235

March 30th, 2020 × #security#privacy#tips

Hasty Treat - Get Gud at Passwords & Password Management

How to create strong passwords, use password managers effectively, enable two-factor authentication, and more.

or
Topic 0 00:00

Transcript

Announcer

Monday. Monday. Monday.

Announcer

Open wide dev fans. Get ready to stuff your face with JavaScript, CSS, Node modules, barbecue tips, get workflows, breakdancing, soft skill, web development, the hastiest, the craziest, the tastiest web development treats coming in hot. Here is Wes, barracuda, Bos, and Scott, el toroloco, Tolinski.

Topic 1 00:27

Password security

Scott Tolinski

Welcome to Syntax. In this very secure episode of Syntax, we're gonna be talking about password management, how to lock those passwords up because you don't wanna make sure anything that you have gets stolen, used, or accessed without your knowledge.

Scott Tolinski

And, this is vitally important for every service or anything that you do online. It's extremely important.

Wes Bos

Hey, everybody. I'm actually really excited for this episode because this is a question that I get from my friends and family as well as web developers Vercel.

Wes Bos

So I'm hoping that this show can be a show that you send to, like, literally anybody. You don't have to be a web developer to listen to this one. It's just gonna be like, how do you get good at passwords? Because I think for us Wes developers, one of the biggest pain points is our friends and family who have sloppy password management hygiene.

Scott Tolinski

Yeah. Totally.

Scott Tolinski

And, speaking of hygiene, you're gonna make sure your application has proper hygiene from bugs, and we don't want bugs in our application.

Scott Tolinski

And that's why we use a service like century@century.i0.

Scott Tolinski

Now you're gonna wanna sign up, use the coupon code tasty treat, all lowercase, all one word, and you're gonna get 2 months for free of this fantastic service.

Scott Tolinski

Now Sanity is the bug pnpm error handling exception tool that really just makes everything so so easy.

Scott Tolinski

Sentry is adding new features all the time.

Scott Tolinski

Now I'm currently looking at the discover tag, which has a little new sign because it's letting you know that, hey. This is a new and it's looking for searching events, users, tags, and everything else, allowing you to see new bugs that have popped up. For instance, I'm seeing this interesting bug popping up here, and it looks like it's coming in on our API.

Scott Tolinski

Cannot read property ID of null, which means, I can tell you exactly why that is coming up because that's a very standard bug. But this allows me to see every time this bug or this error is happening, when it's happening on my server, if it's on my API, my front end, wherever it is, I can track this thing. I can take a look at it. I can fix it, find it, Yarn it as resolved, and then no more bug. I mean, that's really, really the, the end result of this all. Looks like this this is a bug that just popped up, and it just popped up with the latest release. Not only that, but I can actually I can, I can write a test for this bug to make sure it never comes back and that we don't have any regressions, which, of course, you could track on the Century as well? So check it out at century.iocouponcodetastytree, all lowercase, all one word. You absolutely will not regret adding this to your application.

Scott Tolinski

It's pnpm essential service in my mind. So password management, getting good at passwords, I this is a holds a special place in my heart because, not because I've been hacked or anything, I have not, but I am acutely aware of the consequences of this. And to be honest, I don't know if you've ever been to Have I Been Pwned, which we'll link in the description.

Topic 2 03:12

Password breach history

Scott Tolinski

For those of you who are sitting available with the computer right now, which I'd imagine most of you are because a lot of people are at home right now Yeah. Or in the office or not driving, I would say head to have I been phoned in the show description, enter your email in the have I been phoned search bar, hit enter, and then just be kind of horrified because I'm horrified at at all of these things. What it is is a listing of every time your email has shown up in a password breach. How many does your show up for? A lot.

Wes Bos

Mine's 23.

Scott Tolinski

Node it say a number? Mine's 16 breaches.

Scott Tolinski

I'm in Bitly, which I'm sure you are as well.

Wes Bos

Yeah. Bitly

Scott Tolinski

Discuss.

Scott Tolinski

Discuss is a commenting service.

Wes Bos

500 pixels, Adobe, Dropbox, Imager, Kickstarter, LinkedIn, MyFitnessPal, MyFitnessPal,

Scott Tolinski

MyFitnessPal. MyFitnessPal. Patreon.

