 Well, it's that time of the week again. It's time for Chit Chat Across the Pond. This is episode number 760 for February 28th. Nope, I wrote that yesterday for March 1st, 2023. And I'm your host, Allison Sheridan. This week, our guest is Rod Simmons, who is one-third of the SMR Podcast. Welcome back to the show, Rod. Thank you so much. It's nice to know that someone as polished as you can make mistakes, like on date, like where you write, I usually will look at one thing and then like bounce around and I mess up date or the show number because I'm looking at the last show number and I just know to increment and I forget to increment, so. I've been talking a lot about that increment problem, but this time I can blame TextExpander because I wrote the notes yesterday and I have a TextExpander snippet that writes the intro for me. So I wrote it yesterday, which is why it says yesterday's date. But hey, the reason I asked Rod to come on the show is that he, like many people became, and I'm gonna be generous here and say that we're disenchanted with LastPass after their progressive disclosure of security breaches. And he's migrated to 1Password. I wanted to hear about his migration because he, boy, he did it. He did it. He did the migration and there's a lot to this. I wanna tell you guys upfront, and I didn't warn Rod that I'm gonna say this, but he has an incredible ability to find the bugs and bad things in absolutely everything. It's a talent. And so he might not be the cheerleader type that I am. I tend to see everything half full and he's kind of maybe he'll begrudgingly give you 12% full, something like that and everything. So is that a fair assessment, Rod? Yeah, I mean, to be fair, I work in product design. So I certainly, well, certain things tend to just pop to me because it's like, oh, that's not how I would have built it. And which means it's not right. Of course not. And that's just, I think that's probably just a flaw of the career field being in. 
 But yeah, I feel like I like to say over time, I tend to push products to definitely the extremes of, and I find little bugs, but I'll say with 1Password, but I don't feel like I've only found one thing that didn't really work the way I intended it, but it was an edge case, so I wasn't worried about it. It's so far. Oh, I don't wanna bury the lead, but so far, good. I'm liking the app so far. Okay, that's about as positive of a rating I've ever heard Rod give anything. Yeah, forgive me if I'm wrong, I don't wanna get into details of your actual career, but you've got somewhat of a security background. Is that it? Yes, that is correct. The software that you work with. Yeah, so I mean, I can tell a little bit of background. So I started my, you know, if I don't wanna go back too far, most people will start guessing my age at that point. But if I went back 20 years of my career, I really focused on like, I was in the Windows space, Active Directory onboard it, maybe like migration, all that kind of stuff. And then at my career slowly evolved more identity focused. Like looking at threats, persistent threats, detecting threats, mitigating threats. And then around, like now I'm really focused around governance, identity management, and all the security that has to do, but I get it around identity and governance and reducing risk for organization. So I'd probably say the last 10 to 15 years of my career have been really heavily focused on either threat detection, threat mitigation and or understand, like really focused on identity as it relates to users and enterprises. Okay, so not at the regular user home consumer level, but certainly attentive to things along the security lines, especially with password managers. Yeah, and honestly, I'd say, if you look at the enterprise, I feel it's fundamentally no different than the home user. It's just, it's at scale. Like we all, as an end user, we deal with identity management. 
 If you look at you as being the identity and I have all these accounts and I need to manage them across all these bit disparate systems, you're dealing with the same problem enterprises are dealing with, but they just deal with it for every single employee, every single account that they're provisioning to the user. So it's every problem that the enterprise has, it's just, they deal with it at scale, you deal with it on your own basis. Except if your company isn't real smart. I remember I worked for a company that I did a series of video tutorials, not unlike what I do for ScreenCastsOnline, except I had to do it on Windows, on Camtasia and it was the worst piece of software I've ever used in my entire life. But anyway, I did these tutorial videos and I learned about LastPass and so I did a video tutorial on LastPass and explained how it worked and how now we can store passwords in the secure vault and all this stuff. And within 10 minutes of me posting it, security took it down and banned LastPass from our domain. Because they didn't trust that, well, there was this free version and if there's a free version that must mean they're selling all your data and so we can't possibly have that. So there were no password managers. Now I did retire a decade ago, I don't know what the situation is now, but a decade ago, there was a way to have your password secure and they didn't let us, so. So I'm sure Bart has probably told you about this many times, but I will share along. If anybody's interested, I think this is a really cool thing. If you want to know what's happening in the enterprise, Okta, O-K-T-A. They do a really cool report every year. I'm gonna drop a URL in the chat. They do it every year. This is a 2022 report, but it's called Business at Work. The very cool thing is you see what applications businesses are using in this report. And- By business or? It doesn't really break it out by what businesses. 
 It just says like, okay, these are the most popular apps in enterprises. It gives you like, and if you scroll through the report, you'll quickly start to see like, okay, you start off very broad level looking at it by category. They call out some specific apps. LastPass was one of the growing apps from 2021 as they did the report in 2022, which, oh my gosh. Hindsight would have been 2020 here. But as you start to scroll through, if you just search for 1Password, you'll see 1Password is actually on their chart of one of their top growing applications. I think it grew at like 198%. Was that before? In the enterprise? That was 2021 going into 2022. At the same time, LastPass was growing, 1Password, where they were both on a very good upward trajectory. While LastPass was probably more dominant. So I'm really interested to see the report in 2022 or the report that covers 2022 that we get 2023 and the 2023 and 2024 is to, does LastPass just totally fall off the enterprise password solution market? Because I would imagine the report that will report the end of this year will see a change. But it's a really, again, it's a really cool report. If you're just trying to figure out like, what applications do enterprises use? You'll see like a what's most important like Netscape and Postman and Intercom. But 1Password is down there. It's second from the bottom on the fastest growing apps with unique visitors. Did you just put Netscape in that list? It's not, oh, sorry, Netskope. I said scope. Sorry, I didn't say scape. Yeah, I apologize. This was from 1957, right? Now you do have to create a login in order to see this report, it looks like. No, the URL I gave you should have been free. If not, I will, I'll send it. This should be a, I sent you just the link right to the, if you Google search for the name of the report. Oh, that's weird. No, you're right. It is. I don't know why you asked me for it. Yeah. Yeah. You should be able to get right to the report at no cost. 
 It's a, again, it's a fantastic report that they put out. It tells you a lot of information about, because if you think about what, sorry, if you don't know what Okta, if the heart Okta is like an IdP, identity provider, and all they're really trying to accomplish is, you don't want to use Microsoft for authentication. You want to use Okta, but they can understand what apps, what applications your users are authenticating to. So you take your token, you go and you want to log into 1Password. They know that that's a unique new user going to 1Password. So they can say of our user base, which is massive, not as big as like Microsoft's Azure Active Directory authentication platform, but it's huge. And for them to be able to provide this data and you can see growth, you can see trends in the marketplace. So it's a, it's a fantastic report. If you've never, never seen it. And again, it looks like it's about a million pages long, but if you like that, my scroll bar is the smallest scroll bar I've ever seen. But yeah, this, it's, it's long, but you can zoom to the, to the graphics and stuff. Yeah, I think of it as the Verizon data breach report. There are very few people who read it in entirety, but everybody like looks through and says, what is this graph? What is it saying? Okay, next graph. This is a great report. If you're just trying to get statistics or if you work someone in this field and you're trying to sort of verify like, Hey, what are the popular apps should be looking at? And you're trying to figure out what other companies are using. This is a great way to get some dynamic data. So there you go. Interesting. Okay. All right. Back to the topic. So just to get people up to date on what LastPass did wrong and why was it so egregious for you to abandon the product? And by the way, there was a new report out from LastPass today with their final findings. So why don't you just refresh people? What did LastPass do? 
