Hi and welcome to backup Central's Restore it All podcast.

I'm your host w Curtis Preston, AKA Mr.

Backup and I have with me, my carpet demolition expert, Prasanna Malaiyandi

it going, Curtis,

It's um,

so I have to say first, congratulations

on being done with one room,

one room out of six.

that's it's progress, right?

It's progress.

They say the first one's the hardest.

And then the rest go faster.

Right?

Well, in my case, the first one is absolutely the

hardest cuz it's the entryway and it's got like this rounded entryway and a

lot of funky angles and everything.

Everything else is a rectangle, like a normal house, but the front

room was absolutely the hardest.

And of course I did it as the first.

Um, so yeah, but, but, and then I ripped up a bunch more carpet

last night and uh, so, uh,

the kids who eat broccoli first, and then they

eat all the yummy stuff after.

Right.

You get done with the bad stuff in the beginning and then everything else

Exactly.

Yeah.

So, um, but do you have any further advice for me from your, your YouTube pals

for in terms of carpet repair or pulling

up or anything else like that?

No, not really.

Okay.

Yeah, I got, I got nothing for you other, other

than make sure your floors are flat.

Make sure you don't work backwards or no, actually, I guess you

have to work backwards this

I have to work backwards in this one

room, the one room I have

And okay.

The only thing I will say is take breaks.

Oh trust me.

That's happening.

I do.

Yeah.

Cuz I'm freaking old.

And, and now that now that my doctor has informed me that I have bursitis

on my knees, it just, who the hell?

Like why, why did I get this idea of laying down my own flooring anyway,

uh, you know, definitely falls into the category of I'm too old for this shit,

And, and just, don't go asking a flooring person how

much it would've taken to install it.

Okay.

I already know, I have a quote this time.

I know, I know how much I'm saving.

yeah.

But, but at this point I am like really

It's all good Curtis.

Yeah.

Uh, well, let's bring out our guest.

He has been in it for over 20 years with an MBA from Temple University

where he also managed infrastructure.

He was in presales for several years and is now a lecturer in computer science

at Montgomery county community college.

You can read his blog@hayner.net.

Welcome to the podcast, Chris Hayner.

How's everybody doing today.

Well, you know,

I'm doing well.

I dunno about

putting an ice bag on my knee, I'm doing great.

Yeah.

I feel like we should put out the it stuff to side and talk

about this flooring situation.

Some more.

Yeah, luxury, luxury vinyl planking.

That's what I'm all about.

Um, replacing, uh, like carpet, tile and, uh, the, what do they call it?

The laminate and the diner and the dining room.

Like, so with one solid thing.

Yeah.

Anyway, it's, uh, it's a, it's a fun project.

I feel a bit, a lot more fun if it was like, I Don.

10 15 years ago.

It was somebody else's knees.

if I was doing this with my 40 year old body instead of

my 55 year old body, but, uh, yeah.

Anyway, so, uh, I, I know we brought you on, um, I don't remember how I came upon

your, uh, your article, but we brought you on because you know, I read this

article that speaks to something that I believe in, like I could have written

the article just as much as you had.

And that was this idea of, I, I think the title was, yes,

you do need a password manager.

Does that sound about right?

Yes, Brett, you do need a password manager.

Yes, you do.

Yes, you, do you think you don't?

For the record Prasanna and I both have password managers, actually.

I think Prasanna has two don't you Prasanna.

just have the one.

Oh, I thought you had the, I thought you

had one for work and one for,

Nope.

Yeah.

So for home I have my own, but I took a different approach than you Curtis.

I don't use a service.

So you host your own

Yeah.

I'm a da, I'm a Dashlane person.

Uh, I don't know what you're using there, Chris.

I have been last pass for the past couple of years, although,

and one of the things that actually got me to think about this article

that ended up being posted a few months ago was my renewal is coming up.

So I was kind of exploring some of the other options in the

marketplace and there's a lot,

Yeah,

um, you know, I, I did a quick check and I wanna say I got to

around 40 different pot, uh, different password manager, softwares that exist.

Some of them everyone's absolutely heard of.

Right.

Everybody's heard of Dashlane.

Everybody's heard one password.

Um, hopefully everybody's heard of last pass.

You know, those are like the main players, but then there's

a lot of little bit players.

Bit warden is an open source.

One that's pretty popular that you can also host your own with.

And one of the things I think that makes it helpful is it's not that difficult

to build these types of products.

It's difficult to build them though with a feature set and a security reliability

that people are going to be confident in.

Yeah.

Let's start, with why do we need a password manager?

Right.

Let's just, let's just start there.

I mean, basically the whole purpose of your article, because there, you know,

there are people we run into 'em and they're like, well, I don't, you know, I,

you know, we, we should talk about like, why we need one and then we should talk

about the, like the objection of, well, well, I feel that that puts all my stuff

in one place that makes it easier to hack.

