Hands-On Windows 103 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Paul Thurrott
Coming up next on Hands-On Windows, we're going to take a look at third-party password managers and why you should be using one instead of whatever it is you're using now Podcasts you love From people you trust. This is Twit. Hello everybody and welcome back to Hands-On Windows. I'm Paul Thrott and this week we're going to take a look at third-party password managers. We talked about I guess we'll call them first-party password managers from Apple, google and Microsoft the primary personal competing account holders, if you will. Mostly Microsoft, because that's what we focus on here. But, as I said last time, you can do better than that. The third party solutions offer more features that I think are very useful. In fact, put them over the top. There are a lot of great choices, both free and paid. The paid ones are not very expensive. I should mention that two of them, 1password and Bitwarden are sponsors of the Twit Network, and my mentioning them actually has nothing to do with that. Those are the two that are consistently rated the highest. If you look at the Wirecutter, for example, which is a site that I trust very much, they've just recommended those two again, but this past year I've been using Dashlane mostly, I'd say, from January through about the middle of the year, and that's fantastic. And then more recently I've been experimenting with ProtonPath, which I also like quite a bit too. However, I am going to use 1Password for most of the demos today because I feel like that's the obvious choice for most consumers. It's very friendly, easy to use and so forth.
The first step in switching to a password manager or at least experimenting one with one, of course, is to install it everywhere. Right, you want it on your phone. If you have a tablet, you're going to want it on there. Whatever PCs, macs et cetera that you have, grab the standalone app if it's available it usually is. Most of the password managers I mentioned do have standalone apps. And then you're going to want the web browser extension, right, and the idea here is you're going to be able to do autofill of all of that information, basically no matter where you are. In the case of 1Pass here, this is the mobile app. I'm using the Firefox web browser today without an account signed in, so I have kind of a clean experience, but I did install the one password extension. I've cleaned out my one password account, so there's only a couple of accounts in there, just to make it easier to see, and so forth and so, plus, you won't see all the terrible accounts that I have with no good protections on them. So I did all that just to kind of relieve the tedium there.
Once you have this app installed on mobile, you're going to want to go in and make sure it's configured as the autofill provider. That varies a little bit between iOS and Android, but it's pretty straightforward and if you're going to be using it also, turn off whatever other autofill providers may be listed there. On the PC. There's really nothing to do with the app itself, but in the extension there's a couple of things to check. One is well, actually we've got settings. That's going to launch the app anyway, but you can go into. If we go into some of these, yeah, we'll have to open the one password app right to get to the settings. But also in the browser settings, and this will vary, you know, by browser, but in Firefox you go into privacy and security and then down here into passwords. You can see that I have the wrong thing enabled, so let me re-enable one password as the password provider.
It has turned off its internal password functionality. I'm leaving this one on because there's no reason not to have yet another trusted source looking for breached websites that my accounts may be part of. So that's fine, but basically you want all of the built-in browser password functionality to be off. People don't do this, but you should all go in, also go into your previous password manager. Once you're sure that you're switching and everything's working, delete all your your passwords right Now. This is a clean copy of the browser, so I don't actually have that in there. And then down below passwords is this auto-fill section. So Firefox, like other web browsers, will also try to fill out things like payment methods, addresses, phone numbers, et cetera. It can store those itself, associate it with whatever account you have there, but that's stuff that can be saved through the password manager as well, so my recommendation is just to turn that off.
So beyond that, a lot of the configuration functionality is going to involve the sign-in process, the authentication process, and on a modern device with biometrics, if you have a Windows Hello camera, a fingerprint or even a pin, same thing on your devices. That will do the pass-through authentication with whatever security solutions you're using, including a password manager. So that's all pretty straightforward and that's about that. So from here we can talk about the several things that I think, put these solutions over the top. So the first is that you can use these third-party password managers to store passkeys right, we talked about passkeys some time ago.
Passkeys are a little bit complex but they're a passwordless authentication technology that typically, or by the standard, literally is per device. So when you save a password, a passkey, sorry, onto your PC, onto your phone, it's tied to that device and if you're on that device you can use it to authenticate yourself against the underlying account. But if you save a passkey to your phone password manager, that makes them portable, so that passkey will go with your password manager on all of your devices. Right now I've done that already here with, I think, my microsoft account. Yeah, so if I go into outlookcom is probably an obvious version or an obvious example it should ask me to sign in and it will autofill because that account's in there. And now it's doing my authenticator app, which is fine and I have that on my phone. But I can also choose to do this sort of thing, and this is where the passkey in the password manager pops up in front of what would have been the device authentication, so I can sign in with the passkey that's built into the password manager, so it's really seamless. Using an authenticator app on a phone is not particularly inconvenient, but using something that's just with you wherever you are super convenient. So however you create a passkey, you know Google has their own method, amazon has their own method, microsoft does. Apple's method, unfortunately, is tied to Apple devices. That won't work with this, but most online accounts that support passkeys almost all of them except for Apple really will save to that password manager instead of the device right, because it's built in. So it's really really nice, just from a kind of convenience perspective.
