Ccatp_2023_03_01

2021, Allison Sheridan
Chit Chat Across the Pond
https://podfeet.com


Transcript


[0:00] Music.

[0:08] Well, it's that time of the week again, it's time for Chit Chat Across the Pond.
This is episode number 760 for February 28th. Nope, I wrote that yesterday for March 1st, 2023.
And I'm your host, Allison Sheridan. This week, our guest is Rod Simmons, who is one third of the SMR podcast.
Welcome back to the show, Rod.

[0:24] Thank you so much. It's nice to know that someone as polished as you can make mistakes, like on date, like where you write.
I usually will look at one thing and then like bounce around and I mess up date or the show number because I'm looking at the last show number and I just know to increment and I forget to increment.
So I've been talking a lot about that increment problem, but this time I can blame TextExpander because I wrote the notes yesterday and I have a TextExpander snippet that writes the intro for me.
So I wrote it yesterday, which is why it says yesterday's date. But hey, the reason I asked Rod to come on the show is that he, like many people became, and I'm going to be generous here and say that we're disenchanted with LastPass after their progressive disclosure of security breaches and he's migrated to 1Password. I wanted to hear about his migration because he, boy, he did it. He did it. He did the migration and there's a lot to this. I want to tell you guys up front and I didn't warn Rod that I'm gonna say this but he has an incredible ability to find the bugs and bad things in absolutely everything. It's a talent and so he might not be the cheerleader type that I am. I tend to see everything half full and he's kind of maybe he'll begrudgingly give you 12% full, something like that on everything. So is that a fair assessment,

[1:44] Rod?
Yeah. I mean, to be fair, I work in product design. So I certainly think, well, certain things tend to just pop to me because it's like, oh, that's not how I would have built it. And which means it's not right.
Of course not. And that's just, I think that's probably just a flaw of the career field I'm in. But yeah, I feel like I.

[2:04] I like to say over time I tend to push products to definitely the extremes of, and I find little bugs, but I'll say with 1Password, I feel like I've only found one thing that didn't really work the way I intended it, but it was an edge case, so I wasn't worried about it so far.
I don't want to bury the lede, but so far good. I'm liking the app so far.
Okay. That's about as positive of a rating I've ever heard Rod give anything.
Correct me if I'm wrong, I don't want to get into details of your actual career, but you've got somewhat of a security background.
Is that like the software that you work with? Yeah.
So I mean, I can tell a little bit of background. So I started my, you know, if I don't want to go back too far, most people will start guessing my age at that point.
But if I went back 20 years of my career, I really focused on like I was in the Windows space, Active Directory on board, like Manny, like migration, all that kind of stuff.
And then my career slowly evolved more identity focused, like looking at threats, persistent threats, detecting threats, mitigating threats.

[3:09] And then around like now I'm really focused around governance, identity management, and all the security that has to do banking around identity and governance and reducing risk for organizations.
So I'd probably say the last 10 to 15 years of my career, I've been really heavily focused on either threat detection, threat mitigation, and or understand, like really focused on identity as it relates to users and enterprises.
Okay, so not at the regular user home consumer level, but certainly attentive to things along the security lines, especially with password managers.

[3:46] Yeah, and honestly, I'd say if you look at the enterprise, I feel it's fundamentally no different than the home user. It's just, it's at scale. Like we all, as an end user, we deal with identity management. If you look at you as being the identity and I have all these accounts and I need to manage them across all these disparate systems, you're dealing with the same problem enterprises are dealing with, but they just deal with it for every single employee, every single account that they're provisioning to the user. So it's every problem that the enterprise has is just they deal with it at scale.
You deal with it.

[4:15] Yeah. On your own basis, except if your company isn't real smart.
Um, I remember I worked for a company that, uh, I did a series of tutorial things, video tutorials, not unlike what I do for ScreenCastsOnline, except I had to do it on Windows in Camtasia.
And it was the worst piece of software I've ever used my entire life.
But anyway, I did these tutorial videos and I, and I learned about LastPass.
And so I did a video tutorial on LastPass and explained how it worked and how now how we can store our passwords in the secure vault and all this stuff.
And within 10 minutes of me posting it, security took it down and banned LastPass from our domain.
Because they didn't trust that, well, there was this free version.
And if there's a free version, that must mean they're selling all your data.
And so we can't possibly have that. So there were no password managers.
Now I did retire a decade ago.
I don't know what the situation is now, but a decade ago, there was a way to have your password secure and they didn't let us.
So I'm sure Bart has probably told you about this many times, but I will share along.
If anybody's interested, I think this is a really cool thing.
If you want to know what's happening in the enterprise, Okta, they do a really cool report every year.
I'm going to drop a URL in the chat. They do it every year.
It's a, this is a 2022 report, but it's called Businesses at Work.

[5:32] The very cool thing is you see what, what applications businesses are using in this report. and by business or.

[5:40] It doesn't really break it up by what businesses just says like, okay, these are the most popular apps in enterprises.
It gives you like, and if you scroll through the report, you'll quickly start to see like, okay, you start off very broad level looking at it by category.
They call out some specific apps.
LastPass was one of the growing apps from 2021 as they did the report in 2022, which, oh my gosh, hindsight would have been 2020 here.
But as you start to scroll through, if you just search for 1Password, you'll see 1Password is actually on their chart of one of their top growing applications. I think it grew at like 198%. Was that before and after the breach? That was 2021 going into 2022. So at the same time, LastPass was growing, 1Password, where they were both on a very good upward trajectory while LastPass was probably more dominant. So I'm really interested to see the report in 2022 or the, the report that covers 2022, we get 2023, and the 2023 and 2024 as to does LastPass just totally fall off the enterprise password solution market?
Because I would imagine the report that will report the end of this year will see a change.
But it's a really, again, it's a really cool report.
If you're just trying to figure out what applications do enterprises use, you'll see what's most important like Netscape and Postmon and Intercom.
But 1Password is down there, second from the bottom on the fastest growing apps with unique visitors. Did you just put Netscape in that list?

[7:06] It's not, oh sorry, Netskope. I said scope. Sorry, I didn't say scape.
Yeah, I apologize. This was from 1957. Now you do have to create a login in order to see this report, it looks like.
No, the URL I gave you should have been free. If not, I will send you, this should be a, I sent you just the link right to the, if you Google search for the name of the report. Oh, that's weird. No, you're right.

[7:30] It is. I don't know why you asked me for it. Yeah, you should be able to get right to the report at no cost.
Again, it's a fantastic report that they put out.
It tells you a lot of information because if you think about what, sorry, if you don't know what Okta is, Okta is like an IDP, identity provider.

[7:46] And all they're really trying to accomplish is you don't want to use Microsoft for authentication, use Okta, but they can understand what apps, what applications your users are authenticating to.
So you take your token, you go and you want to log into 1Password.
They know that that's a unique user going to 1Password. So they can say of our user base, which is massive, not as big as like Microsoft's Azure Active Directory authentication platform, but it's huge.
And for them to be able to provide this data and you can see growth, you can see trends in the marketplace.
It's a fantastic report if you've never, never seen it. And again, it's like it's about a million pages long, but if you like it, then my scroll bar is the smallest scroll bar I've ever seen, but yeah, this it's, it's long, but you can zoom to the, um, to the graphics and stuff.
Yeah. I think of it as the Verizon data breach report. There are very few people who read it in entirety, but everybody like looks through and says, what is this graph? What is it saying? Okay, next graph.
Um, this is a great report. If you're just trying to get statistics or if you work somewhat in this field and you're trying to sort of verify like, hey, what are the popular apps should be looking at?
And you're trying to figure out what other companies are using.
This is a great way to get some dynamic data.
So there you go. Interesting.
Okay, all right, back to the topic. So just to get people up to date on what LastPass did wrong and why was it so egregious for you to abandon the product.
And by the way, there was a new report out from LastPass today with their final findings.
So why don't you just refresh people? What did LastPass do? What was, what was so bad that would make you leave?

[9:15] Yeah. So I'll start with, I was, I was a LastPass user and I, I feel like it's been like 13 years, 13, 14 years, it's been a long time I've been with LastPass.
That's hard to, hard to break up with somebody you've been with.
Yeah. That's, that's a good relationship right there. Uh, and I want to start with the, the fact that they were breached is literally the least of my concern.
And it sounds really odd. Because most people, like, mind you, if, when I bet 10 years, I would ask people, how many people have been abroad in a data breach?
You'd have one hand raised in a room. And then as each year, that number would multiply, it was like this exponential curve of how many people in a room.
So everyone has had their data lost in a breach. And that's not the bad part.
The bad part is how does the organization handle it and report it?
So for me, LastPass lost my trust. And that's right there. I couldn't keep my credentials with them.
Not because I feel maybe they don't have the greatest security controls in place for enterprise management.

