a list of three
hundred and sixty million people's account information.
Speaker 2 (06:07):
Cool.
Speaker 1 (06:08):
I can grab that and run a program that would
automatically try to get into each of those people's email accounts.
Let's say that only point zero zero one percent of
those people use the same passwords for MySpace and their
email account, and you are one of them. Now I
have access to your email and boom naga access to
(06:30):
your bank and now, yes, Jeremy, I am looking for
you because you do have something I want money And
this didn't take me much time at all. And that's
just one scenario, and by the way, it is a
real scenario. Back in twenty sixteen, a list of three
hundred and sixty million MySpace username and password combos was leaked.
(06:50):
This was back when a lot of people probably were
using the same passwords for just about everything, and maybe
they still do today. And this is why we use
different paths words for different accounts to limit the damage
in case your data is leaked. And even if your
data wasn't leaked in the MySpace hack, there's a good
chance that's been leaked somewhere else in the past. And
(07:11):
you can see this for yourself. Try this. Open up
a browser and type in haveibenponed dot com? That's have
I been pwned dot com? And type in your email
address to see if your account pops up in any
known hacker lists. You'll probably see your email address pop
up a lot. Mine popped up twenty seven times, so
(07:34):
hopefully that is inspiration to take this stuff seriously, because
even if you think you're not worth hacking, you might
still be an access point for a larger target. Maybe
you're not that interesting. Is the place you work interesting
to somebody? For example, do you work at a small business,
(07:54):
do you work in a government office? Somebody would very
much like to get into your personal computer or your phone,
and then get into your workplace's computer because your workplace
probably has a whole lot more money than you do. Yeah.
Speaker 2 (08:10):
I think people vastly under estate the risk for small
businesses that deal with high volumes of cash, and especially
doctor's offices, dentist's office, orthodontists like These folks typically bring
in a very high amount of revenue and have pretty
low security controls, and the impact of disruption to their
(08:30):
business is so great that they're more inclined to pay
ransom fees. Right right.
Speaker 1 (08:34):
If somebody says, yo, I got all your data, give
me ye, give me one hundred K, give me three
hundred k, they'll just do it.
Speaker 2 (08:40):
Yeah.
Speaker 1 (08:41):
Oh yeah, So what do you do? You don't want
to get hacked, but you don't want to have to
remember a bunch of difficult to remember passwords. This is
where a password manager comes in. So I'm gonna do
something real quick, and you can try this with me
if you want. I'm going to open up a password evaluator.
This is a tool that would tell you how long
it would take for a hacker to guess your password
(09:03):
using a brute force attack. So, for example, let me
just type in the name of my first pet and
my birthday. So it says it would take three seconds
to crack that. Okay, that's bad. Next, I'm just gonna
mash a bunch of random keys. Now it says it
(09:24):
would take centuries to crack. That is way better, very secure,
and that is the kind of password that a password
manager can generate for you automatically. You might be thinking, okay, wait,
how am I going to remember a bunch of random keypresses.
Here's the thing. A password manager will remember it for you.
It sits on your phone or your desktop, and when
(09:46):
you go to any website, it inputs it for you.
You don't have to remember anything. There's a lot of
these apps. There's last Pass, There's one Password. Those have
annual fees, but hey, it's cheaper than getting hacked. There's
also a bit which does the same thing. It's open
source and it's totally free. Or another way is most
browsers like Google Chrome also have versions of this built
(10:09):
in now, and if you use an Apple device, you've
got iCloud keychain. Now. This all sounds easy, and that's
because it is. If you want to start now seriously,
you can just pick one of those services I mentioned.
They're all really good at teaching you how to use them. So,
for example, if your email showed up on that haveibenponed
dot com site, start there, change the password for that
(10:32):
email account, and this app will help you do it.
By the time we're back from the break, you'll be
on your way again. This is easy stuff, but sometimes
when I encourage my friends to do this, I get
a little bit of resistance. So I've spent a lot
of time telling people, hey, look, you should use a
password manager, you should use a pasword manager. And one
(10:54):
of the concerns that I've heard back is they say,
hold on, wait a second. So you're telling me I'm
just gonna make one really great password and inside of
that vault is going to be stored everything that I use, Well,
what if that one gets hacked? And I've always said,
well that ah, that won't happen, but it kind of did.
Speaker 2 (11:14):
Yeah.
Speaker 1 (11:17):
So this is where my pitch for using a password
manager gets kind of complicated because the one thing that
people were most worried about actually happened. That's after the break. Okay,
(11:38):
maybe I scared you back there, but seriously, the great
thing about password managers is the vault. The vault is
where those passwords like your Netflix, your Instagram, your Amazon,
your laundry room, all those passwords are kept and they're encrypted.
That means even if someone somehow steals that vault, they
can't just read the passwords, not without rypting them first.
(12:01):
Only you have the key to that vault to decrypt it.
And this key can be your fingerprint or your own
single master password to get into it. And this password
can be a really long one, like say, a full
sentence that nobody else would guess. So, for example, if
your password was Gwen Stefani was the number three most
overhyped member of Wu Tang clan, that is factually incorrect,
(12:23):
but it is memorable, and it is a fantastic length
of a password. You only need to remember that one
and even at the rate of a million guesses per second,
that could take trillions of years to crack. If I'm
a hacker, it is not worth it. I'm moving on
and looking for somebody else. Of course, you still don't
want anyone to get a hold of your password vault,
(12:43):
even if it is encrypted. But that's exactly what happened.
In twenty twenty two, a very popular service called last
Pass had a major security breach. Hackers stole customer information
and encrypted password vaults. This is not good.
Speaker 2 (13:00):
Unfortunately, they suffered a breach where one of their senior
engineer laptops was compromised and they were able to extract
data from the customer environment. This data wasn't fully encrypted,
so the vaults were encrypted, but some of the metadata
involved in some of the vaults was not encrypted, like
the customer's email address, and some of the line items
(13:23):
within the vault, like what they had entries for. There
was some metadata associated with that, so they could see
like this person's email address. Oh and by the way,
they have a coinbase entry.
Speaker 1 (13:34):
So Coinbase, if you're not familiar with this, this is
a site where people can buy and also store cryptocurrency.
Oversimplifying a lot here, Just think of it as a
bank where some people keep their bitcoin, and if you
figure out that someone has an accounts in this bank,
well you can imagine where this is going.