 What was, what was so bad that would make you leave? Yeah. So I'll start with, I was, I was a LastPass user and I feel like it's been like 13 years, 13, 14 years. It's been a long time I've been with LastPass. That's hard to break up with somebody you've been with. Yeah. That's a good relationship right there. And I want to start. The fact that they were breached is literally the least of my concern. And it sounds really odd because most people like, mind you, if I went back 10 years, I would ask people how many people have been involved in a data breach? You'd have one hand raised in a room. And then as each year, that number would multiply. It was like a, it was like this exponential curve of having people in a room. So everyone has had their data lost in a breach and that's not the bad part. The bad part is, how does the organization handle it and report it? So for me, LastPass lost my trust. And that's right there. I just, I couldn't keep my credentials with them. Not because like, I feel maybe they didn't, they don't have the greatest security controls in place for enterprise management. That's, yeah, I don't want to overstate it because again, I don't know their internal process, but it feels that way, a little bit of kinds of what happened. So I'll give you a great example. Someone was able to compromise credentials on a laptop, totally fine. They were able to exfiltrate out data, but there was nothing in that said, hey, this is abnormal data for Rod to be downloading all of this stuff. Like even though I'm an authorized user, I should have access to it. Isn't it abnormal that I'm doing this? Like it didn't pick up on any anomalies of my behavior, but for me, the biggest part was, if they would have said like day one, as soon as they learned we've been breached, we don't know the full scope of what we've lost, but we do feel that there was some data loss. It may have been vaults. 
 If you want to take as much corrective access as possible, we'd recommend changing passwords. And that would have been what? Like last May or March or something like that. It was pretty early last year. Yeah, I thought it was until August. I think it was August. Oh, maybe it was the second one. August, I know August through October was kind of a big one. Because there were two incidents. Yes, I thought it was August through October. Maybe there was another one right before it. But again, for me, it's disclosure. Tell me as fast as you can, so I can make a quick decision. And for me, again, I don't like changing 400 passwords, but if that's what I have to do, that's what I'm gonna do. For how I use my vault, I've definitely changed how I'm using 1Password compared to LastPass. And I'll talk to that a little bit as we kind of get into 1Password. But the type of data I was storing in my vault, I started realizing, like, oh my gosh, if someone actually could decrypt my vault, so I'll give a good example. I've always said, I don't, when I go to a site and it says, okay, well, you have to set up how you get back in if you forgot your password. I would say, all right, it doesn't matter what question. I'll just choose a random question. I would copy what the question was and put it in a note on my vault. And then I would just generate a random password and put it as the answer. Right, that's what I do. So my answers were never valid. Right. The problem is they were in my vault. So now if you compromise my vault, you had my username, my password, and all my question answers. That's a thing. And I was like, uh... Yeah, but that's one source you are supposed to trust. Trust. I know. And if... Oh, behold. But I think that was one of the problems with the LastPass breach was that we found out that certain things were not encrypted. And we do know with 1Password that those same things are all encrypted. 
 One of the things that gave me the most angst was, and I always get the acronym wrong, it starts with PD something K, F2, it's got a lot of letters. Yeah, the rounds of encryption they do. Yeah, the rounds of encryption. So from the current recommendation is 600,000 rounds of encryption passes. So they go through your password and they hash it and hash it, hash it over and over and over again. They were not doing 600,000, they were doing 200,000, but only on like recent vaults. And if you had an older vault, we kept hearing progressive disclosure of how few passes there were. And I had a test account that I had no live data in and mine was at 5,000, which is basically, you know, somebody with... When it first started. With the smallest Raspberry Pi could crack that in about 10 minutes, right? So, I mean, I'm exaggerating, maybe. Probably not actually. Not by that much, right? And so they did up people, but they didn't do it retroactively. Like new accounts got it. And when you talk about the security controls that they had, that's a really perfect example of where they didn't have the security controls in place to protect the data, right? Yeah, so, all right. So my vault at one time was 5,000. And that was, again, 13 years ago. And then I remember an episode of Security Now where Steve Gibson made a comment and said, oh, you should up it. I think it was when they let you go up to like 20,000 or 25,000. And he's like, you should just choose a number randomly because you don't want to give away exactly how many you're using. You want to be somewhere in that general range. I was like, that's probably a valid statement. So I increased mine. And I've subsequently, over the years, just always increased their number of rounds of encryption. I never even knew it was a setting. I mean, most normal person would know. Wouldn't know if it works and watch the Security Now. 
 What we did, we didn't learn much in the briefing that came out today from LastPass, but what I did learn that I didn't know before, maybe everybody else knew, is that one of the things they lost unencrypted was how many passes you had, how many iterations your vault had. So they can now sort that by, okay, here's all our 5,000s and let's just scrape those right now. They also gave away how many, like the other thing that was lost, and this is, that's another thing that really pissed me off. Like the rounds of encryption, I damn, I know I hated that, but they do have to store that, that they stored last time you visited a site. So to me, what that kind of leads on to an attacker is what do I actively use? So it also, it gives you two good ways of looking at attacking a user, identify people with the highest, the lowest rounds of encryption, and then go after that, like you could either go off to the sites that look enticing, because you know the URLs, so you know I have an account there, and go off to things I don't frequently use and work your way up the stack, or go off to the things you know that I actively use, because you know the credentials are valid. You can look at it either way, either way it's bad, and... Or the cross-section of the two. We did also learn, you're gonna be talking about this with 1Password in the transition, but the, what does it called equivalent URLs, like where Google.com and Gmail.com are the same? They lost that list that you had self-created. Not only did they, of course, the list that they offered you already, that these things are all the same, like Audible's the same as Amazon, that was public knowledge, but they lost whatever ones you set up as well. Yeah, so equivalent domains. So I'm not too concerned with losing equivalent domains, because I think that's a... Additionally, it's the additive nature of these things. Yeah, I know, it's a death by a thousand cuts. You just like rubbing salt in that wound, don't you? 
 Yeah, I don't like that they lost the data. Again, I will always come back to my bigger issue with them, was the speed at which they disclosed it, disclosed data to us, and that just killed, but equivalent domains, it's one thing that I deeply miss. Let's get into that one second, because I wanna say one more thing that bothered me about the LastPass breach was that they still haven't, even in the new report, because I read the whole darn thing today, they don't tell us what the date of those backups that they lost were. So if they lost backups from a month before the breach, and you had 200,000 on your iterations, you're probably okay, but if they lost them from five years ago, or 10 years ago, or all of them, 13 years ago, then they have an encrypted version of your vault at 5,000 iterations, even though you have diligently gone in and changed it. So they still haven't told us when those backups were. Yeah, and I think probably, if I had to guess on part of the challenge is, maybe a lot of, oh no, even if you, it depends on how they're backing up the vaults, because there may be certain data that's quote, not vault data. So if a lot of, some people might put credentials in, they virtually never change. So to say, there could be a challenge of how they're trying to articulate what the date really is, because one person might wanna say, what date is my vault? Like, versus what, but saying, look, we lost backups for everyone's vault as of this date, I think would have been the most accurate thing to do. It would have just, it gives you a general idea, but if I'm trying to remember the LastPass UI, I don't think there's a way I can see the last time I changed the password. And I know I can see the last time I changed the password, but it's not really, it's you have to look at every single item. 
 There's no way you can see like last updated password changed, like in a very clean, if I remember correctly, in a very clean way to see that, because then at that point, if you know you lost it on August 1st, but you've changed a bunch since August 1st, you'd say, well, these are safe. So I just need to start changing the other ones, but I think for most people, most of their passwords are aged a little further than they should be. Yeah. I think 1Password, I seem to remember one of the things Watchtower gives you is something you haven't updated in a really long time. Yes, on LastPass, you could do the same thing. The challenge I think with when you're talking password age, you really just needed a, it was changed on this date, and I need to sort by last date change on the password so I could go and attack the ones that potentially would have been known by the attackers because of the bundle that they have. And I don't think anybody really provides that, but there's not really a good use case to provide that. What you would, LastPass, 1Password and all the vendors typically say, you haven't changed this password in like 234 days, get to work. So it's telling you that they're just really old, like get on these items. Right, the chances that you had a good password that long ago were fairly low. It's, and by the way, these things aren't telling you, change it every 30 days or any of that nonsense. We already know that's a bad idea. All right, let's shift gears. Bottom line, they lost your trust because they didn't disclose properly the right information at the right time. So they're dead to you. Now, how did you decide to go with 1Password? Did you do a big old matrix of all the different possible password managers out there with feature lists or? So nope, I listened to two close friends. 