[10:21] That's, yeah, I don't want to overstate it because again, I don't know their internal process, but it feels that way a little bit because of what happened. So I'll give you a great example. Someone was able to compromise credentials on a laptop, totally fine. They were able to exfiltrate out data, but there was nothing in that said, hey, this is abnormal data for Rod to be downloading, all of this stuff. Like even though I'm an authorized user, I should have access to it, isn't it abnormal that I'm doing this? Like it didn't pick up on any anomalies of my behavior. But for me, the biggest part was if they would have said like day one, as soon as they learned we've been breached, we don't know the full scope of what we've lost, but we do feel that there was some data loss. It may have been vaults. If you want to take as much corrective action as possible, we'd recommend changing passwords. And that would have been like last May or March or something like that. It was pretty early last year. Yeah, I thought it wasn't till August. It was August. August. Yeah, maybe it was a second one. I know August through October was kind of a big one.
Because there were two incidents. Yes. I thought it was August through October.
Maybe there was another one right before it.
But again, for me, it's disclosure. Tell me as fast as you can so I can make a quick decision.

[11:35] And for me, again, I don't like changing 400 passwords. But if that's what I have to do, that's what I'm going to do.
For how I use my vault, I've definitely changed how I'm using 1Password compared to LastPass.
I'll talk to that a little bit as we kind of get into 1Password.

[11:52] But the type of data I was storing in my vault, I started realizing like, oh my gosh, if someone actually could decrypt my vault.
So I'll give a good example. I've always said, I don't, when I go to a site and it says, okay, well.
You have to set up how you get back in if you forgot your password.
I would say, all right, it doesn't matter what question, I'll just choose a random question.
I would copy what the question was and put it in a note on my vault.
And then I would just generate a random password and put it as the answer.
Right.
So my answers were never valid. Right. The problem is they were in my vault.

[12:20] So now if you compromise my vault, you had my username, my password, and all my question answers. That's it.
I was like, yeah, but, and, but that's one source you are supposed to, to supposed to trust. Trust, I know.
And if, but I think that's one of the, that was one of the problems with the LastPass breach was that we found out that certain things were not encrypted.
And we do know with 1Password that those same things are all encrypted.

[12:51] One of the things that gave me the most angst was, and I always get the acronym wrong, it starts with PD something K F2, It's got a lot of letters.
The rounds of encryption. Yeah, the rounds of encryption.
So from the current recommendation is 600,000 rounds of encryption passes.
So they go through your password and they hash it and hash it, hash it over and over and over again.
They were not doing 600,000. They were doing 200,000, but only on like recent vaults.
And if you had an older vault, we kept hearing progressive disclosure of how few passes there were.
I had a test account that I had no live data in and mine was at 5,000, which is basically, you know, somebody with the smallest Raspberry Pi could crack that in about 10 minutes, right?
So, I mean, I'm exaggerating maybe. Probably not actually. Not by that much, right?
And so they did up people, but they didn't do it retroactively.
Like new accounts got it. And when you talk about the security controls that they had, that's a really perfect example of where they didn't have the security controls in place to protect the data.
Right? Yeah. Um.

[14:06] All right. So my vault at one time was 5,000. And that was again, 13 years ago. And then I remember an episode of Security Now where Steve Gibson made a comment and said, Oh, you should up it.
You can go. I think it was when they let you go up to like 20,000 or 25,000. And he's like, you should just choose a number randomly because you don't want to give away exactly how many you're using. You want to be somewhere in that general range. I was like, that's probably a valid statement. So I increased mine. And I've subsequently over the years just always increased.
I never even knew it was a setting.
I mean, most normal people would know. A normal person watches Security Now.
We didn't learn much in the briefing that came out today from LastPass, but what I did learn that I didn't know before, maybe everybody else knew, is that one of the things they lost unencrypted was how many passes you had, how many iterations your vault had.
So they can now sort that by, okay, here's all our 5,000s and let's just scrape those right now.
They also gave away how many, like the other thing that was lost.
And this is, that's another thing that really pissed me off.
Like the rounds of encryption. I, I, I damn, I know I hated that, but they do have to store that.

[15:14] That they stored last time you visit a site. So to me, with that, what that kind of leads on to an attacker is, what do I actively use?
So it also, it gives you two good ways of looking at attacking a user.
Identify people with the highest, the lowest rounds of encryption, and then go after that, like you could either go after the sites that look enticing because you know the URLs. So you know, I have an account there and go after things I don't frequently use and work your way up the stack, or go after the things you know that I actively use because you know the credentials are valid.
You can look at it either way. Either way, it's bad. Right. Or the cross section of the two. We did also learn, you're going to be talking about this with 1Password in the transition, but the, what is it called, equivalent URLs, like where google.com and gmail.com are the same.
They lost that list that you had self-created.
Not only did they, of course the list that they offered you already that these things are all the same, like Audible's the same as Amazon, that was public knowledge, but they lost whatever ones you set up as well.

[16:21] Yeah, so equivalent domains. So I'm not too concerned with losing equivalent domains because I think that's... Additionally, it's the additive nature of these things.
Yeah, it's a death by a thousand cuts. You just like rubbing salt in that wound, don't you? Yeah, I don't like that they lost the data. Again, I will always come back to my bigger issue with them was the speed at which they disclose data to us and that just killed. But equivalent domains, it's one thing that I deeply miss.
Let's get into that one second. Cause I'm going to say one more thing that bothered me about the LastPass breach was that they still haven't even in the new report, cause I read the whole darn thing today, um, they don't tell us what the date of those backups that they lost were.
So if they lost backups from, uh, you know, a month before the breach, and you, had, you know, 200,000 on your, on your iterations, you know, you're probably okay.
But if they lost them from five years ago or 10 years ago or all of them 13 years ago, then they have an encrypted version of your vault at 5,000 iterations, even though you have diligently gone in and changed it. So they still haven't told us when those backups were. Yeah, and I think probably if I had to guess on part of the challenge is.

[17:37] Maybe a lot of, now even if you, depends on how they're backing up the vaults because there may be certain data that's, quote, not vault data. So if a lot of, some people might put credentials in, they virtually never change.
So to say, yeah, there could be challenges of how they're trying to articulate what the date really is. Because one person might want to say what date is my vault? Like, yeah, that is versus what but saying, look, we lost backups for everyone's vault as of this date, I think would have been the most accurate thing to it would have just, it gives you general idea, but if I'm trying to remember the LastPass UI, I don't think there's a way I can see the last time I changed the password. No, I can see the last time I changed the password, but it's not really... You have to look at every single item. There's no way you could see like last updated, password changed, like in a very clean, if I remember correctly, in a very clean way to see that.
Because then at that point, if you know you lost it on August 1st, but you've changed a bunch, since August 1st, you'd say, well, these are safe. So I just need to start changing the other ones.
But I think for most people, most of their passwords are aged a little further than they should be.
Yeah. I think 1Password, I seem to remember one of the things Watchtower gives you is something you haven't updated in a really long time.

[18:53] Yes, on LastPass, you could do the same thing. The challenge, I think, with when you're talking password age, you really just needed a, it was changed on this date and I need to sort by last date changed on the password so I could go and attack the ones that potentially would have been known by the attackers because of the bundle that they have. And I don't think anybody really provides that, but there's not really a good use case to provide that. What LastPass, 1Password and all the vendors typically would say is, you haven't changed this password in like 234 days, get to work.
So it's telling you that they're just really old, like get on these items.
Right. The chances that you had a good password that long ago were fairly low.
And by the way, these things aren't telling you change it every 30 days or any of that nonsense. We already know that's a bad idea.
All right, let's shift gears. Bottom line, they lost your trust because they didn't disclose properly the right information at the right time.
So they're dead to you. Now, how did you decide to go with 1Password?
Did you do a big old matrix of all the different possible password managers out there with feature lists or?

[19:59] So, no, I listened to two close friends. You, I know you're a huge 1Password user, so that was already one top of the list for me to take a look and consider because you gave glowing recommendations for it and I've heard you talk about all the security with it.
So that puts it on the list, at least some things to look at.
And then Bitwarden was, I had a bunch of friends, security guys who were using Bitwarden swore by it and said, it's a great password manager.
You should at least give it a look.
So that put those two on the top of the list.
I'm sure you're thinking, what about Dashlane? Cause Dashlane has some really cool features, but I had a friend who had credentials in Dashlane and then they went to this kind of fun paid model.
And his, has he described it? My password got held hostage until I paid the fee.
Because he was, I'm assuming he was in between where they went from free to paid tier at either the number of credentials or time range.
And then he couldn't get access to anything where it was free at one time and then it went to paid.
So he felt it, they held him ransom. So for me, they were off my list because of the bad experience I heard a friend went through.
So for me, it was two password managers, Bitwarden and 1Password.
Okay. All right. Um, you took a look at the two. How did you decide 1Password over Bitwarden?
Just it word. No, no, no. I mean, and watch your tongue. There's yeah.
Sorry. I apologize. There's there's a.