Scott Tolinski

Patreon yeah. Patreon, this is one of the reasons Wes Patreon got hacked, I emailed them and said, hey. Can you delete my account from your service considering you're not, securing your database or whatever? And they're like, no. We can't do that. And I was just like, what? Deno. We don't delete accounts.

Scott Tolinski

Okay. They said they can't do it for tax reasons. I think that was a BS answer. Oh, yeah. Yeah. They have to, like, tie the the purchase to a actual person because

Wes Bos

yeah. Whatever. Yeah. Anyway, we should say, like, when a website gets hacked, usually, what happens is that, like, a database dump is taken or something like that, and they get access to your username. And, usually, in in best case, your password is hashed, meaning that it's it's not if your password is dogs, it's not sitting in the database as dogs. Although that does happen, that's being called, clear text.

Wes Bos

So anytime a a email service will email you your password or, like, I know Bluehost does this. They ask for the last 4 characters of your password, which it's possible that they save that in it, but that's still not a good good, process to do anyways. But they are are hashed, meaning that it's very hard to unhash them or to generate a hash of words and and match them. That that is definitely possible, especially with probably the biggest hashing algorithm out there JS MD 5 that's used, very popular in, PHP world. Specifically, WordPress uses it.

Wes Bos

And if you use a common password, the m d five hash of a common word will always be the exact same hash.

Scott Tolinski

So you people are still able to to reverse engineer those. What's, really fascinating about have I been pwned is that it gives you quite a bit of information about the hacks that took place for each one. Yeah. So you can get a good amount of information whether or not it has been a hashed, password and what it was hashed with. Alright. Was it Bitly? They gained access to 9,300,000 email addresses, usernames, and hashed passwords using sh a one and a small number using bcrypt.

Scott Tolinski

Did you ever use the service Apollo? It's not Apollo GraphQL because I saw Apollo on here, and I was like, holy cow, did Apollo GraphQL get hacked for some reason, and it's Scott. I never used it, but mine's in here as well. So what's up with that? Yeah. Because mine is in here, and it says Apollo left a database containing billions of data points publicly exposed without a password.

Scott Tolinski

Okay. Apollo, who are you, and what

Wes Bos

were you thinking? This is a sales tool or a data prospecting. So what they do is they, basically, they basically scrape data and buy databases from people. Like, anytime I subscribe for a magazine, I put a funny middle name on there, and then you can see where that data trickles through and who's bought it. Smart. And that's that's kinda what they do JS they sell your data, which is these are awful companies. Wes, the security researcher here.

Wes Bos

Yes.

Topic 3 07:33

Good password practices

Wes Bos

So Fantastic. Thanks. Talk about let's talk about, like, how do you actually set a a good password and and what tools should you be using? So regardless of what you do, you absolutely must have a unique password for every single website, and this is probably the one that gets absolutely everybody.

Wes Bos

If you reuse the same password on multiple websites, as soon as that password is found out on any of these websites, then that immediately, bots will try those passwords on other popular websites. So Yep. Case in point, this happened to me. I was getting a little sloppy for my McDonald's password, and I had reused the same password on McDonald's as I had used on some app that I had used years ago. I don't know which one, but, obviously, it was breached at some point. And then what happened is someone went and bought $8 worth of McDonald's, And then about 10 minutes later, they went and bought a $120 worth of McDonald's.

Wes Bos

And it was such a pain to get those charges reverted because it wasn't like credit card fraud. I couldn't call my credit card company saying, like, someone stole my card because they hadn't. They had just got access to my McDonald's account. Right. And they just went up and and ran the ran the thing. So that's case in point, a place where you should never reuse it. It's not that your password is not guessable.

Wes Bos

It's not someone's not just trying to sit there and guess. It's that when it does get out, it's only an amount of time before your McDonald's and your Uber and your PayPal. All of those things are like people will test if these passwords work, and then all of a sudden, you're you're out of luck. Like, it's it's such a huge pain to have to try to revert all of that. So never reuse a password. And this isn't just like some Node sitting in his basement trying 1 password at a time. These are either complicated,

Scott Tolinski

Bos Yeah. Yeah, botnets doing it or, farms of human beings trying, various things. So, you know, this is absolutely number 1 super big concern doing anything online.

Scott Tolinski

So, again, generating a new password, how do you generate a password? And and I keep using the word generate a password here because you're most likely not going to want to just invent a password Vercel. Because if you can remember it that easily, chances are it's not a great password. Now there's some exceptions to that.