Speaker 2 (13:52):
So now you have a lot more information to sort
of triangule your attack and say, like I want to
decrypt this fault and I want to focus my cracking
on this particular vault. And so that's basically what happened.
Speaker 3 (14:04):
I see.
Speaker 1 (14:04):
So basically what hackers were able to obtain wasn't necessarily
passwords itself, but they were able to find Okay, I
can see the email address, and I can tell that
they have an account at such and such bank, and
if they can figure out high profile targets within that,
(14:25):
they can tell oh this email address, I know who
this person is. I think they're rich. Yeah, let me
throw some computing power and figuring out what their password is.
Speaker 2 (14:34):
And they use multiple avenues of attack, So attacking the
vault for you know, did they use a bad password
that's easily cracked, So try to attack the vault, but
also very targeted phishing emails. If you know that they're
at a particular bank, and you also know that they
have all these other accounts, it's very easy to craft
an email saying we noticed a fraudulent attempt at this
(14:55):
service that they had an entry for from this bank,
and now it's looked like a very legitimate email from
the bank, and they're more likely to click and get
fished with that information, Like they send a fake email
from Bank of America saying we had a problem with
your utility payment to this utility.
Speaker 3 (15:12):
Aha.
Speaker 2 (15:13):
Right, so now you're starting to like make it more
likely that the user is possibly going to click.
Speaker 1 (15:19):
So here's what happened. In September of twenty twenty three,
security researchers found that the previous year's last pass breach
led to thirty five million dollars in cryptocurrency being stolen
for more than one hundred and fifty victims. Then in
January of twenty twenty four, it was reported that one
hundred and fifty million dollars in crypto was stolen from
(15:40):
one person, the co founder of a crypto platform, obviously
a very high profile individual. The access point they're hacked
last pass data, And I should say here Josh was
talking about a theoretical extra step that hackers could use
to trick you into giving up your information, like send
you emails at looks like it's from your bank. If
(16:02):
I was a hacker, honestly, that's the route that I
would go. But in these cases the hackers didn't have
to do that. Security researchers found that some of the
people who'd lost the most money didn't get hit with
social engineering attacks. They had used weak master passwords. See now,
when you sign up with last pass or basically any
other password manager, it makes you choose a really complicated
(16:25):
master password. Now, for years, last Pass has recommended a
twelve character minimum password as a default, but if you
were lazy, you could override that and choose a shorter
and simpler one. That made those people more realistic targets
for a brute force attack. How would a hacker get
that main password?
Speaker 2 (16:48):
So because they had the vaults, now you're able to
put that on your own hardware, either at home or
in the cloud, and run millions of cycles against it.
If you're just trying to cycle through twelve sixteen characters
and you got enough horsepower, some of these new machines
are so fast they can get through, especially if you
haven't used a great password.
Speaker 1 (17:10):
This truly was a nightmare scenario. Now, last Past says
that they've updated their security measures and changed the data
encryption process to protect users from a future breach. And
there is one major change that we can all see.
Last year. Last Past forced all of their users, even
their day one customers, to update their master password to
(17:30):
something that is at least twelve characters. You cannot override this.
You are being forced to be more secure. This is
a good thing. But this incident, if you're hearing about it,
I understand if it maybe turns you while from using
a password manager. Maybe it makes you want to go
back to just trying to remember your passwords, or using
the same one or multiple sites, or writing it down
(17:50):
in your notesapp. Please do not do that. Security experts,
including Josh Will all still recommend a password manager over
any of those options I just mentioned. I mean, would
you person at this point, is Last Past something you
suggest to people?
Speaker 2 (18:07):
Of course?
Speaker 1 (18:07):
Yeah? Really? Even despite that, Yeah.
Speaker 2 (18:10):
They're a business that's you know, there to service their clients,
and they're going to rotate very quickly to a more
secure posture. They're going to fix the wholes, they're going
to scrub all the things that they're offering and make
sure that they're secure. So yeah, it's probably a great
time to use the service at this point, some people
just never feel comfortable with that. And there's other alternatives
(18:31):
as well. You know, there's one password, and there's the
free alternative on your phone, the password manager built into
the iOS.
Speaker 1 (18:38):
Yeah. Well, for people who you speak to just in
personal life, are there certain ones that you recommend over others.
Speaker 2 (18:47):
I personally prefer the built in one to the iPhone
for myself. I know a lot of folks really like
one password, and that's a very popular one in the
commercial environments as well. But you know, largely this concept
of like creating a sixteen character password has been surpassed
(19:08):
by this technology called passkey, which aims to remove the
need to keep track of these passwords and they're also
stored in a very safe way within your digital devices.
Speaker 1 (19:23):
So yes, password managers are still recommended. I use one,
but the security community has started to move on to
something that is more secure passkeys.
Speaker 2 (19:34):
Pastkey is a technology that was invented by a consortium
of folks Apple, Google, Microsoft, Amazon. They all sort of
came together and said, you know, this password world is terrible.
How do we solve this properly for businesses and consumers.
Speaker 1 (19:56):
You might have seen this option before when you were
logging into Amazon or Google. It basically removes the need
for a password altogether, so you can sign it with
face ID or a fingerprint or a pin on a device.
It kind of takes a while to wrap your head around,
but it's pretty simple. If you're to explain this to
a five year old, how to pass keys work.
Speaker 2 (20:17):
For a five year old, I would say I would
tear a piece of paper in half in like a
unique way, and I would say, I'm gonna put this
one somewhere in the house, and I'm not going to
show you this other one, but I'm gonna hide this
one on the vault. And if you find that public
one in the house and you bring it back to
(20:38):
me and it matches mine, I'll give you an ice cream.
And that's like kind of a simple way to describe
it in not so much accurate terms.
Speaker 1 (20:47):
But you know, that's an interesting, actually way to put it,
because I've seen the comparison of passwords to pass keys
as something you need versus something you have.
Speaker 2 (21:02):
Yeah, And I think you're right there because it does
involve those two components. And so when on your phone
you want to enable a pass key for say Netflix,
it will give them that torn side of the piece
of paper, the public side, and then within your phone
it will put in the secure enclave the private portion.
(21:23):
And that secure enclave on your phone is a separate
chip from the main processor on your iPhone chip, and
it actually runs its own boot process in its own
operating system, and so the kernel of the iPhone cannot
access the secure enclave directly.
Speaker 1 (21:43):
So it's kind of like having a separate place where
you keep all these torn pieces of paper exactly for
very specific things. Okay, you know what I actually feel
like I'm doing. What you're saying here is so a password.