[21:23] There's a lack of polish. So there are little things in Bitwarden that like I say would drive me crazy.
So a good, one good example. And I, again, reaching out to the friend saying, okay, you're using this.
I've imported all my LastPass credentials. Great.

[21:37] Now what I'm trying to do is I have a credential and all I want to do is click on the three dots and move this credential like into a folder, tag it, some like some type of concept.
And they have a concept called tagging, but you can't add a tag to a credential.
Unless you click on the credential and then you can add your tags to it, like by going into or folderizing it, you have to go into the credential to add it to a folder.
But for me, I only had like four or five category folders as I was scaling them up, because I was reorganizing my credentials as I wanted them.
But I'm like, why do I have to go into the credential to find something to then add this in here?
So that's a little bit of a little UI clumsiness.
And the funny thing was, I was like, all right, maybe I'm doing something wrong.
So the first thing I tend to do is I don't assume that I know everything right.
I go and start looking at the forums and many of the items that like, I kept stumbling over with Bitwarden, a lot of people were complaining about in the forums and the forum threads would start like 2015 and still be never about in 2022.
So it tells me that it's not that I don't, I don't want to imply that they're not doing active development. They really are.
Because they have some better, like, like the OTPs that both 1Password, or 1Password.
One-time, by the way. Sorry. Yeah.
LastPass didn't have that, or at least I never looked for it.
So to me, those are great features.

[23:04] Well, to an extent, I'll explain why I don't love them a lot, but that's a different story.
But they're great features that they're adding on. It just feels like they're not getting at the little nickels that bother people. There's just sharp corners.
I wanted something for the family. So it had to be better than what my wife was using.
And it's just not. It's from a general end user. What was she using before?
She's using 1Password. Oh, okay. So she's already a 1Password user.
She's an already 1Password user. So if I was going to give her something new, it literally had to be a net increase in the quality of her experience versus a decrease.
And I deeply feel after using 1Password, it is a far better end user experience.
So my wife won't complain, my kids won't complain, and I can use anything.
But I only want to pay for this thing one time.
So it's not to be too much of a cheerleader for 1Password, but it's in my personality.
When 1Password went from seven to eight, there was a lot of hue and cry and annoyance about it. The main thing was... You fixed myself.

[24:07] What's that? You fixed my wife's problems, remember? Yeah, that's right. That's right. Well, but the biggest thing was that they became an Electron app so that it worked well across all platforms. And I can't blame them for wanting to do that. And they did a really, really, really good job of an Electron platform, of Electron implementation, I should say. I think they did a good job. It's fast, but they had a bunch of problems with usability and people just screamed at them and they just came out with an update where they went, okay, we heard you.
You said this stunk, this stunk, this stunk, you hated this, you didn't like this, you didn't like this, you didn't like this. Yeah, we just fixed it.
And so unlike Bitwarden where the complaints are heard but not addressed, I think, I'm not saying it's perfect, I'm sure there's complaints people are gonna have to me about what they don't like still, but they are reactive to that and I think that's great.

[24:59] So I don't, I guess I don't have the historical bad, like let me explain the problem I ran into because this will also explain why Allison was like, you were wrong on how to migrate.
He was talking on SMR podcast and I was screaming into my phone just going, no, this is all wrong.
So I think it was from six to seven, my, I think I'm pretty sure. Yeah. Six to seven, 1Password at some, my wife somehow ended up with two vaults.
So, but the, unfortunately I wasn't a 1Password user. So to me, nothing made sense.
It was like sometimes like she would be in the browser and when she'd log in, she sees some credentials, but on the desktop app, she wouldn't see the same things.
So she's in this very weird world, but it wasn't literally making, I was like, I don't understand why.
And when it was like, Allison's coming to town, I was like, thank God, a 1Password user can figure this thing out. Cause it didn't make sense.
I was like, I don't know why something's in the desktop and not here.
I just couldn't figure. I just, I didn't want to dig into it, but I also was like, I don't know which one's right, which one's wrong.
And Allison was able to figure out first, how her browser was stuck in one version with one in one goal or, and another, the, the desktop app was in another version with a different vault, but each vault had the same credentials.
But every time she was at something, it's and everything going on. So, so it was just.

[26:20] Yeah, so one of the things that is a big difference between LastPass and 1Password: in LastPass, if I wanted to share a password with Steve, I could take the password and say, I'm going to share this with Steve.
And then Steve and I, and we could share it so that we would both be able to change it.
But you do it on an individual login or credential element individually.
In 1Password, you create these vaults and it's just, you have a shared vault.
You have a work vault and a home vault and you can easily right now with 1Password 8, and it might have been in seven in the later versions of seven, but you can just drag and drop things into these different vaults.
So if you're looking at one vault, you'd be going, where'd all my credentials go?
I don't know where they are. And they're actually in the other vault.
So the whole concept of a vault would have been something you had never seen before having been a LastPass user.
Yes. And I like the sharing in the family. I think it challenges across to friends.
Like if I want to share a credential, I think the max I can share it with you for is 30 days.

[27:22] And I, I can't share something with you in perpetuity. And I wish that there was an option that I could share long-term.
So a good example is when you're blogging with somebody or you're doing a podcast and you have like a shared account to log into your web host and it's just one account, everybody, anybody who needs it can get to that one account because you can't provision any other account with this particular level of access.
So all the people who need it, but we don't want to be in a family plan.
So that is the one limitation I still have with sharing. Again, it's a minor, but I don't want to say it's an edge case.

[27:57] What I do like about the family sharing, and I haven't tried it, but I'm sure this works, is that if you put the MFA on top of it, for credentials at one point in time, you're like, well, I'm sharing this with somebody, but I have my phone with the app and they can't log in.
Now I can share a credential with them. It has the MFA code across my family and everyone has it.
So I don't have to weaken security for a site because I want to use MFA. You just roll the MFA inside of Last, or 1Password, and it's on the essential, the record in the vault.
That makes sense? Yeah, so let me use some more words around this so people know what Rod's talking about.
You're deep into it, and most of our listeners are into this stuff, but just in case, when he says MFA means Multi-Factor Authentication, and he's talking about how you can add a one-time password to an entry, one of your things in your vault.
And so I never knew this was there until I watched a ScreenCastsOnline video that Don McAllister did about 1Password.
I did, it's so weirdly buried when you open up, instead of being an obvious thing of two factor authentication, which I think it should be surfaced like right at the top.
I think it should be there.
You have to go into add more, one-time password.
And then there's a little icon that looks like a miniature QR code.
And you tap on that and then you can, it'll recognize if there's a QR code on the screen for the site you're trying to log into.

[29:25] And it actually changed how it worked in different versions of it.
You can also type in the one-time passcode.
But I personally think that that from, let's complain about product design.
Why is that not near the top of things that you would know where it was even there.
I think it should be when you're looking at a record, you click edit, it should be right there on the screen.
The way I stumbled across it was looking in Watchtower.

[29:48] And Watchtower. Explain what Watchtower is. Oh, sorry. Watchtower is equivalent to, well, I should talk about 1Password.
It essentially analyzes your vault to find all the things that you should fix to have a better security hygiene.
So for example, password reuse, it'll tell you that, hey, you have password reuse.
Every vault, I think, does one thing wrong when it comes to password reuses, doesn't say, hey, these three are the same. So you know what, like how your quote duplicated or triplicated or, quadruple, whatever you want to look at it. So it will tell you the password reuse.
It will tell you, I think, weak passwords inside the vault. I don't have any problems with my vault.
One password does show you which ones are the same.

[30:28] Oh, I don't have any that are the same anymore. So. Yeah. Yeah. No, it will show you. I mean, it says, I have one for California Pizza Kitchen.
And I have one for CPK, California Pizza Kitchen, because one is the ordering site and one is the menu.
So they are the same.
So they're equivalent domains, right? They are, yeah. And let's jump to equivalent domains.
So this is a phrase I'd never heard before because it was something, it was a feature named that in LastPass.
But from what I understand, this is where you have two different things, let's say CPK and its ordering system, which is like Snapfish or something, I forget what it is. It's something else.
Those two things are the same place. Therefore I have the same password.
It never occurred to me until somebody mentioned it to me just like six months ago, we'll just put both domains into the same entry.
And then you don't have to have separate entries. and then it won't be, it won't look like an error.