Scott Tolinski

The whole sentence based password thing, that's a a a good way. We'll talk a little bit about that in a second. But for the most part, I think it's the easiest to rely on a password generator regardless of what it is. Right? If it's through the browser, through a service of which we'll talk more about, But having a generated password, something that's not logical, not a sentence, not a dictionary word, not a dictionary word with some, you know, threes swapped out for e's or something. Exclamation mark and a one to the end? Oh.

Scott Tolinski

It doesn't do anything. Right. Yeah. Because they're they're if their service can check for, you know, password, they're gonna be able to check with an ampersand or a at sign as an a. So that's not really a thing. I I always reach for a generator that generates a nonsense password myself.

Wes Bos

Yeah. I do that as well. I'm gonna talk about this little generation method I do. However, I don't use this method anymore since the password management integration in Bos has gotten so good. So for for years years, you had to, like, quit the app, go to the app, copy the password, come back, open the app, paste it in, and and that was just like a bad workflow that I didn't like. So I use this new or not.

Wes Bos

For years, I use this approach, which was first thing you do is you make a sentence.

Wes Bos

So make a sentence. I love to eat pizza. That's the sentence. Right? So that's your base password.

Wes Bos

Then you go ahead and decide on casing of that. So do you want a camel case it? Do you want a lowercase? I love to eat. And then, uppercase pizza. Just decide on that for how you're going to spell it. And then what you do is to in order to make that password unique, because you can't just use, I love to eat pizza on every website, you have to make an algorithm for how you generate your password based on I use the domain name of the website. So one example is you could take the 3rd letter of the domain name, or sorry. You could take the 3rd letter of I love to eat pizza and replace it with the 4th letter of the domain Node. Mhmm. And then you could count the number of letters in the domain name and add that to the end. Oh, my geez. You are every single website like, it it seems complicated, but as long as you say, I have a system. I love to eat pizza JS my base password, and then I always know that the third letter is replaced with the 4th letter of the domain I'm trying to sign ESLint.

Wes Bos

And then the number of characters in the domain name is just added on to the end or to the start or in the middle or whatever it is. And then you can say, okay. Knowing these 2 rules, you always have to remember those 2 rules. You can generate a unique password and remember a unique password for for any single one. So I, that worked forever for me. It worked really, really well. I still use it on some things like Netflix that you have to share with Sanity and whatnot, but I've pretty much entirely moved over to just random generated strings, which is I I probably would say this is what everybody should be using these days. Yeah. I totally agree. You wonder why I like Android so much. Android's always had good integration with that kind of stuff, especially It was awful on Bos for years.

Scott Tolinski

Yeah. And I always I I still I really dislike the Ios keyboard.

Scott Tolinski

And, like, the Android keyboard, if if you didn't like something like that that Wes, like, sort of keyboard integration, somebody would just come out with a better keyboard, and then everyone would use that. So, like, the competition over like, the Bos keyboards are just, like, skinned versions of the iOS one. It's it's, like, not Node. They're not. No. They're they're so great. Are they so bad?

Wes Bos

Why are they all so bad? Because the custom ones on Android are great. Oh, that's that's a good question. They are not just skinned versions. They are their own, and you can tell that they're their own thing because they are not that good. Well, the Ios one's the worst one of the bunch. It's the worst one of the bunch. Okay. So I like the Ios. Anyways Rant over. We do Sanity Ios rant on another episode.

Wes Bos

Yeah. So using a password manager, you go ahead and you sign up for this, and you install it in your browser. You install it on your phone.

Topic 4 13:51

Password manager usage

Wes Bos

And and then every time that you sign ESLint a website or every time you sign up for a website, it'll try to add that password to your list of passwords, and then you have a master password that you can use to to sign in to your whatever. So I personally use 1 password. I was on LastPass for years, and we talked to him to see about how awful the user experience is on LastPass. I would recommend to nobody, no matter how much money they spend on sponsoring YouTubers, don't use LastPass. It's awful. And I'm I'm not saying that because, like, I I don't like the company. I'm saying that because I've tried to get family members on LastPass, and they say, screw this. This is too hard. It doesn't work. Yeah. It doesn't work all the time. It's annoying. Password.

Wes Bos

It's annoying.