 You, I know you're a huge 1Password user, so that was already one top of the list for me to take a look and consider because you gave glowing recommendations for it and I've heard you talk about all the security with it. So that puts it on the list, at least of things to look at. And then Bitwarden was, I had a bunch of friends, security guys who were using Bitwarden swore by it and said it's a great password manager, should at least give it a look. So that put those two on the top of the list. I'm sure you're thinking, what about Dashlane? Because Dashlane has some really cool features, but I had a friend who had credentials in Dashlane and then they went to this kind of fund paid model and his, as he described it, my password got held hostage until I paid the fee because he was, I'm assuming he was in between where they went from free to paid tier at the number of credentials or time range. And then he couldn't get access to anything where it was free at one time and then it went to paid. So he felt it, they held him ransom. So for me, they were off my list because of the bad experience I heard a friend went through. So for me, it was two password managers, Bitwarden and 1Password. Okay. All right. So you took a look at the two, how did you decide 1Password over Bitwarden? Just Bitwarden annoyed the love of me. And Watch your tongue. Yeah. Sorry. I apologize. There's a lack of polish. So there are little things in Bitwarden that like I say would drive me crazy. So a good, one good example. And I, again, reaching out to the friend saying, okay, you're using this. I've imported all my LastPass credentials. Great. Now what I'm trying to do is I have a credential and all I want to do is click on the three dots and move this credential like into a folder, tag it some, like some type of concept. 
 And they have a concept called tagging, but you can't add a tag to a credential unless you click on the credential and then you can add your tags to it like by going into or folderizing it. You had to go into the credential to add it to a folder. But for me, I only had like four or five like category folders as I was scaling them up because I was reorganizing my credentials as I wanted them. Like, why do I have to go into the credential to find something to then add this in here? So that's like little UI clumsiness. Yeah, little UI clumsiness. And the funny thing was I was like, all right, maybe I'm doing something wrong. So the first thing I tend to do is I don't assume that I know everything right. I go and start looking at the forums. And many of the items that like I kept stumbling over with Bitwarden, a lot of people were complaining about in the forums and the forum threads would start like 2015 and still be complaining about it in 2022. So it tells me that it's not that I don't want to imply that they're not doing active development. They really are. Because they have some better, like the OTPs that both 1Password or yeah, 1Password. OTP is one-time password, by the way. Sorry, yeah. That's okay. One, LastPass didn't have that or at least I never looked for it. So to me, those are great features. They're, well, to an extent, I'll explain why I don't love them a lot but that's a different story. But they're great features that they're adding on. It just feels like they're not getting at the little nickels that bother people. Yeah, there's just sharp corners. And I wanted something for the family. So it had to be better than what my wife was using and it's just not. It's from a general end user. She's using 1Password. Oh, okay. So she's already 1Password user. She's an already 1Password user. So if I was gonna give her something new, it literally had to be a net increase in the quality of her experience versus a decrease. 
 And I deeply feel after using 1Password, it is a far better end user experience. So if my wife won't complain, my kids won't complain and I can use anything but I only wanna pay for this thing one time. So it's not to be too much of a cheerleader for 1Password, but it's in my personality. When 1Password went from seven to eight, there was a lot of hue and cry and annoyance about it. The main thing was. I fixed myself. What's that? You fixed my wife's problems, remember? Yeah, that's right, that's right. Well, but the biggest thing was that they became an Electron app so that it worked well across all platforms. And I can't blame them for wanting to do that. And they did a really, really, really good job of an Electron implementation, I should say. I think they did a good job. It's fast, but they had a bunch of problems with usability and people just screamed at them and they just came out with an update where they went, okay, we heard you. You said this stunk, this stunk, this stunk. You hated this, you didn't like this, you didn't like this, you didn't like this. Yeah, we just fixed it. And so unlike Bitwarden where the complaints are heard but not addressed, I think, I'm not saying it's perfect. I'm sure there's complaints people are gonna have to me about what they don't like still but they are reactive to that and I think that's great. So I don't, I guess I don't have the historical bad, like, let me explain the problem I ran into because this will also explain why Allison was like, you were wrong on how to migrate. Oh, he was talking on SMR Podcast and I was screaming into my phone just going, no, this is all wrong. So I think it was from six to seven. My, I think I'm pretty sure, yeah, six to seven. 1Password at some, my wife somehow ended up with two vaults. So, but the, unfortunately I wasn't a 1Password user. So to me, nothing made sense. 
 It was like sometimes like she would be in the browser and when she'd log in, she'd see some credentials but on the desktop app, she wouldn't see the same things. So she's in this very weird world but it wasn't literally making, I was like, I don't understand why and when it was like, Allison's coming to town. I was like, thank God a 1Password user could figure this thing out. Cause it didn't make sense. I was like, I don't know why something's in the desktop and not here. And I just couldn't figure, I just, I didn't want to dig into it but I also was like, I don't know which one's right, which one's wrong. And Allison was able to figure out for somehow her browser was stuck in one version with one, in one vault or another, the desktop app was in another version with a different vault but each vault had the same credentials but every time she would add something. There was duplicates and everything going on. So it was like just, okay. Yeah, so one of the things that is a big difference between LastPass and 1Password in LastPass, if I wanted to share a password with Steve, I could take the password and say, I'm going to share this with Steve. And then Steve and I, and we could share it so that we would both be able to change it. But you do it on an individual login or credential element individually. In 1Password, you create these vaults and it's just, you have a shared vault. So, or you have a work vault and a home vault and you can easily right now with 1Password 8 and it might have been in seven, in the later versions of seven, but you can just drag and drop things into these different vaults. So if you're looking at one vault, you'd be going, where did all my credentials go? I don't know where they are. And they're actually in the other vault. So the whole concept of a vault would have been something you had never seen before having been a LastPass user. Yes. And I like the sharing in the family. I think it challenges across to friends. 
 Like if I want to share a credential, I think the max I can share it with you for is 30 days. And I can't share something with you through perpetuity. And I wish that there was an option that I could share long-term. So a good example is when you're blogging with somebody or you're doing a podcast or you have like a shared account to log into your web host. And it's just one account. Anybody who needs it can get to that one account because you can't provision any other account with this particular level of access. So all the people who need it, but we don't want to be on a family plan. So that is the one limitation I still was sharing. Again, it's a minor, but it's, I don't want to say it's an edge case. But what I do like about the family sharing and I haven't tried it, but I'm sure this works is that if you put the MFA on top of it for credentials at one point in time, you're like, well, I'm sharing this with somebody, but I have my phone with the app and they can't log in. Now I can share a credential with them. It has the MFA code across my family and everyone has it. So I don't have to weaken security for a site because I want to use MFA. You just roll the MFA inside of last or 1Password and it's on the essential, the record in the vault. That makes sense. So let me use some more words around this. So people know what Rod's talking about. You're deep into it. And most of our listeners are into this stuff. But just in case when he says MFA means multi-factor authentication and he's talking about how you can add a one-time password to an entry, one of your things in your vault. And so I never knew this was there until I watched a ScreenCastsOnline video that Don McAllister did about 1Password. It's so weirdly buried when you open up, instead of being an obvious thing of two-factor authentication, which I think it should be surfaced like right at the top. I think it should be there. 
 You have to go into add more, one-time password, and then there's a little icon that looks like a miniature QR code and you tap on that and then it'll recognize if there's a QR code on the screen for the site you're trying to log into. And it actually changed how it worked in different versions of it. You can also type in the one-time passcode. But I personally think that that, from let's complain about product design, why is that not near the top of things that you would know where it was even there? I think it should be when you're looking at a record and you click at it, it should be right there on the screen. The way I stumbled across it was looking in Watchtower and Watchtower would say- Explain what Watchtower is. Oh, sorry, Watchtower is equivalent to, well, let me talk about 1Password. It essentially analyzed your vault to find all the things that you should fix to have a better security hygiene. So for example, password reuse. It'll tell you that, hey, you have password reuse. Every vault, I think does one thing wrong when it comes to password reuse, is doesn't say, hey, these three are the same. So you know what, like how your quote duplicated or triplicated or quadruple, whatever you wanna look at it. So it will tell you the password reuse. It will tell you, I think weak passwords inside the vault. I don't have any- 1Password does show you which ones are the same. Oh, I don't have any that are the same anymore, so. Yeah, yeah, no, it will show you. I mean, so it says- It will say that this one- I have one for California Pizza Kitchen, I have one for CPK, California Pizza Kitchen, cause one is the ordering site and one is the menu. So they are the same. So they're equivalent domains, right? They are, yeah, and let's jump to equivalent domains. So this is a phrase I'd never heard before because it was something, it was a feature named that in LastPass. 