Right.

I'm worried that someone will get in and then they'll have my entire world.

Uh, I think that's a valid concern.

I just, I.

I think that that any of the decent products have addressed that concern.

Uh, and then, and then I think we can talk about like, um, basically, like you

talked about the features, the features and function, like the ones that I,

that I like a lot from Dashlane that, that made me choose it, some of which

are now available in other products.

Um, and, um, I think that would round us out.

So let's talk about, let's talk about first, Chris, you know, what it, why.

Why

Just why just.

that's just why

Um, so the biggest reason is you are being required to get a username

and password and log into pretty much every website that exists in the world.

Now we can set aside whether that is necessary or advisable,

but we have to do it.

And if you don't use a password manager, what you end up doing

inevitably is using the same password over and over and over again.

Right.

The trouble.

There is a lot of the times when a website gets breached, that username and password

combination becomes immediately available to anybody who wants to pay for it.

And I've actually looked into this and it is really, really sad in terms

of how much a hacker has to pay for a valid username and password combination.

It starts out at less than one 10th of 1% per person.

And it goes down to $0 because about a week after a breach, that

information is publicly available.

Right.

Wow.

Publicly available to

Oh, I see.

I see two, two people that know where to go.

Yeah.

Right.

The I'm I'm assuming this is a dark web

That's the one.

Yeah.

Right, it seems now that I've had a password manager for

forever, but I know there was a time when I knew that I shouldn't use, um,

The same password everywhere, but I didn't wanna use a password manager and

I didn't wanna just use a spreadsheet.

So I had this, you know,

System.

out it's, it's not that uncommon, but I had a system where

I did use the same password everywhere.

Well, just the places it mattered.

Right.

Like, but okay.

Let me rephrase if it was a site that it didn't matter.

I had the same password everywhere.

Like who cared if somebody got my, you know, login credentials to.

Whatever, what to what?

Not to yo, not to yo no, but yeah, anything that I thought mattered, I had a

separate password that was semi complex.

And then I had a string that I would put on.

I would append to that.

That was unique to each site.

So I just had to remember that string for each site.

I don't think I'm completely alone in that, in that idea.

Um, but at some point.

I got the idea of trying a password manager and honestly, it's so much easier.

Right?

It's so much easier than, than the alternatives.

I mean, Prasanna you, how, how long have you been doing this?

Prasanna Malaiyandi:

using a password manager.

Prasanna Malaiyandi:

I wanna say the last eight years or so, or eight or 10.

Yeah.

Yeah.

And I agree.

It's easy.

I don't have to remember it.

Um, and like you said, you can make those passwords more secure.

Cause I'm the type who always runs into here's the max number of

characters, website supports, right.

Because I'm always like 32 characters plus special characters plus everything.

Right.

Throw the kitchen sink at it because I'm like, I don't need to remember it.

Yeah, that's a Chris.

That's something that comes up pretty regularly on here is, is we talk about,

we use these password managers and then we, we have these giant passwords and then

we get a site that says like, oh, you can only have 16 characters in your password.

And, and you can't have these special characters.

Right.

can't be repeating characters or things like that.

That always bugs me too.

Right.

They're basically putting together a recipe for an insecure password,

Yeah.

Yeah.

which is another reason to be really, let's just say paranoid

about the username and password combination, not being able to.

get into more than one website,

Yeah, I, I actually wanna make a comment about that.

Something you just brought up, Chris, a lot of people think password

managers are just for creating random passwords, but you could also use

it to create random usernames, which actually help secure you in addition

to just having a random password,

Yeah.

You're I mean, That is, that's a very good point.

And, and especially around Prasannal security, there's no reason

that you need to have the same username all over the internet.

So if you're logging into a site that you don't necessarily care for,

or don't care about that much, you know, like a good example would be

the website, uh, called newsr, which is just a news aggregation site.

They don't need to know who I really am.

They just wanna know where to send their newsletter.

Right.

So my username doesn't have to be associated with me as closely.

So then if there's an, an incident and a user or that like gets breached, then the

breach doesn't associate with me directly because I didn't use the same username.

And in fact, you can use a password manager to save a whole Prasanna, so

you can create a fake name for yourself and just have that auto fill as well.

And also going one step further.

Some sites also require like security questions.

I remember we had a guest Curtis.

I don't know if you remember Zoe, right?

Who talked about how the fact that she uses, like the security question, she

creates some randomly she's like, you don't need to know my birthday or the

city I was born in, as long as I remember.

And you can also use a password manager, some of them to store that

additional information as well.

So like you said, Chris, you have an entire new Prasanna created for.

Yeah.

And I think that's a great point, cuz it also comes into password.

Management.

