
January 24, 2025 27 mins

Ready to start using passkeys?

First, you’ll need a password manager.

By default, your phone or laptop might offer to store your passkeys in your browser.

But here’s the catch: if you do, your secret isn’t so secret anymore—Google or Microsoft could have access to it.

The smarter move? Use a dedicated password manager.

I recommend 1Password, ProtonPass, or Bitwarden.

In this episode, we dive into why browser-based options fall short.


Get started with 1Password

Get started with ProtonPass

Get started with Bitwarden

Google Password Manager official information

Microsoft Edge Password Manager official information

Apple iCloud Keychain official information



Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Ah, where can I store my passkeys? I've honestly wondered this myself,
as we've talked about passkeys, like I've wondered. Hopefully there's a simple solution.
So there's Nick's commentary. Makani, you're on the clock soon.
What are three big downsides to browser-based password managers?

(00:25):
Look, they can kind of be a pain. I use four different browsers daily. Daily. So
what are Makani's three trusted password managers? Curious to know. He's got three.

(00:46):
All right. I think we've only talked about two before.
I was like, you added one. You caught me off guard there. I was like, wait a second.
How many bugs can you find in Makani's code?

(01:06):
All right. For all those that know code, let's see if you can find some bugs in Makani's code.
It's kind of a trick question. You'll see. It's mostly entertainment value,
but it is relevant. It is relevant. All right. Fair enough. Fair enough.

(01:28):
All right. Welcome back, and thanks for tuning in. I'm Nick,
and this is Super Simple Security Principles. Listen each week and learn how to think,
not what to think. This is episode 47, picking a password manager for passkeys.

(01:49):
It is our fourth episode of our series about passkeys, and Makani's saying
there's just one more. Yeah, in this series. I'm sure we'll talk about passkeys in the future
again, but we've been able to wrap up at least this first introductory series about it.

(02:11):
Fair enough. Fair enough. Okay. So where are we going to start today? We obviously,
we ... Do we need to recap? Because we've been on passkeys for a while, but what do you think?

(02:32):
Slightly. Here's what I was thinking is, so we've been working up to,
if we kind of look at this series as one episode in a way. We started with the first episode,
we talked about the why. We talked about some details, and then our last episode next time is
going to be kind of our call to action. We've had a mini call to action along the way, but
next episode is really going to be kind of one big call to action episode, sort of. And so this

(02:59):
episode is the final piece that we want to address before doing that, and that's talking about
picking a password manager, because that's the primary method. We'll talk about one other one,
but we're not really going to focus on it too much. There is one other place you can store
passkeys besides like a full-blown password manager, but mostly I use a password manager,

(03:23):
and that's my recommendation as well, at least for now. The other thing just to kind of underscore
is we've always talked a lot about the importance of keeping your email account safe
for a number of reasons, but one of the big ones is simply it's a master key to your other

(03:46):
online accounts. Well, keeping your password manager safe is at least as important basically
for the same reasons, because not too much explanation needed there, I imagine. You got
all your passwords, or at least however many you have in there. If you're just starting out,

(04:06):
you might not have many, but ultimately, like I do, I have everything in there, and so we want
to be really careful and intentional about our choice of password manager instead of, for example,
just using the default one that our device presents to us, which is typically going to be
the browser-based ones, is what we're going to be talking about. We're going to talk about

(04:30):
what those ones look like a little bit, and my preferred ones, and why.
Okay, so if you haven't explicitly installed a password manager, then every browser these days
has one built into it, and the most common one, of course, is Google Chrome browser,

(04:56):
and that password manager is simply called the Google Password Manager,
and it works not only in Google Chrome, but across your whole Android device,
but again, our focus here is really going to be the browser usage, and then there's in
the Apple Safari browser, and that password manager is called iCloud Keychain,

(05:23):
and then if you're using Microsoft Edge, it's just called the Microsoft Edge Password Manager. I
prefer... Yeah. Wait a second. You're saying you don't want to share your password with those

(05:46):
big people, and you don't want to have those big people generating your passwords for you?
That sounds wise. Yeah, well, and we'll talk about that, actually. It's interesting that that's
your perception, because to me, I was thinking if you have a password manager,

(06:11):
then that doesn't mean that they would know what was in there, like that they wouldn't be
able to see my passwords, right, because that's crazy to me that you would even offer a service
like that where somebody else could know your passwords. I mean, I know with Google Docs and

(06:31):
we share it, but... Don't you think Google knows your password at the end of the day?
Well, yeah, so let's pause on that for just a second, because that's my first main point of
comparison, because I'm really glad you brought it up, though. Okay, okay.

