On this episode of Too Embarrassed to Ask, everyone wants to know more about how and why a password manager is a good idea. Jeffrey Goldberg works at 1Password and holds the title of Chief Defender of the Dark Arts, so who better to answer our curious readers?
You can read some of the highlights from the discussion here, or listen to it in the audio player above. Below, we’ve posted a lightly edited complete transcript of their conversation.
If you like this, be sure to subscribe to Too Embarrassed to Ask on Apple Podcasts, Spotify, Pocket Casts, Overcast or wherever you listen to podcasts.
Kara Swisher: Hi, I’m Kara Swisher, executive editor of Recode.
Lauren Goode: And I’m Lauren Goode, senior tech editor at The Verge.
KS: And you’re listening to Too Embarrassed to Ask, coming to you from the Vox Media podcast network. This is a show where we answer all of your embarrassing questions about consumer tech.
LG: It could be anything at all, like whether or not Kara has watched the new season of my YouTube series, “Next Level.” Have you watched it?
KS: No. But I will, I promise. Right after I don’t watch “House of Cards,” I now have a free area. But yes, I will do that tonight, absolutely.
LG: Okay, well, just slide me right into your “House of Cards” slot, because I can tell you that mine is a little bit less scandalous.
KS: All right, fantastic.
Anyway, send us your question, find us on Twitter, or tweet them to at Recode, or myself, or to Lauren, with the #tooembarrassed.
LG: We also have an email address, it’s firstname.lastname@example.org. And a friendly reminder, there are two Rs and two Ss in embarrassed.
So sometimes on this show I like to joke that Kara’s password is something really absurdly easy to guess, like 123456 or “password” or “Lauren is the real driving force behind this show.” That really is her password.
KS: No, it’s not. I have very good passwords, and I used 1Password. It’s not the last one for sure.
LG: We both use password managers, because in case you’ve missed the memo, you’re not supposed to have something absurdly simple or guessable for a password. And you’re absolutely not supposed to use the same password for multiple accounts, because if someone is able to brute force their way into one of your accounts, they could use that information to reverse engineer their way into other accounts. You use 1Password, Kara?
KS: Yeah, I do. We use password managers. I use 1Password because I think it’s important to have ... And I use two-step verification. I use all the things that you can do. Although I still think, “Why in the world, in this day and age, do have password? There should be another way to do this.” I try to use, when I use other things, my eyeball, or my fingerprint, or things like that. But I do use 1Password now at this moment in time.
LG: How do you use an eyeball when you wear sunglasses indoors all the time?
KS: It’ll be just fine. I take off my glasses, and I put it to the eyeball meter, or whatever. A lot of people still have questions about these services, why it’s a good thing. We’re joined by Jeffrey Goldberg of AgileBits. It’s the maker of 1Password. Jeffrey’s other title is the Defender Against the Dark Arts, which ... Okay Jeffrey, welcome to Too Embarrassed to Ask.
Jeffrey Goldberg: Well, thank you very much. It’s really great to be here. I really like talking about passwords and password managers.
KS: Fantastic. All right, so explain, just explain to start with what 1Password does, and services like it. Just let’s try to be as broad as possible.
As you’ve mentioned, people should not use easy-to-guess passwords. And even more importantly, people should not use the same passwords on multiple site, because if one of those gets compromised, then in a sense, every place you use that same password gets compromised.
Here you are, you’ve got security experts telling people, “Don’t use easy-to-guess passwords, and use a unique one for each and every site that you use.” Most people have scores of different sites and services. Now they might think they only have a smaller handful, because they only think about the ones that they use on a daily basis, or weekly basis, but overall people have lots and lots and lots of site services.
You’ve got these security people, people like me, telling people to do the impossible: A unique, hard-to-guess password for each site and service. That’s just not humanly possible. And the password manager is a tool that is designed to help manage these things so that you don’t have to actually know the vast majority of your passwords. I don’t know my Facebook password. I don’t know, I simply don’t know most of my passwords. What I do know is my master password for 1Password. With the password manager, it not only remembers all of these different passwords and allows me to have different passwords for all of these sites. It can be used to create very strong passwords for each one of these sites. Most password managers have tools for integrating with web browsers, as does 1Password, so that it actually makes it easier to fill in the login forms that you come across for site after site.