It doesn't have to be in a password manager itself, but the idea that you

are managing your information, that's a great rule for people, no matter

what do not ever answer those security questions, honestly, you know, what

was the city that you grew up in?

Sorry, I was born on one twenty three anywhere street, and I

dare you to prove different.

Right.

As long as you answer them the same way on the front end and the back end

doesn't really matter what you put there.

exactly.

And that's another great use case for a password manager to

keep that information for you.

Yeah.

The only thing that, and I, I agree with everything you just said, the

only thing that stinks about that is that that's not auto fillable.

Right.

Um, you're gonna put that in the notes for your password manager in most cases,

Yeah.

That's I mean, that does bring up, uh, a challenge because it depends on the

password manager, whether or not they have an ability to natively store,

additional information or custom fields.

Right.

And how is the website built?

Because nothing drives me up the wall faster than when a website

puts in JavaScript that blocks a password manager from auto.

Yes.

That seems so unnecessary,

There are, there are even some that won't allow you to paste,

like even manually paste the password.

right?

That's when I get that's, when I get like, it's one thing

where, you know, if it won't auto fill it, but then you're like, okay, fine.

It's one of these sites where I have to copy and paste it and then you

go to copy and paste it and it's like, Nope, here's what I, here's

what I think we should do, Chris.

I think we should start a website, like a website shaming website.

Where, you know, we list companies that, that do stupid stuff like this.

Like they, they, they have fewer than, you know, they, they have

limitations on the size of the password.

They have limitations on the number of characters we can put in, um, and

the, you know, all that kind of stuff.

And, um, you know, and, and they can't, and they won't allow us

to auto fill or copy and paste.

I think we should.

I like

yeah, think we should do a little password shaming dot.

Oh, there was, there was already a robust traffic in,

um, pass, not password shaming, but S3 bucket malfeasance, shaming,

Oh, nice.

Yes.

Yes, exactly.

sadly ha still happens.

Well, you know, what, if, if it still happens like with new

stuff, then you deserve what you get.

Because, because AWS makes it really, really hard to make an open bucket now.

Right.

It used to be the default.

Um, if you create an open bucket now you really meant to do it,

which means you deserve, you deserve everything that's coming to you.

Yeah.

You had to click through giant flashing banners that say, don't do this ever.

right.

And yet here we are.

Someone is still doing it.

Yeah.

moving on to sort of the password managers itself, I'm sure

a lot of people are like, Hey, Google Chrome or safari or Mac has key chain.

Right.

Why can't I just use that.

Why do I need, like what you were talking about Chris, like a dash

lane, a one password last pass, etc.

right.

So that comes out to very simply the preference that you're gonna have.

Do you want to use something all within one infrastructure?

Or do you want to use something that is independent of that infrastructure?

So there's a, there's a big difference.

For example, between using the password manager, that's built into

Chrome and the password manager that's built into apple, right?

Because the coverage is very different, but.

For example, in a Chrome environment, you can have a Chrome account and

you can save passwords and share them across securely, assuming you trust

Google of course, across different installations of that browser.

So it's the same exact concept in the sense that wherever you try to log

in, as long as you log in with your valid username and password, you get

all of your passwords along with you.

But there.

let me, let me just append to your comment.

All of the passwords associated with that Chrome profile.

right.

Because I use two Chrome profiles constantly.

So that's an important point.

But it

that's, that's a great point because it to, it speaks immediately

to the limitation of doing it this way.

The one thing about it that you, that is true is that it

is, uh, simple, straightforward.

You don't have another product to manage.

You don't have another product in many cases to pay for, because most.

Professional password managers that we're gonna talk about are not free.

They might have some type of free tier, but it's usually deeply limiting,

Yeah, but just to the Chrome example, isn't it a little

bit of a chicken or egg problem, because you still need to remember the password

to how to log into Chrome right.

Into your Chrome account, right before you can get access to

the rest of your password.

So

Which is

I mean, but that's the same as a password manager, right?

You need to remember that password, right?

I will say.

Again, this is something that comes up regular on the pasta on, on the podcast.

Something is always better than nothing.

Right?

Not using any password manager at all.

Like we're not arguing.

You have to use Dashlane or last password, one pass, right?

We're we're just arguing.

You need a password manager.

If you wanna live in the one that's free with, with Chrome.

And again, I don't know anything about the security of how that is managed.

I, I have that concern still better than nothing, I think.

Um, right.

And to their credit, a lot of the major browsers can do

this and they do it a lot better now than they used to do it.

Um, when password management first came out in internet Explorer, it

was saved basically in encoded, but in plain text on your computer.

right.

So that's.

the first, the first step in, you know, Dashlane I remember

was sucking all the passwords outta my browser that I had in my browser, which

meant that they were stored in plain text

And exactly how did they do that?