(06:54):
Because the one other thing I want to mention first is just the three password ones that I
do recommend, right, not the browser ones. Of course, my favorite, as you know, is 1Password.
We trust Bitwarden, and the new one that you don't know about is ProtonPass.
Okay. It comes from a company that I've known about and has been around for,

(07:16):
I don't know, 10 years, I think. They're a longtime champion, anyway, of privacy and security,
but only recently, earlier this year, they came out with their password manager called ProtonPass.
They started with secure email. Yeah, exactly, and it's good, and it also has a free plan,

(07:38):
just like Bitwarden, that you can really try it out and then pay more if you want to upgrade.
All right, well done. Yeah, very exciting. It's a really solid offering, so
like some healthy competition there. All three of them will keep each other honest
and keep them, you know, pushing forward instead of getting lazy, so I'm really excited about that.

(08:02):
Yeah, and it just meets a little bit different niches, little different needs for people in
different ways, so. Right, right, absolutely. The one non-password manager option is a hardware
security key, and I'm sure we'll do it, so here's what it looks like. I got mine with a little

(08:26):
tie-dye pattern on it, even. Yes, so I had to pay five bucks extra for the tie-dye pattern, but
totally worth it. I think so. So, and it's just, you stick this into the USB slot when you need to use it.

(08:46):
It can also connect wirelessly with your phone, so you can use it with a phone as well,
even if you don't want to plug it in. Anyway, that's all I'll say about that for today.
It was not a dedicated password manager, but you can store passkeys here. Really?
Yeah, and I do use it, and I actually do store my email passkey on there,

(09:14):
so we'll talk about that more, but that's all we're gonna say for today.
Cool, okay, and we'll end up doing probably an individual episode, so we've already done one on
1Password. I'm sure we'll do one on Bitwarden and ProtonPass at some point, maybe even the browser
ones. I don't know exactly. It's less compelling because I don't recommend them, but maybe going

(09:34):
into why I don't might be worth it, but anyway. So, what we do want to focus on is the three reasons
why I prefer dedicated password managers, a standalone one, not the browser-based ones where
it's just kind of an add-on piece to the browser. That's a very accurate description you just said

(09:58):
there, add-on piece. That's how I would see it. Yeah, why do you say that? I mean, because they're
trying to do everything else. I want somebody that's going to take care of my passwords to be
an expert in that field. I want them dedicated to that. Yeah, exactly, and browsers for a long

(10:25):
time didn't have those. They've added them for a while now, but yeah, exactly, and it's not
their focus, and I almost actually list that, but I ended up not listing it, so I'm glad you
brought that up. The first reason, probably, and one of the absolute biggest is you already
jumped right to it before, was the question, does Google or Apple or Microsoft, can they see your

(10:52):
passwords? Right, that's what I wanted to know. Yeah, well, and I want to introduce a phrase here,
because you'll encounter it sometimes in online security, and there's this phrase called
zero knowledge encryption, and that's what you want when it comes to any data that you want to

(11:13):
keep private. You want them to, and obviously, you want to be able to verify the claim, but
a lot of times, they don't even make the claim, because they know they'll be checked, and so if
they can't say that honestly, they won't try. Gotcha. And what zero knowledge means is that
there is zero knowledge on the part of the provider of the service, so Google would have

(11:36):
zero knowledge if they were a zero knowledge encryption service, right, if they were.
Right, right. Well, in like email, they clearly aren't. Google Docs, they aren't, and so with Google,
they say, so because I went and checked this just today before we recorded, and they have a feature

(11:59):
called on-device encryption, which means that it gets encrypted before they then send it to Google,
okay, which would mean in theory, right, that that means Google couldn't see your passwords,
right, but here's the catch. It's not enabled by default. Oh, geez, okay, right, and the reason why

(12:27):
I think is because convenience has such a high priority for people, typically so much more, and
they're going to get mad at Google if they lose all their passwords, right, and if Google
absolutely can't access them, and they mess up, you know, then they could lose all their passwords,

(12:47):
and then they're going to blame Google, right, right, whereas they don't really know if Google
knows their password. They don't even really think about it in most cases, and
as long as Google doesn't steal them and doesn't do anything nefarious with them, then
why does it matter, right? This is the, I think this is the thought process anyway, right? Clearly

(13:08):
not my thought process. Right, right, nor mine, but yeah. So with Microsoft, it doesn't even have
that ability, as far as I can tell, to have zero knowledge of your passwords.
Apple, thankfully, does it by default for your passwords. Hey, yeah, thank you, Apple.