Somebody could guess my password conceivably, even if it's a
really long one, given enough time. I'm in a powerful
enough computer, they can run a bunch of numbers and
(22:03):
eventually figure out that my password is Fido one two three.
For those listening, my password is not Fidle one two three.
Please do not try that. But nobody will ever be
able to rip a piece of paper in precisely the
correct way that when if I go up to the vault,
they put together and they match perfectly exactly. That can
(22:25):
never happen.
Speaker 2 (22:26):
The other thing is that the operating system will not
allow the papers to be compared. Then tell it validates
my face. So a friend could come and bring you
the piece of paper. And in order to unlock the
vault to even do the comparison, the operating system prompts
(22:46):
for your bio, and the comparison is only made inside
the vault and then signed and sent out, So the
other side of the torn paper never comes out.
Speaker 1 (22:55):
Okay, all right, so nobody else gets to see it.
So it's like we're stretching the metaphor, but let's keep going.
It's like there's somebody inside the vault. Yeah, you know,
in order to even get to the vault, I got
to prove that it's me via fingerprint or you know,
face scan or something like that. And then somebody who
lives inside the vault. For some reason, I don't know why,
but in this metaphor, somebody lives inside the vault. I
(23:16):
put the piece of paper inside the vault. The little
guy inside the vault says, man, these two things match.
Speaker 2 (23:21):
Yeah. He puts a stamp on the on the paper,
sends it back, and then somebody sees the stamp and said, oh, yeah,
this really was legit.
Speaker 1 (23:31):
Okay, but there is a downside to using pass keys?
What if you lose your device? That's after the break.
So okay, let's come back to reality a little bit.
What happens if I lose my piece of paper? See
(23:52):
with a password, even if it's a bad password, If
I remember it, I remember it. But in this metaphor
that that torn piece of paper might be my actual phone, right, Yeah?
What happens if I lose my phone or even break
my phone? Oh I dropped my phone into the toilet.
I can't read my email anymore, or I can't access
(24:13):
my bank. You might start wishing you just use passwords.
Speaker 2 (24:17):
Yeah, So the smart folks involved in this consortium have
figured out ways to sort of operationalize this exact problem.
People lose their phones all the time. It has all
your pass keys on it. How do we restore this madness?
And in the last few years, people have moved to
a concept called zero knowledge encryption, which is they can
(24:38):
handle your super sensitive data without having to know what
the data is. So since the last past attack, now
last Past can even unencrypt your data. It's entirely encrypted
in their system. They can't recover it, they can't see it,
they can't see any of the metadata, same with one password,
and this is much safer for them and us because
(25:00):
if attackers know that there's nothing of value within one
password or last pass they're less likely to attack these
vendors as well. This same concept applies to the Apple
iCloud keychain. So Apple has a way in which the
secure enclave can encrypt its data, send it into iCloud,
(25:22):
and then be decrypted by another secure enclave once it's authorized.
When you lose your Apple device, you have to prove
that this new device is indeed you through validating on
an old device or another trusted device, and then once
you have that authentication established the iCloud as this is
(25:44):
your new device, then that secure enclave can unencrypt that
pass key and utilize it again.
Speaker 1 (25:52):
All right, So let's be real here. This is a
downside with passkeys. It can get complicated if you lose
any of your devices, and if you happen to lose
your phone and you don't have access to another device,
like say a laptop, that you can use to sink
your pass keys again, then you might have to wait
to get a new phone before you can access your email.
Not exactly an ideal situation. But Josh and pretty much
(26:14):
any security expert you talk to is going to say
that the occasional inconvenience is still worth it given the
added security that past keys can give you. So I
think somebody might be listening to this and thinking this
sounds like a pain. All this stuff sounds like a pain.
You know, we're talking about Jeremy here, right, Jeremy is
just yo.
Speaker 3 (26:34):
Man.
Speaker 1 (26:34):
Look, I do my little shopping, I do my little email.
You know, I pop on Instagram, maybe TikTok every once
in a while. That's it. Nobody's looking for me, and
this past key thing sounds like a pain. Password managers,
maybe you could twist my arm make me do this.
(26:54):
What would you say would be the one thing that
you're confident you could convince somebody to do.
Speaker 2 (27:00):
Let me walk you through how to enable your past
key on your Gmail account. It'll take it up five minutes,
and it's going to make your life way more secure.
Speaker 1 (27:09):
So your recommendation would be, first thing past key on
your email account?
Speaker 2 (27:16):
Correct?
Speaker 1 (27:17):
Okay, that one simple thing.
Speaker 2 (27:18):
Yeah, It's incredibly important to do, and it's a safety
net for all your other accounts that are going to
password reset to your email.
Speaker 1 (27:26):
And you say that's five minutes.
Speaker 2 (27:28):
Yeah, So you're just going to go into your Google account.
You're going to click on I think it's your security settings.
It'll have your sort of authentication methods there, and you
can start to just set up past key and it'll
prompt you on your device, ask you for your face
ID or your touch depending on what device you're using,
and then it's sort of seamless being real.
Speaker 1 (27:51):
Here. Before I did this interview, none of us a
kill switch. We're using pass keys. Neither me nor our
producers were using this. But we decided, all right, maybe
we better try this ourselves. And I'll be honest, it
took a little bit for me to understand it. But
once it's set up, you really don't have to think
about it again. And look, if you have a Gmail account,
(28:11):
I can walk you through the whole thing right now
while you're listening. So you can do this on your
computer or on your phone. So here we go. Take
out your phone, get out your computer. Let's go. First thing,
open up a browser and go to this address g
dot co slash passkeys. It's g dot co slash passkeys.
(28:34):
So this is Google's official page. You'll need to be
signed into your Google account already. If you're not, it'll
just tell you to sign in. Once you're in, you'll
see a screen that talks about passkeys, and there should
be a blue button that says use passkey or create passkey.
Tap or click that button, and your device will then
ask you how you want to create your passkey. You
(28:54):
could use a device pen, your fingerprint, your face ID,
say yes, follow the instructions, and boom, you're done. That's it.
If you were following along, you're maybe already done now.
Also extra credit, do this same process on another device,
just as backup.
Speaker 2 (29:12):
It can be very problematic if you don't have any
backup devices anywhere, because Apple to get that device back
online it needs a previously trusted device to sort of
help you through that.