But from what I understand, this is where you have two different things, let's say CPK and its ordering system, which is like SnapFish or something, I forget what it is. It's something else. Those two things are the same place, therefore I have the same password. It never occurred to me until somebody mentioned it to me just like six months ago. Well, just put both domains into the same entry and then you don't have to have separate entries and then it won't be, it won't look like an error. 100% an absolute true statement. However- It didn't occur to me. It is SnapFinger, I'd guessed right. Yeah, it does require you to update the vault versus the vault just, because over time, what winds up happening is that you've saved things over the years and like for example, today, well, actually let's go back in the day. At one point in time, you had a Sprint account. Well, Sprint was Sprint and then you decided, I hate Sprint, I'm going to Nextel or vice versa. And now you have a Nextel account and then Sprint acquires Nextel. I have to tell you that association. So I may have never went and got rid of my Sprint, one that was sitting in my vault. I didn't do the hygiene and cleanup and I now have this Nextel thing, but they got acquired and it's really the same thing. So now the system in the backend could just say, look, these are equivalent domains. Don't worry about the records anymore. It's okay. So the equivalent domains takes care of things that, A, I don't, like sometimes the user doesn't know, like you know that Apple is the same thing as iCloud. They're absolute equivalents, but most users don't know all the various equivalents. So if you get into like, you have Bing, Hotmail, Live, Microsoft, MSN, like Xbox, Azure, they're all the same. And I'm giving you very obvious ones, but you start to get into like very obscure ones, but actually you know, amazon.com, amazon.com.be.ae. 
And then the list and you just, you're just always at a cascade down this rabbit hole of all these equivalent domains that you just may not know what to do. And you don't know that they're quote equivalents until you stumble across them. And it's nice to have that categorized list. Someone has actually done the work for you. And I think it's something you can also crowdsource and share. So you went on what I'm gonna call a venomous rant about the fact that 1Password didn't have this feature. And it would have never occurred to me that this was something that would be helpful. It is tremendously helpful because here's the thing, when you have equivalent domains, if I go to, if I'm at Microsoft.com. You mean predefined, and by that you mean predefined someone else has done the work to tell you that Skype and Microsoft 365 login are the same. Yep. So when I go to like xbox.com and I already have a Microsoft account, just says, yeah, you want to log in with the Microsoft account. So I never actually make the mistake of doing the create or doing this and then saving it because of them being equivalent. Like there's no work on my part because it just says I'll pop the credential because they are equivalent domains. And again, if you look at someone like 1Password, they're trusted to kind of do some of the management of this stuff. And most of the lists that many of these vendors come up with, they're, I don't want to say they're the obvious ones, but LastPass was a very extensive for the number of equivalents they had. Like there are some that I'm like, I never use it, but if I stumble, I'm okay. I know I'm covered. Yeah, but how, just because they have hundreds of those, how many do you actually need? I don't know. And it didn't matter. I never had to think about it. That was the beauty is- But it's maybe 10 or 15? It just seemed like a huge deal to you that this was like the end of times as we know it because 1Password didn't have this. 
And I thought like, hey, that's kind of a cool feature. It grows over time. And again, it's one of those things, it's almost like you don't know how great something is until someone just takes it away. You're like, man, this was really nice. Like I didn't realize I used it. And for me, it was a lot of sites like Marriott Properties. I had to deal with this with Microsoft. I had to deal with this UniFi, which at one point time I never had, but UniFi has two sites, UBNT and UI.com. And again, like I say, the list just kept going on and on and on and on and on. And it was many of the vendors, by the nature of 1Password doing this for me, it prevented me from accidentally creating these other credentials. And then getting myself out of the sink of what the heck's going on, why aren't things working? The equivalent domain global setting saved the user from trying to figure, like essentially you're putting it on top of the user to figure out what our global domains or the global domains. So, but again, there's a solution. That would have been cool. I mean, my favorite, if I could complain about 1Password, about one thing is in general, when you do a search, it searches the names. I think there is a way to search farther in, but I have a login called Microsoft OneDrive Skype Office Live. Actually, I need to add 365 in there so that I can find it because whatever I'm searching, I can search for Skype and I can't find my Skype account because it's under Microsoft. So I had to put everything into the title so that it could find that this is all the same dang thing. Just put the extra URLs in, you're good to go, you never have to think, yeah. No, no, no, they are, but I'm saying what I'm searching for, what I'm searching for. Yeah, you're thinking of it because you're on 365 or you're on this and that's where your brain is. Yeah, I mean, Skype app, that's not an equivalent domain at all. It is, yeah. No, the Skype app is not a domain. That's not equivalent domain. 
No, I don't use Skype credential to get into Skype. That is correct. Well, but I mean, it's an app, it's not a domain. So the equivalent domain wouldn't help me. Well, on the, is on the iPhone doesn't it work? I felt on the iPhone, like if you, I know with 1Password you could, or LastPass you could, yeah, I've done it with 1Password where you go and you launch an app and then it's, when the username password it feels it will search. Sure, sure, but there's not a domain for it. It's always been accurate for me. Yeah, but it's not a, there, it is an HTTPS colon slash slash something. Yeah, but I'm assuming there's got to be a way it figures out because like if I like earlier today, somehow it knew like I, when I logged into like my HR benefit site, it says, here's the one. It's like, yep, that's it. Click. So somehow it's pulling something. So I'm assuming that the apps are sending a well, a domain to these, I don't know, there's got to be something they're doing to figure it out, but I know that 99% of the time there's very few apps I deal with that don't work. Okay. So let's talk about the process you followed because I do know people have abandoned LastPass and the people I'm most proud of, my daughter, Lindsey and her husband, Nolan, I was so bummed about the LastPass breach because we had just convinced him to use a password manager after years and years and years and years of badgering him. And so having to write to him and tell him, yeah, so you're kind of on the wrong one. But he confessed to me that he really liked having a password manager. It made him really happy. And so they just went, okay, we're out. What should we do? And I had a family plan where I was able to add Lindsey without any extra cost. And I think Nolan cost me like $2 a month. I said, I will pay for this because I feel so bad. I'll add the $2 to my account. And they just like did it. I mean, they didn't call me. They didn't ask for any help. They just did it. 
And then they went in and they said, okay, all our banking stuff and all of our insurance, I think we'll change all those passwords. They went into it, all the important stuff, but you didn't just do the important stuff. You literally changed 400 passwords. Is that right? God, it was awful. Yes. So what was your process? How did you do it? All right, so I'll start with, there's one feature in last and 1Password that made this 10 times easier for me. I shouldn't say 10 times, but it made organization of it easier. I, so Chris, another guy in SMR, what he did was he was, he would create them in 1Password and then delete them. So create them, change them and then delete. I was like, I'm not doing that. I created a new vault called LastPass and put all my credentials in there. And then as I would go through and change them, I would move them to the private vault with the one that is just mine. And it essentially gave me a to-do list. Everybody likes to-do list. So was it just a to-do list? Go through and change all these. So I could change the credentials. I could add MFA. So, and that's what I found is like, if I was in there and it didn't have MFA configured, I was configuring MFA. I was changing passwords. I was making sure I back up codes. I was changing security questions and then on to the next one. So that organization alone. That's actually a really good way to do it. It was, for me, it was a game changer because it made it 10,000 times easier not to which one did I change. And again, I wanted to work off of a, I didn't want to start from A and go through Z, like I either first credential on the list and then go through the last. You wanted to start with B for bank. Yeah, important, important, important. So, oddly enough, while banks, the first day I changed everything that had direct access to money credit cards. Oddly enough, and if you don't like, or like if you're a Starbucks person, like Starbucks, as you might as well call it, it is a bank. 
They just don't, they never give you back your money. But like things like that, I started changing all those credentials. Like, did you change your email password? The right on the same day emails all went away. So the nice thing about having everything out in a CSV file out of LastPass was I was able to sort by usernames and identify the most predominantly used email addresses. I don't say 100% of the time, but 99% of the time you're logged in for most sites is your email address. So what I wanted to make sure is that I was, you get your emails, because sometimes you forget like, oh, I forgot I had that email address. So by organizing it, I was able to kind of go through and make sure, like, okay, Gmail's first, then this and then that. And it reminded me that, okay, I don't use that email. No, I'm talking about actually changing the password to your email. Oh, that was, yeah, that was day one. So day one was all the email addresses, and because again, sometimes you have an email account that you're like, I totally forgot I created that years ago and I don't really use it, but I was like, all right, well, if I'm changing, I'll change that as well. So I did all my email accounts, all the direct financial stuff was accomplished on day one. Let me interrupt for a second and explain, Bart has said it, I've said it, but I'm just gonna say it every time the subject comes up. The single most important thing to change is the password on your email. And that sounds counterintuitive. You would think it would be your bank or your iCloud password, but if your iCloud password is your email password, definitely it is the number one, but it's the number one because that's how you get password resets. So someone has access to your password to your email, then they own you. They own everything. You're game over, man. 