[31:21] 100% an absolute true statement. However, it is snap finger, I'd guess. Right. Yeah.
It does require you to update the vault versus the vault. Just because over time, what winds up happening is that you, save things over the years.
And for example, today, actually, let's go back in the day.
At one point in time, you had a Sprint account.
Sprint was Sprint.
And then you decided, I hate Sprint. I'm going to Nextel. So you or vice versa.

[31:53] And now you have a Nextel account and then Sprint acquires Nextel.
I have to tell you that association.
So I may have never went and got rid of my quote Sprint one that was sitting in my vault.
I didn't do the hygiene and clean up and I now have this Nextel thing, but they got acquired and it's really the same thing. So now the system in the back end could just say, look, these are equivalent domains.
Don't worry about the records anymore.
It's okay. So the equivalent domains takes care of things that, a, I don't like sometimes the user doesn't know. You know that Apple is the same thing as iCloud. They're absolute equivalents, but most users don't know all the various equivalents. So if you get into like you have Bing, Hotmail, Live, Microsoft, MSN, like Xbox, Azure, they're all the same. And I'm giving you very obvious ones, but you start to get into like very obscure ones. But actually Amazon.com, Amazon.com.be.ae, and then the list and you're just always at a cascade down this rabbit hole of all these equivalent domains that you just may not know what to do and you don't know that they're.

[32:56] Quote equivalents until you stumble across them and it's nice to have that categorized list someone has actually done the work for you and I think it's something you can also crowdsource and share.
So you went on what I'm going to call a venomous rant about the fact that one password didn't have this feature and it would have never occurred to me that this was something that would be helpful.

[33:20] It is tremendously helpful because here's the thing, when you have equivalent domains, if I go to, if I'm at Microsoft.com, and I create an account.
You mean predefined, and by that you mean predefined, someone else has done the work to tell you that Skype and Microsoft 365 login are the same.
Yep. So when I go to like Xbox.com and I already have a Microsoft account, it just says, yeah, you want to log into Microsoft's account. So I never actually make the mistake of doing the create or doing this and then saving it because of them being equivalent.
Like I, there's no work on my part because it just says, I'll pop the credential because they are equivalent domains. And again, if you look at someone like one password, you, they're trusted to kind of do some of the management of the stuff.
And most of the lists that many of these vendors come up with, they're, I don't want to say that the obvious ones, but last pass was a very extensive for the number of equivalents they had. Like there are some that I'm like, I never use it, but if I stumble, I'm okay. I know I'm covered.
Yeah, but just because they have hundreds of those, How many do you actually need?
I don't know. And it didn't matter. I never had to think about it. That was the beauty is maybe.

[34:30] 10 or 15. This is it just seemed like a huge deal to you that this was like the end of times as we know it because they did because one password didn't have this. And I thought like, Hey, that's kind of a cool feature. It grows over time. And you again, it's one of those things.
It's almost like you don't know how great something is until someone just takes it away.
You're like, man, this was really nice. Like I didn't realize I used it.
And for me, it was a lot of sites like Marriott properties. I had to deal with this with Microsoft.
I had to deal with this, uh, UniFi, which at one point in time I never had, but UniFi has two sites, ubnt and UI.com.
And again, like I say, the list just kept going on and on and on and on and on.
And it was many of the vendors by, by the nature of one password doing this for me, It prevented me from accidentally creating these other credentials and then getting myself out of sync of what the heck's going on, why aren't things working.

[35:27] The equivalent domain global setting saved the user from trying to figure out.
Essentially you're putting it on top of the user to figure out what are global domains or equivalent domains.
Again, there's a solution. I will give you that. That would have been cool.
If I could complain about OnePass about one thing is in general, when you do a search, it searches the names. I think there is a way to search farther in, but I have a login called Microsoft OneDrive Skype Office Live.
Actually, I need to add 365 in there so that I can find it because whatever I'm, I can search for Skype and I can't find my Skype account because it's under Microsoft.
So I had to put everything into the title so that it could find that this is all the same dang thing.
Just put the extra URLs in, you're good to go. You never have to think.
No, no, no, they are. I do get what you're saying. But I'm saying when I'm searching for it.
When I'm searching for it. You're thinking about, on 365 or you're on this and that's where your brain is.
Yeah, I mean Skype app, that's not an equivalent domain at all.

[36:25] It is. Yeah. No, the Skype app is not a domain. No, I don't use it.
That's not equivalent domain. No, I don't use when I use a Skype credential to get into Skype.
That is correct.
Well, but I mean, it's an app. It's not a domain. So, yeah, but equivalent domain wouldn't help me.

[36:41] Well, on the, is on the iPhone, does it work? I felt on the iPhone, like if you, I know with one password you could, or last pass you could.
Yeah, I've done it with one password where you go and you launch an app.
And then it's when the username password it feels. Sure, sure.
But there's not a domain for it. It's always been accurate for me.
Yeah, but it's not a, it is an HTTPS colon slash slash something.

[37:02] Yeah, but I'm assuming there's got to be a way it figures out.
Because if I like earlier today, somehow it knew like I, when I logged into like my HR benefit site, it says, here's the one. It's like, yep, that's it.
Click. So somehow it's pulling something. So I'm assuming that the apps are sending a domain to these.
I don't know. something they're doing to figure it out.
But I know that 99% of the time there's very few apps I deal with that don't work.
Okay.
So let's talk about the process you followed because, um, I do know people who have abandoned LastPass and, uh, the people I'm most proud of, my, my daughter, Lindsay and her husband, Nolan.
Um, I was so bummed about the LastPass breach because we had just convinced him to use a, uh, password manager after years and years and years and years of badgering him.
And so having to write to him and tell him, yeah, so you're kind of on the wrong one.
But he confessed to me that he really liked having a password manager.
It made him really happy.
And so they just went, okay, we're out, what should we do? And I had a family plan where I was able to add Lindsay without any extra cost. And I think Nolan cost me like $2 a month.
I said, I will pay for this because I feel so bad. I'll add the $2 to my account.
And they just like did it.

[38:13] I mean, they didn't call me. They didn't ask for any help. They just did it.
And then they went in and they said, okay, all our banking stuff and all of our, you know, insurance, everything will change all those passwords. They went in and did all the important stuff, but you didn't just do the important stuff. You literally changed 400 passwords.
Is that right? God, it was awful. Yes. So what was your process? How did you do it?
All right, so I'll start with, there's one feature in last and one password that made this 10 times easier for me.

[38:41] I shouldn't say 10 times, it made organization of it easier.
I, so Chris, another guy in SMR, what he did was he was, he would create them in, um, in one password and then delete them. So chain, create them, change them.
And then delete.
I was like, I'm not doing that. I created a new vault called last pass and put all my credentials in there.
Okay. And then as I would go through and change them, I would move them to the private vault with the one that is just mine.
And it essentially gave me a to-do list. Is everyone likes to do this?
So is it just a to-do list?
Go through and change all these so I could change the credentials. I could add MFA. So, and that's what I found is like, if I was in there and they didn't have MFA configured, I was configuring MFA, I was changing passwords, I was making sure I backup codes, I was changing security questions, and then on to the next one. So that, that organization alone, it was, it, for me, it was a game changer because it made it 10,000 times easier, not to which one did I change.
And again, I wanted to work off of a, I didn't want to start from A and go through Z.

[39:44] Like I either first credential on the list and then go through the last.
You wanted to start with B for bank. Yeah, important, important, important. So oddly enough, while banks, the first day I changed everything that had direct access to money, credit cards, oddly enough, and if you don't like, or like, if you're a Starbucks person, like Starbucks, as you might as well call it, as a bank, they just don't ever, they never give you back your money. But like things like that, I started changing all those credentials like did you change your email password?
That right on the same day, emails all went away. So I said the nice thing about having everything out in a CSV file out of LastPass was I was able to sort by usernames and identify the most, predominantly used email addresses. Okay. I don't say 100% of the time, but 99% of the time, your login for most sites is your email address. So what I wanted to make sure is that I was, you know, you get your emails because sometimes you forget like, oh, I forgot I had that email email address. So by organizing it, I was able to kind of go through and make sure like, okay, Gmail's first, then this and then that. And it reminded me that, okay, I don't use that anymore.
No, I'm talking about actually changing the password to your email.
Oh, that was, yeah, that was day one. So day one was all the email addresses.