Yeah.

they do that

Um, but yeah, I mean the Chrome ones are better.

Everything these days is at least at rest encrypted AEs 2 56.

It's not really a problem with any major browser that you can think of.

Everybody has their favorites.

We've been talking about Chrome, but Firefox does it too.

Uh, edge does it too.

And then with Microsoft and apple, it gets a little bit more confusing because you

can do it at an operating system level.

Right.

So depending on the applications you're using, you can also use, um,

uh, what is it called in, in windows?

I don't actually use windows all that often, but I know they have

a similar built in like key chain

It's called not key chain.

yeah, something like that key bucket.

Um, but that's where the third party tools really have some value.

So you immediately have to manage two different things.

For example, when you install last pass, you install an application

that reaches out to all your browsers plugs in and to that connection,

an actual third party plugin.

So if you're on Chrome, you log in right.

Click fill password.

If you're in internet Explorer, same thing you can't have that

kind of spread if you're just using the Chrome password manager.

And also mobile and.

Um, like I, I have Dashlane installed on my phone, so I get

all this stuff on my phone as well.

But I believe though, if you're using like

an iPhone plus a Mac, right.

And an iPad, right.

I think with apples now they have an iCloud key chain.

That'll sort of sync everything now across assuming that you're using the same

iCloud account across all your devices.

Yeah, that's correct.

Yeah.

And I don't, I don't know anything about that.

Right.

I haven't tried to use that.

I mean, once I, once I went down the Dashlane.

There's no,

I was pretty and I'm paying like 39 bucks

a year or something like that.

Uh, and it comes with some like dark web monitoring or whatever, which, which is,

I don't know, which is just depressing.

They're like, Hey, your email address showed up over here now.

Um, right.

And you're, you know, and I'm like, oh, okay.

All right.

When I see my fake birthday showed up over in this other place.

Cause I use a fake birthday just like we were talking about, I

don't use my real birthday unless I'm dealing with like a bank or,

Right.

that sort of thing.

Right.

Yeah.

Just because a website is asking for your honest information, as long as

you're not, like you're saying a bank is a great case where you're gonna

want to be honest, but, uh, sorry.

target.com.

I was born in 1923 and I dare you to prove me different.

Um, but by the, just, just how many, uh, we could have a

little contest, cuz I think I might win.

How many passwords do you have in your password manager?

oh, that's a great question.

Um, I looked at this before and it was somewhere in the four to 500 range.

Yeah, I win.

I have about double that, but, but okay.

But again, I share the password manager with my wife, right.

So

Ah, interesting thumb on the scales.

I feel there,

what's that.

it says a little bit of a thumb on the scales

having more than one person.

It is, it is.

Yeah.

I, I, but I think I'm more than I'm more, I'm definitely more

than half of that, of that.

Uh, so I think I might win, even if I go through it, but I don't even wanna

look and I wanna look at 800 accounts.

start doing, start doing accounting of that.

Um, but let's talk about, so we, we we've talked about some of the alternatives.

I, I, I don't think.

Just not having anything, is it, I mean, there are people and I've seen it.

There are people that use spreadsheet as password manager

Or use their heads.

I used to do that.

I, there was a guy, there was a guy that

I interacted with on Reddit.

That was just like, it's not that hard to remember a unique

password for every website.

And I'm like, are you serious?

Like.

you're only at five websites that they visit, right.

and well, and he, and I, I argued with that.

He's like, no, I have, you know, and he gave some number, there was a significant

number and I'm like, really like

Yeah.

And I think that comes back to what you, what you said at the top, which

is one way to get around using the same password everywhere is to come up

with some kind of a mental algorithm that takes into consideration the

website that you're using, for example.

So my, my algorithm could be, uh, I hate the Nike store.com.

I hate adidas.com.

You know, I recognize that these are different passwords.

, but they're the same in the sense that the algorithm is very easy to figure

out once a password gets broken.

So even know each password is

yeah, all, but the, the problem there is all, all,

again, all that somebody has to do is hack one of those passwords.

Right.

And then it's not that hard to figure out others again, it just

depends on it's still again, that's still better than nothing.

That's still better than using the exact same password.

Every.

But

even with unique passwords or even

whatever the algorithm is, right.

Even if it's something more complex, that's still so much like mental loads

you have just to remember that stuff.

It's like, why would you want to take that on with everything else in the world you

could be doing with that mental capacity?

You know, it's just, why do you wanna clutter your brain?

Right.

Let's make life easier.

Let's do that instead.

the Sherlock Holmes, um, philosophy, right?

The cuz he has this thing, that's like, he doesn't want to put anything in his

brain that isn't useful for everything.

Right.

So, um, so I, I guess the only.

Um, I'll call it valid concern, cuz it, I, I think it's a concern that needs to

be addressed is, well, I'm worried that if I use a password manager, all of my

passwords will be in the same place.