I mean, there's MFA and stuff that could protect you, but change that first, change your email password, and then start working your way down to where you use that email password, right? Yeah. And again, as long as you're changing the password, if you don't have MFA, multi-factor authentication, super easy to configure at that moment in time. And because of my model of my security questions were stored on each one of the records, I updated all my security questions and all the answers for every security questions I went through those. Now, did you move those to a different service? Yeah, I store my, well, I'm not gonna tell everybody, but yes, I have them in another encrypted area that my security questions and MFA backup codes are stored on individual records that match the names of my sites in a different secure storage. So I didn't want to- That's messy. It is, but it allowed me to make sure that if for some reason, something happens with 1Password where I lose it, I'm hoping that I won't lose all the question answer because that, it took me a lot longer because I had to go through and like, sometimes it's hard to find where you do question-answer changes on sites and some sites don't have the question-answer change. So you're looking for something that actually doesn't exist. Yeah, that's tedious. But it took me a little longer. So I was like, I don't wanna go through this pain again and I also don't wanna go through having to disable MFA, re-enable MFA, get new codes, hopefully that I should be a little cleaner. So are you trusting 1Password for the one-time passcode with the QR code and all that? Are you doing that or are you keeping it in a third-party authentic? This is both. So this is my little thing that I like and I don't like about 1Password. So I was really scratching my head because like Watchtower kept saying, you have all these sites without MFA and I'm like, I'm looking at this. I'm like, my Microsoft account has MFA on it. 
I'm like, I know I'm looking at the MFA code right here. Oh, but 1Password doesn't know about it. Right, and so all they support is to say ignore this. And I wish there was an option. They needed to ignore this button all over the place. Yeah, I just wanted to say, I don't, it's not really ignore, it's just, it's managed elsewhere. Like I'd like to say already managed. So it's not, I feel it's a different signal than ignored. Or I can't do anything about this is the button I want. Like I've got my library card in there and the password to my library card is four digits. Stop yelling at me, Watchtower. I can't fix that. I can't change it. Yeah, I want to leave me alone. Quit bothering me. Bloopers the hardest one to get the MFA taken care of because you can't do, so the beautiful thing of how 1Password does MFA is a screen grab. So I essentially was going to sites when I, and I did set up, I set up on a lot of sites. I'd go to the site, I'd say set up MFA, the code would appear. I would just click scan. It's like, boom, it's in. I'm like, done. I'd copy the code, paste it in. And the login, oh my goodness. Like when you go to a site that requires MFA and you click login, it's just like, boom. This is like magic. So it is fantastic. Well, and you can tell which sites are good. My favorite is GitHub. So command, backslash, is that right? The one under the delete key. I always get mixed up which one's which. Sorry. The one in the upper right backslash. That's backslash. So command backslash. I've got a t-shirt that says command backslash is my password. It's from 1Password. It's adorable. Anyway, you hit command backslash on a site like GitHub and it goes, beep, beep. And then the second page comes up with MFA and it goes, beep, and it logs you in. I mean, the same thing happens with my Synology. It's like, beep, beep, beep, beep, beep, and you're in. You don't have to hit enter. You hit nothing. It just does it. I love that one feature. When it works. 
The sites that don't do it right. I haven't had a failure yet. No, no, no. But somebody said like Google for crying out loud. Let's operate everything onto separate pages and mislabel the button so that it doesn't work. So what it also does well is like with a site like Google, is it when on, if you're on the first page, like some sites will say, what's your email address? And you click on one pass when it says it plays it in. And then when it advanced to the next page, it just always puts in the right password. And what I mean by the right one is if you had like five Google accounts. Yeah, yeah. If it auto fills with one pass, with LastPass, it was like, man, it's a crap. Shoot, which one I put in here? Like it might be the right one. It will fill it, but I won't tell you which one. You don't know what to when it put in. So you're just like hoping. I've literally not had a single problem with 1Password, actually putting in the correct password when we go to the next step. That's a great point. I shouldn't take that for granted. Yesterday I was pulling some tax documents from an institution where Steve and I both have logins. And when it asked for the log in, it showed me mine and it showed me Steve's. When I chose mine, it auto filled my password on the next screen. When I put in his, it automatically put his password in the next screen. You don't realize those nice features. That, to me, are a really beautiful feature on how they implemented that. I don't know if it's just pure luck for me, but you're describing the same behavior. But I know that I often had problems with that with LastPass. Often would go and click enter and it's like, ah, wrong password. And I have to hit the dropdown, copy that particular password I wanted, and then paste it in. So, but again, that I think is a brilliant way they've implemented that. So yeah, that's probably something else that I really do enjoy about it. 
The Watchtower, I love the feature because I like the security challenge that LastPass had. The thing that's my only other annoyance with it, I don't know what perfect is. And I want to be perfect. Oh, the total, what's your score? I'm sure your score is way above mine. I'm at 1010, but I've got 29 sites with inactive two-factor authentication. 1182. Oh, that's not that much better. Interesting. Because I don't know what perfect is. And but the problem is, it says, you're all good. There's nothing that requires your attention here. And I'm like, it's got- Well, maybe 1182 is perfect. Maybe it is. You know, you should text them. It could be 1200. You should ask them, what is perfect? I need a perfect score. There is a long thread of people asking, what is a perfect score? And they answer every question around that, but don't tell us what perfect is. And it's like, it's almost like they're like, yeah, just keep trying. But it's like, I don't know what else to try. I've done everything I could. Well, I mean, I wonder whether if you've got a 16-character password, which is considered fantastic. But if you made it 32, you'd get 1183. That's possible. Try taking one of your passwords and just making it one digit longer and seeing what it does. I'll have to play around. So that's probably another thing. When you change a password on the site, it always goes to the, I think it's, is it memorable? Not memorable, it's a smart password. Oh, no, I think it's- And I was- Memorable. I think it's smart. And what doesn't make sense to me a little bit about smart is I was assuming that smart somehow knew something about the site. There's no smart. There's memorable, random, and PIN code. Well, I thought when you go to change a password on a site, it has a- Well, a website may ask that, but- No, no. Are you sure you're not looking at, you're not using iCloud Keychain? All right, so I am, let's see. I'm gonna jump right in my Google account right now. Let's just jump in here. 
Let's do this real time. I'll do the play by the way. Yeah, no, cause- All right, yeah, that's probably boring to listen to. So I will recall being on a site and it, when you, in the upper right hand corner of your browser, when you choose, and it's like, hey, I'm gonna generate a password for you. I think there's one like smart where it tries to build a little bit shorter of a password that is ready for the site. And what I thought it was doing is either scraping the site or knowledge of the site to say, hey, this meets all the password requirements of the site or potentially the most common. My concern was there are some sites that like, you can have a 65 character password, but I don't want it to be, quote, smart and give me something that's only like, you know, 25 characters. Let's go like, give me in the fifties. I'll be happy with that. So I just wanted the passwords a little bit longer in some of those areas. So I think that's probably the only challenge or issue or concern that I had with some of the password chains. But- Well, I guess you can change the number of words. You can make that sucker real long if you tell it 15 words. Throw in separators. By the way, I just discovered something I did not, well, I want it to be typable because there's gonna be that time you need to type it. So I don't actually use the password manager, the password suggestion feature in 1Password. I use Bart's xkpasswd.net password generator. Okay. But the thing I was gonna ask you why 1Password doesn't and tell you I hate this about it, I just discovered it does have is what I've never been able to get it to do is put numbers in. But I just noticed if you can change the separator to be numbers and symbols. So I just had separators as hyphen spaces, periods, commas, underscores, but I didn't notice you could make it numbers and symbols. So you can end up with a nice, messy, long password with stuff you can't possibly type. 