Scott Tolinski

And the user experience is is so important when you're trying to get family members onboard for this type of thing. Yeah. Absolutely. Because it's already invasive enough, right, to ask somebody to use something like this in in place of their, you know, handwritten notes password or using the same password on every site. It's already invasive to their workflow. They're adding a step into whatever they're doing. So you gotta make it as smooth and as easy as possible. And I I, again, likewise, I, Yarn and I both used LastPass for a little while, and she always hated it. She never wanted to use it because of it. I hated it, and I knew I needed to use it, so I still did anyways. But, once we move to 1 password, it definitely it's just so much nicer. The interface, everything is just way easier to use. But there there are certainly other good versions in other good applications as well. I just don't have the experience with some of these, like Dashlane. Haven't used it before.

Wes Bos

So I don't know, but people seem to really like it. Yeah. There's Dashlane seems to be pretty popular, and Bitwarden is a open source version of it. So if you want to host the the password database yourself, which, I argue that's a very good way to do it because then you're not giving some random company your all your passwords. I should also say, like, 1 password is not like, they don't just have a database full of all of your passwords, and if that gets hacked, then you're screwed.

Scott Tolinski

Bos

Wes Bos

what they do is they encrypt it based on your your master password.

Wes Bos

So if 1 password gets hacked, the person just gets encrypted passwords. It's they don't get access. And that's the reason why if you forget your master password, nobody in all of land can help you because all of your passwords on their server are encrypted, and even 1 password can't unencrypt them unless they have some sort of, like,

Scott Tolinski

triple locked door with a secret key. They might have that, but who knows? For the I have a a little note here. It says, for the love of God, do not forget your master password because, Courtney has forgotten her master master password twice Node. And Kayla's did too. Very frustrating.

Scott Tolinski

Because he's like, Node. That's I shared all these passwords with. She'll be like, what's the Amazon password? I'm like, I'm not reading this this line of of No. You know, generated text out to you. So where's your Node password?

Wes Bos

Yeah. Oh, man. Like, Caitlin did that too. She lost it, and then she just stopped using 1 password altogether. Yeah. Like yeah. Yeah.

Wes Bos

It's in like, it's on us as developers to make this stuff as as easy as possible because I know. Like like, what do you do with your master password? Well, like, first of all, you can recover it if you have a family member on the same account. Like, you can assign family members that will allow a reset, which is good. And then you can also, like, I I LastPass, I forgot mine once. And, but luckily, I had the Chrome extension installed, and it, like, verified it based on that, which is good as well.

Wes Bos

So just write it down, put it somewhere super safe so you won't accidentally lose that because Yeah. It's it's not the end of the world. You can go through the process of of resetting every single password that you have.

Wes Bos

Like, it JS not the end of the world, but it's it's just a pain. It's a pain. Yeah. Totally.

Wes Bos

Other tips here. So one huge tip I have for people JS turn off Chrome or Firefox built in password remember, which is what happens is yeah. It's it's hard to do because it, like, gets in the way. It, like, drops down in front of the Node password.

Wes Bos

But, also, I see a lot of people relying on that. And then then then that's not like it doesn't work on their phone, so, like, their passwords aren't remembered from that. And then, like, when they change your password, it updates in Node of them, but not both of them. And then it's out of sync, and that's where a lot of this frustration with these password managers. If you have 1 single source of truth on all of your devices, turn everything else off, key chain, all of this stuff, turn it all off except for whatever password manager you're using,

Scott Tolinski

and life will be so much better. I guarantee it. Yeah. Totally. And and, you know, okay, I should offer up a a tip here. Let me pop up in Chrome because it is Chrome, like, really, really wants you to use their their solution. Chrome's like, can you please use our password manager? Like, you Node.

Scott Tolinski

So let me pop up in my extension here real quick for 1Password.

Wes Bos

Yeah. I was gonna use, like, Google password because they have, like, their own thing. They have their own generator. Yeah.

Wes Bos

They don't have an like, it doesn't work on Firefox, and it doesn't I don't think they have an app as far as I could see. So, like, it's just, like, not there. And, also, they don't have Node, like, password manager notes for me, things that I want like, confidential things, like passport numbers and expiry dates, all that stuff needs to be saved. Credit card numbers.

Wes Bos

Anything anything sensitive

Scott Tolinski

should be stored in your password manager. And, also, you can group them. You can organize them. Like, we have ours grouped by entertainment so that I can share the entire entertainment folder with Courtney rather than, like, having to share each Node individually or whatever. Here's all of our, you know, YouTube whatever log ins. Here's all of our shopping log ins. Here's all of our personal finance log ins. And then I have my, like, level up tutorials logins that I can share with the team members, people who are using this thing, that aren't me. You know? I find it very, very valuable in those sort of ways. Absolutely. But it's it's a little bit of work to to get up and running, but well worth it.