And then someone will be able to not hack just one account, but my entire life,

um, you know, what do we say to that?

so the first thing to pay attention to with the provider that you're

using is where does the encryption happen?

If the encryption happens on your machine with your key.

And then the only thing that the provider saves is the encrypted content.

It doesn't matter if last pass gots hacked, for example, And that's a

significant concern, cuz like we talked about older versions that were directly

on the desktop weren't encrypted at all.

So it's definitely a possibility, uh, but what

last pass was hacked, right?

they were hacked, but they did not lose individual account

information in the sense of passwords.

They lost other information, but the passwords themselves were secure.

Okay.

Okay

But you're right in the sense that you now have really a master

account, for lack of a better word, that needs to be secured in a different way.

You can't have your password for your password manager in your password manager.

That's not gonna work, but really what you, yeah.

So what you need to do there is come up with a password that is

really secure and again, unique, but that you can trust your memory.

However, you should still double protect that account

with multifactor authentication.

Um, and a lot of almost all of these providers make that an, uh, a possibility.

So even if somebody does steal your master password to your password manager, they

can't log in without that six digit code.

Right, right.

I know with mine, it, you know, it pops up.

I actually have to go to my phone, um, and authenticate, like if I log

into a new browser, uh, I, I have to go to my phone and authenticate

that in the Dashlane app itself.

Um, which, which I, I like that.

I prefer that to, let's say an SMS.

What happens though, if you forget your master password, right.

You're well, again,

that just.

I mean, it's, that's a really good question because for

example, if you have an apple account and you're enabled on iCloud, your stuff

is encrypted in action, and I'm sorry.

In motion and at rest, however, it's the master encryption of apple in iCloud,

which means that if you lose your apple password, apple can unlock it for you.

Yep.

A lot of these providers don't do that by design.

So it's security versus convenience, which is a common Seesaw that we find.

But generally, if you forget and are locked out of your, like, I keep

coming back to last pass, cuz it's the one I know the best their answer is.

This is the way it's designed to

Prasanna Malaiyandi:

they give you an option?

Prasanna Malaiyandi:

Like I know Facebook, for instance, with their passwords, you could have

Prasanna Malaiyandi:

like another person's account who you trust, who they could reach out to, or

Prasanna Malaiyandi:

here's a recovery password that you can print out and store in a safe location

Prasanna Malaiyandi:

just in case like a one time password.

Right.

Some of them do do that and they also have sort of a, a dead man switch option

that you can put in place as well.

We're starting to get into like enterprise level features though.

When you talk about that type of thing.

Cause another thing that exists, if you're a business, you can create an

organization and then you can kind of have here's the engineering master password.

Here's the sales master password, et cetera, all the way across your company.

And then because you're one layer down now, your it department has the ability.

If you enable it to say, uh, Steve forgot his password, please reset it.

Gotcha.

Yeah.

Uh, for a while, my wife and I had, we, we both had Dashlane and, uh, I had my

Dashlane password in her account and she had hers in mind, but then we realized,

why are we both paying $39 a year?

For what is essentially the same service, you know, and as long, as long as I, and

neither of us had accounts that we didn't want the other one to be able to log into.

Right.

So that, you know, that that works.

But, um, the.

Uh, yeah, generally speaking.

And I know by the way that, um, let me throw out our, our

disclaimer, uh, Prasanna and I work for different companies.

He works for zoom.

I work for Druva.

And the opinions that you hear are, um, ours, and this is not an

official podcast of either company.

Uh, and I say that, you know, one, I just wanted to mention, you know, at Druva.

Up until just recently.

Um, this was the way Druva worked because we do our encryption using

the password and it's a, it's a, a envelope encryption system.

And it wasn't that long ago that I was talking with a customer who had done this,

where he had changed his Druva password.

And it's.

The only alternative was to basically just start over.

Right.

Because there was because we by design, didn't allow you to reset your

password because we couldn't figure out a way up until recently to do that

without allowing someone in Druva to also be able to reset your password.

Right.

Cause you it's a brain.

So, um, So we figured it, we figured out a way, uh, thanks of course, to another new

service by our, our lovely partner, AWS.

right.

Thanks.

Thanks to them.

We were able to figure this out.

So now you're actually able to reset the, the password.

Uh, it do, it does trigger up, you know, MFA and all that kind of stuff.

Right.

But so it, so you, you don't think that the concern of, of having everything

all in one place is a well you're, you're saying it's a valid concern.

But it just means you need to look into the way the, the, the products are built.

Right,

Exactly.

It's a concern that you have a number of options in the

marketplace as to how you manage it.

You know, one of the other concerns that people have that is similar

to this is, well, what happens if last pass goes out of business?

right.

