lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
020d324edba8c5bab6dfdc9d45b0267059868edd
hpr-knowledge-base/hpr_transcripts/hpr3626.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

323 lines
17 KiB
Plaintext
Raw Blame History

Episode: 3626
Title: HPR3626: The stuff Evil Steve doesn't want you to know S01E06: Use a Password Manager
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3626/hpr3626.mp3
Transcribed: 2025-10-25 02:22:39
---
This is Hacker Public Radio Episode 3626 from Monday the 27th of June 2022.
Today's show isn't titled.
The stuff evil Steve doesn't want you to know Saeyi, use a password manager.
It is part of the series' privacy and security.
It is hosted by Lerking Pryon, and is about 18 minutes long.
It carries an explicit flag.
The summary is, making ourselves a less attractive target by utilizing a password manager.
Good morning, good afternoon, good evening, good night, wherever it happens to be, wherever
you are in the world.
You're listening to the stuff evil Steve doesn't want you to know, and I'm your host,
Lerking Pryon.
For those of you that have been following, you may have noticed the title of the show
has changed from Edmund Edmund to the stuff evil Steve doesn't want you to know.
While searching the internet to find the name for this podcast, I overlooked the fact
that there already was a podcast called Edmund Edmund, and the great Ken Fallon pointed
that out to me.
So we will see since it is from using that and henceforth be known as the stuff evil
Steve doesn't want you to know.
On the last episode I talked about two-factor authentication and making sure that you set
that up on all of your accounts.
Some of you might find it strange that I recommended implementing that before touching
your passwords.
Granted in the first episode I talked about passwords and the fact that you need to change
them.
However, two-factor authentication is going to be a big stopgap when stopping someone from
trying to get into your account.
Even if they do have your username and password, there's still that second layer of authentication
that's going to present a barrier.
Now can these be bypassed?
Absolutely.
Everything can be bypassed.
We know this.
Which one is best?
Yes.
Again, it depends on whether or not you want to pay, if you want to use something free,
how many platforms it has to be compatible with, and whether or not you and or your family
will use this.
What does it have to integrate with?
These are all things that you're going to have to think about and consider.
Now do I recommend putting passwords and two-factor authentication in the same app?
No.
No, I don't.
I don't recommend that at all.
So I would highly recommend keeping your passwords and your two-factor authentication
separate.
Now some of you might be asking, well what about Google or Apple remembering my passwords?
I am not a fan of this.
And depending upon what literature you read, some people say, okay, it's to care other people
and not so much.
The key to remember with Google and Apple remembering your password is the key to your
kingdom is simply unlocking your device.
Your password that you use for your Apple iCloud or for your Google account is solely the
key to your kingdom.
That's it.
You don't have any other backup, there's nothing else.
So if you walk away and you leave your phone sitting on the desk and it's unlocked, they
have access to literally everything that you have.
All they have to do is open up your banking app, Apple automatically fills it in, and then
they can transfer your funds to whatever account they want.
This I'm hoping is not a happy situation for you.
I'm going to do this, use a separate authenticator app and make sure that it has a pin so that
you have to enter a pin every single time to open the app.
That way even if you leave your phone laying around and the screen happens to be unlocked,
then they could open the authenticator app but there's a pin now blocking it.
Any important app on your phone should have a pin lock and it should not be the same
pin as you use to lock your phone.
So to factor authentication, it's a good thing, let's use it.
Now let's talk a little bit about your passwords and password managers.
I've already thrown out the flaws in using Google and Apple.
The flip side is they're very easy to use and chances are your family will use them readily.
So is it better than nothing, yes.
So if you're going to be doing that, here's a few recommendations.
First of all, make sure that you have a strong pin or password to unlock the device.
Set the device to time out, let the screen lock after 3 minutes, 5 minutes, 10 minutes
and force the reentry of a pin to get back in.
If you're using biometrics to unlock your device, okay, again, do your homework and it
all depends on how comfortable you are with that level of security.
Keep in mind, locking your device is important.
We've all walked away and left our phone sitting somewhere and then gone back to find it.
Another thing that I like to point out when it comes to your phone is your lock screen.
I always recommend putting a phone number on your lock screen that someone can call if
they find your phone.
For example, in my lock screen, it's got the name of my phone and it's got my wife's
phone number.
It doesn't do it good to put your phone number on the phone because they find your phone.
They're going to call and the phone in the hand is going to ring.
It does you know good.
Now while we tend to focus on security and we focus on the evil steves of the world, the
reality is is that most people in the world are actually good, decent human beings who
try to do the right thing.
Chances are if someone finds your phone, they're going to try and get it back to you.