Scott Tolinski

In addition, here's another little hot tip. If you are using 1 password, take advantage of their watch tower feature. This one might go sort of, you know, above the radar if you're not looking for it or below the radar. I don't know. I'm not a radar technician. Under the radar. Yeah. Under the radar.

Scott Tolinski

The watchtower feature is a feature that tells you which of your passwords have been included within data breaches.

Scott Tolinski

It also tells you which of your passwords are reused on multiple sites.

Scott Tolinski

So it can take a look, and it can say, hey, dude. You're using the same password on, these 2 sites, and you should probably do you should probably change that. It's also good. It tells you which ones are weak, which ones have been hacked, which ones are unsecured, which ones aren't using 2FA that should be using 2FA. We're gonna be talking a little bit more about 2FA in just a second. So use the watchtower. It's really, really useful feature.

Topic 5 20:49

Two-factor authentication

Wes Bos

Next up is, turn on biometrics.

Wes Bos

So, likely, your phone or and or your computer has face ID, touch ID, some sort of sensor, blood ID, turn those on because typing your master password your master password should be strong, and typing it every single time you wanna open that sucker up sucks. So, if you can turn on fingerprint or face ID to get access to your passwords, that's just another, like, it has never been better for just regular people to use a password manager because of, because of these things. You very rarely ever have to type your password because of biometrics.

Scott Tolinski

Totally. Yeah. And, again, any anything that gives that opportunity, do it because it's so much faster.

Scott Tolinski

So let's talk about 2 FA, which stands for 2 factor authentication, which means that you need 2 factors to authenticate you into the site, as in you need more than just a password to get in. You need a password plus something that is a little bit more secure. Right? And there's a whole bunch of different ways to do 2FA, very of which have been this, like, 6 digit code that is a 2FA code that sort of it changes. However, was it every 30 sec every Yeah. Every 3 seconds? Or 30 seconds, you get a new

Wes Bos

six digit code, which, like, I remember being, like, 7 years old, and my dad had this little thing on his key chain,

Scott Tolinski

to VPN ESLint his work. And I'm just like, oh, man. All these years later, I finally understand what that's for. Yeah. So the two f a, is just such a really interesting thing. It makes you feel like a secret agent because you're getting this special code. So what happens is you'll go to log in to a service, and it's gonna say, okay.

Scott Tolinski

That's cool.

Scott Tolinski

You are authenticated.

Scott Tolinski

But before we can let you in, before we know it's actually you, we need this six digit code that you need to enter. There's several services. Authy is probably the biggest one. Google Authenticator is also really big. I would recommend using something called Authenticator Plus for various reasons.

Scott Tolinski

Authenticator Plus allows you to host everything locally and and back it up in your, like, Google Drive or whatever.

Scott Tolinski

And Oh, cool. Yeah. The reason why that's great is because if you lose access to your authenticator, it is a giant pain in the butt to get this reset, this thing that is generating all of these codes. So Authenticator Plus is my pick. There's an Android version. There's an Bos Vercel. So both of you are covered. And, you know, the coolest thing about Authenticator Plus for me, besides the fact that I can import and export and take these with me to various devices or backup somewhere is that Mhmm. They have a I I iWatch or whatever the Apple Watch is called. They have the Apple Watch app so that I can get the codes on my on my watch, and I can just look on my my wrist, hit it, and then type it in, which is way better than looking at your phone or, some other service.

Wes Bos

Yeah. So we should say, like, the whole idea behind two factor authentication is that even if someone does get your password when you log in, they will then still ask you for this Node. And, generally, the codes live on your phone.

Wes Bos

And if they don't have physical access to your phone, then they they they still can't log in, which is great.

Wes Bos

So I forever had been using I used Authy initially, then I moved over to Google Authenticator because I think there's just some services that wouldn't do it. And then I actually, I dropped my phone in the lake, and it started acting up. So I brought it ESLint Apple, and they replaced it for me. And I was just driving Node.

Wes Bos

Oh, no.

Scott Tolinski

Oh, the decor.