That those passwords can be as secure as they want, but if they

go out of business and all of a sudden I can't use them anymore, then I might

be 500 passwords into a big problem.

Uh, and this is an argument that is often made and support of

self-hosting your own solution.

So a lot of the ones that we've been talking about live in the cloud, they're

a service, you log into a website, username password, the whole nine.

You can do all this stuff for yourself for $0.

If you'd like, or you can even have it's the best.

It's the best price out there.

Isn't it.

$0.

I'll take 10.

Yeah.

I, I, I think, again, this, this falls into the category of, I mean, if

Dashlane, I'll just say Dashlane, if Dashlane started going out of business,

we would get some kind of notification.

It wouldn't be like, okay, boom, Dashlane is outta

I don't know

though, I Curtis, but how many times have we talked to companies though

that have basically been like, something happened to my environment

and the next day the business is gone.

Right?

So

Yeah.

Okay.

It's a possibility.

I just don't think it's a,

on Mr.

Backup saying that that's not an issue, not a concern.

it's not a concern for me outside.

I mean, I'm because basically if, if, if dash lane, if they, if there was any hint

of financial instability, boom, I'm making a, I'm making a, an export real quick.

right.

Yeah.

And.

can then import that to another.

And that's exactly what you can do for yourself is

periodically take an export, encrypt that export, keep it someplace safe.

Um, and that

drive.

well, if you encrypt it, then we'll agree now.

Another way that companies are solving that along the lines of

the enterprise level type of tools.

Uh, one that comes to mind is keeper, which has actually been around for

a while, but they've only started making waves over the last year

or two in the enterprise space.

They have an option where you can enable local only.

Password management, which effectively means yes, they have a copy of it up

in the cloud and you can update and refresh whenever you want to, but you

can say I'm gonna be offline for a week.

I want my password manager to still work and it will still work.

So the services kind of neat in that way, where you can download onto your machine,

have it actively running and functioning.

And if their website or their business went out of business,

you would still be ok.

Yeah.

Yeah

So that's, that's a keeper thing that not every single provider has.

And again, we're talking about enterprise space with some of this

stuff, but it's an interesting solution.

Yeah, it is.

So I want to hear, I want to hear about what you do Prasanna.

What do I do?

So , so I use key pass, which is a free open source tool as

Mm-hmm

Prasanna Malaiyandi:

for a password manager.

Prasanna Malaiyandi:

And I create passwords on my desktop.

Prasanna Malaiyandi:

um, I don't do browser integrations.

Prasanna Malaiyandi:

Call me old school.

Prasanna Malaiyandi:

I still copy and

Prasanna Malaiyandi:

paste it from key pass.

Prasanna Malaiyandi:

Yep.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

Um, and then that's how I use it on my laptop.

Prasanna Malaiyandi:

And then what I do is I actually have a mobile version of key pass installed on

Prasanna Malaiyandi:

my phone and I manually sync the password file back and forth from my desktop.

Prasanna Malaiyandi:

So my desktop is always the primary copy and I never make

Prasanna Malaiyandi:

changes on my mobile phone for my.

Do you have, you have a backup of that?

Prasanna Malaiyandi:

Yes, I do have a backup.

okay.

Yep.

I do

He actually, he hosted on his S3 bucket.

Yeah.

Yeah.

It's wide open for everyone, but because there's a master password,

Yeah.

Yeah.

Um,

like you said, I don't make changes on my phone.

Right.

So I don't have to worry about the syncing problem.

Going back to it.

And so it's always just any changes happen on the laptop and then

periodically pushed to the phone.

And on the phone side, they've done great things like now it integrates with like

apples password managers or features.

So you can go to website, you can say, Hey, by the way, there's username,

password, click the password.

As it automatically loads the password from the mobile side as well.

Yeah.

I mean, that sounds interesting for me.

I, you know, I, I, I think, I think I've gotten used to the features and

functionality that I get, you know, on Dashlane too much to, I mean,

when you start talking about copying and pasting, when I have to copy and

paste a password, I get pissed off.

Right.

It's just way too much, way too much effort.

Um, the, uh, I love, I mean, what happens to me is that.

Dashlane the way Dashlane now works.

Is it only, it, it, on the desktop, it only runs in the browser, right?

So you, you have to, when you log in, uh, a new time, like right now,

I'm looking up and I can see that Dashlane is deactivated at the moment.

It's a little, the little D is orange instead of green.

So I know if I went to a website right now to log in.

I would have to go log into Dashlane first, but as soon as I come back to the

website, my password's already there.

It's already auto filled and I just have to click submit.

It's just, I don't

no.

And I think that's a big thing that these password managers help with is you don't

want, especially in security, right?

You don't want things to be cumbersome in order for people to be.

You want to be as seamless as possible, looking at Dashlane

and all these other services.

I think that's one of the biggest values they add, right.