Yeah, I have not played around with, see, just trying to think. Yeah, I haven't played around with that. So I just told it three words, numbers and symbols, capitalized and full words. So it says fell in all caps, the number four, sightly exclamation point archon, which apparently is a word. So is there a reason why you prefer the, I'll call it them, not memorable, but the, I think, yeah, I think that's a good number of passwords. Is there a reason why you like memorable? Yeah, because it's a lot easier to type when you do need to type it. Is I can look at it and I can go, okay, fell slightly archon. All right, I got a four and an exclamation point in between. So if you're looking at it, I can repeat that back to you. But if it's L seven Q O zero, you know, I've got a chance. I do like, another thing I like about 1Password is that it uses syntax highlighting. So if it's a number, it's gonna be blue. If it's a special symbol, it's orange. And if it's a letter, it's white. So you can tell zeros from O's. Yes, I love that in review. One, sorry, what LastPass did that? 1Password does that. That is a healthy option when you're revealing passwords. I also love, that you can figure out what the characters are. I also like show in large type. That's another one of my favorites. Hmm, I've played around with that one. If you select, instead of hitting copy on a password, if you hit the downward arrow, there's reveal and show in large type. It was boo. And then it puts it huge across your screen. I will give a recommendation. So when I was doing a lot of my password changes, what I tended to be, so I was tend to be in the browser changing the password and I would have the desktop app open and I would paste the passwords into the desktop app because I feel that they're a little too aggressive as to when they pop the dialogue saying, okay, we've recognized a new password. Do you want to save it? It's like, eh, hasn't committed here yet. 
And it's like, it's overload on the page. So it's like, I have to kind of save it before I can submit it on the site, only to find out it fails. And then I have to go through password history. Sorry, I feel that they should wait until you submit. Yeah, virtually everybody I talk to feels like that. I know a lot of people who bring up like a text editor and they paste it in there while they finish and then they go over and they copy and paste it. I don't, I tend to trust it. But yeah, I've gotten burned, but not that often enough to worry about it. But I know everybody worries about that. So that's a pain point. They should try to figure out how to get around if everybody I know does that. Over 400 passwords, I probably had, I had that happen to be probably a dozen times where the site didn't actually accept the password. But what I had happen far more often to me was I would have, again, the desktop app open, I would generate a password in the browser, I would paste the password in, I'd hit submit, it would accept it. And then I would go to paste it into the desktop app. The problem is the muscle memory was, you got to remember to click edit to edit the record then to paste the password. If you click on the password field ready to type, you've literally just copied the password over top of what you had. It's like, oh my gosh, what have I done? So you don't use a clipboard manager? Well, it wasn't, no, I don't. Actually a lot of clipboard managers won't take password fields. So the nice thing with 1Password, which I found out of my first moment of panic, like I just changed this password on a site and I don't know the password was that you can, I think it's the dot, dot, dot in the cup in the upper corner, I think it is, which gets you out and you can actually look at your password history. So that I will say I burned myself a couple of times where I was- I didn't know password history was there for a long time either. Yeah. 
Maybe some of these things from a UI perspective should be more revealed. We've got a list of two things, password history and QR codes scanning. Yeah, and just for anybody who hasn't run into it, that's actually if you click on, like in your browser extension, if you click on the LastPass browser extension, at the very top, you have the search box, right to the right of it, there's like a little thing that looks like a hamburger menu, which is a menu. If you tap on that, there's a thing for password generator. And then on that list, there's an option to get to password generator history at the very bottom. When you click on that, it shows you all the sites and all the most recent one is right at the top. So you're never far off from it, but just remember that's how you get to it, because when you burn yourself and you're like at that panic moment, they've got you covered, your password is actually stored in that password history, you can get to it. So, again. I don't actually ever use the little button in the URL bar. Oh. I don't tend to use that. I tend to just use command backslash and it pops it in or I open up the web, I open up the desktop app. Okay. All right. Yeah. So, let's see, from a top level picture now. Oh, I know the other thing I wanted to ask you was when I originally used LastPass and then I moved over to 1Password, one of my biggest surprises was looking back at LastPass, how Linuxy and open-sourced it felt, versus a polished UI in terms of graphics and things like that. And I just assumed that they had come a long ways and then, but Lindsey said, the first thing Lindsey said was, oh my gosh, 1Password is beautiful. She just really liked that, like when you have a login for a website, it grabs the icon for the website. So it's easier to see in a list, this is gonna be Amazon or this is gonna be California Pizza Kitchen. And she was really surprised and delighted by the UI itself. 
Do you feel that or doesn't matter to you because you're a nerd? Oh, no, no. It's, I feel like I've gone from, yeah, running a Linux product to running a Mac, it's a beautiful product. They've definitely gone above and beyond what I need from a user experience in a product. It is fantastic. From a UI standpoint, they've done a really good job there. Once you get over, and again, when you're coming from something that you really did like, because I really loved LastPass as what it provided for me, you're trying to figure out like, how do I do this like I did LastPass? And some of those things I'm trying to relinquish, equivalent domains is one I'll hold on to for a while, but I am trying to step away and look at it from, what's the proper way of LastPass? Do you like migration is, I think one of the things that, thank you, 1Password. Migration is one of those things that I've been tripped, I got tripped up on. Like you and I were going back and forth about how to migrate last night. Yeah, describe this problem because unfortunately I changed to a family plan long enough ago that I don't remember the process. I remember there being a stumbling step, but it doesn't sound like what you've run into. So Karen was an existing LastPass, 1Password user, who created a new vault and a family plan. And then you're trying to migrate her in. Right, which I think probably was my first mistake. I should have made her the family plan and I migrated into where she was at. Just because where you came from. But if you both had 1Password, if you both had 1Password accounts, you would have run into this. So what was the problem you ran into? So when I was trying to figure out, okay, well, how do I invite her to the family plan? And I've, okay, there's the invite place. Let me just send invites out to everybody. So when we invited her, I think it's probably part of what my expectations were from the product. So what I had expected to happen was I clicked invite. 
I sent, I put in her email address, which is her current email address she uses for 1Password. And it would just be like a, do you wanna join this family plan? And voila, she's there and there was literally nothing more for her to do. That's just not how it works. And then when she accepted the invite, I was like, why are you creating a username password? This makes no sense. I was like, okay, I've done something wrong here. We'll stop. And even though she can go through the process, I have to accept her into the family plan before I think the whole process stops. So I was like, let's stop right here. We actually haven't progressed any further. You and I chatted last night, but I never- Yeah, we need to do a screen share where I get to see what's going on. Yeah, of course we do. Or I need to fly to Maryland to help. We'll make some barbecue. Hang on, we're American.com. Where I got concerned was, because we had that issue in the past with her having me a six and seven vault. And what I didn't wanna run into is, she already doesn't, like she used the password manager because I finally, you know, strong arm to get her password manager, but she loves it now. But what I couldn't have happened is that she's running into mix-mashing of credentials, logging in and the vault looks empty. Anything that makes it harder. And in reading the, I sent you a link, we should probably include the link to the article that I found, which the one person said- Not an article, it was a discussion forum, but we think the way it was written, it was the person who, it was somebody who worked there at 1Password. It smells like that. So it started in 2018, but most of the thread was in 2018. 
So if you stumble across, I'm like, well surely in the last four years, they've changed this process because people are describing, well, you can have two accounts with LastPass, one that is like an enterprise, one that is a personal or one that is a personal, one that is a family with the same email address. And I'm like, what? It makes no sense. Like, so how do I know which one I'm logging into? And that's where I was like, all right, I'm hugely concerned that I could get something messed up with my wife. I'm like, this has probably changed over four years. So let me find the right thread. Cause if I go down the pathway of this and I'm 100% wrong, I create a bad experience for the wife and the migration. And then I get flamed for, why did you use it rely on a four year old article? So I was looking for the newer article to explain it, but apparently the process is, just create your new account, copy your data over, and then delete your old account and away you go, which again, it's simple, but I was expecting it to be, invite them to the new organization, new family. Suck it in. And they just, essentially as long as they're logged in, it'll say, okay, we're just gonna move your, you're moved over to the new family. We're gonna decommission your old account. And it just becomes like a seamless process for the user. I know there's a security reason in the background behind it, but I would have expected it to be a bit more seamless for the user to transition from personal into family without saying open up two vaults and copy. In the discussion forum, the person answering the question said, if it worked that way, where you just invite somebody and it sucks them in, they said you wouldn't be able to share vaults, which is huge if they did it that way. And you wouldn't be able to do recovery for other family members. Now, I don't understand why that's true with the way the architecture is done, but I absolutely do not remember making a second account. 