The second big one is tied to dark web monitoring, right, basic security stuff. So again, I'll go into settings, which will eventually bring me over to the app and so in the app settings under privacy. This is particular to this password manager. The language is a little bit different with different password managers, but you'll see this type of thing Check for compromised websites, check for vulnerable passwords these are under Watchtower in this case. These are things that a lot of password managers offer, but in the case of 1Password and most of the ones that I've recommended, they will also check the dark web right, and so the dark web is where your credit card numbers, bank account numbers, addresses, email passwords, et cetera, et cetera, are all traded and if that stuff shows up, you'll get an alert through the password manager, which is really handy, so nice thing to have on.
And then the third and fourth because they're kind of tied together are getting alerts for accounts that you have saved that could be better protected, more specifically through 2FA and passkeys. So, for example, the built-in password manager in your browser, in your operating system, will often look for weak passwords, reused passwords, that kind of stuff. That's all built into these products as well. But they kind of go to the next step by looking for two-factor authentication and pass keys that you could have configured on existing accounts. This is super important because the goal is to secure every one of your online accounts as much as possible, but we all have so many accounts there's no way to keep track of them. Every once in a while, one of them will introduce the ability to do new forms of 2FA or add PASCIs. Sometimes it'll email you and tell you. Sometimes you'll never find out, but by having these things checked here or similar options and other password advantages, you'll be alerted when you are using accounts that could be better protected, right? And so in my case, like I said, I only have a couple of accounts listed here, but if one of them could be protected with two of a or with a passkey, one password would alert me. Now in my, my real account, I actually have several alerts I need to deal with, so that's something I need to work on as well, but it's kind of a nice thing, because no human being could ever keep up with this stuff, so that's really really nice.
The final one is kind of a pet peeve of mine, and it's that password managers typically require kind of old school authentication. Right, you have an email address, which is your account, you have a password, you have some kind of a security key or master password, whatever they might call it they have to keep track of, and you can, of course, protect it with 2FA. So this particular account I have these three things that I need to get into this when I first set it up. I do have 2FA on the account, so I can protect it that way. But ideally, what you would have as an account where you sign in and just use a passkey, now you don't save that passkey in the password manager. In this case, you want it to actually be on the device, because those things you know, that's how the phrase is like storing the keys to the safe inside the safe, right. But the idea here is that you want to do passwordless authentication to the password manager itself, right? Which is the most secure way to do that. So 1Password actually does offer this to some degree.
I believe it's still in beta. I couldn't find it for my account here. But I also configured Dashlane. I thought I did. Let me go in and make sure it's here and I got to turn it on again. All right, so if we turn on Dashlane and we go in and this is kind of the first run experience, right, so I've not signed in yet Dashlane, the account I have is passwordless, right? So there's no, there's no password associated with this account. There's no master password, there's nothing like that. All I have is the account name. So when I click login, I can enter my name or my email address sorry and then it will prompt me to authenticate on an existing device. This could be a PC or phone. Most people can have a phone. So I've dashed lane on my phone.
I played around with sort of showing you this screen on, you know, through PC link or the phone link app, but it actually blanks out the screen because it's a security thing. So I sign into Dashlane on the phone, usually by. It's usually biometric. In this case it asks me for a six digit pin. They kind of mix it up. That's by design. I don't think you'll be able to see this, but on the settings screen there's an add new device option and when I test that, it says it looks like you're trying to sign in from Firefox, from where I am in Pennsylvania, the date and time, et cetera. Is this you? Yes, and then you'll see on the screen it has these five words. These are randomly generated and what it's asking me to do in the Dashlane app on the phone is type in one of them randomly. In this case it's the last one. So I type in that, I confirm it and that has successfully signed me into Dashlane. So now I'm authenticated in Dashlane on this device and I can set up a pin etc.
I'm not going to go through that process, but I really really like the passwordless authentication. If you're familiar with the way Brave works, for example, brave doesn't support online accounts for their web browser, but they have a system like this where you get a code on one device you've signed in and configured, you enter that code or you scan a QR code. However, you do it on another mobile device PC, mac, whatever it is and then you sync everything over and you can choose what to sync, obviously. But if you want to sync everything your passwords, if you're doing that, extensions, the theme, et cetera, et cetera it just all kind of goes back and forth between those two accounts without involving a third-party middleman, and no worries about any vulnerability and any, you know, when getting into it. So it's really nice. So that's there. There's more, but to me those are the big ones.
Not every one of the I guess five features that I mentioned are available in every single one of these password managers yet, but they're all getting there. I believe that 1Password is probably the most complete in that way, if you will, protonpass and Dashlane and Bitwarden are pretty close. If they don't have all five, it's four of the five. It's close. I know Bitwarden, at least, is working on passwordless access to their password manager as well. So big takeaway, though, aside from yes, you need to do this, is when, whatever you choose, you might experiment, try it a few, whatever it is, but if you choose one password Bitwarden whatever.
Once you do that, you need to go back and make sure you delete all the passwords from your old password manager. You don't want these things out there floating in different online accounts. Um, the problem with that and I probably mentioned this last time was that you probably have multiple password managers because you've used so many browsers, operating systems, whatever it is. That data is probably out there in many different places, so it's best to keep it one place. Keep them in place. That's super secure. One place. That's super secure. One place that's available everywhere like a third-party password manager. So there you go. Thank you so much for watching. I hope you found this useful. We'll have a new episode of Hands-On Windows every Thursday. You can find out more at twittv, slash H-O-W, and I will see you again next week. Thanks everybody.