Is the fact that yes, it is very simple to still get access to your websites or

whatever else it is while being secure.

Yeah.

And, and in the case, I, again, I want to hear about last pass, but I know in the

case of dash, so Dashlane has gotten where it was really rinky-dink was on the phone.

When I first got Dashlane.

Dashlane was at best a thing I could copy and paste passwords into, into a

website on the phone right now it's really integrated with the, with the website.

Generally speaking again, as long as I'm on, you know, a supporter browser

on there, it, it just automatically fills in the password, you know,

the username and password, and it also integrates with, um, face ID.

If I wanted to, you can turn that feature on and off.

So all I have to do is look at, literally look at the website

and then just magic happens.

Right.

Um, I do have to click the, there's a, the word password

Prasanna Malaiyandi:

That's the same thing.

Prasanna Malaiyandi:

I.

Prasanna Malaiyandi:

Yep.

Yeah, yeah.

I have to click password.

Um, but, but then it, but then it, uh, it, it either makes me log

in with my password or used face ID to, to integrate with that.

Right.

Um, and I, uh, I also recently found out that and I, and I was

happy about this is that it, it, it now supports password history.

Right.

So, um, because again, that, by the way that customer, that the Juva

story that I told we were actually able to get him logged in because his

password manager had password history.

So he logged in, he was able to, um, Forget exactly how, how it worked,

but he was able to use that password history feature to be able to log in.

Um, but, um, the, yeah, I love the password history feature.

I love the, you know, the fact that I can use it to also, it, I don't

use this much, but it has the ability to automatically reset passwords

on a lot of popular websites.

So you can just go into Dashlane and just say reset my Facebook password.

And it just does it cuz that's the other thing.

Changing your password on a regular website is, is way too much pain.

Right.

Um, and so automating that I think is, I think is good.

What about last pass?

Like how did you end up, you know, at last pass, cuz you've

had it for a while now as well.

yeah, I've had it for a while and I ended up going with them.

They were the first password manager that I actually paid.

Um, and I ended up going with them for the very reasonable logical and well

thought out reason that I had a coupon.

Um, and I found myself in the same situation that, that you just described,

which is I am now used to last pass.

I am used to its quirks and eccentricities.

I know how to do what I need to do with it with a minimum of fuss.

right.

So I've had it for the, the past five years, uh, on regular price.

So they got their value out of that coupon, I'll say.

and overall, I feel like it's solid.

Um, I don't think that it's mobile presence is great.

I think it's fine.

Uh, I also think that doing things on the phone is super complicated.

Um, I've never reliably had at work in terms of auto-filling the password on the.

Sometimes it works.

Sometimes it doesn't depends on the, the page.

It depends on the time.

It depends on the, the cycle of the moon.

Well, well, I have to say dashlane's pretty, pretty good there.

Um, it works.

I'm gonna say about 80, 80% of the time.

And when it doesn't work, it's the website.

It's not

Right?

Yeah.

And I.

I think that speaks to dash Lane's goals as a company.

Um, they actually, a few days ago, I wanna say their CTO did an interview, an

AMA on Reddit, uh, which was quite good.

And basically what he was saying and talking about was like touting

all these new advancements.

And it really feels to me like they're going hard after

the consumer level market.

And what that means is getting away from some of the enterprise features

like, you know, the password sharing or, or the running offline things

that a regular user is not gonna necessarily be that concerned about.

And in favor of let's build an absolutely rock solid cellphone service.

right.

Other companies are just like, listen, we've got 750 features.

I mean, we're working on that one, but we got all these other ones too.

And that was one of the things that he said in this interview is they

discontinued the application that it gets installed on the desktop tactically.

They said, there's too many products.

We have to focus on what customers want and need.

And this is not one of them.

Yeah.

And if you think about it, a lot of people these days, they like, I don't

know about you guys, but I use my mobile phone probably 80% of the time.

Like I'm rarely ever on my laptop.

And it's just like how I do things these days.

Cuz it's always on me.

Yeah.

Yeah, absolutely.

Uh, my only criticism and again, it is something I'm they'll probably

add is they don't yet have MFA.

As part of their things that they manage.

I know some other password managers will manage both your

password and your MFA token.

Um, so I use, I use authy for that.

Yeah, that you might wanna check, uh, check your

terms and conditions that might have actually changed this week.

He specifically talked about the two FA options that can be built into

dash land if you want to use them.

Okay.

All right.

I will do that, Chris.

Um, and actually, incidentally, I'm curious what,

what you both think about using a multifactor authentication from

a password management company.

Whether or not that that violates sort of the,

The

separation of, yeah.

Yeah.

I I've gone back and forth on that.

I, I, I, I, I've gone back and forth on that.

Let's just say I, I, I was considering changing it because of that.

