hpr-knowledge-base/hpr_transcripts/hpr4069.txt

Episode: 4069
Title: HPR4069: Passwords and Bitwarden news.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4069/hpr4069.mp3
Transcribed: 2025-10-25 19:15:00

---

This is Hacker Public Radio episode 4,069 for Thursday the 7th of March 2024.
Today's show is entitled, Passwords and Bitwarden News.
It is part of the series' privacy and security.
It is hosted by some guy on the internet and is about 12 minutes long.
It carries a clean flag.
The summary is, Scotty talks about passwords and Bitwarden.
Hello everyone, Scotty here.
This is not the all-no news, but I wanted to cover a couple of news stories really quickly
because I'm bored and I'm out here at the public library.
So first up, let's take a look at Bitwarden.
Right now they've got a new auto-fill option that they're building into where browse it.
The web browser extension and the auto-fill option works inside the fields now.
So when you click on the field to enter your credentials and you have your Bitwarden password
manager logged in through the web extension, your web browser extension.
As you click on the credential fields, it will then show you the credentials you have
for that site right inside the field.
I guess that's a more secure way of doing an auto-fill.
As some of you would remember, we covered a story not too long ago.
One of the all-no news episodes of Bitwarden was targeted in that article, but this was
an issue with all password managers and using auto-fill.
So I guess Bitwarden has really focused on this and done some extensive testing.
They said that I got to scratch my ear here, these headphones are itchy.
Sorry.
They've done extensive third-party penetration testing for this feature, which is great.
They put out some new documentation.
And overall, it just looks nice.
I mean, if you use a lot of browser extensions and you use Bitwarden, take a look at it.
If you like it, do a show, talk about it, or don't because it's dealing with credentials,
but at least this is a heads up on new features for one of our beloved open-source password
managers, so kudos to Bitwarden for that.
When I run a subject of password managers, let's talk about past keys just for a little
while, and I also want to bring up a show that was done not too long ago on password policies.
A lot of the momentum behind past keys kind of went away, like I remember when it was
heavy in the news cycle, it was talked about a lot.
It's not a new technology, but Google made a lot of headlines, and everyone was excited
for a little while at least.
My question to you guys, the audience, how many of you are actually making use of past
keys?
And what do you think about it?
What's been your experience?
Is it difficult to adopt, or are there lots of sites, or maybe your workplace, like
is your workplace making use of it?
Is there anywhere in particular you'd like to see it adopted if it does work pretty well?
You know, give us your feedback on it.
I hadn't touched it.
I've been just sticking with what I know so far.
I haven't had a whole lot of time to tinker around, but maybe I will.
Who knows?
Alright, while I got a little bit of time left, I want to talk to you guys about a show.
It was HPR 40, 70, excuse me, HPR 40, 47, change your passwords once in a while.
It was hosted by Delta Ray.
First of all, I want to say thank you for the show Delta Ray, great show.
I love anything security, and I like hearing what other people do with their security, you
know, how they, how they practice it.
And I just want to talk a little bit about my own practices with passwords and password
rotations.
I remember a while back, it was a big thing that they were convincing everyone to rotate
your passwords, and a lot of companies were actually making it mandatory.
So on certain sites, you would go on to there would be a prompt if you had not rotated
your password in a while, they would force you to do it, right?
You try to log in and authenticate, and you could not until you reset your password.
Well, they sent stop doing that because people were well complaining and mistakes were made.
They were just basically reusing the same password and basically what do you call that, that
term that they do with passwords like salting it or salting, salting, hashing it or whatever.
That kind of thing just to reuse the password personally, and in my own internal policy,
how I manage my passwords, I have levels for my passwords.
There's a level for, let's say, the lighter things like social media and maybe some random
form like Reddit, whether it's not any payment information or personal information that
ties back to me like a home address or anything like that.
And then there's another level where there may be some sensitive information, but no payment
information, that kind of thing.
And then there's a level that is more secure where you can include things like banks
and things of that nature, right?
So let's just call that high level all the way down to low level.
They actually have different names, but I'm not going to give you those names.
So the low level stuff, I don't think I ever changed those passwords unless I actually
hear, like I have a Facebook account and that one is actually a medium level security
for me just because I have a lot of family that, you know, they recognize that is an account
that I use and they may want to talk to me on there, even though I log on like once
a year.
But the thing I would hate to have happen is for that account to become compromised.
And then my family members are then made vulnerable due to a compromised account.
So that one's a medium security.
And when Facebook had that big, what was that about two years?
Well, maybe more than two years ago, a few years ago, they had a leak.
I went ahead and rotated the credentials for that account.
And from most of the low level stuff, I don't rotate hardly ever unless, you know, again,
I hear about a breach, somebody brings it up and, or I read about it, then I'll go ahead