Speaker 1 (29:25):
So I have this old phone from I think twenty nineteen,
has got a crack screen, rundown battery, the speaker doesn't
work right. I can't use it as a phone anymore,
but it's perfect as a backup. I created another pass
key on this device. So if I'm out somewhere and
I lose my phone or it breaks or it gets stolen,
I know that I got a backup back at the house,
(29:45):
and it's not going to take me a whole bunch
of time to get back up and running. You know,
it occurs to me that I feel like and this
is honestly part of not only this episode, but part
of this podcast, part of the show in general. Is
it a lot of cybersecurity and a lot of technology.
Really isn't even about the computers anymore. I suppose it
(30:06):
never was. It's about people, you know, It's about relationships
to people, how we speak to each other. And I
think you know, some of us who are who are
kind of good at technology, we can look at people
and say, hey, why aren't you doing this very simple
technological thing. Why aren't you doing it? But a lot
of the security stuff is actually having a personal conversation
(30:27):
with somebody and saying, hey, I care about you. Yeah,
I know you think you're not going to get hacked,
but let's let's get beyond that.
Speaker 2 (30:37):
Yeah. And I think I think one of the problems
with the Consortium on Past Key is that the marketing
and education has been very poor. Right, there hasn't been
sort of this outreach to the public on hey, folks,
this is the most revolutionary thing in passwords. You should
(30:57):
be adopting these things. Paskys are are game changing, but
most people haven't even heard of them, and so I
think it's it's unfortunate that the educational campaign hasn't sort
of matched the technology capabilities, because you know, people really
are getting a like several levels increase in security and
(31:18):
it's available to them, but most folks don't understand that
it even didn't exists, and so we.
Speaker 1 (31:23):
Got to be out here like weird evangelists telling everybody
to use it. Yeah, so yes, thank you for letting
us evangelize to you. This is a cause that I
care a lot about. I really don't want to hear
about any kill switch listeners getting hacked. So if you
were a Jeremy, I hope you've decided to join us
here in the light, or if you have a Jeremy
in your life, seriously send this to them hopefully they
(31:46):
join us as well. And also, if your literal name
is Jeremy, this is probably a very disorienting episode and
for that I apologize. But yo, for real, I still
think password managers are great again. I use one. My
mother uses a password manager. By the way, Mom, thank
you for not getting mad at me for yelling at
you until you finally started using one. I appreciate it,
(32:09):
but for real, my mom can do this, so can you.
Now this does not mean you will be bulletproof. Password
managers and passkeys do not prevent you from scams or
fishing or anything like that. That's a whole other episode.
But this is a great start because, look, one of
the points of this show of kill Switch is that
the future does not have to be scary. Things are
(32:29):
scary when you are so overwhelmed that you don't know
what to do and you feel like there's nothing you
can do, But there is something you can do here,
and it really does feel kind of cool to take
back some control for yourself. It's cool to be vigilant,
but you don't have to be scared. And I will
(32:54):
cut out with the diet tribe there. Thank you once
again so much for listening to kill Switch for Real.
Let us know what you think and if there's something
you want us to cover or some questions you might have,
you can hit us up at kill Switch at Kaleidoscope
dot NYC. You can also follow us on Instagram at
kill switch pod or my personal account dex Digi that's
(33:15):
d e X d I g I on Instagram or
blue Sky And for real, first priority, set up that
past key, set up your password manager. But after you've
done that, while you got your phone out, you know,
make sure to leave us a review because it helps
other people find the show, which in turn helps us
keep doing our thing. And this thing is hosted by
(33:36):
me Dexter Thomas is produced by Sena Ozaki, Darluck Potts
and Kate Osbourne. Our theme song is by me and
Kyle Murdoch, and Kyle also mixes the show from Kaleidoscope.
Our executive producers are Ozro Lashin, Mangesh Hajigadur and Kate Osbourne.
From iHeart, our executive producers are Katrina Norville and Nikki e. Tour.
(33:58):
Catch on in the next one
Speaker 3 (34:10):
By
The genesis of this episode basically is that I've been
having trouble convincing people to be better about their security.
And I have a hypothetical person. We're just gonna call
this person Jeremy. Jeremy told me about how they use
the same password across multiple services, multiple logins, and what's
(00:32):
a big deal? Who would hack little old me? And
I've been trying to explain to Jeremy, Yo, it's not
that simple, and I'm struggling. So here we are.
Speaker 2 (00:43):
Yeah, security is a big problem, and it's pretty complex,
and I think a lot of people are kind of
frustrated with the state of affairs.
Speaker 1 (00:51):
Josh Blackwelder is a deputy Chief Information Security officer at
Sentinel One. He's colleagues with Alex Stamos, who you might
remember from our exit utils episode, the one about the
biggest hack that never happened. And Josh says, I'm not
crazy that it is getting harder and harder to protect
ourselves from hackers, but it's also getting harder to get
normal people to take this stuff seriously.
Speaker 2 (01:14):
If you have to create a password, make it strong,
make it sixteen characters, use a past phrase.
Speaker 3 (01:19):
You know.
Speaker 2 (01:19):
My favorite place to visit is and blah blah with
a bunch of numbers. That's the legacy password sort of mindset.
But depending on how they have their data cracking machines.
They're so powerful now with the advent of the latest
Nvidio processors, it doesn't really matter the length that you choose.
The horsepower is such that eventually they'll get through there
(01:42):
and they'll find your password.
Speaker 1 (01:47):
So yeah, this how to episode is for all the
Jeremies out there that no, they should do something about
their passwords, but it just kind of feels overwhelming, or
maybe somebody sent this to you and this is how
you're finding out that you are the Jeremy in somebody's life.
In that case, welcome to the show. This is not
meant to shame you or anything like that. We're gonna
work through this together. But even if you think you
(02:09):
have a good handle on your passwords and your security
and all that, I think there's still something in here
for you, because as hackers get more sophisticated, the way
we communicate with each other gets more important. From Kaleidoscope
and iHeart podcasts, this is kill Switch.
Speaker 3 (02:27):
I'm Dexter Thomas, I'm goodbye.
Speaker 1 (02:44):
To be online today means having a bunch of digital
accounts and each one has its own password to remember.
It's just part of life now. But it wasn't always
like this.
Speaker 2 (02:56):
You think about the early days of computing, you really
had very few past you didn't have social media accounts,
you didn't have any of that stuff. It was just
like the World Wide Web. It was just this free wonderland, right.