And then I had the same thought that you did of like, you know,

maybe I shouldn't, I don't know.

I, I think the, I think the one thing to consider is like

with the MFA, I would say a password manager is probably better than SMS

based, two factor authentication,

Right.

Yeah.

and some of the other forms of two factor authentication,

is it as good as a standalone app?

Probably not, but in order to make it seamless and easy for the user, I

think that trade off may be acceptable, especially for the consumer side.

I think that's the correct answer.

And it kind of also goes along with the theme that we've been having here, which

is there's multiple levels of security.

It's up to you to determine how much is right for your use case.

As long as the answer is not no security.

We're in a much better place.

Yeah.

I, I, I think now that I'm thinking back, and, and again, we, we

should just investigate this.

Well, we'll see what, we'll see what they've done.

Like I would still want.

Like if it's not, if I don't still have to reach for my phone, that's not really MFA.

Right.

If I don't have to reach for a second device, something that I own, if it's

just the password manager's gonna manage my MFA, that's not really MFA.

Right.

Um,

but, but what if it's your password manager

plus using your face ID on your

no, I'm, as long as I have to reach for my

phone, that's what I'm saying.

As long as I have to have my phone on my.

but so say you're logging in from your phone into a website.

That's I'm fine with that.

That's I'm, I'm fine with that.

What I'm saying is, is when I'm on a browser and then if the browser

version of Dashlane will manage both my password and my MFA token,

that's everything all in one place.

And that could potentially be cuz then if somebody's got my master password,

then they're in, there's no multi.

Specifically about that Curtis, about the browser.

I think one thing you could do, and I think I know Okta does,

this is even on your laptop.

Uh, if you use Okta and you log in, it has the ability to ask for your

touch ID to verify that that is you.

So it's not that it's automatic, right?

It's just, you don't need to

Oh.

Oh, okay.

I see what you're

push a button or something else.

It's still using another factor.

It's just

something that I own could be my finger.

Exactly.

All right, Chris.

Well, Hey, you know, this, this was, this was like three guys in the same

choir, all singing the same song.

Right?

We were all We

I was thinking about that.

same page there.

Uh,

The title of the episode could probably just be, yes, I.

Yes.

Yes.

I agree.

What is interesting is that we've chosen three approaches, right?

I've got dash lane.

You've got last pass and he's got, what is it?

Key pass

key pass.

Yeah.

Which is a self-hosted, uh, thing.

Um, but just do it, man.

Like, I, I don't know.

It it's so, and the thing I think it's like, it's like, I, I, I'm gonna

liken it to virtualization again.

And that is like, like you don't get virtualization, try it right.

Once you've tried what it's like to, to be virtual, then you're like, why did I ever

use har you know, uh, raw metal, right?

Or bare metal once you've seen what it's like to log into

websites via a password manager.

You're like, how did I ever not do this?

Right.

I,

Yeah.

it is just so much easier and so much more

secure, uh, than, than anything that you're gonna do on yourself.

Um, whether you cell phone, I'm not counting you, you know, I'm

saying, you know what I mean?

Like, like, like anything else, like spreadsheet or a normal

person doing it by themselves.

So.

Right.

Yeah.

What I often tell people is if you're skeptical, just do

it for one or two websites,

Yeah,

because then if you don't like it, no harm, no foul.

You un install and you move on.

But just see what it's like, do something, you know, do something like cover your

Facebook or go with something more secure, cover your banking account.

You know, you probably have a vested interest in keeping that

password as complex as possible.

right.

Feels like a great place to, to practice.

Yeah.

Agreed.

And, and I know, I don't know.

Um, I know Dashlane again, I haven't checked in a while, but Dashlane,

it used to be free as long as you only did it on one device.

Um, that was, that was their, that was their free version,

They also lock you down to 50 passwords at the moment,

oh, okay.

which, you know, like I said, they're going to, uh, pretty much

an all pay unless you host your own.

Uh, you're gonna end up paying something yearly.

But for right now, dash Lane's got their monthly, uh, special 29

99 for the whole year unlimited access to all of their features.

right.

you know, to, to use a very, uh, tortured metaphor.

It's like five cups of coffee.

Yeah.

It's like, what is

your security worth?

Yeah.

up coffee though, Chris, so, you know,

um, anyway, well, thanks Chris so much for, uh, for coming on

Yeah.

It's been a pleasure.

and thanks Prasanna for, for film.

I, you know, I've never actually really asked you what the, what you were doing.

So I'm glad to, I'm glad to finally hear

no, I, yeah, I don't talk about it a lot, but yeah, no, I know.

You're I know you like to talk about your password manager a lot, but

You want a little bit of security by obscurity.

yeah, exactly.

right.

Well, Hey folks, get a password manager.

Will ya?

And thanks for listening.

And remember to subscribe so that you can restore it all.