[41:02] And because again, sometimes you have an email account that you're like, I totally forgot I created that years ago and I don't really use it.
But I was like, all right, well, if I'm changing, I'll change that as well.
So I did all my email accounts, all the direct financial stuff was accomplished on day one.
Let me interrupt for a second and explain.
Bart has said it, I've said it, but I'm just going to say it every time the subject comes up.
The single most important thing to change is the password on your email.
And that sounds counterintuitive. You would think it would be your bank or your iCloud password, but it's, if your iCloud password is your email password, definitely it is the number one.
But it's the number one because that's how you get password resets.
So someone has access to your password, to your email, then they own you.
They own everything.
They're your game over, man. I mean, you know, I mean, there's MFA and stuff that could protect you.
But change that first, change your email password and then work.
Then start working your way down to where you use that email password. Right.
Yeah. And again, if you're as long as you're changing the password, If you don't have MFA...

[42:02] Multi-factor authentication. Super easy to configure at that moment in time. And because of my model of my security questions were stored on each one of the records, I updated all my security questions and all the answers for every security questions I went through those.
Now, did you move those to a different service?
Yeah, I store my, well, I'm not going to tell everybody, but yes, I have them in another encrypted area that my security questions and MFA backup codes are stored on individual records that that match the names of my sites in a different secure storage.
So I didn't want to messy.

[42:36] It is, but it allowed me to make sure that if for some reason, something happens with one password where I lose it, I, I'm hoping that I won't lose all the question answer.
Cause that it took me a lot longer because I had to go through and like sometimes it's hard to find where you do question, answer changes on sites.
And some sites don't have the question, answer change. So you're looking for something that actually doesn't exist.
Um, but, uh, it took me a little longer. So I was like, I don't want to go through this pain again.
And I also don't want to go through having to disable MFA, re-enable MFA, get new codes, um, hopefully that I should be a little cleaner.
So are you using, are you trusting one password for the one-time pass code with the QR code on it?
Are you doing that or are you keeping it in a third party?
Authentic. Jesus.

[43:25] Both. So this is my little thing that I like and I don't like about one password.
So I was really scratched my head because like Watchtower kept saying, you have all these sites without MFA.
And I'm like, looking at this. I like my Microsoft account has MFA on it.
Like I know I'm looking at the MFA code right here. So what password doesn't know about it?
Right. And so what all they support is to say, ignore this.
And I wish there was an option. They need to ignore this button all over the place.
Yeah. I just wanted to say, I don't.
It's not really ignore. It's just, it's managed elsewhere. Like, I'd like to say already managed. So it's not, I feel it's a different... "I can't do anything about this" is the button I want. Like, like I've got my library card in there, and the password to my library card is four digits. Stop yelling at me, Watchtower. I can't fix that. I can't change it.
Yeah, I want "leave me alone, quit bothering me."
The looper is the hardest one to get the MFA taken care of, because you can't do... So the beautiful thing of how one password does MFA is a screen grab. So I essentially was going to sites, when I, and I did set up, I set up on a lot of sites. I'd go to the site. I'd say set up MFA, the code would appear. I would just click scan. It's like boom, it's in. I'm like, done. I copy the code, paste it in, and the login... Oh my goodness, like when you go to a site that requires MFA, you click login. It's just like boom. This is like magic. So it is.

[44:47] Sites are good. My favorite is github. So command Command, uh, backslash, is that right?
The one under the delete key. I always get mixed up which one's which.
The one in the upper. Yeah. That's backslash. So command backslash.
Um, I've got a t-shirt that says command backslash is my password.
It's from one password. It's adorable.
Anyway, you hit command backslash on a site like GitHub and it goes beep beep.

[45:10] And then the second, the second page comes up with the, and it goes beep and it logs you in.
I mean, the same thing happens with my Synology. It's like beep beep beep beep beep and you're in, you know, there's, you don't have to hit enter. You hit nothing. It just does it. I love that.

[45:25] One feature when it works. The site said don't do it. No, no, no. But somebody said like Google for crying out loud. Let's, let's separate everything onto separate pages and mislabeled the button so that it doesn't work. So what it also does well is like with a site like Google, is it went on, if you're on the first page, like some sites will say, what's your email address?
And you click on one password. It says it plays it in. And then when it advanced to the next page, it just always puts in the right password. And what I mean by the right one is if you you had like five Google accounts. Yeah. Yeah. Auto fills with one pass with, with last pass. It was like, man, it's a crap shoot. Which one I put in here.
Like it might be the right one.

[46:04] You don't know what you want to put in. So you're just like hoping I've literally not had a single problem with, with, um, one password actually putting in the correct password when we go to the next step. That's a great point. I shouldn't take that for granted. Yesterday, I was pulling some tax documents from two, an institution where Steve and I both have logins. And when I, when I, when it asked for the login, it showed me mine and it showed me Steve's.
When I chose mine, it auto filled my password on the next screen.
When I put in his, it automatically put his password in the next screen.
So you don't realize those nice features that to me, bar really beautiful feature on how they implemented that.
I don't know if it's just pure luck for me, but you're describing the same behavior.
But I know that I often had problems with that with last pass often would go and click enter and it's like, Oh, wrong password.
And I have to hit the drop down, copy that particular password I wanted, and then paste it in.
So, but again, that I think is a brilliant way they've implemented that.
So yeah, that's probably something else that I really do enjoy about it.

[47:04] The watch tower, I love the feature because I like the security challenge that LastPass had.
The thing that's my only other annoyance with it is I don't know what perfect is and I want to be perfect. Oh, the total. What's your score? I'm sure your score is way above mine. I'm at 1010, but I've got 29 sites within active two-factor authentication. 1182.
Oh, that's not that much better. Interesting. Because I don't know what perfect is. But the problem is it says you're all good. There's nothing that requires your attention here. And I'm like, like, it's gotta be something because- Well, maybe 1182 is perfect.
Maybe it is, but it could be 1200. You should text them, you should ask them, what is perfect? I need a perfect score.
There is a long thread of people asking, what is a perfect score?
And they answer every question around that, but don't tell us what perfect is.
And it's almost like they're like, yeah, just keep trying. But it's like, I don't know what else to try.
I've done everything I could. Well, I mean, I wonder whether if you've got a 16 character password, which is considered fantastic, but if you made it 32, you'd get 1183.

[48:02] That's possible. Try taking one of your passwords and just making it one digit longer and see what it does. I'll have to play around. So that's probably another thing.
When you change a password on the site, it always goes to the, I think, is it memorable?
Not memorable, it's smart password.
Oh, no, I think it's... And I was... Memorable.
I think it's smart.
And what doesn't make sense to me a little bit about smart is I was assuming that smart somehow knew something about the site. There's no smart, there's memorable, random, and pin code.

[48:37] No, I thought when you go to change a password on a site, it has to be...
Well, a website may ask that, but...
No, no. Are you sure you're not looking at... You're not using iCloud Keychain?
All right. So I am... Let's see. I'm going to jump on my Google account right now. Let's just jump in here.
Let's do this real time. I'll do the play by play.
Yeah. No, because... All right. Yeah. This is probably boring to listen to.
So we're calling on a site and when you... In the upper right-hand corner of your browser, when you choose and it's like, hey, I'm going to generate a password for you.
I think there's one like smart where it tries to build a little bit shorter of a password, that is ready for the site. And what I thought it was doing is either scraping the site or knowledge of the site to say, Hey, this meets all the password requirements of the site or.

[49:23] Potentially most common. My concern was there are some sites that like, you can have a 65 character password, but I don't, I don't want it to be quote smart and give me something that's it's only like 25 characters.
Let's go like, get me in the 50s.
I'll be happy with that. So I just wanted the passwords a little bit longer in some of those areas. So I think that's probably the only challenge or issue or concern that I had with some of the password chains. But if you play with- Well, I guess you can change the number of words.
You can make that sucker real long if you tell it 15 words. Throw in separators. I just go random.
By the way, I just discovered something I did not, well, I want it to be typeable.
Because there's going to be that time you need to type it. So I don't actually use the password manager, the password suggestion feature in one password.
I use Bart's xkpasswd.net password generator.
But the thing I was going to ask you why one password doesn't and tell you I hate this about it, I just discovered it does have is what I've never been able to get it to do is put numbers in.
But I just noticed if you can change the separator to be numbers and symbols.
So I just had separators as, you know, hyphen spaces, periods, commas, underscores, but I didn't notice you could make it, uh, numbers and symbols.
So you can end up with a, a nice messy long, uh, password with stuff you can't possibly type.

[50:41] Yeah. I have not played around with, uh, see, I'm just trying to think.
Yeah. I haven't played around with that.
So I just told it three words. I just told it three words, numbers and symbols, capitalize and full words. So it says fell in all caps, the number four, slightly, exclamation point, archon, which apparently is a word.