Wes Bos

I lost I lost all of my comments. So the process of getting back into your account when you have don't have the codes is very hard because you have to, like, submit your driver's license or some some sort of proof. Every every single one has a, a different way to get back in, and it it probably took me 2 weeks to get back into to every single one. It takes time. Authy Authy is like a like a like an actual

Scott Tolinski

one and a half week waiting period. They they really make it. Yeah. No. It's intentional because Yeah. They don't want somebody

Wes Bos

just jacking it from you or like that. So I actually recently probably in the last month, I switched over from Google Authenticator over to using 1 password for 2 factor authentication.

Wes Bos

Oh.

Wes Bos

And for the longest time, I'm like, that doesn't make sense because the whole idea behind 2 factor authentication is it's something you know, your password, and something you have. It's Yep. Your, like, your phone. Right? And you have a code on there. And if you put them in the same place, isn't that kinda defeating the purpose? Like, if somebody gets into your your one password, then they'll have both things that they need to get into your account. So for the longest time, I was like, that's dumb. That's the silliest thing ever. And then I finally, like, looked into it. I was like, why why are people doing this? And then I realized that you can't set up, you can't log in to 1 password. You can't set it up on a phone. You can't log in to it with an app without having an additional sign in code. So, and that sign in code is generated from, another app that has 1 password on it that is logged in or from somebody in your family who can also get that secure sign in code. So 1 password itself is two factor. Meaning you need your master password and you need a code to set it up on a device. So meaning that JS even if somebody got my 1 password password, they wouldn't be able to log in on a device unless they had that secondary code to to log in. So with that under a thing, I said, oh, okay. I'm gonna start moving over to, using 1 password for this because you don't have to whip out your phone or look at your watch every single time that you wanna code. You can just open 1 password, and it will give you the Node, which you can copy and paste. Or in most cases, it autofills the code for you from thing, which is amazing. So I had resisted this forever. I was wrong, and it's the best workflow I've I've found so far for this type of thing. I wonder if I can easily migrate. I don't know. It seems, Yeah. I I don't think so unless you have backed up your initial QR code.

Wes Bos

So if that's the case, then you have to turn off 2 factor. This is what I'm doing with everything.

Wes Bos

You have to turn off 2 background on every service. So what I'm doing is every time I log in to a website, I move it over and then delete it from Google Authenticator.

Scott Tolinski

Yeah. Yeah. That's cool. Yeah. I I I like Authenticator plus maybe keep some of these things in in separate little islands, but I totally see where you're coming from. That sounds like a really nice little workflow. And, especially, again, if you're trying to make security easy, that is the goal. Right? Then keeping everything within 1 password is definitely the the easiest way to go here.

Wes Bos

What else is when you set up two factor authentication, you almost always get backup codes, and it's anywhere from 5 to 20 different codes, which Yarn sorta like one time use passwords. So if you don't have your phone on you or you can't get access to it or you totally lost it, your backup codes are what is gonna save you, and you can print those out. I don't know if it's a good idea to put the backup codes in your one password.

Wes Bos

I think it would be okay because of the reasons we just talked about. Yeah. And you just put them out, put them somewhere safe. And, if something ever happens, then you have to go and reach it for those backup codes. And I've I've had to use mine once or twice before, to get it get back into my account.

Scott Tolinski

Interesting.

Wes Bos

Other people say JS, like, you can just back up the QR code. So the QR code that you scan to set up 2 factor authentication, that code has a number in it, which will allow you to generate these things. And if that if you save that QR code or you save the number that's in the QR code, you can always readd these to other things. So if you were to lose everything but you still have that QR code printed on paper, you could just open another authenticator app, add it, and it would give you the code that you need. Yes.

Scott Tolinski

Wes, I don't know if I've taken proper precautions for if my things go bye bye, but I, has done a pretty good job. Well, I guess the fact that I can export my what's it called? Has, like, all you only have to remember a master password because when you export it, it gives you, like, a pnpm encryption password. And then when you import, you have to type in that encryption password. So as long as you have that encryption password, you're good with Authenticator plus. But, yeah, I should have done a better job of remembering these backup codes. Maybe I'm gonna start turning it off on some services

Wes Bos

and then moving everything over to 1 password. I think you've convinced me. It's, like, kinda scary, and and that's the reason why a lot of people don't do it because they say, like, well, I don't wanna I don't wanna be locked out out of my account.

Wes Bos

But let me tell you, please turn on 2 factor authentication for every service that offers it. Yeah. Definitely.