LG: Basically it’s a service where instead of you having to humanly remember all of these complicated, long, multi-character passwords, you pay for the service and 1Password does it for you. So then across devices, you can easily sort of grab that password and plug it in when you need to. There are other services out there in addition to 1Password that do this. We’ve talked about LastPass and Dashlane before on this show.
I have another question about why 1Password does these sort of the scramble of random characters. Because some security experts say you should be using three random but complete words. It’s kind of like a nonsensical phrase, but they’re real words. Others say it’s better to use that scramble of random characters. Why does 1Password operate the way it does, and which is better in your mind?
I love this question. I should actually say that one of my lame claims to fame is that I helped repopularize this notion of using truly randomly chosen words. The main difference is whether it’s a password you’re never going to need to type or remember, versus a password that you will never need to type or remember, and you can leave to your password manager. If there’s something that you can leave entirely to your password manager, you use the completely scrambled word business. I mean, completely scrambled letters, because that is going to be stronger per just length of password. If you’re using a 20-character password, something that’s just the scrambled characters and letters is going to be enormously stronger than something based on a word list. But which one are you more likely to remember, if it’s a password that you need to remember?
We do recommend things like the word-list-based password for your 1Password master password. It is something you’re going to have to type, and it is something you’re going to have to remember. But for the passwords that you use for all the sites and services that 1Password is managing for you, there, just use our password generator that generates complete utter gibberish of characters.
KS: Okay, let’s talk about what’s going on in the password industry. You all ... Essentially, you get these services, you use them to open different sites, and they populate them. Apple does the same thing, you can save passwords on the Apple systems. These are still enormously confusing to use. Why don’t we talk about where this whole sector is going. At some point we’re not going to have all passwords. Why don’t we talk about sort of the state of the art right now, what’s the best things people can do, and then where it’s going?
This is a really interesting question. But I should preface this by saying, back in the ’90s, when I first started worrying about the password problem, which is that we’re asking people to do things that are impossible. And since people won’t do what’s impossible, then you have all these security problems. I and some other people came up with various schemes, and we thought we were going to more or less eliminate passwords for the most part within the next five years.
Well, as I said, that was in the mid-90s, and it was one of my predictions that was spectacularly wrong. Since then, I’ve seen proposals to eliminate passwords come and go. As a consequence, I’m a bit pessimistic about any new proposal about what’s going to replace passwords. Simply because I’ve seen them come and go, and I’ve understood why they’ve gone as well.
LG: But is it worth noting that in the mid-90s, the access to things like biometric scanning, it wasn’t as accessible to everybody yet. That was very futuristic at the time, and maybe it was the kind of thing that would work at your well-funded office building. But now we are seeing biometric scanning happening right on our consumer devices, our personal devices. Everyone has fingerprint scanners, in some cases iris scanners and now even 3-D face scanners. That market has changed a little bit, too.
Yes, that definitely does change things, but things like these biometrics, I’m sorry again, I don’t know how to do this without getting too technical. Things like biometrics work very well for what’s called local authentication. You are proving yourself to the device that you are holding with you. You’re not actually proving who you are to some remote service. And so this is why, what’s still going on behind the scenes when you’re using these biometrics, is effectively, you’re using a password manager locally, that you’re unlocking with, say, your fingerprint. But then that is still using passwords back and forth to the remote service, or something like passwords. This is fine when you’re connecting specifically from that device.
Now with 1Password, you can synchronize your passwords, you can unlock it on your device with your fingerprint, so this is generally managed. But you are using ... effectively you’re using biometrics to open something that’s playing the role of a password manager, or in our case, is a password manager.
The reason that you don’t use biometrics to replace passwords in general as the way that a server will say how you prove your existence, is ... Well, one thing is consider what happens when a server’s breached and you’re told you have to change your password. You’ve got to change your password for that service, and you’ve got to change the password for every other service where you’ve reused that same password. Changing your fingerprint is a little bit harder. Imagine having to be told that you have to change your fingerprint.
LG: Right, yeah, so your fingerprint could be stolen, in other words. Your fingerprint or your face could be stolen. I see.
Right. And furthermore, in these cases, in the biometric cases, now I’m not saying that there isn’t a place for biometrics. Used for local authentication, they’re actually really good. But a fingerprint or your face are not secret, they’re really just another form of your mother’s maiden name. They’re things that maybe not everybody has access to, but they’re not things that are designed to be secret like a password.