[51:02] So is there, is there a reason why you prefer the, uh, I'll call it them, uh, not memorable, but the, uh, I think, yeah, I think that's the memorable passwords. Is there a reason why you like memorable?
Yeah, because it's a lot easier to type when you do need to type it, is I can look at it and I can go, okay, fell slightly archon. All right.
I got a four and an exclamation point in between without looking at it.
I can repeat that back to you.
But if it's L7Q0, zero, you know, I haven't got a chance. I do like, another thing I like about one password is that it uses syntax highlighting.
So if it's a number, it's going to be blue. If it's a special symbol, it's orange.
If it's a letter, it's white. So you can tell zeros from O's.

Yes, I love that in reveal. One... Sorry, what, LastPass did that?
One password does that, that is a healthy option when you're revealing passwords.
I also can figure out what the characters are.
I also like showing large type.
That's another one of my favorites.

[52:05] I haven't played around with that. If you, if you select, instead of hitting copy on a password, if you hit the downward arrow, there's reveal and show in large type, it was, boom, it puts it huge across your screen.
I will give a recommendation. So when I was doing a lot of my password changes, what I tend to be, so I was, tend to be in the browser changing the password. And I, would have the desktop app open and I would paste the passwords into the desktop app. Because I feel that they're a little too aggressive as to when they pop the dialogue saying, Okay, we've recognized a new password. Do you want to save it? It's like, eh, hasn't committed here yet. And it's like it's overload on the page. So it's like, I have to kind of save it before I can submit it on the site, only to find out it fails. And then I have to go through password history. So I feel that they should wait until you submit.
Yeah, it's funny, virtually everybody I talk to feels like that.
I know a lot of people who bring up like a text editor and they paste it in there while they finish and then they go over and they copy and paste it.
I don't, I tend to trust it. But yeah, I've gotten burned, but not that often enough to worry about it.
But I know everybody worries about that. So that that's a pain point.
They should try to figure out how to get around. If that if everybody I know does that.
For 400 passwords, I probably had.

[53:19] I had that happen to be probably a dozen times where the site didn't actually accept the password. Right.
But what I had happen far more often to me was I would have, again, the desktop app open, I would generate a password in the browser, I would paste the password in, I'd hit submit, it would accept it, and then I would go to paste it into the desktop app.
The problem is, the muscle memory was you got to remember to click edit, to edit the record, then to paste the password. If you click on the password field ready to type, you've literally just copied the password over top of what you had. It's like, oh my gosh, what have I done?
So you don't use a clipboard manager?

[53:59] Well, it wasn't. No, I don't. Actually, a lot of clipboard managers won't take password fields.
So the nice thing with one password, which I found out of in my first moment of panic, like I just changed his password on a site and I don't know the password was that you can, I think it's the dot dot dot in the cup in the upper corner, I think it is, which gets you out and you can actually look at your password history. So that I will say I burned myself a couple times where I was there for a long time either. Yeah, maybe some of these things from a UI perspective should be more revealed. We've got a list of two things, password history and QR codes, scanning. Yeah and just for anybody who hasn't run into it, that's actually if you click on like in your browser extension, if you click on the last pass browser extension at the very top you have the search box right to the right of it there's like a little thing that looks like a hamburger menu which is a menu. If you tap on that there's a thing for password generator and then on that list, there's an option to get to password generator history at the very bottom. When you click on that, it shows you all the sites and all the most recent one is right at the top. So you're never far off from it. But just remember that's how you get to it. Because when you burn yourself and you're like you're at that panic moment, they've got you covered. Your password is actually stored in that password history. You can get to it. So again, I don't actually ever use the little button in the URL bar.

[55:28] Oh. I don't tend to use that. I tend to just use command backslash and it pops it in or I open up the web, I open up the desktop app.
Okay. All right.

[55:39] So what else? Let's see, from a top level picture now, oh, I know the other thing I wanted to ask you was when I originally used LastPass and then I moved over to one password, one of my biggest surprises was looking back at LastPass how Linux and open source it felt, you know, versus a polished UI in terms of graphics and things like that, and I just assumed that they'd come a long ways, and then but Lindsay said the first thing Lindsay said was, oh my gosh, one password is beautiful.
She just really liked that, like when you have a login for a website it grabs the icon for the website so it's easier to see in a list this is gonna be Amazon or this is gonna be California Pizza Kitchen, and she was really surprised and delighted by the UI itself.
Do you feel that or does it matter to you because you're a nerd?
Oh, no, no. It's I feel like I've gone from running a Linux product to running a Mac OS product.
It's a beautiful product.
They've definitely gone above and beyond what I need from a user experience in a product. It is fantastic.
From a UI standpoint, they've done a really good job there. Once you get over and again, when you're coming from something that you really did like, because I really loved LastPass as what it provided for me, you're trying to figure out like, how do I do this? Like I did in LastPass and some of those things I'm trying to relinquish.

[57:03] Equivalent domains is what I'll hold on to for a while, but I am, I am trying to step away and look at it from, all right, what's the proper way of LastPass? Do that? Like migration is, I think one of the things that thank you, one password. Migration is one of those things that I've been tripped, I got tripped up on, like you and I were going back and forth about how to migrate last night.
Yeah, describe, describe this problem. Um, because unfortunately I changed to a, a family plan long enough ago that I don't remember the process. I remember there being a stumbling step.

[57:33] But it doesn't sound like what you've run into. So, so Karen was an existing last pass, uh, one password user. You created a new vault and a family plan and then you're trying to migrate her in.
In. Right. Which I think probably was my first mistake. I should have made her the family plan and I migrated into where she was at. Just because where you came from. But if you both had one password account, you would have run into this. So what was the problem you ran into? So when I was trying to figure out, okay, well, how do I invite her to the fan plan? And I've, okay, there's the invite place. Let me just send invites out to everybody.
So when we invited her, what it's, I think it's probably part of what my expectations were from the product.
So what I had expected to happen was I clicked invite. I put in her email address, which is her current email address she uses for one password.

[58:27] And it would just be like a, do you want to join this family plan?
And while she's there and there was literally nothing more for her to do.
That's just not how it works.
Mem.
When she accepted the invite, I was like, why are you creating a username and password?
This makes no sense. I was like, okay, I've done something wrong here.
We'll stop. And even though she can go through the process, I have to accept her into the family plan before, I think, the whole process stops.
So I was like, let's stop right here. We actually haven't progressed any further. You and I chatted last night, but, uh, yeah, we need to do a screen share come where I get to see what's going on.
Yeah, of course we do. Or I need to, or I need to fly to, to, uh, Maryland.
That's even better. We'll make some barbecue.
Uh, so hang on. Where American.com.

[59:10] Where I got concerned was because we had that issue in the past with her having the six and seven vault and what I didn't want to run into is she already doesn't like she uses the password manager. Cause I finally, you know, strong password manager, but she loves it now.
Um, but what I couldn't have happened is that she's running into mix mashing of credentials, logging in and the vault looks empty.
Anything that makes it harder.
Yeah. And when in reading the, I sent you a link, we should probably include the link to the article that I found, which the one person said.
Not an article. It was a, it was a discussion forum, but we think the way it was written, it was the person who, um, it was somebody who worked there at one past.
It smells like, yeah. So it started in 2018, but most of the thread was in 2018.
So if you stumbled across it, I'm like, well, surely in the last four years, they've changed this process because people are describing, well, you can have two accounts with LastPass, one that is like an enterprise, one that is a personal or one that is a personal one that is a family with the same email address. And I'm like, what?

[1:00:13] It makes no sense. Like, so how do I know which one I'm logging into? And that's where I was like, all right, I'm hugely concerned that I could get something messed up with my wife. I'm like, this has probably changed over four years. So let me find the right thread. Because if I go down the pathway of this and I'm 100% wrong, I create a bad experience for the wife and the migration. And then I get flamed for why'd you use it, rely on a four year old article?
Yeah, I was looking for the new article that explained it. But apparently the process is, just create your new account, copy your data over, and then delete your old account and away you go.
Which again, it's simple, but I was expecting it to be invite them to the new organization, the family suck and they just essentially as long as they're logged in, it'll say, okay, we're just going to move your you're moved over to the family. We're going to decommission your old account and it just becomes like a seamless process for the user.