Scott Tolinski

Yeah. If it offers it. And some places will even give you a discount. Mailchimp gives you a discount for using it. So,

Wes Bos

that's actually a a good reason right there in itself. Yeah. Right? It's on a big discount, but You can also do text message 2 factor authentication. So you sign in, and it will text you a code.

Wes Bos

I recommend not doing this,

Scott Tolinski

because Some places

Wes Bos

you only can do that. Yeah. A lot of places will only allow you to do it, which I don't like. I think the reason they do that is because of the support overhead.

Wes Bos

Well, that happens when someone forgets their password, then you have to, like, assign someone to spend 20 minutes working with this person to get back into their account. Like, I have it with Slack. Like, my Slack room, like, couple times a week, people are like, I lost my 2 factor authenticator for Slack. Can you reset it? And, like, I, as a Slack admin, need to go in and turn it off for their account. And I'm like, oh, this is such a pain. Right? Like, imagine this being on a larger scale. So, some text messages will do. The reason why they don't do it is because there's this thing called SIM jacking, which somebody and this happened to my sister a couple months ago. Somebody will go to your your cell phone provider and say, hey. I am moving from, what are the AT and T and Virgin. Those are in the states. I'll use those. So I'm moving from AT and T to Virgin, and you have to port my number. So they sign up and they pretend to be you, and then they just port your number. And now all of a sudden, some some malicious actor has a new phone with your phone number, and then they can just request, like, a password reset token or a 2 factor authenticator token, and it just text it to them, and then they have access to your entire account. My sister had it. They drained her entire PayPal account, and then they they wouldn't give her her phone number back for, like, 7 days because they, like, trust nobody in this case.

Wes Bos

She had to oh, like, PayPal was trying to tell her tough luck. They took, like, 3 or $4,000 out of her PayPal.

Wes Bos

Wow. Jeez. That's a nightmare overall, and I hear these these stories all the time. So because your phone provider is a weak point, I recommend not using the text message codes where possible.

Wes Bos

And another step you can take JS, at least with my own provider, which is Fido in Canada, you can lock transfer, meaning that I had to call them. I said, lock transfer. So if I ever if I ever wanna move to another provider, I have to call them up. They they took a recording of my voice, which Jeez. I guess they have used voice recognition, and then I have to I think it takes, like, a week to unlock it or something like that. What did you what was your saying? Was it, hey, everyone? Yeah. Hey, everybody. Yeah. Let me let me allow me just to say what I said right then. No. They they just asked me they just asked me a bunch of questions about, like, what I had for lunch, and I think that it, someone could probably take words from this podcast and string together, I would like to change my cell phone provider or just take them as I said. Fine, smoking meats. Smoking meats.

Wes Bos

Smoking meats. Barbecue sauce.

Wes Bos

Anyways, just call your provider and and ask them, like, what can I do to stop getting SIM jacked? Because these providers know that this is a problem, and they are starting to implement stuff, at least in Canada there.

Scott Tolinski

Totally. Cool.

Scott Tolinski

And, if you're interested in a little bit of extra listening on this type of thing, please, I implore you to listen to this episode of the shop talk show. I don't know if you've listened to this one, Wes, but it's from, 2014.

Wes Bos

This is where Chris Coyer got his passport

Scott Tolinski

forged. Yes. Chris Coyer got hacked, and then he interviewed the hacker on the show. It is one of the most interesting podcast episodes I've ever listened to.

Scott Tolinski

You know, it's still it it since 2014, it has sat with me. So, go ahead and listen to that because it is very, very fascinating.

Wes Bos

Awesome. So please send this podcast to family members, anyone that needs to get better password hygiene. Please figure this out now before you get hacked, before your PayPal gets drained because it's a nightmare, trying to get this stuff back. So take precautions now. Wash your hands. Yeah. Yes. Right. I think

Scott Tolinski

a good way to get them to wake up to some of this is to just have them enter their email and say, have I been pwned? So then this website say, enter your email here Yeah. And see if you've been hacked because that can be a real eye opener for a lot of people to see that and then just see, holy cow, people have access to these things of mine. So, just a just a heads up there.

Wes Bos

Awesome. Alright. Thanks for tuning in. We'll catch you on Wednesday.

Wes Bos

Peace.

Wes Bos

Peace.

Scott Tolinski

Head on over to syntax.fm for a full archive of all of our shows, and don't forget to subscribe in your podcast player or drop a review if you like this show.

Share