They're going to take it to the lost and found or if there's a phone number on the lock
screen, then they're going to call that number and try and get the phone back to you.
I have found people's phones and I've had to open them and go through their contacts
and look for a contact like mom to call and say, okay, we're going to have an awkward
conversation here, but I have this phone and I'm trying to return it to its owner.
I shouldn't be able to do that, however, keep in mind you really don't want people
poking around on your phone.
I could have just as easy looked through all of his pictures or everything else that
was on their phone.
We don't want that.
We want to make sure that the phone is locked, people aren't digging through what we have.
Make it nice and easy for them.
Also make sure that you're able to track your device.
There's a number of different apps that you can use for tracking your device.
I highly recommend that you have one that can not only track your device, but can turn
on the ringer.
It's happened to me a few times where I've lost my phone like in my couch or under my car
seat and it was on silent.
It doesn't do any good to call that phone because all it's going to do is sit there and
be quiet while the screen flashes.
Not too good.
Use something that will actually turn the volume all the way up so it will ring so you
can actually hear it if it happens to be in your couch or under your car seat.
Also make sure that you're able to remotely wipe the device.
If that device is lost and it's out of your control and you know 100%, it's not in
your couch, it's not under your car, it is gone, it's in somebody else's hands.
Remote wipe that device.
Now you're going to say, oh my gosh, I'm going to lose everything.
You should be backing up stuff.
We'll cover that in another episode.
I back up all of my stuff and on a bi-monthly basis, I remotely wipe all of my devices.
Blame.
Wipe them all remotely.
That way I make sure that it works.
I remember the passwords to get into what I use to locate and track my devices.
I make sure that I can call them and that they actually turn on a ring.
I make sure that I can actually use the location to find the device.
Does this take a little bit of work and is it a little bit of time?
Yes.
I feel that it's personally worth it to me.
Yes.
That is the level of security that I am comfortable with.
Your use case is completely different, however, these are things that you may or may not
have thought of and these are things that your family may or may not be doing.
So basic security of not only your accounts but how you access those accounts.
But we tend to be very cavalier about our phones.
And the problem is you don't carry a phone.
You carry a computer that makes phone calls.
You haven't carried a phone around for over a decade.
Think about it.
You're using a computer.
You're carrying a computer.
It makes phone calls for you.
But essentially, it's a computer.
Let's treat it like a computer and protect it like a computer.
You wouldn't want to leave your laptop sitting around in the middle of the mall completely
unlocked.
That would be absurd.
Well, think of your phone exactly the same way.
Now what I really wanted to talk to you today about was your passwords.
I wanted to get back on that and have a little discussion about this.
A lot of us tend to use the same username and password on multiple sites because it's
easy to remember.
That's great.
The problem is when you store passwords at a site, we assume that those are going to
be protected.
However, that's not always the case.
And you might even be surprised to learn that some of the sites that you use actually store
your passwords in plain text, which means if someone gets access to that database, then
they have complete access to your username and password.
This takes a short little script to run through to see if that is working on any other
site.
Now, there's a website out there called haveibemponed.com.
That's have I been P-W-N-E-D.com, I'll put the link in the show notes.
This guy has collected over 350 databases.
These are open databases of hacked passwords from different companies.
So all of their username and passwords, they're out there.
On the web, they're freely available for anyone.
So what he does, he comes through all those databases.
If your email address was found in one of those database breaches, it will tell you which
breach it was, when it was, and that will give you a good indication that you should go
change that password, not only on the site where it was breached, but everywhere else you
happen to use that username and password combination.
You can check all of your emails, you can also check phone numbers.
There's a number of sites where you use a phone number to identify yourself as a username.
You might want to check that as well.
So anywhere your phone number or your email has been breached, definitely go change the
password on the sites that have been involved in the breach, and anywhere else that you use
that password.
So now we have passwords that we know have been exposed.
We're going to go and we're going to change them.
Here is where I want you to really start thinking about a password manager.
This is going to allow you to remember one master passphrase.
Once you open the password manager, you can then generate passwords for any other site
that you don't have to remember, and you can create very strong passwords.
It will remember them, it will auto fill them, and the good thing is is a lot of them will
tell you, hey, change your password, you can set times to when you want to change your
password.
Say you want to change your password every six months.
You can set up your password manager.
It will tell you, hey, these passwords are about to expire, let's go change them.
This allows you to have a different password for every site that you use, every app that
you use.
The thing to keep in mind is, since you have a single password or passphrase, which
I highly recommend, you're definitely going to want to keep that secure.
Make sure it's something that you can remember and that you don't have to write down.
Which password manager?
That is completely up to you.