(13:31):
Yep, now, which makes sense because it seems a little different. I've used all of them,
to be honest. Oh, really? Nice. Yeah, yeah, yeah, so I've used all of them,
but yeah, I'm glad to know that Apple's felt a little different,

(13:57):
and it was the keychain, right? Yep, yeah, iCloud Keychain, because it gets, by default,
they like to store it in the cloud so that you can access it on your other Apple devices.
Yeah, yeah, yep. Now, there are reasons not to use Apple either, and we'll cover a couple of those

(14:21):
in the next, you know, reasons number two and three, but just this first reason is enough,
at least for me, to never store any password, at least that I care about at all with Google
or Microsoft, because I don't want to trust, passwords aren't the sort of thing you want to
trust anybody to not look at or to not know about. You want to know that they don't have any ability

(14:45):
to see those. Right. Not only because of trust, but because of bugs, because that means if there's
bugs in their system, then it means that if they could know them, that means any hackers that
compromise the system could also know them, and so it's just more ways they can get out, but
anyway. Okay, reason number two, and this goes back to the bugs question at the start. Okay.

(15:15):
And the reason, I'll say it this way, complexity breeds bugs. Now, as you know, I've been a
software developer for over 30 years, and I take great pride in writing code that doesn't have a
lot of bugs. I'm good at it. It's one of my, I feel like my strengths as a software developer,

(15:39):
but it's hard. It's really hard, and I've had plenty of bugs over the years, despite my best
efforts. Okay. Okay. And so that was really just a joke, you know, like I'm not going to show
any code or ask you to find any bugs, just to reference to this, because, so why am I talking

(16:00):
about this right now? Right. It's because bugs are one of the biggest sources of security breaches,
and the bigger, the more complex an app is, the more bugs naturally, right, you might think
are going to be found in there, right? Right. Harder to make sure there's no bugs.

(16:23):
And here's what's not obvious. I suspect to most people, I haven't polled or anything, but
browsers are actually one of the most complex apps we have today.
Certainly, I would say, especially in common use, because everybody uses a browser pretty
much every day. Yeah. Yeah. Well, and if you think about why does sometimes a website work

(16:46):
in one browser or another? Right. That's kind of the red flag that can, okay, well, it's because
there's a lot of complexity behind the scenes. There's tons of formal geek specifications that
tell how a webpage should look, given certain HTML, you know, the data behind the website.

(17:10):
Yeah. And it's just, there's hundreds of specifications that have to be built
correctly. Anyway, there's just, there's a lot to it. And so they aren't as simple as we think of
them. Because a lot of times we do, we think, oh, just ask Google, you know? Yeah. Not a big deal,

(17:34):
you know? It's not, it seems very simple anymore. Well, and that's the magic of technology, right?
Is it hides all the complexity and makes it easy for the end user.
You know, little kid, they can hop in a browser and start doing stuff. No big deal, right?

(17:55):
Start with a Google search, some, whatever they want to see. And yeah.
Chase does it all the time. Yeah. Yep. But anyway, and so that's one of, that's my second
reason why I don't want my passwords affiliated, you know, with the browser password manager,
because each of those bugs basically means a risk that my passwords will be compromised.

(18:21):
Makes sense. Now, most of them won't, most of them won't cause that kind of compromise, but
each of them has the possibility. Exactly. And I don't want that. I want my password manager only
to have, you know, only have password manager features to worry about, not all the browser
ones too, basically. Right. Okay. Reason number three, vault access control. What that means is

(18:52):
what steps do I have to take when I need to unlock my password vault so I can log into some website.
Right now, I know you're familiar with this since you use a password manager,
you have to either type in your password, your master password, or use your Face ID, right?