KS: Is there anything that’s coming that’s ... Is there any other way to do it besides passwords, or is it just with us forever then?
As I said, I’ve been pessimistic about this. I’ve seen proposals come and go. There are some things that have me more optimistic about solving the password problem than I’ve been in a while. This is the, I think it’s been renamed, but the proposals out of the Fido Alliance. UTF and UTA solve the privacy problem that has existed with other schemes to eliminate passwords.
If we look at other schemes to eliminate passwords, let’s look at all this “log in with Google” or “log in with Facebook” that you find on site after site. These are these so-called single sign-on services. One of the difficulties with those is that you are letting Facebook or Google or whatever service you’re using know exactly when you’re signing into a site.
LG: Right, so they have more information, mm-hmm.
That might be fine for some people, but generally the technology community — or at least the security technology community — cares deeply about privacy, so we tend not to push for systems that are inherently non-private.
LG: But couldn’t it be argued that if I’m using a web browser and I go to Facebook.com — or some other sites, my Gmail or whatever it might be — and I use 1Password or any other password manager to authenticate, that service still knows that I’m using their service. Trust me, especially right now, I love the idea of having my data sort of siloed away from as many social networks as possible, because of what we’re seeing going on right now with social networks. But still, ultimately, if I go to them regardless of what password manager I’m using to log in, if I’m in Safari and I’m using Safari keychain or I’m using 1Password, everyone still knows where I’m going.
That is not the case with 1Password. We do not know, we’ve designed 1Password in such a way that when you visit a page, or open a login, we don’t know what sites you have logins for, and we don’t know when you use them.
KS: I think it’s a fair point. Do we want Google, Amazon, whatever, to know every single thing we do? They already do in a lot of ways.
This is one of the things that as the chief Defender Against the Dark Arts, I spend a lot of time on working and designing. We have designed 1Password in such a way that we do not receive any such information about your usage.
LG: I want to ask one question before we get to our reader questions, and we do have a lot. But earlier this year, some people in the security community were a little upset when 1Password began to emphasize cloud subscription packages over local vaults. I know one of the reasons why I first signed up for 1Password instead of the others is because of that local vault, and this idea that everything was local to my devices. But you also have a cloud service, and it’s subscription based. Talk about the difference between the two, and your response to people who were upset from this move away from the local vault.
Oh yeah, I’m happy to do that. First of all, the accounts or subscription service 1Password is for families, teams or individuals. It allows for ... One of the huge differences is that it allows for secure sharing of data among individuals. You can share vaults within your family, within your teams and manage things that way. That was not something that we could do with our standalone version.
The other thing that we can do with this is, of course people who were using the standalone version, the vast majority of them were still syncing their data. So while it’s the case that we never saw any of your data in any form whatsoever, even encrypted, most people were syncing with Dropbox. And Dropbox is fine, and we designed our data format to be secure if it gets captured from Dropbox, but when we designed our own system for managing that kind of synchronization, we were able to build it with additional security features and additional structure. And also simply making syncing much, much more reliable. Those are the two big things with using the subscription service.
There’s another benefit to users with the subscription service is that we consider somebody who’s using 1Password on any platform to be a 1Password customer. But given the way that app stores work, if you were buying standalone, and you are using an Android, iOS device, a Mac, a Windows machine, you would have to purchase 1Password for each and every one of those platforms when we are selling licenses for that, because there’s no way to sell it through a single store. A subscription allows us to treat people as 1Password customers, and then they can use 1Password on whatever platform.
KS: All right, okay, let’s get to the reader’s question. In a minute we’re going to take questions about passwords from our readers — we’ve got a lot of them, as Lauren said — and Jeffrey’s going to answer. But first we’re going to take a quick break for a word from our sponsors. Lauren?
LG: I was going to say ka-ching but I figured I should scramble it a little bit, so like ching-ka!s$.
KS: We’re back here with AgileBits’ Jeffrey Goldberg, whose title is Defender Against the Dark Arts. We’re talking about password management, which is very critical these days, and will be forever, I think, as we get more digital. And now we’re going to take some questions about the topic from our readers and listeners. Lauren, would you read the first question? And Jeffrey, if you could keep your answers short because we got a ton of questions, that would be great.