I remember our shared vault, we had to mess with it. We had to create a new shared vault and move everything into that. But that's the only thing I can remember having to do. Yeah, and here's the thing. If, let's say for example, they're saying, well, your vault is tied to your encryption key. So you have to, we have to generate all new encryption. Totally fine. But when I say to join the family plan, it says, okay, log into your vault, you'll see a pop-up that says you're joining the family. And it just says, please wait while we re-encrypt your vault into the family plan. You have your own private vault. They literally could do all this behind the scenes. And it was just something that I'm like, okay, this cannot be, like I understand this. Maybe this, I thought, maybe this is when they just added family plans and they just said, let's get it out the door. It's not the prettiest process, we'll deal with it over the next couple of releases. So I figured there has to be another article. So what I have been doing is scouring and trying to find it. And when we did the show, I'm like, this is what's frustrating me, is that I thought I almost screwed up my wife's vault, trying to add it to this family plan versus anything else. So apparently that is the process. So I'll just copy paste and be logged into two vaults. Yeah, and by the way, it's not copy paste. It's command A to select all, right click, move to, select the vault and you're done. I mean, the way you're saying it sounds like copy paste, copy paste, copy paste, copy paste coming. Cause somebody in the forum said that they were doing that and they're like, no, you don't have to do that. And I think four years ago, they didn't have the move thing. And by the way, you can drag and drop too. You just, which was a new feature added just recently. 
I have not done drag and drop, but I have done, I think the thing that was, I felt like they didn't have multi-select when I first was messing around, but yeah, just multi-select in command A. Oh, there you go. Command A. Select all. Well, it's mainly, it's usually like, sometimes you want to select a region of credentials and deal with them. Oh, so shift select, yeah. Yeah, that does work. So overall, this is what Rod sounds like when he's happy and loves something. I think it's a really good product. And I know it's funny because you're like, I almost didn't have him on. He was so mad on SMR. I was so frustrated because I was like, I literally could have messed up my wife's vault and I will never hear the end. But I'm not lying when I say, I don't love the idea of MFA being on the record that's in the vault for the individual save credential, if you will. However, in the shared model, it is golden. I don't, I cannot underscore how nice it is to, like if you have something like where everybody uses the same account for Ring or Nest and you turn on MFA and you just share it in the vault and everybody has the code. Anybody, your entire family can use the one credential, get into your Ring account and they, everybody can do everything they need to do. That is, it's the one brilliant idea where it solidified to me why there are certain accounts you want MFA on. So I'll tell you why, I tell you why I like it in the vault is I hear people all the time talking about migrating to a new phone and not being able to bring their MFA with them because they had it in a separate authenticator app. That is literally never a problem with 1Password because it just comes with you. I don't know any, I don't know why you would want to use a separate MFA tool except for the separation of security. Yeah, so not to discount it. Yeah, there's that, the separation. I use, I use Google Authenticator, I use Microsoft. Who, they're all over the place? 
I do use a couple, but I use very, ones for different reasons, but I will say with some of them, I really do like the push. I mean, and again, what we're doing in 1Password is very seamless because you don't, the dialogue pops, it fills and it goes and you don't think about it anymore, which is nice. But with push, you just get a notification on your phone and you can complete the login. I don't know what push is, I don't know what you mean. So a long time ago, a company called Duo implemented this concept that most people really love called push, which is you'd go to log in and rather than saying, hey, go get your RSA token ID and type in the six-digit code on it, it would just push to your authenticator app on your phone saying, do you approve the sign in? For on this IP address, this user, like you just try to sign into Microsoft, are you approving it? And you say approve and then you do your fingerprint authentication or Face ID and it's complete. Then on your computer, the login process would complete. So push allowed, when with the radius. I think this is kind of the way my, one of my investment companies works is when I go to log in on my desktop, it sends a push notification to my phone and it looks at my Face ID and says, yes, I wanna let that in. Way harder than just having it enter the code and move on. Way harder. Yes, when it magically enters a code, it is definitely harder. There are some that- No, no, magically enters a code is easier. No, yeah, sorry, magically enters the code is super easy, but push is, I'd say it's pretty easy because you just tap and you're logged in. And again, remember- No, it's like five taps. It's yes, I wanna send something to my phone. Which phone would you like to send it to? This phone, pick up my phone, let it see my Face ID so that I'm gonna get the push notification. The push notification comes up, I have to tap on it. It then comes up and says, okay, do you wanna allow this? I tap it again, I say yes. 
Now it does my Face ID another time because now it's the app asking for Face ID and then it goes back to the website. So it's like, it's easy, but it's long. Your bank was a worse experience. So for me, my Android phone, yes, I do have to get into the phone, but you pull down your notifications, you see like, sign in here and I click approve and then immediately it just, it sees my face again and it's like- So it is doing your face twice where I've already told the website, I've already authenticated to the website. Well, it's authenticating you to the authenticator app saying, and it's like you're secure, it would be cool to accessing the Secure Enclave on your iPhone and saying, I'm getting into another security area, so I'm revalidating that the holder of the phone is who I think they are. So I'm gonna do a really quick Face ID check before I allow this login process complete. Like, so for my work, I cannot complete the process with an authenticator app unless I log into it. Other authenticator apps, like the application provider may say, I don't require additional authentication. So the app might pop up and just say- You'd like it to ask for your authentication. I don't think that's a bad thing. Absolutely. But I would rather not have this separate device problem that doesn't sound as fun to me. Security isn't easy. Yeah. There's a separation that is nice, but like as a convenience of putting them in all of one place, I do, I will say I enjoy, but I do have it on my less concerning items. I don't have it on my bags. Okay. So one last thing I wanna give you a hard time for on the SMR podcast, you eventually figured it out. You cracked the code during the show, but one of your big complaints was, why does it log me out all, 1Password, log me out all the time it does it so quickly. Oh, that was- And you didn't- That would be mad. But you didn't go as far as to look in settings to see if there was an option to change it. 
And it was like, I had 45 minutes into the show where Chris kind of goes, well, did you look in settings? And you said, well, I'm not gonna look right now. And you go, oh, there it is. So here's the funny thing. You've ran it for like seven minutes on this topic. So this is, this tells you sometimes we all are gluttons for punishment. So I'll give you a story with work. So on my work, when I log in, I have to use MFA, multi-factor authentication. And the default is to put in the code. So I would get, I would have to open up the app, get the codes, type them in. I was like, ah, this sucks. And I was like, I just, and I know all I need to do is go into 365 and switch the default method from code to app. Literally, I just change one drop down and say use the authenticator app. It will then push to the phone and I just click approve and I'm done. So I've literally removed all friction. I know this. I've done it at multiple organizations. It took a year before it annoyed me enough to change it. So this was one of those things where it would log me off and I was like, ah, but I need to get back in so I get back in and everything's great for a while. I'm right in the middle of it. And then mind you, I've only been a 1Password user for like a month. So it's been scratching at me. And it's just like, when we're talking about things to know, it's like, oh, let me talk about this thing. This annoys me because I hadn't looked into it because it was like, it's just annoying me, but it's that little brother who just keeps scratching your arm saying, this is probably you yet. It's gonna get you. That was one of those things. So I've already changed that setting. Okay. So there's two different settings we're talking about here. I wanna make sure we're clear because I have a second question related to this. One is auto lock and it's set by default. It's lock on sleep, screensaver, switching users, but then there's lock after the computer's idle for. 