And then as these sort of paid services that had
more personal data started to require more logins, and you know,
the advent of online banking. Now use hundreds of different applications,
(03:19):
and so what you're left with is this sort of
massive sprawl of usernames and passwords.
Speaker 1 (03:26):
There was a time when you only had a handful
of accounts your email, maybe a Facebook, maybe an online
banking account. But now there's Netflix, Amazon, Home Depot, Target Yo.
Even the laundry room in my apartment building tried to
make me set up a password so I could wash
my clothes. It's kind of out of control. And you
used to be able to just remember your passwords, but
(03:49):
there's too many now, so you might be tempted to
just use the same password for everything. It's more convenient.
So in this episode, we're going to try to convince
you to stop doing that and the change your habits
because the old way might feel convenient, but it is
not safe.
Speaker 2 (04:06):
It's just the landscape is too wide. You have too
many passwords at this point, like it's impossible. You can't
make them unique enough and strong enough per site.
Speaker 1 (04:14):
What would be the worst case scenario or a possible
scenario if somebody gets into one of your accounts, because
I'll try to tell somebody, hey, look, if you're using
the same password on your email and your bank or
something like that, this is a problem, and the response is, look, man,
if somebody wants to read my email, whatever, who am I?
(04:34):
Nobody's looking for my email. What would be a nightmare
scenario for somebody getting into even an old forum account
or something they don't even use.
Speaker 2 (04:44):
So depending on if that old forum allows movement into
their Gmail account, their email account access is probably your
worst case scenario is an individual because that's sort of
the reset point for all of the services that you utilize.
Once an attacker has access to your Gmail, they can
(05:04):
see your sign ups for all these accounts in different places, right,
so they can quickly search for like what bank you use,
what insurance, you use, what social media, and then they
can see what those usernames are and start targeting those
other services. And even if you use a different password,
you can reset back to that email account and gain
(05:25):
access there. So, in terms of like where you want
to secure your life, the most first is really your email.
Speaker 1 (05:32):
So the point I want to make to my hypothetical
friend Jeremy here is you might think, Hey, a hacker
is not interested in me personally, Who would spend time
hacking me? What could they possibly want from me? And
you're kind of right. Unless you're a high profile person,
hackers aren't looking specifically for you. But let me just
(05:52):
give us scenario here. Let's say you have an old
MySpace account that you have not logged into for years,
and I'm a hacker and I'm on the dark Web,
and I see that someone's leaked a list of three
hundred and sixty million people's account information.
Speaker 2 (06:07):
Cool.
Speaker 1 (06:08):
I can grab that and run a program that would
automatically try to get into each of those people's email accounts.
Let's say that only point zero zero one percent of
those people use the same passwords for MySpace and their
email account, and you are one of them. Now I
have access to your email and boom naga access to
(06:30):
your bank and now, yes, Jeremy, I am looking for
you because you do have something I want money And
this didn't take me much time at all. And that's
just one scenario, and by the way, it is a
real scenario. Back in twenty sixteen, a list of three
hundred and sixty million MySpace username and password combos was leaked.
(06:50):
This was back when a lot of people probably were
using the same passwords for just about everything, and maybe
they still do today. And this is why we use
different paths words for different accounts to limit the damage
in case your data is leaked. And even if your
data wasn't leaked in the MySpace hack, there's a good
chance that's been leaked somewhere else in the past. And
(07:11):
you can see this for yourself. Try this. Open up
a browser and type in haveibenponed dot com? That's have
I been pwned dot com? And type in your email
address to see if your account pops up in any
known hacker lists. You'll probably see your email address pop
up a lot. Mine popped up twenty seven times, so
(07:34):
hopefully that is inspiration to take this stuff seriously, because
even if you think you're not worth hacking, you might
still be an access point for a larger target. Maybe
you're not that interesting. Is the place you work interesting
to somebody? For example, do you work at a small business,
(07:54):
do you work in a government office? Somebody would very
much like to get into your personal computer or your phone,
and then get into your workplace's computer because your workplace
probably has a whole lot more money than you do. Yeah.
Speaker 2 (08:10):
I think people vastly under estate the risk for small
businesses that deal with high volumes of cash, and especially
doctor's offices, dentist's office, orthodontists like These folks typically bring
in a very high amount of revenue and have pretty
low security controls, and the impact of disruption to their
(08:30):
business is so great that they're more inclined to pay
ransom fees. Right right.
Speaker 1 (08:34):
If somebody says, yo, I got all your data, give
me ye, give me one hundred K, give me three
hundred k, they'll just do it.
Speaker 2 (08:40):
Yeah.
Speaker 1 (08:41):
Oh yeah, So what do you do? You don't want
to get hacked, but you don't want to have to
remember a bunch of difficult to remember passwords. This is
where a password manager comes in. So I'm gonna do
something real quick, and you can try this with me
if you want. I'm going to open up a password evaluator.
This is a tool that would tell you how long
it would take for a hacker to guess your password
(09:03):
using a brute force attack. So, for example, let me
just type in the name of my first pet and
my birthday. So it says it would take three seconds
to crack that. Okay, that's bad. Next, I'm just gonna
mash a bunch of random keys. Now it says it
(09:24):
would take centuries to crack. That is way better, very secure,
and that is the kind of password that a password
manager can generate for you automatically. You might be thinking, okay, wait,
how am I going to remember a bunch of random keypresses.
Here's the thing. A password manager will remember it for you.
It sits on your phone or your desktop, and when
(09:46):
you go to any website, it inputs it for you.
You don't have to remember anything. There's a lot of
these apps. There's last Pass, There's one Password. Those have
annual fees, but hey, it's cheaper than getting hacked. There's
also a bit which does the same thing. It's open
source and it's totally free. Or another way is most
browsers like Google Chrome also have versions of this built
(10:09):
in now, and if you use an Apple device, you've
got iCloud keychain. Now. This all sounds easy, and that's
because it is. If you want to start now seriously,
you can just pick one of those services I mentioned.
They're all really good at teaching you how to use them. So,
for example, if your email showed up on that haveibenponed
dot com site, start there, change the password for that
(10:32):
email account, and this app will help you do it.
By the time we're back from the break, you'll be
on your way again. This is easy stuff, but sometimes
when I encourage my friends to do this, I get
a little bit of resistance. So I've spent a lot
of time telling people, hey, look, you should use a
password manager, you should use a pasword manager. And one
(10:54):
of the concerns that I've heard back is they say,
hold on, wait a second. So you're telling me I'm
just gonna make one really great password and inside of
that vault is going to be stored everything that I use, Well,
what if that one gets hacked? And I've always said,
well that ah, that won't happen, but it kind of did.