LG: Sure, the first was around pricing. Jim Gresham wants to know, “How easy is it to set up and use the family/shared vaults? Does it cost extra?”
There’s a fixed priced for families. I do not actually know what we’re offering that price for. But it’s designed for families, and that should allow — I think currently — five family members. We certainly hope it is easy to set up. There’s a free trial, give it a shot.
KS: All right, the next question’s about competition. Ben Ford says, “How do they feel they compare to LastPass, because I couldn’t see any differences except LastPass is free?”
I really don’t want to be drawn into a discussion of our competitors’ security model. But I mentioned earlier that when you use 1Password to log into a site or service, we do not know that you’re doing so. I am not certain that that kind of privacy protection is part of LastPass. I also believe that our sharing is more secure. And I think that when you actually do come to use it, and as I’ve said, give a try with a free trial, you’ll see the enormous amount of work that’s been done into what is called usable security. I think you should find 1Password a pleasure to use.
KS: All right, next question Lauren?
LG: Okay, let me just note that on the 1Password, or the AgileBits website right now, 1Password families is $4.99 per month for a family of five when billed annually. That seems to be the pricing for that right now, for that application.
The next two questions were actually, we touched on a little bit earlier, these are from Daniel Shaikh and Ashwin George: “How does 1Password stay competitive in a world where password management is baked into the operating systems in browsers?” And Ashwin points out that Google also wants to be a password manager. We’ve talked a little bit about how Apple’s doing this in Safari where it’s built into the Chrome OS. As more and more, I guess, technology companies start to bake these features directly into their software, how do you stay competitive?
Okay, well there are a number of things. First of all, there’s the notion that not everybody sticks to just one browser or just one operating system. That’s the big obvious thing. But you can use 1Password for not just passwords. You can share documents. You can keep other records in them. You can help organize a lot of aspects of your digital life in a very, very secure way that you can share with those who you want to share with, and you can synchronize across all of your platforms.
KS: All right, next question is about data store — the next series of questions, store data essentially. Rochelle had several questions, but these were two we hadn’t gotten” “Is it safe on public Wi-Fi? What if I’m using a friend’s computer?” That’s a good question, I think about that a lot.
Yes, it’s safe on public Wi-Fi. We assume that the network is compromised. All of our security design assumes that the network is compromised, or other parts of systems are compromised. We’re using strong end-to-end encryption. Actually, there are three layers of this in our transport security.
The question about using a friend’s computer, this is going to be hard for anything. If the computer that you yourself are using — and you are viewing and exposing secrets on — is compromised, then there’s actually very little that any software that you’re using can defend against that. While we take measures to try to defend against things that are running on compromised systems, ultimately there’s the old security slogan, “Once your computer is compromised, it’s no longer your computer.”
LG: Next question is from Jaydeep Deshpande: “Does 1Password log all login attempts? Alternately, does it show most recent login attempt from any of the reconfigured devices?”
Okay, with the subscription service where there are actual logins, where you are connecting to our service, then the answer is yes. If you are just using it locally without connecting to our service, then there is really nothing to log, because it’s not really a login attempt. You are merely decrypting data on your own device.
KS: Right, and the next one is from Soren Lindhoff: “How do we know there is no backdoor if they don’t let the source code be publicly audited?”
That is a really good question. We cannot absolutely 100 percent prove that there isn’t a backdoor. But what we can do, and what we have done, is we have documented how 1Password behaves, and how the end-to-end encryption works in really great detail. An enormous amount of that, of the behavior that we’re claiming for how 1Password runs on your system, is independently verifiable.
You can monitor your network. You can see that what is created is created as we say it is. You can analyze the software running on your system. From that, you should be able to see that nothing is sent to us, or nothing is sent off your machine that would violate your privacy. You do not actually need to see you trust the server code, all of the encryption is done in the client. This is extremely well documented, and we invite people to analyze that and look at that.
LG: So you’re saying you do let the source be publicly audited?
Publicly audited, it depends what you mean by publicly audited. Any individual can, we’re not publishing the source code, we’re not open source. However, we want to get as many of the benefits, the security benefits of open source as possible. It’s actually really easy to de-compile the software, to attach debuggers to it, and to do various sorts of analyses on your end. It does take some expertise, but if enough experts are looking at that and poking around at that, they can see that 1Password does behave as we say it behaves.