(19:14):
Yep. And for browser-based password managers, most often it's nothing more than just unlocking
your device, right? You have a separate step using 1Password like I do. Right.
But with browser- We have that extra layer of security. Exactly. And for me, that's really

(19:40):
important. With browsers, you know, there isn't that extra step, and I know it's designed for
maximum convenience, but that's just totally unacceptable for me. This is ultimately why I
went away from using Apple, because I had used it for such a long time, because as you know,

(20:02):
my house is full of Apple devices. I like Apple's products. I like that I can find stuff across any
device. So ultimately, for me, that extra layer of security was what I needed and wanted,
and so it's why I let what was pretty convenient go and replaced it with

(20:28):
what still is very convenient. Took some time to set it up, but once set up,
slick. Cool. Good to hear. Well, and I want to share a few specific details of what that looks
like too, because so if we say I'm using 1Password on my iPhone, right, which is a common

(20:49):
case for me, but this will be kind of similar regardless of what device you're using.
So first of all, I have three options for my primary unlock method for my password vault.
I can either type in my master password. I can do Face ID. If I had an older phone with a touch,

(21:12):
I used to use that when there was a touch sensor, or you can actually pick a numeric passcode.
And then optionally, you can force it. So say you pick a simple just numeric passcode so you can do
it quickly on a daily basis, but then you want to make sure you never forget your master password

(21:35):
and you want to add that extra authentication once a day. You can say, okay, but every day or every
three days or every two weeks, I have to actually enter my full master password. Yeah.
So there's flexibility, not just like one tiny little setting. There's that. And then there's

(21:56):
also a few settings that I like in connection with relocking the vault. And so I can have it
if I haven't touched my password vault for say 15 minutes or however strict I want to be,
then that password vault will automatically relock and I'll have to do my unlock method again.

(22:22):
Yeah. So if I walk away from my computer, forget about it, it'll automatically lock.
Yeah. And well, and actually that's a separate setting because you can also have it so if
the device itself gets locked, either shut down or your lock screen on a laptop or whatever,
or on your phone, same thing, that your password vault will lock at the same time as well.

(22:51):
Yeah. That makes sense?
Makes total sense. Well, and maybe it makes perfect sense because I used them. And yes.
Right. Yeah. You're right. And this one you're familiar with. Yeah. That's fair. But the main
thing is no, there are some, you have a lot more fine grain flexibility and control of how your

(23:14):
password vault not only unlocks, but locks. So to meet whatever security standards you need in your
situation. And for me, that level of control, it's very valuable. I do not want my password
automatically unlocked with my device. That's the single biggest thing out of all that.

(23:36):
That's just crazy to me. And I don't want it to stay unlocked indefinitely.
Right. I want it to automatically unlock fairly quickly. And I'm probably more aggressive on that
than a lot of people would be, and that's okay. But anyway, I have that control. So those are the
three reasons, the zero knowledge encryption, the bugs associated with the complexity of browsers,

(24:03):
and the vault access control. Okay. Those are pretty good reasons not to use them.
I don't think so. Yeah. I'm impressed. Okay. Well, good. Yeah. Any questions about any of those or
anything else that came up for you? No. Okay. So that's simple?

(24:30):
Yeah, I think so. I'm ready for our final stage. That call to action part?
That's right. Yep. That's right. All right. What's our call to action, buddy?
To decide what password manager you want to use and start getting it set up.

(24:53):
And we've talked about that before back in episodes 7 to 10. So I know that's
kind of a big call to action. So if you need more help with that, either
listen to those episodes and/or reach out on the forum. And if you decide on 1Password,

(25:15):
the one I use, the one you use, it does cost a small bit of money, three dollars per month
for an individual or five for a family. And as I mentioned earlier, the ProtonPass
and Bitwarden have free plans, but with premium plans as well for more features.

(25:35):
And then once you have a password manager set up, you'll be ready for the final episode,
which is where we get to answer the question, should you use passkeys?
And listen, for those people that took our call to action earlier,
this is going to be a super easy call to action. You know, like this should be, hey, guess what?

(25:59):
For me, this was, yes, we've got it easy. So I love it. Great call to action. And for those that
need to review, review, hit us up on the forum. I love it. Okay. That was a great episode, dude.
Yeah. Okay. That's our super simple show today. If you're not a member of the IHP Academy already,

(26:28):
please come join us for free. Stop searching the whole internet for answers and never knowing who
to trust. Ask us instead. We made it super simple to find us and it only takes two minutes to sign
up. Just visit helpmegetsafe.com. Enter your name and your email. You're in. You can also

(26:57):
find the link in our show notes. Thank you for joining us and make it a great day. Bye-bye.