Speaker 2 (11:14):
Yeah.
Speaker 1 (11:17):
So this is where my pitch for using a password
manager gets kind of complicated because the one thing that
people were most worried about actually happened. That's after the break. Okay,
(11:38):
maybe I scared you back there, but seriously, the great
thing about password managers is the vault. The vault is
where those passwords like your Netflix, your Instagram, your Amazon,
your laundry room, all those passwords are kept and they're encrypted.
That means even if someone somehow steals that vault, they
can't just read the passwords, not without rypting them first.
(12:01):
Only you have the key to that vault to decrypt it.
And this key can be your fingerprint or your own
single master password to get into it. And this password
can be a really long one, like say, a full
sentence that nobody else would guess. So, for example, if
your password was Gwen Stefani was the number three most
overhyped member of Wu Tang clan, that is factually incorrect,
(12:23):
but it is memorable, and it is a fantastic length
of a password. You only need to remember that one
and even at the rate of a million guesses per second,
that could take trillions of years to crack. If I'm
a hacker, it is not worth it. I'm moving on
and looking for somebody else. Of course, you still don't
want anyone to get a hold of your password vault,
(12:43):
even if it is encrypted. But that's exactly what happened.
In twenty twenty two, a very popular service called last
Pass had a major security breach. Hackers stole customer information
and encrypted password vaults. This is not good.
Speaker 2 (13:00):
Unfortunately, they suffered a breach where one of their senior
engineer laptops was compromised and they were able to extract
data from the customer environment. This data wasn't fully encrypted,
so the vaults were encrypted, but some of the metadata
involved in some of the vaults was not encrypted, like
the customer's email address, and some of the line items
(13:23):
within the vault, like what they had entries for. There
was some metadata associated with that, so they could see
like this person's email address. Oh and by the way,
they have a coinbase entry.
Speaker 1 (13:34):
So Coinbase, if you're not familiar with this, this is
a site where people can buy and also store cryptocurrency.
Oversimplifying a lot here, Just think of it as a
bank where some people keep their bitcoin, and if you
figure out that someone has an accounts in this bank,
well you can imagine where this is going.
Speaker 2 (13:52):
So now you have a lot more information to sort
of triangule your attack and say, like I want to
decrypt this fault and I want to focus my cracking
on this particular vault. And so that's basically what happened.
Speaker 3 (14:04):
I see.
Speaker 1 (14:04):
So basically what hackers were able to obtain wasn't necessarily
passwords itself, but they were able to find Okay, I
can see the email address, and I can tell that
they have an account at such and such bank, and
if they can figure out high profile targets within that,
(14:25):
they can tell oh this email address, I know who
this person is. I think they're rich. Yeah, let me
throw some computing power and figuring out what their password is.
Speaker 2 (14:34):
And they use multiple avenues of attack, So attacking the
vault for you know, did they use a bad password
that's easily cracked, So try to attack the vault, but
also very targeted phishing emails. If you know that they're
at a particular bank, and you also know that they
have all these other accounts, it's very easy to craft
an email saying we noticed a fraudulent attempt at this
(14:55):
service that they had an entry for from this bank,
and now it's looked like a very legitimate email from
the bank, and they're more likely to click and get
fished with that information, Like they send a fake email
from Bank of America saying we had a problem with
your utility payment to this utility.
Speaker 3 (15:12):
Aha.
Speaker 2 (15:13):
Right, so now you're starting to like make it more
likely that the user is possibly going to click.
Speaker 1 (15:19):
So here's what happened. In September of twenty twenty three,
security researchers found that the previous year's last pass breach
led to thirty five million dollars in cryptocurrency being stolen
for more than one hundred and fifty victims. Then in
January of twenty twenty four, it was reported that one
hundred and fifty million dollars in crypto was stolen from
(15:40):
one person, the co founder of a crypto platform, obviously
a very high profile individual. The access point they're hacked
last pass data, And I should say here Josh was
talking about a theoretical extra step that hackers could use
to trick you into giving up your information, like send
you emails at looks like it's from your bank. If
(16:02):
I was a hacker, honestly, that's the route that I
would go. But in these cases the hackers didn't have
to do that. Security researchers found that some of the
people who'd lost the most money didn't get hit with
social engineering attacks. They had used weak master passwords. See now,
when you sign up with last pass or basically any
other password manager, it makes you choose a really complicated
(16:25):
master password. Now, for years, last Pass has recommended a
twelve character minimum password as a default, but if you
were lazy, you could override that and choose a shorter
and simpler one. That made those people more realistic targets
for a brute force attack. How would a hacker get
that main password?
Speaker 2 (16:48):
So because they had the vaults, now you're able to
put that on your own hardware, either at home or
in the cloud, and run millions of cycles against it.
If you're just trying to cycle through twelve sixteen characters
and you got enough horsepower, some of these new machines
are so fast they can get through, especially if you
haven't used a great password.
Speaker 1 (17:10):
This truly was a nightmare scenario. Now, last Past says
that they've updated their security measures and changed the data
encryption process to protect users from a future breach. And
there is one major change that we can all see.
Last year. Last Past forced all of their users, even
their day one customers, to update their master password to
(17:30):
something that is at least twelve characters. You cannot override this.
You are being forced to be more secure. This is
a good thing. But this incident, if you're hearing about it,
I understand if it maybe turns you while from using
a password manager. Maybe it makes you want to go
back to just trying to remember your passwords, or using
the same one or multiple sites, or writing it down
(17:50):
in your notesapp. Please do not do that. Security experts,
including Josh Will all still recommend a password manager over
any of those options I just mentioned. I mean, would
you person at this point, is Last Past something you
suggest to people?
Speaker 2 (18:07):
Of course?
Speaker 1 (18:07):
Yeah? Really? Even despite that, Yeah.
Speaker 2 (18:10):
They're a business that's you know, there to service their clients,
and they're going to rotate very quickly to a more
secure posture. They're going to fix the wholes, they're going
to scrub all the things that they're offering and make
sure that they're secure. So yeah, it's probably a great
time to use the service at this point, some people
just never feel comfortable with that. And there's other alternatives
(18:31):
as well. You know, there's one password, and there's the
free alternative on your phone, the password manager built into
the iOS.