and just rotate those accounts.
Now from my high level accounts, things that tied direct like say, for instance, email,
email is a high level one because email is also used for two factor authentication.
I rotate high level accounts often.
How often depends on how paranoid I'm feeling at the time?
Like I don't actually have a set time, like say, for instance, every six months, every
nine months, anything like that.
What I do is I basically just, you know, if I hear about a big thing happening or I just
feel like something's wrong, right?
Maybe I tried to log in and it just got weird.
Like maybe they did something on the back end because they had a vulnerability or they
may have had a breach of some sort, but they haven't revealed it yet.
So they're working on the back end and it's causing little, little issues on my end when
I try to log in, you know, I'm noticing these weird things.
Like I thought I deleted that information months ago.
And suddenly here it is again, almost like somebody just restored from a backup because
of malware or something, right, ransomware.
So would I get a feeling like something has happened?
My paranoia just tells me this is a high level account.
Don't fool around.
Go ahead, change the credentials.
I got you.
The keys attached to most of those kind of things anyways and, you know, to F A to everything
that'll accept it.
Might as well go ahead and rotate the credentials because, you know, the old credentials
are randomly generated and they're probably floating around out on the site somewhere.
I don't reuse passwords because, you know, obviously that's bad practice.
You don't want to do that.
And that's just one of the things that go through as far as rotating passwords.
Not every single one of them needs to be rotated in my own practice.
But the high level ones, the moment my paranoia just tells me it's time, then there you go.
That's what we do.
Now because I have multiple password managers, I have to actually set the time aside to do
that kind of thing because I have to change them in each of the managers.
And it's becoming weirder with me as well because some of the things, and if you can hear
that noise in the background, that's my power inverter.
I'm sitting in my car recording and I'm charging my phone and laptop and everything while
I'm recording.
So I apologize if you can hear that little buzz from the power inverter in my car.
Okay.
So the power inverter had me a little distracted just now.
I'm adding in a third password manager now just to kind of test it out because I want
something that I can do from the command line.
So I'm looking at pass.
And you know, it's just P.A.S.S. if you use Linux, you've probably seen it.
Very simple.
It uses GPG.
I haven't done a lot with GPG.
I've been playing around with like symmetrical ciphers and things to encrypt packages and
send them around.
And you know, just that kind of stuff, but I haven't done anything as far as email or whatever.
One of the things that I'm running into is when I have to send sensitive information to
other people, people are just, you know, can you just email it?
That's the reply they'll have.
And I'm like, no, I'm not going to just email it.
What are you crazy?
Well, we don't have any other way to receive it.
Like it, like, are you serious?
You have no other way.
And because they're not using encrypted email, even if they were, it's probably encrypted
internally.
So like if I try to send something to them, they're not going to, it's not going to work.
Let's just put it that way.
So in order for me to deliver the package to them safely with my security somewhat upheld,
I have to encrypt the package locally.
So I archive the package usually with a zip because if it's on windows, they don't,
they're, I think windows recently added support for tar.
That's my car.
I had to push the button again so my car doesn't turn off.
I'm also sitting in the car.
I got my little GLI net router over here at the public library.
I'm already getting super distracted.
Anyway, I have to encrypt the package locally is normally a zip archive, I archive the package
encrypted locally, send it to them.
And then over the phone, I tell them what the key is to unlock it.
And I use a decent key, right?
I use a past phrase for the key for the file.
So that way they can hopefully get into it fairly easily, you know, so far that has worked.
I really don't like doing it this way, but this is just what I have at the moment.
I really got to get another public next cloud setup.
It's just that I don't have time to really manage it and go through the logs and everything
to make sure that I'm not being owned.
So I don't feel safe just leaving something like that up.
It's just, I'm on the road a little too much and it's too hard for me to do anything
at the moment.
The third password manager, I want it to be used mostly for these type of files whenever
I need to, you know, encrypt the package and then send that package.
Usually through email and insecure transmission, at least the package itself will be secure
enough.
I still want to manage those credentials and hold on to them for some time.
Those will not be rotated obviously because it's just the file, but I like to at least,
you know, keep track of it.
So that's just a little bit about my own password security at the moment.
Enough about that.
Thank you for the show, Delterate, fantastic show.
I appreciate it.
I know I ran all crap and it's starting to rain.
All right, got to go, got to go catch you guys in the next episode.
You have been listening to Hacker Public Radio.
That Hacker Public Radio does work.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording podcasts, click on our contribute link to find out how
easy it really is.
Hosting for HBR has been kindly provided by an honesthost.com, the Internet Archive
and our sings.net.
On the Sadois status, today's show is released under Creative Commons, Attribution, 4.0,
International License.