[1:01:04] I know there's a security reason in the background behind it, but I would have expected it to be a bit more seamless for the user to transition from personal into family without saying, open up two vaults and copy. In the discussion form, the person answering the question said, if it worked that way, where you just invite somebody and it sucks them in, they said you wouldn't be able to share vaults, which is huge if they did it that way. And you wouldn't be able to do recovery for other family members. Now, I don't understand why that's true with the way the architecture is done. But I absolutely do not remember making a second account. I remember our shared vault, we had to mess with it. We had to create a new shared vault and move everything into that. But that's the only thing I can remember having to do. Yeah. And here's the thing.
If let's say, for example, they're saying, well, your vault is tied to your encryption key. So, you have to, we have to generate all new encryption. Totally fine. But when I say to join the the family plan, it says, okay, log into your vault.
You'll see a pop-up that says you're joining the family.
And it just says, please wait while we re-encrypt your vault into the family plan.
You have your own private vault. They literally could do all this behind the scenes.
And it was just something that I'm like, okay, this cannot be like, I understand this, maybe this is, I thought maybe this is when they just added family plans.
And they just said, let's get it out the door.

[1:02:24] It's not the prettiest process, but we'll deal with it over the next couple of releases.
So I figured there has to be another article.
So what I have been doing is scouring and trying to find it.
And when we did the show, I'm like, this is what's frustrating me is that I thought I almost screwed up my wife's vault trying to add her to this family plan versus anything else.
So apparently that is the process. So I'll just copy paste and be logged into two vaults.
I'm saying, and by the way, it's not copy paste.
It's Command-A to select all, right click, move to, select the vault and you're done.

[1:02:54] Yes. I mean, the way you're saying it sounds like copy paste, copy paste, copy paste.
Come because the person in the forum said that they were doing that and they're like, no, you don't have to do that.
And I think four years ago they didn't have the move thing. And by the way, you can drag and drop too.
Which was a new feature added just recently.
I have not done drag and drop, but I have done. I think the thing that was, I felt like they didn't have multi-select when I first was messing around, but yeah, just multi-select and command A. Oh, you go command A.
Select all. It's mainly, it's usually like sometimes you want to select a region of credentials and deal with them. Oh, so shift select.
Yeah. Yeah, that does work. So overall, this is, this is what Rod sounds like when he's happy and loves something.
It's really good product. And I know it's funny because you're like, I, I almost didn't have him on.
He was so mad on SMR.

[1:03:47] I was so frustrated because it was like I literally could have messed up my wife's vault and I will never hear the end, but I'm, I'm not lying when I say I, I don't love the idea of MFA being on the record that's in the vault for the, like, individual saved credential, if you will. However, in the shared model, it is golden. Yeah, I don't, yeah, I cannot underscore how nice it is to, like, if you have something like where everybody uses the same account for Ring or Nest and you turn on MFA and you just share it in the vault and, like, everybody has the code. Anybody, your entire family can use the one credential, get into your Ring account and they, everybody can do everything they need to do. That is, it's the one brilliant idea where it solidified to me why there are certain accounts you want MFA on. So I'll tell you why, I tell you why I like it in the vault is I hear people all the time talking about migrating to a new phone and not being able to bring their, their MFA with them because they had it in a separate authenticator app. That is literally never a problem with one password because it just comes with you. I don't know any, I don't know why you would want to use a separate MFA tool except for the separation of security. Yeah, so not to discount it. Yeah, there's that, the separation. I use, I use Google Authenticator, I use Microsoft, uh, who's, I use both of those place.

[1:05:13] I do use a couple, but I use very once for different reasons, but I will say with some of them, I really do like the push.
I mean, and again, what, what we're doing in one password is very seamless because you don't, the dialogue pops, it fills and it goes, and you don't think about it anymore, which is nice.
Um, but with push, you just get a notification on your phone and you can complete the pushes.
I don't know what you mean. Ah, so, um, a long time ago, a company called Duo
implemented this concept that most people really love called push, which is you'd go to log in and rather than saying, hey, go get your RSA token ID and type in the six digit code on it, it would just push to your authenticator app on your phone saying, do you approve the sign in for, on this IP address, this user data, like you just tried to sign into Microsoft or you're approving it.
Then you say approve. And then you do your fingerprint authentication or face ID and it I would complete that on your computer, the login process would complete.
So push allowed when with.

[1:06:12] I think this is kind of the way my, uh, one of my investment companies works is when I go to log in on my desktop, it sends a push notification to my phone and, it looks at my face ID and says, yes, I want to, I want to let that in way harder than just having it enter the code and move on way hard.
Yes. When it magically enters a code, it is definitely harder.
There are some that, you know, Magically enters a code is easier.
Oh, no. Yeah, sorry. Magically enters a code is super easy, but push is, I'd say it's pretty diagonal easy because you just tap and you're logged in. And again, remember... Five taps.
It's, yes, I want to send something to my phone. Which phone would you like to send it to?
This phone, pick up my phone, let it see my Face ID so that I'm going to get the push notification.
The push notification comes up. I have to tap on it.
It then comes up and says, okay, do you want to allow this?
I tap it again. I say, yes. Now it does my Face ID another time because now it's the app asking for Face ID.
And then it goes back to the website. So it's like, it's easy.
Your bank was a worse experience.
So for me, my Android phone, yes, I do have to get into the phone, but I would, you pull down your notifications, you'd see like, you know, sign in here and I click approve.
And then immediately it just, it sees my face again. And it's like, so it is doing your face twice where I've already told the website, I've already authenticated to the website.

[1:07:39] Well it's authenticating you to the authenticator app saying, and it's like you're secure.
It would be cool to accessing the secure enclave on your iPhone to saying, I'm getting into another security area.
So I'm re validating the holder of the phone is who I think they are.
So I'm going to do a really quick face ID check before I allow this login process complete.
So for my work, I cannot complete the process with an authenticator app unless I log into, it. Other authenticator apps like the application provider may say, I don't require additional authentication.
So the app might pop up and just say, You'd like it to ask for your authentication.
I don't think that's a bad thing. Absolutely.
But I would rather not have this separate device problem.
That doesn't sound as fun to me. Security isn't easy. There's a separation that is nice.
But I think as a convenience of putting them in all in one place, I do.
I will say I enjoy, but I, I do have it on my.

[1:08:36] Less concerning items. I don't have it on my banks. Okay. So one last thing I want to give you a hard time for on the SMR podcast. You eventually figured it out. You cracked the code during the show. But one of your big complaints was, why does it log me out all one password log me out all the time? It does it so quickly. And you didn't, but you didn't go as far as to look in settings to see if there was an option to change it. And it was like, I have 45 minutes into the show where Chris kind And it goes, well, did you look in settings?
And you said, well, let me look right now. And you go, oh, there it is.
So here's the funny thing. You ran it for like seven minutes on this topic.
So this tells you sometimes, we all are glutton for punishment.
So I'll give you a story with work.
So on my work, when I log in, I have to use MFA, multi-factor authentication.
And the default is to put in the code. So I would have to open up the app, get the codes, type them in. I was like, oh, this sucks.
And I was like, I just, and I know all I need to do is go into 365 and switch the default method from code to app.
Literally I just changed one dropdown and say, use the authenticator app.
It will then push to the phone and I just click approve and I'm done.
So I've literally moved all friction. I know this. I've done it at multiple organizations.

[1:09:57] It took a year before it annoyed me enough to change it. So this was one of those things where it would log me off and I was like, But I need to get back in so I get back in and everything's great for a while.
Right in the middle of it.
Yeah. And then, mind you, I've only been a one password user for like a month.
So it's been scratching at me. And it's just like when we were talking about things that annoy me, it's like, oh, let me talk about this thing. This annoys me.
Because I hadn't looked into it because it was like, it's just annoying me.
But it's that little brother who just keeps scratching your arm saying, this is probably you yet. It's going to get you. That was one of those things.
So I've already changed that setting.
Okay. So there's two different settings we're talking about here.
I want to make sure we're clear because I have a second question related to this.
One is auto lock and it's set by default. It's lock on sleep, screensaver, switching users, but then there's lock after the computer is idle for, and I think yours was set to like two minutes and you can have it anywhere from one minute to never.
Uh, and, uh, you can have it eight hours. I think having it check out after like 30 minutes is pretty, pretty good.
Um, but there's a second thing was you kept saying, I kept having to type my password so you can have it unlock with Touch ID or your Apple Watch.
But you're not an Apple user anymore, but on your phone, but you do have a Mac, but you're probably talking about on your PC.
No, I'm talking about my Mac. So here's the thing.