And I think yours was set to like two minutes and you can have it anywhere from one minute to never. And you can have it eight hours. I think having it check out after like 30 minutes is pretty good. But there's a second thing was you kept saying, I kept having to type my password. So you can have it unlocked with touch ID or your Apple watch, but you're not an Apple user anymore, but on your phone, but you do have a Mac, but you're probably talking about on your PC. No, I'm talking about on my Mac. So here's the thing. If in yours, you use, you have one monitor, but do you have your Mac up and open at all times, right? Like it's like your second monitor or no? Yes. And I have a keyboard with my touch ID on it. I should just go get a keyboard with touch ID. Yeah. So your problem is you're using your Mac in clamshell mode. I'm old school. Ooh, he's got an extended keyboard. Extended keyboard. I've had this for, I couldn't even tell you how long and it doesn't have touch ID on it. It's fantastic keyboard. So I haven't, I don't, and yes, mine is in clamshell mode. So it's closed all the time and it's under my desk. So if I want to solve the problem, I have to go into there, open it up and then screen resolutions all out of whack while you open it, tap it and then close it. So it's easier just to put the password in. Screen resolution. I will say the one thing it did help me do is it helped me re-memorize my... One password. Yeah, that's actually a good idea. Yeah, that isn't the worst idea. But yeah, if you get one of the, I don't know if they make the extended keyboard with touch ID, they do the little one. So I do type in numbers a lot. Yeah, yeah, no, no, I understand that. It just takes up too much desk space. Why do you have it in clamshell mode? A lot of people do and I know Bart does now and I don't get it. Why not have more screen real estate on your desk? You just don't have room. I literally have a 49-inch monitor in front of me. Yeah, that's right. 
We did talk about the giant monitor. I think I had Chris talk about the giant monitor that you bought as well. It's massive. So I don't need any more screen real estate and it's very funny because it'd be funny to go from 49 inches down to like a 13-inch computer screen. So it's just easier to get the one screen. I have 32 and 14, so I like that. So I, as I said, like sometimes I let things bother me. There are some things that I don't let bother me and one of them is if I have to, I used to run dual monitors all the time. If one monitor failed and it was not produced and I couldn't buy any more, I threw them both away and bought two new monitors. I cannot have two non-matching monitors where it's slightly off, they can't get them perfectly aligned. Like when I had two monitors or three, yeah, they literally have to be butt side to side. They have to look the same. If they look different, if I'm dealing, yeah, color hues, all that stuff, they got to both go. I got to get two new ones to start off with. It's a workflow thing, but if you're on your computer and now I see people who have like a 25 inch monitor, a 13 inch monitor next to it, and I'm like, I don't know how you do that. Cause even dragging windows, it's like, oh, I'm too high. I need to drag lower cause the size, nope, not doing it. I've been there, suffered through that. And I said, never again. All right. They just spent 200 bucks at your money. You can get, you can get the extended keyboard with the touch ID comes in white or black. The black keys, this might be a buy. All right. There you go. Before I spend any more money with you this. And you need to go back to the iPhone so you can wear an Apple watch. And cause I, I got all excited cause I got the touch ID keyboard. And I thought, you know, I was having to reach all the way over to the right here to touch my, my keyboard on my Mac. So I was all excited about getting this, but the stupid watch gets precedence. 
So the watch is always going, I'm ready before I can even get my finger down there. So. Yeah, I should, yeah, I, there are things I do miss about the iPhone, but I will say the camera on these Samsung phones are just crazy good. So nice. And the screen is unbelievable. Well, that's a discussion for another day about why you went to the dark side. The thing I find so fascinating about you and, and I admire it because it's something I don't have in my DNA at all is that you can just abandon things. I couldn't abandon the Apple ecosystem of, I mean, I'd probably sell one of my kids, you know, the good one I'd keep. But you know, before I could leave Apple, before I mean, leaving 1Password would be, that'd be heart wrenching for me to have to do that. But you're just like, I'm not gonna use Apple anymore because it made me mad, even though it was 100% my fault and my son's fault. And then, and you just go, I'm on Android now. And I don't know how you do that. That's amazing to me. I would honestly, if someone would sponsor it, I would love to have you go on a challenge like a 90 day challenge of you have to only use Windows and Android phones. Like literally you have to turn off everything Apple, like Apple TV gone. Like you gotta figure out your life for the next 30 days without anything Apple in your life. No Apple Watch, no this, no that, just 30 days and like see if you could go. Oh, actually 30 would probably be enough. Like, I think you'd have the shakes in about two weeks. Oh, I'd have shakes within the day. I did briefly use Windows at work for about three years and you could constantly hear out of my office me screaming, people choose this because it was so bad. I hated every minute. Now to be fair, it was Windows Vista. Was the only Windows I ever used. But it was a nightmare. I couldn't stand it. Yeah, but I would like, again, my day-to-day runner is a Mac and I struggle like when it's like, I have to do like any creative workflow. 
I can't do those on Windows anymore. It's like, nope, I need to use a screen flow. Like if I'm recording, I want to record in screen flow. I want to edit it in Final Cut. I can use Adobe Premiere, but I don't like it as much as I like Final Cut for my editing, Premiere, yeah, Premiere. So there's a lot of flows that I really do like significantly better on the Mac. But yeah, switching technologies, I think it's healthy because you find what you'd like on each side of the aisle a little more. I couldn't do it, I'm a loyalty. I mean, I would go with the same hairdresser for like 35 years and I don't even like her or the way she cuts my hair. But I've always been doing it so I'm going to keep doing it forever. Yeah, I found what's shocking for me, I use virtual desktops, spaces, yeah, it's called spaces, yeah. On Windows, they have virtual desktops. Literally, if you talk to Windows users, 90% of them never use it. I don't know what's a virtual desktop. You know, on the Mac, if you take three fingers and swipe on your mouse, you are on like a new desktop screen. Oh, spaces, sure. Spaces, yeah. Okay, yes, Windows calls them virtual desktops, Macs calls them spaces. Okay. You happily use them and frequently use them. I love them. I literally cannot change my workflow. When I get on Windows, I have to remember let's control arrow to switch between spaces. But if I talk to most Windows users, you're like, what is the heck are you, like they don't even understand what it is. And then you start explaining this feature that Microsoft had, how great it is. But people are like, but you can't see it. I'm like, exactly. Like you could take your email, photo onto another screen. And when you want to be in email mode, you just go to the screen with email. 
And when I launch email, I can tell it to launch always in the space so that if I have to close it because it's consuming memory or something crazy and I launch it, it just launches back in the space I want it, I can handle that whole quote screen for my workflow. And if I need to be in browser doing research, if I need to be in chatting, I can be over there but I can be truly singular focus. And a lot of Windows users don't use it. You'd enjoy this. On the NosillaCast, I had my buddy Ron come on with me to talk about how much we really enjoy Stage Manager and how neither of us could ever get the hang of Spaces. And it just didn't work for us. Just for whatever reason that just didn't work for us and how we really like using Stage Manager. Bart just came on last week where he did a long thing on acknowledging that for you guys that makes personal sense the way you think, here's how I think and why Spaces is amazing. And so we have both sides of the story of what works for different people. But the important thing that you're trying to point out is we know about both of them. We know they exist. Now we are power users. So I don't know whether normal people even know that Spaces exist. That'd be an interesting question to ask if we can ask the muggles. But hey, I told you I had 40 minutes to talk. I was mostly worried we might go too short. I should not have worried it's been an hour and 20 minutes. So I'm actually gonna cut us off. No, it's been too long since we chatted. That's the problem. But if people want to follow you online, the best place to go is. If you wanna get me on Twitter, it's Rod Simmons on Twitter. So super simple to find me. But head over to SMR podcast, take a listen to the show. We have a lot of fun geeking out. If you love food, barbecue and tech, bbqandtech.com. And you can listen to what we do about barbecue. And tech, SMR. That's a quaint. You're still on Twitter, huh? I'm still on Twitter. I haven't left yet. 
Oh, Matt, that's so much more fun. All right, I'm gonna have to go look at this because you said you were on it all this morning. So I definitely do take a peek at this. All right, well, I'll let you go now. Thanks a lot, Rod. This was really fun. Thanks for having me. I hope you enjoyed this episode of Chitchat Across the Pond. Did you notice there weren't any ads in the show? That's because this show is not ad supported. It's supported by you. If you learned something, or maybe you were just entertained, consider contributing to the Podfeet Podcast. You can do that by going over to podfeet.com and look for the big red button that says, support the show. When you click that button, you're gonna find different ways to contribute. If you'd like to do a one-time donation, you can click the PayPal button. If you wanna make a recurring contribution, click the weekly Patreon button. Or another way to contribute is to record a listener contribution. It's a great way to help the NosillaCastaways learn from you. If you wanna contact me for any reason, you can email me at allison at podfeet.com and you can follow me on Twitter at podfeet. Maybe you wanna talk to other NosillaCastaways. You can do that in our Slack group at podfeet.com slash slack. Thanks for listening and stay subscribed.