Speaker 1 (18:38):
Yeah. Well, for people who you speak to just in
personal life, are there certain ones that you recommend over others.
Speaker 2 (18:47):
I personally prefer the built in one to the iPhone
for myself. I know a lot of folks really like
one password, and that's a very popular one in the
commercial environments as well. But you know, largely this concept
of like creating a sixteen character password has been surpassed
(19:08):
by this technology called passkey, which aims to remove the
need to keep track of these passwords and they're also
stored in a very safe way within your digital devices.
Speaker 1 (19:23):
So yes, password managers are still recommended. I use one,
but the security community has started to move on to
something that is more secure passkeys.
Speaker 2 (19:34):
Pastkey is a technology that was invented by a consortium
of folks Apple, Google, Microsoft, Amazon. They all sort of
came together and said, you know, this password world is terrible.
How do we solve this properly for businesses and consumers.
Speaker 1 (19:56):
You might have seen this option before when you were
logging into Amazon or Google. It basically removes the need
for a password altogether, so you can sign it with
face ID or a fingerprint or a pin on a device.
It kind of takes a while to wrap your head around,
but it's pretty simple. If you're to explain this to
a five year old, how to pass keys work.
Speaker 2 (20:17):
For a five year old, I would say I would
tear a piece of paper in half in like a
unique way, and I would say, I'm gonna put this
one somewhere in the house, and I'm not going to
show you this other one, but I'm gonna hide this
one on the vault. And if you find that public
one in the house and you bring it back to
(20:38):
me and it matches mine, I'll give you an ice cream.
And that's like kind of a simple way to describe
it in not so much accurate terms.
Speaker 1 (20:47):
But you know, that's an interesting, actually way to put it,
because I've seen the comparison of passwords to pass keys
as something you need versus something you have.
Speaker 2 (21:02):
Yeah, And I think you're right there because it does
involve those two components. And so when on your phone
you want to enable a pass key for say Netflix,
it will give them that torn side of the piece
of paper, the public side, and then within your phone
it will put in the secure enclave the private portion.
(21:23):
And that secure enclave on your phone is a separate
chip from the main processor on your iPhone chip, and
it actually runs its own boot process in its own
operating system, and so the kernel of the iPhone cannot
access the secure enclave directly.
Speaker 1 (21:43):
So it's kind of like having a separate place where
you keep all these torn pieces of paper exactly for
very specific things. Okay, you know what I actually feel
like I'm doing. What you're saying here is so a password.
Somebody could guess my password conceivably, even if it's a
really long one, given enough time. I'm in a powerful
enough computer, they can run a bunch of numbers and
(22:03):
eventually figure out that my password is Fido one two three.
For those listening, my password is not Fidle one two three.
Please do not try that. But nobody will ever be
able to rip a piece of paper in precisely the
correct way that when if I go up to the vault,
they put together and they match perfectly exactly. That can
(22:25):
never happen.
Speaker 2 (22:26):
The other thing is that the operating system will not
allow the papers to be compared. Then tell it validates
my face. So a friend could come and bring you
the piece of paper. And in order to unlock the
vault to even do the comparison, the operating system prompts
(22:46):
for your bio, and the comparison is only made inside
the vault and then signed and sent out, So the
other side of the torn paper never comes out.
Speaker 1 (22:55):
Okay, all right, so nobody else gets to see it.
So it's like we're stretching the metaphor, but let's keep going.
It's like there's somebody inside the vault. Yeah, you know,
in order to even get to the vault, I got
to prove that it's me via fingerprint or you know,
face scan or something like that. And then somebody who
lives inside the vault. For some reason, I don't know why,
but in this metaphor, somebody lives inside the vault. I
(23:16):
put the piece of paper inside the vault. The little
guy inside the vault says, man, these two things match.
Speaker 2 (23:21):
Yeah. He puts a stamp on the on the paper,
sends it back, and then somebody sees the stamp and said, oh, yeah,
this really was legit.
Speaker 1 (23:31):
Okay, but there is a downside to using pass keys?
What if you lose your device? That's after the break.
So okay, let's come back to reality a little bit.
What happens if I lose my piece of paper? See
(23:52):
with a password, even if it's a bad password, If
I remember it, I remember it. But in this metaphor
that that torn piece of paper might be my actual phone, right, Yeah?
What happens if I lose my phone or even break
my phone? Oh I dropped my phone into the toilet.
I can't read my email anymore, or I can't access
(24:13):
my bank. You might start wishing you just use passwords.
Speaker 2 (24:17):
Yeah, So the smart folks involved in this consortium have
figured out ways to sort of operationalize this exact problem.
People lose their phones all the time. It has all
your pass keys on it. How do we restore this madness?
And in the last few years, people have moved to
a concept called zero knowledge encryption, which is they can
(24:38):
handle your super sensitive data without having to know what
the data is. So since the last past attack, now
last Past can even unencrypt your data. It's entirely encrypted
in their system. They can't recover it, they can't see it,
they can't see any of the metadata, same with one password,
and this is much safer for them and us because
(25:00):
if attackers know that there's nothing of value within one
password or last pass they're less likely to attack these
vendors as well. This same concept applies to the Apple
iCloud keychain. So Apple has a way in which the
secure enclave can encrypt its data, send it into iCloud,
(25:22):
and then be decrypted by another secure enclave once it's authorized.
When you lose your Apple device, you have to prove
that this new device is indeed you through validating on
an old device or another trusted device, and then once
you have that authentication established the iCloud as this is
(25:44):
your new device, then that secure enclave can unencrypt that
pass key and utilize it again.
Speaker 1 (25:52):
All right, So let's be real here. This is a
downside with passkeys. It can get complicated if you lose
any of your devices, and if you happen to lose
your phone and you don't have access to another device,
like say a laptop, that you can use to sink
your pass keys again, then you might have to wait
to get a new phone before you can access your email.
Not exactly an ideal situation. But Josh and pretty much
(26:14):
any security expert you talk to is going to say
that the occasional inconvenience is still worth it given the
added security that past keys can give you. So I
think somebody might be listening to this and thinking this
sounds like a pain. All this stuff sounds like a pain.
You know, we're talking about Jeremy here, right, Jeremy is
just yo.
Speaker 3 (26:34):
Man.
Speaker 1 (26:34):
Look, I do my little shopping, I do my little email.
You know, I pop on Instagram, maybe TikTok every once
in a while. That's it. Nobody's looking for me, and
this past key thing sounds like a pain. Password managers,
maybe you could twist my arm make me do this.