[1:11:14] If in yours you use you have one monitor, but do you have your Mac up and open at all times? Right?
Like it's like your second monitor or no. Yes, and I have a keyboard with my, with my Touch ID on it.
I should just go get a keyboard with Touch ID. Yeah, so your problem is you're using your Mac in clamshell mode.
I'm old school. Oh, he's got an extended keyboard. Extended keyboard.
I've had this for, I couldn't even tell you how long. And it doesn't have Touch ID on it.
It's a fantastic keyboard. So I haven't, I don't, and yes, mine is in clamshell mode, so it's closed all the time, and it's under my desk. So if I want to solve the problem, I have to go into there, open it up and then screen resolutions all go out of whack while you open it, tap it, and then close it. So it's easier just to put the password in.
I will say the one thing it did help me do Is it helped me rememorize my password from putting it in?
Yeah, that's actually a good idea.
Yeah, that isn't the worst idea. But yeah, if you get one of the, I don't know if they make the extended keyboard with Touch ID, they do the little one.

[1:12:13] So I do type of numbers a lot. Yeah, yeah, no, no, I understand that.
It just takes up too much desk space. Why do you have it in clamshell mode?
A lot of people do, and I know Bart does now, and I don't get it.
Why not have more screen real estate on your desk? You just don't have room.
I literally have a 49 inch monitor in front of me. That's right. That's right. We did talk about the giant monitor.
I think I had Chris talk about the giant monitor that you bought as well.
It's massive. So I don't, I don't need any more screen real estate.
And it's very funny because it'd be funny to go from 49 inches down to like a 13 inch computer screen. So it's just, but it's additional I have 32 and 14. So I like that.

[1:12:53] So I, as I said, like sometimes I let things bother me. There are some things that I don't let bother me.
And one of them is if I have to, I usually wrote, I used to run dual monitors all the time. If one monitor failed and it was not produced and I couldn't buy anymore, I threw them both away and bought two new monitors.
I cannot have two non matching monitors where it's slightly off.
They can't get them perfectly aligned.
Like when I had monitors with three, yeah, they literally have to be butt side to side.
They have to look the same.
If they look different, if I'm dealing, yeah, color hues, all that stuff, they got to both go.
Start off with. It's a workflow thing, but if you're on your computer enough, I see people who have like a 25 inch monitor, a 13 inch monitor next to it. I'm like, I don't know how you do that. Because even dragging windows, it's like, oh, I'm too high. I need to drag lower because the size is, nope, not doing it. I've been there, suffered through that.
And I said, never again.
All right. They just spent 200 bucks a year money. You can get the Extend keyboard with the Touch ID.

[1:13:49] It comes in white or black. The black one's sexy. Yeah, I like these black keys.
This might be a buy. All right. There you go.
Before I spend any more money with you. And you need to go back to the iPhone so you can wear an Apple watch.
And cause I got all excited cause I got the touch ID keyboard.
And I thought, you know, I was having to reach all the way over to the right here to touch my keyboard on my Mac.
So I was all excited about getting this, but the stupid watch gets precedence.
So the watch is always going, I'm ready before I can even get my finger down there. So yeah, I should.
Yeah. I, there are things I do miss about the iPhone, but I will say the camera on these Samsung phones are just crazy. Good. So nice.
And the screen is unbelievable.
Well, that's a discussion for another day about why you went to the dark side.
The thing I find so fascinating about you and, and I admire it because it's something I don't have in my DNA at all, is that you can just abandon things.

[1:14:49] I couldn't abandon the Apple ecosystem. I mean, I'd probably sell one of my kids, the good one I'd keep, but before I could leave Apple, leaving one password would be heart wrenching for me to have to do that.
But you're just like, I'm not gonna use Apple anymore because it made me mad, even though it was 100% my fault, or my son's fault. And then, and you just go, I'm on Android now.
And I don't know how you do that. That's amazing to me. I would honestly, if someone would sponsor it, I would love to have you go on a challenge, like a 90 day challenge of you have to only use Windows, and Android phones.
Like literally you have to turn off everything Apple, like Apple TV gone.
Like you got to figure out your life for the next 30 days without anything Apple in your life.
No Apple Watch, no this, no that, Just 30 days and like see if you could go.
Oh, actually 30 would probably enough. I guess I think you'd have the shakes two weeks.
Oh, I'd have shakes within the day.
I did briefly use Windows at work for about three years and you could constantly hear out of my office, me screaming, people choose this? Because it was so bad.
I hated every minute. Now, to be fair, Windows Vista was the only Windows I ever used, but it was, it was, it was a nightmare.
I couldn't stand it.

[1:16:10] Yeah, but I would like, again, my day-to-day runner is a Mac and I struggle like when it's like, or I have to do like any creative workflow, um, I can't, I can't do those on Windows anymore. It's like, no, I need to use, uh, ScreenFlow. Like if I'm recording, I want to record in ScreenFlow. I want to edit it in Final Cut. I can use Adobe Premiere, but I don't like it as much as I like Final Cut for my editing. Premiere. Yeah, Premiere. Um, so there's a lot of flows that I really do like significantly better on the Mac, but.

[1:16:39] But yeah, switching technologies, I think it's healthy because you find what you'd like on each side of the aisle.
I couldn't do it. I'm a loyalty, I mean, I would go to the same hairdresser for like 35 years and I don't even like her or the way she cuts my hair.
But I've always been doing it so I'm gonna keep doing it forever.
Yeah, I found what's shocking for me, I use virtual desktops, spaces.
Yeah, it's called spaces, yeah.
On Windows, they have virtual desktops.
Literally, if you talk to Windows users, 90% of them never use it.
I don't know. What's a virtual desktop?
You know on the Mac, if you take three fingers and swipe on your mouse, you are on like a new desktop screen. Oh, spaces. Sure.
Spaces. Yeah. Windows, I think, okay, yes. Windows calls them virtual desktops. Mac calls them spaces. Okay.

[1:17:25] You happily use them and frequently use them. I love them.
I literally cannot change my workflow. When I get on Windows, I have to remember, let's control arrow to switch between spaces.
But if I talk to most Windows users, they don't even understand what it is.
And then you start explaining this feature that Microsoft add, how great it is.
But people are like, but you can't see it. I'm like, exactly.
Like you could take your email photo onto another screen.
And when you want to be in email mode, you just go to the screen with email.
And when I launch email, I can tell it to launch always in the space so that if I have to close it because it's consumer memory or something crazy, and I launch it, it just launches back in the space I want it.
I can handle that whole quote screen for my workflow. If I need to be in browser doing research, if I need to be in chatting, I can be over there, but I can be truly singular focus. And a lot of Windows users don't use it.
You'd enjoy this. On the Nosilicast, I had my buddy Ron come on with me to talk about how much we really enjoy stage manager.

[1:18:27] And how neither of us could ever get the hang of spaces.
And it just didn't work for us. It just, for whatever reason, it just didn't work for us and how we really like using stage manager.
Bart just came on last week where he did a long thing on acknowledging that for you guys, that makes perfect sense the way you think.
Here's how I think and why spaces is amazing.
And so we have both sides of the story of what works for different people.
But the important thing that you're trying to point out is we know about both of them.
We know they exist.
Now we are power users. So I don't know whether normal people even know that spaces exist.

[1:19:00] That'd be an interesting question to ask if we can ask the muggles.
But hey, I told you I had 40 minutes to talk.
I was mostly worried we might go too short. I should not have worried.
It's been an hour and 20 minutes.
So I'm actually gonna cut us off. No, it's been too long since we chatted. That's the problem.
But if people want to follow you online, The best place to go is...

[1:19:20] If you want to get me on Twitter, it's Rod Simmons on Twitter.
So super simple to find me, but head over to SMR Podcast, take a listen to the show.
We have a lot of fun geeking out. If you love food, BBQ and tech, bbqandtech.com.
And you can listen to what we do about barbecue. And tech, SMR.
That's so quaint. You're still on Twitter, huh?
I'm still on Twitter. I haven't left yet. Oh, massive. That's so much more fun. All right.
I'm going to have to go look at this because you said you were on it all this morning.
I definitely need to take a peek at this.
All right, well, I'll let you go now. Thanks a lot, Rod. This was really fun.
Thanks for having me. I hope you enjoyed this episode of Chit Chat Across the Pond.
Did you notice there weren't any ads in the show?
That's because this show is not ad supported. It's supported by you.
If you learned something, or maybe you were just entertained, consider contributing to the Podfeet Podcast.
You can do that by going over to podfeet.com and look for the big red button that says support the show.
When you click that button, you're going to find different ways to contribute.
If you like to do a one-time donation, you can click the PayPal button.
If you want to make a recurring contribution, click the weekly Patreon button.
Or another way to contribute is to record a listener contribution.
It's a great way to help the NoSilicastaways learn from you.
If you want to contact me for any reason, you can email me at allison at podfeet.com and you can follow me on Twitter at.

[1:20:44] Podfeet. Maybe you want to talk to other NoSilicastaways.
You can do that in our Slack group at podfeet.com slash slack. Thanks for listening and stay subscribed.

[1:20:54] Music.