KS: All right, next question, go ahead, Lauren.
LG: Next question’s from Ashley Pagnotta on Twitter: “Is it really worth the extra hassle and money to use a password manager?” She wants to know. “Hacks will still happen, and what if the password manager itself gets hacked?” We had got a lot of questions about the fear of hacking, that’s what we’re going to get into right now.
One of the great things about using a password manager, entirely separate from the security, is that it just makes logins so much easier. This is one of these rare security products, or rare products and systems, that both makes things easier for people and improves their security.
For the second part of the question, I think it’s a mistake for people to think of security as an absolute all-or-nothing thing. That is the notion that you cannot protect yourself absolutely fully, therefore why even bother? Just doesn’t make sense. There are reasonably easy things that most people can do to substantially improve their security and reduce their risk.
KS: Here’s another question from Brandon Dangelo: “Is saving all your passwords ultimately in one place just setting up for catastrophe?”
Okay, so there is this notion that you are putting all your eggs in one basket. There’s no question that that’s true, and therefore you should look very carefully at the security design of the password manager you use, if you wish to use one. But you need to keep in mind that reusing the same password across a dozen sites is putting those dozen sites in one basket as well. Password reuse is also putting lots of eggs into baskets. And with simply reusing passwords, you are putting eggs into very, very fragile baskets. Yes, there is the putting your eggs in a basket issue with a password manager, but you also have the same issue with not using a password manager.
KS: All right, next one, Lauren?
LG: We had a question emailed from Bill Schule who asks, “Are cyphers a safe way to hide the English dictionary words I use in my passwords? Or do hackers try variations based on sliding alphabetic characters, forwards or backwards?”
The tools that people ... So password crackers, so somebody gets a hash of a password from some server, and they run attacks, they run automated guessing attacks. The simple fact of the matter is that the people running these attacks know much, much more about password choice behavior than anybody else on the planet. Every little clever trick that you think you have for generating a password, they’ve seen, they’ve known, and they’ve built tools for. This is why you should be using truly randomly generated passwords.
KS: Okay, the next section is some tips and tricks. A couple people asking for tips for using 1Password, but also we got a tip for you guys that we’re going to pass along.
Chris “Alphabet (not Google)” Andrikanich — that is a long Twitter name: “Tips for using 1Password across Mac, iOS and Windows.” Jeffrey, what are your top three tips you would give someone using Mac, iOS and Windows?
For Mac, use the keyboard shortcut. Absolutely use the keyboard shortcut. It’s command backslash. It just makes your life so much easier if you’re not already using this. For iOS, take a look at 1Password seven for iOS, with drag-and-drop features. Getting to use that will make things a lot easier for when you do need to fill passwords into other apps. Take a look at that new feature.
LG: All right, what other tips?
KS: Anything for Windows?
For Windows? Wow, okay, this is embarrassing, I kind of look at the internal cryptography code on our Windows — and I’ve got a machine where I build it and use it every now and then — but please, join our discussion forums and ask for tips. Sorry, I can’t pass off any great tips. There are new features coming out in 1Password for Windows, 1Password six for Windows. It’s ... every time I turn around, there are new cool things added there, but off the top of my head, I can’t think of anything, which is quite embarrassing.
LG: Last question is from Andrew Teman: “Every time I recommend 1Password to a friend, which is fairly frequently, they say, ‘I thought I shouldn’t use just one password.’ Then I have to say, ‘No, it’s an app.’ So, name change?”
Oh wow, yeah, it’s, yeah, yeah. No, we’re not changing our name, but this is a problem. We have had people write in saying, “Okay, now that I’ve got this app, how do I set all of passwords to one single password?” Yeah, it’s a problem.
KS: You have no answer to that.
Well spotted. Oops.
KS: I suggest that you rename it Dark Arts, because you would be the chief of Dark Arts then.
LG: Anyway, thank you so much, Jeffrey, for coming on today for Too Embarrassed to Ask. It’s very helpful. We just do recommend people are very careful about their passwords. It’s a really big deal, and to really think hard about how you want to approach this, because it’s only going to be more so in the future as this stuff enters your home and everything else. Anyway, this has been another great episode. Jeffrey, thank you for joining us.
Oh, and thank you very much for having me. This has been a lot of fun.
KS: Thank you, Jeffrey.
Let's block ads! (Why?)