(26:54):
What would you say would be the one thing that
you're confident you could convince somebody to do.
Speaker 2 (27:00):
Let me walk you through how to enable your past
key on your Gmail account. It'll take it up five minutes,
and it's going to make your life way more secure.
Speaker 1 (27:09):
So your recommendation would be, first thing past key on
your email account?
Speaker 2 (27:16):
Correct?
Speaker 1 (27:17):
Okay, that one simple thing.
Speaker 2 (27:18):
Yeah, It's incredibly important to do, and it's a safety
net for all your other accounts that are going to
password reset to your email.
Speaker 1 (27:26):
And you say that's five minutes.
Speaker 2 (27:28):
Yeah, So you're just going to go into your Google account.
You're going to click on I think it's your security settings.
It'll have your sort of authentication methods there, and you
can start to just set up past key and it'll
prompt you on your device, ask you for your face
ID or your touch depending on what device you're using,
and then it's sort of seamless being real.
Speaker 1 (27:51):
Here. Before I did this interview, none of us a
kill switch. We're using pass keys. Neither me nor our
producers were using this. But we decided, all right, maybe
we better try this ourselves. And I'll be honest, it
took a little bit for me to understand it. But
once it's set up, you really don't have to think
about it again. And look, if you have a Gmail account,
(28:11):
I can walk you through the whole thing right now
while you're listening. So you can do this on your
computer or on your phone. So here we go. Take
out your phone, get out your computer. Let's go. First thing,
open up a browser and go to this address g
dot co slash passkeys. It's g dot co slash passkeys.
(28:34):
So this is Google's official page. You'll need to be
signed into your Google account already. If you're not, it'll
just tell you to sign in. Once you're in, you'll
see a screen that talks about passkeys, and there should
be a blue button that says use passkey or create passkey.
Tap or click that button, and your device will then
ask you how you want to create your passkey. You
(28:54):
could use a device pen, your fingerprint, your face ID,
say yes, follow the instructions, and boom, you're done. That's it.
If you were following along, you're maybe already done now.
Also extra credit, do this same process on another device,
just as backup.
Speaker 2 (29:12):
It can be very problematic if you don't have any
backup devices anywhere, because Apple to get that device back
online it needs a previously trusted device to sort of
help you through that.
Speaker 1 (29:25):
So I have this old phone from I think twenty nineteen,
has got a crack screen, rundown battery, the speaker doesn't
work right. I can't use it as a phone anymore,
but it's perfect as a backup. I created another pass
key on this device. So if I'm out somewhere and
I lose my phone or it breaks or it gets stolen,
I know that I got a backup back at the house,
(29:45):
and it's not going to take me a whole bunch
of time to get back up and running. You know,
it occurs to me that I feel like and this
is honestly part of not only this episode, but part
of this podcast, part of the show in general. Is
it a lot of cybersecurity and a lot of technology.
Really isn't even about the computers anymore. I suppose it
(30:06):
never was. It's about people, you know, It's about relationships
to people, how we speak to each other. And I
think you know, some of us who are who are
kind of good at technology, we can look at people
and say, hey, why aren't you doing this very simple
technological thing. Why aren't you doing it? But a lot
of the security stuff is actually having a personal conversation
(30:27):
with somebody and saying, hey, I care about you. Yeah,
I know you think you're not going to get hacked,
but let's let's get beyond that.
Speaker 2 (30:37):
Yeah. And I think I think one of the problems
with the Consortium on Past Key is that the marketing
and education has been very poor. Right, there hasn't been
sort of this outreach to the public on hey, folks,
this is the most revolutionary thing in passwords. You should
(30:57):
be adopting these things. Paskys are are game changing, but
most people haven't even heard of them, and so I
think it's it's unfortunate that the educational campaign hasn't sort
of matched the technology capabilities, because you know, people really
are getting a like several levels increase in security and
(31:18):
it's available to them, but most folks don't understand that
it even didn't exists, and so we.
Speaker 1 (31:23):
Got to be out here like weird evangelists telling everybody
to use it. Yeah, so yes, thank you for letting
us evangelize to you. This is a cause that I
care a lot about. I really don't want to hear
about any kill switch listeners getting hacked. So if you
were a Jeremy, I hope you've decided to join us
here in the light, or if you have a Jeremy
in your life, seriously send this to them hopefully they
(31:46):
join us as well. And also, if your literal name
is Jeremy, this is probably a very disorienting episode and
for that I apologize. But yo, for real, I still
think password managers are great again. I use one. My
mother uses a password manager. By the way, Mom, thank
you for not getting mad at me for yelling at
you until you finally started using one. I appreciate it,
(32:09):
but for real, my mom can do this, so can you.
Now this does not mean you will be bulletproof. Password
managers and passkeys do not prevent you from scams or
fishing or anything like that. That's a whole other episode.
But this is a great start because, look, one of
the points of this show of kill Switch is that
the future does not have to be scary. Things are
(32:29):
scary when you are so overwhelmed that you don't know
what to do and you feel like there's nothing you
can do, But there is something you can do here,
and it really does feel kind of cool to take
back some control for yourself. It's cool to be vigilant,
but you don't have to be scared. And I will
(32:54):
cut out with the diet tribe there. Thank you once
again so much for listening to kill Switch for Real.
Let us know what you think and if there's something
you want us to cover or some questions you might have,
you can hit us up at kill Switch at Kaleidoscope
dot NYC. You can also follow us on Instagram at
kill switch pod or my personal account dex Digi that's
(33:15):
d e X d I g I on Instagram or
blue Sky And for real, first priority, set up that
past key, set up your password manager. But after you've
done that, while you got your phone out, you know,
make sure to leave us a review because it helps
other people find the show, which in turn helps us
keep doing our thing. And this thing is hosted by
(33:36):
me Dexter Thomas is produced by Sena Ozaki, Darluck Potts
and Kate Osbourne. Our theme song is by me and
Kyle Murdoch, and Kyle also mixes the show from Kaleidoscope.
Our executive producers are Ozro Lashin, Mangesh Hajigadur and Kate Osbourne.
From iHeart, our executive producers are Katrina Norville and Nikki e. Tour.
(33:58):
Catch on in the next one
Speaker 3 (34:10):
By
kill switch News
Hosts And Creators
Oz Woloshyn
Karah Preiss
Show Links
AboutPopular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.