Again, your use case is yours.
Do you want to use something proprietary?
Do you want to use something open source?
How many platforms does it have to be?
Does it have to integrate with a browser?
Is it a browser based?
Does it live on the web?
Is it a standalone database?
That's all up to you.
Me personally, I've been using key pass for years.
I keep my key pass on my one drive.
I sync that database to all of my devices.
When I make a change to a password, it automatically syncs up with my database on my one drive.
If I lose my phone, I don't have to worry about it.
My database exists on one drive.
Do I keep my password manager secure?
Yes.
Do I remember other passwords?
Yes.
And you should too.
There are going to be email accounts that you're going to want to know the password for.
First of all, your primary email address.
You want to make sure that you can remember that password or pass phrase.
I recommend making the longest pass phrase that you can remember.
Keep in mind, I talked in the first episode about complexity requirements and all of that.
Throw it out the window and just create a nice long pass phrase.
Pick a paragraph from your favorite book that you remembered or a poem that you memorized
in high school.
Something that you can easily remember.
And the length is going to matter more than anything else.
The length and who you tell about it or where you write it down.
That's the key.
You also want to be able to remember your recovery account.
If you happen to forget that primary email address or other email addresses, you want to
make sure that you can get into the recovery account so that you can get whatever confirmation
method is coming in to remember what that is.
You banks.
You probably want to be able to remember your banking information so that you can log
in.
And depending upon what you do, there might be other sites that you want to remember those
passwords.
Aside from those, everything else, you should have a different password for every single
site and they should all be stored in your password manager.
So password manager, two-factor authentication, look, can all of these be bypassed?
Sure.
Are some better than others?
Yes.
Which one is best?
Yes.
Should we start layering our security?
Yes.
It's all about putting more barriers between us and attacker.
It's about being a harder victim than the next person.
Again, Evil Steve is going to go for the easiest target.
Let's start making ourselves and our family a more difficult target than the next family.
That's what we're trying to do.
Let's be a more difficult target.
Let's be the one that is the hardest to get to.
Think about being on a battlefield and there's a sniper.
Do you want to be the person standing in the open or do you want to be the person who
is completely hidden behind a wall?
Does that mean you're safe behind the wall?
No.
Not at all.
Are you safer than the person standing in the open?
Yes.
Who's the sniper going to go for the person standing in the open?
If you are standing in the open, well, if you're standing there and there's an officer standing
next to you, who do you think the sniper is going to take out?
The officer.
So again, it's about being a more secure target than the next person.
Right.
I'm assuming that at some point, somebody's going to have some feedback, some questions,
maybe some comments that they want to bring up and I will happily address those.
Keep in mind, my goal here is just kind of starting out with simple things that we can do
to make ourselves more secure.
We're never going to get too secure, just accept that fact.
It's going to happen as soon or later, something bad is going to happen.
What I'm hoping to do is help you prepare for that eventuality and hopefully postpone it
as long as possible.
So again, two-factor authentication, set up a password manager, start using it and go
to haveibempone.com and check and see what passwords have been breached and definitely
change those and anywhere else that you use that username and password combination.
If you know of any other resources that you would like to share with other people in
the community, pass them on to me, I'll be more than happy to share that with the community.
Give me some feedback.
Do you like what I'm doing here or am I wasting my time or am I wasting your time?
I'm hoping that you all are getting something out of this.
I do have 20 years plus worth of experience that I like to share with people.
A lot of what I say might be old hat.
You might be sitting here saying, okay, I know this, I know this, I know this.
Then again, maybe it's something brand new and you're like, wow, I hadn't thought about
that.
Let me know.
I'd love to hear.
Am I going to get into more advanced stuff as we go down the road?
Yes, yes I will.
If there are certain security things that you would like me to talk about, send them to
me.
I will gladly talk about them if they are in my wheelhouse.
There are plenty of topics out there that I am not the expert on or that I don't know
enough to talk about.
If that's the case, I will honestly tell you that's outside my wheelhouse.
But if it's something that I can definitely talk to, then I'll be more than happy to address
that particular topic for you.
So until next time, I hope you've enjoyed listening to Admin Admin, this is Lurking
Pryon.
Have a wonderful morning, afternoon, evening or night, wherever you happen to be.
Stay safe.
You have been listening to Hacker Public Radio at HackerPublicRadio.org.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording podcasts, then click on our contribute link to find
out how easy it means.
The HBR has been kindly provided by an honesthost.com, the internet archive and our sings.net.
On the Sadois stages, today's show is released under Creative Commons, Attribution 4.0 International
License.
Reference in New Issue View Git Blame Copy Permalink